Statement of Commissioner Christy Goldsmith Romero: Advancing Cyber Resilience to Thwart the Continuously Changing Threat of Cybercrime and Protect Critical Infrastructure

Proposed Rule on Cyber and Operational Resilience

December 18, 2023

Today we have before us our first proposed cyber and operational resilience rule that would apply to swap dealers (including banks) and futures commission merchants (FCMs).  I’m excited to see the proposed rule up for vote today.  I support the rule and thank the staff for their more than one year of hard work.  I also thank all who engaged with us in an extensive collaborative effort.  I also thank Chairman Behnam for entrusting me to help with this rule.

This is a critical rule for the CFTC.  FBI Director Christopher Wray recently said “that today’s cyber threats are more pervasive, hit a wider array of victims, and carry the potential for greater damage than ever before” and we face “some of our most complex, most severe, and most rapidly evolving threats.”[1]  This rule proposes to help advance our markets from a mentality of incident response to one of cyber resilience.  This would further President Biden’s White House National Cybersecurity Strategy and Executive Order on Improving the Nation’s Cybersecurity.[2]

Cyber resilience is one of my top priorities, and a critical issue on which I am engaged.  Over the last year, the CFTC staff and I have been engaged with the White House, other financial regulators, the Department of Commerce’s National Institute of Standards and Technology (NIST), the National Futures Association (NFA), swap dealers, FCMs, trade groups like the Futures Industry Association, the International Swaps and Derivatives Association, and the Securities Industry and Financial Markets Association, public interest groups, and third-party vendors.  I also sponsor the Technology Advisory Committee that covers cybersecurity, and has a dedicated Cybersecurity subcommittee stacked with well-regarded cybersecurity experts.[3] 

It takes this type of collective public and private engagement to thwart cybercrime, stay ahead of the continuously changing threat, and protect our nation’s critical infrastructure.  Director Wray has spoken about how malicious cyber actors seeking to cause destruction are working to hit us somewhere that’s going to hurt—U.S. critical infrastructure sectors.[4]  According to the FBI, in 2021, there were ransomware incidents against 14 of the 16 U.S. critical infrastructure sectors.[5]  That includes an attack on Colonial Pipeline that led to gas shortages, and an attack on the world’s largest meat supplier JBS, that led to meat shortages and spiking prices.[6] 

As Director Wray has said, “ransomware gangs love to go after things we can’t do without.”[7]  Our nation cannot do without the commercial agriculture, energy, metals, and financial markets, on which derivatives markets are based. 

In June, I presented five key pillars of cyber resilience, pillars that are contained in the proposed rule:[8] 

  1. A proportionate and appropriate approach;
  2. Following generally accepted standards and best practices;
  3. Elevating responsibility through governance;
  4. Building resilience to third-party risk; and
  5. Leveraging the important work already done in this space, including by prudential regulators and NFA.

Taking a proportionate and appropriate approach

There is no one-size-fits-all approach.  The proposed rule would require swap dealers and FCMs to ensure that their operational resilience programs are appropriate and proportionate to the nature and risk profile of their business.  This follows the White House National Cybersecurity Strategy.[9]  Our swap dealers include Globally Systemically Important Banks (GSIBs).  Additionally, some of our swap dealers and FCMs are involved in U.S. critical infrastructure such as in the energy or agricultural sectors, or in supply chains.

FBI Director Wray testified before Congress this month that one of the most worrisome facets of state-sponsored adversaries is their focus on compromising U.S. critical infrastructure, especially during a crisis, and that there is often no bright line that separates where nation state activity ends and cybercriminal activity begins.[10]  He testified about the disruptive impact of a supply chain attack in the SolarWinds attack, conducted by the Russian Foreign Intelligence Service.[11]  This summer, Director Wray said that the FBI is seeing the effects of Russia’s invasion of Ukraine here at home, as the FBI has seen Russia conducting reconnaissance on the U.S. energy sector.[12]   

Director Wray also has said that, “China operates on a scale Russia doesn’t come close to. They’ve got a bigger hacking program than all other major nations combined. They’ve stolen more American personal and corporate data than all nations combined.”[13]  Director Wray has said that “the Chinese government has hacked more than a dozen U.S. oil and gas pipeline operators, not just stealing their information, but holding them, and all of us, at risk.”[14]  Swap dealers and FCMs involved in critical infrastructure sectors will need to build resilience for these cyber threats.

The proposal also recognizes that cyber resilience requires continuous attention.  What is appropriate or proportionate may change as the threat landscape changes.  It may also change when a swap dealer or FCM enters a new line of business, onboards a new vendor, or takes other action that can carry cyber risk.

Following generally accepted standards and practices

The proposal, like the CFTC’s rules for exchanges and clearinghouses, would require swap dealers and FCMs to follow generally accepted standards and industry best practices, like NIST or ISO (for international companies).  The NIST Cybersecurity Framework creates a clear set of cybersecurity expectations that are risk- and outcome-based rather than prescriptive, and adaptable to the size and types of businesses.[15]  These standards are regularly updated to reflect the evolving technology and threat landscape.  The proposed rule also requires at least annual assessment, testing, and updates to the operational resilience framework.

Elevating responsibility through governance

The vision of the Biden Administration’s National Cybersecurity Strategy is to rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals and small businesses, and onto the organizations that are most capable and best positioned to reduce risks.[16]  This strategy gets away from vulnerability caused by one person in an organization clicking on the wrong thing that leads to total disruption.  The banks and commodity firms this rule would apply to are capable and best positioned to reduce cyber risk and cybercrime losses. 

Building cyber resilience requires elevating responsibility to those who make strategic decisions about the business.  The stakes for businesses are high.  There is potential legal risk, reputational risk, risk to national security, as well as financial risk.  In 2022, the FBI reported $10.3 billion in cybercrime losses, shattering the record from the prior year.[17]  Tone at the top, including the C-suite’s active participation in cyber resilience programs as well as making cyber resilience a top priority, can determine whether an organization will successfully be cyber resilient and operationally resilient. 

The proposed rule would require operational resilience plans to be approved annually by a senior leader and for incidents to be escalated promptly.  It also would require senior leaders to set and approve the firm’s risk appetite and risk tolerance limit.  Leaders should make strategic decisions about the risk they are willing to take on, as well as the metrics they will monitor.  I am interested in hearing if the proposal’s definitions of these terms set a clear expectation and align with generally accepted standards.

Building resilience to third-party risk

Swap dealers and FCMs routinely rely upon third-party (as well as fourth-party) service providers to access new technologies and expertise, and for efficiencies in business functions.  The rule requires building resilience to third-party risk, an issue brought sharply into focus with this year’s cyber-attack on third-party vendor ION Markets.

Because third parties create points of entry that need to be secured from cyber criminals, the banking regulators released updated interagency guidance on third-party risk management that would apply to many of the swap dealers subject to the proposed rule.[18]  The staff and I met with the Federal Reserve, Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency about their guidance and their efforts to promote cyber resilience.  Like that interagency guidance, the proposed rule would require an inventory of all third-party service providers, assessments of risk throughout the lifecycle of the third-party relationship, and the identification of critical third parties, and would subject those critical third parties to heightened due diligence and monitoring.

The proposed definition of who is a critical third-party service provider takes a flexible approach, asking entities to consider the impact of a disruption.[19]  At his TAC presentation, Todd Conklin, Deputy Assistant Secretary of Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP) and TAC member, discussed how ION Markets received less scrutiny because it was not treated as a critical third-party vendor by most firms.[20]  I look forward to comment.

The CFTC also proposes separate guidance on managing third-party risks.  I am interested in commenters’ views on this guidance, and whether we have it right for harmonization.

Leveraging the important work of others, including prudential regulators and the NFA

The White House’s 2023 Cybersecurity Strategy recommends organizations “harmonize where sensible and appropriate to achieve better outcomes.”[21]  The proposal recognizes that many of our regulated entities are part of a larger enterprise, with cyber and operational resilience programs managed at the enterprise level, and can use those programs under this rule.  I am interested in commenters’ views on whether we have achieved appropriate harmonization or whether we need greater harmonization with bank regulators’ rules and guidance and NFA guidance.[22] 

Stronger Together

We are stronger together.  The CFTC is part of coordinated government efforts to learn about and disseminate information about emerging cyber threats.  We want to work with our swap dealers and FCMs to help strengthen their operational resilience, especially prior to any disruptive event.

Should a disruptive event occur, resilience requires rapid collaboration among the CFTC and all those who are potentially affected to contain any potential damage and to keep critical market functions running.  The proposed rule includes specific requirements for notifying the CFTC of an incident as soon as possible, but no later than 24 hours after detection.  I support immediate notification to the CFTC because if we know, we can work with regulated entities and markets to assess and minimize damage, trigger appropriate regulatory and law enforcement action, help in recovery, and protect customers.  I note that this time frame and these reporting standards differ from those of other regulators, and look forward to comment.

A two-way flow of information can play a significant role in the ability to build resilience, which means the ability to recover quickly after an attack.  According to Deputy Assistant Secretary Conklin, collaboration between the government and industry helped mitigate the impact of the ION Markets attack.[23]  The proposal would also require notification to customers and counterparties as soon as possible of attacks that affect them.  Early notice helps minimize the impact of an attack by allowing them to secure their personal data, monitor affected accounts, and make alternative arrangements for accessing critical funds or markets. 

If we can all work together, we can harden our defenses, thwart cyber criminals, and protect critical U.S. infrastructure and national security.  Together, we can build a safer and more resilient cyberspace. 

[2]  The EO’s statement of policy is: “Protecting our Nation from malicious cyber actors requires the Federal Government to partner with the private sector.  The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.  In the end, the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced.”  The White House, Executive Order on Improving the Nation’s Cybersecurity (May 12, 2021).

[3]  See CFTC, Commissioner Goldsmith Romero Announces Technology Advisory Committee Subcommittee Co-Chairs and Members (July 14, 2023); see also CFTC Technology Advisory Committee July 18 Meeting (July 18, 2023); CFTC Technology Advisory Committee March 22 Meeting (March 22, 2023).

[4]  See FBI, Director's Remarks to the Boston Conference on Cyber Security 2022 (June 1, 2022).

[5]  See FBI, FBI Partnering with the Private Sector to Counter the Cyber Threat, Remarks at the Detroit Economic Club (Mar. 22, 2022).

[6]  See Id. (discussing how an attack led to Colonial shutting down pipeline operations and a panic among people in the Southeast that led to a run on gas and how an attack on JBS resulted in a complete stoppage of meat production, leading to spiking prices and less availability of meat).

[7]  See FBI, Director's Remarks to the Boston Conference on Cyber Security 2022 (June 1, 2022).

[8]  Commissioner Christy Goldsmith Romero, Advancing from Incident Response to Cyber Resilience, (June 20, 2023).

[9]  See The White House, National Cybersecurity Strategy (March 2023) (recommending that organizations “demonstrate a principles-based approach that is sufficiently nimble to adapt to meet the challenges of the ever-evolving technological threat landscape and to fit the unique business and risk profile of each individual covered entity.”).

[10]  See FBI, Statement of Christopher A. Wray Director Federal Bureau of Investigation Before the Committee on the Judiciary United States Senate (Dec. 5, 2023).

[11]  See Id.

[12]  See FBI, Director Wray's Remarks at the FBI Atlanta Cyber Threat Summit (July 26, 2023).

[13]  See FBI, Director's Remarks to the Boston Conference on Cyber Security 2022 (June 1, 2022).

[14] See FBI, FBI Partnering with the Private Sector to Counter the Cyber Threat, Remarks at the Detroit Economic Club (Mar. 22, 2022).

[15]  See Presentation of Kevin Stine, Chief of the Applied Security Division at NIST Information Technology Laboratory, “Managing Cybersecurity Risks,” CFTC Technology Advisory Committee Meeting (March 22, 2023).

[16]  See The White House, National Cybersecurity Strategy (March 2023).

[17]   FBI, Internet Crime Report 2022 (March 22, 2023).

[18]  Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency, Interagency Guidance on Third Party Relationships: Risk Management (Jun. 6, 2023).  

[19]  I heard from many banks and brokers that identifying who is a critical third-party service provider is an issue they regularly grapple with, and that it often comes down to specific facts and circumstances, and not just the products and service they provide.

[20]  See Presentation of Todd Conklin, Deputy Assistant Secretary of Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP), “The Cyber Threat Landscape for Financial Markets:  Lessons Learned from ION Markets, Cloud Use in Financial Services, and Beyond,” CFTC Technology Advisory Committee Meeting (March 22, 2023) (“many institutions didn’t even classify [ION Markets] necessarily as a ‘critical’ third-party vendor.  So many firms who onboarded ION didn’t use the highest-level scrutiny that they use for their most critical third-party vendors.”)

[21]  See The White House, National Cybersecurity Strategy (March 2023).

[22]  These requirements and guidance include the prudential regulators’ Sound Practices to Strengthen Operational Resilience paper, the Interagency Guidelines Establishing Standards for Safeguarding Customer Information, and the recently released Interagency Guidance on Third-Party Relationships: Risk Management, as well as NFA guidance on information security, third-party service provider risk management, notification of regulators, and business continuity and disaster recovery.

[23] See Presentation of Todd Conklin, Deputy Assistant Secretary of Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP), “The Cyber Threat Landscape for Financial Markets: Lessons Learned from ION Markets, Cloud Use in Financial Services, and Beyond,” CFTC Technology Advisory Committee Meeting (Mar. 22, 2023).