The US Commodity Futures Trading Commission (CFTC) has adopted new rules that require US exchanges, clearing houses, trade repositories and dealing platforms to frequently test their technology for cyber vulnerabilities.
Under the new rules, firms have to look for vulnerabilities in their systems at least once a quarter.
Firms also have to test their planned responses to breaches, and carry out enterprise technology risk assessments and internal and external penetration testing, at least annually.
Controls testing may be conducted on a rolling basis, with each key control to be tested at least every three years.
Independent contractors must be engaged to carry out the external penetration tests and to test an organisation’s key controls.
CFTC chairman Timothy Massad said: “The risk of cyberattack probably represents the single greatest threat to the stability and integrity of our markets today. Instances of cyberattacks are all too familiar both inside and outside the financial sector. Today, they often are motivated not just by those with a desire to profit, but by those with a desire deliberately to disrupt or destabilize orderly operations.
“That is why these system safeguard rules are so important. They will apply to the core infrastructure in our markets—the exchanges, clearinghouses, trading platforms and trade repositories. And they will ensure that those private companies are adequately evaluating cyber risks and testing their cybersecurity and operational risk defenses.”