The US Commodity Futures Trading Commission has proposed a rule to require futures commission merchants, swap dealers and major swap participants to establish an “operational resilience framework.”
The proposed rule was prompted by the operational disruptions that arose earlier this year after a ransomware attack on an industry service provider, but its scope goes well beyond cyber security.
The proposal would require firms to “identify, monitor, manage and assess risks” in three areas: 1) information and technology security, 2) third-party relationships, and 3) emergencies and other significant disruptions. The proposal also would include requirements related to governance, training, testing, and recordkeeping.
During the open meeting at which the commissioners discussed the proposed rule, CFTC Chairman Rostin Behnam noted that the proposal is not taking a “one size fits all” approach and instead is “tailored to accommodate firms that vary in size and complexity.” That includes corporate structures in which operational resilience programs are handled at an enterprise level, rather than by an individual business unit such as a futures brokerage, as well as smaller futures commission merchants that have relatively limited resources.
Behnam explained that although these firms are covered by the CFTC’s existing risk management requirements, those requirements were drafted more than 10 years ago and need to be updated.
“The Commission must bolster that foundational framework to promote operational resilience in the face of increasingly sophisticated cyberattacks and heightened technological disruptions,” Behnam said. “A strong ORF [operational resilience framework] is especially important as the financial sector increasingly relies on third-party service providers; the disruption of which can lead to major interruptions in—and potential corruption of—FCM and SD operations.”
The discussion also highlighted efforts by the CFTC staff to consider existing standards and guidance developed by international standard-setting bodies such as the Financial Stability Board and the International Organization of Securities Commissions. The CFTC staff noted that the proposal includes provisions to allow recognition of equivalent rules in other jurisdictions, which could reduce the compliance burden for firms operating internationally.
Although the proposed framework would only apply to intermediaries such as FCMs, Behnam indicated that the agency is considering whether to update its rules for clearinghouses as well. He pointed in particular to the discussion at the CFTC's Market Risk Advisory Committee meeting earlier this week. At that meeting, CFTC Commissioner Kristin Johnson said she will ask members of that committee to develop recommendations in this area.
The CFTC set a 75-day comment period, which will start after the proposal has been formally published in the Federal Register.