The US Commodity Futures Trading Commission held a meeting of its Market Risk Advisory Committee recently and the recent cyber-attack on one of the industry’s technology service providers was one of the main topics of discussion.
FIA President and CEO Walt Lukken, one of the speakers invited to address this issue, described FIA’s role in the industry’s response to the attack and announced the formation of a Cyber Risk Taskforce to examine the longer-term implications for cleared derivatives markets.
In his remarks before the advisory committee, Lukken said the taskforce will be global in focus, and initial work will focus on existing cyber protections and protocols, the effectiveness of the industry’s initial response, best practices around reconnection, and safeguards around third-party service providers. He added that the taskforce will aim to release an initial report by the second quarter of this year.
In related news, CFTC Chairman Rostin Behnam, speaking at a Congressional hearing the same day, noted that the agency is developing rule proposals to address cyber risk. He said that in response to the recent cyber-attack on ION Markets, he has asked the agency’s staff to “identify potential weaknesses with respect to third party service providers and vendor relationships.” He added that the CFTC does not have the authority to regulate third-party service providers directly, and he urged lawmakers to consider “what role and relationship the CFTC should have” with these companies.
Last month, the CFTC said in a statement that Commitment of Traders reports that had been delayed due to the cyber attack are expected to be published in mid-March.
Forum for discussion
The CFTC’s advisory committees have no rule-making authority, but they serve as a channel for communication between the agency and the markets that it regulates. The MRAC is led by Alicia Crighton of Goldman Sachs, who is also chair of FIA’s board of directors, and includes market participants, public interest groups, and academics.
CFTC Commissioner Kristin Johnson, the sponsor of the MRAC, noted that it is important for the agency to “not rest on our laurels” regarding cyber-related threats and related requirements for registered market participants.
“While other regulators, affected firms, the industry, and the Commission remain in a fact-gathering phase in the wake of the recent cyber-incident, it is imperative that the MRAC fulfill its duty to serve as a timely and transparent forum for critical discussions regarding resilience, recovery, and resolution,” said Johnson.
“As our financial market infrastructure becomes increasingly dependent on digital technologies, it is of the utmost importance that individual firm cyber defenses keep pace with evolving threats. In addition, we must seek to enhance cybersecurity across the network of firms, large and small, that facilitate trade execution, clearing, and settlement in our markets.”
The first panel of the MRAC included discussions about the recent cybersecurity-related disruption at ION, including both industry and regulatory perspectives.
FIA’s President and CEO Walt Lukken offered a timeline of events and praised the industry’s flexibility and communication throughout the crisis. He noted that within a few days, FIA had gathered more than 700 market participants and regulators for group updates on the situation.
Lukken also announced the formation of an industry-led body that will explore lessons learned from the disruption.
“Looking ahead, today FIA is announcing the formation of a global Cyber Risk Taskforce to look at the ION event and to develop recommendations for improvements to our markets,” Lukken said. “This taskforce will focus on several areas including existing cyber protections and protocols, the effectiveness of the industry’s initial response, best practices around reconnection, and safeguards around third-party service providers. We aim to release an initial report by the second quarter of the year.
CME Group, the National Futures Association, the US Financial Industry Regulatory Authority, and the Office of the National Cyber Director also joined the broader discussion of financial-related cyber risks and prevention.
CFTC staff also indicated that the agency intends to put forth new rules related to cyber risk. Amanda O’Lear, Director of the CFTC’s Market Participant Division, stated that the division is looking at the risk management guidelines for futures commission merchants and swap dealers and whether these guidelines should be enhanced to cover monitoring, mitigating and recovering from cyber-attacks.