Recently the Commodity Futures Trading Commission (CFTC) published a set of guidance outlining its expectations for cyber-security programs. Unlike the regulators of many other regulated industries, the CFTC tends to take a principles-based approach, which is reflected in the relative generality (some would say ambiguity) of the published guidelines. In our opinion this approach is more effective, because it lets organizations direct their security efforts according to their own risk; it also means, however, that firms must be able to demonstrate both the why and the how of their security program.
The guidance is clearly framed in the context of customer privacy and the protection of personally identifiable information (PII), in light of Title V of the Gramm-Leach-Bliley Act (GLBA). While these guidelines are new to the CFTC governance rules, those familiar with cyber-security regulation and frameworks in other industries (NERC CIP, PCI DSS, HIPAA, NISTIR 7628, NIST SP 800-53, etc.) will find many familiar themes in the advisory, and firms subject to CFTC regulation can borrow useful ideas from those other regulations and frameworks. Like the other regulations listed above, the CFTC guidance falls into four key areas:
1) Make someone responsible for getting it done
A single individual, with a well-defined role, clear responsibilities and a clear delegation model, should be empowered and tasked with getting the program defined and implemented. This does not mean that this individual should ride roughshod over other departments and business needs in pursuit of those goals; the role is to coordinate and be accountable, not to override.
2) Ensure there is awareness and buy-in from the trading floor to the back office and the boardroom
Awareness by all staff of how their day-to-day activities affect the security of the firm and its customers is essential to a good cyber-security program. This is achieved through effective training and continual reinforcement, and the program is improved and refined through regular, transparent, board-level reporting of its successes and challenges. Everyone directly involved in implementing the security program should know what is expected of them day to day, and also during an incident, which is the most challenging part of any security program. At those times, a well-defined set of cyber-security policies, including a detailed incident response policy, is essential.
3) Environmental awareness, and risk-based investments
Creating an asset and data map of your infrastructure, and understanding the true risks that your firm faces, can be among the best investments you make in cyber-security. Taking the time to understand the physical and technological challenges of your specific environment, and mapping the data flows of critical applications, helps you build a roadmap to a better cyber-security posture and identify targeted investments in the areas of greatest risk. This obligation extends to vendors and contractors as well: anyone with potential access to customer data needs to demonstrate that they have "appropriate safeguards" in place. The recent Target data breach, traced to credentials stolen from an HVAC maintenance vendor, is a prime example of why such external verification matters. In this industry, where cross-connects and Virtual Private Networks (VPNs) to counterparties and service providers are prevalent, this will certainly be a focus of the regulators.
4) Continuous validation and improvement
Once a solid cyber-security program is in place, you can't just sit back and enjoy some downtime. A continuous monitoring program tracks security events across the organization and its information systems in order to determine whether the deployed controls remain effective. Security is a constantly shifting landscape, and staying in front of the threats is a difficult task. To keep the program relevant, both internal testing and external assessment (e.g. penetration testing) need to be an ingrained, and accepted, part of the process.
For firms with mature information security programs, nothing in the guidelines will be surprising, and most of these practices should already be in place. For those who have, until now, deferred significant investment in cyber-security, the CFTC has made it clear that its expectations are changing and that "the Division will enhance its audit and review standards as it continues to focus more resources on GLBA Title V compliance".