From: JDSupra Business Advisor
Reporter, Mark H. Francis, King & Spalding
On December 16, 2015, the Commodity Futures Trading Commission (“CFTC”) released two Notices of Proposed Rulemaking (“NPRMs” or “Proposed Rules”) that would, if finalized, supplement existing regulations covering the cybersecurity practices of commodity exchanges and clearing organizations. Although the Proposed Rules would not impose direct changes to most aspects of regulated entities’ cybersecurity policies and practices, they would mandate an extensive cybersecurity testing regime that likely would trigger significant changes in how regulated entities manage cybersecurity risks. These entities would need to shoulder the added costs of extensive testing, performed both internally and by independent professionals. It remains to be seen whether, and to what extent, regulated entities would need to adjust current policies and practices to remediate issues identified by those tests.
The Proposed Rules are said to reflect the collective sentiments of participants at the CFTC’s 2015 Staff Roundtable on Cybersecurity and System Safeguards Testing, which addressed the threats to financial institutions and cybersecurity best practices. The NPRMs also exhaustively cite public and private sector standards, regulations and guidance as a foundation for the Proposed Rules.