The Commodity Futures Trading Commission recognizes the benefits provided when private sector financial institutions regulated by CFTC use a standardized approach to assess and improve their cybersecurity preparedness.
Firms adopting a standardized approach are better able to track their progress over time, and to share information and best practices with their peers and with the CFTC.
CFTC regulations require derivatives markets, clearing organizations, and swap data repositories to follow generally accepted standards and best practices with respect to the development, operation, reliability, security, and capacity of their automated systems. Such best practices are provided by the National Institute of Standards and Technology (“NIST”), the International Organisation for Standardization (“ISO”), the Information Systems Audit and Control Association (“ISACA”), and the Information Technology Infrastructure Library (“ITIL”), among others. The CFTC uses all generally accepted cybersecurity standards and best practices in its oversight of regulated entity cybersecurity and system safeguards.
The CFTC welcomes collaborative approaches to advance and support cyber preparedness and enhance the efficiency and effectiveness of its system safeguards oversight. To this end, the CFTC welcomes use by regulated entities of standardized tools aligned with industry standards and best practices to assess their cybersecurity preparedness. Such tools include the Financial Services Sector Coordinating Council (“FSSCC”) Cybersecurity Profile, the NIST Cybersecurity Framework, the ISO Cybersecurity Standard, and the ISACA COBIT Framework, among others. Regulated entities can assess their cybersecurity and system safeguards programs using the standardized cybersecurity tool that they believe best fits their particular risks and circumstances. While the CFTC does not endorse any particular tool, these standardized tools support institutions in their self-assessment activities. The tools are not examination programs, and the CFTC takes a risk-based approach to cybersecurity and system safeguards oversight. As cyber risk evolves, such oversight may address areas not covered by all tools.