The rules recently changed for certain sectors of the financial industry when it comes to IT and related cybersecurity safeguards. The Commodity Futures Trading Commission (CFTC) has approved a new set of Final Rules requiring regular testing of the information technology systems of U.S. commodities and derivatives firms, including clearinghouses and exchanges.
The CFTC’s announcement and its comprehensive cybersecurity assessment requirements underscore yet another shift in how federal agencies are treating burgeoning cybersecurity issues—and the vulnerabilities associated with the industries that deal with sensitive consumer information.
Financial Firms Subject to the Final Rules Must Now Use Independent Third-Party Testers for Certain Cybersecurity Testing
Under the Final Rules, covered financial firms will be required to undergo specific cybersecurity testing that must include (1) penetration testing, (2) vulnerability testing, (3) controls testing, (4) enterprise technology risk assessments, and (5) security incident response plan testing.
For specified registrants, a minimum testing frequency is set for each of these activities, and such entities must engage independent, third-party contractors to perform certain types of testing rather than relying solely on internal staff.
A Comprehensive Approach to the Scope of Testing
The Final Rules require that the scope of testing be quite broad. It must encompass an assessment of all automated controls and systems that the firm's current cybersecurity threat analysis, risk analysis, and oversight indicate are necessary to test in order to uncover vulnerabilities and risks that could enable an attacker to:
- impede the firm’s normal operations or fulfillment of regulatory and statutory mandates;
- compromise, degrade, or impair the capacity, security, or reliability of the firm’s automated systems;
- add to, delete, modify, or exfiltrate data related to the firm's regulated activities, or otherwise compromise the integrity of that data; or
- undertake any unauthorized activity that affects the firm's regulated tasks or the software and hardware used in conjunction with those activities.
The Final Rules also mandate that testing and assessment findings be reported to senior management and the board of directors, who must oversee internal review and remediation of those findings. Every identified deficiency must be logged and documented, together with the remediation taken or the rationale for not remediating it.
The CFTC’s Final Rules Demonstrate a Needed Shift in Cybersecurity Awareness
The recent announcement of the Final Rules speaks to the reality that, by some industry estimates, up to 70% of all data breaches originate with third-party partners and vendors, and to the fact that with every cyberattack it becomes increasingly clear how interconnected our financial and consumer ecosystems really are. Any organization that relies on a large network of business associates, partners, and vendors to conduct its operations is one node in a complex web of interconnected parties, and each of those parties represents a potential conduit to sensitive consumer data and, ultimately, a potential data breach.
Satisfying the CFTC's New Rules Isn't Enough to Safeguard Against the Evolution of Cybersecurity Threats
The Final Rules are designed to clarify and supplement the existing requirements relating to IT system safeguards, cybersecurity testing, and risk analysis. Since the rules are not updated on a daily, or even a monthly, basis, industry experts warn that compliance with the rules alone will not be enough to keep a business safe from cyberattack and data breach: a firm can pass every required test on its scheduled cadence and still be exposed to a vulnerability that emerged the week after.
Because cybersecurity threats evolve continuously, any business that handles sensitive consumer information should consider an advanced threat protection approach to its information security framework that goes beyond the minimum testing cadence the rules prescribe. If you would like more information on protecting your business from advanced persistent threats (APTs), contact Intrinium for an information security audit and threat assessment.