On September 8, the Commodity Futures Trading Commission approved amendments to its rules relating to system safeguards for derivatives clearing organizations, designated contract markets, swap execution facilities and swap data repositories (collectively, registered entities). The rules clarify existing obligations and enhance cybersecurity testing requirements.

The amended rules require registered entities to conduct regular, periodic and objective testing and review of certain system safeguards as a part of its risk analysis and oversight of its operations and automated systems. The rules require five types of testing: (1) vulnerability testing; (2) penetration testing; (3) controls testing; (4) security incident response plan testing; and (5) enterprise technology risk assessment. Additionally, the rules include test frequency requirements, identify tests that independent third parties should conduct, and discuss the appropriate scope of testing.

The rules also focus on categories of risk that oversight should address, recordkeeping, internal reporting, review of testing results, and remediation of vulnerabilities and deficiencies.

The final rules will be published in the Federal Register. A CFTC fact sheet is available here.