In Short

The Background: In 2012 and 2013, the Commodity Futures Trading Commission adopted rules requiring futures commission merchants, swap dealers, and major swap participants (collectively, "covered entities") to create risk management programs, and requiring swap dealers and major swap participants (together, "swap entities") to implement Business Continuity and Disaster Recovery plans.

The Proposed Rules: On December 13, 2023, the Commission proposed rules that would extend the Business Continuity and Disaster Recovery rule to futures commission merchants and require all covered entities to adopt a new "operational resilience framework" that bolsters their existing risk management programs.

Looking Forward: The proposed operational resilience framework was driven principally by the early 2023 ransomware attack on ION Markets, which resulted in a two-week disruption of middle-office activities at several futures commission merchants, delays in trade data reporting to the Commission, and a temporary lag in producing the Commission's weekly Commitments of Traders report. At a post-mortem during a Commission Market Risk Advisory Committee meeting, Chairman Rostin Behnam indicated that the agency is also exploring the possibility of updating its risk management regulations for clearinghouses.

The proposed rules would require all covered entities to create and maintain an operational resilience framework ("Framework") containing three components: (i) an information and technology security program; (ii) a third-party relationship management program; and (iii) a Business Continuity and Disaster Recovery ("BCDR") plan. A covered entity could tailor its Framework to the nature, scope, complexity, and risk profile of its business activities, provided that the Framework is reasonably designed in accordance with "generally accepted standards and best practices."

The Information and Technology Security Program

The first required element of the proposed Framework is an information and technology security program. Each covered entity's program would have to include: (i) periodic risk assessments; (ii) controls to identify and mitigate risks; and (iii) incident response plans. The periodic risk assessment would have to be performed at least annually by independent personnel to identify, assess, and prioritize risks to information and technology security. Covered entities would also need to document, implement, and maintain controls aimed at preventing, detecting, and mitigating information and technology security risks. Finally, each covered entity would need a written incident response plan providing for the assessment, containment, and mitigation of the impact of cybersecurity incidents.

The Third-Party Relationship Program

The second component of the proposed Framework is a third-party relationship program. The program would have to describe how the covered entity handles risk at every stage of a third-party relationship, from pre-selection through termination. In addition, covered entities would need to create, maintain, and update an inventory of their third-party service providers. The proposed rules would further require heightened due diligence and monitoring of third-party service providers deemed "critical."

The Commission clarified that covered entities would need to apply the third-party relationship program only on a going-forward basis, meaning firms would not be required to renegotiate or terminate existing agreements. Nevertheless, the Commission would expect a covered entity to begin monitoring its existing third-party relationships in accordance with its program and the related proposed rules, and to terminate a relationship where its program so requires. For any contract renegotiated or renewed after the effective date of a final rule, the Commission would expect the covered entity to apply its entire third-party relationship program, from pre-selection through termination.

The BCDR Plan

The third component of the proposed Framework is a requirement that futures commission merchants ("FCMs") and swap entities maintain BCDR plans. The National Futures Association already requires FCMs to establish and maintain a BCDR plan, but the proposed rules, if adopted, would create a separate Commission BCDR plan requirement for FCMs. Swap entities are already subject to a BCDR plan requirement under current Commission Regulation 23.603; the proposal would amend that requirement and expand it to cover FCMs.

The proposed rules would require a BCDR plan to be reasonably designed to enable the covered entity to: (i) recover and make use of all covered information, as well as any other data, information, or documentation required to be maintained by law and regulation; and (ii) resume operations with minimal disruption to customers, counterparties, and the markets. The proposed rules do not specify a deadline for resuming operations, in contrast to the existing swap entity BCDR plan requirement, which calls for resuming operations "by the next business day" after a disruption. A BCDR plan would also need to identify sensitive or confidential information and establish backup procedures for it, identify and minimize potential disruptions involving critical third-party service providers, and identify the personnel responsible for implementing the plan.

Additional Requirements

As with the current BCDR rule, the proposed Framework would carry additional administrative and governance requirements supporting the three components. For instance, the Commission proposed new governance requirements, including annual approval of a firm's Framework by senior leadership and the establishment of risk appetite and tolerance limits. Covered entities would also need to ensure that personnel are aware of the Framework's procedures and provide training accordingly, and would need to review and test their Frameworks at least annually. Unlike the current BCDR plan, however, the Framework would not need to be externally audited every three years. Finally, the proposed rules would require covered entities to notify the Commission and third parties in certain instances of elevated risk, including any incident that adversely affects the firm's information and technology security or the confidentiality or integrity of a customer's information.

Implementation

The Commission proposed that covered entities would have six months to implement the Framework if the rules are finalized.

Two Key Takeaways

  1. Driven by concern over the early 2023 ransomware attack on ION Markets, the Commission has proposed to require covered entities, including swap dealers and FCMs, to exercise significant oversight over their third-party relationships.
  2. The Commission has proposed to impose its own BCDR requirements on FCMs, notwithstanding the existing requirements imposed by the National Futures Association.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.