2024-01-24

Partly in response to a 2023 cyberattack on a widely used third-party service provider to several financial services firms, the Commodity Futures Trading Commission (CFTC) has proposed new requirements and guidance for swap dealers, major swap participants, and futures commission merchants (collectively, "Covered Entities") to establish frameworks reasonably designed to identify, monitor, manage and assess three types of operational risk:

1. risks related to information and technology security;
2. risks related to the engagement of third-party relationships; and
3. other extraordinary disruptions to normal business operations (e.g., power outages, natural disasters, pandemics).

The CFTC refers to this new proposed framework as an "operational resilience framework" or "ORF."

Of note, the ORF proposal seemingly combines and expands on aspects of various requirements already applicable to Covered Entities. For instance, during the December 15, 2023, open meeting, CFTC Chairman Rostin Behnam noted that these requirements partially overlap with the CFTC's existing risk management program (RMP) requirements, which he conceded should be updated to address more current risks and business practices. In addition, several CFTC commissioners and staff noted that existing National Futures Association (NFA) rules require that Covered Entities comply with requirements relating to information systems security programs (ISSP). The NFA's ISSP requirements, however, apply only with respect to one of the three risks identified in the ORF proposal.

Also at the public meeting, Chairman Behnam and several CFTC commissioners commented that the ORF proposal is intended to be flexible enough to accommodate Covered Entities of different sizes, firms with varying degrees of complexity, and Covered Entities with global operations. To that end, the ORF proposal is modeled after an approach adopted by US prudential regulators and is principles-based. That is, it is designed to be adaptable to diverse institutions so that, for example, Covered Entities operating within larger corporate structures could rely on ORFs that apply at an enterprise level, while smaller Covered Entities could establish ORFs that apply at an individual registration/entity level. Moreover, CFTC staff, during their presentation of the proposal, stated that the proposal takes into consideration existing standards and guidance developed by the Financial Stability Board and the International Organization of Securities Commissions so as to be consistent with equivalent rules in other jurisdictions.

Some of the ORF proposal's most notable elements are summarized below.

Primary Components of ORFs. As noted above, ORFs would include an information and technology security program, a third-party relationship program and a business continuity and disaster recovery (BCDR) plan. Similar to the CFTC's risk management program rules, ORFs would be required to address issues related to governance, training, testing and recordkeeping. The ORF proposal would require Covered Entities to follow "generally accepted standards and best practices" in establishing, implementing and maintaining their ORFs.

For Covered Entities that rely on an enterprise-wide ORF, the proposal requires each such Covered Entity's senior officer, oversight body, or senior-level official to provide an annual attestation that the enterprise-wide program meets CFTC requirements and reflects the risk appetite and risk tolerance limits appropriate to the swap dealer or FCM.

New BCDR Requirements. The ORF proposal includes a new BCDR requirement for FCMs and seeks to amend the current BCDR plan requirement for swap dealers and MSPs in CFTC Rule 23.603. The proposed BCDR plan would need to be reasonably designed to enable the Covered Entity to continue or resume normal business operations with minimal disruption to customers and the markets, and to recover and make use of covered information, as well as other data, information, or documentation required to be maintained by law and regulation. Unlike the current swap dealer and MSP BCDR rule, the proposed requirements would not require the BCDR plan to be audited at least once every three years by a qualified third-party service.

The ORF proposal would be codified in new CFTC Regulation 1.13 for FCMs and existing Regulation 23.603 for swap dealers and MSPs.

Public comments must be submitted on or before March 2, 2024.

The content of this article is intended to provide a general guide to the subject matter.