CFTC approves rules to strengthen cyber resilience in financial markets

US exchanges, clearing houses, trade repositories and dealing platforms will have to test their systems for cyber-vulnerabilities at least once a quarter under new rules approved by the Commodity Futures Trading Commission.

The unanimous vote in favour of the enhanced provisions was welcomed by CFTC chair Timothy Massad, who described the risk of cyberattacks as “the single greatest threat to the stability and integrity of our markets today”.

Under the rules, firms must probe their systems for loopholes at least once a quarter and conduct annual breach recovery tests. External auditors must also be contracted for annual penetration testing to identify weaknesses in perimeter defences that cyber attackers could overcome.

“The rules we have finalised today will apply to the core infrastructure in our markets — the exchanges, clearinghouses, trading platforms, and trade repositories,” says Massad. “As regulators, we must not just look backwards to address the causes of past failures or crises. We also must look ahead—ahead to the new opportunities and challenges facing our markets. Financial markets constantly evolve, and we must ensure our regulatory framework is adapting to these changes.”