Partly in response to a 2023 cyberattack on a widely used third-party service provider to several financial services firms, the Commodity Futures Trading Commission (CFTC) has proposed new requirements and guidance for swap dealers, major swap participants, and futures commission merchants (collectively, “Covered Entities”) to establish frameworks reasonably designed to identify, monitor, manage and assess three types of operational risks:
- risks related to information and technology security;
- risks related to the engagement of third-party relationships; and
- other extraordinary disruptions to normal business operations (e.g., power outages, natural disasters, pandemics).
The CFTC refers to this new proposed framework as an “operational resilience framework” or “ORF.”
Of note, the ORF proposal seemingly combines and expands on aspects of various requirements already applicable to Covered Entities. For instance, during the December 15, 2023, open meeting, CFTC Chairman Rostin Behnam noted that these requirements partially overlap with the CFTC’s existing risk management program (RMP) requirements, which he conceded should be updated to address more current risks and business practices. In addition, several CFTC commissioners and staff noted that existing National Futures Association (NFA) rules require that Covered Entities comply with requirements relating to information systems security programs (ISSP). The NFA’s ISSP requirements, however, apply only with respect to one of the three risks identified in the ORF proposal.
Also at the public meeting, Chairman Behnam and several CFTC commissioners commented that the ORF proposal is intended to be flexible enough to accommodate Covered Entities of different sizes, firms with varying degrees of complexity, and Covered Entities with global operations. To that end, the ORF proposal is modeled after an approach adopted by US prudential regulators and is principles-based. That is, it is designed to be adaptable to diverse institutions so that, for example, Covered Entities operating within larger corporate structures could rely on ORFs that apply at an enterprise level, while smaller Covered Entities could establish ORFs that apply at an individual registration/entity level. Moreover, CFTC staff, during their presentation of the proposal, stated that the proposal takes into consideration existing standards and guidance developed by the Financial Stability Board and the International Organization of Securities Commissions so as to be consistent with equivalent rules in other jurisdictions.
Some of the ORF proposal’s most notable elements are summarized below.
- Primary Components of ORFs. As noted above, ORFs would include an information and technology security program, a third-party relationship program and a business continuity and disaster recovery (BCDR) plan. Similar to CFTC risk management program rules, ORFs would be required to address issues related to governance, training, testing and recordkeeping. The ORF proposal would require Covered Entities to follow “generally accepted standards and best practices” in establishing, implementing and maintaining their ORFs.
- Notifications to Customers/Counterparties. The ORF proposal would require that Covered Entities make certain notifications to the CFTC and to customers or counterparties. In particular, the CFTC notification requirement would arise when “any incident that adversely impacts or is reasonably likely to adversely impact: information and technology security; the ability of the covered entity to continue its business activities as a covered entity; or the assets or positions of a customer or counterparty.” Covered Entities would also need to notify the CFTC of any determination to activate their BCDR plan. The timing of the CFTC notification would be as soon as possible, but in any event, no later than 24 hours after the incident has been detected or the BCDR plan has been activated, as appropriate. Customers or counterparties would need to be notified as soon as possible of any incident that is reasonably likely to have adversely affected the confidentiality or integrity of their covered information, assets or positions.
- Guidance Related to Risk Management of Third-Party Relationships. The proposal’s guidance on managing the risk arising from third-party relationships appears to be more prescriptive than other aspects of the proposal. This guidance is included in an appendix that would mandate that Covered Entities, among other things, assess the ability of third-party service providers to deliver contracted services to an acceptable standard and review the operational risk management practices of potential third-party service providers with respect to their subcontractors. Notably, this more prescriptive approach to setting forth risk management requirements for third-party risk differs from the agency’s approach to the other risks addressed in the proposal.
- Risk Tolerance Limits and Risk Appetite. The ORF proposal requires Covered Entities to establish, and monitor compliance with, their risk tolerance limits and risk appetite with respect to the three operational risk areas. In particular, the ORF proposal defines risk tolerance limits as “the amount of risk, beyond its risk appetite, that a [Covered Entity] is prepared to tolerate through mitigating actions.” The ORF proposal also includes a definition of the term risk appetite, which the agency has not previously defined in its regulations: “the aggregate amount of risk a [Covered Entity] is willing to assume to achieve its strategic objectives.” It is unclear how these terms differ from the intended usage and implementation of the same terms in the CFTC’s existing RMP rules for Covered Entities.
- Attestations for Enterprise-Wide or Consolidated Firms. For Covered Entities that rely on an enterprise-wide ORF, the proposal requires each such covered entity’s senior officer, oversight body, or senior-level official to provide an annual attestation to the effect that the enterprise-wide program meets CFTC requirements and reflects the risk appetite and risk tolerance limits appropriate to the swap dealer or FCM.
- New BCDR Requirements. The ORF proposal includes a new BCDR requirement for FCMs and seeks to amend the current BCDR plan requirement for swap dealers and MSPs in CFTC Rule 23.603. The proposed BCDR plan would need to be reasonably designed to enable the Covered Entity to continue or resume normal business operations with minimal disruption to customers and the markets and to recover and make use of covered information, as well as other data, information, or documentation required to be maintained by law and regulation. Unlike the current swap dealer and MSP BCDR rule, the proposed requirements would not require the BCDR plan to be audited at least once every three years by a qualified third-party service.
The ORF proposal would be codified in new CFTC Regulation 1.13 for FCMs and existing Regulation 23.603 for swap dealers and MSPs.
Public comments must be submitted on or before March 2, 2024.