Vendors under new scrutiny in CFTC due diligence push

The planned cyber resilience regime will force dealers to subject “critical” tech vendors to stricter audits.

Suppliers of trading technology are nervous of the effect of an impending cyber security rule that would force swaps dealers to tighten due diligence standards, with some vendors suggesting service contracts may be thrown into doubt.

The issue of cyber security in cleared trades rose to the fore earlier this year when trading tech giant Ion Group was compromised by hackers, leaving 42 customers unable to access key services and supervisors demanding answers for the outages which held up regulatory reporting.

The chief executive of a post-trade vendor says that since the Ion incident, renewed scrutiny from regulators “is hitting every vendor in the face”.

“Regulated broker-dealers, FCMs [futures commission merchants] and banks have always had vendor due diligence obligations. What has changed is that they hadn’t totally contemplated that individual vendor outages could give rise to systemic risk in the market. Now, we’re all being held to account for the risk,” adds the chief exec.

The Commodity Futures Trading Commission has been working on its first cyber rule for swap dealers and FCMs since November 2022. Christy Goldsmith Romero, a CFTC commissioner and key architect of the rule-making, says the proposal now looks set to miss an original September deadline, but will be released in the “next upcoming months”. An open meeting will require majority approval by the CFTC’s five commissioners. The rule will then go out for public comment.

“I don’t want us to have delay on this, because what we’re seeing is a real increase in significance of the cyber threat,” Goldsmith Romero says.

Christy Goldsmith Romero, CFTC: “Could [the proposed rule] ultimately result in contracts being terminated or not picked up? Potentially”

Some FCMs have already changed internal policies based on third-party risk management requirements in other jurisdictions. The European Union has rubber-stamped its Digital Operational Resilience Act, or Dora, and the new regime will apply from the start of 2025.

But the CFTC proposal may lead to changes in service-level agreements or could even result in financial firms switching providers. That is because the rule may require FCMs to conduct more stringent due diligence of their vendors. If FCMs need to request more audits, and these are not covered by the existing service-level agreement, it likely will require contractual changes which would be unpopular with vendors.

“If the FCM doesn’t have the rights of audit that are required I think they won’t be able to use certain vendors. That’s been the dialogue whether it’s Ion or any other vendor, under these new operational resiliency regimes like Dora, or the CFTC’s pending rules,” says the chief exec of the vendor.

Critical thinking

Goldsmith Romero is proposing that the rule-making require banks and brokers to draw up a list of critical third-party vendors and subject them to stricter scrutiny.

“For the critical vendors, it may be that they’ve got access to your system, more sensitive data, you need them to conduct your business and comply with your regulatory obligations. So the idea that I would propose, in line with industry standards, would be that banks and brokers would conduct heightened due diligence standards on those vendors that they deemed to be critical.”

Vendors have told the CFTC that they get many different audit requests and the commissioner says the proposed rule will “probably discuss the use of generally accepted standards”, such as using SOC 2 audits.

System and Organization Controls audits are independent assessments of the risks associated with using service organizations. The second – of three – levels of SOC audits assesses third parties’ security, availability, processing integrity, confidentiality and privacy controls.

“I think a lot of the vendors are used to that,” says Goldsmith Romero, but she adds that critical vendors may face “heightened due diligence, more audits and more reviews”.

Asked if the rule could mean FCMs cut ties with vendors that aren’t cooperative, she says: “What I propose is that the regulatory requirement be that you have a cyber resilience plan that is appropriate to the risks that you face, and proportionate in terms of the scope of that risk. Within that there’s due diligence, there’s contracting provisions. But I think, ultimately, each FCM or each bank/swap dealer has got to make those decisions for themselves.

“They could ultimately be held responsible for not doing the due diligence. Could that ultimately result in contracts being terminated or not picked up? Potentially, but I don’t think that would be us specifying as a regulatory agency.”

The buck stops at the top

Goldsmith Romero hopes the proposed rule that gets approved by the Commission adopts the “five pillars of cyber resilience” that she shared in a speech in June. “Each bank and broker needs to determine what are the specific risks that they face, and what are the specific steps that they need to take in order to ensure that they are cyber resilient.”

“We are as a government moving away from this mentality that the focus is on responding to a cyber incident. The idea is to get ahead of that and try to put in play the abilities for someone to be resilient, which means they can bounce back from setbacks quickly.”

That means, she says, banks and brokers need to think about adopting generally accepted standards such as ISO best practices and guidelines from the US Department of Commerce’s National Institute of Standards and Technology. NIST is also exploring how to guard against the hacking threat posed by quantum computers.

Goldsmith Romero believes a key issue in terms of governance is who makes decisions at a bank or broker about its cyber resilience plan. “It shouldn’t be just at the level of chief information security officer,” she says. Rather, decisions on cyber resilience should involve management and the board.

An executive at a US FCM says the firm already asks its own questions of vendors via its cyber security and chief information security office, but questions how far the rule will extend. For example, the executive wonders whether the rule could encompass clearing houses as third-party vendors, and so whether FCMs would be required to audit the cyber security of clearing houses.

Risk of overlap

Other FCMs say they are concerned that the CFTC could introduce rules that differ from those imposed by other regulatory agencies.

The head of clearing at a second FCM hopes the CFTC rule will be principles-based, and says it has had conversations with regulators not just in the US but globally around cyber risks. The second FCM would not want to be “subject to duplicative and overlapping regulations, which would hinder our ability to become more sophisticated in this space, because all of the focus would be on being compliant with something”.

The US Securities and Exchange Commission has proposed a new set of cyber risk management rules for the entities it regulates. Critics say there is a risk of duplication with other regulatory agencies that have already imposed cyber risk rules, especially prudential regulators.

An executive at a third FCM says that as it is supervised by the Federal Reserve it is obligated to maintain third-party risk management programs. “So we already have the concept of risk rating and periodic reassessments depending on the rating of a particular vendor. My hope would be that there would be significant alignment amongst the US agencies to make sure that there was no gold-plating from the CFTC perspective on whatever the Federal rule may be.”

Goldsmith Romero says the CFTC is “looking to harmonize with what’s already out there” in terms of requirements from banking regulators, for example. She adds that the rule will be “very principles-based” and will recognize that operational resilience plans are crafted at an enterprise level. “We’re not trying to layer on completely new cyber requirements. We’re trying to have a seat at the table and be one of the regulators that is involved in ensuring that the banks and brokers registering with us are thinking through these things.”
