In the face of mounting cyber attacks on financial market participants, the Commodity Futures Trading Commission (CFTC) hosted a Roundtable on Cybersecurity and System Safeguards Testing on March 18 focusing on potential enhancements to further strengthen the resilience of critical market infrastructures such as clearinghouses, exchanges and swap data repositories.
The Depository Trust & Clearing Corporation’s (DTCC) Mark Clancy, Managing Director, interim Chief Information Security Officer and CEO of Soltra, and David LaFalce, Vice President, Global Head of Business Continuity and Crisis Management, participated as panelists during the day-long event.
“Cybersecurity is the most important single issue facing our markets today in terms of market integrity and financial stability,” said CFTC Chairman Timothy Massad in his opening remarks. He added that the roundtable was designed to solicit views on what the CFTC’s role might be in IT systems testing and to identify areas in which the regulator might add value to current cyber readiness practices.
Cybersecurity and IT professionals from across the private and public sectors attended the roundtable to weigh in on a variety of issues in four panels. Clancy participated on two panels, one dedicated to “the need for systems testing in the current cybersecurity environment” and another addressing “key controls testing.” LaFalce helped conclude the event with an in-depth look at business continuity and disaster recovery testing.
Understanding the threat landscape key to systems testing
Clancy noted on his panel that it is essential for organizations to understand the types of cyber threats they face if they are to accurately gauge the effectiveness of system controls and adequately respond to cyber attacks.
“It is essential that we continuously look for exposures in our environment and actively assess how our testing and controls stack up against the latest types of threats that we’re seeing in the marketplace and within our own networks,” Clancy said. He added that DTCC’s system testing incorporates three main components: periodic assessments based on the business and threat landscape; episodic testing; and the continuous measurement of systems to ensure that they are performing as expected.
Clancy also stressed that although current best practices focus on ensuring data confidentiality, “For market infrastructure, integrity of the system and the data is the most important thing. If integrity cannot be assured, the markets cannot operate.”
The roundtable took place as lawmakers on Capitol Hill are considering a variety of legislative proposals to enhance U.S. cybersecurity capabilities – a debate in which DTCC and the financial services industry as a whole continue to be actively involved. In particular, Clancy has been a vocal proponent of developing platforms that encourage information sharing across the public and private sectors, such as Soltra, a joint venture between DTCC and the Financial Services Information Sharing and Analysis Center (FS-ISAC) created to help secure critical infrastructure entities from cyber threats.
Bill Nelson, President and CEO of the FS-ISAC and President of Soltra, also participated in the roundtable and highlighted the success of Soltra in responding to the “time-scale” challenge presented by cyber threats while also improving the reliability of the information that is shared among participating entities.
Enterprise Resilience Testing
LaFalce’s panel focused on challenges related to business continuity management, with panelists noting that the cyber threat today far outweighs concerns related to kinetic or physical attacks that drove programs in the past. As a result, roundtable participants emphasized the increasing need for organizations to focus on enterprise resilience testing that takes into account both traditional physical threats to infrastructure and personnel as well as cyber threats.
LaFalce stressed the need for market infrastructures to be prepared and to have the ability to routinely operate out of multiple data centers and separate “people” centers, as this creates a more resilient environment.
CFTC staff in attendance also noted that the Commission was considering a rulemaking on Business Continuity and Disaster Recovery Testing to ensure that critical infrastructures are sufficiently resilient – a move which prompted concerns among the panelists due to its potential to raise the cost of hosting market infrastructures. As an alternative, LaFalce suggested that the Commission consider the review and reporting of certain resiliency metrics, such as up-time and the capability of firms to conduct production operations out of multiple geographies, in lieu of focusing on testing, which only provides a point-in-time measurement.