Last week, the Staff of the Commodity Futures Trading Commission (CFTC) issued Staff Advisory 14-21 on the subject of “Gramm-Leach-Bliley Act Security Safeguards.” The CFTC had issued guidance previously in Part 160 of the CFTC’s regulations on “Privacy of Consumer Financial Information” (April 27, 2001). Swap Dealers (SDs) and Major Swap Participants (MSPs) were added to those Part 160 regulatory obligations by the CFTC on July 22, 2011. The fact that the Commission “at this time…believes it important to outline recommended best practices for covered financial institutions” is noteworthy, especially in light of its overburdened staff which has focused on other issues such as electronic or automated trading. It demonstrates that cybersecurity is a significant issue in the financial industry and that the CFTC wants to be relevant to and actively participate in the discussion of cybersecurity.
As noted in Staff Advisory 14-21, its provisions reflect similar guidance from the Federal Financial Institutions Examination Council and the Federal Trade Commission and draft guidance from the Securities and Exchange Commission. The “recommended best practices” include maintaining a written information security and privacy program, designating an employee with management responsibility for security and privacy who “is part of or reports directly to senior management or the Board of Directors,” identifying risks and implementing safeguards to address those risks, training staff, regularly testing such controls as access management, use of encryption, and incident detection and response, retaining an independent party to evaluate the controls on a regular basis, and re-evaluating the program at intervals. Three additional practices that reflect increasing emphasis by other regulators include supervision of third-party service providers, including security-related contract requirements, establishing a breach response process, and providing an annual assessment of the program to the Board of Directors.
The CFTC’s Division of Swap Dealer and Intermediary Oversight, which issued Staff Advisory 14-21, will “enhance its audit and review standards as it continues to focus more resources on GLBA Title V compliance.” This echoes recent statements from the Financial Industry Regulatory Authority in a January 2014 Targeted Examination Letter on Cybersecurity, and the SEC’s announcement that it will conduct a round table later this month on cybersecurity issues.
The “covered entities” that are subject to Staff Advisory 14-21 (futures commission merchants (FCMs), commodity trading advisors (CTAs), commodity pool operators (CPOs), introducing brokers (IBs), retail foreign exchange dealers, SDs and MSPs) are not consumer-facing, but they are part of the financial system. For banks and other large financial institutions, Staff Advisory 14-21 will support the goal of maintaining comprehensive, consistent security and privacy standards throughout the enterprise. Other firms, such as broker-dealers, asset managers and insurance companies, which have not been subject to the same level of regulation on security and privacy matters as national banks, should see this as just one more indication that all financial institutions will eventually be expected, through regulation or industry practice, to implement and maintain the essential elements of an information security program. In this respect, it would not be surprising to see the SEC re-issue the draft Regulation S-P for public comment and implementation.
For others in the commodities world that have not yet focused on the security of personal (or proprietary) information, Staff Advisory 14-21 will add compliance obligations on top of their other new regulatory responsibilities to the CFTC. For example, major players in the energy, agriculture and metals commodity trading industries have only recently begun to register as SDs, MSPs or other registered entities, and more registered entities are expected in the near future. In addition to the CFTC’s recordkeeping, reporting and other business conduct obligations that these entities have only recently had to take on, they can now add regulatory compliance obligations related to the security of personal (or proprietary) information under Part 160 and the recommended best practices in Staff Advisory 14-21.
While the focus of Staff Advisory 14-21 is on personal information, the recommended practices apply equally to sensitive proprietary information that any financial or commodities firm would want to protect. In the past, a firm may have considered it prudent to implement some level of information security and privacy practices. Now, firms can expect to be subject to government audit in those areas.