(a) A designated contract market's program of risk analysis and oversight with respect to its operations and automated systems shall address each of the following categories of risk analysis and oversight:
(1) Enterprise risk management and governance. This category includes, but is not limited to: Assessment, mitigation, and monitoring of security and technology risk; security and technology capital planning and investment; board of directors and management oversight of technology and security; information technology audit and controls assessments; remediation of deficiencies; and any other elements of enterprise risk management and governance included in generally accepted best practices.
(2) Information security. This category includes, but is not limited to, controls relating to: Access to systems and data (including least privilege, separation of duties, account monitoring and control); user and device identification and authentication; security awareness training; audit log maintenance, monitoring, and analysis; media protection; personnel security and screening; automated system and communications protection (including network port control, boundary defenses, encryption); system and information integrity (including malware defenses, software integrity monitoring); vulnerability management; penetration testing; security incident response and management; and any other elements of information security included in generally accepted best practices.
(3) Business continuity-disaster recovery planning and resources. This category includes, but is not limited to: Regular, periodic testing and review of business continuity-disaster recovery capabilities, the controls and capabilities described in paragraphs (c), (d), (j), and (k) of this section; and any other elements of business continuity-disaster recovery planning and resources included in generally accepted best practices.
(4) Capacity and performance planning. This category includes, but is not limited to: Controls for monitoring the designated contract market's systems to ensure adequate scalable capacity (including testing, monitoring, and analysis of current and projected future capacity and performance, and of possible capacity degradation due to planned automated system changes); and any other elements of capacity and performance planning included in generally accepted best practices.
(5) Systems operations. This category includes, but is not limited to: System maintenance; configuration management (including baseline configuration, configuration change and patch management, least functionality, inventory of authorized and unauthorized devices and software); event and problem response and management; and any other elements of system operations included in generally accepted best practices.
(6) Systems development and quality assurance. This category includes, but is not limited to: Requirements development; pre-production and regression testing; change management procedures and approvals; outsourcing and vendor management; training in secure coding practices; and any other elements of systems development and quality assurance included in generally accepted best practices.
(7) Physical security and environmental controls. This category includes, but is not limited to: Physical access and monitoring; power, telecommunication, and environmental controls; fire protection; and any other elements of physical security and environmental controls included in generally accepted best practices.
(b) In addressing the categories of risk analysis and oversight required under paragraph (a) of this section, a designated contract market shall follow generally accepted standards and best practices with respect to the development, operation, reliability, security, and capacity of automated systems.
(c) A designated contract market shall maintain a business continuity-disaster recovery plan and business continuity-disaster recovery resources, emergency procedures, and backup facilities sufficient to enable timely recovery and resumption of its operations and resumption of its ongoing fulfillment of its responsibilities and obligations as a designated contract market following any disruption of its operations. Such responsibilities and obligations include, without limitation: Order processing and trade matching; transmission of matched orders to a designated clearing organization for clearing; price reporting; market surveillance; and maintenance of a comprehensive audit trail. The designated contract market's business continuity-disaster recovery plan and resources generally should enable resumption of trading and clearing of the designated contract market's products during the next business day following the disruption. Designated contract markets determined by the Commission to be critical financial markets are subject to more stringent requirements in this regard, set forth in §40.9 of this chapter. Electronic trading is an acceptable backup for open outcry trading in the event of a disruption. A designated contract market shall update its business continuity-disaster recovery plan and emergency procedures at a frequency determined by an appropriate risk analysis, but at a minimum no less frequently than annually.
(d) A designated contract market that is not determined by the Commission to be a critical financial market satisfies the requirement to be able to resume trading and clearing during the next business day following a disruption by maintaining either:
(1) Infrastructure and personnel resources of its own that are sufficient to ensure timely recovery and resumption of its operations and resumption of its ongoing fulfillment of its responsibilities and obligations as a designated contract market following any disruption of its operations; or
(2) Contractual arrangements with other designated contract markets or disaster recovery service providers, as appropriate, that are sufficient to ensure continued trading and clearing of the designated contract market's products, and ongoing fulfillment of all of the designated contract market's responsibilities and obligations with respect to those products, in the event that a disruption renders the designated contract market temporarily or permanently unable to satisfy this requirement on its own behalf.
(e) A designated contract market must notify Commission staff promptly of all:
(1) Electronic trading halts and significant systems malfunctions;
(2) Cyber security incidents or targeted threats that actually or potentially jeopardize automated system operation, reliability, security, or capacity; and
(3) Activation of the designated contract market's business continuity-disaster recovery plan.
(f) A designated contract market must give Commission staff timely advance notice of all material:
(1) Planned changes to automated systems that may impact the reliability, security, or adequate scalable capacity of such systems; and
(2) Planned changes to the designated contract market's program of risk analysis and oversight.
(g) As part of a designated contract market's obligation to produce books and records in accordance with §1.31 of this chapter, Core Principle 18 (Recordkeeping), and §§38.950 and 38.951, a designated contract market shall provide to the Commission the following system safeguards-related books and records, promptly upon the request of any Commission representative:
(1) Current copies of its business continuity-disaster recovery plans and other emergency procedures;
(2) All assessments of its operational risks or system safeguards-related controls;
(3) All reports concerning system safeguards testing and assessment required by this chapter, whether performed by independent contractors or by employees of the designated contract market; and
(4) All other books and records requested by Commission staff in connection with Commission oversight of system safeguards pursuant to the Act or Commission regulations, or in connection with Commission maintenance of a current profile of the designated contract market's automated systems.
(5) Nothing in this paragraph (g) shall be interpreted as reducing or limiting in any way a designated contract market's obligation to comply with Core Principle 18 (Recordkeeping) or with §1.31 of this chapter, or with §38.950 or §38.951.
(h) A designated contract market shall conduct regular, periodic, objective testing and review of its automated systems to ensure that they are reliable, secure, and have adequate scalable capacity. It shall also conduct regular, periodic testing and review of its business continuity-disaster recovery capabilities. Such testing and review shall include, without limitation, all of the types of testing set forth in this paragraph (h). A covered designated contract market, as defined in this section, shall be subject to the additional requirements regarding minimum testing frequency and independent contractor testing set forth in this paragraph (h).
(1) Definitions. As used in paragraph (h) of this section:
Controls means the safeguards or countermeasures employed by the designated contract market in order to protect the reliability, security, or capacity of its automated systems or the confidentiality, integrity, and availability of its data and information, and in order to enable the designated contract market to fulfill its statutory and regulatory responsibilities.
Controls testing means assessment of the designated contract market's controls to determine whether such controls are implemented correctly, are operating as intended, and are enabling the designated contract market to meet the requirements established by this section.
Covered designated contract market means a designated contract market whose annual total trading volume in calendar year 2015, or in any subsequent calendar year, is five percent (5%) or more of the combined annual total trading volume of all designated contract markets regulated by the Commission for the year in question, based on annual total trading volume information provided to the Commission by each designated contract market pursuant to the procedure set forth in this chapter. A covered designated contract market that has annual total trading volume of less than five percent (5%) of the combined annual total trading volume of all designated contract markets regulated by the Commission for three consecutive calendar years ceases to be a covered designated contract market as of March 1 of the calendar year following such three consecutive calendar years.
Enterprise technology risk assessment means a written assessment that includes, but is not limited to, an analysis of threats and vulnerabilities in the context of mitigating controls. An enterprise technology risk assessment identifies, estimates, and prioritizes risks to designated contract market operations or assets, or to market participants, individuals, or other entities, resulting from impairment of the confidentiality, integrity, and availability of data and information or the reliability, security, or capacity of automated systems.
External penetration testing means attempts to penetrate the designated contract market's automated systems from outside the systems' boundaries to identify and exploit vulnerabilities. Methods of conducting external penetration testing include, but are not limited to, methods for circumventing the security features of an automated system.
Internal penetration testing means attempts to penetrate the designated contract market's automated systems from inside the systems' boundaries, to identify and exploit vulnerabilities. Methods of conducting internal penetration testing include, but are not limited to, methods for circumventing the security features of an automated system.
Key controls means those controls that an appropriate risk analysis determines are either critically important for effective system safeguards or intended to address risks that evolve or change more frequently and therefore require more frequent review to ensure their continuing effectiveness in addressing such risks.
Security incident means a cyber security or physical security event that actually jeopardizes or has a significant likelihood of jeopardizing automated system operation, reliability, security, or capacity, or the availability, confidentiality or integrity of data.
Security incident response plan means a written plan documenting the designated contract market's policies, controls, procedures, and resources for identifying, responding to, mitigating, and recovering from security incidents, and the roles and responsibilities of its management, staff and independent contractors in responding to security incidents. A security incident response plan may be a separate document or a business continuity-disaster recovery plan section or appendix dedicated to security incident response.
Security incident response plan testing means testing of a designated contract market's security incident response plan to determine the plan's effectiveness, identify its potential weaknesses or deficiencies, enable regular plan updating and improvement, and maintain organizational preparedness and resiliency with respect to security incidents. Methods of conducting security incident response plan testing may include, but are not limited to, checklist completion, walk-through or table-top exercises, simulations, and comprehensive exercises.
Vulnerability testing means testing of a designated contract market's automated systems to determine what information may be discoverable through a reconnaissance analysis of those systems and what vulnerabilities may be present on those systems.
(2) Vulnerability testing. A designated contract market shall conduct vulnerability testing of a scope sufficient to satisfy the requirements set forth in paragraph (k) of this section.
(i) A designated contract market shall conduct such vulnerability testing at a frequency determined by an appropriate risk analysis. At a minimum, a covered designated contract market shall conduct such vulnerability testing no less frequently than quarterly.
(ii) Such vulnerability testing shall include automated vulnerability scanning, which shall follow generally accepted best practices.
(iii) A designated contract market shall conduct vulnerability testing by engaging independent contractors or by using employees of the designated contract market who are not responsible for development or operation of the systems or capabilities being tested.
(3) External penetration testing. A designated contract market shall conduct external penetration testing of a scope sufficient to satisfy the requirements set forth in paragraph (k) of this section.
(i) A designated contract market shall conduct such external penetration testing at a frequency determined by an appropriate risk analysis. At a minimum, a covered designated contract market shall conduct such external penetration testing no less frequently than annually.
(ii) A covered designated contract market shall engage independent contractors to conduct the required annual external penetration test. The covered designated contract market may conduct other external penetration testing by using employees of the covered designated contract market who are not responsible for development or operation of the systems or capabilities being tested.
(iii) A designated contract market which is not a covered designated contract market shall conduct external penetration testing by engaging independent contractors or by using employees of the designated contract market who are not responsible for development or operation of the systems or capabilities being tested.
(4) Internal penetration testing. A designated contract market shall conduct internal penetration testing of a scope sufficient to satisfy the requirements set forth in paragraph (k) of this section.
(i) A designated contract market shall conduct such internal penetration testing at a frequency determined by an appropriate risk analysis. At a minimum, a covered designated contract market shall conduct such internal penetration testing no less frequently than annually.
(ii) A designated contract market shall conduct internal penetration testing by engaging independent contractors, or by using employees of the designated contract market who are not responsible for development or operation of the systems or capabilities being tested.
(5) Controls testing. A designated contract market shall conduct controls testing of a scope sufficient to satisfy the requirements set forth in paragraph (k) of this section.
(i) A designated contract market shall conduct controls testing, which includes testing of each control included in its program of risk analysis and oversight, at a frequency determined by an appropriate risk analysis. Such testing may be conducted on a rolling basis. At a minimum, a covered designated contract market shall conduct testing of its key controls no less frequently than every three years. The covered designated contract market may conduct testing of its key controls on a rolling basis over the course of three years or the period determined by such risk analysis, whichever is shorter.
(ii) A covered designated contract market shall engage independent contractors to test and assess the key controls included in its program of risk analysis and oversight no less frequently than every three years. The covered designated contract market may conduct any other controls testing required by this section by using independent contractors or employees of the covered designated contract market who are not responsible for development or operation of the systems or capabilities being tested.
(iii) A designated contract market which is not a covered designated contract market shall conduct controls testing by engaging independent contractors or by using employees of the designated contract market who are not responsible for development or operation of the systems or capabilities being tested.
(6) Security incident response plan testing. A designated contract market shall conduct security incident response plan testing sufficient to satisfy the requirements set forth in paragraph (k) of this section.
(i) A designated contract market shall conduct such security incident response plan testing at a frequency determined by an appropriate risk analysis. At a minimum, a covered designated contract market shall conduct such security incident response plan testing no less frequently than annually.
(ii) A designated contract market's security incident response plan shall include, without limitation, the designated contract market's definition and classification of security incidents, its policies and procedures for reporting security incidents and for internal and external communication and information sharing regarding security incidents, and the hand-off and escalation points in its security incident response process.
(iii) A designated contract market may coordinate its security incident response plan testing with other testing required by this section or with testing of its other business continuity-disaster recovery and crisis management plans.
(iv) A designated contract market may conduct security incident response plan testing by engaging independent contractors or by using employees of the designated contract market.
(7) Enterprise technology risk assessment. A designated contract market shall conduct enterprise technology risk assessment of a scope sufficient to satisfy the requirements set forth in paragraph (k) of this section.
(i) A designated contract market shall conduct an enterprise technology risk assessment at a frequency determined by an appropriate risk analysis. At a minimum, a covered designated contract market shall conduct an enterprise technology risk assessment no less frequently than annually. A designated contract market that has conducted an enterprise technology risk assessment that complies with this section may conduct subsequent assessments by updating the previous assessment.
(ii) A designated contract market may conduct enterprise technology risk assessments by using independent contractors or employees of the designated contract market who are not responsible for development or operation of the systems or capabilities being assessed.
(i) To the extent practicable, a designated contract market shall:
(1) Coordinate its business continuity-disaster recovery plan with those of the members and other market participants upon whom it depends to provide liquidity, in a manner adequate to enable effective resumption of activity in its markets following a disruption causing activation of the designated contract market's business continuity-disaster recovery plan;
(2) Initiate and coordinate periodic, synchronized testing of its business continuity-disaster recovery plan and the business continuity-disaster recovery plans of the members and other market participants upon whom it depends to provide liquidity; and
(3) Ensure that its business continuity-disaster recovery plan takes into account the business continuity-disaster recovery plans of its telecommunications, power, water, and other essential service providers.
(j) Part 46 of this chapter governs the obligations of those registered entities that the Commission has determined to be critical financial markets, with respect to maintenance and geographic dispersal of disaster recovery resources sufficient to meet a same-day recovery time objective in the event of a wide-scale disruption. Section 40.9 of this chapter establishes the requirements for core principle compliance in that respect.
(k) Scope of testing and assessment. The scope for all system safeguards testing and assessment required by this part shall be broad enough to include the testing of automated systems and controls that the designated contract market's required program of risk analysis and oversight and its current cybersecurity threat analysis indicate is necessary to identify risks and vulnerabilities that could enable an intruder or unauthorized user or insider to:
(1) Interfere with the designated contract market's operations or with fulfillment of its statutory and regulatory responsibilities;
(2) Impair or degrade the reliability, security, or adequate scalable capacity of the designated contract market's automated systems;
(3) Add to, delete, modify, exfiltrate, or compromise the integrity of any data related to the designated contract market's regulated activities; or
(4) Undertake any other unauthorized action affecting the designated contract market's regulated activities or the hardware or software used in connection with those activities.
(l) Internal reporting and review. Both the senior management and the Board of Directors of a designated contract market shall receive and review reports setting forth the results of the testing and assessment required by this section. A designated contract market shall establish and follow appropriate procedures for the remediation of issues identified through such review, as provided in paragraph (m) of this section, and for evaluation of the effectiveness of testing and assessment protocols.
(m) Remediation. A designated contract market shall identify and document the vulnerabilities and deficiencies in its systems revealed by the testing and assessment required by this section. The designated contract market shall conduct and document an appropriate analysis of the risks presented by such vulnerabilities and deficiencies, to determine and document whether to remediate or accept the associated risk. When the designated contract market determines to remediate a vulnerability or deficiency, it must remediate in a timely manner given the nature and magnitude of the associated risk.
(n) Required production of annual total trading volume.
(1) As used in this paragraph, annual total trading volume means the total number of all contracts traded on or pursuant to the rules of a designated contract market during a calendar year.
(2) Each designated contract market shall provide to the Commission for calendar year 2015 and each calendar year thereafter its annual total trading volume, providing this information for 2015 within 30 calendar days of the effective date of the final version of this rule, and for 2016 and subsequent years by January 31 of the following calendar year. For calendar year 2015 and each calendar year thereafter, the Commission shall provide to each designated contract market the percentage of the combined annual total trading volume of all designated contract markets regulated by the Commission which is constituted by that designated contract market's annual total trading volume, providing this information for 2015 within 60 calendar days of the effective date of the final version of this rule, and for 2016 and subsequent years by February 28 of the following calendar year.
(3) Delegation of authority. The Commission hereby delegates, until it orders otherwise, to the Director of the Division of Market Oversight or such other employee or employees as the Director may designate from time to time, the authority to provide each designated contract market with its percentage of the total annual trading volume of all designated contract markets regulated by the Commission, as set forth in paragraph (n)(2) of this section. The Director of the Division of Market Oversight may submit to the Commission for its consideration any matter that has been delegated pursuant to this section. Nothing in this section prohibits the Commission, at its election, from exercising the authority delegated in this section.
[77 FR 36700, June 19, 2012, as amended at 81 FR 64312, Sept. 19, 2016; 82 FR 45434, Sept. 29, 2017]