CFTC And SEC Announce Focus On Cybersecurity

From: Jones Day

Article by Robert W. Gaffey, Joan E. McKown, Mauricio F. Paez, Paul M. Green, Bart Green, Zachary M. Werner and Stephen J. Obie

Recent steps by the Commodity Futures Trading Commission (“CFTC”) and the Securities and Exchange Commission (“SEC”) show that both agencies will increase their focus on cybersecurity issues going forward. The CFTC’s Division of Swap Dealer and Intermediary Oversight (“DSIO”) recently issued recommended best practices for securing financial information in compliance with Title V of the Gramm-Leach-Bliley Act (“GLBA”).1 Staff-Advisory 14-21 provides covered financial institutions with guidance for required administrative, technical, and physical safeguards and establishes the CFTC as an emerging player in the regulation of data security. In addition, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) recently announced that its 2014 Examination Priorities included a focus on cybersecurity and that it intends to examine the cybersecurity practices of more than 50 registered broker-dealers and investment advisors as part of an overall assessment of the cybersecurity preparedness of the securities industry.2 Entities subject to the jurisdiction of the SEC or the CFTC should, in turn, expect to devote increased time and resources to cybersecurity matters.

CFTC’s DSIO Best Practices

Congress enacted Title V of the GLBA in 1999 to ensure that financial institutions protect the security and confidentiality of their customers’ nonpublic personal information. The CFTC was deemed a federal financial regulator with responsibility for implementing Title V with the passage of the Commodity Futures Modernization Act of 2000. Under Part 160, issued in 2001, the CFTC promulgated its first Title V privacy rules, mandating that covered entities “adopt policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information.” Today, covered entities include futures commission merchants, commodity trading advisors, commodity pool operators, introducing brokers, retail foreign exchange dealers, swap dealers, and major swap participants. 

Not surprisingly, given the daily barrage of news coverage concerning data breaches and hackings, the CFTC’s DSIO wrote that “at this time … it [is] important to outline recommended best practices for covered financial institutions to comply with Title V and Part 160 of the Commission’s regulations concerning security safeguards.” The CFTC’s DSIO advised that each covered entity develop, implement, and maintain a written information security and privacy program that is appropriate to its size, complexity, and scope of activities. According to the CFTC’s DSIO, covered entities should, “at a minimum,” abide by the following best practices: 

Read Complete Article
