CFTC Roundtable on Cybersecurity and System Safeguards Testing

Commodity Futures Trading Commission

Staff Roundtable on Cybersecurity and System Safeguards Testing
Wednesday, March 18, 2015     

Key Topics & Takeaways

  • CFTC Role: Chairman Massad said the CFTC is seeking industry and government agency views on systems testing procedures and thoughts on what the CFTC’s role should be, adding that the CFTC should “add value” and not simply add more work for information technology (IT) specialists. 
  • Political Motivations: CrowdStrike’s Chabinsky said that cyber-attackers can be politically motivated and that state actors, mainly from Russia and China, are targeting intellectual property such as trading algorithms and other information on how the markets work. 
  • Tool of State: White House Cybersecurity Coordinator Daniel said that cyber capabilities are a “key tool of statecraft” and that threats are becoming “broader, more sophisticated, and more dangerous.”  
  • Information Sharing: Treasury’s Peretti said the “state of information sharing is not where it should be” but that work is being done to address and eliminate the industry’s concerns. 

Meeting Participants

  • Tim Massad, CFTC Chairman
  • Christopher Giancarlo, CFTC Commissioner
  • Vincent McGonagle, CFTC
  • Robert Wasserman, CFTC
  • Gerard Brady, Morgan Stanley
  • Mark Clancy, Soltra
  • Brian Peretti, U.S. Treasury Department
  • Leo Taddeo, FBI
  • Michael Daniel, White House Cybersecurity
  • Steven Chabinsky, CrowdStrike
  • William Nelson, FS-ISAC
  • Ron Ross, NIST
  • Tom Miller, US-CERT
  • Murray Kenyon, NSA
  • Jerry Perullo, ICE
  • Ann Barron-DiCamillo, US-CERT
  • Dave Evans, Bank of England
  • Kevin Greenfield, OCC
  • David Garland, CME Group
  • Greg Gist, CitiGroup
  • David LaFalce, DTCC
  • Christopher Kinnahan, US Treasury Department
  • John Rappa, Tellefsen and Company
  • Randy Sabbagh, The Charles Schwab Corporation

Opening Statements

Tim Massad, Chairman of the Commodity Futures Trading Commission (CFTC), stated that cybersecurity is “the most important single issue” for financial stability and noted that interconnectedness in the markets means that an attack on one entity can have repercussions across the financial system. 

Massad said that responsibility for cyber preparedness rests with private institutions when they conduct daily comprehensive work and testing to ensure proper standards are maintained. He noted that the CFTC is seeking industry and government agency views on systems testing procedures and thoughts on what the CFTC’s role should be. He said the CFTC should “add value” and not simply add more work for information technology (IT) specialists. 

Commissioner Christopher Giancarlo added that “making the markets more resilient is essential” and that the comments should inform the CFTC on how to address cybersecurity without negatively affecting market efficiency. 

Panel 1: The Need for Testing in the Current Cybersecurity Environment

William Nelson, President and CEO of the Financial Services Information Sharing and Analysis Center (FS-ISAC), explained that the FS-ISAC shares cyber-attack information, including threat indicators, with the Federal Bureau of Investigation (FBI), the Treasury Department, and the Department of Homeland Security (DHS) but noted that personally identifiable information (PII) is not shared “at all.” He added that the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) are members of the FS-ISAC and said the CFTC should consider joining the group. 

Nelson noted that there are “time scale challenges” that arise because bad actors can attack a system in a matter of seconds, whereas firms can take days to respond. He noted that FS-ISAC is working with the Depository Trust & Clearing Corporation (DTCC) to create automated processes to increase reaction times. 

Steven Chabinsky, General Counsel and Chief Risk Officer of CrowdStrike, said that the cybersecurity landscape “evolves constantly” and noted the financial services industry has shown “good resiliency.” He said that most attacks are focused on user accounts but that there is a shift towards more destructive actions, such as Denial of Service (DoS) attacks. He also mentioned that attackers can be politically motivated and that state actors, mainly from Russia and China, are targeting intellectual property such as trading algorithms and other information on how the markets work. 

Michael Daniel, Special Assistant to the President and White House Cybersecurity Coordinator, said that cyber is a “key tool of statecraft” and that threats are becoming “broader, more sophisticated, and more dangerous.”  He also explained that organized crime has been moving into the cyber arena, which has led to the “industrialization of hacking.” 

Leo Taddeo, Special Agent in Charge of the Special Operations/Cyber Division of the FBI, said that cyber attackers are rational and will “avoid a hardened target,” seeking instead to attack the weakest link in a system. He said that penetration testing, where a company pays a third party to find weak points and break into its system, is critical. Taddeo then said he wanted to dispel the myth that the FBI takes over control of a company’s network if it is called in after a cyber-attack. He stressed that the FBI works with network operators and does not disrupt business functioning. He added that the FBI wants financial institutions to report problems even if it is not required. 

Brian Peretti, Director of the Office of Critical Infrastructure Protection and Compliance Policy at the U.S. Treasury Department, noted that the Financial and Banking Information and Infrastructure Committee (FBIIC) is an interagency working group of federal and state financial regulators where information about cyber-attacks can be shared, but said the “state of information sharing is not where it should be.” He said the FBIIC is working with the private sector to determine what concerns they have with information sharing, in order to eliminate these concerns. He also noted that work is being done to push information directly into companies’ systems to allow network operators to have the information faster. 

Daniel added that this direct feed of information would use a common format across the government and across industries to make archiving data more effective. He noted that work is being done to break down each of the data fields to address PII concerns. 

Mark Clancy, CEO of Soltra and Managing Director at the DTCC, said that “white listing” programs, or approving use of a limited number of good programs, along with reducing administrative access for employees can address approximately 85 percent of cybersecurity problems. He also stressed the need for companies to perform assessments based on business changes, conduct episodic testing, and conduct continuous measurement of whether systems are performing as expected. 

Gerard Brady, Head of IT Security and Chief Information Security Officer at Morgan Stanley, stressed that cyber-attacks can be “profoundly impactful” and that the interconnected nature of the financial system makes diagnostic assessments difficult. He noted that the weakest link of a system will be part of the company’s ecosystem and that all elements of an organization’s supply chain need to be assessed for vulnerabilities. Brady said that information sharing is “getting better every day” but that incident response is in its “early days” and recovery is difficult. 

Peretti agreed, saying that the risk of a counterparty is “still your risk” and thus it is more important to protect the system as a whole than to protect any one entity. 

Clancy said that best practices are currently tailored for confidentiality of information but stressed that emphasis should instead be placed on integrity of the system. He also stressed that the human element is unpredictable as employee training can only go so far in minimizing the potential for workers to click on malicious links or attachments. 

Daniel noted that it is rare to see a network that is truly disconnected, even if it is not connected to the internet at all, noting that there are usually exceptions for certain vendors who can connect to a company’s network. He then explained that it is very difficult to find out where single points of failure may lie in a network because of the “chaotic and complex” connections that exist. He predicted that more vulnerabilities, similar to the Heartbleed bug, will be exposed in the utilities of the internet in the future. 

Panel 2: Vulnerability and Penetration Testing

Kevin Greenfield, Director for Bank Information Technology in the OCC’s Operational Risk Policy Division, explained that the OCC is part of the Federal Financial Institutions Examination Council (FFIEC) along with all of the other banking regulatory agencies in the U.S. to supervise critical service providers in the financial markets.  He stressed the importance for firms to use vulnerability assessments to make sure proper software and patches are in place and to engage in penetration testing to find their system’s vulnerabilities. 

Vincent McGonagle, Director of the Division of Market Oversight at the CFTC, asked how companies decide what is the most effective testing to consider and whether this determination is coordinated with a risk mitigation analysis. 

Chabinsky said the determination is made through a dialogue between his firm and its client, where specialists like his firm engage with internal cybersecurity teams at a company. He said that penetration testing is a scientific process that is automated, logged, and repeatable. 

Dave Evans, Senior Manager of Sector and Supervisory Cyber Support for the Bank of England, explained that the Bank of England developed “CBEST” as a framework to improve integrity and testing and that it was designed with transparency at its “heart.” He noted that the regulator and the entity being regulated both determine the scope of penetration tests. 

Ann Barron-DiCamillo, Director of the U.S. Computer Emergency Readiness Team (CERT) at the DHS, noted that CERT has interaction with the financial services industry through the FS-ISAC and can share information that they see in other sectors of the economy, such as healthcare. She mentioned that CERT looks for robustness of systems and proper cyber “hygiene,” such as common controls, network segmentation, and proper administrative privileges. She also noted that CERT has seen problems with systems not updated over time. 

Jerry Perullo, Chief Information Security Officer at Intercontinental Exchange (ICE), said the CBEST framework is excellent. He then noted there are challenges when a regulator is involved in testing exercises because the goal of a firm when a regulator is present is to pass the test, but when engaging a third party for a penetration test the company wants to fail, to learn about vulnerabilities. He also noted that regulators have limited jurisdiction because testing takes place across global networks. 

Evans said the role of the Bank of England as a regulator is to be an observer that knows the process, can monitor it, and make sure the framework is adhered to. He also said it acts in a supervisory role to review remediation plans. 

Brady mentioned that penetration tests can flag many vulnerabilities but that a company may not remediate every one of them if they are within the firm’s risk tolerance level. Perullo added that firms cannot be on the record with their regulator saying that a vulnerability is not a problem. 

Robert Wasserman, CFTC Chief Counsel of the Division of Clearing and Risk, said the CFTC would likely ask why the firm believed the vulnerability was not a problem and would move forward if it got a good answer. He added that he did not think the CFTC would impose a burden to address 100 percent of vulnerabilities. 

Murray Kenyon, National Security Agency (NSA) Information Assurance Directorate, explained that the NSA has started working with other government agencies to support the protection of critical infrastructure and said that standardization of patch management should be “job one.” He also said that restricting administrative access, segmenting accounts, and minimizing user privileges are important steps to take. He noted that the NSA has a National Security Cyber Assistance Program currently composed of 10 private partners that have met specific cybersecurity standards, and said another round of applications for companies to join will open on March 23, 2015. 

Panel 3: Key Controls Testing

Tom Miller, US-CERT, said some key controls that his organization has seen lacking in the last couple of years are proper network segmentation and use of the “rule of least privilege,” which limits the level of privilege for an employee to only the level needed to do his/her job. He said that companies are not sustaining their safeguards over time as new systems get deployed and employees change job function. 

Ron Ross, Fellow at the National Institute of Standards and Technology (NIST), said organizations should focus on management, technical, and operational controls and have a contingency plan in place before anything goes wrong. He noted that NIST’s Publication 800-53 is a flexible framework that ranges across the full spectrum of controls and allows companies to customize and tailor controls to their needs. 

Clancy highlighted that daily business operates at an aggregated level but that things go wrong at a granular level. He stressed the need to use white lists for software, remove access rights for employees, and have separate administrative environments. He also stated that “humans will always be the weakest link” and thus cybersecurity awareness among employees is very important. 

Greenfield said that organizations should have network architecture strategies because as technology evolves many environments will be built on top of existing structures that may be vulnerable. 

Clancy explained that there is an incentive to use “flat networks” because they are easy to operate on a daily basis but noted they are more vulnerable to attacks. He said that an important decision for organizations is how to balance risk management with costs. 

Wasserman asked what key controls testing accomplishes and if the industry would need time to develop them, thus requiring a rule implementation timeline. 

Perullo said that existing testing methods should be used and the CFTC could make sure that controls include these tests, adding that a next step could be documentation. Clancy said that building these tests would take different amounts of time depending on the maturity of the organizations’ cybersecurity practices.  Ross said that contingency plans should be a key control.

Clancy then stressed the need to have information shared about attacks across sectors so that lessons learned at one organization can be adopted by the others across industries and cybersecurity practices can be constantly refined. Miller said that this type of information sharing is what CERT is trying to encourage. 

The panel also agreed that a hybrid approach to penetration testing, involving internal and third party teams, is the best way to ensure vulnerabilities are detected. 

When asked how much controls and testing costs, Clancy noted that average spending for these tests ranges from about one to five percent of an organization’s IT budget. He also said that information inquiries about testing processes can come from a range of parties from regulators to clients, but noted there is not harmonization of information included in these requests. 

McGonagle asked if there is some type of certification of testing that can be used to allow companies to respond to inquiries with standardized documentation. 

Clancy said this type of standard assessment is a kind of “holy grail” that the industry is trying to get to. Perullo said that it may help if the CFTC put “its weight” behind one standard format or framework. 

Panel 4: Business Continuity and Disaster Recovery

On the next panel, participants discussed the current challenges impacting business continuity and disaster recovery. Panelists discussed the changing landscape of threats, noting that cyber-attacks have become more of a concern than physical disaster scenarios. As such, they expressed the view that business continuity testing must evolve to address these new issues, though it will be important to continue to prepare for traditional threats, such as storms, transportation outages, and earthquakes. Panelists went on to discuss some of the key differences between physical threats to business continuity versus cyber threats. One notable difference discussed was the fact that, unlike physical events, cyber attacks are planned, intentional and varied, thus making them more difficult to defend against. 

The panel went on to discuss the need for current intelligence and awareness regarding the latest threats. It was stated that the Treasury and FS-ISAC are important sources of information, but that discussion within the industry is critical for resiliency. A panelist noted that where threats are detected, communication between exchanges and clearinghouses and their members is vital. It was also noted that market participants should speak to employees at their own firms to determine where they are most vulnerable. 

Panelists described the difficulties of testing for a constantly evolving threat, especially considering the limited time and resources available to conduct the necessary exercises.  It was stated that while “end-to-end” testing is ideal, given the time needed for different exercise cycles (i.e., T+1 versus T+3) it is problematic. 

Outsourcing concerns were discussed next. Panelists highlighted that the risks posed by third party vendors were just as serious a threat as those faced internally. It was noted that one outside vendor has the potential to negatively impact an entire organization. This is especially true for many small to mid-sized organizations, which rely on third party vendors. Further, given market interconnections and supply chains, threats to such small and mid-sized firms can impact larger market participants as well, they said. CFTC staff noted that rules currently say that outsourcing does not relieve regulated entities of their responsibility. 

CFTC staff next asked panelists to discuss how regulatory “best practices” may serve to stem threats, and how regulators may best help to ensure critical infrastructures are prepared to deal with ongoing threats. Panelists posited that if the ultimate goal is “resilience,” then current testing may not be the best approach, as current tests are largely “synthetic.” CFTC staff remarked that there must be some measurable, auditable way for regulators to ensure market participants are preparing appropriately, however, and questioned what alternatives or principles might look like. 