Comment for Proposed Rule 80 FR 80113

  • From: Jennifer Oosterbaan
    Organization(s):
    NGX

    Comment No: 60649
    Date: 2/22/2016

    Comment Text:

    Christopher Kirkpatrick
    Secretary of the Commission
    Commodity Futures Trading Commission
    Three Lafayette Centre
    1155 21st Street NW
    Washington, DC 20581

    February 22, 2016

    RE: Notice of proposed rulemaking re System Safeguards Testing Requirements for Derivatives Clearing Organizations RIN 3038-AE29

    Dear Sir:

    NGX appreciates the opportunity to comment on the proposed rule (the “Proposed Rule”) regarding system safeguards testing requirements for derivatives clearing organizations (“DCOs”). NGX understands the concerns raised by the Commodity Futures Trading Commission (the “Commission”) and is supportive of the objectives of the Proposed Rule. Generally, NGX believes that compliance with the Proposed Rule would not be inordinately costly relative to the benefits, with the exception of the requirements to conduct vulnerability testing quarterly.

    We believe that DCOs should be required to undergo vulnerability testing no more frequently than semi-annually. Proposed section 39.18(e)(2)(i) states that a DCO must conduct vulnerability testing no less frequently than quarterly. While we believe that vulnerability testing is an important element of a cybersecurity program, there is limited incremental value to testing more frequently than annually, particularly relative to the costs in terms of time and money. Testing this frequently would cost over $100,000, a substantial sum for a clearing agency of NGX’s size and, given that there are unlikely to be substantial changes between each quarter, it seems unnecessary. The related Committee on Payments and Market Infrastructures and Board of the International Organization of Securities Commissions (“CPMI-IOSCO”) Consultative report providing Guidance on cyber resilience for financial market infrastructures suggests that DCOs conduct vulnerability assessments, but does not specify the appropriate frequency. Canadian guidance requires no more than annual testing.

    We hope that you will consider and address these concerns as part of this comment process and would be happy to discuss these issues at greater length at your convenience. Please contact Jennifer Oosterbaan, Legal Counsel at [email protected] if you have any questions regarding our comments.

    Respectfully submitted,

    James Oosterbaan