Comment for Proposed Rule 87 FR 76698

  • From: James Auliffe
    Organization(s):
    World Federation of Exchanges

    Comment No: 71074
    Date: 2/13/2023

    Comment Text:

    General Comments
    The WFE welcomes the opportunity to comment on the notice of proposed rulemaking published by the Commodity Futures Trading Commission (CFTC) to amend the reporting and information regulations applicable to derivatives clearing organizations (DCOs, otherwise known as CCPs).
    In general, the WFE encourages further scrutiny of reporting standards. As noted in our recent paper on Cyber Incident Reporting (CIR), WFE members have commented on these matters before. It is important to note that any reviews of reporting standards must be practical, and not counterproductive to the reporting of actual, material incidents and threats. In this situation, it is the WFE’s view that the proposed amendment to the CFTC’s reporting and information regulations does not meet this requirement. Specific Comments (below) highlight our concerns with the current draft of the proposal.

    Specific Comments
    This view stems from the Commission’s proposed amendments to rule 39.18(g)(1). In its current state, the rule provides pragmatic guidance with regard to reporting, requiring that a:
    “DCO promptly notify staff of the Division of Clearing and Risk (Division) of any hardware or software malfunction, security incident, or targeted threat that materially impairs, or creates a significant likelihood of material impairment of, automated system operation, reliability, security, or capacity”.

    However, in the CFTC’s planned amendment, this passage will be significantly altered, with the introduction of:

    • Splitting of this rule into two - one for “hardware or software malfunction” and one for “security incidents”,
    • Removing the threshold of “materiality”, the term “targeted”, and the qualifier on the “significant likelihood of material impairment”, and instead, opening the rule up to “any incident or threat”.

    The updated wording is outlined below, requiring that a:

    “DCO promptly notify the Division of any security incident or threat that compromises or could compromise the confidentiality, availability, or integrity of any automated system or any information, services, or data, including, but not limited to, third-party information, services, or data, relied upon by the DCO in discharging its responsibilities”.

    This amendment will likely be interpreted by DCOs as requiring nearly all incidents to be reported, including lower severity incidents, which are neither impactful nor targeted. Removing the materiality threshold would prevent DCOs from assessing incidents holistically. Currently, most DCOs have oversight programs in place to detect and mitigate threats in real time without impacting core clearing and settlement functions. Additionally, a DCO’s system of controls provides effective tools to manage any system impacts. Teams from across a DCO collaborate closely when incidents arise, sharing information gathered from internal detection systems to assess the overall impact of system impairments. This allows DCOs to assess incidents quickly and report material events to the CFTC in a timely manner. With these tools and controls in place, DCOs are best situated to measure the full impact of incidents affecting them specifically, as well as those affecting the financial industry.

    Therefore, it is the WFE’s view that this proposal is not practical, and that it would be counterproductive to require DCOs to notify the CFTC of all incidents or threats. The significant increase in notifications does not provide additional value, since the majority of reportable events are inconsequential in nature.

    More concerning is the increased burden on the CFTC, as well as DCOs. As currently drafted, the proposed reporting requirements would result in hundreds of notifications that CFTC staff must investigate, which would reduce available resources needed to focus on truly material incidents impacting DCOs, the CFTC, and the broader financial industry.

    We would encourage the CFTC to reconsider the above changes, and at least maintain the thresholds of “materiality” and “targeted”, and if the CFTC continues to be concerned about consistency in reporting, the CFTC could consider issuing guidance with respect to the definition of materiality for reporting incidents under rule 39.18(g)(1). We believe this approach strikes an appropriate balance by requiring timely notification of material incidents to the CFTC, while recognizing that DCOs need to be empowered to evaluate each incident based on the unique facts and circumstances at hand.

    In addition to removing the materiality threshold, the proposal also defines “[a]utomated systems” broadly. As defined in the proposed amendments, automated systems include “computers, ancillary equipment, software, firmware, and similar procedures, services (including support services), and related resources that a derivatives clearing organization uses in its operations.” We view this definition as overinclusive because, presumably, most of the DCO’s ancillary support systems fall within this definition. The proposal would require DCOs to make prompt notification to the Commission of non-material system repairs to ancillary systems and would mark a significant increase in scope to existing reporting obligations, which inappropriately deviates from the focus on a DCO’s core clearing and settlement functions.

    WFE also notes that the proposal adds prompt reporting requirements for any “operator error that impairs, or creates a significant likelihood of impairment of” a DCO’s automated systems. While “operator error” is not defined within the proposal, it appears to include an array of de minimis “business-as-usual” human or manual errors. Without a materiality threshold, the proposal again requires DCOs to promptly notify the CFTC about routine errors that have little to no impact to core clearing and settlement functions. The inclusion of “operator error”, as proposed, will likely capture immaterial errors where DCOs already have effective systems and procedures in place to mitigate any potential impacts.