The US Commodity Futures Trading Commission held a meeting of its Market Risk Advisory Committee on March 8, and the recent cyber-attack on one of the industry's technology service providers was one of the main topics of discussion.
FIA President and CEO Walt Lukken, one of the speakers invited to address this issue, described FIA's role in the industry's response to the attack and announced the formation of a Cyber Risk Taskforce to examine the longer-term implications for cleared derivatives markets.
In his remarks before the advisory committee, Lukken said the taskforce will be global in focus, and initial work will focus on existing cyber protections and protocols, the effectiveness of the industry's initial response, best practices around reconnection, and safeguards around third-party service providers. He added that the taskforce will aim to release an initial report by the second quarter of this year.
In related news, CFTC Chairman Rostin Behnam, speaking at a Congressional hearing the same day, noted that the agency is developing rule proposals to address cyber risk. He said that in response to the recent cyber-attack on ION Markets, he has asked the agency's staff to "identify potential weaknesses with respect to third party service providers and vendor relationships." He added that the CFTC does not have the authority to regulate third-party service providers directly, and he urged lawmakers to consider "what role and relationship the CFTC should have" with these companies.
The CFTC's advisory committees have no rule-making authority, but they serve as a channel for communication between the agency and the markets that it regulates. The MRAC is led by Alicia Crighton of Goldman Sachs, who is also chair of FIA's board of directors, and includes market participants, public interest groups, and academics.
CFTC Commissioner Kristin Johnson, the sponsor of the MRAC, noted that it is important for the agency to "not rest on our laurels" regarding cyber-related threats and related requirements for registered market participants.
"While other regulators, affected firms, the industry, and the Commission remain in a fact-gathering phase in the wake of the recent cyber-incident, it is imperative that the MRAC fulfill its duty to serve as a timely and transparent forum for critical discussions regarding resilience, recovery, and resolution," said Johnson.
"As our financial market infrastructure becomes increasingly dependent on digital technologies, it is of the utmost importance that individual firm cyber defenses keep pace with evolving threats. In addition, we must seek to enhance cybersecurity across the network of firms, large and small, that facilitate trade execution, clearing, and settlement in our markets."
In other areas of discussion, the MRAC also explored topics including CCP risk and governance, digital assets, and climate-related market risk.
The first panel of the MRAC included discussions about the recent cybersecurity-related disruption at ION, including both industry and regulatory perspectives.
FIA's President and CEO Walt Lukken offered a timeline of events and praised the industry's flexibility and communication throughout the crisis. He noted that within a few days, FIA had gathered more than 700 market participants and regulators for group updates on the situation.
Lukken also announced the formation of an industry-led body that will explore lessons learned from the disruption.
"Looking ahead, today FIA is announcing the formation of a global Cyber Risk Taskforce to look at the ION event and to develop recommendations for improvements to our markets," Lukken said. "This taskforce will focus on several areas including existing cyber protections and protocols, the effectiveness of the industry's initial response, best practices around reconnection, and safeguards around third-party service providers. We aim to release an initial report by the second quarter of the year.
CME Group, the National Futures Association, the US Financial Industry Regulatory Authority, and the Office of the National Cyber Director also joined the broader discussion of financial-related cyber risks and prevention.
CFTC staff also indicated that the agency intends to put forth new rules related to cyber risk. Amanda O'Lear, Director of the CFTC's Market Participant Division, stated that the division is looking at the risk management guidelines for futures commission merchants and swap dealers and whether these guidelines should be enhanced to cover monitoring, mitigating and recovering from cyber-attacks.
The MRAC meeting also provided an update from its CCP Risk and Governance Subcommittee, pointing to recent work that may inform agency efforts as well as potential future priorities.
Ashwini Panse, chief risk officer of North American clearing at ICE, outlined some recent disruptions that have challenged derivatives markets and CCPs over the last year in the wake of volatility caused by the war in Ukraine. "Net-net, however, the industry has done extremely well to manage through the crisis," she said.
Panse also highlighted a series of 2021 publications by the CCP Risk and Governance Subcommittee, which were approved by the broader MRAC in a previous meeting. She noted that while there were areas where agreement could not be reached on specific recommendations, there were areas that the CFTC could consider to inform future rulemaking proposals or requests for public comment.
These CCP Risk and Governance Subcommittee reports include:
Panse also noted ongoing work in partnership with FIA on the issue of CCP transparency.
"Forums like the MRAC for stakeholders to discuss areas of interest, gather input on regulatory issues, and provide recommendations," Panse said, noting the critical role that CCPs play in the global economy.
Panse also reflected on the cooperative work done with FIA, SIFMA AMG and CCP 12 to bring greater CCP transparency to the industry and to speed up the public quantitative and qualitative disclosures by one month.
"With uncertainty all around us, risk management and price discovery are more important than ever," she said.
The MRAC also included other panels that addressed the following topics:
Digital Assets: Public and private sector stakeholders explored the regulatory environment digital assets, including former CFTC Chairman Tim Massad. The wide-ranging discussion included potential uses of blockchain, safeguards against fraud and illicit activity, digital identity, and potential system risk for broader financial markets.
Climate-Related Market Risk: The MRAC revisited a 2020 report by its Climate-Related Market Risk Subcommittee that presented a series of recommendations. Voluntary carbon markets and "greenwashing" fraud were also topics of discussion.
Treasury Market Structure: Biswarup Chatterjee, managing director and head of innovation for the global markets division at Citigroup, led a discussion along with a U.S. Treasury official about US Treasury market structure and clearing, including liquidity impacts related to reset block swaps thresholds.
Interest Rate Benchmark Reform: The MRAC discussed recent developments in risk-free rates markets, including the adoption of SOFR-related contracts.