On September 8, 2016, the CFTC approved "system safeguard and testing" (aka cyber security) requirements that will be applicable to certain regulated entities: DCOs, DCMs, SEFs and SDRs. Final Rules implementing these requirements were published on September 19, 2016, and became effective on the date of publication.
U.S. commodities and derivatives firms...would have to frequently test their information technology for vulnerabilities under final rules approved Thursday by the Commodity Futures Trading Commission (CFTC). The CFTC's rules are intended to promote flexibility as hacking methods evolve, and to help firms stay up-to-date on the best responses to cyber attacks. Under the rules, firms will probe for vulnerabilities at least once a quarter and test their planned responses to breaches at least once a year. Also annually, they will test if their systems can be penetrated from outside and within. Independent contractors will conduct the external penetration tests, as well as exams at least every three years on whether the companies have adequate controls to identify risks that change more frequently. CFTC officials said the commission will not recommend contractors for the testing.