On March 15, 2024 from 11:00 am – 12:00 pm (EDT), Erez Liebermann, Caroline Swett, Robert Maddox, and Stephanie Thomas from our Data Strategy and Security and Banking Groups will host the next installment of our Data Security Webcast, where we will delve into the Commodity Futures Trading Commission’s (“CFTC”) notice of proposed rulemaking for an operational resilience framework for futures commission merchants, swap dealers, and major swap participants (the “Proposal”).

Seeking to reduce the risk of operational disruptions and consumer harms arising from information and technology security, third-party relationships, and other emergencies or significant disruptions, the Proposal would require covered entities to establish an Operational Resilience Framework (“ORF”) comprising an information and technology security program, a third-party relationship program, and a business continuity and disaster recovery (“BCDR”) plan. It would also impose a number of requirements related to governance, training, testing, notifications, and recordkeeping. The Proposal also includes guidance relating to third-party relationship risks.

During the webcast, we will walk through the components of the Proposal in detail and discuss:

  • How we got here. The Proposal builds off of existing CFTC requirements that covered entities have a risk management program and BCDR plan and was motivated in part by recent incidents that caused market disruption.
  • Our reactions. While the Proposal includes a number of elements common to other operational resilience measures and that covered entities may already have at least partially implemented, the draft could be improved by narrowing and clarifying a number of the definitions, which presently cover and impose significant workstreams upon relatively minor disruptions, and by revising certain provisions to return to the CFTC’s stated goal of providing covered entities with a risk-based approach to operational resilience.
  • Other operational resilience initiatives. The Proposal is one of several operational resilience initiatives from lawmakers and regulators that many entities will need to comply with simultaneously, including the EU’s Digital Operational Resilience Act and the SEC’s forthcoming rules relating to cybersecurity risk management, incident reporting, and disclosure for investment advisers and funds.
  • Next steps for the Proposal. The Proposal’s comment period was extended until Monday, April 1, 2024. If finalized, unless this provision is revised, the requirements would be subject to only a six-month implementation period before taking effect.

To register for the Webcast, please click here.

If you are unable to join via Webcast, please click here to register to receive the recording only.

To see our previous blog posts on operational resilience, please click here.

To see our previous webcasts, please click here.

To subscribe to our Data Blog, please click here.

The cover art used in this blog post was generated by DALL-E.

Author

Erez is a litigation partner and a member of the Debevoise Data Strategy & Security Group. His practice focuses on advising major businesses on a wide range of complex, high-impact cyber-incident response matters and on data-related regulatory requirements. Erez can be reached at eliebermann@debevoise.com.

Author

Caroline Swett is a partner in Debevoise’s Financial Institutions and Banking Groups. She advises domestic and foreign banks and other financial institutions on a wide range of regulatory, enforcement and transactional matters. She can be reached at cnswett@debevoise.com.

Author

Robert Maddox is International Counsel and a member of Debevoise & Plimpton LLP’s Data Strategy & Security practice and White Collar & Regulatory Defense Group in London. His work focuses on cybersecurity incident preparation and response, data protection and strategy, internal investigations, compliance reviews, and regulatory defense. In 2021, Robert was named to Global Data Review’s “40 Under 40”. He is described as “a rising star” in cyber law by The Legal 500 US (2022). He can be reached at rmaddox@debevoise.com.

Author

Stephanie D. Thomas is an associate in the Litigation Department and a member of the firm’s Data Strategy & Security Group and the White Collar & Regulatory Defense Group. She can be reached at sdthomas@debevoise.com.