On March 15, 2024 from 11:00 am – 12:00 pm (EDT), Erez Liebermann, Caroline Swett, Robert Maddox, and Stephanie Thomas from our Data Strategy and Security and Banking Groups will host the next installment of our Data Security Webcast, where we will delve into the Commodity Futures Trading Commission’s (“CFTC”) notice of proposed rulemaking for an operational resilience framework for futures commission merchants, swap dealers, and major swap participants (the “Proposal”).

Seeking to reduce the risk of operational disruptions and consumer harms arising from information and technology security, third-party relationships, and other emergencies or significant disruptions, the Proposal would require covered entities to establish an Operational Resilience Framework (“ORF”) comprised of an information and technology security program, a third-party relationship program, and a business continuity and disaster recovery (“BCDR”) plan, and would impose a number of requirements related to governance, training, testing, notifications, and recordkeeping. The Proposal also includes guidance relating to third-party relationship risks.

During the webcast, we will walk through the components of the Proposal in detail and discuss:

  • How we got here. The Proposal builds off of existing CFTC requirements that covered entities have a risk management program and BCDR plan and was motivated in part by recent incidents that caused market disruption.
  • Our reactions. While the Proposal includes a number of elements common to other operational resilience measures and that covered entities may already have at least partially implemented, the draft could be improved by narrowing and clarifying a number of the definitions, which presently cover and impose significant workstreams upon relatively minor disruptions, and by revising certain provisions to return to the CFTC’s stated goal of providing covered entities with a risk-based approach to operational resilience.
  • Other operational resilience initiatives. The Proposal is one of several operational resilience initiatives from lawmakers and regulators that many entities will need to comply with simultaneously, including the EU’s Digital Operational Resilience Act and the SEC’s forthcoming rules relating to cybersecurity risk management, incident reporting, and disclosure for investment advisers and funds.
  • Next steps for the Proposal. The Proposal’s comment period was extended until Monday, April 1, 2024.  If finalized, unless this provision is revised, the requirements would be subject to only a six-month implementation period before taking effect.

To register for the Webcast, please click here.

If you are unable to join via Webcast, please click here to register to receive the recording only.

To see our previous blog posts on operational resilience, please click here.

To see our previous webcasts, please click here.

To subscribe to our Data Blog, please click here.


The cover art used in this blog post was generated by DALL-E.


Erez is a litigation partner and a member of the Debevoise Data Strategy & Security Group. His practice focuses on advising major businesses on a wide range of complex, high-impact cyber-incident response matters and on data-related regulatory requirements. Erez can be reached at eliebermann@debevoise.com


Caroline Swett is a partner in Debevoise’s Financial Institutions and Banking Groups. She advises domestic and foreign banks and other financial institutions on a wide range of regulatory, enforcement and transactional matters. She can be reached at cnswett@debevoise.com.


Robert Maddox is International Counsel and a member of Debevoise & Plimpton LLP’s Data Strategy & Security practice and White Collar & Regulatory Defense Group in London. His work focuses on cybersecurity incident preparation and response, data protection and strategy, internal investigations, compliance reviews, and regulatory defense. In 2021, Robert was named to Global Data Review’s “40 Under 40”. He is described as “a rising star” in cyber law by The Legal 500 US (2022). He can be reached at rmaddox@debevoise.com.


Stephanie D. Thomas is an associate in the Litigation Department and a member of the firm’s Data Strategy & Security Group and the White Collar & Regulatory Defense Group. She can be reached at sdthomas@debevoise.com.