CFTC Chief Plots New Cyber Rules in Wake of ION Trading Hack

Lydia Beyoud, Allyson Versprille and Katrina Manson, Bloomberg News

Rostin Behnam, chairman of US Commodity Futures Trading Commission , Photographer: Ting Shen/Bloomberg

(Bloomberg) -- The top US derivatives watchdog wants new cybersecurity rules as a recent attack on software company ION Trading UK continues to roil the industry.

Rostin Behnam, the chairman of the Commodity Futures Trading Commission, said that recent events have underscored the need for increased regulation. He added that the threats related to information security were “an important and increasingly urgent problem.”

Over the past week some in the derivatives industry have had to manually clear trades and calculate margin requirements following the attack, which has been attributed to Russian ransomware gang Lockbit.

The CFTC has said it’s in close contact with impacted companies and announced is delaying a closely-watched weekly staff report on aggregate holdings in different futures markets.

“As recent events have brought home, the industry’s necessary and increasing reliance on third-party service providers creates a major source of risk for participants in our markets, a risk that is only promised to rise with growth of virtual access and cloud-computing,” Behnam said in remarks prepared for a conference on Friday.

He added that the CFTC will begin work on regulations that could require futures and swaps dealers to exercise more due diligence and oversight of the third-party service providers they work with. The rule would be designed “to preserve the integrity, availability, and confidentiality of critical systems and information,” Behnam said.

ION’s system is used for clearing derivative trades around the world, particularly in the US, UK and Europe. The technology allows banks and broker-dealer clients to trade in a semi-automated manner.

Like ION, Bloomberg LP, the parent company of Bloomberg News, also provides financial institutions with execution management solutions, connectivity to electronic markets and trading tools.

UK Regulatory Steps

The Financial Conduct Authority, the chief markets regulator in the UK, has indicated it wants more direct reach into the cybersecurity of some third-party software and service providers.

Legislation introduced last year in parliament would give the FCA new powers to oversee third-party service providers relied on by financial firms and financial market infrastructure providers.

Currently, the regulator can’t directly oversee service providers like ION, but does regulate many of its customers, who have to submit detailed contingency plans to ensure resilience in the case of cyberattacks.

“We’re aware of this incident and we will continue to work with our partners and the firms affected,” the FCA said in a statement.

Crypto Trading

During Friday’s speech, Behnam also said the agency is mulling new anti-insider trading restrictions for crypto markets at CFTC-registered exchanges.

The agency is considering whether exchanges that list crypto derivatives contracts or are affiliated with crypto markets should adopt policies to restrict their employees’ trading in certain instances.

CFTC staff have recently talked to exchanges to gather information on limitations currently in place, he said.

--With assistance from Katherine Doherty and Isis Almeida.

(Updates with Behnam comments on crypto in final three paragraphs.)