17 C.F.R. § 38.1051
(a) A designated contract market's program of risk analysis and oversight with respect to its operations and automated systems shall address each of the following categories of risk analysis and oversight:
(d) A designated contract market that is not determined by the Commission to be a critical financial market satisfies the requirement to be able to resume trading and clearing during the next business day following a disruption by maintaining either:
(e) A designated contract market must notify Commission staff promptly of all:
(f) A designated contract market must give Commission staff timely advance notice of all material:
(g) As part of a designated contract market's obligation to produce books and records in accordance with § 1.31 of this chapter, Core Principle 18 (Recordkeeping), and §§ 38.950 and 38.951, a designated contract market shall provide to the Commission the following system safeguards-related books and records, promptly upon the request of any Commission representative:
(h) A designated contract market shall conduct regular, periodic, objective testing and review of its automated systems to ensure that they are reliable, secure, and have adequate scalable capacity. It shall also conduct regular, periodic testing and review of its business continuity-disaster recovery capabilities. Such testing and review shall include, without limitation, all of the types of testing set forth in this paragraph (h). A covered designated contract market, as defined in this section, shall be subject to the additional requirements regarding minimum testing frequency and independent contractor testing set forth in this paragraph (h).
(1) Definitions. As used in paragraph (h) of this section:
Controls means the safeguards or countermeasures employed by the designated contract market in order to protect the reliability, security, or capacity of its automated systems or the confidentiality, integrity, and availability of its data and information, and in order to enable the designated contract market to fulfill its statutory and regulatory responsibilities.
Controls testing means assessment of the designated contract market's controls to determine whether such controls are implemented correctly, are operating as intended, and are enabling the designated contract market to meet the requirements established by this section.
Covered designated contract market means a designated contract market whose annual total trading volume in calendar year 2015, or in any subsequent calendar year, is five percent (5%) or more of the combined annual total trading volume of all designated contract markets regulated by the Commission for the year in question, based on annual total trading volume information provided to the Commission by each designated contract market pursuant to the procedure set forth in this chapter. A covered designated contract market that has annual total trading volume of less than five percent (5%) of the combined annual total trading volume of all designated contract markets regulated by the Commission for three consecutive calendar years ceases to be a covered designated contract market as of March 1 of the calendar year following such three consecutive calendar years.
Enterprise technology risk assessment means a written assessment that includes, but is not limited to, an analysis of threats and vulnerabilities in the context of mitigating controls. An enterprise technology risk assessment identifies, estimates, and prioritizes risks to designated contract market operations or assets, or to market participants, individuals, or other entities, resulting from impairment of the confidentiality, integrity, and availability of data and information or the reliability, security, or capacity of automated systems.
External penetration testing means attempts to penetrate the designated contract market's automated systems from outside the systems' boundaries to identify and exploit vulnerabilities. Methods of conducting external penetration testing include, but are not limited to, methods for circumventing the security features of an automated system.
Internal penetration testing means attempts to penetrate the designated contract market's automated systems from inside the systems' boundaries, to identify and exploit vulnerabilities. Methods of conducting internal penetration testing include, but are not limited to, methods for circumventing the security features of an automated system.
Key controls means those controls that an appropriate risk analysis determines are either critically important for effective system safeguards or intended to address risks that evolve or change more frequently and therefore require more frequent review to ensure their continuing effectiveness in addressing such risks.
Security incident means a cyber security or physical security event that actually jeopardizes or has a significant likelihood of jeopardizing automated system operation, reliability, security, or capacity, or the availability, confidentiality or integrity of data.
Security incident response plan means a written plan documenting the designated contract market's policies, controls, procedures, and resources for identifying, responding to, mitigating, and recovering from security incidents, and the roles and responsibilities of its management, staff and independent contractors in responding to security incidents. A security incident response plan may be a separate document or a business continuity-disaster recovery plan section or appendix dedicated to security incident response.
Security incident response plan testing means testing of a designated contract market's security incident response plan to determine the plan's effectiveness, identify its potential weaknesses or deficiencies, enable regular plan updating and improvement, and maintain organizational preparedness and resiliency with respect to security incidents. Methods of conducting security incident response plan testing may include, but are not limited to, checklist completion, walk-through or table-top exercises, simulations, and comprehensive exercises.
Vulnerability testing means testing of a designated contract market's automated systems to determine what information may be discoverable through a reconnaissance analysis of those systems and what vulnerabilities may be present on those systems.
(3) External penetration testing. A designated contract market shall conduct external penetration testing of a scope sufficient to satisfy the requirements set forth in paragraph (k) of this section.
(4) Internal penetration testing. A designated contract market shall conduct internal penetration testing of a scope sufficient to satisfy the requirements set forth in paragraph (k) of this section.
(5) Controls testing. A designated contract market shall conduct controls testing of a scope sufficient to satisfy the requirements set forth in paragraph (k) of this section.
(6) Security incident response plan testing. A designated contract market shall conduct security incident response plan testing sufficient to satisfy the requirements set forth in paragraph (k) of this section.
(7) Enterprise technology risk assessment. A designated contract market shall conduct enterprise technology risk assessment of a scope sufficient to satisfy the requirements set forth in paragraph (k) of this section.
(k) Scope of testing and assessment. The scope for all system safeguards testing and assessment required by this part shall be broad enough to include the testing of automated systems and controls that the designated contract market's required program of risk analysis and oversight and its current cybersecurity threat analysis indicate is necessary to identify risks and vulnerabilities that could enable an intruder or unauthorized user or insider to:
(n) Required production of annual total trading volume.
[77 FR 36700, June 19, 2012, as amended at 81 FR 64312, Sept. 19, 2016; 82 FR 45434, Sept. 29, 2017]