Commodity Futures Trading Commission September 19, 2016 – Federal Register Recent Federal Regulation Documents

In compliance with the Paperwork Reduction Act of 1995 (``PRA''), this notice announces that the Information Collection Request (``ICR'') abstracted below has been forwarded to the Office of Management and Budget (``OMB'') for review and comment. The ICR describes the nature of the information collection and its expected costs and burden.

The Commodity Futures Trading Commission (``Commission'' or ``CFTC'') is adopting final rules amending its current system safeguards rules for designated contract markets, swap execution facilities, and swap data repositories, by enhancing and clarifying current provisions relating to system safeguards risk analysis and oversight and cybersecurity testing, and adding new provisions concerning certain aspects of cybersecurity testing. The final rules clarify the Commission's current system safeguards rules for all designated contract markets, swap execution facilities, and swap data repositories by specifying and defining the types of cybersecurity testing essential to fulfilling system safeguards testing obligations. These testing types are vulnerability testing, penetration testing, controls testing, security incident response plan testing, and enterprise technology risk assessment. The final rules also clarify current rule provisions respecting: The categories of risk analysis and oversight that statutorily-required programs of system safeguards- related risk analysis and oversight must address; system safeguards- related books and records obligations; the scope of system safeguards testing; internal reporting and review of testing results; and remediation of vulnerabilities and deficiencies. In addition, the final rules adopt new provisions set forth in the Commission's Notice of Proposed Rulemaking, applicable to covered designated contract markets (as defined) and all swap data repositories, establishing minimum frequency requirements for conducting certain types of cybersecurity testing, and requiring performance of certain tests by independent contractors.