Central Counterparties regulations may not meet New York obligations
Central Counterparties (CCPs) are third party service providers (TPSPs) that appear to meet the definition of TPSPs under New York’s cybersecurity requirements. However, their internal rules currently do not require breach notification.
CFTC rules ambiguously require notification to the CFTC, but not to CCPs' members). CCPs provide services to financial institutions, who provide them with access to non-public information (NPI). CCPs are not affiliates of financial institutions.
CFTC regulations require system safeguards to include; risk assessment and oversight, to minimize operational risk, and a robust disaster recovery and business continuity plan.
CCP rules stipulate that when members join the CCP, they agree to abide by its rules and they cannot negotiate special conditions. Rules for major US CCPs are not obliged to timely disclose cybersecurity breaches to members. It is unclear if covered entities that have CCP memberships can meet the 72-hour cybersecurity event notification.
CCPs should amend their rules to provide explicit assurance and processes for members to ensure that they may meet their own notification requirements.