CFTC commissioner Johnson warns again about cyber-risks

Speaking at a regulatory roundtable on the supervision of new technology, Johnson focused her comments on the emergence of artificial intelligence and the increasing threat of cyber-attacks.

Johnson, who is set to leave her post later this year, told the meeting in London: “We need to align our supervisory approaches across jurisdictions to ensure that cyber risk is being addressed consistently.”

She added: “The Financial Stability Board, CPMI-IOSCO and other international standard setting bodies have already announced important principles—but implementation must be global, not fragmented.”

As well as regulatory harmonisation, financial watchdogs should also share information with their international peers and the firms they monitor, Johnson added.

Thirdly, the industry should do more work on how it responds to breaches rather than just worrying about prevention.

She said: “That means building interoperable incident response plans. Conducting joint cyber drills and tabletop exercises simulations and establishing trusted communications channels that can activate instantly in the event of a cross-border incident.”

And, lastly, regulators should think about the interconnectedness of the industry and the fact that many firms rely on the same third-party technology providers.

Johnson said: “We need a coordinated approach to supervising these critical third parties—through shared resilience testing, pooled audits, and transparent incident reporting.”

She concluded: “And finally, we must invest in cyber capacity building, especially in emerging and developing economies. Because in a globally interconnected system, our resilience is only as strong as the weakest link. Let us support these markets with the tools, training, and frameworks they need—not just to defend themselves, but to contribute to the global cyber defense ecosystem.”

Johnson’s comments echo concerns expressed by her in a May speech when she said: “At the risk of sounding like a broken record, I urge everyone to be thoughtful about these issues and what steps we can take to strengthen market participants and our broader derivatives and global financial markets.”

Steven Maijoor, executive board member and chair of supervision at the Dutch central bank, warned in May of potential vulnerabilities at clearing firms.

A cyber attack on widely used technology provider ION Markets at the start of 2023 caused severe disruption to cleared derivatives trade reporting and processing.