A CME Globex Notice on June 30 reminded you about the new client systems security ecosystem requirements. The new requirements were introduced during the CME Group Customer Forum in early 2016 and revisited in the Q4 forum.
CME Group is committed to providing the highest levels of market integrity, including the security of CME Group and adjacent ecosystems.
Security practices continue to be critically important across financial services. CME Group has consistently leveraged security best practices and announced earlier this year that it would be implementing these requirements to help ensure customers’ end-to-end information security.
By the end of 2016, all in-scope customer systems must support
All third-party (ISV and QV) systems that authenticate human users to any CME Group system. Proprietary systems and systems that do not connect to CME Group systems are out of scope.
CME Group follows the industry-standard guidelines from NIST and ISO for strong passwords:
A strong password contains:
Additional recommended best practices include:
CME Group considers incorporation of biometric methods to be equivalent to two-factor authentication.
All third-party systems that authenticate to CME Group systems must encrypt confidential and sensitive data both at rest and when sent over untrusted networks. An untrusted network is one outside the direct control of the end user's organization. To determine whether a particular client's network is untrusted, please contact your CME Global Account Manager.
CME Group recommends all deployed third-party services (such as a gateway deployed at a customer site) utilize encryption for sensitive data, but does not require it. It is the customer's responsibility to determine mitigation of information security risks.
Examples of sensitive data include iLink session password and order and trade data.
Two-factor authentication (2FA) adds a second level of authentication to an account log-in. 2FA requires the user to have two out of three types of credentials before being able to access an account:
IP authentication does not count towards the 2FA requirement.
Using a one-time code texted to the end user's cell phone, in addition to a login and password, is an example of 2FA.
No, these requirements are specific to human authentication.
Yes. CME Group is working with the partner exchanges and related systems to ensure readiness.
CME Group is working with third-party system providers to ensure readiness.
Our focus on security has already resulted in a number of enhancements:
We plan to further improve our security through 2017. Watch the CME Globex and CME Clearing notices for further information:
CME Group is aware of the NIST guidelines and is evaluating the potential impacts. We do not anticipate any change to the 2016 requirements.
Contact our Corporate Communications team.