Security Ecosystem

A CME Globex Notice on June 30 reminded you about the new client systems security ecosystem requirements. The new requirements were introduced during the CME Group Customer Forum in early 2016 and revisited in the Q4 forum.

Read the announcement at the Q2 forum.

Frequently Asked Questions

What is the intent of the ecosystem requirement updates?

CME Group is committed to providing the highest levels of market integrity, including the security of CME Group and adjacent ecosystems.

Why is CME Group introducing these requirements?

Security practices continue to be critically important across financial services. CME Group has consistently leveraged security best practices and announced earlier this year that it would be implementing these requirements to help ensure customers’ end-to-end information security.

What are the requirements?

By the end of 2016, all in-scope customer systems must support

  • Strong passwords
  • Encryption of confidential and sensitive data
  • Two-factor authentication

What customer systems are in-scope?

All third-party (ISV and QV) systems that authenticate human users to any CME Group system. Proprietary systems and systems that do not connect to CME Group systems are out of scope.

What does CME Group consider a strong password?

CME Group follows the industry-standard guidelines from NIST and ISO for strong passwords.

A strong password:

  • Is at least eight characters long
  • Contains numbers, symbols, capital and lower-case letters
  • Is changed at least every 60 days
  • Is subject to re-use rules that do not allow the same password to be used again

Additional recommended best practices include:

  • Does not include a word or a combination of words from a dictionary in any language
  • Does not rely on obvious substitutions – like replacing an “o” (oh) with a “0” (zero)
  • Unique – is not re-used for other applications or logins
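The following checker is an added illustration of how a third-party system could enforce the rules listed above; it is not CME Group code. The dictionary, the substitution table and the stored password history are constructed for the example, and the rotation rule is read as "overdue once the current password is more than 60 days old".

```python
"""Checker for the strong-password rules listed above (added illustration, not CME Group code).

The dictionary, the substitution table and the password history are constructed
here for the example; a real deployment would load full word lists in every
language its users speak and read the history from its credential store.
"""
import hashlib
import hmac
import os
import re
from datetime import date
from typing import List, Tuple

MIN_LENGTH = 8        # "Minimum eight characters"
MAX_AGE_DAYS = 60     # "Change at least every 60 days"
PBKDF2_ROUNDS = 100_000

# Constructed mini dictionary standing in for real word lists.
DICTIONARY = {"password", "trading", "welcome", "summer", "futures", "chicago"}

# Obvious substitutions that add no strength; they are undone before the dictionary check.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

History = List[Tuple[bytes, bytes]]   # (salt, PBKDF2 digest) per previous password


def character_class_issues(password: str) -> List[str]:
    """Length and character-class rules from the 'A strong password' list."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[0-9]", password):
        issues.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        issues.append("no symbol")
    if not re.search(r"[A-Z]", password):
        issues.append("no capital letter")
    if not re.search(r"[a-z]", password):
        issues.append("no lower-case letter")
    return issues


def contains_dictionary_word(password: str, min_word_len: int = 4) -> bool:
    """Dictionary rule. Obvious substitutions are undone first, so 'P@ssw0rd'
    is caught as 'password'; then any dictionary word found anywhere in the
    remaining letters (a word or a combination of words) fails the check."""
    normalized = password.lower().translate(SUBSTITUTIONS)
    letters_only = re.sub(r"[^a-z]", "", normalized)
    return any(w in letters_only for w in DICTIONARY if len(w) >= min_word_len)


def history_entry(password: str) -> Tuple[bytes, bytes]:
    """Record a password in the history as salt + PBKDF2 digest, never as plaintext."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def was_used_before(password: str, history: History) -> bool:
    """Re-use rule: the candidate must not match any previously recorded password."""
    return any(
        hmac.compare_digest(
            hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS), digest)
        for salt, digest in history)


def needs_rotation(last_changed: date, today: date) -> bool:
    """Rotation rule: overdue once the current password is more than 60 days old."""
    return (today - last_changed).days > MAX_AGE_DAYS


def evaluate(password: str, history: History) -> List[str]:
    """Every rule that applies to a candidate password; an empty list means it passes."""
    issues = character_class_issues(password)
    if contains_dictionary_word(password):
        issues.append("contains a dictionary word (after undoing obvious substitutions)")
    if was_used_before(password, history):
        issues.append("re-uses a previous password")
    return issues


if __name__ == "__main__":
    history = [history_entry("xK9#mQ2vLp")]           # constructed prior password
    for candidate in ("P@ssw0rd1", "Tr4d!ngF1", "xK9#mQ2vLp", "qZ7$nB4wRt"):
        print(candidate, evaluate(candidate, history) or "OK")
    print("rotation due:", needs_rotation(date(2016, 1, 1), date(2016, 3, 2)))
```

Run as a script it reports `P@ssw0rd1` and `Tr4d!ngF1` as dictionary words (the leet substitutions are reversed before matching), `xK9#mQ2vLp` as a re-use, and `qZ7$nB4wRt` as acceptable. The history stores only salted PBKDF2 digests, so enforcing the re-use rule does not require keeping old passwords in a recoverable form.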

Has CME Group considered alternatives to password-based authentication?

CME Group considers incorporation of biometric methods to be equivalent to two-factor authentication.

What are the encryption requirements?

All third-party systems that authenticate to CME Group systems must encrypt confidential and sensitive data both at rest and when sent over untrusted networks. An untrusted network is one outside the direct control of the end user's organization. To determine whether a particular client's network is untrusted, please contact your CME Global Account Manager.

CME Group recommends all deployed third-party services (such as a gateway deployed at a customer site) utilize encryption for sensitive data, but does not require it. It is the customer's responsibility to determine mitigation of information security risks.

Examples of sensitive data include the iLink session password, and order and trade data.

What is two-factor authentication?

Two-factor authentication (2FA) adds a second level of authentication to an account log-in. 2FA requires the user to have two out of three types of credentials before being able to access an account:

  • A knowledge factor - something the user knows, like a personal identification number (PIN)
  • A physical or possession factor - something the user has, like a cell phone, or a certificate on a trusted computer
  • An inherence factor - something the user physically is, like a fingerprint

IP authentication does not count towards the 2FA requirement.

Requiring a one-time code texted to the end user's cell phone, in addition to a login and password, is an example of 2FA.

Does this requirement extend to machine-to-machine authentication?

No, these requirements are specific to human authentication.

Does this include partner exchange systems that provide access to CME Globex markets?

Yes. CME Group is working with the partner exchanges and related systems to ensure readiness.

How will CME Group enforce these requirements? What if I cannot make the end-of-year deadline?

CME Group is working with third-party system providers to ensure readiness.

What other steps are CME Group taking for security?

Our focus on security has already resulted in a number of enhancements:

  • A single sign-on application portal with two-factor authentication – CME Group Login
  • 2FA for CME Direct
  • CME Customer Center for legacy Clearing Portal
  • Cipher and MAC enhancements
  • Mandated browser upgrades

We plan to further improve our security through 2017. Watch the CME Globex and CME Clearing notices for further information:

  • iLink and Drop copy authentication and controls
  • Encrypted Clearing connectivity

How do the new National Institute of Standards and Technology (NIST) security guidelines impact CME Group's requirements?

CME Group is aware of the NIST guidelines and is evaluating the potential impacts. We do not anticipate any change to the 2016 requirements.

View NIST Security Guidelines.

How can the media get more information?
