A CME Globex Notice on June 30 reminded you about the new client systems security ecosystem requirements. The new requirements were introduced during the CME Group Customer Forum in early 2016 and revisited in the Q4 forum.
CME Group is committed to providing the highest levels of market integrity, including the security of CME Group and adjacent ecosystems.
Security practices continue to be critically important across financial services. CME Group has consistently leveraged security best practices and announced earlier this year that it would be implementing these requirements to help ensure customers’ end-to-end information security.
By the end of 2016, all in-scope customer systems must support
- Strong passwords
- Encryption of confidential and sensitive data
- Two-factor authentication
All third-party (ISV and QV) systems that authenticate human users to any CME Group system. Proprietary systems and systems that do not connect to CME Group systems are out of scope.
CME Group follows the industry-standard guidelines from NIST and ISO for strong passwords:
A strong password contains:
- Minimum eight characters
- Numbers, symbols, capital and lower-case letters
- Change at least every 60 days
- Re-use rules that do not allow the same password to be used
Additional recommended best practices include:
- Does not include a word or a combination of words from a dictionary in any language
- Does not rely on obvious substitutions – like replacing an “o” (oh) with a “0” (zero)
- Unique – is not re-used for other applications or logins
CME Group considers incorporation of biometric methods to be equivalent to two-factor authentication.
All third-party systems that authenticate to CME Group systems must encrypt confidential and sensitive data both at rest and when sent over untrusted networks. An untrusted network is outside the direct control of the end user's organization. To determine if a particular clients’ network is Untrusted, please contact your CME Global Account Manager.
CME Group recommends all deployed third-party services (such as a gateway deployed at a customer site) utilize encryption for sensitive data, but does not require it. It is the customer's responsibility to determine mitigation of information security risks.
Examples of sensitive data include iLink session password and order and trade data.
Two-factor authentication (2FA) adds a second level of authentication to an account log-in. 2FA requires the user to have two out of three types of credentials before being able to access an account:
- A knowledge factor - something the user should know, like a personal identification number (PIN)
- A physical or possession factor - something the user should have, like a cell phone, or a certificate on a trusted computer
- An inherence factor - something you physically are, like a fingerprint
IP authentication does not count towards the 2FA requirement.
Using a one-time code texted to the end user's cell phone is an example of 2FA, in addition to a login and password.
No, these requirements are specific to human authentication.
Yes. CME Group is working with the partner exchanges and related systems to ensure readiness.
CME Group is working with third-party system providers to ensure readiness.
Our focus on security has already resulted in a number of enhancements:
- A single sign-on application portal with two-factor authentication – CME Group Login
- 2FA for CME Direct
- CME Customer Center for legacy Clearing Portal
- Cipher and MAC enhancements
- Mandated browser upgrades
We plan to further improve our security through 2017. Watch the CME Globex and CME Clearing notices for further information:
- iLink and Drop copy authentication and controls
- Encrypted Clearing connectivity
CME Group is aware of the NIST guidelines and is evaluating the potential impacts. We do not anticipate any change to the 2016 requirements.
Contact our Corporate Communications team.
© 2025 CME Group Inc. All rights reserved.