US CFTC Commissioner Kristin Johnson’s 2025 CCP AGM Address Highlights Urgent Cybersecurity Measures and Crypto Exchange Oversight Amid Bybit Hack Fallout

On 19 June 2025, Commissioner Kristin N. Johnson delivered a speech at the CCP Global Annual General Meeting in Amsterdam recognising the need for robust cybersecurity protocols, third-party risk frameworks, and updated regulatory expectations, particularly in light of the $1.5 billion Bybit hack in February 2025.

The speech builds on the US CFTC’s intensified focus on operational resilience, systemic risk, and cyberattack vulnerability across both traditional clearing infrastructures and decentralised digital asset ecosystems. Commissioner Johnson used the Bybit hack, an exploit involving smart contract manipulation and the compromise of a third-party interface, as a case study to advocate for regulatory guardrails that blend traditional derivatives oversight with emerging crypto security frameworks. She also discussed the Market Risk Advisory Committee (MRAC)’s evolving role in shaping DCO wind-down protocols and third-party cybersecurity standards, explicitly linking future rulemakings to both the United States Dodd-Frank Act and the global IOSCO-PFMI principles.

CCPs: The Backbone of Derivatives Markets
CCPs act as intermediaries in derivatives trades, reducing risk by ensuring transactions are completed even if one party defaults. Johnson highlighted how CCPs proved their resilience during the 2020 pandemic and geopolitical shocks, thanks to reforms from the 2009 G20 Pittsburgh Summit and regulations like the Dodd-Frank Act. “CCPs held up well, absorbing rather than amplifying shocks,” she noted, citing the Financial Stability Board.

Cybersecurity: A Growing Threat
Johnson emphasized the escalating cyber risks facing financial markets. The 2023 ION Cleared Derivatives cyberattack disrupted global transaction clearing, while the 2025 Bybit hack saw hackers exploit a third-party system to steal $1.5 billion in cryptocurrency. These incidents underscore vulnerabilities in critical third-party services.

To counter such risks, the US CFTC proposed an Operational Resilience Framework (ORF) in 2023, aiming to strengthen cybersecurity, third-party risk management, and business continuity for market participants. Johnson stressed the need for robust frameworks, particularly for smaller firms reliant on a few key vendors.

Strengthening Third-Party Oversight
The MRAC’s CCP Risk & Governance Subcommittee has recommended enhancing US CFTC regulations to include comprehensive third-party relationship management for derivatives clearing organizations (DCOs). This involves policies to assess and monitor risks from service providers, addressing concentration risks that could destabilize markets.

Planning for Recovery and Wind-Down
Johnson also discussed MRAC’s proposals to improve DCO recovery and wind-down plans, aligning with international standards. These include regular stress testing, addressing non-default losses, and ensuring customer assets are protected during a crisis. Such measures aim to prevent disruptions and maintain market stability.

A Call for Collaboration
Reflecting on the diverse expertise within MRAC, Johnson urged continued multi-stakeholder collaboration to tackle emerging risks, from cybersecurity to market concentration. She praised the committee’s work on issues like the Treasury cash-futures basis trade and futures commission merchant (FCM) capacity, which revealed growing consolidation among bank-affiliated firms.

(Source: https://www.cftc.gov/PressRoom/SpeechesTestimony/opajohnson21)