Market Participants Worry that CFTC Can’t Safeguard Data
The US derivatives regulator should let the responsibility for the storage of sensitive data fall on regulated firms, committee hears.
The Commodity Futures Trading Commission (CFTC) should have clear internal guidelines in place to safeguard the sensitive data it collects from the organizations it regulates, said Hunter Landrum, who works in government affairs, litigation and enforcement at Two Sigma Investments, during a public meeting of the CFTC’s Technology Advisory Committee on July 16.
And the CFTC should collect less data in its examination functions, which would free up its resources and leave the data where it already is: in disparate, secure locations, Landrum said.
“Various national and international regulators have taken different stances toward data collection. Some regulators acknowledge the danger and agree not to collect this information, and instead view it in a more secure way. Others insist on collecting data under the cover of regulation or recordkeeping requirements. But in the US, currently regulators such as the CFTC have no clear policies and procedures for when and how sensitive information is reviewed,” he said.
Landrum said the CFTC collects sensitive information from market infrastructure firms—such as systems diagrams, vulnerability reports, and penetration test results—and from the firms that trade derivatives, including market tactics and investment data.
“[This data] would be extremely useful for an adversary, someone attempting to profit from the misappropriation of sensitive market-related information, planning a cyber attack against the CFTC, the markets it regulates, [and] its registrants,” Landrum said.
Landrum said the CFTC has been receptive to working with the firms under its oversight on this issue, and acknowledged work by CFTC commissioner Dawn Stump on improving data protection at the agency. However, he said, regulatory agencies keep getting hacked. One of the more high-profile data breaches of recent years occurred in the Edgar system of the US Securities and Exchange Commission (SEC) in 2016.
“Now, we understand that this sensitive information can be useful for regulatory examination purposes. But we believe it can be viewed and accessed on-site where it resides, or in other ways where it is not duplicated and removed from the secure institutional systems where it resides,” Landrum said.
To address this issue, Landrum said the CFTC first needs to instate clear policies and procedures on when and how sensitive information should be accessed, when it should be collected, and how it should be stored when it is collected.
“We think that to better align the CFTC’s policies and procedures with its best-in-class practices regarding the limiting of sensitive information, the CFTC should provide concise and up-to-date guidance on how it reviews highly-sensitive cybersecurity artifacts and intellectual property in a way that doesn’t compound the risk,” he said.
These policies should be informed by a cybersecurity risk analysis, or “threat model” of the kind that many organizations routinely do to assess exactly what cyber threats they face, and how to guard against them, he added.
A report from an internal watchdog last year found that the CFTC’s data governance program was “of a low maturity,” and said that it had to rebuild its outdated database of regulatory filings. The CFTC’s staff, including those from its enforcement and market oversight divisions, rely on this database, the Integrated Surveillance System, to keep them apprised of market events and potential problems.
Commissioner Stump’s work on data protection has followed up on the recommendations made in that report, and has included consideration of the breadth of the CFTC’s swap data reporting regulations.
Since post-financial crisis rules widened the CFTC’s mandate, the agency’s significance and its workload have increased. As it has demanded more data from market participants, concerns have grown about its ability to keep this data safe. At the same time, CFTC commissioners have complained that the agency is chronically underfunded. The Trump administration has further cut the budget.
Landrum said that against the backdrop of limited resources and the high concentration of data at the agency, “we think it’s important that the CFTC both reduce the amount of information it collects, and also shift the burden of data retention onto market participants to divide the information into more places. That will reduce budget demands on the CFTC and provide a safer environment.”