Inadequate cybersecurity provisions at the US Commodity Futures Trading Commission (CFTC) could impact capital markets, according to the CEO of an alternative data source for investors and hedge funds, while lawyers say the issue will bring into question the budgetary allowance given to the US regulator for enhancing protection of proprietary data.
“The general consensus is that the security of their internal databases is suspect,” says Jordan Hauer, co-founder and CEO of Amass Insights. “The report also mentions they receive data from large investors through FTP, which is a protocol that has been in use for a long time, but largely replaced by SFTP or secured APIs for security purposes.”
“Inadequate security of these databases could significantly affect capital markets, exposing large market inefficiencies due to the bad actors trading on information that they have improper access to,” he says.
On May 7, the US Office of the Inspector General conducted a review of the CFTC’s data governance program, and in particular the agency’s Integrated Surveillance System (ISS). The audit found that the CFTC’s program displayed several weaknesses and threats.
“ISS data is considered a valuable resource across CFTC mission divisions and offices, but shows declining usefulness to CFTC operations… additionally, the collection and maintenance procedures for ISS data are resource intensive and subject to errors. Thus, CFTC may need to consider the current cost, effectiveness, and reliability of ISS data cleansing as used internally, and as the basis for CFTC’s external market reports,” the audit report stated.
A revamp of the CFTC’s ISS would “likely make the entire financial system more efficient and prevent hard-to-spot fraudulent actors,” says Hauer.
“The current system does not allow for efficient querying or analysis, preventing real-time fraudulent trade monitoring which requires complex calculations to be carried out in a fraction of a second,” he says.
In the CFTC’s fiscal year 2020 budget published in March, the regulator said that strengthening cybersecurity remained a priority.
“Effective cybersecurity and system safeguards oversight is increasingly crucial to the stability of the economy and a critical element of the division’s examinations. Effective cybersecurity protection of regulated entities requires an increase in the number and frequency of examinations conducted each year. In conducting such oversight, the Commission works to reduce the burden on entities by coordinating system safeguard examinations between DCOs, and one or more DCMs, SEFs, or SDRs,” the budget stated.
For Daniel Waldman, head of the derivatives practice at Arnold & Porter, part of the problem is that the resources given to the agency after the financial crisis were disproportionate to the level of responsibility it was given under Dodd-Frank.
“It’s not surprising that one of the more expensive priorities would suffer, so I think that everybody recognizes that there is a need for all of the regulators to stay abreast of technology not only to fulfil their mission but to address all the security-related issues that come with collecting data,” says Waldman.
It’s not the first time such concerns have arisen, but change does appear to be happening.
“This was a big issue several years ago when the agency was seeking to register and further regulate some of the automated trading folks and trying to get a better handle on algorithmic trading and some of the issues around high speed trading,” says Waldman.
“They issued a long proposal, and part of that proposal had to do with getting various information from these automated traders. In connection with that proposal there was a tremendous outpouring of comments relating to the security of getting all this highly proprietary and confidential information from the industry when the government has proven not to be particularly good at maintaining the privacy of that information against hackers,” says Waldman.