The U.S. Commodity Futures Trading Commission failed to verify whether futures and swaps brokerage firms have adequate policies to help ward off cyber attacks, an internal CFTC audit found.
The audit was completed in October by Brown & Company CPAS and Management Consultants PLLC at the request of the CFTC’s inspector general. It found that the CFTC, in conducting cyber security examinations of the firms, did not employ a “risk-based approach” to “independently test results of the cybersecurity assessments” it did.
Cyber security has been deemed one of the biggest threats to the U.S. financial system. The audit was posted online after Reuters requested it through a Freedom of Information Act request.
Auditors took issue with the method the Division of Swap Dealer and Intermediary Oversight used when it conducted cyber security exams. They said the CFTC merely asked the brokers for information about their cyber security policies and procedures without checking to see if the information was accurate.
“Validating registrant data submitted in the assessments can enhance the agency’s ability to effectively deploy its limited staff resources and may reduce cybersecurity risks,” the audit said.
The finding sparked sharp disagreement with the CFTC, which in a response to the audit defended its exams and disputed the way the watchdog characterized them.
“Due to budgetary constraints, the creation of an independent testing program is not feasible,” the CFTC said.
High-profile hacks, including an $81 million heist from the central bank of Bangladesh and attacks against major banks like JP Morgan and retailers like Target, have put the spotlight on the issue and prompted regulators to step up scrutiny of the firms they oversee.
The U.S. Securities and Exchange Commission in 2014 said it was making cybersecurity a focal point of its compliance examinations. It has since conducted two rounds of sweeps to ensure that brokerages and wealth managers are taking steps to safeguard sensitive customer information.
The CFTC based its cyber security reviews of 48 futures firms and 49 swap dealers on the SEC’s cyber examination initiative, the audit said.
The SEC’s practice has been to ask a series of questions, request supporting documentation to verify the information and, in some cases, visit the firms.
The audit concluded that the CFTC’s efforts fell short compared with the SEC’s methods because of the lack of verification.
The CFTC sharply refuted that claim, saying its approach to assessing the firms was “virtually identical” to that employed by the SEC and much more than simply a “request for information.”
The audit also made other recommendations, including urging firms to file sensitive information to the CFTC using a secure connection. That practice was implemented in late September.
It also recommended that the CFTC urge brokers to increase the frequency of their own internal and external penetration tests.