The U.S. Commodity Futures Trading Commission failed to verify whether futures and swaps brokerage firms have adequate policies to help ward off cyber attacks, an internal CFTC audit found.

The audit was completed in October by Brown & Company CPAs and Management Consultants PLLC at the request of the CFTC's inspector general. It found that the CFTC, in conducting cyber security examinations of the firms, did not employ a "risk-based approach" to "independently test results of the cybersecurity assessments" it did.

Cyber security has been deemed one of the biggest threats to the U.S. financial system. The audit was posted online after Reuters requested it through a Freedom of Information Act

Auditors took issue with the method the Division of Swap Dealer and Intermediary Oversight used when it conducted cyber security exams. They said the CFTC merely asked the brokers for information about their cyber security policies and procedures without checking to see if the information was accurate.

"Validating registrant data submitted in the assessments can enhance the agency's ability to effectively deploy its limited staff resources and may reduce cybersecurity risks," the audit

The finding sparked sharp disagreement with the CFTC, which in a response to the audit defended its exams and disputed the way the watchdog characterized them.

"Due to budgetary constraints, the creation of an independent testing program is not feasible," the CFTC said.

High-profile hacks, including an $81 million heist from the central bank of Bangladesh and attacks against major banks like JP Morgan and retailers like Target, have put the spotlight on the issue and prompted regulators to step up scrutiny of the firms they oversee.

The U.S. Securities and Exchange Commission in 2014 said it was making cybersecurity a focal point of its compliance examinations. It has since conducted two rounds of sweeps to ensure that brokerages and wealth managers are taking steps to safeguard sensitive customer information.

The CFTC based its cyber security reviews of 48 futures firms and 49 swap dealers on the SEC's cyber examination initiative, the audit said.

The SEC's practice has been to ask a series of questions, request supporting documentation to verify the information and, in some cases, visit the firms.

The audit concluded that the CFTC's efforts fell short compared with the SEC's methods because of the lack of

The CFTC sharply refuted that claim, saying its approach to assessing the firms was "virtually identical" to that employed by the SEC and much more than simply a "request for

The audit also made other recommendations, including urging firms to file sensitive information to the CFTC using a secure connection. That practice was implemented in late September.

It also recommended that the CFTC urge brokers to increase the frequency of their own internal and external penetration