CFTC Commissioner Dawn Stump proposed various measures to improve the CFTC's own data protection practices.
Ms. Stump stated that her aim is to ensure that the CFTC (i) collects only data required for its regulatory responsibilities, (ii) eliminates “duplicative reporting streams,” (iii) considers alternative ways to access sensitive data and (iv) reviews internal controls, including data retention practices and procedures for responding to cyber incidents.
Ms. Stump noted that, given the breadth of the CFTC’s oversight functions, “it is time for the CFTC to comprehensively evaluate our approach to data collection and implement consistent policies and procedures across the many functions required to carry out our mission.”
Commentary
Commissioner Stump’s initiative is a welcome acknowledgment of the legitimate concerns of industry participants regarding the scope of data collected by the CFTC, and the security measures the CFTC implements to safeguard data it collects. As the CFTC acknowledged in its 2018 Annual Financial Report, “[t]he cyber threat is persistent and ever changing. It is not a question of ‘if’ a cyber intrusion will occur, but ‘when’ it will occur.” The CFTC and other regulators are increasingly focused on the measures regulated entities take to guard against cyberattacks, and have sanctioned firms for alleged deficiencies (see, e.g., NFA Amendments to Interpretive Notice Regarding Information Systems Security Programs—Cybersecurity, which go into effect on April 1, 2019; FINRA 2018 Report on Cybersecurity Practices; CFTC 2018 AMP Global Clearing Enforcement Action). It is thus appropriate for the CFTC and other regulators to evaluate the data they need to discharge their oversight responsibilities – particularly sensitive data involving confidential proprietary and customer information – and implement appropriate measures to safeguard such data.