ADVERTISEMENT

A Watchdog Says Hedge-Fund Secrets Kept by the CFTC Are Vulnerable to Hacking

Hedge Fund Secrets Shared With Regulators May Be at Risk

(Bloomberg) -- Confidential market information collected from hedge funds and brokers by the main U.S. derivatives regulator is vulnerable to hacking because of the agency’s outdated computer systems, according to an internal watchdog.

The Commodity Futures Trading Commission needs to correct “numerous weaknesses” in the way it manages and stores data, the inspector general’s office said in an audit report released late last week. The review also said the CFTC needs to rebuild or replace a key, but antiquated, database of confidential trading positions that it uses to police futures and options markets.

Such programs “remain in use because they are considered irreplaceable mission-critical systems with highly sensitive data,” the IG’s office said in the report, parts of which were blacked out because of security concerns. “We believe this may result in a larger risk factor and tempting target for exfiltration.”

The audit highlighted the agency’s Integrated Surveillance System, which gathers information on positions taken by hedge funds and other big traders in the commodity markets. Along with being used for enforcement purposes, some of the data is aggregated and released in public reports that are closely watched by Wall Street. The two decade-old system must be updated or replaced by “a more modern and efficient technical solution,” the report said.

Review Risks

The audit also called on the agency’s leadership to make additional information-technology upgrades and review security risks associated with other computer systems it uses.

The CFTC’s Office of Data and Technology said in a written response that it is “committed to working with the appropriate stakeholders to address the issues and concerns’’ raised by the audit. Erica Elliott Richardson, a spokeswoman for the CFTC, declined to comment further.

The agency, which oversees trading in much of the $544 trillion derivatives market, has lagged behind other financial regulators in upgrading its systems to guard against intrusions by cybercriminals. And financial data has been a frequent target of hackers.

The Securities and Exchange Commission, for example, disclosed in September 2017 that its Edgar database of corporate filings had been breached the year before.

Technology Spending

The CFTC spent $75.4 million -- more than a quarter of its funding -- on information technology last year, according to its 2020 budget request. The problems, employees say, involve not only large databases but standard office technology as well. For example, some workers are still using Windows 7 software -- which Microsoft Corp. will stop supporting in January -- on their computers.

“I agree that the CFTC should review the security risks of ISS and other legacy systems to assure compliance with current information security standards,” Commissioner Rostin Behnam, who leads the agency’s Market Risk Advisory Committee, said in an email statement. “I am concerned that without additional resources, we will not be able to meet these critical standards.”

Brendan Gilfillan, a spokesman for the Managed Funds Association, said the hedge fund industry would work with the CFTC to make sure its members’ trading positions and other confidential data remain secure.

“Few issues are more important to our members than the security of the proprietary information they provide regulators,” Gilfillan said in an email statement. “We look forward to continued constructive engagement with the CFTC and others to ensure such sensitive data is well-protected.”

The ISS contains 10 years of futures and options positions for large traders, which are uploaded by firms each day. It also keeps 25 years of volume and price data, as well as links to at least one other system with confidential trading information, according to a document on the CFTC’s website.

The system “allows the agency to monitor the daily activities of large traders, key price relationships, and relevant supply and demand factors,” the agency said in a 2014 assessment that called it a powerful part of the CFTC’s surveillance efforts.

To contact the reporters on this story: Ben Bain in Washington at bbain2@bloomberg.net;Robert Schmidt in Washington at rschmidt5@bloomberg.net

To contact the editors responsible for this story: Jesse Westbrook at jwestbrook1@bloomberg.net, Gregory Mott

©2019 Bloomberg L.P.