A U.S. financial regulator is pleading poverty when it comes to cybersecurity oversight.
The Commodity Futures Trading Commission (CFTC), which is charged with regulating the commodities trading market, can’t actually test companies’ cyber defenses, agency Chairman Timothy Massad said.
“Keep in mind that some of our major financial institutions are spending more on cybersecurity each year than our agency’s entire budget,” he told an industry conference in Chicago.
Massad maintained that the CFTC hasn’t ignored cybersecurity. In recent years, the agency has added “more detailed standards addressing various aspects of cybersecurity,” he said.
Companies are required to have cyber risk analysis programs, adequately secure systems, cyber emergency response procedures and regular, independent auditing of the whole program.
But the CFTC can’t always be that auditor.
“Our current budget does not permit us to conduct as many examinations as we should,” he said.
And the examinations it does conduct are limited. Instead of testing the program’s effectiveness, “we look at whether there is evidence to support management’s assertions that they are in compliance with the requirements,” Massad said.
“The simple fact is that, without additional resources, our markets cannot be as well supervised; customers cannot be as well protected; market transparency and efficiency cannot be as fully achieved.”
The CFTC was burdened with implementing much of the Dodd-Frank Act, the Wall Street reform bill passed in the wake of the financial crisis to heighten transparency and oversight of financial markets.
It has struggled with budget shortfalls since. Last week, hundreds of CFTC employees voted to join the National Treasury Employees Union, reportedly complaining of stagnating salaries and burdensome work requirements.
A recent breach at JPMorgan, which exposed 76 million households’ information, has only increased the need for a more watchful government eye, Massad said.
“We are all well aware of the risk,” he said.