MFA Submits Letters to CFTC and NFA on Data Security
November 17, 2017
Today, MFA submitted letters to the CFTC and NFA on the Protection of Confidential Registrant Information. MFA continues to raise concerns to regulators about data security and the protection of confidential registrant information, and urges regulators to enhance their data security. In the letters to the CFTC and NFA, MFA makes four suggestions to ensure the efficacy of the CFTC’s and NFA’s regulatory programs while reducing the risk of inadvertent disclosures from cyber intrusions.
MFA’s recommendations are as follows:
Recommendation #1: The CFTC should narrow the scope of systemic risk filings to information that could identify such risks and that is necessary to achieve the Commission’s core mission. To assist the CFTC in considering this request, MFA will be developing a revised Form PF/PQR, consistent with our recommendations for the CFTC and the SEC to rationalize and simplify reporting by adopting a single, simpler form, and for NFA to amend Form PQR to its pre-Dodd-Frank Act version and to make similar amendments to Form PR.
Recommendation #2: The CFTC and NFA should incorporate protections within the design of their forms and reporting systems to mitigate cyber breaches. The CFTC and NFA should focus on disaggregating the information stored. For example, the CFTC and NFA should enable CPOs and CTAs to use alphanumeric identifiers for filings, to be kept separately within their systems, and revise questions containing firm-identifying information. These safeguards would mitigate damage from a breach of EasyFile (through which Forms CPO-PQR and CTA-PR and other filings are made). This would be the equivalent of using a unique numerical identifier on a credit file, rather than the person’s name and social security number.
Recommendation #3: The CFTC and NFA should have information security policies in which the protections and security requirements are heightened or tiered depending upon the level of sensitivity of the data collected. CFTC or NFA staff should have access to this sensitive information on a “need to know” basis and in accordance with pre-determined protocols.
Recommendation #4: To further mitigate the risks from a future cyber breach, the Commission and NFA should return or destroy sensitive, confidential registrant data once they are through using it.