Statement of CFTC Commissioner Dawn D. Stump Announcing Important Progress in the CFTC’s Data Protection Initiative
July 12, 2019
Today, I am pleased to provide an update to the Data Protection Initiative I announced in March. This initiative is meant to serve as a pathway to better ascertain the CFTC’s regulatory data needs and enhance its internal data protection measures. Data is critical to our markets and our regulatory mission, but the specter of data breaches requires our agency to consider the breadth of our data intake needs while weighing the sensitivity of the data with the possibility of unauthorized access. The CFTC collects information via both legacy and recently expanded powers and it must constantly evaluate its approach to data. The effort seeks to appraise our strengths and vulnerabilities through a structured process in an attempt to develop a meaningful policy adapted to ever-evolving threats and advances in data security. At the end of the day, I hope to implement consistent data protection procedures across the many functions required to carry out our mission that will benefit the agency and market participants.
I am happy to announce that the Scope component, the first of five parts of this initiative, has been successfully completed and we now have an updated and detailed Data Catalogue at the CFTC. Substantial time and effort has been invested in the Scope portion of the plan to create this inventory of all the data inflows to the Commission. This is a significant undertaking in and of itself since the agency collects a tremendous amount of sensitive information from a multitude of sources and reporting counterparties. This data is required to be reported under a myriad of regulations promulgated by various Divisions within the CFTC. The Data Catalogue includes information concerning the regulation providing the authority for the collection, type of entity serving as the data submitter, category of data reported, primary CFTC data user, technology or interface by which it is collected, whether the collection is ad-hoc or recurring, and the frequency of submission.
Documenting all the data the CFTC captures is the prerequisite first step in the process and we now have an up-to-date, agency-wide view of the data we ingest from the markets we regulate. We must identify the various use-cases of each data stream and consider the sensitivity of the data collection in light of the regulatory value. Then consideration should be given as to whether its collection should continue by comparing the sensitivity of information to its value to the Commission. If a data set has a demonstrable use-case, then the next steps in the Data Initiative process must be applied: (1) Access – review the manner in which we receive all data and consider alternative modes of access for sensitive data, such as not ingesting it into CFTC systems and reviewing the data on-site at market participants; (2) Security – analyze our security safeguards and internal controls, storage procedures, encryption formatting, permission access and usage tracking; (3) Response – examine how the CFTC responds in the event of a security breach through impact and risk assessments as well as notification to parties whose data is impacted; and (4) Retention – evaluate the time and means by which the agency stores types of information based upon sensitivity and update data destruction policies as appropriate.
Undertaking this laborious step has demonstrated the necessity of not only having such a Data Catalogue, but that it must always be refreshed and stay current. I hope this initiative will foster a CFTC-wide commitment and cultural shift to ensure that this process is performed on a recurring frequency.
I want to thank the staff of all the Divisions and Offices across the entire CFTC for their assistance as many parts of the agency are involved in this project and data protection is truly everyone’s responsibility. I look forward to continuing to work with staff and also hope to partner with market participants and cyber security experts, across both the private and public sectors, as appropriate through various mediums, such as potential future roundtables, to highlight best practices and lessons learned from this initiative.
See Statement of CFTC Commissioner Dawn D. Stump on Data Protection Initiative (March 1, 2019), available at https://www.cftc.gov/PressRoom/SpeechesTestimony/stumpstatement030119.