SEC, CFTC make their case for more funding, boosting cyber-security

Once again, the season is upon us where federal regulators turn to Congress for increased budgets.

On Tuesday, the heads of the Securities and Exchange Commission and Commodity Futures Trading Commission appeared before a Senate Appropriations Committee sub-committee hearing to make their money pitches. Both agencies expressed the need to bolster cyber-security defenses and in-house technology needed to keep pace with the rapidly changing marketplaces they oversee.

The SEC requested $1.7 billion for fiscal year 2019, a $6 million increase over the fiscal year 2018 enacted amount.

The SEC’s funding is derived from fees paid by national securities exchanges and associations and result in no direct appropriation. Chairman James Lankford (R-Okla.), however, cautioned that “these fees are ultimately passed on to U.S. investors, retirement savers, and market participants,” and his Committee “has a responsibility to ensure they are spent wisely.”

The CFTC requested $281.5 million for fiscal year 2019, a $32.5 million increase over the fiscal year 2018 appropriation.

Lankford was at least somewhat sympathetic to the needs both agencies face amid budget constraints.

“Your jobs have become even more challenging with the rise in automated trading and constant technological innovation, including areas such as financial technology or FinTech, and the need to operate in markets undergoing digital transformation,” he said

SEC Chairman Jay Clayton testified that Congress’s recent funding for the agency, with additional funds for information technology, will provide the SEC with the ability to make significant investments in FY 2018 “in furtherance of our efforts to modernize our information technology infrastructure and improve our cyber-security risk profile.”

With a workforce of over 4,500 staff, the SEC oversees, among approximately $82 trillion in securities trading annually on U.S. equity markets, the disclosures of approximately 4,300 exchange-listed public companies with an approximate aggregate market capitalization of $30 trillion and the activities of over 26,000 registered entities and self-regulatory organizations. 

The SEC’s proposed FY 2019 budget “represents a modest increase,” Clayton said. The increase, if approved, “will enable the Commission to continue its work in a number of areas,” with a focus on leveraging technology and enhancing cyber-security and risk management, facilitating capital formation across markets, protecting Main Street investors, and maintaining effective oversight of changing markets.  

The FY 2019 budget would also enable the agency to start lifting the hiring freeze that has been in place since late in FY 2016.  “Our budget request would support restoring 100 positions, approximately one-quarter of the positions that became vacant during our hiring freeze, to address current critical priority areas and enhance the agency’s expertise in key areas,” Clayton said. These 100 added positions would result in SEC staffing at approximately the same level as in FY 2014. The budget request also relies on the SEC having continued access to the Commission’s Reserve Fund to fund information technology improvements, including those related to cyber-security.

Clayton explained that the SEC plans to use its budgetary resources to advance the implementation of its Office of Information Technology’s multiyear IT strategic roadmap, “to further our mission through advanced data analytics, digital workflows, and other tools to maximize efficiency, effectiveness, and security.”

Key IT priorities for FY 2018 and FY 2019 include: 

Investing in information security to improve monitoring, protect against advanced persistent threats, and strengthen risk management;

retiring antiquated legacy IT systems to improve the Commission’s cyber-security posture, while also saving agency funds;  

expanding data analytics tools to facilitate earlier detection of potential fraud or suspicious behavior and better identify high-risk registrant activities deserving examination; and

modernizing the EDGAR electronic filing system to make it more secure, more useful for investors, and less burdensome for filers.

“In particular, cyber-security at the Commission itself continues to be a priority area,” Clayton said. “No organization can guarantee that it will be able to withstand all cyber-attacks, particularly in an environment where threat actors may be backed by substantial resources. Nevertheless, we must continuously work to remain on top of evolving threats when it comes to securing our own networks and systems against intrusion.”

“This also means regularly exploring alternatives that will allow us to further our mission while reducing the sensitivity of the data we collect,” he added. “This may include, for example, taking in market-sensitive data on a delayed basis where feasible.     

Clayton said the SEC has engaged outside experts “that are in the process of reviewing our systems and data.”  More broadly, the agency is evaluating its cyber-security risk governance structure. 

“This has resulted in the establishment of a senior-level cyber-security working group, a review of our incident response procedures, and additional planned enhancements to promote the management and oversight of cyber-security across the Commission’s divisions and offices,” he added. “We have also established internal incident response exercises and have continued to interact on cyber-security efforts with other government agencies and committees.”

Clayton directed staff to review the sensitive personally identifiable information that is gathered through SEC forms “in an effort to make sure we do not take in more of such information than we need to carry out our mission.”

One recent result of this effort has been to eliminate the requirement for filers of certain forms to continue to provide their social security numbers, foreign identity numbers, or date or place of birth. 

“With respect to these forms, the Commission’s action reflected a conclusion that we would be able to achieve our regulatory objectives without taking in this sensitive personally identifiable information,” Clayton said.   

The SEC has also created a new position, the chief risk officer, to coordinate the SEC’s efforts to identify, monitor, and mitigate risks across our divisions and offices. Clayton said he has authorized the hiring of additional staff and outside technology consultants to aid in efforts to protect the security of the network, systems, and data.

An increased budget would permit the SEC to hire additional staff positions under the chief risk officer “to strengthen and advance the agency’s risk management capabilities,” Clayton said.

The FY 2019 budget request would further enable SEC staff to develop rulemaking initiatives aimed at promoting firms’ access to capital markets to generate economic growth while continuing to foster important investor protections. The budget request would also provide additional resources for staffing of the Office of the Advocate for Small Business Capital Formation.

As for enforcement activities, the FY 2019 budget request would restore 17 positions.

CFTC Chairman J. Christopher Giancarlo made the case that his agency has been underfunded for years.

“As the workload of the CFTC has increased dramatically—exponentially and globally—over the last four years, we have been flat-lined in our budget, at $250 million in three of those years, and actually experienced a budget reduction of $1 million this year,” he said. “Even with the cuts to our budget, it is still incumbent upon us to evolve into a 21st-century regulator, because the demands on our agency from the markets don’t stop as a result of budget cuts.  In fact, those demands constantly increase.”   

In FY 2019, the Commission is requesting $281.5 million and 716 full-time equivalents. This is an increase of $32.5 million and 46 FTEs over the resources provided in the FY 2018-enacted budget and is the same level of funding that the Commission requested in FY 2018.  

“The CFTC budget request is bare-bones, no waste, fiscally conservative, and mindful of taxpayer dollars,” Giancarlo said. “It is based on a rigorous analysis of each of the agency’s functions and expenditures. We built the 2019 budget based upon the real needs of the Commission. Each dollar of this budget serves a specific purpose in pursuit of the agency’s mission.”  

Giancarlo said the requested budget will allow the CFTC to address market-enhancing innovations and financial technology.  

The Commission expects the number of derivatives clearing organizations (DCOs) to continue to increase in FY 2019, with many expanding their business to other products and other jurisdictions around the world. 

“As the number of DCOs increase, the complexity of the oversight program will increase,” Giancarlo said. “It is imperative that the Commission strengthen its examination capability to enable it to keep pace with the growth in the amount of swaps cleared by DCOs pursuant to global regulatory reform implementation.”

“As the size and scope of DCOs have increased, so too has the complexity of DCOs’ risk management programs and liquidity risk management procedures,” he added. Increased funding will enable the Commission to enhance its financial analysis tools used to aggregate data and evaluate risk across all DCOs.