CFTC Failed to Verify Brokers Have Proper Cyber Policies

December 2, 2016

An internal audit of the CFTC concluded that the Agency fails to verify whether futures and swaps brokerage firms have adequate policies to help ward off cyber attacks. The audit, completed in October by Brown & Company CPAs and Management Consultants PLLC, had been requested by the CFTC inspector general. Results of the audit were posted online after Reuters requested them through a Freedom of Information Act request.

Auditors took issue with the method the Division of Swap Dealer and Intermediary Oversight used when it conducted cyber security exams. They said the CFTC merely asked the brokers for information about their cyber security policies and procedures without checking to see if the information was accurate.

"Validating registrant data submitted in the assessments can enhance the agency's ability to effectively deploy its limited staff resources and may reduce cybersecurity risks," the audit said.

The CFTC defended its exams and disputed the way the watchdog characterized them, saying in part that "due to budgetary constraints, the creation of an independent testing program is not feasible."

SEC Cyber Exam Protocol. The audit found that the CFTC based its cyber security reviews of 48 futures firms and 49 swap dealers on the SEC's cyber examination initiative: a series of questions, a request for supporting documentation to verify the information and, in some cases, a visit to the firms. Apparently the CFTC's efforts fell short compared with the SEC's methods because of the lack of verification.

The CFTC sharply refuted that claim, saying its approach to assessing the firms was "virtually identical" to that employed by the SEC and much more than simply a "request for information."