Suing a regulator is probably a bad idea. Among the untold reasons you might want to do so, one is particularly pertinent: insufficient cyber-security controls.
As unlikely as legal action against a regulator may seem, this motivation to do so – to claim damages after a regulatory data leak or systems breach – is far from hypothetical. Following the SEC’s recent disclosure that personal information in the Edgar corporate filings system was accessed by hackers last year, the prospect of information security being compromised at a regulator is at least as realistic as a breach at your own firm.
The irony is that currently, holding regulators to account on their own processes is near impossible, even if or when cyber-security negligence at a regulator causes serious damage. Earlier this year a District of Columbia court dismissed a class action against the Office of Personnel Management for damages resulting from a cyber-security attack in which highly sensitive data on more than 20 million Americans was stolen.
Even putting aside procedural or technical roadblocks, a simple cost-benefit analysis in most cases would show that it’s not in a firm’s best interests to go up against a governmental body.
“You are going to have to be reasonably brave, or fairly aggressive, or really suffered quite a loss for you to want to take on government agencies because the odds are probably stacked against you,” says Jonathan Greenwold, general counsel at $7bn systematic manager Aspect Capital.
“I suspect that during any kind of operational due diligence investors will ask you about litigation and any interaction with the regulators. If you say that you are bringing a claim against the regulator that is going to lead to some interesting conversations, even if you feel you are entirely in the right.”
“If there is a leak from a regulatory body, it is likely to be challenging to recover the leaked information and to take effective action to recover any losses your firm or clients suffer,” he adds.
The catch-22 flavour of the power imbalance between the watchmen and those they regulate is almost comical in its irony. Regulators like the FCA, the SEC and the CFTC require firms to report vast amounts of information to them, at least in part to ensure firms have the right systems and controls in place to try to minimise operational risk.
And yet if it turns out that the regulators are more vulnerable to exploitation or less diligent in their security, then transferring information to the regulators could directly undermine the protection that regulatory oversight is supposed to achieve.
Even the best satirist couldn’t provide a better case in point than that of the real-life mishap (to put it mildly) at the Polish financial regulator, the KNF, which managed to infect a number of banks with malware. Perhaps the regulator – which is responsible for examining cyber-security at the firms it infected – took a penetration test a little too seriously.
The scale of the problem
Notwithstanding the regulatory or governmental data leaks that do get picked up in the media – that list is long and growing – the first problem for regulated firms is simply understanding the scale of this problem.
Unlike the demands for transparency placed on firms, there is no systematic way to hold regulators to account or gather important information on their internal processes. In fact, it does not seem like there are many – or any – effective ad hoc ways to do this either.
Freedom of information requests about the number and nature of cyber-security issues submitted by HFMTechnology to all the major financial regulators in the United States, Europe and the UK remain unanswered, save for a generic response from Esma to say that it is consulting internally to assess whether further public guidance is needed.
In the absence of both freely published and requested disclosures about cyber-security vulnerabilities at regulators, including data breaches, attacks and responses to any incidents, hedge funds and representative bodies don’t have substantial grounds to complain or to lobby regulators to step up their security protection, despite very reasonable concerns given the quantity and nature of information regulators hold.
Information about vulnerabilities, insufficient controls or sheer negligence at regulators only comes to light when a major breach has already occurred, and of course by then the damage is done.
But using past disclosures of regulatory leaks as evidence, we do already know that the problem is very significant, and it’s not getting solved any time soon.
Christopher Giancarlo, chairman of the CFTC, has publicly acknowledged regulators’ woeful record on cyber-security in a series of speeches that are both refreshing and disturbing in their frankness.
“Cyber risk is undoubtedly the number one threat to 21st century financial markets,” he said last year in an address to the American Enterprise Institute. “It is also a threat against which the federal government has been a poor guardian of private confidential information. This must improve.”
In that speech, as in speeches before and since, Giancarlo did not mince his words, making it very clear that in the current state of play regulators are a “weak link”, failing even to meet the cyber-security standards they expect of firms they regulate.
He said: “Regulators’ system security must be no less robust and effective than is expected of the businesses under their jurisdiction. If market regulators are to be effective in overseeing digital markets, then they must not themselves be a weak link in the financial system’s resilience to cyber-attack. If we are to attract digital innovators to American shores, we must regulate in a way that intellectual property is less – not more – vulnerable than in competing jurisdictions.”
Footnotes to that speech included headlines such as “FDIC reports five ‘major incidents’ of cybersecurity breaches since fall”, and “How the government jeopardized our national security for more than a generation”.
More worryingly, it’s not just that cyber threats are evolving while regulators struggle to catch up, the risk of and from a regulatory breach is also increasing with regulatory changes demanding more and more information, including that which is sensitive and relating to proprietary business strategies.
Mifid II, Reg AT and CAT
In both Europe and the United States, proposed and enforced regulatory changes are having a direct impact on information security.
Under Europe’s Mifid II, transaction reporting and best execution monitoring are becoming too onerous for some firms to manage manually in-house. Not only will the regulators soon be sitting on lakes of data they previously did not collect, but the nature of the regulatory requirements has inserted more middlemen into surveillance, information collection and reporting processes, forcing the hand of CTOs and compliance officers who would rather maintain total control and report directly to regulators, but simply can’t handle the data management.
A London-based chief compliance officer explained that many of her peers, including her own firm, are outsourcing best execution monitoring to specialised platforms in order to leverage an economy of scale. Although she’s confident with her firm’s security, she is acutely aware that every new step in the reporting chain opens up more vulnerabilities.
“We are feeding [platforms] a whole bunch of our trades on a daily basis in order for them to be able to gather the intelligence around every single trade we have done for best execution monitoring,” she says.
For transaction reporting, the firm tried to avoid a third party for both efficiency and security reasons, and instead requested to report directly to the FCA. But in what the CCO alleges is a clear conflict of interest, the FCA quoted £20,000 for this service. “So with the transaction report, we send it off to Univista for example and then they send it off to the regulator and what does the regulator do with it internally?” she asks. “Do they even look at it? Do they send it off to Esma?
“There are lots of questions. Everyone expects hedge funds to report on how we are looking after our systems but no one ever asks about that on the regulators’ side.”
Similarly, former counsel in the SEC’s cybersecurity enforcement division, Matt Rossi, worries that regulators are becoming a greater target for cyber attackers due to the burgeoning amount of valuable data they collect. Already, he says, serious data leaks at the SEC like the recent Edgar breach are “not that surprising”, since well-publicized breaches have indicated that regulators’ security leaves much to be desired.
“The implementation of the Consolidated Audit Trail National Market System (CAT) which will give the SEC access to data regarding trade events reported by, among others, securities exchanges, self regulatory organizations, broker dealers, and alternative trading systems may become the target of cyber attacks,” he adds. “There is considerable concern that the CAT may be subject to hacking when it is implemented – expected to be in 2018-2019 period.”
Greenwold also names regulatory changes in the EU Transparency Directive and the EU Short Selling Regulation as two factors pushing up the cyber risk, but adds that EMIR reporting, swaps reporting under Dodd-Frank, transparency directives on short-selling and the standard quarterly fund reporting regimes also present a huge number of risks.
Although he recognises the necessity of openness and transparency between firms and regulators so that regulators can have visibility into the market, he uses a cost-benefit approach to assessing (theoretically) whether in particular cases it is reasonable to sacrifice information security for that oversight.
A prime example is the as yet unsuccessful proposal in the CFTC’s Regulation AT (automated trading) to remove the legal burden currently placed on the regulator before it can access a firm’s source code for algorithmic trading. It was in the context of rallying against this proposal, which would so clearly prioritise transparency over information security, that CFTC chairman Giancarlo saw fit to repeatedly warn of the low standards of cyber-security at regulators and governmental agencies.
For Greenwold, Reg AT is also an example of pre-emptive action to affect the course of regulatory will.
He says: “When new rules are proposed that will lead to greater disclosure of information, one thing we can do is actually to push back on those and to feed back to the regulator all of the risks and their own record on confidentiality.
“Reg AT was a really good example of the industry saying with one voice that this is regulatory overreach.”
Industry bodies, including AIMA, ISDA, the NFA and investor representatives have proactively campaigned on this and related issues. Yet the level of lobbying specifically on regulatory cyber-security does not seem proportionate to the likelihood or gravity of regulatory breaches.
How bad could it be?
The relative silence around regulatory cyber-security is misleading. Not only are the risks and concerns very real, but the potential impact of even a fairly minor breach could be pivotal for a firm, and a major breach could be momentous in a market-wide sense.
For managers, there are obvious distinctions between degrees of confidentiality and sensitivity around information which could be leaked through a regulator. On a scale from ‘frustrating’ at one end (unauthorised disclosure of short positions) to ‘business-destroying’ at the other (publishing proprietary algorithmic source code), Greenwold places two often overlooked types of disclosure in the middle: information about investment agreements and about disciplinary situations, which could jeopardise the reputations of all involved and undermine important relationships.
Understandably, investors are growing more concerned about the impact a breach could have on them, which only adds to the pressure on hedge funds, even granting how little bargaining power hedge funds actually have to deal with the issue when it’s outside their own walls.
“It’s definitely on the investors’ agenda in operational due diligence meetings,” says one CCO, but qualifies that by acknowledging that investors only ask about security controls within the firm, and never about the risk from counterparties, whether regulators or administrators.
Although public embarrassment and pressure seem to have done the trick at the SEC, which recently announced a host of new cyber-security initiatives, routes for challenging regulators on their cyber-security practice or holding them accountable for negligence remain obscure.
Rossi agrees with Greenwold that it would be “extremely difficult to hold regulatory agencies civilly liable under current law for harm caused”, and Greenwold emphasises that his approach would be to tackle risky or unnecessary regulatory demands before they were set in stone, rather than deal with the consequences.
At a most fundamental level, a formalised requirement on the regulators to disclose cyber-security issues would not go amiss. If counterparties such as administrators can be obliged to report on a regular basis to fund directors about cyber-security issues relating to a firm’s account, is it unreasonable to ask the same of those who purport to uphold standards for the whole sector?