CFTC Orders Firm to Pay $1.5 Million in Connection with Phishing Cyber Breach, Cites Inadequate Cyber Training
The Commodity Futures Trading Commission (CFTC) isn’t holding back when it comes to holding firms accountable for protecting their clients’ funds and information. On September 12, 2019, the CFTC issued an order bringing proceedings against a registrant to the tune of $1.5 million US relating to claims that the registrant violated Commission Regulations 166.3 and 1.55(i). Without admitting or denying the CFTC’s allegations, the registrant entered into a settlement offer.
The CFTC order cites failures to supervise adequate implementation of, and compliance by employees with, cybersecurity policies and procedures and a written information security program. Specifically, the CFTC notes inadequate supervision of policies relating to disbursement of funds by employees, which contributed to the occurrence of wire fraud by cyber criminals. The wire request originated through the typical method: phishing. Through phishing emails, hackers compromised a few accounts that had administrative privileges and used that level of access to add themselves as a “delegate” so they could see other firm email accounts. Although the firm notified the CFTC in a timely manner after learning that it allowed a fraudulent wire to go out, the CFTC took issue with the firm not disclosing the incident to its clients.
The CFTC also took the opportunity to highlight that the individuals responsible for cybersecurity at the firm, including the CCO, had “limited training in cybersecurity” and that the CCO did not have a background in cybersecurity despite being designated with responsibility to oversee the firm’s cyber training.
What this case reveals for CFTC registrants, and perhaps as a proxy for registrants with the SEC and FINRA, is that cyber is being taken seriously. In addition to the lack of training and cyber expertise by those tasked with implementing the cyber program, other issues cited include:
- The failure to tailor the information security program to the firm’s particular functions and risks (in some cases, the firm’s cyber policies quoted the rule verbatim without any modification)
- The failure to follow the firm’s incident response plan when responding to the incident
- The failure to replace a senior information security professional who departed, and instead delegating his responsibilities to others with less experience (Author’s Note: Admittedly, it is incredibly difficult to hire individuals with cyber expertise given current demand)
If you need help tailoring your information security policies and procedures, with cyber training, phishing testing or general cybersecurity strategies, visit our Shield page to see what we offer, and then contact us.