Vytautas Parfionovas was criminally charged in a federal court in Brooklyn, NY, for stealing funds from and engaging in unauthorized trading of securities in accounts of US customers at various unnamed financial institutions from 2011 through 2018. According to an affidavit by a special agent of the Federal Bureau of Investigation included with the complaint, the defendant obtained access to the accounts through usernames and passwords he obtained through phishing and other computer intrusions. Mr. Parfionovas purportedly used email and social media accounts on Google, Yahoo, Facebook and Apple that he registered under false names to orchestrate his criminal scheme. The criminal complaint claims that the defendant’s actions resulted in over US $5.5 million in losses in victims’ accounts.

Mr. Parfionovas was charged with computer intrusion, money laundering, wire fraud, access device fraud, securities fraud, and identity theft, and certain related crimes. If convicted, he could be subject to up to 30 years’ imprisonment for the money-laundering charge alone.

Compliance Weeds: CFTC registrants and NFA members have express obligations to ensure the security of their information systems and customers’ personal information. Among other things, most CFTC registrants are required to maintain policies and procedures to protect customer records and information (click here to access CFTC Rule 160.30) and a written identity theft program (click here to access CFTC Rule 162.30(d)), while all NFA members must maintain a written information systems security program. (Click here for background in the article “NFA Sets April 1 as Compliance Date for New ISSP Requirements” in the January 13, 2019 edition of Bridging the Week.)

SEC registrants have similar obligations. (Click here for background in the Compliance Weeds associated with the article “Broker-Dealer Resolves SEC Charges That Inadequate Cybersecurity Procedures Led to Cyber Intrusion, Compromising Customer Personal Information” in the September 30, 2018 edition of Bridging the Week.)

However, it appears regulators are increasingly likely to file an enforcement action under a general failure to supervise theory when there is a cybersecurity breach if they feel that adequate policies and procedures reasonably designed to prevent and/or respond to a breach did not exist, and/or customer information or funds were or may have been compromised.

Since 2017, for example, the CFTC has brought and settled three enforcement actions emanating from cyber breaches.

In September 2017, the CFTC resolved an enforcement action against Tillage Commodities, LLC, a CFTC-registered commodity pool operator, with failure to supervise for purportedly not monitoring and detecting unauthorized wire transfers processed by the administrator of a fund it operated. (Click here for details in the article “Two Commodity Pool Operators Charged by CFTC with Failure to Supervise” in the October 1, 2017 edition of Bridging the Week.) In February 2018, the CFTC also settled an enforcement action against AMP Global Clearing LLC, a CFTC-registered futures commission merchant, for its alleged failure to supervise a third party’s implementation of “critical” provisions of its information system security program. (Click here for details in the article “CFTC Says Futures Brokerage Firm’s Failure to Supervise Led to Unauthorized Cyber Attack” in the February 18, 2018 edition of Between Bridges.) Most recently, the CFTC brought and settled an action against a second FCM emanating from a cyber breach (click here for a copy of the relevant settlement order).

Robust policies and procedures related to information security are critical, along with a checklist of urgent things to do when there is a cyber breach – including a list of useful contacts (e.g., forensic experts, regulators to contact). The regulatory consequences of not being prepared are high, and the out-of-pocket and reputational costs of a breach may be higher still. And unfortunately, a breach will occur no matter how good a firm’s controls and procedures.