On February 12, 2018, in a settled enforcement action, the U.S. Commodity Futures Trading Commission (“CFTC”) charged a registered futures commission merchant (“FCM”) with violations of CFTC regulations relating to an ongoing data breach. Specifically, the FCM failed to diligently supervise an information technology provider’s (“IT vendor’s”) implementation of certain provisions in the FCM’s written information systems security program. Though not unprecedented, this case represents a rare CFTC enforcement action premised on a cybersecurity failure at a CFTC-registered entity.
According to the CFTC, a defect in a network-attached storage device installed by the FCM’s IT vendor left customers’ records and other information stored unencrypted on the device unprotected from cyber-exploitation. The defect left the information unprotected for nearly 10 months and led to the compromise of this data after the FCM’s network was accessed by an unauthorized, unaffiliated third party. The IT vendor failed to discover the vulnerability in subsequent network risk assessments, notwithstanding the fact that the unauthorized third party had blogged about exploiting the vulnerability at other companies. The FCM did not learn about the breach of its systems until it was directly contacted by the third party.
The CFTC charged the FCM under Regulation 166.3, which requires that every CFTC registrant “diligently supervise the handling [of confidential information] by its partners, officers, employees and agents,” and Regulation 160.30, which requires all FCMs to “adopt policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information.” The CFTC noted that an FCM may delegate the performance of its information systems security program’s technical provisions, including those relevant here. But in contracting with an IT vendor as its agent to perform these services, the FCM cannot abdicate its responsibilities under Regulation 166.3, and must diligently supervise the IT vendor’s handling of all activities relating to the registered entity’s business as a CFTC registrant.
To settle the case, the FCM agreed to (1) pay a $100,000 civil monetary penalty and (2) cease and desist from future violations of Regulation 166.3. The CFTC noted the FCM’s cooperation during the investigation and agreed to reduce sanctions as a result.