CFTC Orders Firm to Pay $1.5 Million in Connection with Phishing Cyber Breach, Cites Inadequate Cyber Training

The Commodity Futures Trading Commission (CFTC) isn’t holding back when it comes to holding firms accountable for protecting their clients’ funds and information. On September 12, 2019, the CFTC issued an order settling proceedings against a registrant for $1.5 million US, based on claims that the registrant violated Commission Regulations 166.3 and 1.55(i). Without admitting or denying the CFTC’s allegations, the registrant entered into a settlement offer.

The CFTC order cites failures to supervise adequate implementation of, and compliance by employees with, cybersecurity policies and procedures and a written information security program. Specifically, the CFTC notes inadequate supervision of policies relating to the disbursement of funds by employees, which contributed to the occurrence of wire fraud by cyber criminals. The wire request originated through the typical method: phishing. Through phishing emails, hackers were able to compromise a few accounts that had administrative privileges, and they used that level of access to add themselves as a “delegate” on other firm email accounts so they could read those mailboxes. Although the firm notified the CFTC in a timely manner after learning that it had allowed a fraudulent wire to go out, the CFTC took issue with the firm not disclosing the incident to its clients.
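The delegate step described above is the part of this chain a firm can catch before a wire goes out: an account granting itself access to other people’s mailboxes is unusual, and doing it to several mailboxes in a few minutes, in the middle of the night, is more so. The following is an added example (not from the original post or from the CFTC order) of a small review script over mailbox-delegation audit records. The log lines are constructed, and the record layout (fields `actor`, `grantee`, `mailbox`, `operation`, `rights`, `ts`) is an assumed generic format rather than any vendor’s exact audit schema; the three rules are defender heuristics for review, not a claim about what any particular product detects.

```python
"""Flag mailbox-delegation grants that merit review.

Added example, not code from the original post. The audit records below are
constructed, and the field names are an assumed generic layout, not a
specific vendor's schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: one JSON record per line (assumed layout).
SAMPLE_LOG = """
{"ts": "2019-06-03T09:12:00", "actor": "it.admin@firm.example", "operation": "AddMailboxDelegate", "mailbox": "ceo@firm.example", "grantee": "assistant@firm.example", "rights": "FullAccess"}
{"ts": "2019-06-04T02:41:10", "actor": "it.admin@firm.example", "operation": "AddMailboxDelegate", "mailbox": "treasury@firm.example", "grantee": "it.admin@firm.example", "rights": "FullAccess"}
{"ts": "2019-06-04T02:43:55", "actor": "it.admin@firm.example", "operation": "AddMailboxDelegate", "mailbox": "cfo@firm.example", "grantee": "it.admin@firm.example", "rights": "FullAccess"}
{"ts": "2019-06-04T02:46:02", "actor": "it.admin@firm.example", "operation": "AddMailboxDelegate", "mailbox": "ops@firm.example", "grantee": "it.admin@firm.example", "rights": "FullAccess"}
{"ts": "2019-06-04T10:05:00", "actor": "helpdesk@firm.example", "operation": "RemoveMailboxDelegate", "mailbox": "ceo@firm.example", "grantee": "assistant@firm.example", "rights": "FullAccess"}
"""

BUSINESS_HOURS = range(7, 19)   # assumed 07:00-18:59 local time
BURST_WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 3             # distinct mailboxes granted by one actor within the window


def parse_log(text):
    """Parse newline-delimited JSON audit records; timestamps become datetimes."""
    records = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def find_suspicious_delegations(records):
    """Return a list of (reason, record) pairs for delegation grants worth review.

    Heuristics:
      self_grant - the actor granted mailbox access to their own account
      off_hours  - the grant was made outside BUSINESS_HOURS
      burst      - one actor granted access to >= BURST_THRESHOLD distinct
                   mailboxes within BURST_WINDOW (reported once per actor)
    """
    findings = []
    grants = [r for r in records if r["operation"] == "AddMailboxDelegate"]
    grants.sort(key=lambda r: r["ts"])

    for r in grants:
        if r["actor"] == r["grantee"]:
            findings.append(("self_grant", r))
        if r["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off_hours", r))

    by_actor = defaultdict(list)
    for r in grants:
        by_actor[r["actor"]].append(r)
    for rs in by_actor.values():
        for i, first in enumerate(rs):
            window = [x for x in rs[i:] if x["ts"] - first["ts"] <= BURST_WINDOW]
            if len({x["mailbox"] for x in window}) >= BURST_THRESHOLD:
                findings.append(("burst", first))
                break
    return findings


def summarize(findings):
    """Deduplicated (reason, actor, mailbox) triples, sorted for stable output."""
    return sorted({(reason, r["actor"], r["mailbox"]) for reason, r in findings})


if __name__ == "__main__":
    for reason, actor, mailbox in summarize(find_suspicious_delegations(parse_log(SAMPLE_LOG))):
        print(f"{reason:10s} {actor} -> {mailbox}")
```

On the constructed log the script reports the three self-grants, the same three as off-hours, and a single burst for the admin account; the legitimate daytime grant to an assistant and the later removal are not flagged. The thresholds are tuning knobs: a firm whose IT staff routinely batch-provision mailboxes would raise `BURST_THRESHOLD` or exempt a change-ticket window rather than drop the rule.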

The CFTC also took the opportunity to highlight that the individuals responsible for cybersecurity at the firm, including the CCO, had “limited training in cybersecurity” and that the CCO did not have a background in cybersecurity despite being designated with responsibility to oversee the firm’s cyber training.

What this case reveals for CFTC registrants, and perhaps by extension for registrants with the SEC and FINRA, is that cyber is being taken seriously. In addition to the lack of training and cyber expertise among those tasked with implementing the cyber program, other issues cited include:

  • The failure to tailor the information security program to the firm’s particular functions and risks (in some cases, the firm’s cyber policies quoted the rule verbatim without any modification)
  • The failure to follow the firm’s incident response plan when responding to the incident
  • The failure to replace a senior information security professional who departed, and instead delegating his responsibilities to others with less experience (Author’s Note: Admittedly, it is incredibly difficult to hire individuals with cyber expertise given current demand)

If you need help tailoring your information security policies and procedures, with cyber training, phishing testing or general cybersecurity strategies, visit our Shield page to see what we offer, and then contact us.
