CFTC Orders Firm to Pay $1.5 Million in Connection with Phishing Cyber Breach, Cites Inadequate Cyber Training

The Commodity Futures Trading Commission (CFTC) isn’t holding back when it comes to holding firms accountable for protecting their clients’ funds and information. On September 12, 2019, the CFTC issued an order bringing proceedings against a registrant, to the tune of $1.5 million, relating to claims that the registrant violated Commission Regulations 166.3 and 1.55(i). Without admitting or denying the CFTC’s allegations, the registrant entered into a settlement offer.

The CFTC order cites failures to supervise adequate implementation of, and compliance by employees with, cybersecurity policies and procedures and a written information security program. Specifically, the CFTC notes inadequate supervision of policies relating to the disbursement of funds by employees, which contributed to the occurrence of wire fraud by cyber criminals. The fraudulent wire request originated through the typical method: phishing. Through phishing emails, the attackers were able to compromise a few accounts that had administrative privileges, and they used that level of access to add themselves as a “delegate” on other firm email accounts, giving them visibility into those mailboxes. Although the firm notified the CFTC in a timely manner after learning that it had allowed a fraudulent wire to go out, the CFTC took issue with the firm not disclosing the incident to its clients.

The CFTC also took the opportunity to highlight that the individuals responsible for cybersecurity at the firm, including the CCO, had “limited training in cybersecurity” and that the CCO did not have a background in cybersecurity despite being designated with responsibility to oversee the firm’s cyber training.

What this case reveals for CFTC registrants, and perhaps as a proxy for registrants with the SEC and FINRA, is that cyber is being taken seriously. In addition to the lack of training and cyber expertise by those tasked with implementing the cyber program, other issues cited include:

  • The failure to tailor the information security program to the firm’s particular functions and risks (in some cases, the firm’s cyber policies quoted the rule verbatim without any modification)
  • The failure to follow the firm’s incident response plan when responding to the incident
  • The failure to replace a senior information security professional who departed, and the delegation of his responsibilities to others with less experience (Author’s Note: Admittedly, it is incredibly difficult to hire individuals with cyber expertise given current demand)

If you need help tailoring your information security policies and procedures, with cyber training, phishing testing or general cybersecurity strategies, visit our Shield page to see what we offer, and then contact us.
