The U.S. Commodity Futures Trading Commission has reached a $100,000 settlement with a registered futures commission merchant, which it charged with failing to diligently supervise an IT provider’s implementation of provisions in the merchant’s written IT security program. This is a rare case of a CFTC enforcement action premised on a cybersecurity failure at a registered entity.
The case involved a defective network-attached storage device installed by the vendor, which exposed unencrypted customer records for 10 months; during that time the records were accessed by an unauthorized third party. The vendor failed to detect the problem in subsequent risk assessments, even though the hacker had blogged about exploiting this vulnerability elsewhere. The merchant only learned of the breach when the hacker contacted it.
The CFTC charged the merchant under Regulation 166.3, which requires that every CFTC registrant “diligently supervise the handling [of confidential information] by its partners, officers, employees and agents,” and Regulation 160.30, which requires them to “adopt policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information.”
