By: Cameron R. Scullen, Esq., Associate Attorney, Ruddy Gregory, PLLC*
In today’s modern day world, the issue of whether not traders and firms have adequate cybersecurity is constantly discussed. In fact, regulators themselves are noting the potential severity of cyberattacks: “Cybersecurity is a risk that the Division of Swap Dealer and Intermediary Oversight (“DSIO”) and [U.S. Commodity Futures Trading Commission (“CFTC”)] take seriously.”(1) But – it is one thing to take notice and another to protect one’s business with adequate cybersecurity.
The CFTC conveyed the same in its recent public statement that was titled the following: CFTC Encourages Standardized Approaches to Assessing Cybersecurity Preparedness, Including the FSSCC Cybersecurity Profile. Therein, the CFTC reiterates that firms subject to its regulatory oversight must follow “generally accepted standards and best practices with respect to the development, operation, reliability, security, and capacity of their automated systems” pursuant to CFTC regulations(2). However, the CFTC remains flexible in how firms develop and assess their respective cybersecurity framework and permit firms to “self-assess” the sufficiency of their overall cybersecurity. But, with greater flexibility, there comes greater responsibility.
In essence, this so mentioned “responsibility” can result in liability should a firm not adequately develop and maintain an appropriate cybersecurity framework that is adherent to CFTC regulations. This is evidenced in the CFTC’s order against AMP Global Clearing LLC (“AMP”), where the CFTC imposed a total of $100,000 in monetary sanctions against AMP, a registered futures commission merchant, for various cybersecurity related short falls.(3) While it is important to note that AMP ultimately settled with the CFTC for certain charges the agency levied against it, the CFTC Order unveiled that AMP’s customers’ records and information were subject to a breach by cyber criminals and, as the CFTC alleges inter alia, AMP failed “to supervise diligently the implementation of critical provisions in AMP’s information systems security program.”(4) Thus, businesses operating in the futures industry must not take discretion for granted and ensure they prudently review any and all applicable CFTC regulations and guidance to develop an adequate and sufficient cybersecurity framework.
The increasing complexity of technology across the globe requires businesses to apply the utmost scrutiny when determining how best to protect their operations. As stated by former CFTC Director James McDonald:
“Entities entrusted with sensitive information must work diligently to protect that information. That’s not only good business, but when it comes to registrants in our markets, it’s the law. As this case shows, the CFTC will work hard to ensure regulated entities live up to that responsibility, which has taken on increasing importance as cyber threats extend across our financial system.”(5)
To further reiterate, firms subject to CFTC oversight – and I would argue businesses in general – need to take the proper steps to protect against what has become a substantial threat in today’s market place … cybercrime.
* This article is for informational purposes only and does not contain or convey legal advice. The information herein should not be used or relied on in regard to any particular facts or circumstances without first consulting a lawyer. The statements herein reflect the views of the author only and do not necessarily reflect the views of the author’s employer or any other natural person or entity.
(1)CFTC Encourages Standardized Approaches to Assessing Cybersecurity Preparedness, Including the FSSCC Cybersecurity Profile, U.S. Commodity Futures Trading Commission, July 16, 2020, https://www.cftc.gov/PressRoom/SpeechesTestimony/commisisonstatementtac071620.
(3)See AMP Global Clearing LLC to Pay $100,000 for Supervision Failures Related to Cybersecurity of its Customers’ Records and Information, U.S. Commodity Futures Trading Commission, February, 12, 2018, https://www.cftc.gov/PressRoom/PressReleases/pr7693-18.
(4)See the full list of CFTC findings against AMP at Id.