Monday, October 21, 2019

Cybersecurity issues top of mind at Chicago-Kent Conference on Futures and Derivatives

By Brad Rosen, J.D.

Representatives of the CFTC, NFA, and CME Group, along with some of the industry’s top lawyers and experts, shared their insights, guidance, and advice about the current state of law and regulation at the 11th Annual Chicago-Kent Conference on Futures and Derivatives. This year, the gathering of industry compliance and legal professionals heard the usual updates on CFTC enforcement actions and NFA regulatory matters, but also had the opportunity to learn about the intersection of antitrust and derivatives law, ethical issues implicated in regulatory investigations, and lessons on aggressive courtroom tactics from a lawyer who took on the DOJ in United States v. Flotron, a high-profile spoofing prosecution, and won.

Issues surrounding cybersecurity cut across a number of the conference sessions as the current cyberthreat landscape continues to grow more complex. In recent years, regulators have become more demanding as cyber breaches have clearly implicated supervisory obligations and raised the stakes in connection with CFTC enforcement liability.

NFA guiding members in an ever-changing cyber landscape. Cybersecurity issues were at the top of the NFA’s list in the second panel of the day, led by Patricia Cushing and Jennifer Sunu, both NFA compliance directors. Cushing explained that in 2019 the NFA updated its 2016 notice on cybersecurity, which had required members to adopt and enforce written procedures to secure customer data and access to their electronic systems. That notice also required firms to document their policies and procedures in an Information Systems Security Program (ISSP).

In April 2019, the NFA updated the interpretive notice which, in part, specifies a member’s reporting obligations in the event of a cyberbreach. Under the new requirements, a member should promptly notify NFA if there is a cybersecurity incident that results in:
  1. any loss of customer or counterparty funds;
  2. any loss of the member's own capital; or
  3. the member being required to provide notice to customers or counterparties under state or federal law.
The notice was updated to indicate that firms should be familiar with notice requirements in applicable US and non-US data security and privacy statutes and regulations. Cushing indicated that the NFA is still very much taking an educational approach with respect to working with its members regarding these cybersecurity requirements. However, if history is any guide, the enforcement shoe will drop eventually for NFA members in this area as well.

Cyberbreaches, supervisory failures, and enforcement liabilities from a CFTC perspective. In her presentation, CFTC Department of Enforcement Trial Attorney Allison Passman made it loud and clear that a cyberbreach by a CFTC registrant could clearly implicate CFTC supervisory obligations under Regulation 166.3 or Regulation 23.602, which relates to swap dealers and major swap participants. Passman pointed to In the Matter of Phillip Capital Inc., a case filed in September 2019, where a registered futures commission merchant was found to have violated Regulation 166.3 by permitting cyber criminals to breach the firm’s email systems, access customer information, and successfully withdraw $1 million in firm customer funds.

The order in that matter also found that the firm failed to disclose the cyber breach to its customers in a timely manner, and that the firm failed to supervise its employees with respect to cybersecurity policies and procedures, a written information systems security program, and customer disbursements. The order imposed monetary sanctions totaling $1.5 million, which included a civil monetary penalty of $500,000 and $1 million in restitution. The order also required Phillip Capital to provide reports to the CFTC on its remediation efforts.

An afternoon of emerging threats. In his well-received presentation, Skadden Arps attorney William Ridgway took conference attendees on a brief, but terrifying, tour of the emerging cyberthreat landscape. He noted that matters are becoming increasingly complex, especially with regard to the rise of ransomware. In 2016, ransomware accounted for $1 billion in losses. That figure grew to $5 billion in 2017 and $8 billion in 2018, though he explained that many incidents still go unreported. According to Ridgway’s research, ransomware attacks are increasingly targeting financial institutions, ransom demands are larger, and perpetrators increasingly seek to embarrass their victims. Ransom amounts now often exceed $50,000, and 70 percent of victims typically pay the demanded ransom.

Ridgway also observed that the dark web is increasingly facilitating criminal activity. Ransomware-as-a-service has emerged, whereby one party creates a ransomware package and another uses it for their own nefarious purposes. Moreover, Bitcoin, which is often used to pay ransomware extortionists, can be mixed and laundered so as to make the funds used to pay the ransom untraceable.

Ridgway also observed that regulations are becoming more demanding. In particular, he pointed to New York Division of Financial Services regulations which require:
  • annual penetration testing and bi-annual vulnerability testing;
  • auditing of third-party vendors;
  • multi-factor authentication for remote access;
  • encryption of all non-public information; and
  • annual board certification of compliance with the regulations.
In concluding, Ridgway left conference attendees with four key takeaways:
  1. Technology is empowering a more robust cyberthreat.
  2. We are more vulnerable with the rise of the Internet of Things, big data, and the cloud.
  3. Regulators around the globe are raising the bar.
  4. Basic cybersecurity is essential.