
InfoBytes Blog

Financial Services Law Insights and Observations

CFTC orders FCM to pay $1.5 million for poor cybersecurity

Federal Issues CFTC Enforcement Privacy/Cyber Risk & Data Security Data Breach Civil Money Penalties


On September 12, the CFTC issued an order against an Illinois-based futures commission merchant imposing a $1.5 million fine for allegedly failing to protect its systems from cybersecurity threats and not alerting its customers in a reasonable timeframe after a breach occurred. According to the order, the CFTC claims the merchant failed to adequately implement and comply with cybersecurity policies and procedures as well as a written information systems security program, and “policies and procedures related to customer disbursements by its employees.” The CFTC contends that because of these failures the merchant’s email system was breached, which allowed access to customer information and convinced the merchant’s customer service specialist to mistakenly wire $1 million in customer funds. While the merchant approved reimbursement of the funds shortly after discovery, instituted measures to prevent additional fraudulent transfers, and notified regulators the same day, the CFTC alleges it failed to disclose the breach or the fraudulent wire in a timely manner to current or prospective customers. Under the terms of the order, the merchant must pay a civil money penalty of $500,000 plus post-judgment interest, as well as restitution of $1 million. The merchant’s previous reimbursement of customer funds when the fraud was discovered was credited against the restitution amount.