CFTC asks registered futures participants for response on cloud data breaches - should you be checking your risks? Update
This morning the CFTC issued a revised version of this notice to CTAs, CPOs, IBs and RFEDs. There are two changes (underlined and in bold in the letter). They are:
The first clarifies who must respond by tomorrow. It states: "You are only required to submit an email confirmation if your cloud service providers have been affected by this attack". Anyone whose cloud provider was not hacked does not need to respond.
The second exempts CTAs and CPOs from the January 20 response requirement. It changes the first sentence of that paragraph to read: "In addition, only if you are a registered Introducing Broker or Retail Foreign Exchange Dealer, by January 20, 2020, ..."
This will reduce the burden on CTAs and CPOs in particular and anyone whose cloud provider was not hacked.
On Friday, January 3, the CFTC sent out two separate "Cyber Threat Alert" letters from Joshua Sterling, Director, Division of Swap Dealer and Intermediary Oversight: one to all "registered Commodity Pool Operator, Introducing Broker, Commodity Trading Advisor and/or Retail Foreign Exchange Dealer"s and one to all "registered Swap Dealers or Futures Commission Merchants". In these, the CFTC references the Wall Street Journal article of December 30, 2019 reporting on the hacking of multiple cloud service providers. The CFTC notes it appears "the attackers may have gained access to the providers' networks, allowing the hackers to freely and anonymously hop from client to client."
The letter requests that the entities:
"confirm no later than January 10, 2020 by email to DSIOAlerts@CFTC.Gov if your cloud service providers have been affected by this attack. If so, please include information regarding whether and when the provider(s) informed you about the attack and a summary of any steps you have taken to protect your systems and data in response to this attack and your plans to notify market participants whose data may have been affected."
By January 20, these entities must also confirm whether they have received any communications from, or are currently communicating with, an assortment of parties, ranging from the cloud service providers themselves to customers, business partners or industry-related parties, regarding the hacking event.
The industry has been moving much more rapidly to cloud-based services and support. Many of those systems may hold significant individual or corporate sensitive data such as trading activity, positions or even banking information. These CFTC letters could indicate that registered entities may bear a risk toward these customers if their data is compromised in a cloud environment. If the government starts to assert a duty to counterparties for loss of hacked trading or other information, what is the risk for companies in this environment?
While cloud-based solutions have significant advantages, do the providers offer indemnifications or warranties that give assurance against these risks? Has your trading and compliance risk assessment covered these types of events? It may be time to expand your risk assessments and controls review to include your cloud providers.
A full copy of the CTA/CPO/IB/RFED letter is below:
U.S. COMMODITY FUTURES TRADING COMMISSION
Three Lafayette Centre, 1155 21st Street, NW, Washington, DC 20581
Telephone: (202) 418-6700 Facsimile: (202) 418-5407
Division of Swap Dealer and Intermediary Oversight
Joshua B. Sterling, Director
TO: CFTC Registrants
FROM: Joshua B. Sterling, Director, Division of Swap Dealer and Intermediary Oversight
DATE: January 3, 2020
RE: Cyber Threat Alert
We recognize that, as registered participants in the markets the CFTC oversees, you must react to unexpected events that potentially impact your legal and regulatory obligations. A December 30, 2019 Wall Street Journal article reports that approximately one dozen cloud service providers have been hacked. The reporting indicates that the attackers may have gained access to the providers' networks, allowing the hackers to freely and anonymously hop from client to client.
We ask you to consider, in light of this reporting, your organization’s systems and data vulnerability.
If you are a registered Commodity Pool Operator, Introducing Broker, Commodity Trading Advisor and/or Retail Foreign Exchange Dealer, please confirm no later than January 10, 2020 by email to DSIOAlerts@CFTC.Gov if your cloud service providers have been affected by this attack. If so, please include information regarding whether and when the provider(s) informed you about the attack and a summary of any steps you have taken to protect your systems and data in response to this attack and your plans to notify market participants whose data may have been affected.
In addition, by January 20, 2020, consistent with CFTC Staff Advisory 14-21 (interpreting CFTC Rule 160.30), please also advise whether you have received any communications from—or are currently communicating with—cloud service providers, customers, clients, counterparties, business partners, or industry-related parties regarding the WSJ-described attack or a related potential cyber event.
We recognize that your evaluation of the situation may evolve, and we ask that you notify us promptly, updating us with follow-on information as you proceed in your assessment.
If you have questions, please do not hesitate to contact DSIO staff: Amanda Olear, Deputy Director, (202) 418-5283 or AOlear@cftc.gov; Joe Sanguedolce, Deputy Director, (646) 746-9750 or JSanguedolce@cftc.gov; or Barry McCarty, Special Counsel, (202) 418-6627 or CMcCarty@cftc.gov.