Investment Funds Update
URGENT: CFTC Warns Registrants of Cyber Threats and Requests Information by January 10 and/or January 20.
One DSIO cyber threat alert was directed to swap dealers (SDs) and futures commission merchants (FCMs). Another was directed to commodity pool operators (CPOs), commodity trading advisors (CTAs), introducing brokers (IBs) and retail foreign exchange dealers (RFEDs). The National Futures Association (NFA) then sent a blast email to all NFA members in these registration categories (on behalf of the CFTC), with the DSIO alerts attached, further emphasizing to NFA members the information requested by DSIO and the deadlines for providing such information.
Each SD, FCM, CPO, CTA, IB and RFED should determine whether any of its cloud service providers has been affected by the cyber attack described in the WSJ article, or if it has received communications or is communicating with cloud service providers or others regarding the attack or any related potential cyber event, and respond as follows:
- SDs and FCMs should respond by January 10, 2020, stating whether any of their cloud service providers were affected by the attack. DSIO has requested that SDs and FCMs respond even if their cloud service providers were not affected by the attack.
- CPOs, CTAs, IBs and RFEDs should respond by January 10, 2020, if any of their cloud service providers were affected by the attack. Registrants in these categories whose cloud service providers were not affected by the attack do not need to respond to DSIO pursuant to the cyber threat alerts.
- Any CFTC registrant whose cloud service provider or providers were affected by the attack should include information regarding whether and when the provider(s) informed it about the attack, a summary of any steps it has taken to protect its systems and data in response to the attack and its plans to notify market participants whose data may have been affected.
- In addition, each registered IB and RFED should respond by January 20, 2020, advising whether it has received any communications from, or is communicating with, cloud service providers, customers, clients, counterparties, business partners or industry-related parties regarding the attack described in the WSJ article or a related potential cyber event. This request is much broader than those described above, as it covers “related potential cyber events” and not merely the attack described in the WSJ article, and it is not limited to events related to cloud service providers. Also, given the phrasing of these sections of the cyber threat alerts, it appears DSIO is requesting responses from all registered IBs and RFEDs, regardless of whether they have any affirmative information to report.
- DSIO has requested that registrants notify the staff promptly with updated information as their evaluation of the situation evolves.
Any information submitted to DSIO pursuant to the cyber threat alerts should be sent via email to DSIOAlerts@CFTC.gov.
Attorney Advertising—Sidley Austin LLP is a global law firm. Our addresses and contact information can be found at www.sidley.com/en/locations/offices.
Sidley provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship. Readers should not act upon this information without seeking advice from professional advisers. Sidley and Sidley Austin refer to Sidley Austin LLP and affiliated partnerships as explained at www.sidley.com/disclaimer.
© Sidley Austin LLP
