On September 12, 2019, the Commodity Futures Trading Commission (CFTC) issued an order fining Phillip Capital Inc. (Phillip Capital) $1.5 million in connection with a cyber breach. The order cited the Chicago-based firm for permitting cybercriminals to access its email system, access client information, and successfully withdraw $1 million in client funds. The order further cited the firm for failure to notify victims in a timely manner, failure to supervise its employees with respect to cybersecurity policies and procedures and client disbursements, and an inadequate written information security program.
The CFTC levied a $500,000 civil penalty and ordered $1 million in restitution payments to victims. The CFTC did note in its order that it credited the $1 million restitution to Phillip Capital based on its prompt reimbursement of client funds upon discovery of the breach. The order further requires Phillip Capital to remediate gaps in its cybersecurity governance and provide periodic reports to the CFTC regarding the progress of its remediation efforts.
“Cybercrime is a real and growing threat in our markets,” said CFTC Director of Enforcement James McDonald. “While it may not be possible to eliminate all cyber threats, CFTC registrants must have adequate procedures in place — and follow those procedures — to protect their customers and their accounts from potential harm.” Agio couldn’t agree more, and we’d add that the same holds true for all registered advisors, regardless of whether or not their firm engages in futures-related business activities.
Similar to the CFTC, the SEC lists 6 areas of focus and 28 areas of interest in its cybersecurity Risk Alerts. The vast majority of these require the implementation of cybersecurity controls like those outlined in the NIST Cybersecurity Framework. Required preventative or proactive controls include:
- Identity and access management
- Strong user access credentials
- Controls to limit lateral movement within the network
- Established and tested incident response procedures
- Up-to-date cybersecurity policy and procedure documents
- A myriad of other controls
A full suite of cybersecurity controls that addresses the firm’s people, process and technology; assurance that those controls are implemented and configured in accordance with best practices; periodic assessment and testing to identify gaps and vulnerabilities; and a well-documented cybersecurity governance regimen are now requirements. Until the majority of hedge funds and other registered advisors adopt a comprehensive and programmatic approach to cybersecurity governance and testing, we can expect more orders, enforcement actions and fines similar to the one the CFTC levied against Phillip Capital.
If your fund isn’t fully addressing all aspects of its people, process, and technology, then you most certainly have gaps in your cybersecurity governance and testing regimen. Agio has been helping hedge funds identify and mitigate those cybersecurity gaps with our SEC Cybersecurity Governance Program, and we’d love an opportunity to help your fund do the same.