In response to a Wall Street Journal exposé published on December 30, 2019 (note: article behind a paywall), describing a huge breach of cloud managed service providers, regulators of the futures market have issued letters to firms affected by the breach requesting additional information by January 10.
The WSJ article described a large, multi-year Chinese cyberattack, in which hackers allegedly working for Chinese intelligence services gained access to cloud data storage providers and stole voluminous amounts of corporate data. The attack has been nicknamed “cloudhopper” and was first noticed in 2016. Despite multiple counterintelligence efforts, the attack appears to be ongoing. At least 12 cloud managed service providers have been reportedly hacked, including major players such as Canada’s CGI Group Inc., and IBM in the U.S. The hackers gained access to the cloud data storage providers via phishing and network infiltration efforts, and once in, hopped from firm to firm, illegally accessing sensitive data. Stolen information is reported to include security clearance details, health information, medical research, and a wide range of other intellectual property.
In response to the report, the U.S. Commodity Futures Trading Commission (CFTC) issued letters on January 3 to all firms registered with the regulator. The letter referred to the WSJ report, and requested that all registered commodity pool operators, including introducing brokers, commodity trading advisors, and retail foreign exchange dealers provide additional details to a specified email address indicating if their cloud service providers were affected by the attack. It further requested a summary of steps firms have taken to protect themselves in response to the attack, and how market participants whose data may have been affected have been notified of the breach. The requests responses no later than January 10.
Additionally, the CFTC letter requested that firms provide information regarding any communications with affected parties (cloud service providers, customers, clients, counterparties, business partners or industry-related parties), with regards to the attack described in the WSJ article. This information is requested by January 20.
A similar letter with the same response requests and dates was sent to registered swap dealers and futures commission merchants. Additionally, copies of the CFTC request letters were sent by the National Futures Association (NFA) to its member firms.
ACA Aponix recommends taking the following actions regarding the reported “cloudhopper” breach and the CFTC response request:
- Assess and gather any information regarding possible stolen data that was stored with affected cloud managed service providers.
- CFTC-regulated firms should provide full reports to the regulator, per their requests, at the email address requested. Indicate whether the firm’s cloud service providers were affected, what protective steps the firm has taken, and what notification efforts have been made. Do so by January 10.
- CFTC-regulated firms should provide full reports to the regulator, per their requests, at the email address requested, providing information regarding any communications with affected parties. Do so by January 20.
- Review existing policies and security procedures with cloud service providers to enhance security in light of the reported breach.
- Consider evaluating the protection of data stored on company resources as well, via penetration testing and other preventive measures. Respond with corrective actions as needed.
ACA notes that its software solutions, including the ACA Aponix Portal, vendor management outsourcing service (VMOS) solution, and ComplianceAlpha regulatory technology platform, are not hosted using any of the currently implicated cloud service providers.
How We Help
We offer the following solutions that can help your firm protect its sensitive information from potential exploits and other cyber incidents:
- Risk assessments and testing services
- Phishing testing and cyber awareness
- Penetration testing and vulnerability assessments
- Policies, procedures, and governance
- Cyber incident response planning
- Threat intelligence
- Mock regulatory cyber exams
If you have any questions, please contact your ACA Aponix consultant or email us at firstname.lastname@example.org.