Regulatory Cyber Update: CFTC Cyber Enforcement Action; FCA Statement on GDPR

February 16, 2018

This advisory contains information about the CFTC cyber enforcement action and the FCA's statement on GDPR.

CFTC Cyber Enforcement Action

On February 12, 2018, the Commodity Futures Trading Commission (CFTC) ordered a registered futures commission merchant ("FCM") to pay a $100,000 fine for its alleged failure to supervise its IT provider's implementation of key provisions of the FCM's information systems security program (ISSP). The CFTC charged the FCM with failing to supervise critical provisions of that program, including identifying and performing risk assessments of access routes into its network, performing quarterly network risk assessments to identify vulnerabilities, maintaining strict firewall rules, and detecting unauthorized activity on the network.

As a result of this failure, an unaffiliated third party claimed to have accessed and copied 97,000 files containing customer data, including personally identifiable information, from the FCM's network, and alerted federal authorities to the exposure. The vulnerability was allegedly caused by an open access route into a network-attached storage device. Three successive quarterly risk assessments performed for the FCM failed to identify this access route, leaving customer data exposed for 10 months.

For more information, see the CFTC's alert.

ACA Aponix Guidance

ACA Aponix recommends taking the following precautionary measures to reduce the likelihood of a breach and of a resulting regulatory fine:

  • Validate the implementation of your security controls to ensure they are adequate and in line with your written information security program (WISP), regardless of whether those controls are operated internally or by a third party. The CFTC order shows that outsourcing the implementation does not outsource the duty to supervise it;
  • Inventory sensitive data; and
  • Ensure access to sensitive data is restricted to staff who need it and periodically review access.
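The first recommendation, validating controls rather than trusting that a provider implemented them, is the one the CFTC order turns on: three quarterly assessments missed an open access route into a NAS device. The script below is an added example and is not part of the ACA Aponix advisory or of any regulator's guidance. It takes the firewall policy a WISP describes and a scan of what is actually reachable at the perimeter, evaluates each observed route against the policy with first-match semantics (the way most firewalls process rule lists), and reports every route the policy does not permit, rating file-sharing services such as SMB and NFS as high severity because that is where customer files tend to live. Every host address, port and rule is constructed for illustration (TEST-NET ranges); none of it describes the FCM in the order.

```python
"""Added example: validate perimeter exposure against a WISP firewall policy.

Hypothetical data throughout. Addresses are from the documentation ranges
203.0.113.0/24 and 198.51.100.0/24 and do not refer to any real firm.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One firewall rule as written in the WISP: source, destination, port."""
    src: str      # CIDR; 0.0.0.0/0 means "any"
    dst: str      # CIDR or single address
    port: int     # 0 means "any port"
    action: str   # "allow" or "deny"


@dataclass(frozen=True)
class Observation:
    """One reachable service seen by a scan run from outside the perimeter."""
    src: str
    dst: str
    port: int
    service: str


# Constructed WISP policy: only the VPN gateway and the public web front end
# may be reached from the internet; everything else is denied by default.
WISP_POLICY = [
    Rule("0.0.0.0/0", "203.0.113.10", 443, "allow"),   # VPN gateway
    Rule("0.0.0.0/0", "203.0.113.20", 443, "allow"),   # web front end
    Rule("0.0.0.0/0", "0.0.0.0/0", 0, "deny"),          # default deny
]

# Constructed scan result. 203.0.113.30 is a NAS whose SMB and NFS services
# are reachable from the internet, which the policy above never permits.
SCAN = [
    Observation("198.51.100.7", "203.0.113.10", 443, "https"),
    Observation("198.51.100.7", "203.0.113.20", 443, "https"),
    Observation("198.51.100.7", "203.0.113.30", 445, "microsoft-ds"),
    Observation("198.51.100.7", "203.0.113.30", 2049, "nfs"),
]

# Services that expose files directly; an unexpected one is the NAS case.
FILE_SHARING_PORTS = {21, 445, 2049, 873}


def policy_decision(policy, obs):
    """Return the action of the first rule matching the observation.

    Falls through to "deny" if no rule matches, i.e. the policy is treated
    as default-deny even if the written rule list forgot to say so.
    """
    for rule in policy:
        if (ip_address(obs.src) in ip_network(rule.src)
                and ip_address(obs.dst) in ip_network(rule.dst)
                and rule.port in (0, obs.port)):
            return rule.action
    return "deny"


def unauthorised_routes(policy, scan):
    """Every observed route that the written policy does not allow."""
    return [obs for obs in scan if policy_decision(policy, obs) != "allow"]


def assess(policy, scan):
    """Produce (observation, severity) pairs for the assessment report."""
    findings = []
    for obs in unauthorised_routes(policy, scan):
        severity = "high" if obs.port in FILE_SHARING_PORTS else "medium"
        findings.append((obs, severity))
    return findings


if __name__ == "__main__":
    for obs, severity in assess(WISP_POLICY, SCAN):
        print(f"[{severity}] {obs.dst}:{obs.port} ({obs.service}) reachable "
              f"from {obs.src} but not permitted by policy")
```

Run quarterly against a fresh scan and the policy as currently written, and treat any finding as a control failure to be closed before the next cycle; a clean run also documents, for a regulator, that the assessment looked at access routes and not only at the rule list the provider supplied.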

How ACA Aponix Can Help

ACA Aponix can help your firm assess its cybersecurity risk and identify vulnerabilities that could lead to a breach. Our services include:

FCA Statement on GDPR

The Financial Conduct Authority (FCA) indicated in a joint statement with the Information Commissioner's Office (ICO) that the European Union's General Data Protection Regulation (GDPR) does not impose requirements that are incompatible with the rules in the FCA Handbook. Although the ICO is the regulator responsible for GDPR compliance, GDPR and the FCA Handbook share a number of requirements. The FCA will consider GDPR requirements under its own rules, including those in the Senior Management Arrangements, Systems and Controls (SYSC) module.

How ACA Aponix Can Help

ACA Aponix can assess your organization’s readiness to comply with GDPR requirements. As part of our assessment, we will review your firm’s personal data processing activities to build a data inventory, identify risks and gaps relative to the requirements of GDPR and assist with building a practical action plan to address deficiencies.

If you have any questions, please contact your ACA Aponix consultant or email us at