The CFTC recently announced a settlement with a registered futures commission merchant (FCM) that had tens of thousands of client records compromised after its information technology vendor installed a backup drive on the FCM’s network that included an unsecured port of which the vendor was unaware. Although this case concerned an FCM, it puts all CFTC registrants on notice that they are responsible for protecting sensitive information. “Entities entrusted with sensitive information must work diligently to protect that information,” CFTC Director of Enforcement James McDonald noted, adding that, “[a]s this case shows, the CFTC will work hard to ensure regulated entities live up to that responsibility, which has taken on increasing importance as cyber threats extend across our financial system.” Further, the settlement reminds fund managers and other CFTC-registered entities that, under CFTC Regulation 166.3, they must monitor third-party service providers to avoid similar regulatory action. This article analyzes the terms of the settlement order, including the facts that led up to the settlement, the penalties imposed and the remedial steps the FCM agreed to take. For more from the CFTC, see “Virtual Currencies Present Significant Risk and Opportunity, Demanding Focus From Regulators, According to CFTC Chair
” (Feb. 8, 2018).