On January 3, 2020, the Division of Swap Dealer and Intermediary Oversight (DSIO) of the U.S. Commodity Futures Trading Commission (CFTC) issued two cyber threat alerts regarding the hacking of approximately one dozen cloud service providers, as described in a Wall Street Journal article published December 30, 2019, entitled “Ghosts in the Clouds: Inside China’s Major Corporate Hack.”
One DSIO cyber threat alert was directed to swap dealers (SDs) and futures commission merchants (FCMs). Another was directed to commodity pool operators (CPOs), commodity trading advisors (CTAs), introducing brokers (IBs) and retail foreign exchange dealers (RFEDs). The National Futures Association (NFA) then sent a blast email to all NFA members in these registration categories (on behalf of the CFTC), with the DSIO alerts attached, further emphasizing to NFA members the information requested by DSIO and the deadlines for providing such information.
Each SD, FCM, CPO, CTA, IB and RFED should determine whether any of its cloud service providers has been affected by the cyber attack described in the WSJ article, or if it has received communications or is communicating with cloud service providers or others regarding the attack or any related potential cyber event, and respond as follows:
- SDs and FCMs should respond by January 10, 2020, whether any of their cloud service providers were affected by the attack. DSIO has requested that SDs and FCMs respond even if their cloud service providers were not affected by the attack.
- CPOs, CTAs, IBs and RFEDs should respond by January 10, 2020, if any of their cloud service providers were affected by the attack. Registrants in these categories whose cloud service providers were not affected by the attack do not need to respond to DSIO pursuant to the cyber threat alerts.
- Any CFTC registrant whose cloud service provider or providers were affected by the attack should include information regarding whether and when the provider(s) informed it about the attack, a summary of any steps it has taken to protect its systems and data in response to the attack and its plans to notify market participants whose data may have been affected.
- In addition, each CFTC registrant should respond by January 20, 2020, advising whether it has received any communications from, or is communicating with, cloud service providers, customers, clients, counterparties, business partners or industry-related parties regarding the attack described in the WSJ article or a related potential cyber event. This request is much broader than those described above, as it covers “related potential cyber events” and not merely the attack described in the WSJ article, and it is not limited to events related to cloud service providers. Also, given the phrasing of these sections of the cyber threat alerts, it appears DSIO is requesting responses from all registrants, regardless of whether they have any affirmative information to report.
- DSIO has requested that registrants notify the staff promptly with updated information as their evaluation of the situation evolves.
Any information submitted to DSIO pursuant to the cyber threat alerts should be sent via email to DSIOAlerts@CFTC.gov.