Financial regulators continue to expand their reach in the cybersecurity space, and funds, fund sponsors, and advisers should take note. Most recently, on February 12, the CFTC filed a simultaneous Order and Settlement against AMP Global Clearing LLC (AMP), a registered futures commission merchant, related to a breach of its networks in April 2017 by a third party who obtained approximately 97,000 AMP files, including customers’ personal information. Notably, the CFTC did not charge AMP under its regulation requiring that registrants have in place policies and procedures to safeguard customer records and information; rather, the CFTC proceeded under a separate regulation requiring that registrants diligently supervise any delegated entity tasked with performing any aspect of the registrant’s business activities.
Both the CFTC and SEC have in place regulations imposing supervisory obligations on registered fund sponsors and commodity trading advisers, and registered investment companies, advisers, and broker-dealers, respectively. As discussed further in the attached article, the Order and Settlement highlight the importance for funds, fund sponsors, and advisers of adequately supervising their service providers’ cybersecurity measures.