CFTC Fines Financial Trading Platform $6.5 Million for Alleged Reporting and Cybersecurity Risk Assessment and Testing Failures | Practical Law

The Commodity Futures Trading Commission (CFTC) has issued an order imposing a $6.5 million fine on CX Futures Exchange, L.P., now known as FMX Futures Exchange, L.P., for allegedly violating certain reporting requirements and several CFTC system safeguards rules when it failed to develop comprehensive enterprise technology risk assessments, sufficiently test its IT systems' security controls, and establish and maintain an adequate risk assessment and oversight program.

by Practical Law Data Privacy & Cybersecurity
Published on 03 Oct 2022 | USA (National/Federal)
On September 29, 2022, the Commodity Futures Trading Commission (CFTC) issued an order filing and settling charges against CX Futures Exchange, L.P. (CX), a designated contract market trading weather-related derivatives, over allegations the company violated several CFTC reporting requirements and cybersecurity safeguards rules. The company, now known as FMX Futures Exchange, L.P., did not admit or deny wrongdoing.
The order requires CX to pay a $6.5 million penalty and remediate its internal controls and procedures to comply with the CFTC contract market safeguards rules. The CFTC issues and enforces system safeguards regulations under the Commodity Exchange Act (7 U.S.C. §§ 1 to 27) that are aimed at ensuring the security of contract markets, including 17 C.F.R. §§ 38.1050 and 38.1051.
Specifically, the CFTC alleges CX violated the CFTC contract market safeguards rules by:
  • Failing to establish and maintain:
    • an adequate program of risk analysis and oversight; and
    • a library of its systems and controls in scope for its risk analysis and oversight program.
  • Not performing adequate enterprise technology risk assessments and failing to review risk assessment and testing results with its board of directors.
  • Failing to conduct:
    • adequate system controls testing necessary to identify vulnerabilities and minimize risks; and
    • sufficient internal and external penetration testing, including after a material change to migrate CX's systems to a cloud-based platform, a change CX also failed to report to the CFTC before it occurred.