Third-Party Vendor Blues
An FCM develops a robust Information System Security Program that requires assessment of potential vulnerabilities in its computer systems. [Sounds reasonable, right?]
The firm hires a third-party IT provider to conduct quarterly network penetration tests, vulnerability scans and firewall audits. [Good idea, right?]
The firm has the IT provider install a Network Attached Storage Device (NASD) on its computer network to store back-up data. [Makes sense; that requires the help of experts.]
The IT provider fails to alert the firm that the NASD can copy data to and from other NASDs over the Internet, and that a data port allowing this functionality is left open by default. [Oops.] The IT provider also fails to detect this vulnerability during three consecutive quarterly reviews. [Oops again.]
An unauthorized individual, whose motivation is not clear, copies 97,000 files over the open port without detection by the firm. The infiltrator boasts about the unauthorized access on blog posts and alerts both the FCM and federal authorities. The CFTC launches an enforcement action.
Who’s left holding the bag? Not the infiltrator. Not the IT provider that overlooked the flaws. The FCM (which may not have acted on the infiltrator’s tip) pays a $100,000 fine for failure to supervise the provider — even though that supervision requires technical expertise the FCM may not possess.
Read about this case in the Feb. 19 issue of the Bridging the Week newsletter by Gary DeWaal, a special counsel with Katten Muchin Rosenman LLP. DeWaal says that this is the second enforcement action settled within the past six months “…where a registrant was held liable for failure to supervise when the registrant expressly engaged a third party to assist it to detect potential regulatory problems when it believed it lacked expertise, and the third party apparently did not fulfill its objective.”
The daunting moral of the story? Firms must find ways to supervise the third-party vendors on whose expertise they rely! In practice that means the firm keeps its own record of what the vendor was engaged to check (here: which systems are exposed to the Internet and which ports are supposed to be open) and reconciles each quarterly report against that record, rather than treating the vendor's sign-off as evidence that nothing was missed.
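One concrete form that supervision can take, as an added example that is not from the newsletter, the case record, or the firm involved: the firm maintains its own inventory of approved Internet exposures, obtains (or runs) an external scan each quarter, and flags any open service that is neither approved nor listed in the vendor's report. Repeating the reconciliation across quarters catches exactly the failure in the story, a gap that the vendor's reviews miss more than once. The scan format, hosts, and the placeholder port 9999 are all constructed for the example; nothing here identifies the actual NAS product or port from the case.

```python
from collections import Counter

# Hypothetical inventory of exposures the firm has approved (constructed;
# addresses are from the documentation range 203.0.113.0/24).
APPROVED_EXPOSURE = {
    ("203.0.113.10", 443, "tcp"),  # public web front end
    ("203.0.113.11", 22, "tcp"),   # administrative jump host
}

# Constructed external scan output for three quarterly reviews, in a simple
# "host port/proto state service" format. Host .12 stands in for the NAS;
# port 9999 is a placeholder, not the port from the case.
Q1_SCAN = """
203.0.113.10 443/tcp open https
203.0.113.11 22/tcp open ssh
203.0.113.12 9999/tcp open unknown
"""
Q2_SCAN = """
203.0.113.10 443/tcp open https
203.0.113.11 22/tcp filtered ssh
203.0.113.12 9999/tcp open unknown
"""
Q3_SCAN = """
# comment lines are tolerated
203.0.113.10 443/tcp open https
203.0.113.11 22/tcp open ssh
203.0.113.12 9999/tcp open unknown
203.0.113.12 80/tcp closed http
"""

# What the vendor's quarterly reports listed as findings: nothing, all three times.
VENDOR_REPORTED = [set(), set(), set()]


def parse_scan(text):
    """Return the set of (host, port, proto) reported 'open' in the scan text."""
    found = set()
    for line in text.strip().splitlines():
        if line.lstrip().startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines rather than fail the review
        host, port_proto, state = parts[0], parts[1], parts[2]
        if state.lower() != "open":
            continue  # closed/filtered services are not exposures
        port, proto = port_proto.split("/", 1)
        found.add((host, int(port), proto))
    return found


def unexpected_exposures(observed, approved=APPROVED_EXPOSURE):
    """Open services that nobody approved for Internet exposure."""
    return set(observed) - set(approved)


def unreported_by_vendor(own_observed, vendor_findings, approved=APPROVED_EXPOSURE):
    """Unexpected exposures the firm can see but the vendor's report omits."""
    return unexpected_exposures(own_observed, approved) - set(vendor_findings)


def persisting_gaps(own_observations, vendor_reports, min_cycles=2, approved=APPROVED_EXPOSURE):
    """Vendor-missed exposures present in at least `min_cycles` review cycles.

    Returns {finding: number_of_cycles_in_which_it_was_missed}."""
    counts = Counter()
    for observed, reported in zip(own_observations, vendor_reports):
        counts.update(unreported_by_vendor(observed, reported, approved))
    return {finding: n for finding, n in counts.items() if n >= min_cycles}


def review_history():
    """Reconcile the three constructed quarters; return what should escalate."""
    scans = [parse_scan(s) for s in (Q1_SCAN, Q2_SCAN, Q3_SCAN)]
    return persisting_gaps(scans, VENDOR_REPORTED, min_cycles=3)


if __name__ == "__main__":
    for (host, port, proto), n in review_history().items():
        print(f"{host}:{port}/{proto} exposed and missing from the vendor report in {n} of 3 reviews")
```

The point of the design is that the approved-exposure list is owned by the firm, not by the vendor: a vendor cannot be "supervised" against a baseline it wrote itself. A single unexpected service is a finding for the vendor to explain; the same service surfacing in consecutive reports with no vendor finding is the signal that the engagement itself is not working.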
Exchange Analytics’ Training Perspectives Newsletter brings you important issues from compliance professionals. EA can help with your compliance training needs for Anti-Money Laundering, Customer Protection Rule, Cybersecurity, Ethics, Identity Theft Prevention, Market Conduct and Non-Competitive Trading. Learn more today.
Gary DeWaal is Special Counsel with Katten Muchin Rosenman LLP in its New York office focusing on financial services regulatory matters. He provides advisory services and assists with investigations and litigation.