In December 2019, the U.S. government issued indictments against two hackers who were allegedly involved in a multiyear effort to penetrate the systems of several IT vendors and Managed Services Providers (MSPs). The attack, known today as the “Cloud Hopper Mega Hack,” was first noticed in 2016, as reported by the Wall Street Journal.
The hackers were able to compromise systems used by the MSPs to not only gain deeper access to their networks, but to also gain access to different client networks. It is suspected that these hackers stole a wide range of sensitive data. It is also believed that as many as 12 different service providers have been compromised; some of the names include Fujitsu, Tata Consultancy Services, NTT Data, Dimension Data, Computer Sciences Corp. and DXC Technology.

In response to the recently published article by the Wall Street Journal, cyber threat alerts were issued to member firms by regulators from the commodities and futures market. The National Futures Association (NFA) sent a blast email to all NFA member firms (on behalf of the CFTC), with the alerts attached, requiring member firms to provide information regarding relationships they potentially have with any of the affected providers.

The following guidelines were provided to member firms:

  • SDs and FCMs should respond by January 10, 2020, whether any of their cloud service providers were affected by the attack. DSIO has requested that SDs and FCMs respond even if their cloud service providers were not affected by the attack.
  • CPOs, CTAs, IBs and RFEDs should respond by January 10, 2020, if any of their cloud service providers were affected by the attack. Registrants in these categories whose cloud service providers were not affected by the attack do not need to respond to DSIO pursuant to the cyber threat alerts.
  • Any CFTC registrant whose cloud service provider or providers were affected by the attack should include information regarding whether and when the provider(s) informed it about the attack, a summary of any steps it has taken to protect its systems and data in response to the attack and its plans to notify market participants whose data may have been affected.
  • In addition, each CFTC registrant should respond by January 20, 2020, advising whether it has received any communications from, or is communicating with, cloud service providers, customers, clients, counterparties, business partners or industry-related parties regarding the attack described in the WSJ article or a related potential cyber event. This request is much broader than those described above, as it covers “related potential cyber events” and not merely the attack described in the WSJ article, and it is not limited to events related to cloud service providers. Also, given the phrasing of these sections of the cyber threat alerts, it appears DSIO is requesting responses from all registrants, regardless of whether they have any affirmative information to report.
  • DSIO has requested that registrants notify the staff promptly with updated information as their evaluation of the situation evolves.

Any information submitted to DSIO pursuant to the cyber threat alerts should be sent via email to DSIOAlerts@CFTC.gov.

Recommendation

Pretty simple: do as the regulators requested and supply them with the information they have asked for. The worst thing you can do is not respond to their request.