National Data Breach

Just last month, hackers obtained millions of names, phone numbers, Social Security numbers, mailing addresses, and email addresses belonging to US citizens. The breach, one of the largest in recent history, involved unauthorized access to a government database containing sensitive information such as Social Security numbers, addresses, birth dates, and, in some cases, financial records. It has raised serious concerns about the security of public data and the effectiveness of government cybersecurity measures. To see if you were affected by the national data breach, you can use the lookup tool developed by cybersecurity firm Pentester: https://npd.pentester.com/

How does this data breach impact CFTC registrants and what can you do about it?

Identity Theft Training

At Turnkey we believe ALL individuals working within the industry, whether they be associated persons, principals, or other office staff, should take Identity Theft Training annually. This is why it is included in our training bundle along with Cybersecurity, Market Regulations, Anti-Money Laundering, Ethics, and quarterly updates.

There are six key categories covered in most identity theft training:

  1. Protect personal identifying information to minimize the risk of identity theft.
  2. Recognize patterns, practices, and activities that may signal potential identity theft (“Red Flags”).
  3. Detect Red Flags that indicate possible identity theft situations.
  4. Implement an incident response plan when identity theft is suspected.
  5. Train staff, faculty, and contractors to ensure they are aware of identity theft risks and know how to respond appropriately.
  6. Conduct an annual review of the Identity Theft Prevention Program, including related training and service provider compliance.

Understanding red flag rules and how to respond to an identity theft incident can help prevent and mitigate identity theft. Ask yourself, “If I or one of my customers had an identity theft incident, do I know how to respond?” Or a better question may be, “Do my employees and coworkers understand red flag behavior well enough to identify when a hacker is trying to steal identifying information from me or my clients?” If you and your team have not taken identity theft training, then the answer is almost certainly no to both.

What are the Regulations for Identity Theft?

NFA Compliance Rule 2-9 requires that all Member firms, including futures commission merchants (FCMs), commodity trading advisors (CTAs), commodity pool operators (CPOs), and introducing brokers (IBs), maintain a continuous responsibility to supervise their employees and agents in their commodity interest activities. Similarly, Compliance Rule 2-36 imposes the same supervisory obligations on retail foreign exchange dealers (RFEDs) for forex activities. Furthermore, NFA Compliance Rules 2-9(d) and 2-49, which incorporate CFTC Regulation 23.602 by reference, extend this supervisory responsibility to Member swap dealers (SDs) and major swap participants (MSPs). These rules are intentionally broad to provide flexibility in creating tailored procedures, with NFA issuing Interpretive Notices on specific issues to clarify acceptable supervisory standards.

As information technology has transformed business practices, Member firms now rely on electronic systems to gather and store sensitive customer and counterparty data, including personally identifying information (PII) and institutional records. Members also use websites for account management, trading, and order entry and connect electronically with other entities, exchanges, and regulators. NFA’s Board of Directors emphasizes the importance of having supervisory practices that mitigate the risks of unauthorized access to information systems and prepare for potential cybersecurity incidents.

What does this Mean for Your Firm?

While regulations may not explicitly require identity theft training for firms that do not hold customer money, and while regulators might not actively enforce such training in these cases, it should still be a significant concern for the industry. Identity theft is a pervasive and evolving threat that can impact individuals and organizations in ways beyond just financial loss. Even firms that do not directly handle customer funds are still entrusted with sensitive personal information, which, if compromised, can lead to severe reputational damage, legal liabilities, and loss of client trust.

The category “Finance and Insurance” is the second-most vulnerable sector to cyberattacks. Identity theft is a huge concern in the financial services industry, with 26% of banks reporting more than 100 cases of identity fraud. It makes sense that cybercriminals would want to infiltrate organizations that move a lot of money around; however, as we all know, cybersecurity reaches far beyond our industry.

Turnkey Training

Take the first step towards a more robust cybersecurity and identity theft training program by signing up for Turnkey Training. We include all of the required NFA trainings, such as Cybersecurity, Ethics, and Anti-Money Laundering, along with Identity Theft and Market Regulations. To learn more about our training product, or to inquire about how you can build more robust identity theft policies and procedures, contact us today.