CFTC Issues Urgent Release to all Registrants Regarding a Cyberattack on Cloud Service Providers

CFTC Issues Urgent Release to all Registrants Regarding a Cyberattack on Cloud Service Providers

On January 3, 2020, the NFA distributed a letter on behalf of the CFTC to all registrants.  The letter addresses serious issues raised by the WSJ as it relates to cloud service providers that may have been compromised by a series of hacking attacks.

The CFTC is requesting that any CPOs, CTAs, IBs and RFEDs affected by the attacks described in its letter, contact the CFTC at [email protected]. Furthermore, the letter instructs all registrants to respond by Jan 20th informing CFTC as to whether you have received any communications from – or are currently communicating with – cloud service providers, customers, clients, counterparties, business partners, or industry-related parties regarding the attack described in the WSJ article or a related potential cyber event.

If you have any questions regarding the CFTC letter or a copy of the letter, contact Braden Perry.

Furthermore, today the FBI Cyber Division issued Flash AC-000112-TT, describing how actors gained unauthorized access to a US financial entity’s research network in August 2019. These intruders remotely exploited a Pulse Secure VPN appliance, which allowed directory transversal and access to a file where login credentials were written in plain text.

After gaining access, the intruders exfiltrated a database of usernames and passwords for the VPN client. Once these usernames and passwords were obtained, the intruders attempted to enumerate and access various segments of the network. The exploited segment was the only one utilizing single-factor authentication. The intruders attempted to access several Outlook web mail accounts but were unsuccessful due to the accounts being on separate domains requiring different credentials not obtained by the intruders.

The FBI Flash was released as TLP: Green and the details, including useful information for preventing access to outsiders, can be shared with clients and contacts, but not via publicly accessible channels. For this report or on ways to monitor and respond to cybercrime, please contact Braden Perry.

About Kennyhertz Perry’s Commodities, Futures, and Derivatives Practice Group

Kennyhertz Perry advises clients on a wide range of commodities and derivatives regulatory matters.  Kennyhertz Perry has experience in all types of derivative transactions and design structures to meet clients’ specific trading, financial and/or credit needs.  The roots of the practice are in the commodities markets, where Kennyhertz Perry partner Braden Perry spent time as a Senior Trial Attorney with the Commodity Futures Trading Commission.  Our lawyers regularly advise our clients on compliance with the complex laws and regulations governing the securities and derivatives industries, including the Commodity Futures Modernization Act of 2000, the Commodity Exchange Act, the Gramm-Leach-Bliley Act, the Securities Acts of 1933 and 1934, the Investment Company Act of 1940, the Investment Advisers Act of 1940, the SEC and CFTC regulations, the rules of the various derivatives exchanges and clearinghouses and other industry self-regulatory organizations and the “Blue Sky” state securities laws. Keeping abreast of regulatory developments is imperative and enables our lawyers to guide clients on comment-making about proposed legislation and regulation, provide ongoing operational and compliance counseling, and offer advice on appropriate modifications of transaction structure and documentation.

Clients also benefit from Kennyhertz Perry’s experience in related areas of law, such as litigation, banking, securities, insurance, and its regular practice before the Commodity Futures Trading Commission. Leaders in the financial industry choose Kennyhertz Perry because the firm’s lawyers tailor their advice to the unique issues presented by each matter they handle.

About Kennyhertz Perry’s Government Enforcement Practice Area

Kennyhertz Perry represents individual and corporate clients faced with the increased use of criminal enforcement to address business practices, particularly as they relate to financial issues. Mr. Perry brings his enforcement experience as well as his substantial prior experience in white-collar criminal defense practice, and as a firm, we represent corporate clients and individual officers and directors at every stage of government investigations and enforcement actions – including white collar criminal matters – initiated by state and federal agencies, including the Department of Justice, SEC, CFTC, FTC, and FINRA.

Kennyhertz Perry’s enforcement practice regularly defends clients against allegations involving a wide array of business contexts in federal and state grand jury investigations, trials, and appeals. In particular, we have represented clients in enforcement matters and related litigation involving a wide range of subject areas including Foreign Corrupt Practices Act (FCPA), consumer financial services, money laundering and Bank Secrecy Act, securities, commodities, options, and derivatives fraud, state and federal RICO laws, False Claims Act, and insurance fraud.

About Kennyhertz Perry’s Privacy, Cybersecurity, and Breach Management Practice Group

Kennyhertz Perry assists clients with data security needs, blending traditional legal experience in the corporate and litigation arenas with technical acumen.

We assist clients in prevention, developing robust information security programs, including administering internal compliance and risk assessments, which include the development and implementation of corporate policies and procedures required for compliance with state and federal privacy and security laws, and information security best practices; information security policies; records retention and management policies.

In addition to prevention, Kennyhertz Perry can prepare security incidence response procedures, identify, assess, contain, and mitigate privacy and security breaches, and work with law enforcement to assist in the investigation of the incident. Businesses that are the victims of cyberattacks also must determine when and how to cooperate with government agencies during investigation of an attack, and how best to do so. The lawyers in our privacy and cybersecurity practice, as well as members of our Government Enforcement practice group have deep experience, from both government and private practice, in this area, and help companies navigate the often complicated interactions with government agencies, and can provide both counseling and representation where the threat of prosecution may arise.

Kennyhertz Perry also assists with IT resiliency understanding and engaging at the top management and board level. Traditionally, IT has been misunderstood, and management would not understand the role and responsibility of IT departments. Kennyhertz Perry bridges this gap at all level. At the Board level, directors not only need to be sophisticated with business issues, they also need to be versed in today’s cyber and IT. Translating an understanding of the importance of a proactive IT security policy, and feeling like the company is “on board” with IT security efforts. Many companies have very robust policies and procedures for their business processes, which sophisticated Board members can understand. IT is different. It’s a different language for a businessperson, and unfortunately most Board members will ignore or defer on issues they don’t understand. So, when an IT department presents a robust plan for proactive IT security, it may go ignored or disregarded. This can lead to a reactive plan only that focuses on the “when” as opposed to prevention. IT is a different language. We serve as Board IT/cybersecurity liaison to be the “go between” and translate the IT language into business and vice versa.

About Kennyhertz Perry, LLC

Kennyhertz Perry, LLC is a business and litigation law firm representing clients in highly regulated industries. The firm was founded by two veteran Kansas City attorneys, John Kennyhertz and Braden Perry. To learn more about the firm, visit

*The choice of a lawyer is an important decision and should not be based solely upon advertisements.