Key takeaways:

  • Business email compromise now joins the list of criminal cyberattacks that, in the eyes of civil regulators, can be the victim's fault. After an employee of a financial firm fell for a phishing attack, bad actors leveraged access to the firm's email system to craft a phony $1 million wire request purportedly from a firm customer. The firm innocently wired the money to an account under the control of the bad actor.
  • The Commodity Futures Trading Commission (CFTC) found the firm violated applicable regulations. In the CFTC's view, the firm had adopted a generic cybersecurity policy rather than one tailored to its business; failed to assign cybersecurity responsibilities to a dedicated employee after the previously responsible employee departed; did not have compliance personnel qualified to assess cybersecurity risks; and failed to fully assess the scope of the breach after it was discovered.
  • The CFTC also criticized the firm's alleged failure to follow wire confirmation processes, and its decision not to disclose the breach to current and prospective customers. The CFTC asserted there were "concerted efforts" by the company "to keep the fact of the breach from its customers and the public," including in internal documents that discouraged discussion of the breach because "it will only hurt our company for others to know and it to be talked about."

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.