CFTC Cybersecurity Rule 15.06 and Email Domain Protection

May 12, 2025

This blog post delves into CFTC Rule 15.06, with a particular focus on its implications for email domain protection. We'll explore the rule's core tenets, the rising threats of email spoofing and phishing, and best practices for organizations to fortify their email defenses.

CFTC Rule 15.06, enacted in 2016, requires Commission Members and Registered Entities to implement a cybersecurity program that addresses the risks associated with electronic storage of customer information. This program must encompass a set of controls designed to:

While the rule offers flexibility in how entities design their cybersecurity programs, it emphasizes the significance of risk assessment. Organizations must identify and assess the potential threats to their systems and data, and subsequently implement controls that mitigate these risks.

Email remains a primary communication channel in the financial services industry. However, this reliance on email also presents vulnerabilities that malicious actors can exploit. Two prevalent threats are:

Email Spoofing: Involves forging email headers so that a message appears to originate from a legitimate source, such as a trusted counterparty or regulatory body. Spoofed emails are often used in phishing attacks.

Phishing Attacks: Deceptive emails designed to trick recipients into revealing sensitive information or clicking on malicious links that can infect devices with malware.
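The spoofing threat above rests on a mismatch that a recipient can check: the domain shown in the header From (what the user sees) versus the domain the message was actually sent on behalf of (the envelope sender, preserved in Return-Path). This is the "identifier alignment" test that DMARC (RFC 7489) applies. The following script is an added example, not code from the original post or from Aeolus; the two messages are constructed samples, and the organizational-domain helper is a deliberate simplification (it keeps the last two labels rather than consulting the Public Suffix List).

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the visible From claims a trusted counterparty, but the
# envelope sender (Return-Path) belongs to an unrelated relay.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@relay.example>
Received: from relay.example (relay.example [203.0.113.10])
From: "Compliance Desk" <compliance@trustedbank.example>
To: ops@broker.example
Subject: Urgent: verify your account
Content-Type: text/plain

Please review the attached notice.
"""

# Constructed sample: sent from a mail subdomain of the same organization.
SUBDOMAIN_MESSAGE = """\
Return-Path: <compliance@mail.trustedbank.example>
From: "Compliance Desk" <compliance@trustedbank.example>
To: ops@broker.example
Subject: Monthly statement

Statement attached.
"""


def org_domain(domain):
    """Approximate the organizational domain as the last two labels.

    Simplification (assumption of this example): production code should
    derive the registrable domain from the Public Suffix List instead.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def address_domain(header_value):
    """Return the domain part of an RFC 5322 address header, or None."""
    _, addr = parseaddr(header_value or "")
    domain = addr.rpartition("@")[2].lower()
    return domain or None


def check_alignment(raw_message, mode="relaxed"):
    """Compare the header-From domain with the envelope-sender domain.

    mode="strict": the two domains must be identical.
    mode="relaxed": they must share an organizational domain (DMARC's
    relaxed alignment, which accepts subdomains of the same organization).
    """
    msg = message_from_string(raw_message)
    from_domain = address_domain(msg.get("From"))
    envelope_domain = address_domain(msg.get("Return-Path"))
    if from_domain is None or envelope_domain is None:
        return {"aligned": False, "reason": "missing From or Return-Path",
                "from_domain": from_domain, "envelope_domain": envelope_domain,
                "mode": mode}
    if mode == "strict":
        aligned = from_domain == envelope_domain
    else:
        aligned = org_domain(from_domain) == org_domain(envelope_domain)
    return {"aligned": aligned, "from_domain": from_domain,
            "envelope_domain": envelope_domain, "mode": mode}


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("subdomain", SUBDOMAIN_MESSAGE)):
        for mode in ("relaxed", "strict"):
            print(name, check_alignment(raw, mode))
```

Alignment is necessary but not sufficient: a message whose Return-Path matches the From domain still has to pass SPF or DKIM verification at the receiving gateway before it should be trusted, and a failed alignment check is exactly the signal a DMARC reject or quarantine policy acts on.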
