It is not enough for a fund manager to have its own cybersecurity defenses; a manager must also exercise appropriate oversight of the defenses of third parties acting on its behalf. A recent CFTC settlement affirms the notion that registrants are not only responsible for their own compliance programs, but are also charged with the duty of supervising third-party vendors and are expected to maintain appropriate procedures to monitor those third parties. Further, a fund manager may be held responsible for the actions of third parties, even when the fund manager itself lacks the power to directly take those actions or when the fund manager itself is the victim of a third party’s missteps. This article analyzes the underlying facts and terms of the CFTC settlement order. For coverage of other recent CFTC enforcement efforts, see “New CFTC Chair Outlines Enforcement Priorities and Approaches to FinTech, Cybersecurity and Swaps Reform” (Nov. 9, 2017); “Newly Revealed CFTC Self-Reporting and Cooperation Regime Could Offer Benefits to Fund Managers, or Lead to Increased Enforcement” (Oct. 19, 2017); and “Two Recent Settlements Demonstrate CFTC’s Continued Focus on Spoofing” (Oct. 12, 2017).