Content of Penalty:
The Commodity Futures Trading Commission (CFTC) issued an Order filing and simultaneously settling charges against AMP Global Clearing LLC (AMP), a registered Futures Commission Merchant since 2010, for its failure between June 21, 2016 and April 17, 2017 to supervise diligently the implementation of critical provisions in AMP’s information systems security program (ISSP). As a result of this failure, a significant amount of AMP’s customers’ records and information were left unprotected for nearly ten months. In April 2017, as a result of this failure, a third party unaffiliated with AMP (Third Party) accessed AMP’s information technology network and copied approximately 97,000 files, which included customers’ records and information, including personally identifiable information. The Third Party thereafter contacted federal authorities about securing the copied information, and subsequently informed AMP that the copied information had been secured and was no longer in the Third Party’s possession. After becoming aware of the vulnerability and unauthorized access, AMP cooperated with the CFTC and worked diligently to remediate the issue.
The Order finds that the vulnerability in AMP’s network involved an open access route in a network attached storage device (NASD). Three successive quarterly network risk assessments failed to identify this vulnerability. Indeed, the Order finds that, before the Third Party accessed the NASD’s contents, the media had reported three other incidents of unauthorized access of NASDs used by organizations other than AMP, including some from the same manufacturer of AMP’s NASD. Yet AMP did not detect the vulnerability until its network was accessed and customer records and information compromised.
The Order requires AMP to pay a $100,000 civil monetary penalty and cease and desist from violating the CFTC regulation governing diligent supervision. The Order further requires AMP to provide two written follow-up reports, within one-year of entry of the Order, to the CFTC verifying AMP’s ongoing efforts to maintain and strengthen the security of its network and its compliance with its ISSP’s requirements.