Digital Assets Report


Like this article?

Sign up to our free newsletter

AMP to pay USD100,000 to settle CFTC cybersecurity charges

Related Topics

Futures commission merchant AMP Global Clearing (AMP) is to pay USD100,000 to settle CFTC charges that it failed to supervise the cybersecurity of customer records and information.

The charges relate to the period between 21 June, 2016 and 17 April, 2017 to supervise. As a result of this failure, a significant amount of AMP’s customers’ records and information were left unprotected for nearly ten months.  In April 2017, as a result of this failure, a third party unaffiliated with AMP (Third Party) accessed AMP’s information technology network and copied approximately 97,000 files, which included customers’ records and information, including personally identifiable information. The Third Party thereafter contacted federal authorities about securing the copied information, and subsequently informed AMP that the copied information had been secured and was no longer in the Third Party’s possession. After becoming aware of the vulnerability and unauthorised access, AMP cooperated with the CFTC and worked diligently to remediate the issue.
James McDonald, the CFTC’s Director of Enforcement, says: “Entities entrusted with sensitive information must work diligently to protect that information.  That’s not only good business, but when it comes to registrants in our markets, it’s the law.  As this case shows, the CFTC will work hard to ensure regulated entities live up to that responsibility, which has taken on increasing importance as cyber threats extend across our financial system.” 
Specifically, the Order finds that AMP failed to supervise its IT Provider’s implementation of ISSP provisions it was delegated with implementing under AMP’s supervision, including identifying and performing risk assessments of access routes into AMP’s network, performing quarterly network risk assessments to identify vulnerabilities, maintaining strict firewall rules, and detecting unauthorized activity on the network.  This failure left a significant amount of AMP’s customers’ records and information vulnerable to cyber-exploitation for nearly ten months, until the Third Party accessed AMP’s network. 
The Order finds that the vulnerability in AMP’s network involved an open access route in a network attached storage device (NASD). Three successive quarterly network risk assessments failed to identify this vulnerability. Indeed, the Order finds that, before the Third Party accessed the NASD’s contents, the media had reported three other incidents of unauthorized access of NASDs used by organisations other than AMP, including some from the same manufacturer of AMP’s NASD. Yet AMP did not detect the vulnerability until its network was accessed and customer records and information compromised. 
The Order requires AMP to pay a USD100,000 civil monetary penalty and cease and desist from violating the CFTC regulation governing diligent supervision. The Order further requires AMP to provide two written follow-up reports, within one-year of entry of the Order, to the CFTC verifying AMP’s ongoing efforts to maintain and strengthen the security of its network and its compliance with its ISSP’s requirements.
The Order recognises AMP’s substantial cooperation and remediation during the CFTC’s Division of Enforcement’s investigation of this matter, which included providing important information and analysis to the Division that helped the Division to efficiently and effectively undertake its investigation. The Order notes that the civil monetary penalty imposed on AMP reflects AMP’s cooperation.

Like this article? Sign up to our free newsletter

Most Popular

Further Reading