The Commodity Futures Trading Commission (CFTC) has made another foray into data security, announcing today an order settling charges against AMP Global Clearing LLC (AMP) stemming from AMP’s failure to supervise the implementation of its information systems security program. Between June 21, 2016 and April 17, 2017, AMP stored thousands of customer records on an improperly protected internal network. This fact was discovered after an unknown third party, with no affiliation to AMP, accessed AMP’s network and copied 97,000 files containing personally identifiable information. The third party then contacted federal authorities, and later AMP. Although AMP cooperated with the CFTC and worked to fix the issue, the CFTC later brought charges against the company for failing to supervise the implementation of critical provisions of AMP’s information systems security program.
Specifically, the order finds that AMP failed to supervise its IT service provider’s implementation of the critical provisions of the security program, including identifying and performing risk assessments of access routes into AMP’s network, performing regular network risk assessments to identify vulnerabilities, maintaining strict firewall rules, and detecting unauthorized activity on the network. AMP’s failure left a significant amount of records and information vulnerable to cyber-criminals for nearly 10 months. The order requires AMP to pay a $100,000 civil monetary penalty, cease and desist from violating the CFTC regulation governing diligent supervision, and provide two written follow-up reports to the CFTC.
James McDonald, the CFTC’s Director of Enforcement, commented about the order: “Entities entrusted with sensitive information must work diligently to protect that information. That’s not only good business, but when it comes to registrants in our markets, it’s the law. As this case shows, the CFTC will work hard to ensure regulated entities live up to that responsibility, which has taken on increasing importance as cyber threats extend across our financial system.”
The matter highlights the need for proper vendor management. Companies are obligated under a wide, and ever-growing, array of data security laws and regulations to actively supervise vendors with responsibility for implementing the company’s information security program.