Securities Regulation Daily FCM held liable for failure to supervise its IT provider and resulting data breach
News
Tuesday, February 13, 2018


By Brad Rosen, J.D.

The CFTC issued an order simultaneously filing and settling charges against AMP Global Clearing LLC (AMP), a Chicago-based futures commission merchant (FCM) registered since 2010, for its failure to diligently supervise the implementation of critical provisions in AMP’s information systems security program (ISSP) for a ten-month period, even though the firm had retained an outside IT provider. As a result, customer records and information were surreptitiously accessed by a Third Party (as referred to in the order) unaffiliated with the firm. In settling this matter, AMP agreed to pay a $100,000 civil penalty and undertake certain remedial actions (In the Matter of AMP Global Clearing LLC, February 12, 2018).

Underlying data breach and failure to supervise. As set forth in the order, AMP’s customer records and information were left unprotected from June 2016 through April 2017; as a result, an unaffiliated Third Party accessed the firm’s information technology network and copied approximately 97,000 files. These included customer records and information, as well as personally identifiable information. After AMP became aware of the vulnerability and unauthorized access, the firm cooperated with the CFTC and worked diligently to remediate deficiencies.

In particular, the order found that AMP failed to supervise its IT provider’s implementation of ISSP provisions it was delegated, including identifying and performing risk assessments of access routes into AMP’s network, performing quarterly network risk assessments to identify vulnerabilities, maintaining strict firewall rules, and detecting unauthorized activity on the network. As a result, many of AMP’s customers’ records and information were vulnerable to cyber-exploitation until the time the Third Party actually accessed AMP’s network.

More specifically, the order found that the vulnerability in AMP’s network involved an open access route in a network attached storage device (NASD). Three successive quarterly network risk assessments by AMP’s IT provider failed to identify this vulnerability. Moreover, the order found that before the Third Party accessed the NASD’s contents, the media had reported three other incidents of unauthorized access of NASDs used by organizations, including some from the same manufacturer of AMP’s NASD. Notwithstanding these media reports, AMP did not detect the vulnerability until its network was surreptitiously accessed, and customer records and information were compromised.

Director of Enforcement comments. James McDonald, the CFTC’s Director of Enforcement, stated: "Entities entrusted with sensitive information must work diligently to protect that information. That’s not only good business, but when it comes to registrants in our markets, it’s the law. As this case shows, the CFTC will work hard to ensure regulated entities live up to that responsibility, which has taken on increasing importance as cyber threats extend across our financial system."

The mysterious unaffiliated Third Party. According to the order, in April 2017, the Third Party unaffiliated with AMP accessed AMP’s information technology network, copied AMP customer records and information, and thereafter contacted federal authorities about securing the copied information. The Third Party subsequently informed AMP that the copied information had been secured and was no longer in its possession.

The order also indicated that AMP was contacted by the unaffiliated Third Party between June 21, 2016, and April 17, 2017, but AMP was then unaware that significant portions of its customer records and information were unprotected. The order also noted that from December 2016 through March 2017, the Third Party and his colleagues made a series of blog posts describing their surreptitious access, through what they describe as the Rsync port, to sensitive information stored on NASDs used by organizations other than AMP, including some from the same manufacturer as the one relevant in this case.
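The order ties the breach to an open access route on a network attached storage device reached over the rsync port, and faults the IT provider for not maintaining strict firewall rules or catching the exposure in quarterly risk assessments. The script below is an added example, not code from the CFTC order, AMP, or its IT provider: it audits a stock rsync daemon configuration (rsyncd.conf, the file rsync's daemon reads; the daemon listens on TCP 873 by default) and flags modules that can be reached without credentials, from any source address, or with write access. The configuration text embedded in it is constructed for illustration and does not describe AMP's device; the assumption is that the NAS exposes an ordinary rsync daemon rather than a vendor-specific service.

```python
"""Audit an rsyncd.conf for modules exposed without access controls.

Added example (not from the CFTC order or any party to it). Assumes the NAS
runs a stock rsync daemon configured through rsyncd.conf. The sample config
below is constructed for illustration only.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: one module with no controls at all, one locked down.
SAMPLE_RSYNCD_CONF = """\
# constructed rsyncd.conf for the audit example
uid = nobody
gid = nogroup

[backups]
    path = /volume1/backups
    comment = nightly client backups
    read only = no

[reports]
    path = /volume1/reports
    auth users = reports_ro
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.20.0.0/16
    read only = yes
"""

# Spellings rsync's daemon treats as boolean false (matched case-insensitively).
_FALSE_VALUES = {"no", "false", "0", "off"}


def parse_rsyncd_conf(text: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Split rsyncd.conf into (global settings, {module name: settings}).

    Keys are lower-cased; lines starting with '#' or ';' are comments, and
    '[name]' headers open a new module section.
    """
    global_settings: Dict[str, str] = {}
    modules: Dict[str, Dict[str, str]] = {}
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+?)\]", line)
        if header:
            current = modules.setdefault(header.group(1).strip(), {})
            continue
        if "=" not in line:
            continue  # tolerate a malformed line rather than abort the audit
        key, value = line.split("=", 1)
        current[key.strip().lower()] = value.strip()
    return global_settings, modules


def audit_rsyncd_conf(text: str) -> Dict[str, List[str]]:
    """Return {module: [issue, ...]}; an empty list means no exposure found.

    Module settings override global ones, so the effective value is checked.
    """
    global_settings, modules = parse_rsyncd_conf(text)
    findings: Dict[str, List[str]] = {}
    for name, settings in modules.items():
        effective = {**global_settings, **settings}
        issues: List[str] = []
        if "auth users" not in effective:
            issues.append("anonymous access: no 'auth users' set")
        if "hosts allow" not in effective:
            issues.append("unrestricted source: no 'hosts allow' set")
        # 'read only' defaults to yes in rsyncd.conf, so only an explicit
        # false value makes the module writable.
        if effective.get("read only", "yes").lower() in _FALSE_VALUES:
            issues.append("writable: 'read only' is disabled")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for module, issues in audit_rsyncd_conf(SAMPLE_RSYNCD_CONF).items():
        status = "OK" if not issues else "; ".join(issues)
        print(f"[{module}] {status}")
```

Run it against a device's own rsyncd.conf instead of the sample to turn the order's "identify access routes" and "quarterly risk assessment" obligations into a repeatable check; the host firewall rule restricting inbound TCP 873 to known backup clients is a separate control that this file-level audit does not verify.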

However, the order does not identify the relationship between the Third Party and AMP, or whether the Third Party is a business competitor of the NASD manufacturer or of AMP’s IT provider. Neither does the order indicate the Third Party’s connection to, or interest in, the events surrounding this action. A CFTC spokesperson was not able to provide further clarification with regard to these issues by press time.

Penalty reflects cooperation. The order requires AMP to pay a $100,000 penalty and to cease and desist from violating CFTC Regulation 166.3, which governs diligent supervision. AMP is also required to provide two follow-up reports to the Commission within a year to verify the firm’s ongoing efforts to maintain and strengthen the security of its network and its compliance with its ISSP’s requirements. The order also recognized AMP’s substantial cooperation and remedial efforts during the Division of Enforcement’s investigation of this matter and noted that the civil monetary penalty imposed on the firm reflects that cooperation.

The docket is No. 18-10.

Companies: AMP Global Clearing LLC

MainStory: TopStory CFTCNews CommodityFutures Enforcement ExchangesMarketRegulation
