The Commodity Futures Trading Commission (CFTC) today issued an order filing and simultaneously settling charges against AMP Global Clearing LLC (AMP) for its failure to supervise diligently the implementation of critical provisions in AMP’s information systems security program (ISSP) between June 2016 and April 2017.
As a result of this failure, a significant amount of AMP’s customers’ records and information was left unprotected for nearly ten months. The failure was detected in April 2017, when a third party unaffiliated with AMP accessed AMP’s information technology network and copied approximately 97,000 files containing customers’ records and information, including personally identifiable information.
The third party thereafter contacted federal authorities about securing the copied information, and subsequently informed AMP that the copied information had been secured and was no longer in the third party’s possession. After becoming aware of the vulnerability and unauthorized access, AMP cooperated with the CFTC and worked diligently to remediate the issue.
The order requires AMP to pay a $100,000 civil monetary penalty and cease and desist from violating the CFTC regulation governing diligent supervision. It further requires AMP to provide two written follow-up reports, within one year of entry of the order, to the CFTC verifying AMP’s ongoing efforts to maintain and strengthen the security of its network and its compliance with its ISSP’s requirements. The $100,000 civil penalty imposed on AMP reflects the company’s cooperation and remediation during the investigation.
“Entities entrusted with sensitive information must work diligently to protect that information. As this case shows, the CFTC will work hard to ensure regulated entities live up to that responsibility, which has taken on increasing importance as cyber threats extend across our financial system,” James McDonald, the CFTC’s director of enforcement, commented in a statement.