CFTC Settles Charges Against AMP Global Clearing for Failing to Supervise Implementation of its Security Program
Wednesday, February 21, 2018
CFTC, Charges, Data Security, cybersecurity

Related Practices & Jurisdictions
Print Mail Download i

The Commodity Futures Trading Commission (CFTC) has made another foray into data security, announcing today an order settling charges against AMP Global Clearing LLC (AMP) stemming from AMP’s failure to supervise the implementation of its information systems security program. Between June 21, 2016 and April 17, 2017, AMP stored thousands of customer records  in an improperly protected internal network. This fact was discovered after an unknown third-party, with no affiliation to AMP, accessed AMP’s network and copied 97,000 files containing personally identifiable information. The third party then contacted federal authorities, and later AMP.  Although AMP cooperated with the CFTC and worked to fix the issue, the CFTC later brought charges against the company for failing to supervise the implementation of critical provisions of AMP’s information systems security program.

Specifically, the order finds that AMP failed to supervise its IT service provider’s implementation of the critical provisions of the security program, including identifying and performing risk assessments of access routes into AMP’s network, performing regular network risk assessments to identify vulnerabilities, maintaining strict firewall rules, and detecting unauthorized activity on the network. AMP’s failure left a significant amount of records and information vulnerable to cyber-criminals for nearly 10 months. The order requires AMP to pay a $100,000 civil monetary penalty, cease and desist from violating the CFTC regulation governing diligent supervision, and provide two written follow-up reports to the CFTC.

James McDonald, the CFTC’s Director of Enforcement, commented about the order: “Entities entrusted with sensitive information must work diligently to protect that information. That’s not only good business, but when it comes to registrants in our markets, it’s the law. As this case shows, the CFTC will work hard to ensure regulated entities live up to that responsibility, which has taken on increasing importance as cyber threats extend across our financial system.”

The matter highlights the need for proper vendor management. Companies are obligated under a wide, and ever growing, array of data security laws and regulations to actively supervise vendors with responsibility for implementing the company’s information security program.

Copyright © by Ballard Spahr LLP

Current Legal Analysis

More from Ballard Spahr LLP

FinCEN Deputy Director Stresses Technological Innovation, Virtual Currency Enforcement and the U.S. Culture of Compliance
by: Brian N. Kearney
The EU’s Efforts to Combat Money Laundering, the Financing of Terrorism and Corruption Seem to Overlook a Very American Approach: Prosecute People
by: Peter D. Hardy , Mary Treanor
California Legislature Adopts Five Amendments to CCPA, But Largely Rejects Industry Efforts
by: Gregory Szewczyk
Should the Financial Industry Be Detecting Future Mass Shooters?
by: Peter D. Hardy , Mary Treanor
Trump Administration to Discharge the Federal Student Loan Debt of Totally and Permanently Disabled Veterans
by: Stacy H. Rubin
FinCEN Advisory Highlights Money Laundering Risks Related to Fentanyl Trafficking
by: Terence M. Grugan
CFPB’s First Remittance Transfer Rule Enforcement Action
by: Bowen "Bo" Ranney , James Kim
FinCEN Announces New “Global Investigations Division” Focused on Foreign Money Laundering Threats
by: Peter D. Hardy
DOL Seeks to Improve Employers’ FMLA Forms
by: Brian D. Pedrow , David S. Fryman
The Federal Reserve’s Entry into Real-Time Payments
by: Christopher D. Ford , Judy Mok

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins