The Commodity Futures Trading Commission issued an order filing and simultaneously settling charges against AMP Global Clearing, a registered Futures Commission Merchant since 2010, because it failed to supervise diligently the implementation of critical provisions in AMP’s information systems security program (ISSP). AMP will pay a $100,000 civil monetary penalty as well as provide follow-up reports to the CFTC.
AMP’s cybersecurity failure meant a significant amount of its customers’ records and information was left unprotected for nearly ten months between June 2016 and April 2017. The vulnerability was brought to light by a third party unaffiliated with AMP, who accessed AMP’s information technology network and copied approximately 97,000 files, including customers’ records and information, and personally identifiable information.
The intrusion was possible because of an open access route in a network attached storage device (NASD), a problem that had been reported in the media numerous times, including reports of attacks specific to devices from the same manufacturer as AMP’s NASD. Yet AMP did not detect the vulnerability until its network had been accessed and customer records and information compromised.
After accessing the information, the third party contacted federal authorities about securing the copied information and subsequently informed AMP that the copied information had been secured and was no longer in the third party’s possession. After becoming aware of the vulnerability and unauthorized access, AMP cooperated with the CFTC and worked diligently to remediate the issue, which was reflected in the amount of the fine.