AMP Global Clearing LLC ("AMP"), a registered futures commission merchant, agreed to pay a $100,000 penalty to settle CFTC charges that AMP failed to supervise the implementation of critical provisions in its information systems security program ("ISSP").

The CFTC alleged that customer records and information were left unprotected for nearly 10 months and, as a result, a third party unaffiliated with AMP accessed the AMP network and copied approximately 97,000 files that included customers' personally identifiable information.

The Order requires AMP to provide two written follow-up reports on ongoing AMP efforts to improve the security of its network and its compliance with the requirements of its ISSP. The CFTC noted that the civil monetary penalty reflects the cooperation AMP exhibited after becoming aware of the unauthorized access.

Commentary / Bob Zwirb

As a general matter, it's not clear to what extent financial firms must become technically more savvy to fulfill their supervision duties under CFTC Rule 166.3 where, like most firms outside the tech sector, they delegate information security programs and the like to outside technology providers. The CFTC faults the FCM for being unaware of and not detecting the faulty work of its IT provider and relying on the provider's quarterly network risk assessments assuring it that its network was free of vulnerabilities. Does this mean that companies must hire in-house technological personnel or a second outside technology firm to review the work of their primary technology provider?
