Futures Regulator, Broker Settle Lax Cybersecurity Charges

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By George Lynch and Daniel R. Stoller

Futures broker AMP Global Clearing LLC settled Commodity Futures Trading Commission charges that its failure to diligently supervise a cybersecurity vendor resulted in a data breach.

The CFTC enforcement action is another example of “a long-standing theme among financial regulators about the critical need for financial institutions to oversee third parties with whom they do business,” Nathan Taylor, a cybersecurity and financial services partner at Morrison Foerster LLP in Washington, told Bloomberg Law.

As a registered futures commission merchant, AMP is obligated to diligently supervise its employees and agents in the security of its information systems, among other activities, according to the Feb. 12 settlement order. Under the agreement, AMP will pay a $100,000 civil penalty and cease and desist from violating CFTC regulations on diligent supervision of information systems. AMP didn’t admit liability under the pact.

Data Breach

AMP failed to adequately supervise an information technology vendor’s implementation of Information Systems Security Program (ISSP) provisions required by CFTC regulations, according to the order. The vendor was tasked with making risk assessments of access routes through AMP’s computer networks and maintaining strict firewalls.

But according to the CFTC, AMP left customer records vulnerable for 10 months until an unnamed third party discovered the vulnerability and made a copy of 97,000 customer files. The third party sent the copied data to federal authorities so they could ensure it was protected, and then alerted AMP.

Cybersecurity is “an area of increasing concern and scrutiny for the CFTC as it goes directly to the core principles of a registered entity, namely to have adequate system safeguards,” Anne Termine, of counsel in the futures and derivatives practice at Covington & Burling LLP in Washington, told Bloomberg Law.

Cybersecurity is a hot topic at CFTC, Termine said. The agency may conduct an enforcement sweep with coordinated investigations of registrants as a way to ensure the registrants are meeting its expectations, she said.

To contact the reporter on this story: George Lynch in Washington at glynch@bloomberglaw.com; Daniel R. Stoller in Washington at dstoller@bloomberglaw.com

To contact the editor responsible for this story: Donald Aplin at daplin@bloomberglaw.com

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security