CFTC Penalizes Registrant for Outsourced IT Security Lapses
Last month, the CFTC settled charges against an organization for its failure to ensure the security of its’ customers’ records and information. The registrant’s third-party vendor gained unauthorized access to more than 90,000 records, and the CFTC’s charges make clear the risks registrants can face when their third parties are derelict in their duties.
with co-authors Michael W. Brooks, Cheri L. Hoff and Chelsea L. O’Donnell
On February 12, 2018, the Commodity Futures Trading Commission (CFTC) settled charges against AMP Global Clearing LLC (AMP), a futures commission merchant (FCM), for the company’s failure to adequately supervise one of its IT providers, which led to the unauthorized access of nearly 100,000 customer records by a third party.1 In order to settle the enforcement action, AMP agreed to a $100,000 civil penalty and to provide written reports to the CFTC “verifying AMP’s ongoing efforts to maintain and strengthen the security of its network and its compliance with its ISSP’s requirements.” This order is a reminder to all CFTC registrants – including but not limited to FCMs, commodity trading advisors (CTAs), commodity pool operators (CPOs) and swap dealers – that they bear the responsibility for protecting customer information.
AMP hired an unnamed IT provider to implement provisions of AMP’s information systems security program (“ISSP”), including the performance of risk assessments, maintenance of the AMP’s firewall and detection of unauthorized activity on AMP’s network. In June 2016, during the installation of a new storage device, the IT firm created an open access route from the internet through the company’s firewall to the new storage device. As a result, information regarding AMP’s customers, including personally identifiable information, could be openly accessed on the internet. The IT firm did not perform a risk assessment on the new storage system and on a quarterly basis informed AMP’s officers that there were no network security concerns based on the firm’s periodic network penetration tests, vulnerability scans and firewall audits. In March 2017, the unprotected information was discovered by a third party, and in April 2017, undetected by AMP, the third party copied approximately 97,000 files from the storage system. One week later, the third party contacted AMP and federal authorities to inform them about the breach. AMP immediately removed the storage device and began an internal investigation to determine the scope of the compromise.
The CFTC Order
In its Order, the CFTC concludes that the “IT Provider’s failure to implement fully the ISSP left unprotected against cyber-exploitation a significant amount of customer information, over a multiple month period.” By failing to diligently supervise the IT firm’s implementation of ISSP provisions, AMP violated Regulation 166.3,2 which requires registrants to diligently supervise the activities of their agents relating to their business as a CFTC registrant. While maintaining the position that “[a] violation of Regulation 166.3 is an independent violation for which no underlying violation is necessary,” the CFTC identified the activities at issue as relating to Regulation 160.30,3 which requires registrants to “adopt policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information.”
The CFTC’s order concludes the evidence of AMP’s failure to supervise is simply the fact that a vulnerability and breach went undetected for nearly 10 months, explaining, “for nearly 10 months, a significant amount of Respondent’s customers’ records and information were unprotected and vulnerable to cyber-exploitation – a vulnerability, and ultimately a breach, of which Respondent was unaware until being notified by the Third Party.” The CFTC Order recognizes AMP’s substantial cooperation and remediation during the investigation and states that the civil penalty reflects this cooperation.
Whether accomplished through a third-party vendor or directly, registrants must undertake to comply with both their obligations pursuant to Regulations 166.3 and 160.30 with respect to cybersecurity. This action highlights the risk that registrants that delegate ISSP administration to third-party vendors may be held liable in the event the vendor does not perform its contractual obligations by failing to detect a system flaw. The CFTC has set a high bar for registrants in the supervision of their vendors and demonstrates that taking vendors at their word is not sufficient. Registrants should ensure that they maintain robust ISSPs and diligently supervise vendors tasked with their policies’ implementation.
1 The CFTC Order settling the charges is available here.