As a result of this failure, a significant amount of AMP’s customers’ records and information were left unprotected for nearly ten months. In April 2017, as a result of this failure, a third party unaffiliated with AMP (Third Party) accessed AMP’s information technology network and copied approximately 97,000 files, which included customers’ records and information, including personally identifiable information. The Third Party thereafter contacted federal authorities about securing the copied information, and subsequently informed AMP that the copied information had been secured and was no longer in the Third Party’s possession. After becoming aware of the vulnerability and unauthorized access, AMP cooperated with the CFTC and worked diligently to remediate the issue.
CFTC’s Director of Enforcement Comments
James McDonald, the CFTC’s Director of Enforcement, commented: “Entities entrusted with sensitive information must work diligently to protect that information. That’s not only good business, but when it comes to registrants in our markets, it’s the law. As this case shows, the CFTC will work hard to ensure regulated entities live up to that responsibility, which has taken on increasing importance as cyber threats extend across our financial system.”
Specifically, the Order finds that AMP failed to supervise its IT Provider’s implementation of ISSP provisions it was delegated with implementing under AMP’s supervision, including identifying and performing risk assessments of access routes into AMP’s network, performing quarterly network risk assessments to identify vulnerabilities, maintaining strict firewall rules, and detecting unauthorized activity on the network. This failure left a significant amount of AMP’s customers’ records and information vulnerable to cyber-exploitation for nearly ten months, until the Third Party accessed AMP’s network.
The Order finds that the vulnerability in AMP’s network involved an open access route in a network attached storage device (NASD). Three successive quarterly network risk assessments failed to identify this vulnerability. Indeed, the Order finds that, before the Third Party accessed the NASD’s contents, the media had reported three other incidents of unauthorized access of NASDs used by organizations other than AMP, including some from the same manufacturer of AMP’s NASD. Yet AMP did not detect the vulnerability until its network was accessed and customer records and information compromised.
The Order requires AMP to pay a $100,000 civil monetary penalty and cease and desist from violating the CFTC regulation governing diligent supervision. The Order further requires AMP to provide two written follow-up reports, within one-year of entry of the Order, to the CFTC verifying AMP’s ongoing efforts to maintain and strengthen the security of its network and its compliance with its ISSP’s requirements.
The Order recognizes AMP’s substantial cooperation and remediation during the CFTC’s Division of Enforcement’s investigation of this matter, which included providing important information and analysis to the Division that helped the Division to efficiently and effectively undertake its investigation. The Order notes that the civil monetary penalty imposed on AMP reflects AMP’s cooperation.
The CFTC thanks the Securities and Exchange Commission for its assistance in this matter.
Jeremy Christianson and Christopher Beatty from the CFTC’s Office of Data and Technology also provided assistance in this matter.
CFTC Division of Enforcement staff members responsible for this action are Harry E. Wedewer, Trevor Kokal, Candice Aloisi, Lenel Hickson, Jr., and Manal M. Sultan.