A US futures and securities clearing broker has been slapped with a $1.5m fine for failing to implement and enforce adequate cybersecurity measures.
An investigation into Phillip Capital Incorporated (PCI) by the US Commodity Futures Trading Commission (CFTC) revealed a culture in which employees were not monitored to ensure that the cybersecurity of the business was protected and maintained.
Inadequate cybersecurity measures put in place within the Chicago-based company were found to be partially responsible for a data breach and the theft by cyber-criminals of $1m in PCI customer funds.
The theft occurred when one of the company's IT engineers fell victim to a phishing email. The CFTC criticized PCI for taking too long to report the crime to customers after it happened in early 2018.
On September 12, 2019, the CFTC issued an order that filed and simultaneously settled charges against PCI "for allowing cyber criminals to breach PCI email systems, access customer information, and successfully withdraw $1 million in PCI customer funds," and also for failing to disclose the breach to its customers "in a timely manner."
In a statement published on its website, the CFTC said that "the order finds that PCI failed to supervise its employees with respect to cybersecurity policy and procedures, a written information systems security program, and customer disbursements."
PCI was issued a civil monetary penalty of $500,000 and ordered to pay $1m in restitution. The broker was credited with the $1m restitution "based on its prompt reimbursement of the customer funds when the fraud was discovered."
The commission's investigation into PCI may be over, but the CFTC plans to keep an eye on the registered futures commission merchant's cybersecurity practices. The order filed by the CFTC requires PCI to provide reports to the commission on its remediation efforts.
"Cybercrime is a real and growing threat in our markets," said CFTC director of enforcement James McDonald. "While it may not be possible to eliminate all cyber threats, CFTC registrants must have adequate procedures in place—and follow those procedures—to protect their customers and their accounts from potential harm."