The U.S. Commodity Futures Trading Commission today issued an order filing and simultaneously settling charges against Phillip Capital Inc. (PCI), a registered futures commission merchant, for allowing cyber criminals to breach PCI email systems, access customer information, and successfully withdraw $1 million in PCI customer funds.
The order also finds that PCI failed to disclose the cyber breach to its customers in a timely manner. Finally, the order finds that PCI failed to supervise its employees with respect to cybersecurity policy and procedures, a written information systems security program, and customer disbursements.
The order imposes monetary sanctions totaling $1.5 million, which includes a civil monetary penalty of $500,000, and $1 million in restitution. PCI is credited the $1 million restitution based on its prompt reimbursement of the customer funds when the fraud was discovered. The order also requires PCI to, among other things, provide reports to the Commission on its remediation efforts.
“Cybercrime is a real and growing threat in our markets,” said CFTC Director of Enforcement James McDonald. “While it may not be possible to eliminate all cyber threats, CFTC registrants must have adequate procedures in place — and follow those procedures — to protect their customers and their accounts from potential harm.”
The Division of Enforcement staff members responsible for this matter are Ilana Waxman, Alison B. Wilson, and Rick Glaser. The CFTC’s Division of Swap Dealer and Intermediary Oversight provided assistance in this case.