On September 12, 2019, the US Commodity Futures Trading Commission filed and settled charges against Phillip Capital Inc. (PCI), a registered futures commission merchant, in connection with a breach of PCI's email systems through which cyber criminals withdrew $1 million of customer funds. Immediately following discovery of the breach, PCI approved reimbursement of the funds it had mistakenly wired to the hackers, and notified regulators of the theft.
The CFTC charged, however, that PCI had not only failed to notify its customers of the cyber breach in a timely manner, but had consciously determined not to inform customers, and took steps to keep knowledge of the breach away from them in violation of Regulation 1.55(i), 17 CFR § 1.55(i) (2018). The CFTC also charged that the company’s Information Technology engineer had limited training in cybersecurity, and that the Chief Compliance Officer to whom the IT engineer reported had neither background in nor familiarity with cybersecurity, and could not assess the adequacy of the company’s cybersecurity policy and training. According to the CFTC, the company’s failure to provide adequate supervision to its employees in the field of cybersecurity, customer disbursements and systems security was a violation of Regulation 166.3, 17 CFR § 166.3 (2018).
The CFTC ordered PCI to pay restitution of the amount stolen by the cyber criminals, and credited the full $1 million to PCI as it had already restored the stolen funds to its customers. The CFTC also imposed a civil monetary penalty of $500,000 plus post-judgment interest, a sum equal to half the entire amount stolen in the breach, on top of the restitution. The settlement also requires PCI to report to the CFTC's Division of Enforcement within three months regarding the completion of the remedial steps the company has taken to improve its cybersecurity systems and procedures.