In an order ringing of a General Data Protection Regulation’s privacy ruling, a Chicago-based futures brokerage has been fined $1.5 million for failing to safeguard its email systems from attacks by cyber criminals, allowing hackers to access sensitive customer information and pilfer $1 million in customer funds.
Futures and swaps markets watchdog U.S. Commodities Futures Trading Commission (CFTC) also ruled that Phillip Capital failed to disclose the cyber breach to its customers in a timely manner and didn’t educate its employees on cybersecurity policy and procedures, provide a written information systems security program and supervise staffers on customer disbursements. Under the directive, Phillip must pay monetary sanctions totaling $1.5 million, which includes a civil penalty of $500,000, and $1 million in restitution. PCI is credited the $1 million restitution based on its prompt reimbursement of the customer funds when the fraud was discovered. The order also requires PCI to provide reports to the Commission on its remediation efforts.
The penalties reinforce how serious is the CFTC about registrants' cybersecurity procedures and protections, said CFTC Director of Enforcement James McDonald. “Cybercrime is a real and growing threat in our markets,” he said. “While it may not be possible to eliminate all cyber threats, CFTC registrants must have adequate procedures in place — and follow those procedures — to protect their customers and their accounts from potential harm.”
The nine-year old Phillip Capital’s parent company, Phillip Capital Group, is based in Singapore since 1975. Its U.S. unit's customers covers retail, commercial, and institutional clients. Markets traded by its customers spans financial, equity, agricultural, energy, foreign exchange and metals.