A futures commission merchant (“FCM”) settled CFTC charges for failing to enact sufficient cybersecurity measures and to notify customers of a $1 million cyber breach.
According to the Order, the FCM, Phillip Capital Inc. (“PCI”), failed to implement sufficient cybersecurity and customer disbursement policies and procedures, which ultimately allowed hackers to access its email systems and withdraw customer funds. After discovering that $1 million in customer funds had been withdrawn, PCI (i) approved reimbursement of the mistakenly wired customer funds, (ii) notified the CFTC Division of Swap Dealer and Intermediary Oversight on the day of the fraudulent wire and (iii) implemented measures to prevent further fraudulent transfers. The CFTC found that PCI failed to disclose in a timely manner the material facts of the cyber breach and fraudulent wire to current and prospective customers.
The CFTC credited PCI the $1 million restitution as a result of its prompt reimbursement of the customer funds upon discovery of the fraud. PCI also agreed to (i) cease and desist from further violating CFTC Rules, (ii) report remedial efforts to the CFTC and (iii) pay a civil monetary penalty of $500,000.
This enforcement action is an illustration of both (i) what can go wrong in connection with a cybersecurity failure and (ii) how much the task of compliance has changed as a result of the need to deal with cybersecurity issues, as well as other technology issues.
The firm’s initial problems resulted from the fact that its employees were deemed not to be up to their cybersecurity tasks. Allegedly, the firm’s IT Manager “had limited training in cybersecurity, and cybersecurity was not broadly within the IT Engineer’s sphere of responsibility.” Apparently, neither the firm’s CCO, who was responsible for maintaining the firm’s Information Systems Security Program (“ISSP”), nor the CCO’s staff was qualified to manage cybersecurity defenses or problems. Even when firm employees discovered the breach, they failed to respond adequately, and the hacker immediately re-breached the system. (The firm was arguably lucky that the hacker was so impatient. Had the hacker bided his time following the firm’s initial discovery, it is certainly possible that a second breach might have gone undiscovered for a longer period.)
The firm’s cybersecurity weakness was exacerbated by the fact that it had very weak “change of address” and disbursement policy controls. That was not in itself a cyber failure, but had those policies been up to speed, it is very likely that the major damage from the cyber failure itself could have been averted.
Finally, the firm failed to provide timely notice as to the breach. These days, firms must anticipate the possibility of a breach. While it seems unattractive to go public with information as to the breach, it is also risky not to do so.