Phillip Capital Inc. (“PCI”), a Chicago-based brokerage firm, was ordered to pay $1.5 million following a cyber attack. Per the CFTC, PCI allowed “cyber criminals to breach PCI email systems, access customer information, and successfully withdraw $1 million in PCI customer funds.” The order also finds that “PCI failed to disclose the cyber breach to its customers in a timely manner. Finally, the order finds that PCI failed to supervise its employees with respect to cybersecurity policy and procedures, a written information systems security program, and customer disbursements.”
Why Is It Noteworthy?
After examining the court documents we found some notable items:
- The IT Engineer responsible for all of PCI’s technology was not a cybersecurity expert and lacked the skills necessary to properly identify the risk presented by his actions.
- PCI’s “Chief Compliance Officer (“CCO”) also had responsibility for certain IT matters, including establishing and maintaining PCI’s Information Security Policies, and directing and overseeing PCI’s employee IT training. However, PCI’s CCO did not have a background in or familiarity with IT generally or cybersecurity specifically and was unable to adequately evaluate the sufficiency of cybersecurity policies and trainings.”
- PCI’s policies were not tailored to its cybersecurity program, and they were not updated to address changes in PCI’s environment.
- PCI did not have proper incident response procedures in place. It failed to prioritize determining the impact of the breach and disclosing it to the appropriate parties.
If you haven’t performed your annual risk assessment, vulnerability tests, penetration test, policy and procedure or plan updates, incident response plan test, training, or anything else required by regulators or your investors/clients, do it now. Contact us to find out how we can help.