A Chicago-based futures brokerage will pay $1.5 million for letting cyber criminals breach the firm’s email systems and withdraw $1 million from a customer’s account.

The order from The U.S. Commodities Futures Trading Commission also finds that Phillip Capital Inc. failed to disclose the cyber breach to its customers in a timely manner.  The order alsi finds that PCI failed to supervise its employees with respect to cybersecurity policy and procedures, a written information systems security program and customer disbursements.

The order imposes monetary sanctions totaling $1.5 million, which includes a civil monetary penalty of $500,000, and $1 million in restitution. PCI is credited the $1 million restitution based on its prompt reimbursement of the customer funds when the fraud was discovered. The order also requires PCI to, among other things, provide reports to the Commission on its remediation efforts. 

“Cybercrime is a real and growing threat in our markets,” said CFTC Director of Enforcement James McDonald.  “While it may not be possible to eliminate all cyber threats, CFTC registrants must have adequate procedures in place — and follow those procedures — to protect their customers and their accounts from potential harm.”