The U.S. Securities and Exchange Commission (SEC) announced on June 8, 2016 that Morgan Stanley Smith Barney LLC has agreed to pay $1 million to settle civil charges that inadequate data security enabled a former employee to access client data without authorization. In December 2014 Morgan Stanley discovered portions of the data accessed by the employee were posted to Internet sites. The SEC’s order finds that Morgan Stanley failed to adopt written policies and procedures reasonably designed to protect customer records and information, and that Morgan Stanley willfully violated the Safeguards Rule.
Rule 30 of Regulation S-P, referred to as the Safeguards Rule and adopted pursuant to the Exchange Act and the Advisers Act, requires every broker-dealer and investment adviser registered with the Commission to adopt written policies and procedures reasonably designed to: (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
In its order, the Commission finds that Morgan Stanley failed to adequately protect two internal web applications, or portals, which contained customers’ personally identifiable information. The portals were web applications on the company’s intranet that enabled employees to run reports that retrieved customer data from company databases. Once populated, these reports contained customers’ full names, account numbers, phone numbers, states of residence, and account balances.
The Commission said that Morgan Stanley did not meet the Rule’s objectives by failing to include in its policies and procedures:
reasonably designed and operating authorization modules for the Portals that restricted employee access to only the confidential customer data as to which such employees had a legitimate business need; auditing and/or testing of the effectiveness of such authorization modules; and monitoring and analysis of employee access to and use of the Portals.
The Commission acknowledged that Morgan Stanley adopted certain policies and restrictions with respect to employee access to sensitive customer information in its Code of Conduct, and some authorization modules and technology controls. However, Morgan Stanley “failed to ensure the reasonable design and proper operation of its policies and procedures” because the authorization modules were “ineffective in limiting access with respect to one report” and absent with respect to another report available through a second portal. In addition, the Commission faulted Morgan Stanley for “fail[ing] to conduct any auditing or testing of the authorization modules for the Portals at any point since their creation at least 10 years ago.”
Both the SEC and the Financial Industry Regulatory Authority (FINRA) have brought cases where organizations’ procedures failed to comply with the Safeguards Rule and where organizations failed to follow or enforce their own data security procedures. The SEC and FINRA have also brought enforcement actions against organizations for failing to perform sufficient periodic assessments of data security procedures, and for failing to respond to deficiencies detected through such assessments.
The SEC and FINRA are likely to continue to focus data security enforcement actions on the issues of adequacy of data security policies, procedures and controls; an organization’s compliance with its data security procedures; the adequacy of periodic assessments of data security procedures and controls; and responding appropriately and promptly to any data security deficiencies detected. FINRA has issued guidance suggesting organizations conduct periodic assessments to detect potential systems vulnerabilities and to ensure that data security procedures and systems are effective in protecting customer personal information.
Organizations should identify repositories of sensitive information and restrict access to those individuals who require it to perform their job responsibilities. Once those repositories are identified, organizations should periodically review employee access credentials to databases containing sensitive customer information to confirm that access remains appropriate to each employee’s job responsibilities. These reviews should identify any changes in an employee’s responsibilities or employment status and ensure that access credentials have been changed accordingly where necessary.
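The three controls the Commission found missing (an authorization module that limits report access to business need, auditing and testing of that module, and monitoring of portal use) together with the periodic access review recommended above can all be expressed as small, checkable routines. The following is an added illustration written for this page, not code from Morgan Stanley, the SEC, or any portal described in the order; the report names, role model, branch scopes, employee records and access-log entries are all constructed sample data, and the 500-row threshold for a bulk-export alert is an assumed tuning value.

```python
"""Added example: least-privilege authorization for report-style customer
data access, plus the audit and monitoring routines that would exercise it.
All data below is constructed for illustration."""
from dataclasses import dataclass

# Constructed: the fields each report returns once populated. Reports that
# expose account numbers, phone numbers or balances are treated as restricted.
REPORT_FIELDS = {
    "client_summary": {"full_name", "account_number", "phone", "state", "balance"},
    "branch_activity": {"full_name", "state"},
}
RESTRICTED_FIELDS = {"account_number", "phone", "balance"}

# Constructed role model: which reports a role has a business need for, and
# whether the role may query only its own branch or every branch.
ROLE_ENTITLEMENTS = {
    "financial_adviser": {"client_summary": "own_branch", "branch_activity": "own_branch"},
    "branch_manager": {"client_summary": "own_branch", "branch_activity": "own_branch"},
    "marketing_analyst": {"branch_activity": "all"},
}

BULK_EXPORT_ROWS = 500  # assumed alert threshold for restricted reports


@dataclass(frozen=True)
class Employee:
    user_id: str
    role: str
    branch: str
    active: bool = True


def authorize(emp: Employee, report: str, branch: str) -> bool:
    """Authorization module: allow a report only if the employee is active,
    the role needs that report, and the requested branch is within scope."""
    if not emp.active:
        return False
    scope = ROLE_ENTITLEMENTS.get(emp.role, {}).get(report)
    if scope is None:
        return False
    return scope == "all" or branch == emp.branch


def audit_entitlements(employees, granted):
    """Periodic access review: compare what the portal actually grants (for
    example an export of its ACL table) with what the role model says each
    employee needs, and return (user, report, reason) findings."""
    findings = []
    for emp in employees:
        needed = set(ROLE_ENTITLEMENTS.get(emp.role, {}))
        for report in sorted(granted.get(emp.user_id, set())):
            if not emp.active:
                findings.append((emp.user_id, report, "inactive user retains access"))
            elif report not in needed:
                findings.append((emp.user_id, report, "no business need for report"))
    return findings


def review_access_log(employees, log):
    """Monitoring: replay logged portal requests through authorize() to catch
    access the module should have denied, and flag unusually large pulls of
    restricted fields even when the request itself was permitted."""
    by_id = {e.user_id: e for e in employees}
    alerts = []
    for entry in log:
        emp = by_id.get(entry["user"])
        if emp is None or not authorize(emp, entry["report"], entry["branch"]):
            alerts.append((entry["user"], entry["report"], "access outside business need"))
        elif REPORT_FIELDS[entry["report"]] & RESTRICTED_FIELDS and entry["rows"] > BULK_EXPORT_ROWS:
            alerts.append((entry["user"], entry["report"], "bulk export of restricted fields"))
    return alerts


# Constructed sample data: three employees, the portal's current grants, and
# a handful of access-log entries.
EMPLOYEES = [
    Employee("u100", "financial_adviser", "NY"),
    Employee("u200", "marketing_analyst", "CA"),
    Employee("u300", "branch_manager", "TX", active=False),  # left the firm
]
GRANTED = {
    "u100": {"client_summary", "branch_activity"},
    "u200": {"client_summary", "branch_activity"},  # client_summary exceeds need
    "u300": {"client_summary"},                     # never revoked
}
ACCESS_LOG = [
    {"user": "u100", "report": "client_summary", "branch": "NY", "rows": 12},
    {"user": "u100", "report": "client_summary", "branch": "CA", "rows": 40},
    {"user": "u200", "report": "client_summary", "branch": "CA", "rows": 3000},
    {"user": "u100", "report": "client_summary", "branch": "NY", "rows": 2500},
]

if __name__ == "__main__":
    for finding in audit_entitlements(EMPLOYEES, GRANTED):
        print("AUDIT  ", *finding)
    for alert in review_access_log(EMPLOYEES, ACCESS_LOG):
        print("MONITOR", *alert)
```

Running the script lists two audit findings (the analyst's unneeded report grant and the departed manager's unrevoked access) and three monitoring alerts (a cross-branch query, a request the module should have denied, and a permitted but oversized pull of restricted fields). The point of keeping `authorize()` as a pure function is that the same logic serves both the live portal decision and the offline audit, so testing the module is a matter of replaying recorded requests rather than a separate exercise that can go undone for years.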
Organizations should ensure that internal and external auditing of data security procedures and controls occurs as part of the annual review of the organization’s data security practices. Additionally, the results of such audits should be reported to the committee of the board of directors responsible for oversight and governance of the organization’s internal control framework.
Organizations must pay particular attention to the results of periodic assessments, because organizations have also been sanctioned for failing to adopt timely recommendations for improving data security procedures and controls arising out of internal and external audits. In addition, organizations should strive to take timely corrective action in response to detected deficiencies or vulnerabilities.
Finally, organizations should consider engaging outside counsel, together with information security experts, to conduct a comprehensive risk assessment under the Safeguards Rule, to review the technology and controls currently in use to safeguard sensitive information, and to develop remediation plans to correct any identified vulnerabilities or deficiencies, all under the attorney-client privilege.