The SEC’s recent settlement with Morgan Stanley highlights the agency’s continued focus on enforcing cybersecurity measures. On June 8, 2016, Morgan Stanley agreed to pay a $1 million penalty to settle charges relating to its alleged failure to adopt written policies and procedures reasonably designed to protect customer records and information, a violation of the “Safeguards Rule.”
Because of these security failures, a Morgan Stanley employee was able to run reports and gather confidential customer data from approximately 730,000 accounts. The employee impermissibly accessed this information from 2011 to 2014 and transferred this data to his personal server, which was ultimately hacked by third parties who then posted the information to at least three internet sites. Morgan Stanley indicated that no fraud had been reported involving client accounts due to the breach.
The Safeguards Rule
Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)), known as the “Safeguards Rule,” was adopted by the SEC in 2000 pursuant to the Gramm-Leach-Bliley Act and subsequently amended in 2005. The rule requires SEC registrants to adopt written policies and procedures addressing administrative, technical and physical safeguards that are reasonably designed to: “1) insure the security and confidentiality of customer records and information; 2) protect against any anticipated threats or hazards to the security or integrity of customers records and information; and 3) protect against unauthorized access to or use of customers records or information that could result in substantial harm or inconvenience to any customer.”
Lessons Learned: What Morgan Stanley Did and Did Not Do
Morgan Stanley did have a number of measures in place relating to employee access of information and the handling of confidential customer data. For example, its Code of Conduct prohibited employees from accessing confidential information other than what employees had been authorized to access. The firm had authorization modules that, if implemented properly, should have permitted employees to run data reports only for customers that employee supported. Morgan Stanley also had technology controls that restricted employees from copying data onto removable storage devices and accessing certain categories of websites.
Despite these actions, the SEC identified that Morgan Stanley failed to ensure the reasonable design and proper operation of these protocols in at least three ways. First, the authorization modules were ultimately ineffective at limiting access since the employee was able to download information for customers he did not support. Second, Morgan Stanley failed to audit or test the authorization modules since their creation over 10 years ago. Finally, the firm did not monitor user activity in the customer data portals to identify unusual or suspicious patterns.
SEC’s Focus on Cybersecurity and Implications for Businesses
The SEC’s settlement with Morgan Stanley is just the latest in a series of actions demonstrating that, in accordance with its announcement in January, the SEC has made cybersecurity an enforcement priority. Consistent with this focus, in early June, the agency announced that it had appointed a new “senior advisor” to the chairman on cybersecurity policy.
This was also not the first enforcement action this year. On April 12, 2016, the SEC also settled with broker-dealer firm Craig Scott Capital, LLC, for the entity’s failure to comply with the Safeguards Rule. There, while there were no allegations that any clients had been harmed, the firm used email addresses other than those within its domain name to electronically receive more than 4,000 faxes from customers and other third parties, which routinely included sensitive customer records and information. The firm and its principals agreed to an order requiring the firm to pay a $100,000 fine, and two of the principals paid an additional $25,000 penalty each. This settlement serves as a reminder that both firms and individuals can be fined and held accountable even if no customer is financially harmed.
These recent enforcement actions drive home the need for businesses to not only implement, but also routinely monitor and review written policies and user protocols to make sure they are tailored to the entity and reflect the realities of practice. The SEC is not likely to look favorably on a compliance policy that is general, unspecific, or not routinely reviewed. Businesses should consider conducting periodic, informal walk-throughs to understand how employees communicate and use confidential customer data, and make sure policies are designed to reasonably protect customer data.