On June 8, 2016, the SEC announced settled administrative proceedings against Morgan Stanley Smith Barney LLC (MSSB), a registered investment adviser and broker-dealer, for failing to adopt written policies and procedures reasonably designed to protect customer records and information in violation of Rule 30(a) of Regulation S-P under the Securities Act (the Safeguards Rule). The Safeguards Rule, which the SEC adopted in 2000 and amended in 2005, requires SEC-registered broker-dealers, investment companies and investment advisers to adopt written policies and procedures reasonably designed to: (1) ensure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
According to the SEC, from at least August 2001 through December 2014, MSSB stored sensitive personally identifiable information (PII) of individuals to whom MSSB provided brokerage and investment advisory services on two of the firm’s applications: the Business Information System Portal and the Fixed Income Divisions Select Portal (collectively, the Portals). The SEC order states that between 2011 and 2014, Galen J. Marsh (Marsh), then an MSSB employee, misappropriated data of approximately 730,000 customer accounts by gaining unauthorized access to the Portals and downloading and transferring the confidential customer data, including PII, to his personal server. Although MSSB had installed and maintained certain technology controls on its computer systems that, among other things, restricted employees from copying data onto removable storage devices and from accessing certain categories of websites, the SEC order indicates that Marsh was able to transfer customer data to his personal server by using his personal website. The order states that, at the time, MSSB’s Internet filtering software did not prevent employees from accessing “uncategorized” websites, such as Marsh’s website, from MSSB computers; in other words, the filter defaulted to allowing any site it could not categorize, which left an exfiltration path that the removable-media restriction did not cover. The SEC found that from December 15, 2014 to February 3, 2015, portions of the data stolen by Marsh were posted to at least three different Internet sites with an offer to sell a larger quantity of stolen data in exchange for payment in digital currency.
The SEC order indicates that on December 27, 2014, MSSB discovered the data breach through one of its routine Internet sweeps, promptly took steps to remove the data from the Internet and notified law enforcement and other authorities.
According to the SEC, although MSSB had adopted written policies and procedures relating to the protection of customer PII, those policies and procedures were not reasonably designed to safeguard its customers’ PII as required by the Safeguards Rule. In this regard, the SEC order cites the failure of MSSB’s written policies and procedures to adequately address certain key administrative, technical and physical safeguards, such as: (1) reasonably designed and operating authorization modules for the Portals to restrict employee access to only the confidential customer data as to which such employees had a legitimate business need; (2) auditing and/or testing of the effectiveness of such authorization modules; and (3) monitoring and analyzing employee access to and use of the Portals to identify any unusual or suspicious patterns.
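The three safeguards the order faults, modeled as an added example that is not from the SEC order or from MSSB's systems: a default-deny authorization check that limits each employee to the accounts in their own book (item 1), a test that audits the access log for reads the authorization module should have denied (item 2), and monitoring that flags a user-day whose distinct-account count is far above the population's median (item 3). All employee names, account identifiers, log entries and thresholds are constructed for illustration.

```python
"""Added example, not from the SEC order or MSSB: minimal models of the
Safeguards Rule controls the order says were missing. All data constructed."""
from collections import defaultdict
from statistics import median

# (1) Authorization: each employee's "book" of customer accounts (constructed).
BOOK_OF_BUSINESS = {
    "fa_alice": {"A100", "A101", "A102"},
    "fa_bob": {"B200", "B201"},
    "fa_carol": {"C300"},
}


def authorize(user: str, account: str) -> bool:
    """Default-deny: grant access only to accounts in the user's own book.
    An unknown user has an empty book and is therefore denied everything."""
    return account in BOOK_OF_BUSINESS.get(user, set())


def build_log():
    """Constructed portal access log as (day, user, account) tuples:
    three normal days, then one day on which fa_bob enumerates 400 accounts
    outside his book (the bulk-download pattern the monitoring should catch)."""
    log = []
    for day in ("2014-01-06", "2014-01-07", "2014-01-08", "2014-01-09"):
        for user, book in BOOK_OF_BUSINESS.items():
            for acct in sorted(book):
                log.append((day, user, acct))
    for i in range(400):
        log.append(("2014-01-09", "fa_bob", f"X{i:04d}"))
    return log


# (2) Auditing/testing the authorization module against what actually happened.
def out_of_scope_access(log):
    """Every logged read that authorize() would have denied. A non-empty result
    means the portal is not enforcing the policy the authorization module encodes."""
    return [(day, user, acct) for day, user, acct in log if not authorize(user, acct)]


# (3) Monitoring: distinct accounts touched per user per day, versus the population.
def distinct_accounts_per_user_day(log):
    seen = defaultdict(set)
    for day, user, acct in log:
        seen[(user, day)].add(acct)
    return {key: len(accts) for key, accts in seen.items()}


def flag_unusual_access(log, ratio: int = 10, min_accounts: int = 50):
    """Flag (user, day, count) when a user touched at least `min_accounts`
    distinct accounts and more than `ratio` times the median user-day.
    The absolute floor stops tiny populations from flagging ordinary work."""
    counts = distinct_accounts_per_user_day(log)
    baseline = median(counts.values())
    return sorted(
        (user, day, n)
        for (user, day), n in counts.items()
        if n >= min_accounts and n > ratio * baseline
    )


if __name__ == "__main__":
    log = build_log()
    print("authorization test:", authorize("fa_alice", "A100"), authorize("fa_alice", "B200"))
    print("reads the module should have denied:", len(out_of_scope_access(log)))
    print("flagged user-days:", flag_unusual_access(log))
```

In practice the baseline would come from each user's own history or their peer group rather than a single population median, and the flagged user-day would feed a review queue rather than block access outright; the point is that both the denied-read audit and the volume check are cheap to run over logs the portal already produces.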
Although the SEC considered the remedial efforts promptly undertaken by MSSB and its cooperation afforded to the SEC staff, the SEC ordered that MSSB cease and desist from committing or causing future violations of the Safeguards Rule, censured the firm and required MSSB to pay a $1 million civil money penalty. By a separate settled administrative proceeding, the SEC barred Marsh from association with any broker, dealer or investment adviser, with the right to apply for reentry after five years. In a related criminal action, Marsh pled guilty to one count of exceeding his authorized access to a computer and thereby obtaining information contained in a financial record of a financial institution, in violation of 18 U.S.C. § 1030(a)(2)(A). Marsh was sentenced to 36 months’ probation and ordered to pay restitution in the amount of $600,000.
A copy of the order concerning MSSB is available at: http://www.sec.gov/litigation/admin/2016/34-78021.pdf.