Increased focus on cybersecurity by the Security Exchange Commission’s (“SEC”) continues as it recently issued charges against Morgan Stanley Smith Barney (“Morgan Stanley”) for failing to adopt written policies and procedures reasonably designed to protect confidential client information. These charges stemmed from a cybersecurity breach which began in 2011 and continued until 2014, resulting in the misappropriation of confidential client information in over 730,000 client accounts.
Broker-dealers and investment advisers are required pursuant to Regulation S-P and comparable regulation of the Federal Trade Commission to adopt written policies and procedures reasonably designed to protect client records and information. These policies and procedures must address the administrative, technical, and physical safeguards in place, and must be reasonably designed to insure the security and confidentiality of client records and information, protect against unanticipated threats, and prevent unauthorized access.
In this case, Morgan Stanley used web applications residing on an intranet network to store client information on an internal database. These applications could only be accessed through portals by authorized employees. Using these portals, financial advisors could create reports that retrieved and organized customer data from the underlying database. Access to these portals was restricted by firm policies and procedures which prohibited employees from accessing confidential information unless specifically authorized and as needed to perform their duties. In addition, the portals had authorization models in place which were intended to permit employees to create reports and view data relating to the clients in the group whom they serviced. There were also controls in place that prevented employees from downloading or copying data onto removable storage devices.
These policies and procedures were allegedly inadequate. In 2011 an employee accessed the portal through the authorization module and discovered a programming flaw which enabled him to access client information for all Morgan Stanley clients. Between 2011 and 2014 he exploited this flaw by repeatedly downloading confidential client information from various groups to which he was not authorized and by transferring the data onto his personal home computer and private server. The misappropriated data came from over 730,000 client accounts associated with approximately 330,000 different households, and included names, phone numbers, addresses, account numbers, account balances, and securities holdings. This data was subsequently stolen from the employee’s private server by a third party hacker and offered for sale online.
The SEC found that Morgan Stanley’s data security and cybersecurity policies and procedures were inadequate and not reasonably designed to meet its objectives for several reasons. First, Morgan Stanley allegedly failed to ensure that employee access to client information was restricted based on legitimate business need. Second, Morgan Stanley allegedly failed to test the effectiveness of its authorization modules to ensure only properly authorized employees had access to client information. Lastly, Morgan and Stanley allegedly failed to monitor and analyze the access and use of the portals by its employees to identify any unusual or suspicious patterns. The SEC charged Morgan Stanley with violating Rule 30(a) of Regulation S-P. Without admitting or denying the charges, Morgan Stanley agreed to settle and pay a $1 million fine.
Andrew Ceresney, the Director of the SEC Enforcement Division, made the following statement: “Given the dangers and impact of cyber breaches, data security is a critically important aspect of investor protection. We expect SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information.”
Parker MacIntyre provides legal and compliance services to investment advisers, broker dealers, registered representatives, hedge funds, and issuers of securities, among others. Our regulatory practice group assists financial service providers with complex issues that arise in the course of their business, including complying with federal and state laws and rules. Please visit our website for more information.