The Securities and Exchange Commission (SEC) recently reached a $1 million settlement with Morgan Stanley Smith Barney (MSSB) that marked a turning point in the agency's focus on cybersecurity, an area the agency has proclaimed a top enforcement priority in recent years. The settlement addressed cybersecurity deficiencies that led to the misappropriation of sensitive data for approximately 730,000 customer accounts. The SEC found that MSSB violated the "Safeguards Rule" of Regulation S-P. Adopted in June 2000, the rule requires registered broker-dealers, investment companies and investment advisers to (1) adopt written policies and procedures that address administrative, technical and physical safeguards reasonably designed to insure the security and confidentiality of customer records and information, (2) protect against anticipated threats or hazards to the security or integrity of customer records and information and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
The SEC found that MSSB failed to implement sufficient safeguards to protect customer information. MSSB lacked reasonably designed and operating authorization modules that restricted each employee's access to only the customer data for which that employee had a legitimate business need, failed to sufficiently audit or test the effectiveness of those modules, and did not adequately monitor and analyze employee access to, and use of, its information portals. As a result, a financial advisor, Galen Marsh, was able to access sensitive personally identifiable information about the customers of other financial advisors, including their account balances, securities holdings and other personal information. The information he obtained was then offered for sale on at least three websites. This settlement is the first significant enforcement action the SEC has undertaken since it began prodding financial firms to shore up their cybersecurity defenses five years ago.
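The two controls the SEC faulted above, a need-to-know authorization check on every customer-record read and monitoring of portal access logs for out-of-book and bulk access, can be shown in a few lines. The following is an added Python example written for this page; it is not MSSB's code and does not reproduce any system described in the SEC order. The advisor-to-account "book of business" mapping, the customer store, the four-field log format and the log lines are all constructed for the demonstration.

```python
"""Added illustration: need-to-know authorization plus access-log monitoring.

Constructed example. It is not MSSB's code and does not reproduce any system
described in the SEC order; every name, record and log line below is made up.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed book of business: which accounts each advisor legitimately services.
BOOK_OF_BUSINESS: Dict[str, Set[str]] = {
    "advisor_a": {"ACCT-1001", "ACCT-1002", "ACCT-1003"},
    "advisor_b": {"ACCT-2001", "ACCT-2002"},
}

# Constructed customer records (the kind of data the Safeguards Rule covers).
CUSTOMER_STORE: Dict[str, dict] = {
    "ACCT-1001": {"name": "Customer 1", "balance": 250_000},
    "ACCT-1002": {"name": "Customer 2", "balance": 80_000},
    "ACCT-1003": {"name": "Customer 3", "balance": 1_200_000},
    "ACCT-2001": {"name": "Customer 4", "balance": 30_000},
    "ACCT-2002": {"name": "Customer 5", "balance": 410_000},
}

# Constructed portal access log, one event per line:
# "<timestamp> <employee> <account> <action>"
SAMPLE_LOG = """\
2000-01-01T09:14:02Z advisor_a ACCT-1001 view
2000-01-01T09:15:10Z advisor_a ACCT-1002 view
2000-01-01T10:02:44Z advisor_b ACCT-2001 view
2000-01-01T10:03:01Z advisor_b ACCT-1001 view
2000-01-01T10:03:05Z advisor_b ACCT-1002 export
2000-01-01T10:03:09Z advisor_b ACCT-1003 export
"""


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    employee: str
    account: str
    action: str


def is_authorized(employee: str, account: str,
                  book: Dict[str, Set[str]] = BOOK_OF_BUSINESS) -> bool:
    """Deny by default: an employee may touch only accounts in their own book."""
    return account in book.get(employee, set())


def fetch_account(employee: str, account: str,
                  store: Dict[str, dict] = CUSTOMER_STORE,
                  book: Dict[str, Set[str]] = BOOK_OF_BUSINESS) -> dict:
    """Enforce the check server-side on every read; a UI filter alone is not a control."""
    if not is_authorized(employee, account, book):
        raise PermissionError(f"{employee} has no business need for {account}")
    return store[account]


def parse_log(text: str) -> List[AccessEvent]:
    """Parse the constructed four-field log format, skipping blank or malformed lines."""
    events: List[AccessEvent] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        events.append(AccessEvent(*parts))
    return events


def find_out_of_book_access(events: Iterable[AccessEvent],
                            book: Dict[str, Set[str]] = BOOK_OF_BUSINESS) -> List[AccessEvent]:
    """Detection 1: any access to an account outside the employee's book."""
    return [e for e in events if not is_authorized(e.employee, e.account, book)]


def find_bulk_readers(events: Iterable[AccessEvent], threshold: int) -> Dict[str, int]:
    """Detection 2: employees touching more distinct accounts than `threshold`."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        seen[e.employee].add(e.account)
    return {emp: len(accts) for emp, accts in seen.items() if len(accts) > threshold}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in find_out_of_book_access(evts):
        print(f"OUT-OF-BOOK {e.ts} {e.employee} {e.action} {e.account}")
    for emp, n in find_bulk_readers(evts, threshold=3).items():
        print(f"BULK-ACCESS {emp} touched {n} distinct accounts")
```

The authorization check is the preventive control the order says was missing; the two log scans are the detective layer that would have surfaced an advisor reading other advisors' accounts even where the preventive control failed. In practice the book-of-business mapping comes from the CRM or HR system of record, and the bulk threshold is tuned per role against a baseline of normal activity rather than hard-coded.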