SEC Steps Up Cybersecurity Enforcement with $1 Million Fine Against Morgan Stanley
The Security and Exchange Commission’s (“SEC”) recent $1 million settlement with Morgan Stanley Smith Barney LLC (“MSSB”) marked a turning point in the agency’s focus on cybersecurity issues, an area that the agency has proclaimed a top enforcement priority in recent years. The MSSB settlement addressed various cybersecurity deficiencies that led to the misappropriation of sensitive data for approximately 730,000 customer accounts.
Without admitting or denying the findings, MSSB agreed to settle the SEC’s charges that the firm violated Rule 30(a) of Regulation S-P, also known as the “Safeguards Rule.” The Rule, adopted in June 2000, requires registered broker-dealers, investment companies, and investment advisers to adopt written policies and procedures that address administrative, technical, and physical safeguards reasonably designed to: (1) insure the security and confidentiality of customer records and information; (2) protect against anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
The SEC found that MSSB violated Regulation S-P due to its failure to implement sufficient safeguards to protect customer information. According to the SEC, MSSB lacked reasonably designed and operating authorization modules restricting employee access to only customer data for which the employee had a legitimate business need, failed sufficiently to audit and/or test module effectiveness, and did not adequately monitor and analyze employee access to, and use of, information portals. Because of safeguard deficiencies in two of MSSB’s information portals, Galen Marsh, a financial advisor with the firm, was able to access sensitive personally identifiable information (“PII”) relating to the customers of other financial advisors, including full names, phone numbers, street addresses, account numbers, account balances, and securities holdings. After Marsh accessed this information, he was then able to avoid MSSB controls restricting the copying of data onto removable storage devices by accessing his personal website, “galenmarsh.com,” which had a feature that enabled Marsh to transfer the PII from his MSSB computer to his personal server. This information was subsequently offered for sale on at least three sites in exchange for payment in “speedcoins,” a digital currency. Investigators believe that a third party hacked Marsh’s personal server and copied the confidential customer data he had stored there, leading to the illicit postings.
As part of the settlement, MSSB was ordered to cease and desist from committing further violations of Regulation S-P, censured, and ordered to pay a civil money penalty of $1 million. In a related criminal action, Marsh pled guilty to one count of exceeding his authorized access to a computer to obtain a financial record of a financial institution, in violation of 18 U.S.C. § 1030(a)(2)(A). Marsh was sentenced to 36 months’ probation and ordered to repay $600,000 in restitution.
This settlement is the first significant enforcement action undertaken by the SEC since it began prodding financial firms to shore up their cybersecurity defenses five years ago. In October 2011, the SEC required public companies to disclose material information regarding cybersecurity risks and cyber incidents. In May 2013, the SEC implemented Regulation S-ID, which required broker-dealers, investment companies, and investment advisers to implement reasonable policies and procedures to identify, monitor, and respond to identify theft issues. In March 2014, the SEC held a Cybersecurity Roundtable, during which Chair Mary Jo White described cyber threats as “first on the Division of Intelligence’s list of global threats, even surpassing terrorism.” In April 2014, the SEC announced its first round of cybersecurity examinations of registered broker-dealers and investment advisers focused on cybersecurity governance, risk identifications and assessments, protection, and issue detection. In November 2014, the SEC adopted Regulation SCI, which required certain entities, including exchanges, self-regulatory organizations, and certain other industry actors to take preventative and corrective action with regard to system capacity, integrity, resiliency, availability, and security, including continuity and disaster recovery plans. In February 2015, the SEC published the findings of its initial cybersecurity examinations, and followed up with a second round of examinations in September 2015 focusing on: (1) governance & risk assessment; (2) access rights & controls; (3) data loss prevention; (4) vendor management; (5) training; and (6) incident response. On January 11, 2016 the SEC reaffirmed its focus on cybersecurity when it announced the issue as an examination priority for 2016.
On the tail of a $81 million cyber heist from the Bangladeshi central bank’s account at the Federal Reserve Bank of New York, White doubled down on her March 2014 statement. At the Reuters Financial Regulation Summit on May 17, 2016, White called cybersecurity the biggest risk facing the financial system and added that “we can’t do enough in this sector.”
MSSB’s $1 million fine for access rights and controls and other deficiencies, which the SEC deemed a willful violation of Rule 30(a) of Regulation S-P, demonstrates the SEC’s readiness to back its words with action with respect to cybersecurity. Regulated entities and individuals would therefore be wise to ensure that they have effective and compliant cybersecurity policies, procedures, and controls, monitoring and auditing systems, and crisis management programs.