How does the Safeguards Rule pertain to SEC cybersecurity regulations?

The SEC claimed Morgan Stanley violated the Safeguards Rule, but what does that mean? Expert Mike Chapple discusses the federal regulation and what happened with Morgan Stanley.

Financial services firm Morgan Stanley recently paid a $1 million fine for noncompliance with SEC cybersecurity regulations. Specifically, the SEC claimed Morgan Stanley violated the federal Safeguards Rule and failed to protect customer data. What is the Safeguards Rule, and how does it pertain to SEC cybersecurity regulations? How did Morgan Stanley violate it?

In the federal regulations applying to financial institutions, the Safeguards Rule is the provision that protects customer data. Specifically, CFR 238.40 on "Procedures to safeguard customer records and information; disposal of consumer report information" states that every broker, dealer, investment company and investment adviser registered with the Securities and Exchange Commission (SEC) must adopt written policies and procedures "reasonably designed" to:

"Insure the security and confidentiality of customer records and information;

Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and

Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer."

The SEC has been actively investigating broker-dealers and investment advisers to evaluate the measures they have taken to protect customer data. In particular, it pursued charges against Morgan Stanley in connection with the illegal downloading of customer data by a former Morgan Stanley financial adviser, Galen Marsh. Marsh had stored confidential information on approximately 730,000 Morgan Stanley clients on his personal PC, which was subsequently hacked. Confidential information on at least 900 clients was then found to be offered for sale online.

While Marsh received a sentence of 36 months of probation and a $600,000 fine from a federal court, Morgan Stanley was also deemed by the SEC to have violated the Safeguards Rule. The SEC found that the company had two internal web portals with insufficient authorization controls to restrict employee access to customer data. Morgan Stanley subsequently paid $1 million as a settlement to the SEC, without admitting fault.

In the broader context of its investigations, the SEC noted that while many broker-dealers and investment advisers apply cybersecurity policies and procedures, they often do not tailor their cybersecurity appropriately to their specific risks.


This was last published in November 2016
