Financial services firm Morgan Stanley recently paid a $1 million fine for noncompliance with SEC cybersecurity regulations. Specifically, the SEC claimed Morgan Stanley violated the federal Safeguards Rule and failed to protect customer data. What is the Safeguards Rule, and how does it pertain to SEC cybersecurity regulations? How did Morgan Stanley violate it?
In the federal regulations applying to financial institutions, the Safeguards Rule is the provision intended to protect customer data. Specifically, CFR 238.40, "Procedures to safeguard customer records and information; disposal of consumer report information," states that every broker, dealer, investment company and investment adviser registered with the Securities and Exchange Commission (SEC) must adopt written policies and procedures "reasonably designed" to:
"Insure the security and confidentiality of customer records and information;
Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer."
The SEC has been actively investigating broker-dealers and investment advisers to evaluate the measures taken. In particular, it pursued charges against Morgan Stanley in connection with the illegal downloading of customer data by a former Morgan Stanley financial adviser, Galen Marsh. Marsh had stored confidential information of approximately 730,000 Morgan Stanley clients on his personal PC, which was subsequently hacked. Confidential information on at least 900 clients was then found to be offered for sale online.
While Marsh received a sentence of 36 months of probation and a $600,000 fine from a federal court, Morgan Stanley was also deemed by the SEC to have violated the Safeguards Rule. The SEC found that the company had two internal web portals with insufficient authorization controls to restrict employee access to customer data. Morgan Stanley subsequently paid $1 million as a settlement to the SEC, without admitting fault.
In the broader context of its investigations, the SEC noted that while many broker-dealers and investment advisers apply cybersecurity policies and procedures, they often do not tailor their cybersecurity appropriately to their specific risks.