
How does the Safeguards Rule pertain to SEC cybersecurity regulations?

The SEC claimed Morgan Stanley violated the Safeguards Rule, but what does that mean? Expert Mike Chapple discusses the federal regulation and what happened with Morgan Stanley.

Financial services firm Morgan Stanley recently paid a $1 million fine for noncompliance with SEC cybersecurity regulations. Specifically, the SEC claimed Morgan Stanley violated the federal Safeguards Rule and failed to protect customer data. What is the Safeguards Rule, and how does it pertain to SEC cybersecurity regulations? How did Morgan Stanley violate it?

The Safeguards Rule is part of Regulation S-P, the SEC's privacy regulation for financial institutions, and it exists to protect customer data. Specifically, 17 CFR 248.30, "Procedures to safeguard customer records and information; disposal of consumer report information," states that every broker, dealer and investment company, and every investment adviser registered with the Securities and Exchange Commission (SEC), must adopt written policies and procedures "reasonably designed" to:

"Insure the security and confidentiality of customer records and information;

Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and

Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer."

The SEC has been actively examining broker-dealers and investment advisers to evaluate the safeguards they have actually put in place. In particular, it pursued charges against Morgan Stanley in connection with the unauthorized downloading of customer data by a former Morgan Stanley financial adviser, Galen Marsh. Marsh had transferred confidential information on approximately 730,000 Morgan Stanley customer accounts to his personal server, which was subsequently hacked. Confidential information on at least 900 clients was then found to be offered for sale online.

While Marsh received a sentence of 36 months of probation and a $600,000 fine from a federal court, the SEC also deemed Morgan Stanley itself to have violated the Safeguards Rule. The SEC found that two internal web portals that gave employees access to customer account data had authorization modules that did not effectively restrict each employee to the accounts he or she was assigned, and that Morgan Stanley neither audited nor tested those authorization controls, nor monitored or analyzed employee access to the portals. In other words, the violation was not the breach of Marsh's personal server but the failure of least-privilege access control and access monitoring inside the firm, which is what let a single adviser accumulate data on hundreds of thousands of accounts in the first place. Morgan Stanley subsequently paid $1 million as a settlement to the SEC, without admitting or denying the findings.

In the broader context of its examinations, the SEC noted that while many broker-dealers and investment advisers do have written cybersecurity policies and procedures, they often do not tailor those policies to the specific risks of their own business, which is exactly the "reasonably designed" standard the Safeguards Rule requires. Generic policies that are never tested against how customer data is actually accessed are unlikely to satisfy the rule.


This was last published in November 2016
