The Securities and Exchange Commission (SEC) told financial firms they must take data security more seriously in the wake of a settlement with Morgan Stanley over the theft of customer data by a former employee. In 2015, the employee transferred information from approximately 730,000 client accounts to his personal server. He copied names, addresses, account numbers, investment information and other data to his home computer so he could work on it. He did this without permission and was interviewing at the time with two Morgan Stanley competitors. Some of the data was posted online and for sale to hackers, who eventually compromised the company and its clients.
Morgan Stanley did not implement sufficient policies or controls to restrict internal access and protect customer data as required under the SEC’s Safeguards Rule. The SEC also sighted flaws in its monitoring of employee access and use of portals to allow access to client data. This is unfortunately a common occurrence in the financial services and other industries. Morgan Stanley was more focused on hackers breaking into the company than on controlling access for authorized employees.
“Given the dangers and impact of cyber breaches, data security is a critically important aspect of investor protection,” Andrew Ceresney, director of the SEC’s enforcement division, said. “We expect SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information.”
Morgan Stanley reached a settlement with the SEC over charges that it breached US law without admitting or denying the findings. As part of the settlement Morgan Stanley agreed to pay the regulator a $1 million penalty. I find this no more than a slap on the wrist. Morgan Stanley probably makes more than this in a day, so the affect to its bottom line is negligible. Unfortunately this may not make the company improve its data security practices, since the risk to its business may be minimal.
The only effective way to restrict access of sensitive data to authorized users is to encrypt it and apply security policies that govern its access. This protects the information regardless of location or file format. The company could have prevented the employee from accessing the information on his home computer by setting appropriate policies. If hackers stole that data, it would be useless to them, since it was encrypted and the hackers had no authorization to access it. Once the employee left the company, his access could be immediately revoked for anything he legitimately had. If Morgan Stanley suspected any behavior out of the norm, a full audit trail of activity could have alerted them to suspicious activities.
These measures can help the financial services industry meet financial regulations and safeguard customer data by ensuring the company is always in control of its digital assets.
Photo credit Chris Potter
