Tag: Morgan Stanley

SEC Stresses Data Security After Settlement with Morgan Stanley

The Securities and Exchange Commission (SEC) told financial firms they must take data security more seriously in the wake of a settlement with Morgan Stanley over the theft of customer data by a former employee. In 2015, the employee transferred information from approximately 730,000 client accounts to his personal server. He copied names, addresses, account numbers, investment information and other data to his home computer so he could work on it. He did this without permission and was interviewing at the time with two Morgan Stanley competitors. Some of the data was posted online and for sale to hackers, who eventually compromised the company and its clients.

Morgan Stanley did not implement sufficient policies or controls to restrict internal access and protect customer data as required under the SEC’s Safeguards Rule. The SEC also cited flaws in its monitoring of employee access and use of portals to allow access to client data. This is unfortunately a common occurrence in the financial services and other industries. Morgan Stanley was more focused on hackers breaking into the company than on controlling access for authorized employees.

“Given the dangers and impact of cyber breaches, data security is a critically important aspect of investor protection,” Andrew Ceresney, director of the SEC’s enforcement division, said. “We expect SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information.”

Morgan Stanley reached a settlement with the SEC over charges that it breached US law without admitting or denying the findings. As part of the settlement Morgan Stanley agreed to pay the regulator a $1 million penalty. I find this no more than a slap on the wrist. Morgan Stanley probably makes more than this in a day, so the effect to its bottom line is negligible. Unfortunately, this may not make the company improve its data security practices, since the risk to its business may be minimal.

The only effective way to restrict access of sensitive data to authorized users is to encrypt it and apply security policies that govern its access.  This protects the information regardless of location or file format.  The company could have prevented the employee from accessing the information on his home computer by setting appropriate policies.  If hackers stole that data, it would be useless to them, since it was encrypted and the hackers had no authorization to access it.  Once the employee left the company, his access could be immediately revoked for anything he legitimately had.  If Morgan Stanley suspected any behavior out of the norm, a full audit trail of activity could have alerted them to suspicious activities.

These measures can help the financial services industry meet financial regulations and safeguard customer data by ensuring the company is always in control of its digital assets.

 

Photo credit Chris Potter

Stop Data Breaches by Authorized Users

With news of data breaches every other day, many companies are now turning their attention to where sensitive files reside, who has access to the sensitive information, how this information is being used and securing it.

The cyber criminals’ techniques for breaking through perimeter defenses are always getting more sophisticated. Everyone realizes that network security alone is no longer a sufficient solution as the perimeter that once held sensitive information safe has been eroded.  Now everyone must adapt to a perimeter-less world.

Today a large number of internal and external users enter company systems and access data daily – vendors, suppliers, partners, customers and employees. The volume of users, applications and levels of data access makes securing sensitive files an extremely complicated task. Across the whole implemented technology stack, it is daunting – if not nearly impossible – to secure every point of exposure. It only takes one compromised weak point to cause significant damage.

Whether intentional or in error, authorized users cause a large portion of data breaches and the criminals and hackers are onto this. More and more breaches are due to authorized users doing something they weren’t supposed to do.

This week there was news on Mount Olympus Mortgage Company – $25 million awarded in a lawsuit around corporate espionage. Authorized users of the mortgage company had stolen loan files, borrower information and other confidential information diverting it all to their current employer.

Last January, former GlaxoSmithKline scientists were indicted for stealing trade secrets to seed a startup company where they worked with external parties to profit from the breached information.

In September 2015, a former Morgan Stanley financial adviser pleaded guilty to taking hundreds of thousands of confidential records. The adviser was in discussions with competitors of Morgan Stanley about a job as the breaches took place.

Last month, news broke about a data breach within Pulaski County Special School District. An employee was responsible for compromising the personal information of thousands of current and former employees. This individual was emailing health insurance and benefits reports to her supervisor and blind-copying the information to her personal email address, including social security numbers, names, health insurance costs and individuals that did not have insurance.

Companies need to adapt and secure their sensitive data. Perimeter-based security is no longer sufficient. The good news is that a data-centric security approach for persistent protection is available and easy to deploy.


Former Morgan Stanley Financial Adviser Guilty In Connection with Data Breach

Stop Unauthorized Use of Confidential Data

A former employee of Morgan Stanley pleaded guilty to stealing confidential data from about 730,000 customer accounts. He copied names, addresses, account numbers, investment information and other data to his home computer so he could work on it.

While improperly accessing the information, he was interviewing for a new job with two Morgan Stanley competitors.


Challenge

Your employees access sensitive and confidential customer information so they can do their jobs. Once the data leaves the protected confines of an information repository, file share or cloud-based service, your authorized users can share it with anyone, do anything with it and compromise your customers’ confidential information. You may be subject to fines, not to mention losing customers because they can’t trust you to maintain their confidentiality.

You need to persistently protect confidential data so that customer information is protected regardless of where it goes and who has it.


Fasoo Solution

Fasoo Enterprise DRM protects customer information by encrypting the files and applying persistent security policies to protect them regardless of where they are or their format. Once the data is protected, you can safely share sensitive files through email, USB drive, external portal or any file sharing site. File access is tracked in real time for precise auditing and you can revoke access instantly.

Fasoo Enterprise DRM not only ensures that you meet financial regulations and safeguards customer confidentiality, but truly protects and controls sensitive information while at rest, in motion and in use.

Advantages

  • Encrypt customer information to meet consumer and data protection legislation
  • Securely share files internally or externally
  • Control who can View, Edit, Print and take a Screen Capture
  • Limit access time and number of devices
  • Revoke access to shared files immediately regardless of location
  • Trace and control user and file activities in real-time