Morgan Stanley’s $1M Settlement with SEC Highlights Importance of Regular Testing of Policies and Procedures to Safeguard Customer Information

June 30, 2016

By Sandra Smalley-Fleming & David D. Coyle

The SEC recently issued a press release announcing “that Morgan Stanley Smith Barney LLC has agreed to pay a $1 million penalty to settle charges related to its failures to protect customer information, some of which was hacked and offered for sale online.”

An order issued by the SEC noted in its findings that the proceedings arose out of Morgan Stanley’s “failure to adopt written policies and procedures reasonably designed to protect customer records and information, in violation of Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)) (the Safeguards Rule).”

The SEC found that from 2001 through December of 2014, Morgan Stanley had been storing “sensitive personally identifiable information” of customers “on two of the firm’s applications: the Business Information System (BIS) Portal and the Fixed Income Division Select (FID Select) Portal.” The SEC also found that between 2011 and 2014, a then-employee of Morgan Stanley “misappropriated data regarding approximately 730,000 customer accounts … by accessing the Portals.” Further, the SEC found that “a third party likely hacked into the then-employee’s personal server and copied the confidential customer data that [the then-employee] had downloaded from the Portals.” According to the SEC’s order, portions of this data were later “posted to at least three internet sites along with an offer to sell a larger quantity of stolen data in exchange for payments in … a digital currency.”

The SEC found that Morgan Stanley violated this Rule “because its policies and procedures were not reasonably designed to meet the objectives [of Rule 30(a)] by failing to include, for example: reasonably designed and operating authorization modules for the Portals that restricted employee access to only the confidential customer data as to which such employees had a legitimate business need; auditing and/or testing of the effectiveness of such authorization modules; and monitoring and analysis of employee access to and use of the Portals.” The SEC made this finding despite the fact that Morgan Stanley “had adopted written policies and procedures relating to the protection of customer” personally identifiable information, as “those policies and procedures were not reasonably designed to safeguard its customers’ [personally identifiable information] as required by the Safeguards Rule.”

It is not enough to have written policies and procedures for safeguarding customer records and information; organizations also have to audit and test those procedures regularly so that issues arising over time are identified and addressed promptly.