By Ciarra Chavarria
On June 8, 2016, the Securities and Exchange Commission announced that Morgan Stanley Smith Barney LLC (“Morgan Stanley”) had agreed to pay $1 million as a penalty for charges relating to its “failures to protect customer information.”
Morgan Stanley’s settlement with the SEC came several months after a federal court found one of Morgan Stanley’s former financial advisers, Galen Marsh, guilty of illegally uploading confidential information from approximately 730,000 of Morgan Stanley’s clients to his personal computer. Marsh’s server was later hacked by third parties and confidential information of at least 900 clients appeared online for sale. Marsh was sentenced to thirty-six months of probation and a $600,000 fine.
The SEC pursued charges against Morgan Stanley for Mr. Marsh’s conduct based on its determination that the firm had violated the federal “Safeguard Rule,” which requires that broker-dealers and investment advisers adopt written policies and procedures “reasonably designed” to safeguard customer data and protect against threats or unauthorized access to such data. The SEC found that Morgan Stanley’s policies and procedures were not “reasonable” because Morgan Stanley had two internal web portals whose authorization modules did not restrict employee access to customer data based on legitimate business need and because Morgan Stanley did not audit or test the authorization modules or monitor or analyze employee access to the portals. Morgan Stanley settled with the SEC without affirming or denying any charges.
Implications of the Settlement
The settlement follows months of statements from SEC staff members indicating that the SEC is looking to bring cybersecurity-related cases in appropriate circumstances. For example, SEC Chair Mary Jo White gave an interview last month at the Reuters Financial Regulation Summit in which she indicated that SEC examiners were actively conducting sweeps of broker-dealers and investment advisers to assess their cyberattack defenses and security measures. She noted that while many financial entities are aware of the risks they face, “what we found, as a general matter so far, is a lot of preparedness, a lot of awareness but also [that] their policies and procedures are not tailored to their particular risks.” Chair White called cybersecurity the biggest threat facing the domestic and global financial systems.
Because this settlement was predicated on the Safeguard Rule, it has few direct implications for public companies that are not also financial advisers, investment companies or broker-dealers. Nevertheless, this case reinforces an important point that we have discussed with many clients: the SEC is actively looking for circumstances in which cybersecurity incidents may involve violations of federal securities law. In light of this activity, all companies should evaluate their cybersecurity-related policies and procedures, and their disclosures regarding cybersecurity incidents, for compliance with federal securities law.