The SEC brought its latest cybersecurity case under Regulation S-P today, announcing a settled administrative proceeding against Morgan Stanley Smith Barney LLC. Morgan Stanley agreed to pay a $1 million penalty to settle the agency’s charges that it failed to protect customer data, some of which was hacked and offered for sale online.
Rule 30(a) of Regulation S-P under the Securities Act of 1933 (also known as the “Safeguards Rule”) lays out procedures regulated entities must follow to safeguard customer records and information. According to the SEC’s Order,
