The SEC brought its latest cybersecurity case under Regulation S-P today, announcing a settled administrative proceeding against Morgan Stanley Smith Barney LLC. Morgan Stanley agreed to pay a $1 million penalty to settle the agency's charges that it failed to protect customer data, some of which was hacked and offered for sale online.
Rule 30(a) of Regulation S-P under the Securities Act of 1933 (also known as the “Safeguards Rule”) lays out procedures regulated entities must follow to safeguard customer records and information. According to the SEC's Order,
Morgan Stanley failed to adopt written policies and procedures reasonably designed to protect customer data. As a result of these failures, from 2011 to 2014, a then-employee impermissibly accessed and transferred the data regarding approximately 730,000 accounts to his personal server, which was ultimately hacked by third parties.
Specifically, the SEC alleged, Morgan Stanley's policies and procedures were not reasonable with respect to two internal web "portals" that allowed Morgan Stanley employees to access customers' confidential account information. Morgan Stanley allegedly failed for more than 10 years to restrict employees' access to customer data based on each employee's legitimate business need, and also did not monitor or analyze employees' access to and use of the portals. The SEC says that a former employee downloaded and transferred confidential data to his personal server at home between 2011 and 2014, and that a "likely third-party hack" of the employee's personal server resulted in portions of the confidential data being posted on the Internet with offers to sell larger quantities.
The SEC's Order states that on September 21, 2015, the former Morgan Stanley employee, Galen J. Marsh, pled guilty in a separate criminal case that charged him with one count of "exceeding his authorized access to a computer and thereby obtaining information contained in a financial record of a financial institution." In December 2015, the court sentenced Marsh to 36 months of probation and $600,000 in restitution. In the SEC's case announced today, Marsh also agreed to an industry and penny stock bar with the right to apply for reentry after five years.
The SEC brought Regulation S-P cases against R.T. Jones Capital Equities Management in September 2015 and against Craig Scott Capital, LLC in early April 2016. Later in April 2016, Andrew Ceresney, Director of the SEC's Enforcement Division, warned in a webcast that the Enforcement Division was focused on cybersecurity issues and that more cases alleging violations of Regulation S-P were "coming down the pike." In a statement today, Ceresney reiterated that point, stating that "[g]iven the dangers and impact of cyber breaches, data security is a critically important aspect of investor protection. We expect SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information."