SEC Sanctions BD for Compliance Issues Tied to Data Security
Data security has long been a critical issue. Protecting confidential customer information is a core obligation for broker-dealers, investment advisers and other Wall Street participants. Cyber security is a related issue of at least equal importance. The Commission’s latest action involving Morgan Stanley combines elements of both. In the Matter of Morgan Stanley Smith Barney LLC, Adm. Proc. File No. 3-17280 (June 8, 2016).
Respondent Morgan Stanley Smith Barney is a registered broker-dealer and investment adviser. The firm is a wholly owned indirect subsidiary of Morgan Stanley. The action centers on the Safeguards Rule, adopted in 2000 and amended five years later. That Rule requires every broker-dealer and investment adviser registered with the SEC to adopt written policies and procedures reasonably designed to ensure the security and confidentiality of customer information and records, protect against anticipated threats or hazards to those records, and protect against unauthorized access to or use of them. Here the Order alleges that Morgan Stanley Smith Barney failed to comply with the Rule.
Morgan Stanley Smith Barney maintains hundreds of computer applications containing customer information protected by the Rule in connection with its wealth management business. Two portals available through those applications are at issue here. One portal, available on the firm’s intranet, was used by financial advisors, who were typically the primary customer contact. Through this portal, reports on the fixed income holdings in customer accounts could be obtained. A second portal could furnish a report containing essential personal data regarding the customer along with account balances.
Firm policies and procedures restricted access to both portals. The Code of Conduct prohibited employees from accessing confidential information beyond their specific authorization and what was required to perform their duties. Other restrictions were designed to limit access so that the reports were only available to those who supported the customer.
Morgan Stanley Smith Barney, however, failed to ensure that those limitations were effective. Specifically, the controls meant to restrict who could pull the reports from the two portals were either ineffective or absent, so the written policy was not backed by working technical enforcement. The firm also failed to conduct any auditing or testing of those controls over the preceding ten years. As a result employee Galen Marsh was able to access the portals between 2011 and 2014 and misappropriate data regarding about 730,000 customer accounts associated with approximately 330,000 different households. He transferred the data to a personal server located at his home.
Between December 15, 2014 and February 3, 2015 portions of the data stored on Mr. Marsh’s personal server were posted to at least three internet sites, purportedly for sale to a third party. Morgan Stanley Smith Barney discovered the data in one of its routine internet sweeps.
Mr. Marsh denied posting the data, although he acknowledged accessing the firm’s systems and taking it. A forensic analysis of Mr. Marsh’s personal server indicated that a third party likely hacked into it and copied the customer data. Morgan Stanley Smith Barney began notifying customers of the breach in January 2015. The Order alleges violations of Rule 30(a) of Regulation S-P.
To resolve the proceeding the firm consented to the entry of a cease-and-desist order based on the Rule cited in the Order and to a censure. Morgan Stanley Smith Barney will also pay a penalty of $1 million.