Morgan Stanley's SEC Penalty Called Inadequate
Security Experts Criticize $1 Million Fine After Insider Breach
The $1 million penalty that the Securities and Exchange Commission imposed on Morgan Stanley for its failure to prevent a now former employee from compromising some 730,000 client accounts is too low to send a strong message to financial services firms about the need for stronger cybersecurity and internal fraud controls, security experts say.
Todd Feinman, a former ethical hacker at PricewaterhouseCoopers who now serves as the president of data management firm Identity Finder, says the penalty is nothing more than a slap on the wrist. "For financial institutions and organizations of all creeds to take protecting customer data seriously, the consequences need to resemble the actions," he says.
"On the one hand, it's positive to see the SEC begin to sink their teeth into organizations lacking the tools and policies to protect customer data," he says. "On the other, the nominal [penalty] ... is something many investment firms and FIs [financial institutions] would be willing to pay to avoid the resources necessary to adequately protect their sensitive data."
Regulator Priorities Questioned
The SEC settlement amount for such an egregious breach illustrates that data security still doesn't seem to be a priority for financial services regulators, contends Al Pascual, head of fraud and security at Javelin Strategy & Research. "The SEC has been pretty busy with insider trading and rogue trader cases, so I don't suspect this will change any time soon," he says.
But Mary Ann Miller, senior director and executive fraud adviser at security firm NICE Actimize, says all regulators are generally expecting financial institutions to implement better controls to protect customer data and money.
"If a large or even catastrophic loss is directly related to an internal threat that was not detected in any external or internal monitoring processes, then I expect stiffer attention to penalties," she says. "As we have seen consolidation of financial institutions globally, the number of employees who have access to customer data or accounts can represent a small city. Regulators are expecting financial institutions to have the same kind of policy, procedures and technology in place to monitor employees internally as they have to monitor external fraud. This includes profiling behavior, looking for levels of system access permission, and real-time alerts."
Inside Job Went Undetected for Years
In January 2015, Morgan Stanley, the sixth-largest financial firm in the U.S., fired one of its wealth management advisers after discovering data about approximately 900 of its clients had been posted online, presumably for resale on the black market (see Morgan Stanley: Insider Stole Data and Fired Morgan Stanley Insider Sentenced to Probation).
Between June 2011 and December 2014, the former employee, Galen Marsh, illegally accessed account-holder data, including investment values and earnings, held in the systems Morgan Stanley used to manage confidential customer information, according to court records. In September 2015, Marsh pleaded guilty to stealing confidential information linked to more than 700,000 client accounts. At his plea hearing, Marsh admitted that he conducted nearly 6,000 unauthorized searches of confidential client information and uploaded data on about 730,000 clients to a server at his home in New Jersey, which was later hacked (see Insider Lessons from Morgan Stanley Breach).
In December 2015, Marsh was sentenced to three years' probation and ordered to pay $600,000 in restitution, according to a statement from the U.S. Attorney's Office for the Southern District of New York.
In its statement about the settlement, the SEC notes that Morgan Stanley "failed to adopt written policies and procedures reasonably designed to protect customer data." As a result of those internal failures, sensitive customer data was stolen and later exposed online, the SEC says.
"Given the dangers and impact of cyber breaches, data security is a critically important aspect of investor protection," Andrew Ceresney, director of the SEC's enforcement division, says in the statement. "We expect SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information."
The SEC points out that Morgan Stanley's policies and procedures "were not reasonable" because two internal web applications, or portals, let employees view customers' confidential account information without the access restrictions those portals should have enforced.
"For these portals, Morgan Stanley did not have effective authorization modules for more than 10 years to restrict employees' access to customer data based on each employee's legitimate business need," the SEC notes. "Morgan Stanley also did not audit or test the relevant authorization modules, nor did it monitor or analyze employees' access to and use of the portals."
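The two gaps the SEC describes, an authorization module that limits each employee to the clients they actually service, and monitoring of how employees use the portal (the kind of behavioral profiling and access-level review Miller calls for above), map to a small amount of code. The following is an added illustration, not Morgan Stanley's or the SEC's code: a toy client portal that can run with or without need-to-know enforcement, an audit trail that records every lookup whether or not it was allowed, and a monitor that flags lookups outside an employee's book of business and days on which an employee touched an unusual number of distinct accounts. The employee names, account numbers, dates, the 25-accounts-per-day baseline and the traffic pattern are all constructed for the example.

```python
"""Need-to-know authorization plus access monitoring for an internal client-data portal.

Added example, not Morgan Stanley's or the SEC's code. It models the two controls
the SEC found missing: an authorization module that limits each employee to the
clients they service, and monitoring of how employees use the portal. Every name,
account number, threshold and access record below is constructed for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class ClientPortal:
    """books maps employee -> accounts that employee has a business reason to see."""
    books: dict
    enforce_need_to_know: bool = True   # False models a portal with no effective authorization module
    audit_log: list = field(default_factory=list)

    def lookup(self, employee: str, account: str, when: date):
        """Serve a client record. Every attempt is logged, including denied ones."""
        in_book = account in self.books.get(employee, set())
        allowed = in_book or not self.enforce_need_to_know
        self.audit_log.append({"employee": employee, "account": account,
                               "date": when, "in_book": in_book, "allowed": allowed})
        if not allowed:
            return None
        return {"account": account, "record": f"<confidential data for {account}>"}


def monitor(audit_log, max_distinct_per_day=25):
    """Turn the audit trail into alerts for a fraud/security team.

    out_of_book: an employee looked up (or tried to look up) accounts outside their book
    volume:      an employee touched more distinct accounts in one day than the baseline
    Both fire whether or not the lookup was allowed, so the rules still work on a
    portal that lacks authorization, as long as access is logged.
    """
    out_of_book = defaultdict(int)
    distinct = defaultdict(set)
    for e in audit_log:
        key = (e["employee"], e["date"])
        distinct[key].add(e["account"])
        if not e["in_book"]:
            out_of_book[key] += 1
    alerts = []
    for key in sorted(distinct):
        emp, day = key
        if out_of_book[key]:
            alerts.append({"rule": "out_of_book", "employee": emp, "date": day,
                           "count": out_of_book[key]})
        if len(distinct[key]) > max_distinct_per_day:
            alerts.append({"rule": "volume", "employee": emp, "date": day,
                           "count": len(distinct[key])})
    return alerts


def run_demo(enforce: bool):
    """Constructed traffic: one adviser working normally, one sweeping other advisers' clients."""
    accounts = [f"ACCT-{n:05d}" for n in range(1, 401)]          # 400 constructed accounts
    books = {"adviser_a": set(accounts[:40]), "adviser_b": set(accounts[40:80])}
    portal = ClientPortal(books=books, enforce_need_to_know=enforce)
    day0 = date(2014, 6, 2)                                         # arbitrary constructed date
    served = defaultdict(int)
    # adviser_a: four of their own clients per day for ten days (all within their book)
    for d in range(10):
        for acct in accounts[d * 4: d * 4 + 4]:
            if portal.lookup("adviser_a", acct, day0 + timedelta(days=d)):
                served["adviser_a"] += 1
    # adviser_b: 100 sequential account numbers per day for three days, mostly not theirs
    for d in range(3):
        for acct in accounts[d * 100: d * 100 + 100]:
            if portal.lookup("adviser_b", acct, day0 + timedelta(days=d)):
                served["adviser_b"] += 1
    return dict(served), monitor(portal.audit_log)


if __name__ == "__main__":
    for enforce in (False, True):
        served, alerts = run_demo(enforce)
        print(f"enforce_need_to_know={enforce}: records served {served}")
        for a in alerts:
            print("  ALERT", a)
```

Running the demo with enforcement off, the sweeping employee is served 300 records; with enforcement on, only the 40 in their own book. The monitor raises the same six alerts in both configurations (an out-of-book alert and a volume alert for each of the three sweep days), because it keys on the logged attempts rather than on whether they succeeded. That is the practical point behind the SEC's second finding: even where authorization is weak, logging and analyzing portal use would surface a pattern of thousands of lookups across accounts an employee does not service long before a multi-year sweep completes.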
The settlement comes just weeks after Mary Jo White, chairwoman of the SEC, noted that cybersecurity is the biggest risk facing the financial system (see SEC Chair: Cybersecurity Is No. 1 Risk).
Morgan Stanley's Reaction
Morgan Stanley, in a June 13 statement to Information Security Media Group, says it's pleased with the SEC settlement.
"Following the discovery of the incident, Morgan Stanley promptly alerted law enforcement and regulators, and notified affected clients," spokeswoman Christine Jockle says. "Morgan Stanley worked quickly to protect affected clients by changing account numbers and offering credit monitoring and identity theft protection services, and has strengthened its mechanisms for safeguarding client data. No fraud against any client account was reported as a result of this incident."