In October 2008, Morgan Stanley received a $10 billion bailout from the U.S. Government. Morgan Stanley, amongst other financial institutions, was simply “too big to fail.” In 2016, however, the Securities and Exchange Commission (“SEC”) determined that one of Morgan Stanley’s subsidiaries, Morgan Stanley Smith Barney (“MSSB”), was not “too big to fail” an SEC administrative proceeding. On June 8, 2016, the SEC issued an order against MSSB for its violation of the Safeguards Rule (Rule 30(a) of Regulation S-P). The Order instituted an administrative cease and desist for violations of the Safeguards Rule and levied a $1 million civil penalty.[i]
The gist of the underlying facts is as follows. MSSB maintained substantial personally identifiable information (“PII”) in two specific Web applications accessible through MSSB’s intranet. MSSB had adopted written policies and procedures intended to restrict employees’ access to, and handling of, customer PII. Under these policies, MSSB employees were prohibited from accessing PII other than what was necessary to perform specific responsibilities. MSSB also installed technology controls, including: (1) authorization protocols designed to allow employees access to only the PII belonging to that employee’s customers; (2) controls restricting employees from copying data onto removable storage devices; and (3) controls restricting employee access to certain categories of websites via MSSB computers.[ii]
In or about 2011, an MSSB employee (“Marsh”) discovered multiple flaws in the security of MSSB’s technology controls which ultimately allowed him to circumvent all restrictions and obtain unauthorized access to customer PII. Marsh was able to download and transfer the PII by accessing his personal website from his MSSB computer and uploading the PII to his personal server. MSSB’s filtering software did not prevent employees from accessing “uncategorized” websites from MSSB computers. During a routine Internet sweep in December 2014, MSSB identified some of the PII for sale on the Internet. Ultimately, MSSB determined that a third party had hacked Marsh’s personal server and copied the PII.[iii]
The Safeguards Rule requires covered organizations to “adopt written policies and procedures reasonably designed to: (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.”[iv] According to the Order, MSSB violated the Safeguards Rule because: (1) its existing policies and procedures were not reasonably designed to meet the Rule’s objectives; (2) its technology protocols contained design flaws which rendered them effectively useless; (3) it failed to reasonably audit/test the technology protocols in place; and (4) it failed to monitor and analyze employees’ access to the customer PII.[v]
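As an added example (not from the Order or from MSSB’s systems), the following Python sketches the kind of default-deny authorization check the Order describes, together with the two activities the SEC faulted MSSB for omitting: testing that check and reviewing employees’ access to PII. All employee ids, customer accounts and log lines are constructed.

```python
"""Added example (not from the SEC Order or MSSB's systems): a minimal
authorization check of the kind the Order describes (employees may access only
PII belonging to their own customers), plus the two things the SEC faulted
MSSB for not doing: testing the control and monitoring access to PII.
Every name, account id and log line below is constructed."""
from collections import Counter

# Constructed book of business: employee id -> set of assigned customer accounts.
ASSIGNMENTS = {
    "fa_1001": {"C-001", "C-002", "C-003"},
    "fa_1002": {"C-004", "C-005"},
}

def authorized(employee: str, customer: str) -> bool:
    """Default-deny: allow only explicitly assigned customers."""
    return customer in ASSIGNMENTS.get(employee, set())

def test_authorization_control() -> bool:
    """The periodic test the Order says was never run in ten years: exercise the
    control with allowed, denied, unknown-employee and empty-customer cases."""
    cases = [("fa_1001", "C-001", True), ("fa_1001", "C-004", False),
             ("fa_9999", "C-001", False), ("fa_1002", "", False)]
    return all(authorized(e, c) is expected for e, c, expected in cases)

def monitor_access(log_lines, bulk_threshold=3):
    """Review access records after the fact: report lookups of customers outside
    the employee's assignments, and employees whose lookup count exceeds
    bulk_threshold. Constructed log format: '<timestamp> <employee> LOOKUP <customer>'."""
    out_of_scope, volume = [], Counter()
    for line in log_lines:
        ts, employee, action, customer = line.split()
        if action != "LOOKUP":
            continue
        volume[employee] += 1
        if not authorized(employee, customer):
            out_of_scope.append((ts, employee, customer))
    bulk = sorted(e for e, n in volume.items() if n > bulk_threshold)
    return out_of_scope, bulk

# Constructed sample: fa_1002 reads two accounts outside its book and pulls in bulk.
SAMPLE_LOG = [
    "2014-12-01T09:00:01 fa_1001 LOOKUP C-001",
    "2014-12-01T09:00:05 fa_1002 LOOKUP C-004",
    "2014-12-01T09:00:06 fa_1002 LOOKUP C-001",
    "2014-12-01T09:00:07 fa_1002 LOOKUP C-002",
    "2014-12-01T09:00:08 fa_1002 LOOKUP C-005",
]
```

Running `monitor_access(SAMPLE_LOG)` on the constructed log reports the two out-of-scope lookups by fa_1002 and flags that employee for volume; the point is that the control, its test and the review of its logs are three separate obligations.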
There are multiple lessons to be taken from MSSB’s settlement:
Lesson 1: The MSSB settlement provides valuable insight into what is clearly the SEC’s very strict definition of “reasonable” security. By most standards, MSSB actually complied with the Safeguards Rule. MSSB had written policies and procedures and technology controls meant to address the Safeguards Rule. Moreover, unlike many companies out there, MSSB’s discovery of, and incident response to, the data breach was quick and effective:
- MSSB discovered the compromised data within what appears to be a matter of a week or so once it was posted for sale online.
- MSSB discovered the exposed PII during a regular sweep of the Internet which demonstrates they have someone actively monitoring potential risks.
- MSSB swiftly took steps to remove the PII from the Internet and notified proper authorities.
- MSSB immediately started an investigation and within a few days of discovering the breach, procured an admission from Marsh.
- MSSB began notifying affected customers by January 5, 2015, just 9 days after discovering the breach.
MSSB recognized its obligation under the Safeguards Rule, devoted resources to the issue, and took meaningful steps to comply. In fact, the Federal Trade Commission declined to bring charges against MSSB under Section 5 for the exact same incident, citing MSSB’s “comprehensive policies designed to protect against insider theft[.]”[vi] Yet, the SEC found MSSB’s violation “willful” and levied its largest monetary sanction to date. It is clear that what the SEC has lacked in terms of quantity of enforcement actions, it intends to make up for in terms of severity.
The MSSB settlement ultimately presents an unavoidable question for entities under SEC jurisdiction: If MSSB’s robust policies, procedures, and protocols (albeit flawed) are insufficient to avoid SEC sanctions under the Safeguards Rule, is the end result even arguable in a case where the organization adopts minimal policies, procedures and protocols, or fails to adopt any whatsoever?
Lesson 2: Perhaps MSSB’s most crucial mistake was to rest on its laurels. MSSB adopted policies and procedures and employed technological safeguards, but then inexplicably stopped. In fact, according to the SEC, MSSB “failed to conduct any auditing or testing of the authorization [protocols] … at any point since their creation at least 10 years” prior.[vii] That is astounding … and likely a contributing factor to the SEC’s determination that MSSB’s violation was willful.
From flawed controls on the Web applications, to the failure to install authorization protocols on certain applications, to inadequate Internet filters, to a breakdown in written policies and managerial oversight, it is safe to say that MSSB’s information security was a house of cards. Further, the evidence indicates that MSSB did not follow its written policies and procedures and that employee training, accountability and supervision were not organizational priorities. While there is no such thing as perfect security, these failings indicate that MSSB’s underlying procedural and technical flaws were exacerbated by an organizational culture of complacency.
Lesson 3: It is dangerous to hyper-focus on external threats. As pointed out repeatedly in this blog, internal threats and insiders (malign or benign) are an increasingly probable threat vector. MSSB was exploited by a single insider, who was then exploited in turn by a single outsider. MSSB managed to keep the external threat at bay, but handed the keys to the kingdom to an insider who then lost them anyway. Organizations must split their focus and keep their own house in order. Employee training and accountability must be meaningful and sustained. Internal access controls must be in place, operational, and enforceable. Auditing, testing, and recalibrating must be an ongoing process. Supervision and accountability from the executive level must be a priority.
Lesson 4: The SEC is getting serious. According to SEC Chair Mary Jo White, cyber security is the biggest risk facing the financial system.[viii] Regulation S-P has been around since 2000, and the requirement of written policies has been in effect since 2005. However, only recently has the SEC ramped up examinations and enforcement actions related to cybersecurity. Cybersecurity compliance and controls, including governance, access controls, training, and incident response, were the focus of the Office of Compliance Inspections and Examinations 2015 Cybersecurity Examination Initiative.[ix] Perhaps more importantly, as indicated in the MSSB settlement, the SEC is taking a hard line on its expectations of reasonable security and will not accept excuses or half measures.
ICKES \ HOLT is a full-service, team-driven, and client-focused law firm in Northeast Ohio concentrating on information security and governance. Information is the DNA of modern organizations, and ICKES \ HOLT is dedicated to advising clients on how to protect their information. Please contact us to discuss establishing or improving the information governance policies for your organization.
[iv] Id. at ¶3
[vii] https://www.sec.gov/litigation/admin/2016/34-78021.pdf at ¶8