In A First, SEC Fines Morgan Stanley $1 Million For Cybersecurity Lapse

July 11, 2016

The SEC’s interest in customer information security goes back at least as far as the year 2000, with the promulgation of Rule 30(a) of Regulation S-P. Known as the “Safeguards Rule,” it lays out a number of general requirements, one of which is intended to protect against any unauthorized access to customer records, including unauthorized in-house access. According to the SEC, Morgan Stanley violated this rule by failing to prevent an employee from downloading information regarding clients other than his own. Sometime after he did that, a third party apparently hacked his personal server and put that customer information up for sale for “speedcoins,” a form of digital currency. The employee got 36 months’ probation for violation of a federal statute pertaining to unauthorized computer access at a financial institution and was required to pay $600,000 in restitution. Morgan Stanley Smith Barney LLC, in a settlement with the SEC, paid $1 million. “This settlement is the first significant enforcement action undertaken by the SEC since it began prodding financial firms to shore up their cybersecurity defenses five years ago,” says a post from Sheppard Mullin.
