Last year, the SEC fined Morgan Stanley $1 million for failure to protect information in 730,000 client accounts, which were first stolen by an employee and transferred to a personal server and then hacked and offered for sale online. The SEC alleged that the firm violated the “Safeguards Rule” over a four-year span by failing to adopt written policies and procedures to ensure the security of clients’ personally identifiable information.
The case shines light on what the SEC expects from firms when it comes to their internal web applications and portals that give employees access to customers’ confidential account information.
To try to avoid future enforcement actions, broker-dealers and investment advisors should focus on establishing and implementing written, proactive cybersecurity policies that are regularly updated to account for the latest hacker tactics and techniques.
Examiners are also looking at employee training and vendor relationships, Rubin said, adding that firms should have policies that show they’re actively training their employees and registered persons to try to ensure that each person understands her role and responsibility with regard to cybersecurity. Firms are also responsible for knowing what kind of cybersecurity system their vendors have.
State regulators have already found nearly 700 deficiencies during exams of 1,200 state-level investment advisors—in the first year state regulators reported on cybersecurity incidents.
The North American Securities Administrators Association (NASAA) used the data to generate a list of cybersecurity best practices for investment advisors: prepare and maintain records by backing them up; maintain client information; revise Form ADV and disclosure brochures; implement safeguards through cybersecurity policies and measures; and prepare a written compliance and supervisory procedures manual.
NASAA found policies and procedures to be adequate when firms require and enforce frequent password changes, lock devices, report lost devices, and create specific roles and responsibilities for people to frequently assess these requirements.
To minimize threats posed by data breaches, NASAA recommends that firms routinely back up devices and store the underlying data in a separate, remote location. And they should regularly test backup procedures to ensure their suitability. Similarly, firms should consider whether e-mail communications should be sent securely, especially where they involve identifiable information regarding a client.