• Cyber-related threats to trading platforms and other critical market infrastructure.

These are all areas firms may want to consider addressing, before facing the SEC in an examination or in an enforcement action, Rubin says.

Last year, the SEC fined Morgan Stanley Smith Barney LLC for failing to protect information from 730,000 client accounts. An employee first copied the data to a personal server; that server was later hacked and the data offered for sale online. The employee who transferred the clients’ personal financial data was required to pay $600,000 in restitution and was barred from the securities industry for five years.

In that case, the SEC alleged that the firm violated the “Safeguards Rule” over a four-year span by failing to adopt written policies and procedures to ensure the security of clients’ personally identifiable information.

The case shines a light on what the SEC expects from firms when it comes to the internal web applications and portals that give employees access to customers’ confidential account information.

Morgan Stanley did not have effective authorization modules restricting employees’ access to customer data based on each employee’s legitimate business need. The firm failed to audit and test its modules and also failed to monitor and analyze employees’ access and use of the modules.

As a result, a Morgan Stanley employee downloaded and transferred confidential data to his personal server at home over a four-year period. A likely third-party hack of the Morgan Stanley employee’s personal server resulted in portions of the confidential data being posted on the Internet with offers to sell larger quantities.
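As an added illustration (not code from the article or from any firm it names), here is a minimal Python sketch of the two controls the SEC faulted: a need-to-know authorization check that records every decision, and a monitor that flags any employee whose distinct-account accesses within a sliding window exceed what a legitimate workflow needs. The entitlement table, account ids and the sweep scenario are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed entitlement table (hypothetical data, not the firm's): each
# employee may only read the accounts in their own book of business.
ENTITLEMENTS = {
    "adv_alice": {"ACC-1001", "ACC-1002"},
    "adv_bob": {"ACC-2001"},
}

ACCESS_LOG = []  # every decision is recorded, allowed or denied

def fetch_account(employee, account_id, when):
    """Need-to-know check: deny unless the account is in the employee's book."""
    allowed = account_id in ENTITLEMENTS.get(employee, set())
    ACCESS_LOG.append({"employee": employee, "account": account_id,
                       "when": when, "allowed": allowed})
    if not allowed:
        raise PermissionError(f"{employee} is not entitled to {account_id}")
    return {"account": account_id, "served_to": employee}

def flag_bulk_access(log, window, max_distinct):
    """Monitoring: employees who touched more distinct accounts inside any
    sliding `window` than a legitimate workflow needs. Denied attempts count
    too, since probing for accounts outside one's book is itself a signal."""
    by_emp = defaultdict(list)
    for rec in log:
        by_emp[rec["employee"]].append((rec["when"], rec["account"]))
    flagged = set()
    for emp, events in by_emp.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {acct for t, acct in events[i:] if t - start <= window}
            if len(seen) > max_distinct:
                flagged.add(emp)
                break
    return flagged

def demo():
    """Constructed scenario: alice reads one of her own accounts, then
    bob's login sweeps through accounts outside his book every 30 seconds."""
    ACCESS_LOG.clear()
    t0 = datetime(2016, 1, 4, 9, 0)
    fetch_account("adv_alice", "ACC-1001", t0)
    for n in range(25):
        try:
            fetch_account("adv_bob", f"ACC-{3000 + n}", t0 + timedelta(seconds=30 * n))
        except PermissionError:
            pass  # denied, but the attempt is still in the log
    return flag_bulk_access(ACCESS_LOG, timedelta(minutes=15), max_distinct=20)
```

In practice the log would be shipped to a SIEM and the threshold tuned per role; the point is that both the enforcement and the monitoring exist and are exercised, which is what the examiners look for.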

What Advisors Should Do

To try to avoid future enforcement actions, broker-dealers and investment advisors should focus on establishing and implementing written, proactive cybersecurity policies that are regularly updated to account for the latest hacker tactics and techniques. “Cyber is a dynamic, if not volatile, environment—the best laid plans of last year may not mean much this year,” the report says.

Examiners are also looking at employee training and vendor relationships, Rubin said. A great idea is to have policies that show that firms actively train their employees and registered persons to try to ensure that each person understands her role and responsibility with regard to cybersecurity, Rubin said.