
Morgan Stanley reaches $1 million settlement over hack attack

Chris Hamblin, Editor, London, 10 June 2016


The US Securities and Exchange Commission has just settled with Morgan Stanley over the bank's failure to protect information about HNW customers, some of which ended up online.

In its order, the SEC says that the bank failed to write and follow policies and procedures "reasonably designed" to protect customers' records and information, thereby falling foul of the 'safeguards rule,' namely Rule 30(a) of Regulation S-P (in part 248.30(a) of title 17 of the Code of Federal Regulations, the sections of which correspond to rule numbers). This rule dates from 2000 in its original form and 2005 in its present form.

Part 248.30 covers procedures to safeguard customers' records and information and the disposal of consumer report information. It dictates that every SEC-registered broker, dealer, investment company and investment advisor must adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customers' records and information. They must be reasonably designed to: (i) make the information secure and confidential; (ii) protect its security or integrity against any anticipated threats or hazards; and (iii) protect it from unauthorised access that could result in substantial harm or inconvenience to any customer.

The misdeeds of Marsh

Galen Marsh, a financial advisor at Morgan Stanley, misappropriated data regarding 730,000 accounts (associated with approximately 330,000 different households) by accessing the bank's business information system portal and its "fixed income division select" portal, which staff used to run the bank's wealth management business. The information he purloined included customers’ full names, phone numbers, street addresses, account numbers, account balances and descriptions of the securities they held. In the winter of 2014-15, someone - probably not Marsh - posted some of the data on at least three Internet sites along with an offer to sell a larger quantity in exchange for payment in speedcoins, a digital currency.

The bank took a long time to unmask Marsh. It took more than three years for it to realise that he had been copying forbidden data, and then only by looking outside its own organisation. It first realised that someone was posting its data on websites during an Internet sweep on 27th December 2014, by which time it had been public for nearly a fortnight. It notified the authorities. It then realised that the data corresponded to other data it had in reports that Marsh had compiled in the normal course of his duties and targeted him as a likely suspect, interviewing him on the 29th and 30th.

Marsh admitted to downloading it onto his personal server but not to posting it online. Morgan Stanley now thinks that Marsh was telling the truth and that his server was hacked.

Controls circumvented

Had the bank stuck to its cyber-security policies, no harm would have occurred. In or about June 2011, when he was a client service associate who supported the bank's financial advisors (whose ranks he later joined), Marsh discovered that the authorisation module for the aforementioned FID select portal did not work when he ran a report. It should have allowed him access only to data about customers who were associated with the financial advisors he was helping, but he noticed that he could run this report for all Morgan Stanley customers, including those outside his own group. A programming flaw in the authorisation module for that portal stopped the module from 'interfacing' properly with the portal's "employee data entitlements database," as it was called. As a result, Marsh could see the data of all financial advisors' groups for all customers throughout the bank.

Again and again, Marsh exploited this programming flaw by first entering a branch ID number other than his own — everybody at the bank knew everybody else's branch ID number — and then entering various possible numbers of financial advisors (or groups thereof) until he discovered a combination that worked. At that point, he could (and did) run reports containing personal information about all the customers of the financial advisor in question or, indeed, of his entire group. Marsh was promoted to financial advisor in March 2014 and his rights to various types of data were supposed to change, but on this portal they did not, because the list of things he could access there was kept on a database other than the firm's main database of access rights. Between October 2013 and December 2014 he conducted 4,000 unauthorised searches on that portal.

Marsh also accessed the aforementioned business information portal, starting in 2014. This portal lacked any authorisation module whatsoever for producing "relationship migration book analysis reports," which contained customers' personal data. Any financial advisor could produce reports of this kind, thereby gathering confidential data, for other financial advisors’ customers. In 2014, Marsh conducted about 1,900 unauthorised searches by this means, using the same approach he had used to access the FID Select Portal.

What should the bank have done?

The SEC found that the bank failed to conduct any auditing or testing of the authorisation modules for the portals at any point since their creation at least 10 years ago. This would probably have revealed the deficiencies in these modules. Morgan Stanley, moreover, did not monitor the activity of the portals' users to identify any unusual or suspicious patterns.
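As an added illustration (not the article's or Morgan Stanley's code; the user names, branch and group IDs, and the log line format are all hypothetical), here is a fail-closed authorisation check that actually consults the entitlements store, together with a simple monitor that flags the cross-branch enumeration pattern described above, the kind of testing and user-activity monitoring the SEC said was missing:

```python
"""Added example: entitlement-backed authorisation plus an anomaly check
over constructed report-request logs. All names and IDs are hypothetical."""
from collections import defaultdict

# Hypothetical entitlements database: user -> set of (branch_id, fa_group)
# pairs that user is allowed to report on.
ENTITLEMENTS = {
    "csa_001": {("B100", "FA7"), ("B100", "FA8")},
    "fa_002": {("B200", "FA21")},
}


def authorise_report(user, branch_id, fa_group, entitlements=ENTITLEMENTS):
    """Grant the report only if the entitlements store lists this exact
    branch/group pair for the user. The flaw the article describes amounted
    to the module never consulting the store; this version fails closed."""
    return (branch_id, fa_group) in entitlements.get(user, set())


def flag_enumeration(log_lines, max_branches=2, max_denied=5):
    """Flag users whose requests span more than max_branches branch IDs or
    who accumulate max_denied or more unauthorised attempts. Constructed log
    line format: user,branch_id,fa_group"""
    branches = defaultdict(set)
    denied = defaultdict(int)
    for line in log_lines:
        user, branch_id, fa_group = line.strip().split(",")
        branches[user].add(branch_id)
        if not authorise_report(user, branch_id, fa_group):
            denied[user] += 1
    return sorted(u for u in branches
                  if len(branches[u]) > max_branches or denied[u] >= max_denied)


# Constructed sample log: csa_001 probes branch/group combinations outside
# its own group, the pattern the article describes; fa_002 stays in bounds.
SAMPLE_LOG = [
    "csa_001,B100,FA7",
    "csa_001,B300,FA1", "csa_001,B300,FA2", "csa_001,B300,FA3",
    "csa_001,B400,FA1", "csa_001,B400,FA2",
    "fa_002,B200,FA21",
]

if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))  # ['csa_001']
```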

The bank should also have stopped its staff from accessing certain external websites that posed a threat to its data security. After downloading the data he had obtained from the portals, Marsh transferred it to a personal server located at his home. The bank had installed and maintained certain controls on its computer systems that, among other things, stopped its employees from copying data onto removable storage devices and from accessing certain categories of websites. Marsh, however, transferred customers' data to his personal server by accessing his personal website, galenmarsh.com, which had a feature that helped him transfer data from his Morgan Stanley computer to his personal server. Morgan Stanley’s Internet filtering software did not prevent employees from accessing such 'uncategorized' websites from bank computers.

Internet filtering programmes generally try to 'categorise' websites according to their content or other attributes and then apply predetermined filters created for the detected website category. One such filtering programme may use such categories as 'social media' or 'e-commerce.' 'Uncategorized' websites are those that a filtering programme has not put in one of its established categories.

With all this in mind, the SEC found that Morgan Stanley "willfully violated Rule 30(a)." The bar for 'wilfulness' is not a high one: the courts have determined that a wilful violation of the securities laws means merely ‘that the person charged with the duty knows what he is doing,’ as stated in Wonsover v SEC (2000).

The bank has already undertaken efforts to remedy its failings and it only remains to pay the $1 million penalty. The bank did not, however, admit the wrongdoing for which the SEC censured it in its order. Marsh, whom US prosecutors unsuccessfully tried to have imprisoned, was sentenced in December to three years of probation and ordered to pay restitution of $600,000 after pleading guilty to the felony of unauthorised access to a computer.

Morgan Stanley Smith Barney is a limited liability company incorporated in Delaware. Its main office is in New York. Morgan Stanley actually offered the terms of the settlement itself and the SEC accepted them.
