What You Should Know About MSSB’s Enforcement
Last year’s RT Jones enforcement was a shot across the bow to Investment Advisers of all sizes: the SEC was paying attention to cybersecurity and taking it seriously. Fast forward to June 8, 2016 and Morgan Stanley Smith Barney’s (MSSB) cybersecurity enforcement, and the stakes have been raised again, this time with a one million dollar fine.
In the announced settlement, the SEC detailed a trail of access-control and data-loss-prevention failures that led to a breach of client PII. In broad terms, MSSB maintained databases of client information that were, in theory, cordoned off by location. The data was segregated so that an individual within the firm would only have access to the client information that he or she needed to do their job. This is need-to-know role segmentation at its simplest, and it is something that we wholeheartedly endorse.
Strike 1: The problem MSSB ran into was that no one ever actually tested these restrictions in the production environment. Roughly ten years on, an MSSB employee, Galen Marsh, discovered that one specific report offered by an online portal gave him access to all customer information. The cause was an error in the database code: the report simply did not apply his user’s access controls. He also discovered that, on another portal, he could change the unique identifier code that restricted a report to a particular location. By altering that identifier he was able to pull any location’s information, regardless of whether he had any business need to view it.
Strike 2: MSSB did have specific controls in place that could have prevented a data leak. It prohibited the use of removable media and restricted access to certain websites from its corporate networks. We assume that MSSB was blocking the typical non-work-related categories, such as adult and gambling sites. It was not, however, blocking sites that were “unclassified” (often called “uncategorized”) by the filtering system, meaning sites for which the system had no category at all. Mr. Marsh’s personal website was one of these unclassified, and therefore allowed, sites. This let Mr. Marsh upload the data he obtained from the unrestricted reports to his personal server. It is not entirely clear what Mr. Marsh intended to do with the data, but court proceedings did indicate that he was in active talks with two competitors of MSSB about employment.[i]
Strike 3: In December 2014, Mr. Marsh’s private server was hacked, and portions of the information he had exfiltrated from MSSB’s network were posted to the text-sharing site Pastebin.
The SEC again reached for its favorite cudgel, Rule 30(a) of Regulation S-P (the Safeguards Rule). The administrative order settling the matter notes that:
MSSB violated the Safeguards Rule because its policies and procedures were not reasonably designed to meet these objectives by failing to include, for example: reasonably designed and operating authorizations modules for the portals that restricted employee access to only the confidential customer data as to which such employees had a legitimate business need; auditing and/or testing of the effectiveness of such authorization modules; and monitoring and analysis of employee access to and use of the Portals.[ii]
We have heard speakers from the SEC recently comment that a firm with adequate policies and procedures that nonetheless suffers a breach will not necessarily face enforcement. In MSSB’s case, however, the failure to test its access restrictions was evidently a deficiency serious enough to warrant it. The other failures cited in the order should serve as a warning to all Investment Advisers and Broker-Dealers.
What You Should Do
Much of the nuance of this proceeding stems from the proprietary databases and applications in use at MSSB that Mr. Marsh exploited. Many smaller firms will not have these specific systems, but that does not mean there are no take-aways. All firms should use this enforcement as an opportunity to do the following:
- If you do not segregate your data based on users, develop a plan and implement it. The SEC has sent a clear message here that they expect firms to be restricting data on a need-to-know basis.
- If you do have these controls in place, test them, and test them in production rather than assuming the design was implemented. Make sure that someone assigned to a specific role cannot see folders, reports or records outside that role, including by altering the parameters of a report they are otherwise allowed to run.
- If you maintain proprietary tools and databases, take the time to review their access controls, report by report.
- If you are not restricting access to mass storage devices (Thumb Drives, etc), you should review your capability to do so and implement controls.
- If your firewall or web proxy can block websites by category, we recommend taking advantage of the feature. With respect to the “uncategorized” (“unclassified”) sites that were MSSB’s undoing, try blocking that category and determine whether there is a business impact. If there is, and you decide to allow that traffic, document the reasons.
- Train your employees on acceptable and unacceptable data handling procedures.
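The two defects described under Strike 1 (a report that never applied the user’s access controls, and a location identifier that could simply be changed to reach another branch’s data) and the “test them” advice above can both be shown in a few lines of code. The following is an added example written for this page; it is not code from MSSB’s systems or from the SEC order. The client records, branch codes, user names and the report functions are all invented for illustration: a vulnerable pair of reports, a hardened pair that enforce the caller’s entitlement on the server side, and the authorization sweep that would have surfaced the leak before an employee did.

```python
"""Authorization sweep modelled on the access-control failures described above.

Constructed example: a client table segregated by branch location, two report
implementations (one missing its access checks, one enforcing them), and a test
that walks every user/location pair and reports rows a user can see but should
not. All names, locations and records are invented for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    username: str
    locations: frozenset  # branch codes this user has a business need to see


# Constructed sample data: client records keyed by branch location code.
CLIENTS = [
    {"id": 1001, "name": "Client A", "location": "NY01", "account": "***1234"},
    {"id": 1002, "name": "Client B", "location": "NY01", "account": "***5678"},
    {"id": 1003, "name": "Client C", "location": "CA07", "account": "***9012"},
    {"id": 1004, "name": "Client D", "location": "TX03", "account": "***3456"},
]

# Constructed users: two branch advisers and a manager entitled to two branches.
USERS = [
    User("adviser_ny", frozenset({"NY01"})),
    User("adviser_ca", frozenset({"CA07"})),
    User("regional_mgr", frozenset({"NY01", "TX03"})),
]


class AuthorizationError(Exception):
    pass


# --- Vulnerable implementation (mirrors the two defects in Strike 1) ----------

def branch_report_vulnerable(user: User, location: str) -> list:
    """Filters by the location the caller *asked for*, never by what the caller
    is *allowed* to see. Changing the location code in the request returns
    another branch's clients."""
    return [c for c in CLIENTS if c["location"] == location]


def all_clients_report_vulnerable(user: User) -> list:
    """A report whose authorization check was never implemented: every caller
    gets every client."""
    return list(CLIENTS)


# --- Hardened implementation ----------------------------------------------------

def branch_report(user: User, location: str) -> list:
    """Check the requested location against the user's entitlement before
    filtering. Tampering with the location parameter now yields an error."""
    if location not in user.locations:
        raise AuthorizationError(f"{user.username} is not entitled to {location}")
    return [c for c in CLIENTS if c["location"] == location]


def all_clients_report(user: User) -> list:
    """Same report, scoped to the caller: 'all clients' means the union of the
    branches the caller may see, not the whole table."""
    return [c for c in CLIENTS if c["location"] in user.locations]


# --- The test that was never run ------------------------------------------------

def find_leaks(branch_fn, all_fn) -> list:
    """Exercise every user against every location and both reports. Return a
    (user, report, location, client_id) tuple for each row the user should not
    have been able to see; an empty list means the controls held."""
    leaks = []
    all_locations = sorted({c["location"] for c in CLIENTS})
    for user in USERS:
        for loc in all_locations:
            try:
                rows = branch_fn(user, loc)
            except AuthorizationError:
                rows = []  # denied: the correct outcome for a foreign branch
            leaks += [(user.username, "branch", loc, c["id"])
                      for c in rows if c["location"] not in user.locations]
        leaks += [(user.username, "all_clients", c["location"], c["id"])
                  for c in all_fn(user) if c["location"] not in user.locations]
    return leaks


if __name__ == "__main__":
    vuln = find_leaks(branch_report_vulnerable, all_clients_report_vulnerable)
    safe = find_leaks(branch_report, all_clients_report)
    print(f"vulnerable reports: {len(vuln)} leaked rows")
    for leak in vuln:
        print("  ", leak)
    print(f"hardened reports:   {len(safe)} leaked rows")
```

The sweep is deliberately brute force: it enumerates every user against every location rather than sampling, because the whole point of Strike 1 is that the one report nobody checked was the one that leaked. Run it as part of release testing against the production configuration, and treat any non-empty result as a blocking defect rather than a finding to triage later.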
This most recent enforcement suggests that cybersecurity is a core issue for the SEC and will pervade its examination process for the foreseeable future. If you or your firm have yet to develop a comprehensive strategy for addressing the concerns the SEC has been outlining for the last two years through releases, sweeps, and now enforcement actions, your time is running out. You can adapt your cybersecurity program to your needs and budget, but you must be addressing the problem in a comprehensive manner.