After Morgan Stanley Data Breach, How to Talk to Clients About Cybersecurity
Morgan Stanley joined a growing list of prominent corporate brands to suffer a data breach, after it revealed that an employee stole the information of as many as 350,000 wealth management clients and that some of the data was posted online.
The event reminds firms, advisors and clients of the ever-evolving and ubiquitous threat of data breaches.
"Unfortunately these incidents are becoming so common," says Howard Diamond, managing director of financial advisor recruiters Diamond Consultants. "It’s a problem for any major company, not just Morgan Stanley. I don’t know what the answer is."
Morgan discovered the breach on Dec. 27, according to a person familiar with the matter. The firm terminated the employee who stole and posted client information, which included some account and transaction information – though not necessarily current data. No social security numbers or account passwords were posted, according to the person. After discovering the breach, Morgan made sure that the posted information was soon taken down.
Advisors at any firm need to be vigilant about the "headline risk" that comes with scandals that pop up in the news, says Danny Sarch, president of Leitner Sarch Consultants. And they need to understand that in the virtual world, any big firm is a target.
"If I am a cyberterrorist and I want to make a splash, then I go after the big boys," Sarch says. "And that's just the cyber stuff. It's hard to pick up a mainstream or niche publication and not see something that is related to the big firms."
There are measures that advisors can follow in the wake of a data breach, says Joel Bruckenstein, a technology expert and consultant to financial firms.
"Assuming that your firm complied with all federal guidelines and went beyond that, then explain what they've done to protect client data," Bruckenstein says. "The first thing is, based on industry best practices, we followed them. Second, nothing is fool-proof. Even banks get hit by bank robbers."
"I would explain, 'Look, even though this is uncomfortable, you didn't lose any money,'" he adds. "And if you did, the company has insurance to make you whole. In types of incidents like these, Morgan Stanley or whoever it is will pay for a data monitoring services to ensure that no one is making use of that data that they may have gotten their hands on."
For its part, Morgan Stanley has provided its financial advisors with talking points and information about the incident, and is offering protective services such as credit and fraud monitoring to clients, according to a person knowledgeable about the firm's efforts.
Eleanor Blayney, the CFP Board's consumer advocate, says investors need to remain vigilant that the firm they invest with has proper security measures and data protection policies, and can respond quickly and transparently in such cases.
"It's distracting if not downright disturbing that these things happen, but consumers need to be aware that one of the costs of online efficiency is that there is always this possibility," Blayney says.
One thing that clients can do is examine privacy notices distributed by custodians. "Pay attention to what is in those messages and make sure you are comfortable with the level of privacy," she says.
Blayney adds that other steps to consider include freezing an account, although that would leave the account on hiatus for some time. Clients can also ask, before opening an account, what sort of background checks a firm does for its employees and what type of security policies it has in place regarding the handling of account information.
"The best a person can do is be aware, be wise, and check their account frequently," she says.
Diamond, who has an account with Morgan Stanley, says the fact that it was an insider leaking information put the data breach into perspective.
"If it can happen at Morgan Stanley, it can happen at Merrill Lynch, it can happen at UBS or Wells," he says. "It's not a breakdown in Morgan Stanley's Internet security protocols; it's just an unscrupulous employee trying to steal something from the company. Employee theft has been going on since John D. Rockefeller started Standard Oil. This is just a new version of it."
Some consumer advocates, though, were less forgiving.
"The person who stole the information needs to be held to account. But how is it that they could get away with it in the first place?" asked Bart Naylor, financial policy advocate at Public Citizen, a consumer advocacy group in Washington. "Were there lapses in supervision, and if so, will those people be held accountable too? How many employees have access to such account information at Morgan Stanley, and can steal them? It seems to be a management problem."
Such incidents will continue as long as there are weak penalties for such data breaches and a lack of deterrents within firms, Naylor adds. "It would be an advance if federal prosecutors bring real penalties against such miscreants."