Morgan's data breach: A call for greater scrutiny
As compliance officer for my firm, I’m becoming concerned with the fact that we have confidential client information stored in various locations: Client management software, laptops, backup services, etc. All employees have their own login credentials for these various systems and our policies and procedures require them to change their passwords periodically but I feel like we should be doing more. What are your thoughts?
You’re right to be concerned. On June 8, Morgan Stanley was fined $1,000,000 by the SEC for "failure to adopt written policies and procedures reasonably designed to protect customer information” in violation of Regulation S-P. Morgan Stanley stored sensitive client information in various locations and an employee was able to access information on approximately 730,000 customer accounts.
Read more: SEC fines Morgan Stanley $1M for data breach
Regulation S-P requires every broker-dealer to adopt written policies and procedures reasonably designed to: (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of such information; and (3) protect against unauthorized access to, or use of, such information. The SEC found that while Morgan Stanley installed controls that restricted employees from copying data or accessing certain categories of websites, the controls were ineffective and allowed the employee to exploit some holes and access the client information. Regulators also found that the firm failed to conduct any auditing or testing of the controls in the 10 years since they had been created and did not monitor user activity to identify unusual or suspicious patterns. The SEC said that such auditing or testing would likely have revealed the deficiencies in these controls. Relying only on your employees’ use of their login credentials raises several concerns. First, once a user has logged into your network I would imagine that they have the ability to access many folders and files. Even if an employee’s network entitlements are limited, as the Morgan Stanley case shows, a dedicated wrong-doer could still find the right combination of credentials to access otherwise restricted client data. Additionally, you need to make sure you have a tight rein on whether employees are, in fact, changing their passwords as required. Toward that end, you may need to make sure the system forces them to change their passwords periodically or otherwise maintain control of the passwords. In light of the SEC’s 2015 Cyber security Initiative and the 2016 Examination Priorities, I think it is incumbent upon you to: figure out where client information resides; limit access to employees who have a legitimate business need to access that data; and implement on-going monitoring and testing of access rights and controls, credentials, passwords, and restrictions.
I’ve recommended IRA rollovers to clients in the past and will most likely do so in the future where I think it’s appropriate. I understand that this will subject me to the DOL’s new fiduciary rule but what else can you tell me about it. ?
The Department of Labor’s new fiduciary rule is over a thousand pages long and trying to summarize it here would be impossible and there are already hundreds of websites dissecting it. However, I will note a few points of interest. Briefly, when you recommend that a client roll over their employer sponsored retirement account to an IRA you normally receive compensation for doing so (typically in the form of a commission on the sale of the investment). That’s what creates the conflict of interest and generally makes it a prohibited transaction. To avoid the prohibition you need to qualify for an exemption. The new Rule creates what’s called a “best interest contract exemption.” To qualify for the exemption you would need to enter into a contract with the client that includes various provisions. The implementation of those provisions can be complicated and I recommend that you speak with an ERISA attorney for the specifics. If you charge a so-called “level fee” to the client rather than a commission (common among investment advisers or wrap fee programs where no commissions are charged), then you might be able to use a limited version of the exemption which is somewhat easier to implement than the full. You’ll need to consult with ERISA counsel for more information on that.