Today I published an extensive article discussing the key takeaways from the SEC’s recent cybersecurity enforcement action against Morgan Stanley.
This time the SEC hit Morgan Stanley with a $1 million penalty for security lapses that enabled a former financial adviser to tap into its computers and take client data home. Likely hacked while in the possession of the financial adviser, some of the client data appeared online between December 2014 and February 2015.
There are a slew of important takeaways from the SEC action, especially that cybersecurity failures can, and will, happen to any financial firm. And in this instance, after recognizing its cybersecurity failures, Morgan Stanley did just about everything right. Even better than right – Morgan Stanley actually excelled in its response. Here is an excerpt from my article:
“Morgan Stanley clearly made a mistake with respect to their internal systems and their slip-up probably allowed a scheming employee to steal private client data – which in turn left that data vulnerable to external threats.
Whether their mistake should have cost them a $1 million penalty and the scarlet letter of an SEC enforcement action is debatable. But under any circumstance, the matter sends two important messages above all else:
First, no firm enjoys perfect cybersecurity, no matter how sophisticated and careful. Mistakes will happen and when they do, the SEC will pounce, enforcing its broad and sweeping Safeguards Rule in its own home field of an SEC administrative courtroom. Second, by responding with speed, transparency, independency and vigor, Morgan Stanley, despite being penalized, actually deserves to be commended.”