The SEC has handed out another (its 2nd overall) cybersecurity fine earlier this month to a not-so-small company you might know. In this case, Morgan Stanley has agreed to a $1 million fine for lacking cybersecurity in some areas that were investigated after a breach was discovered. Let’s breakdown some of the specifics about the SEC’s cybersecurity findings.

1.) WISP

The first item that demands attention is something we are seeing a lot: the lack of written cybersecurity policies and protocol. Its the same reason an RIA was fined $75,000 in 2016.

“The SEC issued an order finding that Morgan Stanley failed to adopt written policies and procedures reasonably designed to protect customer data.”

This means that Morgan Stanley had a policy, it just wasn’t good enough. In a recent article, we highlighted some basic items needed in a Written Information Security Program, and as your operation grows, your policies must grow as well. Your WISP needs to be written specifically for your operations and must include the right details. Simply saying that certain functions of your cybersecurity are “delegated” is unlikely to be sufficient. Regulators and investors want to know exactly how systems and processes are being protected.

2.) Access Controls

“…Morgan Stanley did not have effective authorization modules for more than 10 years to restrict employees’ access to customer data based on each employee’s legitimate business need.”

This one is tough but really does fall under best practices, even 10 years ago. You can take a free lesson from Morgan and implement proper authorization and access controls starting now. Make sure that employees only have access to data they need for their specific role.


3.) Monitoring and Testing

“Morgan Stanley also did not audit or test the relevant authorization modules, nor did it monitor or analyze employees’ access to and use of the portals.”

They never tested this particular system, but more importantly, it wasn’t tracking user access and use. If any system has Personal Identifying Information (PII) or vital information, it should always be logged and tracked. There are usually multiple ways of achieving this, just ask your IT team.


Lesson Recap

Overall this case confirms what we’ve been seeing at firms of all sizes: a lack of access controls and quality policies. The problem typically stems from IT (whether it’s outsourced or in-house) working solely on the operations of IT. Security is too often assumed. There is also the case of budgets, legacy infrastructure or outside vendors introducing risks that IT does not realize. Most of the time it takes a cybersecurity professional to really help identify potential weak spots in your infrastructure, processes and policies.

If parts of Morgan Stanley’s cybersecurity isn’t good enough for the SEC, how does that make you feel about your current cyber posture? Whether its cyber compliance or cybersecurity, both should have equal attention. Please contact inCybersecurity to schedule a cybersecurity assessment at info@incybersecurity.com


inCyber Security is a cybersecurity and cyber compliance consulting firm that specializes in helping the financial industry adhere to industry cyber regulations and protect themselves from cyber threats and reputation damage. inCyber acts as an Outsourced CISO to most of their clients, but also offer project based services. Using their proprietary security maturity model and unbiased approach, inCyber helps their clients understand and manage relevant cyber risks.

To learn more, contact us at 844-446-2923 or info@incybersecurity.com