Big fines show security risk to funds of sloppy data habits

$1.1bn for poor record keeping, $35m Morgan Stanley fine for lost drives helps SEC show impact of current data rules while preparing for new ones

During the Feb. 9 pitch for a fund-focused cybersecurity regulation, SEC officials talked a lot about how important it was that registered investment firms built defenses that would keep customer data safe if the firms were attacked from outside.

In July the SEC Enforcement Division reinforced the emphasis on keeping bad actors away from good data by announcing it had fined J.P. Morgan Securities LLC, UBS Financial Services, Inc., and TradeStation Securities, Inc. a total of $2.5 million for maintaining inadequate systems for providing early warning of possible identity theft.

During the past several weeks, however, the Enforcement Division has shattered any impression that the SEC doesn’t care about compliance with rules requiring proper maintenance and protection of customer data. It announced big fines against a long list of brokers and investment advisers for recordkeeping that was sloppy enough to put customer data at risk, or that wasn’t happening at all because fund managers weren’t enforcing rules forbidding employees from discussing business by text or other media on their personal devices.

Regulators made the point that sloppy data governance creates security risks with the Sept. 20 SEC announcement that Morgan Stanley Smith Barney LLC (MSSB) would pay $35 million to settle charges that it put the personal information of 15 million customers at risk by failing to keep track of servers and storage devices it was replacing, some of which were later sold at auction with unprotected, unencrypted customer data still on them.

MSSB fell “woefully short” of its responsibility to protect customers’ data, according to a statement from Gurbir S. Grewal, director of the SEC’s Enforcement Division in the SEC’s announcement of the settlement.

“If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors,” Grewal said.

“We are pleased to be resolving this matter,” according to a prepared statement from MSSB, whose settlement included no admission of fault for a problem that went on for almost five years and was still turning up lost hard drives with sensitive information as recently as June of 2021.

“We have previously notified applicable clients regarding these matters, which occurred several years ago, and have not detected any unauthorized access to, or misuse of, personal client information,” the statement said.

MSSB is the first company punished by the SEC under the Safeguards Rule and Disposal Rule of Regulation S-P solely for the way it disposed of IT hardware, according to a Sept. 26 analysis by Kate Hanniford and Mario Ayoub, of law firm Alston & Bird’s Privacy, Cyber and Data Strategy Team.

The result raises the stakes for registered investment advisers, which might want to tighten supervision of their own compliance, keep a closer eye on the compliance of service providers and take more care in the handling and disposal of customer data and IT hardware, Hanniford and Ayoub wrote.

Fund boards that may now need to re-evaluate the data-management habits of fund advisers and service providers have spent the past several months adjusting to the changes in expectation implied in the language of the fund-specific cybersecurity rule the SEC announced Feb. 9, which was very different from guidance the agency issued just a few years ago, according to Nicole Crum, a partner at Sullivan & Worcester. Trustees know they need to get up to speed on both sides of the security question, however, she said.

“There is wide variation in terms of what people are doing and what resources they’re spending, but we’ve come leaps and bounds since then,” Crum said. “Fund boards and advisers are much more focused on cybersecurity.”

Not every fund or corporate board is yet fully up to speed, according to a recent survey by fraud-detection developer Featurespace Ltd., in which two-thirds of the financial executives surveyed said complex regulatory requirements are the biggest challenge for organizations combating fraud and financial crime.

Complying with old, familiar rules is also a challenge, judging by charges the SEC announced Sept. 27 accusing MSSB and 15 other firms of longstanding failures to ensure that internal communication about business issues flowed through secure official channels, where it could be recorded and documented, rather than through text and other off-the-books methods on personal devices, which had become the norm in many organizations.

The 16 companies paid a total of $1.1 billion to settle the charges that they had failed to police “pervasive off-channel communications,” according to the SEC statement announcing the settlement.

Both series of charges reflect the long-term failure to enforce well-defined internal policies, which fund boards might never hear about in summary reports of performance from management.

“Today’s actions – both in terms of the firms involved and the size of the penalties ordered – underscore the importance of recordkeeping requirements, they’re sacrosanct. If there are allegations of wrongdoing or misconduct, we must be able to examine a firm’s books and records to determine what happened,” Grewal said in the statement announcing the penalties.

SEC charges 16 for recordkeeping failures

Agreed to penalties of $125 million:

  • Barclays Capital Inc.
  • BofA Securities Inc., with Merrill Lynch, Pierce, Fenner & Smith Inc.
  • Citigroup Global Markets Inc.
  • Credit Suisse Securities (USA) LLC
  • Deutsche Bank Securities Inc., with DWS Distributors Inc. and DWS Investment Management Americas, Inc.
  • Goldman Sachs & Co. LLC
  • Morgan Stanley & Co. LLC, with Morgan Stanley Smith Barney LLC
  • UBS Securities LLC, with UBS Financial Services Inc.

Agreed to penalties of $50 million:

  • Jefferies LLC
  • Nomura Securities International, Inc.

Agreed to a penalty of $10 million:

  • Cantor Fitzgerald & Co.

Cybersecurity has become important enough to be considered a critical service on a par with that of fund custodians or sub-advisers, but few boards are qualified to judge the qualifications behind, or the technical justification for, specific policies. That was one of the most common objections to the first version of the rule proposal, Crum said.

Boards could recruit members with security backgrounds to take the lead on security issues. But among those who have spoken to FD about those choices, most prefer trustees with good judgment and broad experience over those with deep experience in a single function and limited understanding of the business they’re responsible for supervising.

It’s possible to hire external security auditors and rely on their expertise, but the board still needs to understand enough about how security affects its own business to make decisions, according to Crum. It might be more effective, she said, to look for staff and service providers with the right credentials, who demonstrate their qualifications and the quality of their current work by showing that it adheres to the checklists, frameworks and security standards that define effective security policies and practices.

“The board still has to have some understanding of the business, and you do need some expertise,” Crum said. “But information ceases to be meaningful at a certain level, so you still have to rely on assurances of some kind. It just depends which you accept.”

The quality of data and recordkeeping has always been important, and continues to rise in the priorities of regulators, according to statements from SEC Chair Gary Gensler supporting both MSSB settlement announcements.

“As technology changes, it’s even more important that registrants appropriately conduct their communications about business matters within only official channels,” he said. “As part of our examinations and enforcement work, we will continue to ensure compliance with these laws.”