Out-Law News | 09 Jun 2016 | 1:20 pm | 1 min. read
Financial firms must put in place policies and procedures to protect against unauthorised access to customer data, a US regulator has said.
The Securities and Exchange Commission (SEC) issued the warning after disclosing a settlement with Morgan Stanley over data security issues.
According to the SEC, hackers accessed customer data belonging to the firm after a former employee "impermissibly accessed and transferred" information from approximately 730,000 client accounts to his personal server. Some of the data was subsequently posted online and "larger quantities" of the information were offered for sale, it said.
The SEC said Morgan Stanley did not put in place sufficient policies, procedures or controls to govern and restrict employees' access to customer account data. It also highlighted shortcomings in the auditing and testing of the "authorisation modules" the firm used, and in its monitoring and analysis of employees' access to, and use of, the portals through which client data could be accessed.
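The page does not describe what monitoring Morgan Stanley actually had in place, only that the SEC found it inadequate. As an added illustration (not the firm's or the regulator's logic), the script below shows the kind of check a practitioner would expect such monitoring to include: count the distinct client accounts each user touched through a portal in a time window and flag anyone far above their own baseline or above a hard cap, which is the pattern a bulk pull of hundreds of thousands of accounts would produce. The log format, user names, account numbers, baseline figures and thresholds are all constructed for the example.

```python
"""Volume-based portal access monitoring over a constructed access log.

Added example; not code from the article, Morgan Stanley or the SEC.
Log format is hypothetical: ISO timestamp, user id, action, client account id.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_log():
    """Build a constructed access log (not real data)."""
    lines = [
        "2016-01-04T09:01:10 alice VIEW_ACCOUNT 100234",
        "2016-01-04T09:02:42 alice VIEW_ACCOUNT 100871",
        "2016-01-04T09:05:03 bob VIEW_ACCOUNT 100234",
        "2016-01-04T09:10:11 alice VIEW_ACCOUNT 100234",  # repeat of an account already seen
        "2016-01-04T09:14:20 bob VIEW_ACCOUNT 100900",
        "2016-01-05T10:00:00 alice VIEW_ACCOUNT 100555",  # outside the window used below
    ]
    # One user exports 600 distinct accounts in ten minutes: the bulk-pull pattern.
    t0 = datetime(2016, 1, 4, 9, 20, 0)
    for i in range(600):
        ts = (t0 + timedelta(seconds=i)).isoformat(timespec="seconds")
        lines.append(f"{ts} carol EXPORT_ACCOUNT {200000 + i}")
    return lines


def parse_line(line):
    """Split one log line into (timestamp, user, action, account)."""
    ts, user, action, account = line.split()
    return datetime.fromisoformat(ts), user, action, account


def distinct_accounts(lines, start, end):
    """Map user -> set of distinct client accounts touched in [start, end)."""
    touched = defaultdict(set)
    for line in lines:
        ts, user, _action, account = parse_line(line)
        if start <= ts < end:
            touched[user].add(account)
    return touched


HARD_CAP = 250   # constructed: no single user should touch this many accounts in a day
RATIO = 5.0      # constructed: flag anyone at 5x their own typical daily count


def flag_users(touched, baseline, hard_cap=HARD_CAP, ratio=RATIO):
    """Return a sorted list of (user, distinct_count, reason) for users over either limit.

    baseline maps user -> typical distinct accounts per day; unknown users get 1,
    so a brand-new identity pulling many accounts is flagged rather than ignored.
    """
    flagged = []
    for user, accounts in touched.items():
        n = len(accounts)
        typical = baseline.get(user, 1)
        if n > hard_cap:
            flagged.append((user, n, "hard_cap"))
        elif n > ratio * typical:
            flagged.append((user, n, "baseline"))
    return sorted(flagged)


def run_check():
    """Run the check over the constructed log for 4 January 2016."""
    lines = constructed_log()
    start = datetime(2016, 1, 4)
    end = start + timedelta(days=1)
    baseline = {"alice": 10, "bob": 10, "carol": 10}  # constructed typical daily counts
    return flag_users(distinct_accounts(lines, start, end), baseline)


if __name__ == "__main__":
    for user, count, reason in run_check():
        print(f"ALERT user={user} distinct_accounts={count} reason={reason}")
```

The check only works if portal access is logged per account and reviewed; a user who is authorised to query every account one at a time is invisible to the "authorisation module" and is caught only by this kind of volume analysis. The stronger control the SEC's findings point to is restricting what each role can query in the first place, so that a single employee cannot enumerate hundreds of thousands of accounts at all.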
Without admitting or denying the findings, Morgan Stanley settled the SEC's charges that it breached US law. As part of the settlement Morgan Stanley agreed to pay the regulator a $1 million penalty.
"Given the dangers and impact of cyber breaches, data security is a critically important aspect of investor protection," Andrew Ceresney, director of the SEC's enforcement division, said. "We expect SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information."
In a statement Morgan Stanley said: "Morgan Stanley is pleased to settle this matter, which results from the theft by a former employee of certain limited client data that was reported in January 2015. Following the discovery of the incident, Morgan Stanley promptly alerted law enforcement and regulators, and notified affected clients. Morgan Stanley worked quickly to protect affected clients by changing account numbers and offering credit monitoring and identity theft protection services, and has strengthened its mechanisms for safeguarding client data. No fraud against any client account was reported as a result of this incident."