3 Ways Financial Institutions Can Safeguard Against the SEC’s Safeguards Rule
In 2016, Morgan Stanley, one of America’s largest financial investment firms, was fined $1 million by the Securities and Exchange Commission (SEC) for not complying with the Gramm-Leach-Bliley Act. Also known as the “Safeguards Rule,” this act requires brokers, dealers, and investment companies to safeguard customer information and records, which Morgan Stanley failed to do.
Between 2011 and 2014, a Morgan Stanley employee transferred data from about 730,000 customers to his personal server, which was ultimately hacked by third parties; the information was subsequently posted on internet sites. Despite no fraud being reported from this breach, Morgan Stanley was still fined.
Even when financial firms thought they were safe…
Although Morgan Stanley had adopted and implemented measures restricting employee access to confidential customer data, as well as their ability to copy data onto removable storage devices, the SEC found that Morgan Stanley failed to guarantee reasonable and proper execution of their security measures.
Another financial firm, Craig Scott Capital LLC, paid a $1 million fine for a customer data breach involving 4,000 customers. Additionally, the SEC fined the firm’s two principals an extra $25,000 each, showing that both companies and individuals are being held accountable for protecting customer Personally Identifiable Information (PII). The employee who compromised the data has been banned from the securities and banking industries and was ordered to pay $600,000 in restitution.
These cases highlight the need for businesses not only to implement processes but to monitor, test and review them to ensure compliance with the SEC’s Safeguards Rule. This creates a huge burden for small- and mid-sized businesses, as proper security practices take a lot of time and expertise. Securing data is best left to professionals who handle technology every day; the price is too high to leave it to nonprofessionals. Outsourcing to a professional Managed Services Provider (MSP) that manages the security, monitoring and maintenance of multiple financial firms provides economies of scale that result in less expense, and an MSP has the experience and knowledge to ensure that your firm is compliant.
Here are 3 practices your MSP should implement to meet the expectations set forth by the Safeguards Rule:
- Adopt automated security mechanisms
Include filters to block uncategorized websites and effective authorization modules. Make sure to audit, test and monitor security routinely.
- Monitor activity in customer data portals
By monitoring activity, any unusual or suspicious patterns can be detected. If Morgan Stanley had done this, they would have noticed the transfer of customer data to an unauthorized destination. Compliance with safeguard policies needs to be spot checked, and supervisors need to be aware of how employees are using their computers and the data they have access to. Do not allow unsupervised, after-hours access to customer PII.
- Prevent transfer of customer data
Configure IT and software to stop data from being transferred outside of your company’s system. Employees should only have access to data they personally work with.
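The monitoring and transfer-prevention practices above (items 2 and 3) come down to reviewing what a customer data portal logs. The following Python script is an added example, not code from the original article or from any MSP's product. It runs over a constructed audit log (a made-up format of timestamp, user, action, record count and destination) and raises three kinds of findings that map to the practices: exports to a destination outside an assumed approved list, access outside assumed business hours, and a per-user daily export total above an assumed bulk threshold. The log format, the allow-list, the hours and the threshold are all assumptions chosen for illustration; a real portal's audit trail and policy values would replace them.

```python
"""Spot-check a customer-portal audit log for Safeguards-Rule-relevant activity.

Added example with constructed data; the log format and policy values are
assumptions, not the format of any real product.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, time

# Constructed sample audit log (not from any real system).
# Assumed format: ISO timestamp|user|action|record_count|destination
SAMPLE_LOG = """\
2014-03-03T10:15:00|alice|VIEW|1|portal
2014-03-03T10:16:30|alice|VIEW|1|portal
2014-03-03T22:41:05|bob|EXPORT|5000|203.0.113.7
2014-03-03T22:42:10|bob|EXPORT|7500|203.0.113.7
2014-03-03T11:02:00|carol|EXPORT|40|fileshare.corp.example
2014-03-04T02:10:00|alice|VIEW|1|portal
"""

# Assumed policy values: adjust to the firm's own written safeguards policy.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
BULK_THRESHOLD = 1000                                        # records per user per day
APPROVED_DESTINATIONS = {"portal", "fileshare.corp.example"}  # assumed allow-list

Event = namedtuple("Event", "ts user action count dest")
Finding = namedtuple("Finding", "reason user detail")


def parse_line(line):
    """Split one assumed-format log line into an Event."""
    ts, user, action, count, dest = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), user, action, int(count), dest)


def parse_log(text):
    """Parse every non-empty line of the log text."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def analyze(text):
    """Return a list of Findings for unapproved destinations, after-hours
    access, and bulk exports (per user, per calendar day)."""
    findings = []
    exported_per_user_day = defaultdict(int)

    for e in parse_log(text):
        if e.action == "EXPORT":
            exported_per_user_day[(e.user, e.ts.date())] += e.count
            # Practice 3: data leaving the firm's systems to an unapproved place.
            if e.dest not in APPROVED_DESTINATIONS:
                findings.append(Finding("unapproved_destination", e.user,
                                        f"{e.count} records to {e.dest}"))
        # Practice 2: no unsupervised after-hours access to customer PII.
        if not (BUSINESS_START <= e.ts.time() < BUSINESS_END):
            findings.append(Finding("after_hours", e.user, e.ts.isoformat()))

    # Practice 2: an unusual volume of records handled by one person in a day.
    for (user, day), total in exported_per_user_day.items():
        if total > BULK_THRESHOLD:
            findings.append(Finding("bulk_export", user, f"{total} records on {day}"))
    return findings


def users_flagged(text):
    """Sorted list of users with at least one finding, for a supervisor's review."""
    return sorted({f.user for f in analyze(text)})


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.reason:24} {f.user:8} {f.detail}")
    print("review:", ", ".join(users_flagged(SAMPLE_LOG)))
```

On the constructed log, carol's small daytime export to an approved share produces nothing, alice is flagged once for a 02:10 login, and bob is flagged for two after-hours exports to an external address that together exceed the daily threshold, which is the pattern the article says Morgan Stanley would have noticed with monitoring in place. The three checks are deliberately separate so that each finding reason can be routed to a different reviewer or tuned independently.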