Firms’ internal controls under heavier scrutiny from SEC
The cease-and-desist order and $1 million penalty the SEC imposed on Morgan Stanley Smith Barney (MSSB) last week for inadequate protection of customer data from unauthorized access signal the commission’s determination to shine a brighter light on cyber-security risk.
The enforcement action stems from MSSB’s discovery in December 2014, through its own monitoring, that customer account information had been put up for sale online. After notifying government authorities and affected customers and attempting to get the data taken down, MSSB conducted an internal investigation. It found that a financial adviser employed by the company had violated company policy by circumventing MSSB’s database application restrictions and downloading personally identifiable information and investment data for 730,000 customer accounts held by 330,000 households.
What’s striking about the SEC’s finding that MSSB violated the Safeguards Rule, which requires broker-dealers and investment advisers to adopt written policies and procedures to protect customer records from such threats, is the commission’s refusal to treat the company as a victim, as Wachtell Lipton Rosen & Katz noted in a client alert on June 14. The controls MSSB had adopted lacked an auditing function and any means of monitoring employee access and use. It’s also noteworthy, the alert said, that the SEC targeted ‘an industry leader that had implemented significant cyber-security procedures’ where previously it had ‘disciplined smaller investment firms that had failed to take the most basic cyber-security precautions.’
Suspected violations of the Safeguards Rule aren’t the only area where the SEC is taking a harder look at whether companies have adequate internal controls. The commission has begun to investigate controls at companies that have fallen prey to phishing scams such as wire-transfer fraud. Phishing scams resulted in estimated losses of $2.3 billion between October 2013 and February 2016, according to the FBI, which reports a 270 percent jump in such scams since January 2015. The SEC’s position is that companies that have suffered financial losses bear responsibility for having insufficient internal controls. No fines or settlements have yet been imposed on that basis, but they are expected.
Michael Jones, a partner at Goodwin Procter, says he isn’t sure why the SEC attributes the spike in phishing scams to weak controls rather than to more ingenious schemes by hackers. He sees the problem as more an individual employee issue than one of inadequate internal controls, and believes the SEC’s perspective ‘is that if you have a set of controls that require certain types of touch points and approvals, these types of schemes would be detected earlier.’
Just how many inquiries the SEC has initiated isn’t public information but inquiries seem to have started in mid-2015 and coincide with a resurgence in the CEO fraud ‒ or business email compromise ‒ scheme, which had been dormant for a while before the FBI realized it was becoming more frequent again last year, Jones says.
At most large companies, multiple approvals from designated employees and managers are needed to initiate a wire transfer. Now that these practices are coming under heavier scrutiny, Jones sees the beginning of a trend to return ‘to having some actual human interaction rather than automated approval processes and simply using email for acquiring the information and backup for approval, and requesting that people at least [have] a phone call or an in-person conversation with respect to wire transfers where something doesn’t look to be standard.’
Much of the focus of companies’ response to increased cyber-scams has been directed toward educating all employees, and those who handle wire transfers in particular, to be on the lookout for these types of wire-fraud phishing emails. More companies are also hiring outside firms to send faux phishing emails to test how aware employees are. ‘If they respond to or click on attachments from certain emails, they’ll be transferred into some mandatory training protocol just to make sure everyone’s staying on guard,’ says Jones.
‘With respect to inbound email schemes, including ransomware, we always advise our clients to work with the IT department and perhaps outside vendors to make sure they have adequate protection in terms of pretty aggressive spam-filtering to identify domains that should be blocked and to try to cut off fraudulent emails from certain domains before they even get to employees,’ he says.
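The two controls Jones describes, a forced human callback ‘where something doesn’t look to be standard’ and filtering on suspicious sender domains, both need a concrete definition of ‘not standard’. The following is an added example written for this page, not code from the article, Goodwin Procter, or any firm it quotes. It screens an emailed wire-transfer request against a vendor master file and returns whether the payment may proceed or must first be confirmed by phone on the number already on file. The vendor, domains, account numbers and message text are constructed test data, and the lookalike-domain rules (a ‘rn’/‘m’ style substitution or at most two character edits from the trusted domain) are this example’s own heuristic thresholds, not anything the article prescribes.

```python
"""Pre-approval screening for emailed wire-transfer requests.

Added example; not from the article or any firm it quotes. It encodes the
checks that should force a human, out-of-band callback before money moves:
lookalike sender domains, a Reply-To that differs from the From address,
beneficiary bank details that differ from the vendor master file, and the
urgency/secrecy language typical of CEO-fraud messages.
All vendors, domains, account numbers and text below are constructed data.
"""
from dataclasses import dataclass


@dataclass
class WireRequest:
    from_addr: str
    reply_to: str
    vendor: str
    beneficiary_account: str
    beneficiary_bank: str
    amount: float
    body: str


# Constructed vendor master file: bank details confirmed out of band earlier.
VENDOR_MASTER = {
    "Acme Supply": {"domain": "acme-supply.com",
                    "account": "DE89370400440532013000",
                    "bank": "COBADEFFXXX"},
}

# Pressure phrases common in business email compromise messages.
URGENCY_TERMS = ("urgent", "confidential", "today", "do not discuss",
                 "before close of business", "wire immediately")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits is the classic lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Domain part of an email address, lower-cased."""
    return addr.rsplit("@", 1)[-1].lower()


def lookalike_domain(domain: str, trusted: str) -> bool:
    """True if `domain` impersonates `trusted`: homoglyph-style substitutions,
    a near-miss spelling (assumed threshold: <= 2 edits), or the trusted
    name embedded in a different registrable domain."""
    if domain == trusted:
        return False

    def norm(d: str) -> str:
        return d.replace("rn", "m").replace("vv", "w").replace("0", "o").replace("1", "l")

    if norm(domain) == norm(trusted) or edit_distance(domain, trusted) <= 2:
        return True
    return trusted.split(".")[0] in domain  # e.g. acme-supply-billing.net


def screen_wire_request(req: WireRequest) -> tuple[str, list[str]]:
    """Return ('AUTO_OK' | 'CALLBACK_REQUIRED', reasons). Any reason means a
    person phones the vendor on the number on file, never one in the email."""
    reasons: list[str] = []
    record = VENDOR_MASTER.get(req.vendor)
    if record is None:
        reasons.append("vendor not in master file")
    else:
        sender = domain_of(req.from_addr)
        if sender != record["domain"]:
            kind = "lookalike" if lookalike_domain(sender, record["domain"]) else "unknown"
            reasons.append(f"{kind} sender domain {sender!r}")
        if (req.beneficiary_account != record["account"]
                or req.beneficiary_bank != record["bank"]):
            reasons.append("beneficiary bank details differ from master file")
    if domain_of(req.reply_to) != domain_of(req.from_addr):
        reasons.append("Reply-To domain differs from From domain")
    hits = [t for t in URGENCY_TERMS if t in req.body.lower()]
    if hits:
        reasons.append("pressure language: " + ", ".join(hits))
    return ("CALLBACK_REQUIRED" if reasons else "AUTO_OK"), reasons


# Constructed sample: 'rn' for 'm' in the sender domain, a different Reply-To,
# new bank details, and urgency wording. Every check should fire.
SAMPLE = WireRequest(
    from_addr="accounts@acrne-supply.com",
    reply_to="accounts@acrne-supply-billing.net",
    vendor="Acme Supply",
    beneficiary_account="GB29NWBK60161331926819",
    beneficiary_bank="NWBKGB2L",
    amount=48500.00,
    body="Urgent: please wire today to our new account, confidential until the audit closes.",
)

if __name__ == "__main__":
    decision, why = screen_wire_request(SAMPLE)
    print(decision)
    for reason in why:
        print(" -", reason)
```

The point of returning reasons rather than a bare verdict is that the approver who makes the callback should know what to verify: a changed account number is checked against the vendor’s own confirmation, a lookalike domain is checked by calling the number on file rather than the one in the signature block. Tune the edit-distance threshold to the length of your vendor domains; two edits is generous for short names and may cause false positives.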
And one of the first things to do once it becomes clear a phishing email has been opened is to confirm there has been no actual system compromise, which is far more serious than being duped into initiating a fraudulent wire transfer, Jones adds.