Morgan breach offers universal data security lessons

Advisers need to keep client data safe from internal hacks, not just those from outside cybercriminals.
AUG 12, 2014
Client data breaches by a now-fired Morgan Stanley broker offer a glaring heads-up to advisory firms that they need cybersecurity measures that root out internal hacks as well as outside criminals. Morgan Stanley uncovered the online posting of information about 900 of its wealthy clients last month during routine monitoring. It moved quickly to identify broker Galen Marsh, 30, as the culprit and have the data taken down, the Wall Street firm said earlier this week. Morgan Stanley said no client was impacted by the actions of Mr. Marsh, whom the firm fired. He allegedly took data regarding 350,000 wealthy clients and was looking online for a buyer of login and password information. Many advisory firms today would be challenged to prevent such an internal theft. A lot of firms lack an information security plan that maintains client data in a secure location and restricts it to those who need to access that information, said Gary Davis, Jr., MarketCounsel's vice president for practice management. Firms need to have such policies as part of their compliance manual, he said. “Make sure that your firm has a data security plan in place to help manage the privacy of client information and mitigate breaches from occurring,” he said. “No matter what size the firm is, they need to have this in place.” The plan should be more than just a boilerplate that a firm downloads or that is provided by its custodian, he said. It needs to be customized for the firm's unique procedures and business practices. (More: 10 ways advisers can improve their cybersecurity) Another step firms can take when an employee with access to client passwords leaves the firm is to notify clients they should change their password so there's no opportunity for that former employee to illegally access that account, Mr. Davis said. Broker-dealers and custodians typically subscribe to cybersecurity services that monitor online postings, but advisory firms typically don't have the resources to do that, he said. As part of an adviser's due diligence, though, Mr. Davis said it's appropriate for an advisory firm to ask these larger firms about their efforts to safeguard client information. (More: "SEC exam sweep reveals adviser cyberefforts") Joel Bruckenstein, a technology expert and consultant to financial firms, said the human factor “is one of the most difficult to guard against.” He recommends that firms have strict controls over who is allowed to see client data. “For someone who had recently been promoted to being an adviser, I don't see how [Mr. Marsh] could have had needed access to 350,000 client names,” he said in reference to the Morgan Stanley breach. “Best practices would dictate that employees can only see what they need to do their jobs.”

Latest News

IRA assets swell to $19.2 trillion as 401(k) rollovers drive growth
IRA assets swell to $19.2 trillion as 401(k) rollovers drive growth

IRAs now hold nearly twice the assets of 401(k) plans — and most of that money didn't arrive through annual contributions.

Women feel confident about saving, but many still keep cash in low-yield accounts
Women feel confident about saving, but many still keep cash in low-yield accounts

A new survey finds that many women prioritize financial security but continue to leave savings in accounts that may not keep pace with inflation.

SEC seeks comment on prediction-market ETFs after May pause
SEC seeks comment on prediction-market ETFs after May pause

Roundhill, Bitwise and GraniteShares funds remain on hold while the agency weighs how novel ETFs should be regulated.

Dump investment banks, buy alternative asset managers, says Oppenheimer
Dump investment banks, buy alternative asset managers, says Oppenheimer

"Shares of alternative assets managers have lagged this year as investors grow wary of private-credit exposure."

TaxStatus rolls out rules-based tool to flag advice gaps
TaxStatus rolls out rules-based tool to flag advice gaps

The fintech platform is touting a new AI-free Planning Observations feature, which draws on IRS tax records to uncover opportunities for advisors.

SPONSORED Who builds the income when the pension disappears?

Dan Biagini of American Equity says the steady decline of pensions, longer lifespans and a reset in interest rates are rewriting how advisors build retirement income

SPONSORED Why direct indexing stopped being optional

Direct indexing is on pace to outgrow ETFs and mutual funds. Northern Trust's Ken Lassner explains why the advisors who get it wish they had started sooner.