Insider Threat Realized: Morgan Stanley to pay $1M in SEC Settlement


Morgan Stanley will pay a $1M settlement to the Securities and Exchange Commission (SEC) for failing to protect its customers’ personally identifiable information (PII) from unauthorized disclosure. From 2011 to 2014, a former Morgan Stanley employee, Galen Marsh, transferred Morgan Stanley client account data to his personal laptop via his personal website. The information was then obtained by hackers who posted it on the Internet for profit. In 2015, Galen Marsh pled guilty to exceeding his authorized access to a computer, a violation of 18 U.S.C. § 1030(a)(2)(A), which covers fraud and related activity in connection with computers.

Morgan Stanley did have policies and procedures for access provisioning that followed the principle of least privilege, which means provisioning only the minimum access a person needs to fulfill his or her job duties. However, Mr. Marsh was able to guess branch IDs and employee group numbers until he obtained access beyond what he was authorized for. To make matters worse, he had been inappropriately obtaining this information for over three years.
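The guessing pattern described above leaves a trail in application access logs: one user touching many branch IDs and group numbers outside his own assignment, with a mix of denied and successful requests. The following is an added detection example written for this post, not code from the article or from Morgan Stanley; the log format, the `ASSIGNED_BRANCH` table, the field names and the thresholds are assumptions, and the log lines are constructed. It counts successful foreign-branch reads as well as denials, because a denial-only alert misses exactly the guesses that worked.

```python
"""Flag users whose access pattern looks like branch/group enumeration.

Added example (not from the original article). Assumes an application
access log with one request per line: timestamp, user, branch ID, group
number and an ALLOW/DENY result. Field names, thresholds and the
assigned-branch table are assumptions for this illustration.
"""
from collections import defaultdict

# Constructed sample log lines; not real client or employee data.
SAMPLE_LOG = """\
2014-03-01T09:00:01 user=advisor01 branch=101 group=12 result=ALLOW
2014-03-01T09:00:05 user=advisor01 branch=101 group=12 result=ALLOW
2014-03-01T09:01:10 user=advisor02 branch=102 group=30 result=ALLOW
2014-03-01T09:02:00 user=advisor02 branch=103 group=31 result=DENY
2014-03-01T09:02:04 user=advisor02 branch=104 group=31 result=DENY
2014-03-01T09:02:09 user=advisor02 branch=105 group=31 result=ALLOW
2014-03-01T09:02:15 user=advisor02 branch=106 group=32 result=DENY
2014-03-01T09:02:20 user=advisor02 branch=107 group=33 result=ALLOW
2014-03-01T09:02:25 user=advisor02 branch=108 group=34 result=ALLOW
"""

# The branch each user is provisioned for, as the access-provisioning
# system of record would hold it (assumed mapping).
ASSIGNED_BRANCH = {"advisor01": "101", "advisor02": "102"}


def parse_line(line):
    """Parse one 'ts key=value key=value ...' log line into a dict."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def find_enumerators(log_text, max_foreign_branches=2, max_denies=2):
    """Return {user: summary} for users who read more distinct branches
    outside their assignment than allowed, or who were denied repeatedly.

    Both successful and denied foreign-branch requests count toward
    'foreign', so a guesser who eventually succeeds is still flagged.
    """
    per_user = defaultdict(lambda: {"foreign": set(), "denies": 0, "groups": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        stats = per_user[rec["user"]]
        stats["groups"].add(rec["group"])
        if rec["branch"] != ASSIGNED_BRANCH.get(rec["user"]):
            stats["foreign"].add(rec["branch"])
        if rec["result"] == "DENY":
            stats["denies"] += 1

    flagged = {}
    for user, s in per_user.items():
        if len(s["foreign"]) > max_foreign_branches or s["denies"] >= max_denies:
            flagged[user] = {
                "foreign_branches": sorted(s["foreign"]),
                "denies": s["denies"],
                "distinct_groups": len(s["groups"]),
            }
    return flagged


if __name__ == "__main__":
    for user, summary in find_enumerators(SAMPLE_LOG).items():
        print(user, summary)
```

In a real deployment the thresholds would be set from a baseline of normal per-user branch counts, and the alert would be reviewed against the provisioning record rather than a hard-coded table; the structure of the check stays the same.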

This incident is another reminder that security measures must be assessed thoroughly for both external and internal parties. Often there is a false sense of comfort that threats from fellow employees are insignificant or less likely than attacks from outsiders. However, companies must sufficiently safeguard both fronts to maintain business operations while deterring potential incidents.

How could this situation have been detected sooner or prevented? Data Loss Prevention (DLP) software could have been useful for this type of insider violation. DLP software includes many features for managing data transfer in accordance with configured policies. For instance, certain information could be denied for transfer if policies were in place to prevent uploading content to a cloud storage service (e.g., Dropbox). A thorough analysis to classify data would be needed before developing policies within a DLP product.
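To make the two-step structure concrete (classify first, then apply a destination policy to the label), here is an added example written for this post. It is not code from the article or from any DLP product: the patterns, labels, destination lists and policy table are assumptions, and the account-number format is constructed.

```python
"""Minimal DLP-style check: classify content, then decide on a transfer.

Added example (not from the original article or any vendor product).
Patterns, labels, destination categories and the policy table are
assumptions for illustration only.
"""
import re

# Classification rules. A document gets the most sensitive label it
# matches. These regexes are simplified stand-ins for the classifiers a
# real rollout would build from the data-classification analysis.
PATTERNS = {
    "CONFIDENTIAL_CLIENT": re.compile(r"\bACCT-\d{8}\b"),   # constructed account-number format
    "PII": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),            # SSN-like pattern
}
SENSITIVITY = {"PUBLIC": 0, "PII": 1, "CONFIDENTIAL_CLIENT": 2}

# Destination categories by hostname (assumed lists).
CLOUD_STORAGE = ("dropbox.com", "drive.google.com")
INTERNAL_SUFFIXES = (".corp.example",)

# Policy: which destination categories each label may be sent to.
POLICY = {
    "PUBLIC": {"internal", "cloud_storage", "external"},
    "PII": {"internal"},
    "CONFIDENTIAL_CLIENT": {"internal"},
}


def classify(text):
    """Return the most sensitive label whose pattern matches the text."""
    label = "PUBLIC"
    for name, pattern in PATTERNS.items():
        if pattern.search(text) and SENSITIVITY[name] > SENSITIVITY[label]:
            label = name
    return label


def destination_category(host):
    """Map a destination hostname to internal / cloud_storage / external."""
    host = host.lower().rstrip(".")
    if host.endswith(INTERNAL_SUFFIXES):
        return "internal"
    if any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE):
        return "cloud_storage"
    return "external"


def evaluate_transfer(text, dest_host):
    """Return (decision, label, category); decision is 'ALLOW' or 'BLOCK'."""
    label = classify(text)
    category = destination_category(dest_host)
    decision = "ALLOW" if category in POLICY[label] else "BLOCK"
    return decision, label, category


if __name__ == "__main__":
    # Constructed sample transfers.
    print(evaluate_transfer("Client ACCT-12345678 balance report", "www.dropbox.com"))
    print(evaluate_transfer("Quarterly newsletter draft", "www.dropbox.com"))
```

The order matters: the policy table is keyed by label, so every gap in classification becomes a gap in enforcement, which is why the classification analysis has to come before the policy work.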

The Aronson LLC Point of View: Insider Threat discusses the significance of implementing a security awareness training program within your organization in order to decrease the probability of an insider threat security violation. Companies should also assess their policy hierarchy structures to confirm alignment with leading practices, or seek an external assessment. Policies and procedures should be reviewed on a periodic basis so they remain reflective of the current environment. These leading practices, in addition to DLP software, comprise an integrated approach to support insider threat prevention and detection.

About Natasha Barnes

Natasha Barnes has written 4 posts on this blog.

Natasha Barnes is an IT risk and compliance professional with a focus on IT audit readiness and remediation. She has led large scale remediation efforts for federal clients responding to IT findings from Financial Statement Audits. On these engagements, Natasha became well known for her diplomatic efforts in facilitating discussions with stakeholders across IT and Financial departments. She established an understanding of complex technical issues with these functional team members and helped them to collaboratively execute remediation plans. She has also been involved with establishing and facilitating continuous monitoring programs, which contributed to the closure and severity reduction of several IT findings. In addition, Natasha has experience with security risk analysis, disaster planning, and project management. She holds Certified Associate in Project Management (CAPM) and Certified Information Systems Auditor (CISA) credentials. Natasha has led teams in executing Office of Management and Budget (OMB) A-123 compliance assessments and she has contributed to a Statement on Standards for Attestation Engagements (SSAE-16) engagement. She also led a third party system audit readiness assessment based on National Institute of Standards and Technology (NIST) 800-53 in anticipation of upcoming audit scrutiny. Natasha has developed and instructed trainings for her clients and colleagues on subjects related to Financial Statement Audit IT protocol, Federal Information Security Management Act (FISMA), Federal Information System Controls Audit Manual (FISCAM), NIST, and OMB A-123.
