Data security has long been a critical issue. Protecting confidential customer information is key for broker-dealers, investment advisers and other Wall Street participants. Cyber security is a related issue of at least equal importance. The Commission’s latest action involving Morgan Stanley combines elements of both. In the Matter of Morgan Stanley Smith Barney LLC, Adm. Proc. File No. 3-17280 (June 8, 2016).

Respondent Morgan Stanley Smith Barney is a registered broker-dealer and investment adviser. The firm is a wholly owned indirect subsidiary of Morgan Stanley. The action centers on the Safeguards Rule, adopted in 2000, as amended five years later. That Rule requires a broker-dealer and investment adviser registered with the SEC to adopt written policies and procedures reasonably designed to insure the security and confidentiality of customer information and records, protect against anticipated threats or hazards to those records and protect against unauthorized access or use. Here the Order alleges that Morgan Stanley Smith Barney failed to comply with the rule.

Morgan Stanley Smith Barney maintains hundreds of computer applications containing customer information protected by the rule in connection with its wealth management business. Two portals available through those applications are concerned here. One portal, available on the firm’s intranet, was used by financial advisors who were typically the primary customer contact. Through this portal reports on the fixed income holdings in customer accounts could be obtained. A second portal could furnish a report containing essential personal data regarding the customer along with account balances.

Firm policies and procedures restricted access to both portals. The Code of Conduct prohibited employees from accessing confidential information beyond their specific authorization and what was required to perform their duties. Other restrictions were designed to limit access so that the reports were only available to those who supported the customer.

Morgan Stanley Smith Barney, however, failed to ensure that the limitations were effective. Specifically, the limitations on securing the reports referenced above were either ineffective or absent. The firm also failed to conduct any auditing or testing of the procedures over the last ten years. As a result, employee Galen Marsh misappropriated data regarding about 730,000 customer accounts associated with approximately 330,000 different households by accessing the portals between 2011 and 2014. He transferred the data to a personal server located at his home.

Between December 15, 2014 and February 3, 2015, portions of the data stored on Mr. Marsh’s personal server were posted to at least three internet sites, purportedly for sale to a third party. Morgan Stanley Smith Barney discovered the data in one of its routine internet sweeps.

Mr. Marsh denied posting the data, although he acknowledged accessing the firm system and taking it. A forensic analysis of Mr. Marsh’s personal server demonstrated that a third party likely hacked into it and copied the customer data. Morgan Stanley Smith Barney began notifying customers of the breach in January 2015. The Order alleges violations of Rule 30(a) of Regulation S-P.

To resolve the proceeding the firm consented to the entry of a cease and desist order based on the Rule cited in the Order and to a censure. Morgan Stanley Smith Barney will also pay a penalty of $1 million.


The DOJ declined prosecution in two self-reported potential FCPA actions while the SEC entered into non-prosecution agreements with each issuer. One matter involved Akamai Technologies, Inc. while the other centered on Nortek, Inc.

Akamai Technologies, Inc. provides cloud services for delivering, optimizing and securing online content and business applications. Its shares are listed on NASDAQ Global Select Market. Akamai (Beijing) Technologies, Co. Ltd. is a wholly-owned subsidiary of Akamai in Beijing.

Under China’s regulatory system Akamai-China is required to contract with a third party channel partner to deliver services to end customers. From at least 2013 through 2015 the Regional Sales Manager of the subsidiary schemed with the firm’s channel partner to bribe employees of three firms, two of which were state owned enterprises. To effectuate the scheme the channel partner paid money to the Regional Sales Manager who in turn used portions of the funds to provide expensive gifts to the employees of the firms. Overall about $155,500 was paid to employees of end customers, including about $38,500 in cash to government officials. During the same period gifts worth about $32,000 were given to officials in violation of firm policies. As evidenced by the payments to officials, the firm’s compliance procedures were inadequate.

Akamai self-reported the matter in late December 2014. The misconduct was discovered through a complaint from an employee of the subsidiary. The firm took immediate action to halt the conduct. The sales manager was put on administrative leave and later resigned. The firm also terminated its relationship with the channel partner and undertook a comprehensive review of its compliance programs, implementing remedial measures. Akamai also cooperated with the SEC’s investigation and, in connection with the non-prosecution agreement, paid disgorgement of $662,452 along with prejudgment interest. DOJ declined prosecution, consistent with its Pilot Program.

Nortek, Inc. manufactures and sells a variety of products for residential and commercial construction and remodeling. Its shares are listed on NASDAQ Global Select Market. Linear Electronics (Shenzhen) Co. was its indirect, wholly owned subsidiary which manufactured products for Nortek from 2009 through 2014.

During the period Nortek owned the subsidiary it systematically made improper gifts to local Chinese officials. Those included cash, gift cards, meals, travel, accommodations and entertainment. In some instances the accounting department entered the illicit payments as entries in various accounts and supported them with false information and documentation. The subsidiary had inadequate internal controls.

After learning of the bribes, Nortek took immediate action to end the practice. Those involved were terminated. Significant remedial steps were taken. The firm also cooperated with the SEC’s investigation. In connection with the non-prosecution agreement the firm agreed to pay disgorgement of $291,403 along with prejudgment interest that was paid to secure preferential treatment. The DOJ declined prosecution consistent with its Pilot Program.
