Last week I had a post about the SEC’s recent cybersecurity enforcement action against Morgan Stanley, examining the internal control failures that allowed a now-former employee to swipe the personal data of 730,000 customers.
Well, if you’d like to consider that enforcement action from another angle, go read John Reed Stark’s excellent piece on what Morgan Stanley did right.
Stark (whom I know and respect immensely as a voice of wisdom on cybersecurity compliance) looks at the Morgan Stanley settlement through more of a breach disclosure lens. That is, he examines everything the bank did after it discovered the stolen data, and the bank did just about everything right.
I won’t steal Stark’s thunder; if you want to see all the important lessons in the case, read his column. As a tease, however, let me post a few nuggets:
- Morgan Stanley discovered the stolen data—which the employee had moved onto a personal server, from which other hackers then stole it and posted it online—relatively quickly.
- Morgan Stanley disclosed the breach quickly, and identified the types of stolen data precisely, so regulators and customers would know how much risk they faced.
- The bank fired the employee promptly.
Those actions all drive toward the goals of transparency, accuracy, and accountability, which are the pillars of an effective compliance program. That’s what compliance officers want to demonstrate, and that’s what Morgan Stanley demonstrated here.
I still stand by my column from last week, which reviewed all the internal control failures that allowed the Morgan Stanley breach to happen in the first place—and some of the SEC’s findings on that front do make me wince. (Not auditing the access controls to customer databases for 10 years? Really, Morgan Stanley?) Stark’s column and mine simply look at the same failure from different end points, which is what I love about GRC generally: the subject is so vast and complicated, one problem can be analyzed in multiple ways and generate quite different lessons to learn.
So if you want a comprehensive post-mortem on Morgan Stanley’s case—which, as Stark said, is the most significant SEC enforcement action on cybersecurity we’ve seen yet—read his article as soon as you can.