Morgan Stanley blocks remote network access for China interns

Morgan Stanley has blocked its interns in China from logging on remotely to the bank’s virtual network as foreign companies become increasingly concerned about Beijing’s tough cyber security rules.

China’s cyber security legal regime covers everything from how data are stored to the kind of hardware used and what can be posted online, with stiff penalties meted out to offenders.

The Wall Street bank was basing its interns in China in its offices in the country, where 80 per cent of its staff had returned to work, instead of giving them remote access to work from home, two people familiar with the situation told the Financial Times.

The interns were originally set to do virtual programmes like those at Morgan Stanley’s global peers, they said.

The decision was linked to concerns about China’s cyber security regime, one of the people said, speaking anonymously at a time when multinationals are wary of inflaming already tense relations between China and the west. The potential vulnerability of the bank’s technology system in China was also a worry, the other person added.

Carly Ramsey, a Shanghai-based regulatory specialist at Control Risks, said the Chinese government was constantly issuing new regulations providing additional detail for its 2017 cyber security law, including a June 1 regulation detailing how critical information infrastructure was subject to national security reviews. Banks were also subject to new industry-specific rules that came into force this year on sharing customer data across borders.

“There are generally really strong cyber security rules, with potentially severe penalties, and banks are clear targets for enforcement,” she said, adding that companies might not want to train interns on the complex rules and then give them remote access in an unsupervised environment. 

Companies were responsible for anything their system’s users did or posted that breached the rules. Interns who companies did not know well, and who were operating without supervision in a work-from-home environment, posed particular risks, one lawyer said.

Morgan Stanley’s decision to deny remote access to its China-based interns makes it an outlier among its US peers.

People familiar with the situation said Goldman Sachs was offering remote access in China via the same authentication solution it used globally, which did not rely on virtual network access. Other large US banks including Citigroup and JPMorgan Chase were also offering remote access and virtual internships in China.

Threats to cyber security have been a key factor in deteriorating relations between Washington and Beijing.

The pandemic has disrupted banks’ traditionally immersive internship programmes of eight to 10 weeks. Banks have been forced to move the majority of their global workforces out of their offices, including interns.

“We have been able to provide an in-person experience for our summer interns in China this year with the Covid-19 situation stabilising,” said a Morgan Stanley spokesman. He declined to comment on the role cyber security rules played in the decision or whether the bank had concerns about the security of its technology system.

One of the people familiar with Morgan Stanley’s situation told the FT that, given the complexity of China’s cyber-regime, it did not make sense to bring interns on to the virtual network for only a couple of months.

According to another person, Morgan Stanley had become more focused on the vulnerability of its technology systems to bad actors in China and had decided against giving this year’s interns remote access several weeks before their June 29 start date.

Another large US bank said its systems in China were exposed to frequent cyber attacks that were of “infinitely greater” magnitude than many other countries. 

Goldman Sachs, Bank of America, JPMorgan and Citigroup all declined to comment on their approaches.