Morgan Stanley has agreed to pay a $1 million penalty to settle charges related to its failure to protect customer data, the U.S. Securities and Exchange Commission said in a statement released Wednesday. The SEC action stems from incidents between 2011 and 2014, when Galen Marsh — then a Morgan Stanley broker — took data from roughly 730,000 accounts, some of which were hacked and put for sale online.
“The federal securities laws require registered broker-dealers and investment advisers to adopt written policies and procedures reasonably designed to protect customer records and information,” the SEC said in the statement. “Morgan Stanley’s policies and procedures were not reasonable, however, for two internal web applications or ‘portals’ that allowed its employees to access customers’ confidential account information. For these portals, Morgan Stanley did not have effective authorization modules for more than 10 years to restrict employees’ access to customer data based on each employee’s legitimate business need.”
Morgan Stanley agreed to settle the charges without admitting or denying the SEC’s findings.
“[The bank] is pleased to settle this matter, which results from the theft by a former employee of certain limited client data that was reported in January, 2015. Following the discovery of the incident, Morgan Stanley promptly alerted law enforcement and regulators, and notified affected clients,” Morgan Stanley reportedly said in a statement. “No fraud against any client account was reported as a result of this incident.”
On Wednesday, the SEC also barred Marsh — who pleaded guilty in December and was sentenced to three years’ probation and ordered to pay $600,000 in restitution — from working in the securities industry for at least five years.
“Given the dangers and impact of cyber breaches, data security is a critically important aspect of investor protection. We expect SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information,” Andrew Ceresney, director of the SEC Enforcement Division, said in the statement.