Morgan Stanley has agreed to pay $1 million in fines for internal security shortfalls that led to stolen customer data and criminal charges for one of its former wealth management employees, the SEC said.
The wirehouse agreed to pay a penalty and settle charges related to its failure to protect customer information, an oversight that remained unaddressed for more than 10 years, according to the regulator. The security flaw was used by a financial adviser to download information related to roughly 730,000 customer accounts from company servers between 2011 and 2014.
Securities laws require registered broker-dealers and investment advisers to adopt written policies protecting customer information from security concerns, both internally and externally. The SEC said Morgan Stanley did not have “effective authorization modules” for two internal web portals.
The company failed to restrict employees’ access to customer data and it did not have a system in place for testing, monitoring or analyzing employees’ access and use of the portals, according to the regulator. The oversights allowed then-employee Galen Marsh, working in the company’s private wealth management division, to download and transfer confidential material from company computers to his own personal server.
“We expect SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information,” says Andrew Ceresney, director of the SEC’s Division of Enforcement. “Data security is a critically important aspect of investor protection.”
Marsh’s server was subsequently breached, likely by a third-party hacker, resulting in confidential customer data being posted online, according to the SEC.
In addition to the fine, Morgan Stanley has had to change affected account numbers and offer credit monitoring and identity theft protection services. “Morgan Stanley is pleased to settle this matter,” spokesman James Wiggins said. “Following the discovery of the incident, Morgan Stanley promptly alerted law enforcement and regulators, and notified affected clients.”
“No fraud against any client account was reported as a result of this incident,” he added.
Morgan Stanley agreed to settle the charges without admitting or denying the findings. Marsh was criminally convicted in 2015 for his actions, receiving three years of probation and a $600,000 restitution order. He also agreed to a five-year industry and penny stock bar, with the right to apply for reentry after the bar is lifted.