The U.S. Securities and Exchange Commission has fined Morgan Stanley $1 million for failing to properly safeguard client information, enabling a then-employee to transfer data to his home computer, which was ultimately hacked by third parties.
Between 2011 and 2014, former client services associate Galen Marsh compromised data from about 730,000 accounts by accessing two of Morgan Stanley’s internal web applications or “portals.” A hack of Marsh’s personal computer resulted in portions of the data being posted on the internet with offers to sell larger quantities.
According to an SEC administrative order, Marsh’s breach was facilitated by Morgan Stanley because the bank failed to adopt written policies and procedures reasonably designed to protect customer data as required under the SEC’s Safeguards Rule.
Among other things, the SEC said, Morgan Stanley did not have effective authorization modules for the portals that restricted access to customer data based on each employee’s legitimate business need and did not monitor employees’ access to and use of the portals.
“Given the dangers and impact of cyber breaches, data security is a critically important aspect of investor protection,” Andrew Ceresney, director of the SEC Enforcement Division, said in a news release. “We expect SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information.”
Morgan Stanley settled the charges without admitting or denying liability. Marsh, who accepted a five-year securities industry ban from the SEC, was sentenced last year in a related criminal case to 36 months of probation and ordered to pay $600,000 in restitution.
The Safeguards Rule requires broker-dealers to ensure the security of customer records, protect against any anticipated threats or hazards to data security, and prevent unauthorized access to data. According to the SEC, Marsh compromised clients’ names, addresses, phone numbers, and account holdings and balances after initially finding a programming flaw in the authorization module for one of the portals in June 2011.
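The two control gaps the SEC order describes, an authorization module that does not tie access to each employee's business need and no monitoring of how the portals are used, are easier to reason about with a concrete model. The following Python is an added illustration written for this article; it is not code from Morgan Stanley's portals or from the SEC order, and the employee IDs, account numbers, record values and the `Portal` and `review_access_log` names are constructed for the example. It shows a portal that decides server-side, from an assignment list, whether an employee may read a customer record, writes every attempt (allowed or denied) to an audit trail, and a review routine over that trail that flags denied attempts and employees touching more accounts than their book would justify.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set

# Constructed sample data (hypothetical): the accounts each employee legitimately services.
ASSIGNED_ACCOUNTS: Dict[str, Set[str]] = {
    "emp-001": {"ACC-1001", "ACC-1002"},
    "emp-002": {"ACC-2001"},
}

# Constructed sample customer records (hypothetical values).
CUSTOMER_RECORDS: Dict[str, Dict[str, object]] = {
    "ACC-1001": {"name": "A. Client", "phone": "555-0100", "balance": 12500.00},
    "ACC-1002": {"name": "B. Client", "phone": "555-0101", "balance": 8300.00},
    "ACC-2001": {"name": "C. Client", "phone": "555-0102", "balance": 40100.00},
}


@dataclass
class AccessEvent:
    """One row of the portal's audit trail."""
    ts: datetime
    employee: str
    account: str
    allowed: bool


class Portal:
    """Customer-data portal (hypothetical) whose authorization decision is made
    server-side from the employee's assignment list, never from client input."""

    def __init__(self, assignments: Dict[str, Set[str]], records: Dict[str, Dict[str, object]]):
        self.assignments = assignments
        self.records = records
        self.audit_log: List[AccessEvent] = []

    def get_customer(self, employee: str, account: str) -> Dict[str, object]:
        # Business-need check: the employee must be assigned to this account.
        allowed = account in self.assignments.get(employee, set())
        # Every attempt is recorded, denied or not, so misuse is visible in review.
        self.audit_log.append(AccessEvent(datetime.now(timezone.utc), employee, account, allowed))
        if not allowed:
            raise PermissionError(f"{employee} is not assigned to {account}")
        return dict(self.records[account])


def review_access_log(log: List[AccessEvent], max_distinct_accounts: int) -> Dict[str, List[str]]:
    """Monitoring pass over the audit trail. Returns findings per employee:
    any denied attempt, or more distinct accounts read than the threshold."""
    findings: Dict[str, List[str]] = {}
    denied: Dict[str, int] = {}
    touched: Dict[str, Set[str]] = {}
    for ev in log:
        if not ev.allowed:
            denied[ev.employee] = denied.get(ev.employee, 0) + 1
        else:
            touched.setdefault(ev.employee, set()).add(ev.account)
    for emp, n in denied.items():
        findings.setdefault(emp, []).append(f"{n} denied access attempt(s)")
    for emp, accts in touched.items():
        if len(accts) > max_distinct_accounts:
            findings.setdefault(emp, []).append(f"accessed {len(accts)} distinct accounts")
    return findings


def run_demo() -> Dict[str, List[str]]:
    """Exercise the portal with one in-scope read and one out-of-scope attempt,
    then run the review with a deliberately low threshold."""
    portal = Portal(ASSIGNED_ACCOUNTS, CUSTOMER_RECORDS)
    portal.get_customer("emp-001", "ACC-1001")          # allowed: in emp-001's book
    try:
        portal.get_customer("emp-002", "ACC-1001")      # denied: not in emp-002's book
    except PermissionError:
        pass
    return review_access_log(portal.audit_log, max_distinct_accounts=1)


if __name__ == "__main__":
    for emp, notes in run_demo().items():
        print(emp, notes)
```

The point of the model is that both controls live on the server: the portal consults its own assignment data rather than trusting a parameter the browser supplies, and the audit log captures denied requests as well as successful ones, which is what makes the review routine useful. The `max_distinct_accounts` threshold is a stand-in for whatever baseline an institution derives from its employees' actual books of business.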
“Marsh continued his unauthorized accessing of confidential customer data until shortly before [Morgan Stanley] discovered his misconduct in late December 2014,” the SEC said.