Morgan Stanley agreed to pay a $1 million fine to settle a proceeding launched by the Securities and Exchange Commission (SEC), which alleged that the financial services giant failed to set up adequate precautions to protect customer data.
The charges relate to a former broker at the firm, Galen Marsh, who pleaded guilty in September to transferring data from approximately 730,000 customer accounts to his private server.
Marsh was only authorized to access clients in his group. The SEC stated that Morgan Stanley did not establish effective authorization procedures “for more than 10 years to restrict employees' access to customer data based on each employee's legitimate business need.”
Marsh's personal server was “likely” hacked by a third party, according to the regulator. Some of the client data was posted on the Internet “with offers to sell larger quantities,” the SEC stated.
An industry professional expressed dismay at the lack of serious consequences against Morgan Stanley following its apparent lack of security preparedness. The fee “is something many investment firms and FIs would be willing to pay to avoid the resources necessary to adequately protect their sensitive data,” wrote Identity Finder president Todd Feinman, in an email to SCMagazine.com. “For financial institutions and organizations of all creeds to take protecting customer data seriously, the consequences need to resemble the actions.”
In September, the former Morgan Stanley broker was sentenced to three years' probation and required to pay restitution of $600,000 for obtaining confidential client information. On Wednesday, the SEC banned Marsh from working in the securities industry for at least five years. Morgan Stanley did not admit or deny the SEC's charges.