SEC fines Morgan Stanley $1 million for data-protection failures

SEC fines Morgan Stanley $1 million for data-protection failures
The fine relates to an ex-broker, Galen Marsh, who took data from hundreds of thousands of the wirehouse's clients, some of which ultimately ended up online.
JUN 07, 2016
The Securities and Exchange Commission slapped Morgan Stanley with a $1 million penalty to settle charges related to failures to protect customer data, the agency announced Wednesday. A former broker working in Morgan Stanley's wealth management group, Galen Marsh, was fired early last year for the theft of client data, which affected hundreds of thousands of the firm's clients. Now, the SEC is saying Morgan Stanley failed to adopt written policies and procedures reasonably designed to protect customer data, and violated what's known as the “Safeguards Rule.” “As a result of these failures, from 2011 to 2014, a then-employee impermissibly accessed and transferred the data regarding approximately 730,000 accounts to his personal server, which was ultimately hacked by third parties,” the SEC said in a news release. “Given the dangers and impact of cyberbreaches, data security is a critically important aspect of investor protection. We expect SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information,” Andrew Ceresney, director of the SEC's enforcement division, said in the release. Morgan Stanley settled without admitting or denying the allegations. In a statement, Morgan Stanley said after it discovered the data breach it had promptly alerted law enforcement and regulators, and notified affected clients. "Morgan Stanley worked quickly to protect affected clients by changing account numbers and offering credit monitoring and identity theft protection services, and has strengthened its mechanisms for safeguarding client data," the statement said. "No fraud against any client account was reported as a result of this incident.” The SEC took issue with two of Morgan Stanley's internal web applications, or portals, that allowed its employees to access clients' confidential account information. Morgan Stanley didn't audit or test modules authorizing access to such portals, and didn't monitor or analyze employees' access to and use of them, according to the SEC. That allowed Mr. Marsh to download and transfer confidential data to his personal server at home over a period of three years. Some of that data was ultimately stolen from him and posted on the internet. Mr. Marsh received a criminal conviction of three years' probation and a $600,000 restitution order for his actions. In August of last year, the Federal Trade Commission said it wouldn't take action against Morgan Stanley for the data breach because it determined the breach was due to a glitch in data security controls and not a failure on the firm's part to secure account information in a reasonable and appropriate manner.

Latest News

Which wealth management teams are the best?
Which wealth management teams are the best?

Entries for InvestmentNews' 5-Star Wealth Management Teams close next week

Emigrant Partners takes minority stake in Novare Capital Management
Emigrant Partners takes minority stake in Novare Capital Management

The strategic PE investor is bolstering its presence in North Carolina through a partnership with the $1.8 billion RIA.

SEC bars faith-based advisor who sold phony promissory notes
SEC bars faith-based advisor who sold phony promissory notes

The advisor “failed to disclose multiple conflicts of interest and misappropriated client assets," the SEC said.

Commodities are booming but too risky for most clients, advisors say
Commodities are booming but too risky for most clients, advisors say

Commodity investments were among the biggest winners in 2024, but advisors remain wary of owning them in client portfolios.

Wamco revamps fixed income strategies as it fights to keep investing staff
Wamco revamps fixed income strategies as it fights to keep investing staff

The CEO says the besieged bond giant is "fine-tuning" its strategies and would soon start integrating back- and mid-office functions with its parent Franklin.

SPONSORED Three key trends that will drive advisors’ planning in 2025

AssetMark Group CEO explains why the great wealth transfer, succession planning, and personalization will be key for advisors in the new year.

SPONSORED Why RIAs might consider investing more in trust services

A trust delivery model not only increases the value of an advisor and a firm but is also a natural addition to any firm’s succession plan.