SEC fines Morgan Stanley $1 million for data-protection failures

SEC fines Morgan Stanley $1 million for data-protection failures
The fine relates to an ex-broker, Galen Marsh, who took data from hundreds of thousands of the wirehouse's clients, some of which ultimately ended up online.
JUN 07, 2016
The Securities and Exchange Commission slapped Morgan Stanley with a $1 million penalty to settle charges related to failures to protect customer data, the agency announced Wednesday. A former broker working in Morgan Stanley's wealth management group, Galen Marsh, was fired early last year for the theft of client data, which affected hundreds of thousands of the firm's clients. Now, the SEC is saying Morgan Stanley failed to adopt written policies and procedures reasonably designed to protect customer data, and violated what's known as the “Safeguards Rule.” “As a result of these failures, from 2011 to 2014, a then-employee impermissibly accessed and transferred the data regarding approximately 730,000 accounts to his personal server, which was ultimately hacked by third parties,” the SEC said in a news release. “Given the dangers and impact of cyberbreaches, data security is a critically important aspect of investor protection. We expect SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information,” Andrew Ceresney, director of the SEC's enforcement division, said in the release. Morgan Stanley settled without admitting or denying the allegations. In a statement, Morgan Stanley said after it discovered the data breach it had promptly alerted law enforcement and regulators, and notified affected clients. "Morgan Stanley worked quickly to protect affected clients by changing account numbers and offering credit monitoring and identity theft protection services, and has strengthened its mechanisms for safeguarding client data," the statement said. "No fraud against any client account was reported as a result of this incident.” The SEC took issue with two of Morgan Stanley's internal web applications, or portals, that allowed its employees to access clients' confidential account information. Morgan Stanley didn't audit or test modules authorizing access to such portals, and didn't monitor or analyze employees' access to and use of them, according to the SEC. That allowed Mr. Marsh to download and transfer confidential data to his personal server at home over a period of three years. Some of that data was ultimately stolen from him and posted on the internet. Mr. Marsh received a criminal conviction of three years' probation and a $600,000 restitution order for his actions. In August of last year, the Federal Trade Commission said it wouldn't take action against Morgan Stanley for the data breach because it determined the breach was due to a glitch in data security controls and not a failure on the firm's part to secure account information in a reasonable and appropriate manner.

Latest News

RIAs need to visit universities to attract students
RIAs need to visit universities to attract students

RIAs need to find universities that offer financial planning programs and sponsor or host events, advisor suggests.

Orion deepens Capital Group alliance with ETF portfolio tie-up
Orion deepens Capital Group alliance with ETF portfolio tie-up

The leading wealth tech provider is helping more advisors access active ETF models through its exclusive partnership.

JPMorgan client who lost $50M amid dementia battle denied trial
JPMorgan client who lost $50M amid dementia battle denied trial

Case of once-wealthy family highlights risks, raises questions on firms' duties to sophisticated investors suffering cognitive decline.

Stifel loses huge $14.2 million arbitration claim linked to star Miami broker
Stifel loses huge $14.2 million arbitration claim linked to star Miami broker

“The evidence in this case was overwhelming,” says an attorney.

$9B Gateway Investment Advisers names Julie Schmuelling president
$9B Gateway Investment Advisers names Julie Schmuelling president

The move marks the culmination of a decade-long journey for the new leader at the Ohio-based RIA and Natixis affiliate firm.

SPONSORED Leading through innovation – with Tom Ruggie of Destiny Wealth Partners

Uncover the key initiatives behind Destiny Wealth Partners’ success and how it became one of the fastest growing fee-only RIAs.

SPONSORED Client engagement strategies, growth and retention in the down markets

Key insights from Gabriel Garcia on adapting to demographic shifts and enhancing client experience in a changing market