Morgan Stanley Smith Barney will pay $1 million to settle charges that it failed to protect the data security of brokerage and investment advisory service customers, the SEC announced Wednesday.
According to the Securities and Exchange Commission order, Morgan Stanley's failure to adopt written policies and procedures to protect customer data, specifically through two web portals giving employees access to customer data, allowed a now-former employee, from 2011 to 2014, to transfer data on about 730,000 accounts to his personal server, which was ultimately hacked by third parties. The failure violated the “Safeguards Rule.” Morgan Stanley agreed to settle the charges without admitting or denying the findings.
“Given the dangers and impact of cyberbreaches, data security is a critically important aspect of investor protection. We expect SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information,” said Andrew Ceresney, SEC enforcement director, in a statement.
Morgan Stanley said in a statement it reported the breach in January 2015 to law enforcement, regulators and affected clients, none of whom reported fraud as a result of the incident. The company changed account numbers and offered credit monitoring and identity theft protection services to affected clients, and the firm has strengthened its mechanisms for safeguarding client data, it said.
The former employee, Galen J. Marsh, was criminally convicted for his actions in 2015. He received 36 months of probation and a $600,000 restitution order.