SEC fines Morgan Stanley for failing to safeguard customer data

June 10, 2016 |

Financial regulators are beginning to take great interest in data security.  In Australia the Australian Securities and Investment Commission issued Report 429 titled Cyber resilience: Health check in March 2015.  In this 67 report it stated, in part:

  • To promote cyber resilience, we intend to:
    (a) monitor market developments;
    (b)continue to engage with other Government departments to identify cyber risks and build cyber resilience;
    (c) improve awareness of the importance of cyber resilience and increase the profile of the issues; and
    (d) incorporate cyber resilience in our surveillance programs, where appropriate, across our regulated population.
  • Given the increased threat of cyber attacks, we expect our regulated population, particular licensees,
    to address cyber risks as part of its legal and compliance obligations —including risk management and disclosure requirements. Your approach to cyber resilience should be proportionate to the risks you face, and the nature, scale and complexity of your business. Cyber resilience is an area of ongoing focus for ASIC. It will be considered in our surveillance programs, where appropriate, across our regulated population in the future.
  • We expect our regulated population, particularly licensees, to address cyber risks as part of their legal and compliance obligations—including risk management and disclosure requirements.
  • The Corporate Governance Principles recommend that you should have a committee or committees to oversee risk to review and make recommendations to you about the:
    (a) adequacy of the entity’s processes for managing risk;
    (b) any incident involving fraud or other break down of the entity’s internal controls; and
    (c) the entity’s insurance program, given the entity’s business and the insurable risks associated with its business.You are also expected to review the entity’s risk management framework at least annually to satisfy yourself that it is sound. You must also disclose information about the extent to which you meet theCorporate Governance Principles in your annual report or on your website.


There has been no reported action by ASIC in regard to the issues arising out of this report however it is not uncommon to wait a period before taking action.  ASIC, for all its criticisms, is a frenetic regulator when compared to the Privacy Commissioner.

In the United States the Securities Exchange Commission has fined Morgan Stanley a $1 million penalty for failing protect customer information.  Morgan Stanley was hacked in and personal information was stolen and offered for sale.  The SEC set out the details in a comprehensive media release which provides:

The Securities and Exchange Commission today announced that Morgan Stanley Smith Barney LLC has agreed to pay a $1 million penalty to settle charges related to its failures to protect customer information, some of which was hacked and offered for sale online.
The SEC issued an order finding that Morgan Stanley failed to adopt written policies and procedures reasonably designed to protect customer data.  As a result of these failures, from 2011 to 2014, a then-employee impermissibly accessed and transferred the data regarding approximately 730,000 accounts to his personal server, which was ultimately hacked by third parties.
“Given the dangers and impact of cyber breaches, data security is a critically important aspect of investor protection.  We expect SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information,” said Andrew Ceresney, Director of the SEC Enforcement Division.
According to the SEC’s order instituting a settled administrative proceeding:
  • The federal securities laws require registered broker-dealers and investment advisers to adopt written policies and procedures reasonably designed to protect customer records and information.
  • Morgan Stanley’s policies and procedures were not reasonable, however, for two internal web applications or “portals” that allowed its employees to access customers’ confidential account information.
  • For these portals, Morgan Stanley did not have effective authorization modules for more than 10 years to restrict employees’ access to customer data based on each employee’s legitimate business need.
  • Morgan Stanley also did not audit or test the relevant authorization modules, nor did it monitor or analyze employees’ access to and use of the portals.
  • Consequently, then-employee Galen J. Marsh downloaded and transferred confidential data to his personal server at home between 2011 and 2014.
  • A likely third-party hack of Marsh’s personal server resulted in portions of the confidential data being posted on the Internet with offers to sell larger quantities.
The SEC’s order finds that Morgan Stanley violated Rule 30(a) of Regulation S-P, also known as the “Safeguards Rule.”  Morgan Stanley agreed to settle the charges without admitting or denying the findings.  In a separate order, Marsh agreed to an industry and penny stock bar with the right to apply for reentry after five years.  He was criminally convicted for his actions last year and received 36 months of probation and a $600,000 restitution order.

The penalty is heavy though not as damaging as the reputational damage it suffered first with the breach and then the attention of the regulator and then the further negative publicity with the announcement of the penalty, such as the article SEC Says Morgan Stanley Complicit in Giant Hack Attack and Morgan Stanley (MS) Slapped With $1 Million Fine Over Client Data Breach.

Morgan Stanley put out a statement saying:

“Morgan Stanley is pleased to settle this matter, which results from the theft by a former employee of certain limited client data that was reported in January, 2015. Following the discovery of the incident, Morgan Stanley promptly alerted law enforcement and regulators, and notified affected clients. Morgan Stanley worked quickly to protect affected clients by changing account numbers and offering credit monitoring and identity theft protection services, and has strengthened its mechanisms for safeguarding client data. No fraud against any client account was reported as a result of this incident.”

To paraphrase Mandy Rice Davies put it “They would say that, wouldn’t they.”

It was entirely avoidable with proper data protection systems.

One Response to “SEC fines Morgan Stanley for failing to safeguard customer data”

  1. SEC fines Morgan Stanley for failing to safeguard customer data | Australian Law Blogs

    […] SEC fines Morgan Stanley for failing to safeguard customer data […]

Leave a Reply

Verified by MonsterInsights