Stolen Client Data Costs Morgan Stanley $1 Million; Broker Got Probation
(Updates to include comment from Marsh’s attorney in eighth and ninth paragraphs.)
The Securities and Exchange Commission sent a message about safeguarding customer data to retail brokerage firms on Wednesday, fining Morgan Stanley $1 million for cybersecurity lapses that allowed a former broker to steal data on 730,000 wealth management accounts.
The regulator slammed the world’s biggest retail brokerage firm for failing to adopt written policies and procedures for two of its many internal web applications, or portals. The lapses did not effectively restrict employees from accessing customer data through authorization modules for more than 10 years, the regulator said in announcing its settlement with Morgan Stanley.
The gaps allowed former broker Galen Marsh to view data on all of the firm’s wealth management clients and transfer much of it to his personal computer. Marsh reportedly hoped to use the data that was misappropriated between 2011 and 2014 to build a book at his next job.
He was sentenced to three years of probation in December 2015 and ordered to pay $600,000 in restitution. Morgan Stanley fired Marsh, who had worked at the firm since early 2008, in January 2015. The SEC also has banned Marsh from working in the securities industry for five years.
The theft was discovered when Marsh’s home computer server was likely hacked by a third party that posted some of the customer data on the Internet with offers to sell larger quantities of the information, the SEC said.
“Morgan Stanley is pleased to settle this matter,” the company said in a prepared statement, which noted its voluntary reporting of the theft to law enforcement authorities and regulators in January, 2015. “Morgan Stanley worked quickly to protect affected clients by changing account numbers and offering credit monitoring and identity theft protection services, and has strengthened its mechanisms for safeguarding client data.”
The company said no fraud has been reported against any client account as a result of the incident.
Marsh’s attorney Robert Gottlieb of Gottlieb & Gordon in New York said that they were “very grateful” the case was resolved and that the SEC’s bar was “only five years.”
Marsh, who is currently working for a “small company,” hopes to return to the financial industry later in his career, Gottlieb said.
The SEC used the incident to hammer home its intent to monitor compliance with its Regulation S-P, or “safeguards rule,” in an era of rampant computer crime. In addition to its failure to have “reasonable” policies and procedures for protecting client data on all its systems, Morgan Stanley did not audit or test relevant authorization modules nor monitor or analyze employees’ access to and use of the portals, it said.
The regulator’s sanction clashes with a Federal Trade Commission finding last year that the data leak resulted from “a narrow set of reports [that] were improperly configured” and that found Morgan Stanley’s client data controls to be “reasonable and appropriate.”