Mumbai : Morgan Stanley has agreed to pay a $1 million fine to settle U.S. Securities and Exchange Commission civil charges that security lapses at the Wall Street bank enabled a former financial adviser to tap into its computers and take client data home, the regulator said on Wednesday. The SEC said the bank did not adequately limit staff access to confidential customer account data, and that some of the data taken by the former employee eventually was posted for sale on the Internet by a third party.
The SEC said the employee, Galen Marsh, downloaded the confidential records between 2011 and 2014 and transferred them to his home computer server. Then, according to the agency, "a likely third party" hacked into Marsh's server to access the data, some of which was then posted for sale online. When the case first came to light in early 2015, Morgan Stanley said there was no evidence that customers had incurred any financial losses due to the data theft.
Marsh was later convicted for the theft and was sentenced to 36 months of probation and ordered to pay USD 600,000 in restitution. "Given the dangers and impact of cyber breaches, data security is a critically important aspect of investor protection," said Andrew Ceresney, director of the SEC Enforcement Division, in a statement. "We expect SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information," he said.