Morgan Stanley To Pay $1 Million SEC Fine For Security Lapse
Wall Street bank penalized for violating Safeguards Rule leading to theft of customer data.
Morgan Stanley will pay a fine of $1 million to the Securities and Exchange Commission (SEC) for failing to protect customer data, reports Security Week.
The banking giant reportedly violated the Safeguards Rule, which allowed then employee Galen J. Marsh to transfer client details to his home computer, which was later hacked by a third party.
In January 2015, confidential details of around 900 of Morgan Stanley’s 730,000 clients were released online by the hackers briefly with an offer to sell more, says Security Week, quoting the federal agency. Marsh was soon criminally charged and ordered to pay $600,000 in restitution and sentenced to 36 months of probation.
“We expect SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information,” said Andrew Ceresney of SEC.
Morgan Stanley has agreed to pay the fine.
Banking giant Morgan Stanley will pay $1 million as penalty for failure to protect information on roughly 730,000 of its clients, the Securities and Exchange Commission (SEC) said Wednesday.
According to the SEC, the bank “failed to adopt written policies and procedures reasonably designed to protect customer data,” which enabled a then-employee to access and transfer data on the customer accounts accounts to a personal server, which the was ultimately hacked by third parties.
“A likely third-party hack of Marsh’s personal server resulted in portions of the confidential data being posted on the Internet with offers to sell larger quantities,” the SEC said.
In January 2015, Morgan Stanley acknowledged that account information for about 900 of its clients, including account numbers and names, was briefly posted on the Internet and, once detected, was "promptly removed."
The employee at the time, Galen J. Marsh, was was criminally convicted for his actions in 2015 and received 36 months of probation and ordered to $600,000 in restitution.
According to the SEC, Morgan Stanley violated Rule 30(a) of Regulation S-P, also known as the “Safeguards Rule.”
“Given the dangers and impact of cyber breaches, data security is a critically important aspect of investor protection. We expect SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information,” Andrew Ceresney, Director of the SEC Enforcement Division, said in a statement.
The SEC alleges that Morgan Stanley didn’t audit or test the “relevant authorization modules” or monitor or analyze employees’ access to portals containing sensitive data.
Morgan Stanley agreed to settle the charges and pay the $1 million without admitting or denying the findings.
Source:DarkReading
No comments:
Post a Comment