The Wall Street bank is being forced to pay up for not safeguarding data that ultimately ended up in the hands of hackers.
The Securities and Exchange Commission announced on Wednesday (June 8) that Morgan Stanley will be fined $1 million for failing to protect its customers from an internal data breach, Financial Times reported.
The high-profile breach came as a result of ex-financial adviser Galen Marsh, who illegally accessed client data and then transferred it to his personal server over the course of three years. Last year, Marsh pled guilty and was sentenced to three years of probation for stealing the data of nearly 730,000 wealth management clients at Morgan Stanley.
Marsh was also forced to pay $600,000 in restitution and turn over all hardware used to access and store the data.
That data was eventually hacked by cybercriminals, who made a portion of the data available online and then requested money to supply the rest, FT reported.
“Given the dangers and impact of cyberbreaches, data security is a critically important aspect of investor protection,” Andrew Ceresney, director of the SEC’s enforcement division, explained. “We expect SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information.”
Morgan Stanley is considered at fault for not establishing access controls around portals containing confidential client data. The bank is also being accused of going 10 years without auditing access authorizations and for failing to monitor which employees were accessing the information and portals as well.
Insider threats remain a top cybersecurity concern for organizations as they try to curb the threat and damages of cybercrime.
Last year, the Insider Threat Report found that 62 percent of the more than 500 cybersecurity professionals surveyed said the number of instances surrounding insider threats have increased over the last 12 months. Despite this, the study still found less than 50 percent of organizations have the right controls in place to prevent insider attacks.