Morgan Stanley has agreed to pay $60 million as part of a settlement with the Office of the Comptroller of the Currency (OCC) for failing to adequately protect customer data when the bank decommissioned two U.S.-based wealth management data centers.
According to the OCC’s consent order, Morgan Stanley Bank and Morgan Stanley Private Bank failed to maintain an appropriate inventory of the customer data stored on the hardware in a 2016 decommissioning; failed to recognize the potential risks of a data breach during the decommissioning; and failed to properly assess the potential data breach risks incurred by using third-party subcontractors to conduct the decommissioning. The third-party threats were exacerbated by inadequate due diligence and monitoring, the OCC noted.
