Morgan Stanley has agreed to pay $60 million as part of a settlement with the Office of the Comptroller of the Currency (OCC) for failing to adequately protect customer data when the bank decommissioned two U.S.-based wealth management data centers.

According to the OCC’s consent order, Morgan Stanley Bank and Morgan Stanley Private Bank failed to maintain an appropriate inventory of the customer data stored on the hardware in a 2016 decommissioning; failed to recognize the potential risks of a data breach during the decommissioning; and failed to properly assess the potential data breach risks incurred by using third-party subcontractors to conduct the decommissioning. The third-party threats were exacerbated by inadequate due diligence and monitoring, the OCC noted.

The banks “engaged in unsafe or unsound practices that were part of a pattern of misconduct,” the order said. The OCC added that Morgan Stanley experienced similar deficiencies in the decommissioning of wide-area application services devices in 2019.

Morgan Stanley notified potentially impacted customers about its 2016 lapses at the OCC’s direction, while voluntarily notifying potentially impacted customers regarding 2019’s deficiencies. The bank has since been hit with a class-action lawsuit regarding the breaches.

Morgan Stanley “is committed to taking all necessary and appropriate steps to remedy the deficiencies,” the order said. The bank neither admitted nor denied the OCC’s allegations, but has agreed to pay the fine.

In a statement, Morgan Stanley said it has “instituted enhanced security procedures, including continuous fraud monitoring, and will continue to strengthen the controls that we have in place to protect our clients’ information. Safeguarding our client’s information is of paramount importance.”

Just last month, Morgan Stanley was fined $5 million by the Securities and Exchange Commission for violations related to short sales and another $5 million by the Commodity Futures Trading Commission for failing to comply with swap data reporting obligations.