The U.S. Securities and Exchange Commission (SEC) announced Wednesday that Morgan Stanley Smith Barney LLC agreed to pay a US$1 million penalty to settle charges related to its failures to protect customer information.

The firm agreed to settle the charges without admitting or denying the findings.

The SEC’s order finds that the firm: failed to adopt written policies to protect customer data for two portals that allowed employees to access client information; didn’t restrict access to that information based on legitimate business need; and didn’t audit or test employees’ use of the portals.

As a result of these failures, an employee of the firm, Galen Marsh, transferred the data regarding approximately 730,000 accounts to his personal server, which was ultimately hacked, the SEC says.

“Given the dangers and impact of cyber breaches, data security is a critically important aspect of investor protection. We expect SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information,” says Andrew Ceresney, director of the SEC’s enforcement division, in a statement.

Separately, Marsh agreed to an industry and penny stock ban, with the right to apply for reentry after five years. He was also criminally convicted last year, sentenced to 36 months of probation, and ordered to pay US$600,000 in restitution.