Morgan Stanley hit with $60m penalty for failing to properly decommission old kit hosting 'wealth management' data

Banking giant Morgan Stanley has been ordered to pay a $60m civil penalty over allegations it failed to properly decommission hardware from two of its US data centres in 2016.

The servers belonged to Morgan Stanley's wealth management business. According to the penalty order [PDF] from the snappily named Office of the Comptroller of the Currency (OCC), Morgan Stanley failed to properly asses the risks involved in retiring old kit from service. These included lapses in subcontracting the work to third parties, and a failure to keep an inventory of customer data stored on obsolete hardware.

The OCC did not allege any data breach occurred, but rather argued the bank's conduct was egregious, claiming Morgan Stanley had "engaged in unsafe or unsound practices that were part of a pattern of misconduct".

The body also neglected to name the third-party subcontractor used by the bankers but said Morgan Stanley failed to "exercise adequate due diligence in selecting the third-party vendor" and properly oversee its performance.

At the OCC's direction, Morgan Stanley, which does not admit liability, alerted customers who may have been affected. According to the penalty notice, it also voluntarily warned clients following a similar incident in 2019 involving the improper decommissioning of "wide area application services devices".

Withdrawing old kit can be a data protection minefield on the UK side of the pond, as demonstrated by repeated regulatory wrist-slappings. But while data protection practices in the US overall have been criticised – especially in comparison to the EU's General Data Protection Regulation – banking firms, which tend to handle "special" categories of data, are heavily regulated.

Morgan Stanley's fine relates to a lack of compliance with the Code of Federal Regulations, Part 30, Appendix B, "Interagency Guidelines Establishing Information Security Standards." These security rules specifically relate to guidelines about the "proper disposal" of banking customers' information.

In 2016, the OCC and several other federal and state banking regulators banded together to tighten up rules related to third-party vendors. They said that risk management practices used by financial institutions "for internal operations will have to be applied to vendor relationships and operations".

Among other things, they said firms should "mutually design risk management and disaster recovery strategies with each vendor to ensure that critical operations continue uninterrupted during a man-made or natural disaster, including security breaches" – and spell all of this out in the contract.

The Register has asked Morgan Stanley for comment. ®