Morgan Stanley pays $60 million for decommissioning deficiencies
The OCC issued a consent order with a civil money penalty of $60 million to Morgan Stanley Bank, N.A. (Salt Lake City, Utah) and Morgan Stanley Private Bank, N.A. (Purchase, New York). The Comptroller found, and the banks neither admitted nor denied, that, in 2016, the banks failed to exercise proper oversight of the decommissioning of two Wealth Management business data centers located in the U.S. In connection with the decommissioning, the Bank, among other things, failed to effectively assess or address the risks associated with the decommissioning of its hardware; failed to adequately assess the risk of using third party vendors, including subcontractors; and failed to maintain an appropriate inventory of customer data stored on the devices. The Bank failed to exercise adequate due diligence in selecting the third party vendor engaged by Morgan Stanley and failed to adequately monitor the vendor’s performance.
The OCC also found, and the banks neither admitted nor denied, that, in 2019, the banks experienced similar vendor management control deficiencies in connection with the decommissioning of wide area application services devices.
The OCC determined that the banks were in noncompliance with 12 C.F.R. Part 30, Appendix B, “Interagency Guidelines Establishing Information Security Standards,” and engaged in unsafe or unsound practices that were part of a pattern of misconduct.