Morgan Stanley headquarters in New York.

Morgan Stanley agreed Wednesday to pay a $1 million penalty to the Securities and Exchange Commission to settle charges that it failed to protect customer information, some of which the agency says was hacked and offered for sale online.

The SEC order finds that Morgan Stanley failed to adopt written policies and procedures reasonably designed to protect customer data from 2011 to 2014.

During that time, then-employee Galen Marsh impermissibly accessed and transferred customer data regarding approximately 730,000 accounts associated with 330,000 different households to his personal server, which was ultimately hacked by third parties.

The misappropriated data included customers’ full names, phone numbers, street addresses, account numbers, account balances and securities holdings.

“Given the dangers and impact of cyber breaches, data security is a critically important aspect of investor protection,” said Andrew Ceresney, director of the SEC Enforcement Division, in a statement. “We expect SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information.”

The SEC’s order finds that Morgan Stanley violated Rule 30(a) of Regulation S-P, also known as the “Safeguards Rule.”

Morgan Stanley agreed to settle the charges without admitting or denying the findings. In a separate order, Marsh agreed to an industry and penny stock bar with the right to apply for reentry after five years. 

He was criminally convicted for his actions last year and received 36 months of probation and a $600,000 restitution order, the SEC states.

According to the SEC, Morgan Stanley’s policies and procedures were not reasonable for two internal web applications or “portals” that allowed its employees to access customers’ confidential account information.

For these portals, Morgan Stanley “did not have effective authorization modules for more than 10 years to restrict employees’ access to customer data based on each employee’s legitimate business need,” the SEC states.

Because Morgan Stanley also did not audit or test the relevant authorization modules, nor did it monitor or analyze employees’ access to and use of the portals, Marsh was able to download and transfer confidential data to his personal server at home between 2011 and 2014.

The SEC order states that a “likely third-party hack of Marsh’s personal server resulted in portions of the confidential data being posted on the Internet with offers to sell larger quantities.”

Morgan Stanley said in a statement on Wednesday that the theft by Marsh, a former employee, was “of certain limited client data that was reported in January, 2015.”

Following the discovery of the incident, Morgan Stanley says that it “promptly alerted law enforcement and regulators, and notified affected clients.” The BD says that it “worked quickly to protect affected clients by changing account numbers and offering credit monitoring and identity theft protection services, and has strengthened its mechanisms for safeguarding client data. No fraud against any client account was reported as a result of this incident.”

– Related on ThinkAdvsior: