Advisor Domain: Lessons from the Morgan Stanley Recycling Debacle


Last week, the Treasury Department announced it was fining Morgan Stanley $60 million over mishandled data center decommissioning back in 2016. The agency said several Morgan Stanley hardware assets still contained customer data after these retired assets reached a recycling station. 

Although the bank had shuttered these data centers four years ago, Morgan Stanley didn’t notify wealth management customers until this past summer about the possible breach. 

As you know, wealth management customers needed to know that their advisors had poorly discarded their personal information… right after watching the markets tank during a global pandemic.

What Comes Next 

The OCC fine of $60 million might not be a lot to a bank that made $3.2 billion in profit during the second quarter. But one can expect the scrutiny to increase and the fines to climb over time. Eventually, someone will find themselves made “an example” by an ambitious regulator. 

We’re not talking about hacking computer networks or dynamic phishing scams. We’re talking about something straightforward. The banks didn’t assess the risks of subcontracting the decommissioning of these data centers. You’ll hear me say this – over and over and over and over again. Third-party vendors remain the single biggest threat, and failure to assess their capabilities and take inventory of these groups will cause massive headaches for companies.

No evidence of a breach or unauthorized data access exists. But the class action lawsuits have already started. Morgan Stanley has said it will pay for two years of credit monitoring for affected customers and any “identity restoration” services if the data has been compromised. 

Morgan might take legal action against the third-party vendor hired to “scrub the data.” But again, none of these services matter to the customer. Kyle Marks, CEO of Retire-It, said that lawsuits against Morgan Stanley would center on whether the firm ignored obligations and cut any corners in the process.

“Naturally, we should expect plaintiffs to ask, how do we know only a ‘small’ number of servers is missing?” wrote Marks on LinkedIn in August. Marks argues that discovery in the legal process could be brutal. What else is missing? the plaintiffs will ask. And future investigations into existing IT asset disposition programs may reveal VERY large gaps. 

From there, Marks raises an even more significant concern: that one day we’ll witness a massive Black Swan event due to IT asset disposition, one that reveals a massive coverup.

Companies must follow a rigid schedule on how to dispose of customer data. Though it might not be the individual broker’s responsibility, it could impact their reputation should a breach transpire. As I noted recently, customers are far less likely to work with a company that has experienced a breach. Even if it’s out of your control, ensure that a client’s departure or the destruction of existing hardware and systems is taken to the full conclusion.
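The “what else is missing?” question above is answerable only if someone reconciles the decommissioning manifest against the disposal vendor’s certificates of destruction. The following is an added example of that check, not code from Morgan Stanley, Retire-It or anyone quoted here; the asset records, serial numbers and the two-method acceptance policy are constructed for illustration.

```python
from dataclasses import dataclass

# Sanitization methods the contract treats as final. Constructed policy for this
# example; a real program would name its own standard (e.g. NIST SP 800-88 levels).
ACCEPTED_METHODS = {"purge", "destroy"}


@dataclass(frozen=True)
class Asset:
    serial: str
    asset_tag: str
    held_customer_data: bool  # did this box ever store customer records?


@dataclass(frozen=True)
class Certificate:
    serial: str    # serial the vendor claims to have sanitized
    method: str    # "clear", "purge", "destroy", ...
    verified: bool  # did the vendor record a post-sanitization verification?


def reconcile(manifest, certificates):
    """Match every decommissioned asset to a certificate; return findings by category."""
    certs_by_serial = {}
    for cert in certificates:
        certs_by_serial.setdefault(cert.serial, []).append(cert)

    findings = {"missing": [], "weak_method": [], "unverified": [],
                "duplicate": [], "unexpected": [], "closed": []}
    for asset in manifest:
        certs = certs_by_serial.pop(asset.serial, [])
        if not certs:
            # On the manifest, but the vendor never certified it: the gap plaintiffs ask about.
            findings["missing"].append(asset.serial)
            continue
        if len(certs) > 1:
            # Two certificates for one serial is a record-keeping problem, not proof.
            findings["duplicate"].append(asset.serial)
        cert = certs[0]
        if cert.method not in ACCEPTED_METHODS:
            findings["weak_method"].append(asset.serial)
        elif not cert.verified:
            findings["unverified"].append(asset.serial)
        else:
            findings["closed"].append(asset.serial)
    # Certificates for serials that were never on the manifest: inventory is incomplete.
    findings["unexpected"] = sorted(certs_by_serial)
    return findings


def customer_data_exposure(manifest, findings):
    """Serials that held customer data and are not provably sanitized."""
    open_serials = (set(findings["missing"]) | set(findings["weak_method"])
                    | set(findings["unverified"]))
    return sorted(a.serial for a in manifest
                  if a.held_customer_data and a.serial in open_serials)


# Constructed sample records: five retired servers, five vendor certificates.
MANIFEST = [
    Asset("SRV-0001", "DC1-R01", True),
    Asset("SRV-0002", "DC1-R02", True),
    Asset("SRV-0003", "DC1-R03", False),
    Asset("SRV-0004", "DC1-R04", True),
    Asset("SRV-0005", "DC1-R05", True),
]
CERTIFICATES = [
    Certificate("SRV-0001", "destroy", True),
    Certificate("SRV-0002", "clear", True),    # wiped, but not to the accepted level
    Certificate("SRV-0003", "purge", False),   # purged, but never verified
    Certificate("SRV-0005", "purge", True),
    Certificate("SRV-0099", "destroy", True),  # serial that was never on the manifest
]

if __name__ == "__main__":
    result = reconcile(MANIFEST, CERTIFICATES)
    for category, serials in result.items():
        print(f"{category:12s} {serials}")
    print("customer-data exposure:", customer_data_exposure(MANIFEST, result))
```

The output a practitioner cares about is the last line: the serials that held customer data and for which no acceptable, verified certificate exists. Running the reconciliation before the vendor is paid, rather than years later during litigation, is the difference between a closed ticket and a notification letter.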

I encourage you to follow Retire-It and the work of Kyle Marks. This world is quite eye-opening.

The Talent War Cometh

Finally, this is a bit off subject, but it warrants attention. Last week, Goldman Sachs announced it had hired away Matthew Chung from Morgan Stanley to become Chief Information Security Officer at the bank. Chung will join the company as a partner.

That’s not very common.

Chung comes with a solid reputation. He built cyber defenses for Barclays and Morgan Stanley. When banks are facing sharp increases in compliance and cybersecurity costs, a talent war is likely going to be next. 

Goldman continues to build out its investment banking business – and it’s taking cybersecurity quite seriously with this hire. The question is where the rest of the industry’s talent is going to come from. Already, two-thirds of CISOs say that they’re struggling to recruit new talent and that they expect shortages to get worse. The lack of technical knowledge, the lack of practical experience, and the difficulty of locating the right cultural fit all sit at the top of concerns for CISOs as they attempt to find cybersecurity experts. 

But add on the financial sector’s regulatory structure, and it will only make it more difficult. I expect that companies like Goldman, Morgan Stanley, JPMorgan, and Barclays aren’t struggling to find the right people with their deep pockets.

But go down the ladder toward mid-level brokerages, banks, and wealth management, and the talent war will only get more complex.