The international bank Morgan Stanley has been hit with a $60 million fine from the US Treasury Dept. for “engaging in unsafe or unsound practices relating to information security and noncompliance”; the penalty stems from failures in its ITAD (IT Asset Disposition) policies and procedures.
The Office of the Comptroller of the Currency (OCC) – which, as part of the Treasury Dept., regulates and supervises all national banks, and federally licensed branches of foreign banks, in the United States of America – issued a “consent order” giving more detail on the issues. It found that, in 2016, Morgan Stanley fell short in several areas and failed to:
- Exercise proper oversight of the decommissioning of two datacentres
- Effectively assess/address risks associated with the decommissioning of its hardware
- Adequately assess the risk of using third party vendors, including subcontractors
- Maintain an appropriate inventory of customer data stored on the devices
- Exercise adequate due diligence in selecting the third-party vendor
- Adequately monitor the vendor’s performance
The bank then experienced “similar vendor management control deficiencies” in 2019, prompting further action. It seems that data was left on devices post-decommissioning and that the bank was also unable to account for some of the server hardware after it had been retired. As well as the OCC fine, Morgan Stanley now faces a range of class-action lawsuits brought by customers.
We have highlighted several times this year that, with the rise of remote working driven by COVID-19, Hardware Asset Management (HAM) and IT Asset Disposition (ITAD) are more critical than ever before. This case highlights some of the elements that must be considered when implementing these areas within the business, and shows that simply handing the work to a third party isn’t the end of your responsibility: the data, and the accountability for it, remain yours until destruction is verified. If engaging with an ITAD provider, you must ensure that you have procedures in place to:
- Select the right partner and assess the risks
- Check their credentials and certifications, as well as their lifecycle management processes
- Continually monitor that they’re doing what they should be
- Run regular checks against a set of benchmark criteria, with a process for remediation when a check fails
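One concrete check behind the inventory and monitoring points above is to reconcile your own decommissioning inventory against the vendor’s certificate of sanitization or destruction, device by device, so that a missing server or an unverified erase is caught before the devices are out of reach. The script below is an added example written for this post; it is not code from Morgan Stanley, the OCC, or any ITAD vendor. The record layouts, the constructed serial numbers and the policy that media holding customer data must be purged or destroyed (the NIST SP 800-88 sanitization levels, rather than merely cleared) are assumptions for illustration.

```python
"""Reconcile a decommissioning inventory against an ITAD vendor's
certificate of sanitization. Added example; all records are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    serial: str
    asset_type: str
    holds_customer_data: bool   # from your own data inventory, not the vendor's


@dataclass(frozen=True)
class Certificate:
    serial: str
    method: str      # NIST SP 800-88 level reported by the vendor: clear / purge / destroy
    verified: bool   # vendor recorded a verification step for this device


# Assumed policy: media that held customer data must be purged or destroyed
# before it leaves your control; "clear" is not sufficient for it.
ACCEPTABLE_FOR_CUSTOMER_DATA = {"purge", "destroy"}

# Constructed decommissioning inventory (what you shipped to the vendor).
INVENTORY = [
    Asset("SRV-0001", "server", True),
    Asset("SRV-0002", "server", True),
    Asset("SRV-0003", "server", False),
    Asset("DSK-0100", "disk", True),
    Asset("DSK-0101", "disk", True),
]

# Constructed vendor certificate (what the vendor says it sanitized).
CERTIFICATES = [
    Certificate("SRV-0001", "purge", True),
    Certificate("SRV-0002", "clear", True),     # wrong level for customer data
    Certificate("SRV-0003", "clear", True),     # fine: no customer data on it
    Certificate("DSK-0100", "destroy", False),  # no verification recorded
    Certificate("DSK-0999", "destroy", True),   # serial we never shipped
]


def reconcile(inventory, certificates):
    """Return the discrepancies an auditor would want explained, plus the
    devices whose disposal is fully accounted for."""
    certs = {c.serial: c for c in certificates}
    shipped = {a.serial for a in inventory}

    unaccounted, insufficient, unverified, clean = [], [], [], []
    for asset in inventory:
        cert = certs.get(asset.serial)
        if cert is None:
            # Device left our datacentre but the vendor has no record of it.
            unaccounted.append(asset.serial)
            continue
        if asset.holds_customer_data and cert.method not in ACCEPTABLE_FOR_CUSTOMER_DATA:
            insufficient.append(asset.serial)
            continue
        if not cert.verified:
            unverified.append(asset.serial)
            continue
        clean.append(asset.serial)

    # Serials on the certificate that were never in our shipment: either a
    # transcription error or someone else's hardware mixed into our batch.
    unexpected = sorted(s for s in certs if s not in shipped)

    return {
        "unaccounted": sorted(unaccounted),
        "insufficient_method": sorted(insufficient),
        "unverified": sorted(unverified),
        "unexpected": unexpected,
        "clean": sorted(clean),
    }


def needs_remediation(report):
    """True if any device requires follow-up with the vendor."""
    return any(report[k] for k in ("unaccounted", "insufficient_method",
                                   "unverified", "unexpected"))


if __name__ == "__main__":
    result = reconcile(INVENTORY, CERTIFICATES)
    for key, serials in result.items():
        print(f"{key:20s} {serials}")
    print("remediation required:", needs_remediation(result))
```

Run against the constructed data, the script reports one device the vendor never recorded, one customer-data server only cleared rather than purged, one disk destroyed without a recorded verification step, and one serial on the certificate that was never shipped; only two devices come out clean. In practice the inventory side comes from your HAM tool and the certificate side from the vendor’s report, and the non-empty buckets are what your remediation process should be chasing before the engagement is signed off.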
While this multi-million-dollar ITAD fine is perhaps an above-average penalty, it does highlight the financial and reputational risks that can accompany less-than-stellar ITAD management. Consider this as you work with your business to identify priorities for 2021.
About Rich Gibbons
A Northerner renowned for his shirts, Rich is a big Hip-Hop head, and loves travel, football in general (specifically MUFC), baseball, Marvel, and reading as many books as possible. Finding ways to combine all of these with ITAM & software licensing is always fun!
Connect with Rich on Twitter or LinkedIn.