
Morgan Stanley's $100+ Million Vendor Management Mistake

Oct 22, 2023

Forget about your favorite Halloween horror movie. If you really want a scare, take a look at how poor vendor management has come back to haunt Morgan Stanley to the tune of more than $100 million.

In 2016 Morgan Stanley closed two data centers. The investment bank hired a vendor with no experience or expertise in data destruction to decommission thousands of hard drives and servers.

Based on the headline, you can guess what happened next. The vendor did a bad job. It not only failed to delete the personally identifiable information (PII) of millions of clients, it sold the equipment in an online auction.

It was an expensive mistake that cost:


What Went Wrong?

The SEC and OCC say Morgan Stanley failed to oversee the decommissioning process, neglecting many steps of the vendor management lifecycle. More specifically, the bank failed to:

  • Effectively assess or address the risks associated with the decommissioning of its hardware
  • Adequately assess the risk of using third-party vendors, including subcontractors
  • Maintain an appropriate inventory of customer data stored on the devices
  • Exercise adequate due diligence in selecting the third-party vendor
  • Adequately monitor the vendor’s performance

If that weren’t enough, Morgan Stanley did it again. In 2019 the bank “experienced similar vendor management control deficiencies” when decommissioning devices, the OCC says.


Breakdowns in the Vendor Management Lifecycle

Let’s take a closer look at where the vendor management lifecycle broke down.

Risk Assessment

Bankers know they need to identify critical vendors. These are vendors that present a high level of risk because they have access to sensitive data or could have a major impact on consumers or bank operations if they failed.

But what Morgan Stanley forgot is that it’s also required to identify and assess the risks of outsourcing an activity before selecting a vendor. A company needs to know its risk appetite and assess whether the costs, benefits, and risks of outsourcing an activity align with its overall strategic goals and objectives. It’s basic enterprise risk management (ERM). In this case, the activity outsourced involves protected data, making it a high-risk activity.

It’s also a question of resources. Financial companies need to assess whether they have the systems and staffing in place to ensure appropriate oversight of vendor relationships. In the case of Morgan Stanley, its large size and deep pockets might have given it a false sense of security. Despite its vast resources, its vendor management failed.

Due Diligence

Is the third-party vendor you’re considering hiring capable of doing the job safely and reliably while remaining compliant with all applicable laws, regulations, and policies? That is the question due diligence should answer. The more risk a vendor presents (i.e., critical vendors), the deeper the diligence should go.

Areas to review include the vendor’s financials, experience, legal and regulatory knowledge, reputation, operations, and internal controls. The results should be reported to the board to inform their decision making.

While Morgan Stanley’s consent order doesn’t go into great detail on what happened, it’s clear that the third-party vendor hired to help with the decommissioning had less-than-satisfactory internal controls. Maintaining an inventory of the machines in its custody and ensuring all data on them was destroyed were basic duties. This means the mistake was not a small oversight. It was a fundamental flaw.

Contract Negotiation

Contracts should outline the rights and responsibilities of both the vendor and the financial institution, yet the consent order suggests at least one key area of contract management was overlooked: outsourcing.

Unless a contract specifically prohibits outsourcing or requires the vendor to inform the financial institution of any outsourcing arrangements, vendors are free to outsource to other vendors. The fact that the OCC specifically calls out Morgan Stanley for not assessing the risk of using third-party vendors, including subcontractors, suggests that this problem may have stemmed from a fourth-party vendor.

A contract should also include specific information about reporting, including audits and performance. Failure to include these may have led to problems with vendor oversight and ongoing monitoring.

Ongoing Monitoring

Initial due diligence is not enough. Financial companies must also engage in ongoing monitoring. This includes monitoring the strength of the vendor’s internal controls, its compliance with legal and regulatory requirements, and its fulfillment of service-level agreements, performance metrics, and other contractual terms. Controls should be regularly tested, and significant findings should be documented and reported. Critical vendors should be risk assessed at least annually.

The OCC says Morgan Stanley failed to adequately monitor the vendor’s performance.

The vendor management lifecycle is supposed to ensure strong vendor management. When conducted properly, it provides many opportunities to uncover and mitigate risk. Yet it appears no one was watching this vendor. No one used a vendor management process. Instead, this task was handled carelessly—as though the bank were taking out last week’s leftovers instead of disposing of critical data.

How strong is your firm’s vendor management program? Do you have a centralized approach to vendor management? Is your staff—including IT and operations—aware that hiring a vendor is about more than cost and that there is a process to follow to ensure the safety of your institution?

Don’t wait for an examiner to uncover vendor management deficiencies. Make sure your firm is consistently applying vendor management across your institution.
