On June 8, 2016, the SEC announced that "Morgan Stanley Smith Barney LLC has agreed to pay a $1 million penalty to settle charges related to its failures to protect customer information, some of which was hacked and offered for sale online."

On June 8, 2016, the SEC instituted settled administrative and cease-and-desist proceedings against Morgan Stanley Smith Barney LLC ("MSSB"). According to the SEC: "This proceeding arises out of MSSB's failure to adopt written policies and procedures reasonably designed to protect customer records and information, in violation of Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)) (the 'Safeguards Rule'). From at least August 2001 through December 2014, MSSB stored sensitive personally identifiable information ('PII') of individuals to whom MSSB provided brokerage and investment advisory services (referred to herein as "customers") on two of the firm's applications: the Business Information System ("BIS") Portal and the Fixed Income Division Select ('FID Select') Portal (collectively, 'the Portals'). Galen Marsh ('Marsh'), then an MSSB employee, misappropriated data regarding approximately 730,000 customer accounts, associated with approximately 330,000 different households, by accessing the Portals between 2011 and 2014. The misappropriated data included PII, such as customers' full names, phone numbers, street addresses, account numbers, account balances and securities holdings."