In 2022, the SEC fined Morgan Stanley $35 million for failing to properly dispose of customer data. The problem wasn't a sophisticated cyberattack. It was retired equipment with customer information that wasn't destroyed properly. Some of it ended up at auctions. Some went to third-party vendors without proper oversight. The data on those devices was recoverable.
That case sent a message to every financial institution: IT asset disposal isn't just an operational task. It's a regulatory compliance requirement with teeth. Get it wrong, and you're looking at millions in fines, customer notification costs, regulatory investigations, and damaged reputation.
The Financial Services Threat Landscape in 2026
Financial services remains one of the most targeted industries for cyberattacks. In 2025, the sector experienced 1,858 cyber incidents, more than double the 864 incidents in 2024. That's not a typo. The threat doubled in a single year.
According to Verizon's 2025 Data Breach Investigations Report, 95% of attacks on financial services are financially motivated, with organized crime groups as the primary threat actors. The average cost of a financial services data breach hit $6.08 million in 2025.
The attack methods are evolving. Ransomware hit financial services with a 65% attack rate in 2024, the highest level since tracking began. Phishing attempts targeting financial institutions accounted for 27.7% of all phishing attacks globally. And here's what's concerning: about 15% of breaches now involve third-party vendors, which includes IT asset disposition providers.
Financial data commands premium prices on dark web marketplaces. Account credentials, payment card information, transaction histories, and personally identifiable information are all high-value targets. That's why proper data destruction isn't optional. It's a critical security control.
SOX Requirements for IT Disposal
The Sarbanes-Oxley Act doesn't have a chapter on throwing away computers. But Section 404 requires companies to establish and maintain adequate internal controls over financial reporting. That includes controls over the data systems that store financial records.
When IT equipment that contains financial data is retired, you need documented controls for how that data is destroyed. The SEC's enforcement action against Morgan Stanley made this explicit. The lack of proper controls over equipment disposal was a SOX violation.
What SOX Actually Requires
First, you need documented policies and procedures for IT asset disposition. These policies must address how equipment is inventoried when retired, what data destruction methods are used, how the process is monitored, and how documentation is maintained.
Second, you need actual implementation of those controls. Having a policy isn't enough if nobody follows it or if there's no enforcement. The controls need to be operational, not just documented for compliance purposes.
Third, executives must certify that controls are effective. Under SOX Section 302, CEOs and CFOs personally certify the adequacy of internal controls. If your ITAD process fails and leads to a data breach, those executives have certified inadequate controls. That exposure is significant.
Fourth, you need regular testing and monitoring of the controls. Your internal audit function or external auditors will test whether the ITAD process is being followed. If they find gaps, those need to be remediated and documented.
The Criminal Exposure
SOX violations aren't just civil penalties. Section 906 provides for criminal prosecution of executives who certify financial reports knowing they don't fairly present the company's financial condition. Penalties include fines up to $5 million and up to 20 years imprisonment.
While most IT disposal failures don't rise to that level, the potential exposure exists if there's evidence that executives knew about inadequate controls and certified them anyway. That's why board-level oversight of cybersecurity and data protection has increased dramatically.
PCI-DSS Requirements
If your organization handles payment card data, PCI-DSS compliance is mandatory. Version 4.0.1 became fully mandatory on March 31, 2025, with enhanced requirements for data security throughout the card data lifecycle.
PCI-DSS Requirement 9 specifically addresses physical security of cardholder data. This includes secure disposal of media containing cardholder information. Requirement 9.8 states that media containing cardholder data must be destroyed or rendered unrecoverable when no longer needed.
What Counts as Secure Destruction Under PCI-DSS
For paper documents, that means cross-cut shredding, pulping, or incineration, so the material cannot be reconstructed. For electronic media, it means degaussing, physical destruction that leaves the drive unrecoverable, or secure wiping (purging) with software that meets industry standards.
The standard also requires that you maintain control of materials awaiting destruction and verify that destruction actually occurred. That means a documented chain of custody from the moment media is identified for destruction through final disposition.
The Documentation Requirements
PCI-DSS requires detailed records. You need to log what media was destroyed, when it was destroyed, how it was destroyed, and who performed the destruction. For electronic media, this includes device serial numbers.
If you use a third-party vendor for destruction (which most organizations do), you need contracts that specify the vendor's responsibilities and security requirements. The vendor should provide certificates of destruction with all the required information.
PCI-DSS Penalties
Non-compliance with PCI-DSS can result in fines from $5,000 to $100,000 per month from the payment card brands. But the bigger risk is having your ability to process card payments restricted or revoked. For most businesses, that's existential.
Additionally, if a breach occurs and you're found non-compliant, you can be liable for fraud losses. The per-cardholder costs range from $50 to $90 for affected customers. For a breach affecting thousands of customers, that adds up quickly.
GLBA and the Safeguards Rule
The Gramm-Leach-Bliley Act requires financial institutions to protect customer information. The FTC's Safeguards Rule (updated in 2021 and actively enforced) specifies that financial institutions must securely dispose of customer information.
The Rule requires written policies for secure disposal of consumer information, including both paper and electronic records. Disposal must be done in a way that makes the information unreadable or undecipherable.
Who GLBA Covers
GLBA applies broadly to financial institutions, which the FTC defines as any business significantly engaged in financial activities. This includes banks, credit unions, mortgage lenders, credit counseling agencies, tax preparers, and many fintech companies.
If you're collecting consumer financial information, you're probably covered. And that means your IT disposal process needs to meet GLBA requirements.
Enforcement and Penalties
GLBA violations can result in fines up to $100,000 per violation. Criminal penalties for individuals include fines up to $10,000 and imprisonment up to 5 years. For executives who knowingly violate GLBA, penalties can be even higher.
The FTC has been actively enforcing the Safeguards Rule. Cases have focused on inadequate data security practices, including improper disposal of consumer information. The enforcement trend is increasing, not decreasing.
SEC Disclosure Requirements
In July 2023, the SEC adopted comprehensive cybersecurity disclosure rules under Regulation S-K Item 106. These rules are being actively enforced in 2026 and create new obligations for public companies.
Material cybersecurity incidents must be disclosed on Form 8-K within four business days of determining materiality. This includes data breaches resulting from improper IT disposal. If retired equipment leads to a breach that's material to investors, you have four days to disclose it.
Companies must also describe their cybersecurity risk management processes in annual 10-K filings. This includes how the organization addresses risks related to IT asset disposition. If you don't have documented ITAD controls, that gap needs to be disclosed or remediated.
The board's role in overseeing cybersecurity must be described, including how often they receive briefings on cyber risks. IT disposal is part of that risk landscape, particularly after high-profile cases like Morgan Stanley.
Where Financial Institutions Go Wrong
The most common mistake is treating branch closures or office moves as facilities management projects rather than data security events. When a branch closes, there's often a rush to clear the space. Equipment gets moved to storage or disposed of quickly without proper attention to data destruction.
Another frequent problem is inadequate vendor oversight. Organizations hire third-party movers or asset disposal companies without verifying their security practices or requiring proper destruction certification. The Morgan Stanley case highlighted exactly this issue.
Technology refreshes often focus on deploying new equipment while treating old equipment as an afterthought. The project timeline emphasizes getting new systems operational. Old equipment sits in a back room until someone decides to get rid of it, often without proper data destruction.
Mergers and acquisitions create IT disposal nightmares. Acquired companies may have different standards or no standards at all. Their equipment needs to be inventoried and properly disposed of, but that often gets lost in the integration chaos.
Small and mid-size financial institutions sometimes assume they're not attractive targets. They use less rigorous disposal practices than large banks. But attackers don't discriminate by institution size. Any financial data has value.
What Proper Financial Services ITAD Looks Like
Start with a comprehensive inventory. Every device being retired needs to be documented with make, model, serial number, location, and what data it contained. This inventory drives the entire process.
Classify the data that was on each device. Customer financial information gets the highest level of data destruction. Administrative systems might require lower levels. The destruction method should match the data sensitivity.
For devices that held customer or financial data, professional data destruction is required. The acceptable options are certified wiping software that follows NIST SP 800-88 sanitization guidance, degaussing, or physical destruction. Factory resets and basic formatting don't meet compliance requirements.
Maintain strict chain of custody. Every movement of equipment must be logged. Who packed it? When did it leave the facility? Who transported it? Where did it go? Who performed destruction? When? All of this must be documented.
Get Certificates of Destruction for all equipment. These certificates must include serial numbers, destruction date, method used, and verification that destruction was completed. These documents are your proof of compliance in an audit or investigation.
The Vendor Vetting Process
Not every ITAD vendor is qualified to handle financial services equipment. You need vendors with specific certifications, financial services experience, and appropriate insurance coverage.
Look for NAID AAA certification for data destruction. This certifies that the vendor's processes have been audited and meet industry standards. It's the gold standard for secure data destruction.
R2v3 or e-Stewards certification covers environmental and recycling practices. These ensure proper handling throughout the disposal process.
The vendor must carry substantial liability insurance. You're looking for millions of dollars in coverage for data breaches and errors and omissions, not thousands. If something goes wrong, you need to know they can cover it.
Conduct on-site assessments of vendor facilities. See where your equipment will be processed. Verify their security controls. Check their chain of custody procedures. If a vendor won't let you tour their facility, that's a red flag.
Review vendor financials if possible. You're establishing a long-term relationship with a company that will handle sensitive data. You want to know they're financially stable and will be around to support their commitments.
Check references from other financial institutions, not general businesses but specifically financial services companies. The compliance requirements are different, and you want vendors who understand the regulatory landscape.
Special Considerations for Different Financial Services
Large banks and financial institutions have dedicated information security teams and formal ITAD programs. The challenge is ensuring consistent execution across hundreds or thousands of locations. Centralized policies need local implementation, which requires training and monitoring.
Regional and community banks often have the regulatory obligations of large banks but with smaller security teams. The key is establishing clear processes that don't require extensive security expertise at each branch. Work with qualified vendors who can handle much of the complexity.
Credit unions face similar challenges to small banks. Cooperative ownership structures sometimes mean slower decision-making on security investments. But the regulatory requirements are just as strict. Don't let organizational structure become an excuse for inadequate ITAD practices.
Fintech companies sometimes assume that being cloud-native means IT disposal isn't an issue. But offices have workstations, mobile devices are issued to employees, and physical security devices exist. All of that needs proper disposal when retired.
Mortgage lenders and loan servicers handle extensive customer financial data. When branch offices close or when systems are upgraded, proper data destruction is critical. These organizations are specifically covered under GLBA and must meet its disposal requirements.
Investment firms and broker-dealers are subject to SEC oversight and have fiduciary duties to clients. Data breaches from improper disposal can create significant liability. The regulatory scrutiny is intense, particularly for firms handling high-net-worth clients.
Mobile Devices and Remote Work
Financial services employees increasingly work remotely or use mobile devices for customer interactions. These devices create unique disposal challenges.
Smartphones and tablets are small, easy to lose track of, and often contain significant amounts of customer data. Email access means customer communications. Apps may cache financial information locally. Photos might document transactions or account details.
Company-issued devices should be enrolled in Mobile Device Management systems. When devices are retired, ensure they're properly wiped using MDM capabilities and then physically returned for additional destruction if they contained sensitive data.
Personal devices used for work (BYOD policies) create complexity. When an employee leaves or upgrades their personal device, how do you ensure work data is removed? Clear policies and technical controls are essential.
Laptops used for remote work may have cached customer data, downloaded reports, or locally stored files. These devices need the same level of data destruction as office equipment, even though they're dispersed geographically.
The Cost-Benefit Analysis
Financial institutions often hesitate at the cost of professional ITAD services. Let's put this in perspective.
A typical bank branch closure might involve 20-30 workstations, a few servers, networking equipment, and peripherals. Professional ITAD services for that volume might cost $3,000-5,000, including pickup, data destruction, documentation, and environmentally responsible recycling.
Compare that to the cost of a data breach. The average financial services breach costs $6.08 million. Even a small breach affecting a few hundred customers can easily hit six figures when you factor in investigation, notification, credit monitoring, legal fees, and regulatory penalties.
The Morgan Stanley fine was $35 million. For improper disposal. That's 7,000 times the cost of doing it right for a typical branch closure.
The ROI calculation is straightforward. Proper ITAD costs tens of thousands of dollars annually for most institutions. The risk of not doing it properly is measured in millions.
Building a Compliant ITAD Program
If your organization doesn't have a formal ITAD program, here's how to build one that meets financial services regulatory requirements.
Write policies that cover when equipment is retired, who authorizes disposal, what data destruction methods are required based on data sensitivity, how chain of custody is maintained, what vendor requirements exist, what documentation is required, and how long records are kept.
Get executive and board approval for the policies. Given the regulatory exposure and the Morgan Stanley precedent, this needs board-level awareness and approval. Document that approval.
Select and vet ITAD vendors using the criteria outlined above. Don't just take bids and pick the cheapest. Verify certifications, check references, tour facilities, and review insurance coverage. Negotiate contracts that clearly specify vendor obligations.
Train all relevant staff. This includes IT teams, branch managers, facilities staff, and anyone else involved in equipment retirement. They need to understand the policy and their specific responsibilities.
Implement the program with a pilot at one or two locations. Work through the process, identify problems, fix them, then roll out enterprise-wide.
Establish monitoring and audit procedures. Regularly review a sample of disposed equipment to verify the process was followed. Have internal audit include ITAD in their annual audit plan.
Review and update the program annually. Regulations change. Technology changes. Your processes need to evolve. Build annual policy review into the program.
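The inventory, classification, destruction-method and Certificate of Destruction checks described earlier, and the sample review the monitoring step calls for, as one added reconciliation script (added example, not code from the article or any vendor; the field names, the NIST SP 800-88 method mapping and the sample records are assumptions):

```python
from dataclasses import dataclass
# Assumption: the article's guidance mapped onto NIST SP 800-88 sanitization
# levels; which methods are acceptable depends on the data classification.
ACCEPTABLE = {
    "customer_financial": {"purge", "degauss", "destroy"},
    "administrative": {"clear", "purge", "degauss", "destroy"},
}  # anything else (factory reset, plain format) is not sanitization

@dataclass(frozen=True)
class Asset:  # one line of the retirement inventory
    serial: str
    location: str
    data_class: str  # key of ACCEPTABLE

@dataclass(frozen=True)
class Certificate:  # one Certificate of Destruction from the vendor
    serial: str
    method: str
    destroyed_on: str  # ISO date; PCI-DSS wants what/when/how/who recorded
    vendor: str
    verified: bool  # vendor attested that destruction was completed

def audit(assets, certs):
    """Return {serial: [findings]}; an empty dict means every check passed."""
    by_serial = {}
    for c in certs:
        by_serial.setdefault(c.serial, []).append(c)
    findings = {}
    for a in assets:
        issues, matches = [], by_serial.get(a.serial, [])
        if not matches:
            issues.append("no Certificate of Destruction on file")
        elif len(matches) > 1:
            issues.append("duplicate certificates for one serial number")
        else:
            c = matches[0]
            if c.method not in ACCEPTABLE[a.data_class]:
                issues.append(f"method '{c.method}' not acceptable for {a.data_class} data")
            if not c.verified:
                issues.append("certificate lacks verification that destruction completed")
        if issues:
            findings[a.serial] = issues
    # A certificate whose serial was never inventoried is also a control gap.
    for s in sorted(set(by_serial) - {a.serial for a in assets}):
        findings[s] = ["certificate for a serial not in the retirement inventory"]
    return findings

# Constructed sample records; serials and vendor name are placeholders.
SAMPLE_ASSETS = [
    Asset("WS-0001", "branch-12", "customer_financial"),
    Asset("WS-0002", "branch-12", "customer_financial"),
    Asset("SRV-0100", "branch-12", "customer_financial"),
    Asset("PRN-0500", "branch-12", "administrative"),
]
SAMPLE_CERTS = [
    Certificate("WS-0001", "degauss", "2026-02-10", "EXAMPLE-ITAD", True),
    Certificate("WS-0002", "factory_reset", "2026-02-10", "EXAMPLE-ITAD", True),
    Certificate("PRN-0500", "clear", "2026-02-10", "EXAMPLE-ITAD", False),
    Certificate("NAS-9999", "destroy", "2026-02-10", "EXAMPLE-ITAD", True),
]
```

Running `audit(SAMPLE_ASSETS, SAMPLE_CERTS)` flags four of the five serials (a factory reset on customer data, a missing certificate, an unverified certificate, and a certificate for a device never inventoried); only WS-0001 passes.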
Documentation and Record Retention
Financial services regulations generally require retention of records for at least six years. Your ITAD documentation falls under those requirements.
Maintain copies of: the written ITAD policy, all equipment inventories, chain of custody forms, Certificates of Destruction, vendor contracts and certifications, training records, audit reports, and incident reports if any issues occurred.
Store this documentation securely. It contains details about your IT infrastructure, which is sensitive. But make sure it's accessible if needed for regulatory examination, audit, or investigation.
Don't rely solely on vendors to maintain records. Get your copies of everything and keep your own files. If there's an investigation years later and the vendor is out of business, you still need to produce documentation.
The Bottom Line for Financial Services
IT asset disposition is a regulated activity in financial services. SOX, PCI-DSS, GLBA, and SEC rules all create compliance obligations for how you handle end-of-life IT equipment.
The regulatory exposure is real. $35 million for Morgan Stanley wasn't a one-time anomaly. It established that improper IT disposal is a SOX violation that regulators will pursue. Other enforcement actions will follow that precedent.
The cost of compliance is modest compared to the risk. Professional ITAD services cost tens of thousands annually for most institutions. The average breach costs over $6 million. The math is clear.
Building a compliant ITAD program isn't complicated. Written policies, qualified vendors, proper documentation, and regular monitoring. Those four elements address most of the regulatory requirements.
If your institution doesn't have a documented ITAD program that meets regulatory requirements, that's a compliance gap that needs board-level attention. The Morgan Stanley case made IT disposal a board-level issue. Treat it accordingly.
Need help assessing your current ITAD practices against SOX, PCI-DSS, and GLBA requirements? We provide free compliance analysis for financial services organizations, identifying gaps and providing clear recommendations.