When Morgan Stanley agreed to pay a $35 million SEC penalty in 2022, most headlines focused on the exposure of customer data. Less attention was paid to the nature of the underlying failure.
This wasn’t a sophisticated cyberattack. It wasn’t a zero-day exploit. It wasn’t ransomware.
The records showed the assets as retired. The disposal was assumed to be handled. On paper, it all looked right.
It wasn’t.
That gap between what the data says and what reality looks like is one of the most common and costly problems in IT asset management. And the Morgan Stanley case is its most expensive public example.
For IT leaders, the case offers five lessons that go beyond compliance and cut to the heart of a question most organizations struggle to answer honestly: Can you trust your data?
Lesson 1: Data That Looks Complete Is Not the Same as Data That Is Complete
Many organizations approach asset management as a documentation exercise.
A device is logged as retired. A license is marked as reclaimed. An employee’s offboarding is checked off.
The record looks right. The reality may not match.
Morgan Stanley’s asset records showed thousands of devices as properly decommissioned. The SEC found otherwise: the disposal vendor, a moving company with no experience in data destruction, sold the devices on with customer data intact. Separately, the firm lost track of 42 decommissioned servers.
The failure wasn’t in the system. It was in the assumption that a record of completion meant completion had actually happened.
IT leaders should regularly ask: how do we verify that what our records say actually happened?
Lesson 2: You Can Outsource a Process. You Cannot Outsource the Record.
Third-party vendors were involved in Morgan Stanley’s asset disposal process. This is common. Many organizations rely on external partners for device retirement, data destruction, and lifecycle management.
The problem is not vendor involvement. The problem is when vendor involvement creates gaps in the data chain — moments where the record stops updating because someone assumed the process was being handled elsewhere.
Regulators don’t distinguish between internal and external failures. The organization’s records are the organization’s responsibility.
If your asset data depends on a vendor manually updating something, that’s a gap that seems invisible until it isn’t.
Lesson 3: A Process Without Verification Is Just an Assumption That Looks Like a Process
Morgan Stanley handed asset retirement to a vendor and assumed the process was working. What regulators ultimately examined was the outcome — not the documentation.
This is a critical distinction. In many organizations, process documentation creates a false sense of security. The checklist exists. The policy exists. The workflow exists. But if no one is verifying that the process produces accurate results, the documentation records an assumption, not a fact.
IT leaders should regularly audit whether their data reflects reality:
- Are devices marked as returned actually back in inventory?
- Are licenses marked as reclaimed actually unassigned?
- Are offboarding tasks marked as complete actually completed?
A record that looks right is only as trustworthy as the last time someone verified it.
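The audit questions above can be run as a reconciliation between what the asset system claims and evidence collected from sources it does not write to. The sketch below is an added example, not code from the article or any product; the record ids, evidence sources, field names and the 30-day freshness limit are all assumptions constructed for illustration.

```python
from datetime import date

MAX_EVIDENCE_AGE_DAYS = 30  # assumed policy value, not from the article

# Constructed sample: (id, kind, state) as the asset system records it.
CLAIMS = [
    ("LT-1001", "device", "returned"),
    ("LT-1002", "device", "returned"),
    ("LIC-77", "license", "reclaimed"),
    ("OFF-310", "offboarding", "complete"),
    ("OFF-311", "offboarding", "complete"),
    ("SRV-9", "disposal", "retired"),  # vendor-handled, no evidence feed
]

# Constructed evidence. presence_confirms: True if being listed supports
# the claim, False if being listed contradicts it.
EVIDENCE = {
    "device": {"collected": date(2024, 6, 24), "ids": {"LT-1001"},
               "presence_confirms": True},    # stockroom scan: serials on the shelf
    "license": {"collected": date(2024, 1, 15), "ids": set(),
                "presence_confirms": False},  # portal export: seats still assigned
    "offboarding": {"collected": date(2024, 6, 28), "ids": {"OFF-311"},
                    "presence_confirms": False},  # export: login still enabled
}

def verify(claims, evidence, today):
    """Return {id: (status, reason)}; a claim is only CONFIRMED by fresh evidence."""
    results = {}
    for item_id, kind, state in claims:
        source = evidence.get(kind)
        if source is None:
            results[item_id] = ("UNVERIFIED", "no independent evidence source")
            continue
        age = (today - source["collected"]).days
        if age > MAX_EVIDENCE_AGE_DAYS:
            results[item_id] = ("UNVERIFIED", f"evidence is {age} days old")
        elif (item_id in source["ids"]) == source["presence_confirms"]:
            results[item_id] = ("CONFIRMED", f"evidence agrees with '{state}'")
        else:
            results[item_id] = ("MISMATCH", f"recorded '{state}', evidence disagrees")
    return results

def exceptions(results):
    """Claims nobody can vouch for: the audit's actual work list."""
    return {k: v for k, v in results.items() if v[0] != "CONFIRMED"}

if __name__ == "__main__":
    found = exceptions(verify(CLAIMS, EVIDENCE, date(2024, 6, 30)))
    print("\n".join(f"{i}\t{s}\t{why}" for i, (s, why) in found.items()))
```

Note that the license record comes back UNVERIFIED rather than CONFIRMED even though the export does not list it: evidence older than the freshness limit cannot vouch for anything, and a record type with no evidence source at all is reported the same way.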
Lesson 4: Data Drift Accelerates as Organizations Scale
Small organizations can often compensate for data gaps through institutional knowledge and informal processes. As organizations grow — more employees, more devices, more locations, more systems — manual processes quietly break down.
The data doesn’t suddenly become wrong. It drifts. Gradually. Record by record. Offboarding by offboarding. Transfer by transfer.
This is why so many IT leaders struggle to answer questions that should be straightforward:
- Which laptops are currently assigned to active employees?
- Which software licenses belong to people who’ve already left?
- Which assets are approaching end of life?
The data exists somewhere. The challenge is whether anyone can vouch for it still being current.
Lesson 5: Small Gaps Compound into Large Exposures
One missed offboarding task isn’t a crisis. One unreclaimed license isn’t a crisis. One inaccurate device record isn’t a crisis.
The problem is accumulation. Over months and years, small discrepancies between what the data shows and what reality looks like compound into significant blind spots.
Morgan Stanley’s exposure wasn’t the result of a single decision. It was the result of many small gaps that accumulated over time — each one invisible on its own, collectively significant. By the time those gaps became visible to regulators, the cost of the underlying issue was a fraction of the cost of the outcome.
The Question Every IT Leader Should Be Able to Answer
The Morgan Stanley case wasn’t really about asset disposal. It was about the gap between what the data said and what was actually true.
The organizations that manage this risk best aren’t necessarily the ones with the most sophisticated tools. They’re the ones that can answer a simple set of questions with confidence:
- Where is this asset?
- Who has access to what?
- Which licenses are actually in use?
- Which offboardings are genuinely complete?
The moment an organization struggles to answer those questions, it’s carrying more risk than its records show.
Not because the data is wrong.
Because the data looks right.


