Morgan Stanley has agreed to pay $1 million to settle charges for failing to protect consumer data, after some customers had they data offered for sale online after a hacking incident, federal officials said Wednesday.

The Securities and Exchange Commission has issued an order finding that the investment bank failed to adopt adequate written policies and procedures to protect customer data. The SEC’s action stemmed from incidents between 2011 and 2014 when an employee (since departed) accessed and transferred confidential data of about 730,000 customer accounts to his personal server.

That server was subsequently hacked by a third party, resulting in some of the data being posted on the internet with offers to sell larger quantities, the SEC said. “Given the dangers and impact of cyber breaches, data security is a critically important aspect of investor protection.  We expect SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information,” said Andrew Ceresney, director of the SEC Enforcement Division.

In a separate order, the former employee Galen Marsh agreed to an industry and penny stock bar with the right to apply for re-entry after five years. Marsh pleaded guilty to unauthorized access to a computer and received 36 months of probation and a $600,000 restitution order.

Morgan Stanley agreed to settle the charges without admitting or denying any wrongdoing. In a statement, the bank said that it “is pleased to settle this matter, which results from the theft by a former employee of certain limited client data that was reported in January, 2015. Following the discovery of the incident, Morgan Stanley promptly alerted law enforcement and regulators, and notified affected clients.”

“Morgan Stanley worked quickly to protect affected clients by changing account numbers and offering credit monitoring and identity theft protection services, and has strengthened its mechanisms for safeguarding client data,” the company statement continues. “No fraud against any client account was reported as a result of this incident.”