EXCLUSIVE - SEC left computers vulnerable to cyber attacks - sources

WASHINGTON Fri Nov 9, 2012 7:24am IST

A sign for the Securities and Exchange Commission (SEC) is pictured in the foyer of the Fort Worth Regional Office in Fort Worth, Texas June 28, 2012. REUTERS/Mike Stone/Files

A sign for the Securities and Exchange Commission (SEC) is pictured in the foyer of the Fort Worth Regional Office in Fort Worth, Texas June 28, 2012.

Credit: Reuters/Mike Stone/Files

Related Topics

Stocks

   
Priyanka Gandhi Vadra, daughter of Congress party chief Sonia Gandhi, adjusts her flower garlands as she campaigns for her mother during an election meeting at Rae Bareli in Uttar Pradesh April 22, 2014. REUTERS/Pawan Kumar

Election 2014

More than 814 million people — a number larger than the population of Europe — are eligible to vote in the world’s biggest democratic exercise.  Full Coverage 

WASHINGTON (Reuters) - Staffers at the U.S. Securities and Exchange Commission failed to encrypt some of their computers containing highly sensitive information from stock exchanges, leaving the data vulnerable to cyber attacks, according to people familiar with the matter.

While the computers were unprotected, there was no evidence that hacking or spying on the SEC's computers took place, these people said.

The computers and other electronic devices in question belonged to a handful of employees in an office within the SEC's Trading and Markets Division. That office is responsible for making sure exchanges follow certain guidelines to protect the markets from potential cyber threats and systems problems, one of those people said.

Some of the staffers even brought the unprotected devices to a Black Hat convention, a conference where computer hacking experts gather to discuss the latest trends. It is not clear why the staffers brought the devices to the event.

The security lapses in the Trading and Markets Division are laid out in a yet-to-be-released report that by the SEC's Interim Inspector General Jon Rymer.

NO DATA BREACHED

The revelation comes as the SEC is encouraging companies to get more serious about cyber attacks. Last year, the agency issued guidance that public companies should follow in determining when to report breaches to investors.

Cyber security has become an even more pressing issue after high-profile companies from Lockheed Martin Corp to Bank of America Corp have fallen victim to hacking in recent years.

Nasdaq OMX Group, which runs the No. 2 U.S. equities exchange, in 2010 suffered a cyber attack on its collaboration software for corporate boards, but its trading systems were not breached.

One of the people familiar with the SEC's security lapse said the agency was forced to spend at least $200,000 and hire a third-party firm to conduct a thorough analysis to make sure none of the data was compromised.

The watchdog's report has already been circulated to the SEC's five commissioners, as well as to key lawmakers on Capitol Hill, and is expected to be made public soon.

SEC spokesman John Nester declined to comment on the report's findings.

SEC NOTIFIED EXCHANGES

Rich Adamonis, a spokesman for the New York Stock Exchange, said the exchange operator is "disappointed" with the SEC's lapse.

"From the moment we were informed, we have been actively seeking clarity from the SEC to understand the full extent of the use of improperly secured devices and the information involved, as well as the actions taken by the SEC to ensure that there is proper remediation and a complete audit trail for the information," he said.

A spokesman for Nasdaq OMX declined to comment on the security lapse at the SEC.

Since the internal investigation was concluded, the SEC initiated disciplinary actions against the people involved, one of the people familiar with the matter said.

The SEC also notified all of the exchanges about the incident.

The SEC's Trading and Markets Division, which has several hundred staffers, is primarily responsible for overseeing the U.S. equity markets, ensuring compliance with rules and writing regulations for exchanges and brokerages.

Among the division's tasks is to ensure exchanges are following a series of voluntary guidelines known as "Automation Review Policies," or ARPs. These policies call for exchanges to establish programs concerning computer audits, security and capacity. They are, in essence, a road map of the capital markets' infrastructure.

Although they are only voluntary guidelines, exchanges take them seriously.

Under the ARP, exchanges must provide highly secure information to the SEC such as architectural maps, systems recovery and business continuity planning details in the event of a disaster or other major event.

That is the same kind of data used by exchanges last week after Hurricane Sandy forced U.S. equities markets to shut down for two days.

Prior to re-opening, all of the U.S. stock market operators took part in coordinated testing for trading on NYSE's backup system.

SEC Chairman Mary Schapiro recently said the SEC is working to convert the voluntary ARP guidelines into enforceable rules after a software error at Knight Capital Group (KCG.N) nearly bankrupt the brokerage and led to a $440 million trading loss. (Reporting by Sarah N. Lynch; Editing by Karey Wutkowski and Lisa Shumaker)

FILED UNDER:
Comments (0)
This discussion is now closed. We welcome comments on our articles for a limited period after their publication.

  • Most Popular
  • Most Shared

Apple

REUTERS SHOWCASE

Hacking Threat

Hacking Threat

All at sea: global shipping fleet exposed to hacking threat.  Full Article 

Mt. Gox Update

Mt. Gox Update

Tokyo Court orders bankruptcy trustee to begin Mt. Gox liquidation .  Full Article 

Net Neutrality

Net Neutrality

U.S. regulators to propose new net neutrality rules in May.  Full Article 

Facebook Results

Facebook Results

Facebook Q1 revenue grows 72 percent on rising mobile ads.  Full Article | Related Story 

Huawei Shrugs

Huawei Shrugs

China's Huawei says reports of NSA spying won't impact growth  Full Article 

Betting on Content

Betting on Content

AOL, Microsoft lure advertisers with TV-style shows.  Full Article 

Restructuring Plans

Restructuring Plans

Zynga's Pincus withdraws from operations amid turnaround.  Full Article 

Security Threat

Security Threat

FBI warns healthcare sector vulnerable to cyber attacks.  Full Article 

Online Streaming

Online Streaming

Amazon grabs rights to stream older HBO shows.  Full Article 

Reuters India Mobile

Reuters India Mobile

Get the latest news on the go. Visit Reuters India on your mobile device.  Full Coverage