* Chertoff tapped by NYSE following SEC computer incident
* SEC computers with sensitive data left unencrypted
* NYSE concerned about its data on those devices
By Sarah N. Lynch
WASHINGTON, Nov 16 (Reuters) - NYSE Euronext hired
former Homeland Security Secretary Michael Chertoff to make sure
sensitive exchange data was not breached after U.S. securities
regulators left their computers unencrypted, according to a
person familiar with the matter.
The computers, iPads, and other Apple devices
belonged to employees in an office within the Securities and
Exchange Commission's Trading and Markets Division that is
responsible for making sure exchanges protect themselves from
cyber threats.
The security lapses were detailed in a non-public Aug. 30
report by Interim Inspector General Jon Rymer that Reuters wrote
about earlier this month.
According to the SEC, no breach of data occurred, the
problem has been fixed, and two of the staffers responsible for
the vulnerabilities have left the agency.
But NYSE Euronext, operator of the New York Stock Exchange,
is not convinced that the SEC thoroughly investigated the issue,
this person said.
In early October, when the SEC first notified the exchange
about the issue, the NYSE hired Chertoff, now an attorney at
Covington & Burling, to look into the matter.
The New York Stock Exchange is the victim of "a gross
mishandling of data that would get an F from any security
official," said this person, who spoke on the condition of
anonymity.
A New York Stock Exchange spokesman confirmed it had hired
Chertoff. A spokesman for the SEC had no immediate comment.
The SEC's Office of Inspector General started its
investigation in January of 2011 after an anonymous complaint.
Its report said SEC staffers failed to install basic virus
protection on computers and various Apple devices, let alone
encrypt them.
One employee acknowledged the laptops had "vulnerability
assessments and maps and networking diagrams of how to hack into
the exchanges."
The report said the SEC staffers may have brought the
devices to a Black Hat Convention, where hacking experts convene
to discuss cyber security trends. The report does not say why
they attended the convention.
The staffers also used the devices to tap into wireless
networks in hotels, to download music and movies and for
personal banking, the report said.
In at least one case, a staffer admitted to using his
personal e-mail account to send sensitive data about the
Depository Trust & Clearing Corp, the U.S. equities market's
clearing agency, to his SEC e-mail account, the inspector
general's report said.
QUESTIONS REMAIN
The SEC spent nearly $350,000 to hire an outside forensics
team to test some of the laptops to be sure they had not been
hacked, according to Rymer's report. It also strengthened its
internal policies to protect non-public data.
The NYSE, however, has reason to believe there were other
unsecured devices containing exchange data which are only now
being reviewed, well after the outside forensics firm Stroz
Friedberg completed its independent analysis, the person
familiar with the matter said.
The inspector general's report states that while there were
28 laptops in question, the outside firm conducted forensic
testing on "several select laptops" to determine if a breach
occurred.
The NYSE is concerned the review was not broad enough and
did not cover all of the affected devices, the person said.
It has been promised, but still has not seen, a copy of
Stroz Friedberg's report, according to the source. A
representative of Stroz Friedberg was not immediately available
for comment.
Moreover, this person said, the exchange operator is upset
that the SEC knew about this problem for months, but only told
the exchange in early October.
The issue could require corrective steps on NYSE's part, and
because it is a publicly traded company, it is subject to
certain disclosure obligations mandated by the SEC.
Last year, the SEC released guidance that encouraged public
companies to disclose cyber threats to investors. The issue has
become more pressing after a series of high-profile companies
such as Lockheed Martin Corp and Bank of America Corp
fell prey to hackers.
The SEC office where the security problems occurred is
responsible for making sure exchanges and clearing agencies
follow a series of voluntary guidelines known as "Automation
Review Policies," or ARPs.
Under the ARPs, exchanges provide the SEC with highly
sensitive information such as architectural maps and details of
their systems recovery and business continuity planning for a
disaster or other major event.