By Sarah N. Lynch | WASHINGTON, April 17
The Securities and Exchange Commission (SEC) has failed to protect its data network
against possible breaches, to encrypt highly sensitive
information, or to use strong enough passwords, the Government
Accountability Office said on Thursday.
In addition to the cybersecurity failings, even the physical
security in place to protect SEC data and equipment from being
accessed or stolen is lax, a 25-page GAO report said, with
workstations located in an area open to all agency staff.
The report comes just two days after the SEC issued a
nine-page blueprint that put Wall Street firms on notice that
they should brace themselves for some tough questions from
agency examiners about their cybersecurity policies and
practices.
"Information security control weaknesses in a key financial
system's production environment may jeopardize the
confidentiality, integrity, and availability of information
residing in and processed by the system," the GAO wrote.
"Cumulatively, these weaknesses decreased assurance
regarding the reliability of the data processed by the key
financial system and increased the risk that unauthorized
individuals could gain access to critical hardware or software."
Some of the weaknesses identified by the GAO stem from the
SEC's ineffective oversight over a contractor who was tasked
with migrating the agency's system to a new production
environment, the report said.
The GAO said SEC officials had failed to confirm that
certain security checks had been completed before the new system
went live.
In a letter responding to the GAO's findings, SEC Chief
Information Officer Thomas Bayer acknowledged a lack of
oversight over the contractor.
After GAO flagged the issue, he wrote, the SEC "immediately
shut down that system and reverted to the original, properly
configured environment."
Bayer added that despite this error, the SEC is confident
that its "layered defense architecture" would still have allowed
the agency to detect potential cyber intrusions.
Washington has been paying more attention to cybersecurity
threats in general after companies including Target Corp
and Neiman Marcus Group suffered major data breaches.
The incidents have sparked a public policy debate about how
customers should be alerted, who should bear the cost of
breaches, and how such information should be disclosed both to
government and the public.
U.S. lawmakers have considered weighing in on how consumers
should be notified of data theft. But progress on legislation is
not guaranteed in a busy election year.
The SEC in 2011 drafted informal staff-level guidance for
public companies to use when considering whether to disclose
cyber attacks and their impact on a company's financial
condition.
Last month, it asked experts to weigh in on whether the
agency can and should do more to ensure that public companies,
brokerages, asset managers and exchanges are protected and
properly disclosing cyber incidents.
Thursday's GAO findings are the latest in a string of
reports highlighting information security flaws at the SEC.
In addition to prior GAO reports, the SEC also came under
fire from its inspector general in 2012 after it was revealed
that some agency staff had failed to encrypt computers
containing highly sensitive data from U.S. stock exchanges.
(Reporting by Sarah N. Lynch; Editing by Mohammad Zargham)