A Bad Report Card for a Security-Righteous SEC

Last week, the Government Accountability Office issued a report on information security lapses at the Securities and Exchange Commission. The report, an elaboration on problems identified in GAO's December 2013 audit report, warned that these problems created risks to "the confidentiality, integrity, and availability of a key financial system" at the SEC. In short, "information security weaknesses placed SEC financial data at risk" and the commission needs to work harder to fix them. That's not a great report card for an agency that is supposed to be keeping tabs on information security in the financial sector.

The GAO identified a number of specific problems with respect to the SEC's protection of a key financial system. For example, the SEC did not properly employ password protection, firewall settings, or encryption. The SEC also put the key financial system at risk by using outdated software products, failing properly to log potential security events, and not adequately controlling physical access to computer systems. The commission also failed to ensure that its contingency and disaster recovery plans were current and functioning properly. In connection with moving the financial system, the SEC "did not have timely awareness of potential security vulnerabilities, which resulted in pervasive control weaknesses in the system when the new production environment went live." The GAO concluded with the warning that until the SEC addresses its information security lapses, "it will continue to be at risk of ongoing deficiencies in the security controls over its financial and support systems and the information they contain."

Even without the GAO's warning, the SEC is keenly aware of the importance of information technology, the risks associated with employing it, and the need for strong security measures. In March, the SEC held a cybersecurity roundtable. Last week, the SEC's Office of Compliance Inspections and Examinations announced a mass cybersecurity examinationplan for broker-dealers and investment advisers. Ironically, compliance staffers will be examining for many of the same weaknesses that the GAO identified in its report.

In addition, the SEC is working on finalizing proposed Regulation Systems Compliance and Integrity ("Regulation SCI"), which would replace voluntary information technology standards for financial industry self-regulatory organizations (SROs)-such as the stock exchanges-with mandatory standards. The goal is to ensure that SROs' computer systems "have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity's operational capability and promote the maintenance of fair and orderly markets." Among the concerns the SEC raised in its proposal was the degree to which vulnerabilities in the SROs' financial and accounting systems could put the SROs' core operations at risk. Proposed Regulation SCI would require SROs to give SEC personnel access to key systems, including their security systems.

In light of the SEC's own problems, SROs could not be faulted for questioning the wisdom of granting the SEC access to their systems. Adding to concerns raised in the GAO's report are problems identified by the SEC's Office of Inspector General. An August 2012 reportlooked at the SEC office charged with overseeing SROs' information security. The report identified a number of troubling security lapses by that office, including the use of unencrypted laptops and unfiltered internet access. More recently, a March 2014 inspector general report on the SEC's information security found that the Office of Information Technology had not corrected certain previously identified problems and "needs to enhance its efforts regarding contractor systems, multi-factor authentication, user accounts, and configuration management."

Information security is challenging for the government and private sector alike, but these challenges weigh even more heavily on the SEC given its role in monitoring regulated entities. The SEC will be in a better position to set, inspect for compliance with, and enforce information technology standards if it takes the GAO's warnings and recommendations to heart.