GAO Report Knocks SEC for Cybersecurity Failings

A new report from the U.S. Government Accountability Office (GAO) criticizes the Securities and Exchange Commission (SEC) for falling short in the area of cybersecurity.

While noting that the SEC had made progress in strengthening security controls, the report took the agency to task for several security gaps, including failing to consistently identify and authenticate users and to encrypt sensitive data. The GAO also faulted the SEC on other points, such as not consistently applying, in a “timely manner,” software patches intended to fix vulnerabilities on servers and databases. Other criticisms included inadequate segregation of duties between the SEC’s development and production environments and a failure to develop a disaster recovery plan that ensured the redundancy of a critical server.

“The information security weaknesses existed, in part, because SEC did not effectively oversee and manage the implementation of information security controls during the migration of this key financial system to a new location,” according to the report. “Specifically, during the migration, SEC did not (1) consistently oversee the information security-related work performed by the contractor and (2) effectively manage risk.”

The report follows the announcement earlier this week of a new SEC initiative to analyze the cybersecurity practices of Wall Street firms.

“SEC continues to make progress in improving information security controls over its key financial systems,” according to the report. “However, information security control weaknesses in a key financial system’s production environment may jeopardize the confidentiality, integrity, and availability of information residing in and processed by the system. These included deficiencies in SEC’s controls over access control, configuration management, segregation of duties, and contingency and disaster recovery planning.”

“In addition, SEC did not consistently provide adequate contractor oversight and implement an effective risk management process during the migration of an important financial system to its new location,” the report noted.

In a letter responding to the GAO’s findings, SEC Chief Information Officer Thomas Bayer stated that the findings in the report were due to a lack of oversight of a contractor during the migration of a financial system to one of the agency’s two new data centers. While he agreed that the appropriate oversight was not present during the process and the system was deployed without meeting the agency’s normal configuration requirements, he added that the situation was addressed as soon as the SEC was notified by the GAO.

“While we regret the lack of contractor oversight of the system migration, we remain confident that our layered defense architecture would have allowed us to detect and respond to attempted intrusions in a timely fashion, and our forensic investigation yielded no evidence of compromise to that system,” Bayer wrote.

The report is available online.
