SecurityWeek

GAO Report Knocks SEC for Cybersecurity Failings

A new report from the U.S. Government Accountability Office (GAO) criticizes the Securities and Exchange Commission (SEC) for falling short in the area of cybersecurity.


While noting the SEC had made progress in strengthening security controls, the report took the agency to task for several security gaps, including failing to consistently identify and authenticate users and to encrypt sensitive data. The GAO also criticized the SEC for not consistently applying software patches intended to fix vulnerabilities on servers and databases in a “timely manner.” Other criticisms included inadequate segregation of duties between the SEC’s development and production environments and a failure to develop a disaster recovery plan that ensured the redundancy of a critical server.

“The information security weaknesses existed, in part, because SEC did not effectively oversee and manage the implementation of information security controls during the migration of this key financial system to a new location,” according to the report. “Specifically, during the migration, SEC did not (1) consistently oversee the information security-related work performed by the contractor and (2) effectively manage risk.”

The report follows the announcement earlier this week of a new SEC initiative to analyze the cybersecurity practices of Wall Street firms.

“SEC continues to make progress in improving information security controls over its key financial systems,” according to the report. “However, information security control weaknesses in a key financial system’s production environment may jeopardize the confidentiality, integrity, and availability of information residing in and processed by the system. These included deficiencies in SEC’s controls over access control, configuration management, segregation of duties, and contingency and disaster recovery planning.”

“In addition, SEC did not consistently provide adequate contractor oversight and implement an effective risk management process during the migration of an important financial system to its new location,” the report noted.

In a letter responding to the GAO’s findings, SEC Chief Information Officer Thomas Bayer stated that the findings in the report were due to a lack of oversight of a contractor during the migration of a financial system to one of the agency’s two new data centers. While he agreed that the appropriate oversight was not present during the process and the system was deployed without meeting the agency’s normal configuration requirements, he added that the situation was addressed as soon as the SEC was notified by the GAO.

“While we regret the lack of contractor oversight of the system migration, we remain confident that our layered defense architecture would have allowed us to detect and respond to attempted intrusions in a timely fashion, and our forensic investigation yielded no evidence of compromise to that system,” Bayer wrote.


The report is available online.

Written By

Marketing professional with a background in journalism and a focus on IT security.
