A new report from the U.S. Government Accountability Office (GAO) criticizes the Securities and Exchange Commission (SEC) for falling short in the area of cybersecurity.
While noting that the SEC had made progress in strengthening security controls, the report took the agency to task for several security gaps, including failing to consistently identify and authenticate users and to encrypt sensitive data. The GAO also criticized the SEC for other issues, such as not applying software patches intended to fix vulnerabilities in servers and databases in a “timely manner.” Other criticisms included an inadequate segregation of duties between the SEC’s development and production environments and a failure to develop a disaster recovery plan that ensured the redundancy of a critical server.
“The information security weaknesses existed, in part, because SEC did not effectively oversee and manage the implementation of information security controls during the migration of this key financial system to a new location,” according to the report. “Specifically, during the migration, SEC did not (1) consistently oversee the information security-related work performed by the contractor and (2) effectively manage risk.”
The report follows the announcement earlier this week of a new SEC initiative to analyze the cybersecurity practices of Wall Street firms.
“SEC continues to make progress in improving information security controls over its key financial systems,” according to the report. “However, information security control weaknesses in a key financial system’s production environment may jeopardize the confidentiality, integrity, and availability of information residing in and processed by the system. These included deficiencies in SEC’s controls over access control, configuration management, segregation of duties, and contingency and disaster recovery planning.”
“In addition, SEC did not consistently provide adequate contractor oversight and implement an effective risk management process during the migration of an important financial system to its new location,” the report noted.
In a letter responding to the GAO’s findings, SEC Chief Information Officer Thomas Bayer stated that the findings in the report were due to a lack of oversight of a contractor during the migration of a financial system to one of the agency’s two new data centers. While he agreed that the appropriate oversight was not present during the process and the system was deployed without meeting the agency’s normal configuration requirements, he added that the situation was addressed as soon as the SEC was notified by the GAO.
“While we regret the lack of contractor oversight of the system migration, we remain confident that our layered defense architecture would have allowed us to detect and respond to attempted intrusions in a timely fashion, and our forensic investigation yielded no evidence of compromise to that system,” Bayer wrote.
The report is available online.