GAO cites SEC for cybersecurity lapses

Weaknesses found in way agency authenticated users, authorized access and encrypted data

Apr 18, 2014 @ 11:32 am

By Mark Schoeff Jr.

In the same week that the Securities and Exchange Commission told advisers what kind of cybersecurity protections it wants them to implement, a government watchdog said the SEC should get its own house in order when it comes to defending against Internet threats.

In a report released Thursday, the Government Accountability Office said that SEC has not consistently protected itself from potential intrusions into its computer network. The GAO found weaknesses in the way the agency identified and authenticated users, authorized access and encrypted data, among other shortcomings.

The GAO study, conducted as part of GAO audits of the SEC's fiscal 2013 and 2014 financial statements, also found that the SEC did not exercise tight enough control over contractors working on its data system, failed to implement sufficiently strong password controls and poorly managed the migration of a key financial system to a new location.

“Cumulatively, these weaknesses decreased assurance regarding the reliability of the data processed by the key financial system and increased the risk that unauthorized individuals could gain access to critical hardware or software and intentionally or inadvertently access, alter, or delete sensitive data or computer programs,” the GAO report states.

“Until the SEC mitigates its control deficiencies and strengthens oversight of contractors performing security-related tasks as part of its information security program, it will continue to be at risk of ongoing deficiencies in the security controls over its financial and support systems and the information they contain,” the report continued.

Earlier this week, the SEC released a detailed checklist designed to give financial advisers guidance on what the agency will assess in cybersecurity exams of advisory firms and brokerages later this year.

Within the GAO report, the SEC said it has made significant investments in information-technology protection over the last three years and achieved improvements.

“While we regret the lack of contract oversight of the system migration, we remain confident that our layered defense architecture would have allowed us to detect and respond to attempted intrusions in a timely fashion, and our forensic investigation yielded no evidence of compromise to that system,” Thomas A. Bayer, the SEC's chief information officer, wrote in a March 31 letter attached to the report. “In 2014, the SEC will continue to optimize our controls and further improve the security of our systems that support financial processes and our overall risk management process.”

0
Comments

What do you think?

View comments

Recommended for you

Sponsored financial news

Featured video

INTV

Why some retirement plan advisers think Fidelity is invading their turf

InvestmentNews editor Frederick P. Gabriel Jr. and reporter Greg Iacurci talk about this week's cover story that looks at whether Fidelity Investments is stepping on the toes of retirement plan advisers.

Latest news & opinion

Is Fidelity competing with retirement plan advisers?

As the Boston-based mutual fund giant expands the products and services it brings to the retirement market, some financial advisers say the firm is encroaching on their turf.

Gun violence hits investment strategies, sparks political debates with advisers

Screening out weapons companies has limited downside.

Whistleblower said to collect $30 million in JPMorgan case

The bank did not properly disclose that it was steering asset-management customers into investments that would be profitable for JPMorgan Chase.

Social Security underpaid 82% of dually entitled widows and widowers

Agency failed to tell survivors that they could switch to a higher retirement benefit later.

If Finra eases firm oversight of outside business activities, broker-dealers could lose revenue

Brokerage firms would no longer be able to charge reps for supervising nonaffiliated RIAs.

X

Hi! Glad you're here and we hope you like all the great work we do here at InvestmentNews. But what we do is expensive and is funded in part by our sponsors. So won't you show our sponsors a little love by whitelisting investmentnews.com? It'll help us continue to serve you.

Yes, show me how to whitelist investmentnews.com

Ad blocker detected. Please whitelist us or give premium a try.

X

Subscribe and Save 60%

Premium Access
Print + Digital

Learn more
Subscribe to Print