SEC’s IT Security Under Attack as It Attacks Others

McGuireWoods LLP

The Inspector General (IG) of the U.S. Securities and Exchange Commission (SEC) reported last week that the SEC has not sufficiently implemented information technology security upgrades to protect highly sensitive information from data breaches. The IG reported that SEC officials failed to deactivate idle user accounts, did not ensure that system owners kept their systems performing consistently, and failed to monitor risks. The Office of Information Technology did not implement a risk committee or ensure that employees follow best practices. Inspector General Carl Hoecker made more specific recommendations, which were not released because they contain sensitive information. A spokesman for the SEC said the agency agreed with the recommendations but declined to comment further. The SEC did implement some changes since last year following the Federal Information Security Modernization Act of 2014: it improved its personal identity verification, established multifactor authentication, and generally improved identity and access management.

The IG report mirrors similar Government Accountability Office (GAO) findings released late last month. The GAO report outlined key areas of weakness in the SEC’s information security controls, including a lack of segregation between the agency’s computing environments and a failure to review and update plans for how systems could be recovered in the event of a disaster. The GAO particularly focused on the SEC’s failure to control access to its network, finding that the agency did not always restrict traffic passing through firewalls and did not ensure that only authorized people could access its filing systems. Weaknesses were also found in the physical security of SEC facilities. Stephanie Avakian, deputy director for the agency’s enforcement division, said in February that the agency was monitoring how companies react in the wake of data breaches.

Cybersecurity is the biggest risk facing the financial system, the SEC has said repeatedly. While the SEC has been criticized for its porous cybersecurity, it has led numerous cybersecurity enforcement efforts on Wall Street, fining various investment advisers tens of thousands of dollars for failing to implement proper cybersecurity policies before their systems were hacked. Such enforcement efforts are expected to continue.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© McGuireWoods LLP | Attorney Advertising
