The inspector general (IG) of the U.S. Securities and Exchange Commission (SEC) reported last week that the SEC has not sufficiently implemented information technology security upgrades to protect highly sensitive information from data breaches. The IG reported that SEC officials failed to deactivate idle user accounts, did not ensure that system owners kept their systems performing consistently, and failed to monitor risks. The Office of Information Technology did not implement a risk committee or ensure that employees follow best practices. Inspector General Carl Hoecker made more specific recommendations, which were not released because they contain sensitive information. A spokesman for the SEC said the agency agreed with the recommendations but declined to comment further. The SEC has implemented some changes since last year following the Federal Information Security Modernization Act of 2014: it improved its personal identity verification, established multifactor authentication, and generally improved identity and access management.
The IG report mirrors similar Government Accountability Office (GAO) findings released late last month. The GAO report outlined key areas of weakness in the SEC’s information security controls, including a lack of segregation between the agency’s computing environments and a failure to review and update plans for how systems could be recovered in the event of a disaster. The GAO particularly focused on the SEC’s failure to control access to its network, finding that the agency did not always restrict traffic passing through firewalls and did not ensure that only authorized people could access its filing systems. Weaknesses were also found in the physical security of SEC facilities. Stephanie Avakian, deputy director of the agency’s enforcement division, said in February that the agency was monitoring how companies react in the wake of data breaches.
Cybersecurity is the biggest risk facing the financial system, the SEC has said repeatedly. While the SEC has been criticized for its porous cybersecurity, the SEC has led numerous cybersecurity enforcement efforts on Wall Street. The SEC has fined various investment advisers tens of thousands of dollars for failing to implement proper cybersecurity policies before systems were hacked. Such enforcement efforts are expected to continue.