April 22, 2014 - The Securities and Exchange Commission has been criticised by a US congressional watchdog over cybersecurity weaknesses, including the failure to authenticate users and encrypt sensitive data.
In an information security report (PDF), the Government Accountability Office (GAO) says that the SEC did not "consistently protect its system boundary from possible intrusions".
In addition, the regulator failed to audit and monitor actions taken on its networks, systems and databases. It even failed to restrict physical access to "sensitive assets".
In particular, the GAO found that the SEC did not securely configure the system at a new data centre, was lax in applying software patches and sloppy in disaster recovery planning. This was in part because of a failure to adequately oversee a contractor brought in to migrate to the new data centre last year.
The report comes just days after the SEC warned more than 50 registered broker-dealers and investment advisors that it would be checking their ability to counteract cyber-security threats.
The GAO says that because the SEC plays such an important role in the securities markets and relies heavily on computerised systems, it is essential that the commission has strong controls in place to protect information from misuse, fraudulent use, improper disclosure, manipulation, or destruction.
It is recommending that more effective oversight of contractors is introduced and risk management processes are tightened up.