According to the Government Accountability Office (GAO), frequently referred to as the Congressional Watchdog Office, the SEC has failed to implement a number of protective measures for its computer networks. The Securities and Exchange Commission (SEC) exists primarily to secure and regulate investments—basically everything the Federal Trade Commission (FTC) had formerly managed. Since 1997, the GAO has warned that the cybersecurity of the FTC “[was] a continuing concern.” In its latest report, the Watchdog Office revealed that the cyber infrastructure still caused concern.
In an unassuming 27-page report incidentally released on July 27, the Watchdog Office reported that the SEC had failed in the following areas:
- Encrypting sensitive information while in transmission;
- Auditing and monitoring actions taken on its systems and network;
- Consistently protecting its network boundaries from possible intrusions;
- Patching vulnerable systems;
- Replacing unsupported software;
- Ensuring comprehensive testing and evaluation of their security on a regular basis;
- And, discouragingly far from being the final failure in the report, strengthening accountability and oversight of IT employees.
Cyber “incidents” grew 1,300 percent between fiscal year 2006 and fiscal year 2015. Yet, the GAO wrote, “the commission also did not fully [monitor] their systems’ security configurations.” As of September 2016, 26 recommendations related to 26 deficiencies in the SEC’s financial systems remained unresolved. The report warned that unless the Securities and Exchange Commission implemented the long-overdue patches, a compromise could be in the agency’s near future. Across the OIG and GAO reports, very few federal agencies receive a remotely adequate “grade” in the cyber or financial security sectors.
Ironically, the Securities and Exchange Commission—a federal agency designed to prevent another Great Depression—threatens the nation’s economy. The SEC accomplishes more than “standing in the way of preventing another Great Depression.” It regulates the market, protects investments, restores consumer trust in the market, and encourages capital formation. (The SEC was established in the early 1930s, shortly after the stock market crash in 1929 that pushed the US into the Great Depression.) Yet, despite the agency’s indispensable role in the US’s future, the SEC continually neglects major finsec vulnerabilities.
The report gave credit to the SEC for successfully fixing numerous vulnerabilities from a prior inspection, but concluded on a more negative note. The GAO noted that fifteen more deficiencies had been discovered. The report urged the SEC both to monitor its network religiously and to scan continuously for vulnerabilities.
With that said, many government bodies fail to do well—per government inspection standards. The bar is clearly a high one.