US Accountability Body Criticizes SEC Infosec Approach

In its findings summary, the GAO said that the SEC did not adequately protect its system boundaries from intrusion, and failed to consistently authenticate users, monitor network activity, implement proper authorization procedures for sensitive data and restrict access at physical locations. Damningly, the GAO also found that the SEC did not properly segregate its development and production environments, with accounts for the former live on the latter's servers. The GAO also noted that although the SEC had put a disaster recovery and contingency plan in place, the plan did not include a critical system.
"[The] SEC continues to make progress in improving information security controls over its key financial systems," the GAO report summarizes. "However, information security control weaknesses in a key financial system's production environment may jeopardize the confidentiality, integrity, and availability of information residing in and processed by the system. These included deficiencies in [the] SEC's controls over access control, configuration management, segregation of duties, and contingency and disaster recovery planning. In addition, [the] SEC did not consistently provide adequate contractor oversight and implement an effective risk management process during the migration of an important financial system to its new location."
The report recommends that the SEC increase its oversight of contractors and institute a proper risk management program. A separate document, which was not widely distributed, makes 49 specific suggestions.
In its comments, the SEC acknowledged issues with the oversight of contractors and the wider criticisms made in the report, but said that once weaknesses were identified with server configurations, they were immediately rectified.