Exclusive - SEC left computers vulnerable to cyber attacks - sources
By Sarah N. Lynch | November 9, 2012 1:00 PM EST
Staffers at the U.S. Securities and Exchange Commission failed to encrypt some of their computers containing highly sensitive information from stock exchanges, leaving the data vulnerable to cyber attacks, according to people familiar with the matter.
While the computers were unprotected, there was no evidence that hacking or spying on the SEC's computers took place, these people said.
The computers and other electronic devices in question belonged to a handful of employees in an office within the SEC's Trading and Markets Division. That office is responsible for making sure exchanges follow certain guidelines to protect the markets from potential cyber threats and systems problems, one of those people said.
Some of the staffers even brought the unprotected devices to a Black Hat convention, a conference where computer hacking experts gather to discuss the latest trends. It is not clear why the staffers brought the devices to the event.
The security lapses in the Trading and Markets Division are laid out in a yet-to-be-released report that by the SEC's Interim Inspector General Jon Rymer.
NO DATA BREACHED
The revelation comes as the SEC is encouraging companies to get more serious about cyber attacks. Last year, the agency issued guidance that public companies should follow in determining when to report breaches to investors.
Cyber security has become an even more pressing issue after high-profile companies from Lockheed Martin Corp to Bank of America Corp have fallen victim to hacking in recent years.
Nasdaq OMX Group, which runs the No. 2 U.S. equities exchange, in 2010 suffered a cyber attack on its collaboration software for corporate boards, but its trading systems were not breached.
One of the people familiar with the SEC's security lapse said the agency was forced to spend at least $200,000 and hire a third-party firm to conduct a thorough analysis to make sure none of the data was compromised.
The watchdog's report has already been circulated to the SEC's five commissioners, as well as to key lawmakers on Capitol Hill, and is expected to be made public soon.
SEC spokesman John Nester declined to comment on the report's findings.
SEC NOTIFIED EXCHANGES
Rich Adamonis, a spokesman for the New York Stock Exchange, said the exchange operator is "disappointed" with the SEC's lapse.
"From the moment we were informed, we have been actively seeking clarity from the SEC to understand the full extent of the use of improperly secured devices and the information involved, as well as the actions taken by the SEC to ensure that there is proper remediation and a complete audit trail for the information," he said.
A spokesman for Nasdaq OMX declined to comment on the security lapse at the SEC.
Since the internal investigation was concluded, the SEC initiated disciplinary actions against the people involved, one of the people familiar with the matter said.
The SEC also notified all of the exchanges about the incident.
The SEC's Trading and Markets Division, which has several hundred staffers, is primarily responsible for overseeing the U.S. equity markets, ensuring compliance with rules and writing regulations for exchanges and brokerages.
Among the division's tasks is to ensure exchanges are following a series of voluntary guidelines known as "Automation Review Policies," or ARPs. These policies call for exchanges to establish programs concerning computer audits, security and capacity. They are, in essence, a road map of the capital markets' infrastructure.
Although they are only voluntary guidelines, exchanges take them seriously.
Under the ARP, exchanges must provide highly secure information to the SEC such as architectural maps, systems recovery and business continuity planning details in the event of a disaster or other major event.
That is the same kind of data used by exchanges last week after Hurricane Sandy forced U.S. equities markets to shut down for two days.
Prior to re-opening, all of the U.S. stock market operators took part in coordinated testing for trading on NYSE's backup system.
SEC Chairman Mary Schapiro recently said the SEC is working to convert the voluntary ARP guidelines into enforceable rules after a software error at Knight Capital Group nearly bankrupt the brokerage and led to a $440 million trading loss.
(Reporting by Sarah N. Lynch; Editing by Karey Wutkowski and Lisa Shumaker)
Join the Conversation
- Tourre on stand says email in SEC case 'not accurate'
- Syrian authorities blocking access to needy in Homs - Red Cross
- Faith in European Union at low ebb, EU poll says
- Former UBS banker gets 18 months, $1 million fine, for muni bid-rigging scheme
- U.S. judge halts challenges to Detroit's bankruptcy bid
- Russia's New Tactical Nuclear Weapons Program Growing Confident Against the US: Talks of World War III
- Apple and Google Engage in Thermonuclear War, New Google Translate Chat App in the Works
- Chris Algieri’s Battered Face Trends On Social Media
- Walmart Offers the Best 2014 Black Friday Deals on iPhone 6, iPad Ai2 & Other Gadgets – Reports
- Highest Paid NBA Players 2014: NBA Stars Who Earn More Than LeBron James
- Kobani ISIS Fighter Sends Out Desperate Message For Prayers And Support: Euphoria Turns Into Desperation As Kurds Advance
- Update Samsung Galaxy S5 to Android 4.4.4 KitKat, Sprint Release and Installation