Who regulates the regulator? When it comes to keeping sensitive Securities and Exchange Commission financial data safe, it’s the job of the Government Accountability Office to make sure the SEC is keeping its internal controls strong. A new report from the GAO, however, says that the SEC’s data security is improving but still fallible.
To be sure, by 2006 the SEC had fixed 58 of the 71 weaknesses in its internal controls that the GAO had found in its 2005 audit. Besides the 13 lingering flaws, 15 new weaknesses were found. The SEC corrected 11 of these new problems during the course of the review and successfully passed its audit last September.
But that’s not nearly enough, according to the GAO report. “Despite this progress, SEC has not consistently implemented certain key controls to effectively safeguard the confidentiality, integrity, and availability of its financial and sensitive information,” the accountability office said.
A basic flaw in its controls “is that SEC had not consistently implemented elements of its information security program,” the GAO said. “Until SEC does, it will have limited assurance that it will be able to manage risks and protect sensitive information on an ongoing basis.”
The SEC has been inconsistent in implementing its policies and procedures, hasn’t tested and evaluated the effectiveness of the controls on its major systems, and didn’t always act effectively and in a timely way to correct the weaknesses tracked in its remedial-action plans, the authors of the report say.
One key weak spot was SEC computer applications that were connected simultaneously to the Internet and to the SEC’s internal network, according to the GAO, which noted that the gap could give potential hackers remote access to sensitive materials. Another flaw was a failure to ensure that database accounts were protected by strong passwords, which would keep unauthorized users out of SEC systems. And servers reportedly weren’t configured restrictively enough to bar unauthorized users from performing specific tasks.
Further, the GAO criticized the SEC for being vulnerable to physical breaches because of poor security at key locations and a relaxed approach to checking photo identification.
As part of its audit of the commission’s fiscal year 2006 financial statements, the GAO took stock of the effectiveness of the SEC’s information security controls over key financial systems, data, and networks. The watchdog’s specific objectives were to assess the status of SEC actions to correct or improve previously reported information security weaknesses, and the effectiveness of the SEC’s information system controls for ensuring the confidentiality, integrity, and availability of its data.
SEC Chairman Christopher Cox said earlier this week in testimony before Congress that the agency wasn’t exempt from the need to modernize and that it would continue to improve its internal financial controls, upgrade its financial system, and provide better security for its information systems. In a letter enclosed with the GAO report, Cox said, “Information security is a critical priority for the SEC. We are committed to proper stewardship of the sensitive information that is entrusted to us.”
Despite its at-best-middling grades from the GAO, the SEC has been pushing for companies to begin using eXtensible Business Reporting Language, or XBRL, to digitally organize the financial information in their filings with the commission, with the aim of improving accessibility and security. But as the SEC continues to handle more information digitally, potential holes in its security could become an even bigger issue.