What’s worse than neglecting to encrypt the data on the government-issue laptop you use to handle sensitive data related to the workings of U.S. equities markets? How about hopping on a plane and bringing said laptop with you to the Black Hat conference in Las Vegas, one of the world’s largest gatherings of hackers?
That’s just one of the allegations in an as-yet unreleased Inspector General report on irregularities at the U.S. Securities and Exchange Commission (SEC), according to a report on Friday by Reuters.
The Inspector General’s report, a copy of which was reviewed by Reuters, found evidence of widespread lapses in information security within the agency that acts as a watchdog over stock markets and exchanges within the U.S. Among other errors, staff at the SEC failed to encrypt laptops containing sensitive stock exchange data or even install antivirus software on those systems, Reuters reported.
The Inspector General found that four SEC staff used unencrypted computers – a violation of SEC policy. However, the investigation didn’t uncover evidence that data on the devices had been compromised, according to an e-mail statement from SEC spokesman Kevin Callahan.
Callahan told Security Ledger that the “problem was fixed” and that two SEC staffers responsible for “maintaining and configuring the equipment” were “no longer with the agency.”
The SEC is responsible for enforcing U.S. securities laws and regulating the nation’s stock and options exchanges. The agency is based in Washington, D.C. and employs 3,500 people, with another 1,400 full-time contractors working at its headquarters and in 11 regional offices located throughout the country.
The SEC isn’t shy about faulting publicly traded firms for failing to protect their information assets. Internally, however, Commission staff appeared to play fast and loose with the rules: ordering more than $1 million of unneeded equipment, including Apple iPads, and bringing government systems home for personal use and to conferences.
SEC staff are alleged to have carried unencrypted laptops to Las Vegas to attend the Black Hat convention – a risky proposition – and to connect them to public wireless networks when traveling to conduct inspections, the Reuters report said. Employees also used personal e-mail accounts to transmit sensitive data, including information about the Depository Trust & Clearing Corp.
Those practices wouldn’t pass muster at the publicly traded firms and options markets that the SEC polices. In fact, the Commission has bolstered its reporting requirements for cyber security. In 2011, for example, the SEC released guidance that called on companies to encrypt sensitive data and to disclose data breaches and other cyber attacks in quarterly filings (10-Q) or annual reports (10-K) in order to keep investors apprised of cyber incidents that may be material to the company.
This isn’t the first time that the SEC has been faulted for poor management of its information technology assets. Recent Inspector General reports faulted the agency (PDF) for failing to capture and monitor audit logs for critical servers operating within its network and for failing to adequately track, manage and audit government furnished IT equipment (PDF) used by its contractors.