SEC Has Info Security Weaknesses, GAO Says

Stay up-to-date with the latest developments in securities law through access to both news and all statutes and regulations. Find relevant corporate filings through a searchable EDGAR database. And...

By Phyllis Diamond

April 28 — The Securities and Exchange Commission needs to improve its controls over information security, the Government Accountability Office said April 28.

While the agency has addressed previously identified problems, including separating the user production network from the internal management network, “weaknesses continue to limit the effectiveness of other security controls.”

The report was based on GAO's audit of the commission's financial statements for fiscal years 2014 and 2015.

Inconsistent Protection

Although the agency had security policies and controls, it didn't consistently protect access to its systems, GAO said. In particular, it reported, the commission didn't consistently protect its network from possible intrusions, authenticate users, authorize access to resources, monitor actions taken on its systems or restrict access to sensitive assets. It also didn't consistently manage the configuration of its systems or appropriately separate incompatible duties, according to the report. A single individual shouldn't control all critical stages of a process, according to GAO.

In addition, it wrote, the agency's contingency and disaster recovery plans for its information systems weren't up to date. These and other weaknesses existed in part because SEC didn't fully implement an agency-wide information security program.

In other matters, GAO said that of 20 previously identified weaknesses that weren't resolved as of the end of fiscal 2014, the SEC had resolved five and made progress on the other 15 as of the end of the following fiscal year. 2015.

The weaknesses increase the risk that SEC's systems could be compromised, jeopardizing the confidentiality sensitive financial information, GAO said. “While not constituting material weaknesses or significant deficiencies, they warrant SEC management's attention.”

Recommended Action

In addition to the 15 earlier recommendations that haven't been fully implemented, GAO said, it is recommending that the SEC:

  •  update its information-tchnology and guidance
  •  document a physical inventory of the systems and applications in the production environment;
  •  update configuration baseline settings for the operating systems;
  •  give employees access to continuous monitoring reports and tools to remedy problems; and
  •  institute a process for reviewing information gathered by vulnerability scanning tools and remedying any problems.


GAO added that in a separate report with limited distribution, it recommended that the SEC take 30 actions to address newly identified control weaknesses.

In comments on a draft report, Chief Information Officer Pamela Dyson concurred with GAO's recommendations.

To contact the reporter on this story: Phyllis Diamond in Washington at

To contact the editor responsible for this story: Susan Jenkins at

For More Information

To see GAO Report No. 16-493, Opportunities Exist for SEC to Improve Its Controls Over Financial Systems and Data, go to

Request Securities & Capital Markets on Bloomberg Law