SEC Lab Fails to Protect Stock Exchanges’ Data During Inspections

A security lab in the Division of Trading and Markets at the Securities and Exchange Commission did not properly protect data it collected from stock exchanges and clearing agencies during examinations of their computer systems and networks.

An investigation by the SEC’s Office of the Inspector General found that members of the lab took laptops on examinations without proper virus protection software, opened personal email that could launch malware that would infect data collected on their machines and did not encrypt messages being sent from or received by their machines.

The lab is part of the SEC’s Automation Review Policy (ARP) program, set up after the Black Monday stock market crash of 1987 to ensure that “market participants would acquire appropriate technology and assure its functionality — with regular capacity planning and testing exercises, and with system vulnerability assessments.”

The program also would include an annual independent review of those systems by all market participants. After the May 6, 2010, Flash Crash, chairman Mary L. Schapiro said the reviews could become required of a wide variety of organizations processing trades in American markets. But the inspector’s review of the SEC’s own ARP security lab’s practices found them wanting.

In a document dated August 30, 2012, and released this week in heavily redacted form, investigators say they found that lab staff were using laptops that lacked both virus protection and encryption capabilities during inspections of self-regulatory organizations, stock exchanges and clearing agencies.

The findings come in a year in which investor confidence in exchange operations has been marred by repeated problems with their computer systems. Most notable: the March 23 inability of BATS Global Markets to take its own shares public on its own exchange; and the May 19 flubbing of the initial public offering of Facebook shares on the Nasdaq Stock Market.

The inspector general’s office said it confirmed, through testimony from an unidentified party, that at least four of the lab’s 28 laptops were in fact unprotected and used in inspections. The OIG also found that an additional laptop identified by lab staff as having encryption did not have encryption during the period in question, which ran from 2008 through October of last year.

But, the inspector general said, “it is not currently known how many of those laptops (when) taken off site contained SRO, clearing agency, or exchange data.”

The SEC’s Office of Information Technology has contracted with an outside agency to perform a forensic evaluation of the 28 laptops to determine whether any such data was collected or stored on them without proper protection.

The Automation Review program is “to eventually take maps of SRO trading and business platforms and bring them into lab for testing,” the inspector general’s report says. But, one SEC official interviewed but not identified in the document said, the lab will “need to tighten things up significantly” first.

In testimony, one lab official “acknowledged the risk of infecting the SEC laptop that he takes on SRO inspections with viruses and malware by opening personal e-mails.”

But identities of lab personnel were redacted from the report.

Management did not “put in place policies and procedures to protect SRO, exchange, and clearing agency data collected by lab staff or take any steps to ensure that lab staff were abiding” by policies set by the Office of Information Technology for protecting data collected during inspections, according to the report.

“Although we found no evidence that data was compromised, the problem was fixed and the two staffers responsible for maintaining and configuring the equipment are no longer with the agency,” SEC spokesman John Nester said.

But the New York Stock Exchange confirmed Wednesday that it has hired former Homeland Security Secretary Michael Chertoff to look into the failure. Chertoff’s charge is to determine whether any sensitive data belonging to the exchange was breached during or after the inspections.

The other three major exchange operators, Nasdaq OMX Group, Direct Edge and BATS Global Markets, all declined comment.