By Sarah N. Lynch
WASHINGTON (Reuters) - The U.S. Securities and Exchange Commission has failed to protect its data network against possible breaches, to encrypt highly sensitive information, or to use strong enough passwords, the Government Accountability Office said on Thursday.
In addition to the cybersecurity failings, even the physical security in place to protect SEC data and equipment from being accessed or stolen is lax, a 25-page GAO report said, with workstations located in an area open to all agency staff.
The report comes just two days after the SEC issued a nine-page blueprint that put Wall Street firms on notice that they should brace themselves for some tough questions from agency examiners about their cybersecurity policies and practices.
"Information security control weaknesses in a key financial system's production environment may jeopardize the confidentiality, integrity, and availability of information residing in and processed by the system," the GAO wrote.
"Cumulatively, these weaknesses decreased assurance regarding the reliability of the data processed by the key financial system and increased the risk that unauthorized individuals could gain access to critical hardware or software."
Some of the weaknesses identified by the GAO stem from the SEC's ineffective oversight over a contractor who was tasked with migrating the agency's system to a new production environment, the report said.
The GAO said SEC officials had failed to confirm that certain security checks had been completed before the new system went live.
In a letter responding to the GAO's findings, SEC Chief Information Officer Thomas Bayer acknowledged a lack of oversight over the contractor.
After GAO flagged the issue, he wrote, the SEC "immediately shut down that system and reverted to the original, properly configured environment."
Bayer added that despite this error, the SEC is confident that its "layered defense architecture" would still have allowed the agency to detect potential cyber intrusions.
Washington has been paying more attention to cybersecurity threats in general after companies including Target Corp
The incidents have sparked a public policy debate about how customers should be alerted, who should bear the cost of breaches, and how such information should be disclosed both to government and the public.
U.S. lawmakers have considered weighing in on how consumers should be notified of data theft. But progress on legislation is not guaranteed in a busy election year.
The SEC in 2011 drafted informal staff-level guidance for public companies to use when considering whether to disclose cyber attacks and their impact on a company's financial condition.
Last month, it asked experts to weigh in on whether the agency can and should do more to ensure that public companies, brokerages, asset managers and exchanges are protected and properly disclosing cyber incidents.
Thursday's GAO findings are the latest in a string of reports highlighting information security flaws at the SEC.
In addition to prior GAO reports, the SEC also came under fire from its inspector general in 2012 after it was revealed that some agency staff had failed to encrypt computers containing highly sensitive data from U.S. stock exchanges.
The report can be seen at http://www.gao.gov/assets/670/662612.pdf
(Reporting by Sarah N. Lynch; Editing by Mohammad Zargham)