By Sarah N. Lynch
WASHINGTON, April 3 (Reuters) - Sensitive non-public
information could be compromised if the U.S. Securities and
Exchange Commission fails to take additional steps to improve
its internal controls, an agency watchdog has found.
In two separate audits completed late last month, the SEC's
new inspector general, Carl Hoecker, found vulnerabilities in
the SEC's information technology system.
The first audit, dated March 25, examined how well the SEC
maintains controls to protect sensitive information that it
shares with the U.S. Financial Stability Oversight Council, or
FSOC, a body of regulators that guards against systemic risks.
The second audit, dated March 29, reviewed the SEC's
compliance with the Federal Information Security Management Act,
a federal law that lays down a framework for government agencies
to protect themselves against threats and ensure data is secure.
Both audits were conducted as routine reviews to ensure
compliance with federal rules and regulations, and were not
investigating any wrongdoing.
The inspector general's audits come as Congress and the
White House are restarting negotiations on legislation aimed at
improving U.S. defenses against cyber attacks.
The White House wants critical companies to comply with
minimum security standards and also wants to help protect
private information turned over to the government.
Protection of private company data is particularly important
for financial market regulators, who routinely use it to help
police the marketplace.
Hoecker's March 25 audit found that the SEC needs to take
more steps to safeguard critical information that companies such
as hedge funds provide to the SEC on a confidential basis.
That information, which often includes proprietary data, is
later reviewed by the FSOC.
The audit found that the SEC does not have controls to
restrict or prevent employees and contractors who are accessing
their e-mail remotely via the Internet from uploading or saving
non-public information to a non-government computer.
"As a result, sensitive or nonpublic information could
potentially be saved to a non-SEC computer," Hoecker wrote.
"There is a risk that an unauthorized person could gain access
to sensitive or nonpublic SEC information."
The SEC said the audit did not inquire whether any
information was actually compromised.
The second audit found that generally the SEC needs to do
more to continually monitor the security of its systems. It also
found the SEC did not always properly disable network accounts
for employees or contractors who have left the SEC.
"By not disabling these accounts, unauthorized
employees/contractors can have access to the SEC's network," the
report said, adding it was "putting the SEC at a higher risk for
SEC spokesman John Nester declined to comment beyond the
agency's comments attached to the two audits.
The SEC concurred with the recommendations and said it would
take steps to correct the problems.