Financial Markets:

Computer Security Controls at Five Stock Exchanges Need Strengthening

IMTEC-91-56: Published: Aug 28, 1991. Publicly Released: Aug 28, 1991.


Contact:

Howard G. Rhile, Jr
(202) 512-6418
contact@gao.gov

 


GAO reviewed the automated order routing and execution systems and operations at the American Stock Exchange, National Association of Securities Dealers (NASD), New York Stock Exchange, Midwest Stock Exchange, Pacific Stock Exchange, and Philadelphia Stock Exchange to determine whether internal control weaknesses existed.

GAO found that: (1) although the exchanges had controls in place to mitigate many of the risks associated with automation, inadequate system security and internal control weaknesses existed in all of the exchanges except NASD; (2) the lack of adequate controls at the five stock exchanges could impede their ability to maintain continuous service, protect critical computer equipment and operations, and process correct information; (3) at the exchanges where weaknesses existed, officials said that they had taken and planned to take additional steps to improve systemic and operational controls; and (4) stock market officials were concerned that the costs of eliminating certain weaknesses could be prohibitive.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: A GAO review of the automated operations at the American, Midwest, New York, Pacific, and Philadelphia stock exchanges identified 68 security and control weaknesses. The exchanges have corrected 22 of these weaknesses. SEC plans to monitor and assess the exchanges' actions on the remaining 46 weaknesses.

    Recommendation: The Chairman of the Securities and Exchange Commission (SEC) should ensure, as part of the Commission's oversight responsibilities, that the American, New York, Midwest, Pacific, and Philadelphia stock exchanges take corrective action to control the weaknesses found during the GAO review.

    Agency Affected: United States Securities and Exchange Commission

  2. Status: Closed - Implemented

    Comments: SEC noted that the Midwest Stock Exchange will have an independent review of all of the security control areas covered in the GAO report. In addition, the finding of the independent review will be verified by the SEC Office of Automation and International Markets.

    Recommendation: The Chairman, SEC, should ensure, as part of the Commission's oversight responsibilities, that the Midwest Stock Exchange has an independent risk assessment performed to evaluate the areas where GAO was denied access, and that appropriate corrective action is taken to control any weaknesses found.

    Agency Affected: United States Securities and Exchange Commission

  3. Status: Closed - Implemented

    Comments: SEC is taking steps to monitor security control weaknesses. SEC will provide the oversight needed to ensure that: (1) risks are reduced through the actions taken to correct weaknesses; or (2) an assessment is conducted of the vulnerability related to weaknesses when the exchanges decide to assume the risk.

    Recommendation: The Chairman, SEC, should ensure, as part of the Commission's oversight responsibilities, that the stock markets keep the Commission apprised of the market risks associated with any outstanding weaknesses that are not corrected.

    Agency Affected: United States Securities and Exchange Commission

 
