Financial Markets:

Tighter Computer Security Needed

IMTEC-90-15: Published: Jan 5, 1990. Publicly Released: Feb 21, 1990.

Additional Materials:


Howard G. Rhile, Jr
(202) 512-6418


Office of Public Affairs
(202) 512-4800

Pursuant to a congressional request, GAO reviewed the Securities Industry Automation Corporation's (SIAC) Common Message Switch and Intermarket Trading Systems, and the National Association of Securities Dealers' (NASD) Automated Quotations System, focusing on the: (1) number of instances of hacker or virus attacks on certain securities trading networks and their related systems; (2) reasonableness of existing controls used to prevent or detect securities trading systems misuse; and (3) existing regulatory framework under which securities trading systems are accessed, operated, and overseen.

GAO found that: (1) the Securities and Exchange Commission (SEC), the stock exchanges, NASD, and SIAC reported no known instances of hacker or virus attacks on their systems; (2) the risk of such a threat was low, since NASD and SIAC implemented a wide range of security controls to protect their systems and the systems were not designed with features that would propagate a virus; (3) NASD had insufficient internal controls to protect its system against security intrusions and such interrelated weaknesses as computer staff performing tasks in excess of their normal responsibilities or inadequately performing their responsibilities; (4) both NASD and SIAC had inadequate quality assurance, physical security, contingency planning, and internal auditing; (5) SEC did not use rule reviews or inspection and surveillance activities to oversee financial market operations; (6) SEC relied on the exchanges and NASD to ensure information security over their systems, since it did not have sufficient technical expertise to conduct such reviews; and (7) NASD and SIAC did not establish formal information security programs, since they believed that a number of controls protected their information integrity.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: SEC Office of Automation and International Markets staff have met with staff from NASD, NYSE, AMEX, and SIAC to confirm that the steps taken to correct these weaknesses were reasonable. Specific corrective actions for each weakness were included in the SEC response.

    Recommendation: The Chairman, SEC, should immediately follow up on the security weaknesses identified in this report to ensure that they have been corrected.

    Agency Affected: United States Securities and Exchange Commission

  2. Status: Closed - Implemented

    Comments: SEC continues to believe it is not necessary to mandate by Commission rule that the exchanges and NASD conform to the recommendation regarding risk analyses, written procedures, and awareness training. However, SEC has begun to explore the development of generally accepted security standards for the exchanges and NASD.

    Recommendation: The Chairman, SEC, should oversee the exchanges' and NASD plans as they expand the role of their computer security administration functions. Specifically, SEC should require that they: (1) conduct periodic risk analyses; (2) develop written information security plans, policies and procedures; (3) conduct information security awareness training; and (4) obtain independent assessments of the reasonableness of network security controls.

    Agency Affected: United States Securities and Exchange Commission

  3. Status: Closed - Implemented

    Comments: At the exchanges and NASD, independent assessments are being conducted as to the vulnerability of their systems to external and internal threats. Some assessments will be done by the end of calendar year 1991. The rest will be done by the end of calendar year 1992. SEC will review these assessments.

    Recommendation: The Chairman, SEC, should periodically conduct or oversee independent assessments of the exchanges' and NASD information security programs to ensure that they provide reasonable assurance that the networks and systems are adequately secured.

    Agency Affected: United States Securities and Exchange Commission

  4. Status: Closed - Implemented

    Comments: In IMTEC-91-21, April 2, 1991, GAO concluded that SEC still needs to aggressively establish the technical expertise to control the risks of automation. GAO will continue to monitor the extent to which SEC obtained this expertise to effectively carry out its security oversight responsibilities.

    Recommendation: The Chairman, SEC, should acquire the necessary technical expertise to conduct these activities.

    Agency Affected: United States Securities and Exchange Commission


Explore the full database of GAO's Open Recommendations »

Oct 9, 2020

Sep 22, 2020

Sep 21, 2020

Sep 17, 2020

Sep 16, 2020

Aug 18, 2020

May 27, 2020

May 13, 2020

Apr 24, 2020

Apr 13, 2020

Looking for more? Browse all our products here