Financial Markets:
Tighter Computer Security Needed
IMTEC-90-15: Published: Jan 5, 1990. Publicly Released: Feb 21, 1990.
Pursuant to a congressional request, GAO reviewed the Securities Industry Automation Corporation's (SIAC) Common Message Switch and Intermarket Trading Systems, and the National Association of Securities Dealers' (NASD) Automated Quotations System, focusing on the: (1) number of instances of hacker or virus attacks on certain securities trading networks and their related systems; (2) reasonableness of existing controls used to prevent or detect securities trading systems misuse; and (3) existing regulatory framework under which securities trading systems are accessed, operated, and overseen.
GAO found that: (1) the Securities and Exchange Commission (SEC), the stock exchanges, NASD, and SIAC reported no known instances of hacker or virus attacks on their systems; (2) the risk of such a threat was low, since NASD and SIAC implemented a wide range of security controls to protect their systems and the systems were not designed with features that would propagate a virus; (3) NASD had insufficient internal controls to protect its system against security intrusions and such interrelated weaknesses as computer staff performing tasks in excess of their normal responsibilities or inadequately performing their responsibilities; (4) both NASD and SIAC had inadequate quality assurance, physical security, contingency planning, and internal auditing; (5) SEC did not use rule reviews or inspection and surveillance activities to oversee financial market operations; (6) SEC relied on the exchanges and NASD to ensure information security over their systems, since it did not have sufficient technical expertise to conduct such reviews; and (7) NASD and SIAC did not establish formal information security programs, since they believed that a number of controls protected their information integrity.
Recommendations for Executive Action
Status: Closed - Implemented
Comments: SEC Office of Automation and International Markets staff have met with staff from NASD, NYSE, AMEX, and SIAC to confirm that the steps taken to correct these weaknesses were reasonable. Specific corrective actions for each weakness were included in the SEC response.
Recommendation: The Chairman, SEC, should immediately follow up on the security weaknesses identified in this report to ensure that they have been corrected.
Agency Affected: United States Securities and Exchange Commission
Status: Closed - Implemented
Comments: SEC continues to believe it is not necessary to mandate by Commission rule that the exchanges and NASD conform to the recommendation regarding risk analyses, written procedures, and awareness training. However, SEC has begun to explore the development of generally accepted security standards for the exchanges and NASD.
Recommendation: The Chairman, SEC, should oversee the exchanges' and NASD's plans as they expand the role of their computer security administration functions. Specifically, SEC should require that they: (1) conduct periodic risk analyses; (2) develop written information security plans, policies, and procedures; (3) conduct information security awareness training; and (4) obtain independent assessments of the reasonableness of network security controls.
Agency Affected: United States Securities and Exchange Commission
Status: Closed - Implemented
Comments: At the exchanges and NASD, independent assessments are being conducted as to the vulnerability of their systems to external and internal threats. Some assessments will be done by the end of calendar year 1991. The rest will be done by the end of calendar year 1992. SEC will review these assessments.
Recommendation: The Chairman, SEC, should periodically conduct or oversee independent assessments of the exchanges' and NASD's information security programs to ensure that they provide reasonable assurance that the networks and systems are adequately secured.
Agency Affected: United States Securities and Exchange Commission
Status: Closed - Implemented
Comments: In IMTEC-91-21, April 2, 1991, GAO concluded that SEC still needs to aggressively establish the technical expertise to control the risks of automation. GAO will continue to monitor the extent to which SEC obtained this expertise to effectively carry out its security oversight responsibilities.
Recommendation: The Chairman, SEC, should acquire the necessary technical expertise to conduct these activities.
Agency Affected: United States Securities and Exchange Commission