Financial Markets:
Tighter Computer Security Needed
IMTEC-90-15: Published: Jan 5, 1990. Publicly Released: Feb 21, 1990.
Additional Materials:
- Full Report:
Contact:
(202) 512-6418
contact@gao.gov
Office of Public Affairs
(202) 512-4800
youngc1@gao.gov
Pursuant to a congressional request, GAO reviewed the Securities Industry Automation Corporation's (SIAC) Common Message Switch and Intermarket Trading Systems, and the National Association of Securities Dealers' (NASD) Automated Quotations System, focusing on the: (1) number of instances of hacker or virus attacks on certain securities trading networks and their related systems; (2) reasonableness of existing controls used to prevent or detect securities trading systems misuse; and (3) existing regulatory framework under which securities trading systems are accessed, operated, and overseen.
GAO found that: (1) the Securities and Exchange Commission (SEC), the stock exchanges, NASD, and SIAC reported no known instances of hacker or virus attacks on their systems; (2) the risk of such a threat was low, since NASD and SIAC implemented a wide range of security controls to protect their systems and the systems were not designed with features that would propagate a virus; (3) NASD had insufficient internal controls to protect its system against security intrusions and such interrelated weaknesses as computer staff performing tasks in excess of their normal responsibilities or inadequately performing their responsibilities; (4) both NASD and SIAC had inadequate quality assurance, physical security, contingency planning, and internal auditing; (5) SEC did not use rule reviews or inspection and surveillance activities to oversee financial market operations; (6) SEC relied on the exchanges and NASD to ensure information security over their systems, since it did not have sufficient technical expertise to conduct such reviews; and (7) NASD and SIAC did not establish formal information security programs, since they believed that a number of controls protected their information integrity.
Recommendations for Executive Action
Status: Closed - Implemented
Comments: SEC Office of Automation and International Markets staff have met with staff from NASD, NYSE, AMEX, and SIAC to confirm that the steps taken to correct these weaknesses were reasonable. Specific corrective actions for each weakness were included in the SEC response.
Recommendation: The Chairman, SEC, should immediately follow up on the security weaknesses identified in this report to ensure that they have been corrected.
Agency Affected: United States Securities and Exchange Commission
Status: Closed - Implemented
Comments: SEC continues to believe it is not necessary to mandate by Commission rule that the exchanges and NASD conform to the recommendation regarding risk analyses, written procedures, and awareness training. However, SEC has begun to explore the development of generally accepted security standards for the exchanges and NASD.
Recommendation: The Chairman, SEC, should oversee the exchanges' and NASD plans as they expand the role of their computer security administration functions. Specifically, SEC should require that they: (1) conduct periodic risk analyses; (2) develop written information security plans, policies and procedures; (3) conduct information security awareness training; and (4) obtain independent assessments of the reasonableness of network security controls.
Agency Affected: United States Securities and Exchange Commission
Status: Closed - Implemented
Comments: At the exchanges and NASD, independent assessments are being conducted as to the vulnerability of their systems to external and internal threats. Some assessments will be done by the end of calendar year 1991. The rest will be done by the end of calendar year 1992. SEC will review these assessments.
Recommendation: The Chairman, SEC, should periodically conduct or oversee independent assessments of the exchanges' and NASD information security programs to ensure that they provide reasonable assurance that the networks and systems are adequately secured.
Agency Affected: United States Securities and Exchange Commission
Status: Closed - Implemented
Comments: In IMTEC-91-21, April 2, 1991, GAO concluded that SEC still needs to aggressively establish the technical expertise to control the risks of automation. GAO will continue to monitor the extent to which SEC obtained this expertise to effectively carry out its security oversight responsibilities.
Recommendation: The Chairman, SEC, should acquire the necessary technical expertise to conduct these activities.
Agency Affected: United States Securities and Exchange Commission
Explore the full database of GAO's Open Recommendations
»
Explore the full database of GAO's Open Recommendations
Sep 17, 2018
Cybersecurity:
Office of Federal Student Aid Should Take Additional Steps to Oversee Non-School Partners' Protection of Borrower InformationGAO-18-518: Published: Sep 17, 2018. Publicly Released: Sep 17, 2018.
Sep 7, 2018
-
Data Protection:
Actions Taken by Equifax and Federal Agencies in Response to the 2017 BreachGAO-18-559: Published: Aug 30, 2018. Publicly Released: Sep 7, 2018.
Sep 6, 2018
-
High-Risk Series:
Urgent Actions Are Needed to Address Cybersecurity Challenges Facing the NationGAO-18-622: Published: Sep 6, 2018. Publicly Released: Sep 6, 2018.
Jul 31, 2018
-
Information Security:
IRS Needs to Rectify Control Deficiencies That Limit Its Effectiveness in Protecting Sensitive Financial and Taxpayer DataGAO-18-391: Published: Jul 31, 2018. Publicly Released: Jul 31, 2018.
Jul 25, 2018
-
High-Risk Series:
Urgent Actions Are Needed to Address Cybersecurity Challenges Facing the NationGAO-18-645T: Published: Jul 25, 2018. Publicly Released: Jul 25, 2018.
Jul 12, 2018
-
Information Security:
Supply Chain Risks Affecting Federal AgenciesGAO-18-667T: Published: Jul 12, 2018. Publicly Released: Jul 12, 2018.
Jun 14, 2018
-
Cybersecurity Workforce:
Agencies Need to Improve Baseline Assessments and Procedures for Coding PositionsGAO-18-466: Published: Jun 14, 2018. Publicly Released: Jun 14, 2018.
May 14, 2018
-
Protecting Classified Information:
Defense Security Service Should Address Challenges as New Approach Is PilotedGAO-18-407: Published: May 14, 2018. Publicly Released: May 14, 2018.
Apr 24, 2018
-
Cybersecurity:
DHS Needs to Enhance Efforts to Improve and Promote the Security of Federal and Private-Sector NetworksGAO-18-520T: Published: Apr 24, 2018. Publicly Released: Apr 24, 2018.
Mar 7, 2018
-
Cybersecurity Workforce:
DHS Needs to Take Urgent Action to Identify Its Position and Critical Skill RequirementsGAO-18-430T: Published: Mar 7, 2018. Publicly Released: Mar 7, 2018.
Looking for more? Browse all our products here
Explore our Key Issues on Information Security
Explore our other Key Issues here
