SEC ignored years of warnings about cybersecurity before massive breach

For years before the Securities and Exchange Commission suffered a massive breach last year, federal watchdogs had warned the agency to encrypt the sensitive financial data stored in its networks.

The Government Accountability Office delivered the admonition most recently in July, a month before the SEC’s leadership learned of the 2016 hack. But the GAO’s advice to the SEC on this issue dates to at least 2008, when the watchdog said the SEC’s lack of encryption would make it easier for attackers to gain access to sensitive information.

The SEC declined to say whether the lack of encryption made it easier for hackers to gain access to sensitive filings. But encryption technology is widely used across corporate America and on consumer products such as smartphones and laptop computers. Without it, cybersecurity experts say, hackers can immediately read and use the data they steal; with it, a copied disk or database file is unreadable to anyone who does not also hold the key. Encryption at rest does not prevent every kind of data theft, since an attacker operating as a legitimate user on a running system sees the data in the clear, but it can limit the seriousness of the loss in many cases, they say.

“There isn’t really any excuse for organizations that hold deeply sensitive data not to be using disk encryption,” said Peter Eckersley, chief computer scientist for the Electronic Frontier Foundation, a civil liberties group. “The tools for doing so are mature, fairly easy to use and free.”
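To make concrete the point the experts above are making (stolen ciphertext is useless without the key, but encryption at rest is not a defense against every theft), here is an added example of record-level encryption at rest using AES-256-GCM from Go’s standard library. It is illustrative code written for this page, not anything from the SEC, the GAO or the Washington Post; the sample filing text and the record ID used as associated data are constructed for the demonstration, and full-disk tools such as LUKS or BitLocker apply the same idea transparently to a whole volume rather than per record.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Encrypt seals a record with AES-256-GCM. A fresh random 12-byte nonce is
// prepended to the ciphertext, and aad (here a record identifier, an
// assumption of this example) is authenticated but not encrypted, so one
// stored record cannot be silently swapped for another.
func Encrypt(key, aad, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice, giving nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt reverses Encrypt. Any change to the blob, the key or the aad makes
// the GCM tag check fail, and the function returns an error rather than data.
func Decrypt(key, aad, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// ContainsPlaintext models what a thief gets from a copied file: it reports
// whether the sensitive string is visible in the stored blob as-is.
func ContainsPlaintext(blob, secret []byte) bool {
	return bytes.Contains(blob, secret)
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample record; not a real filing.
	recordID := []byte("filings/8k-2016-0001")
	record := []byte("FORM 8-K (unfiled): merger to be announced Monday")

	sealed, err := Encrypt(key, recordID, record)
	if err != nil {
		panic(err)
	}
	// Stored without encryption, the secret is readable the moment the file is copied.
	fmt.Println("plain copy leaks:", ContainsPlaintext(record, []byte("merger")))
	// Stored encrypted, the same copy reveals nothing.
	fmt.Println("sealed copy leaks:", ContainsPlaintext(sealed, []byte("merger")))

	// Caveat the experts note: anyone holding the key (or a compromised
	// process that is allowed to use it) still reads the data normally.
	back, err := Decrypt(key, recordID, sealed)
	fmt.Println("holder of key reads:", string(back), err)

	// Tampering or a swapped record ID is detected rather than decrypted.
	sealed[len(sealed)-1] ^= 0x01
	_, err = Decrypt(key, recordID, sealed)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The key never appears next to the data: in practice it lives in a KMS, HSM or the platform key store, which is exactly what makes a copied disk or backup worthless to a thief. The last two lines of `main` are the limits of the protection, not a failure of it: an attacker with the key, or with a session on a system that holds it, reads the records, so encryption at rest is a damage limiter, not a substitute for access control.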

The agency’s apparent failure to heed the GAO’s warnings came as the Wall Street regulator aggressively pushed the companies it oversees to improve their cybersecurity. Last year the agency fined Morgan Stanley $1 million for failing to protect customers’ information, and in 2015 it chided R.T. Jones Capital Equities Management, a St. Louis-based investment adviser, for failing to establish cybersecurity policies, including on encryption.

“Maybe this means the SEC will be more sympathetic to the companies it is investigating,” said Scott H. Kimpel, a partner at Hunton & Williams and a former SEC lawyer.

The GAO found that the SEC had improved its security in many areas but still lagged in some critical places, including encryption. Until the SEC acts, “its financial and support systems and the information they contain will continue to be at unnecessary risk of compromise,” the watchdog said in July.

Source: The Washington Post