WASHINGTON — Staffers at the U.S. Securities and Exchange Commission failed to encrypt some of their computers containing highly sensitive information from stock exchanges, leaving the data vulnerable to cyber attacks, according to people familiar with the matter.
While the computers were unprotected, there was no evidence that hacking or spying on the SEC’s computers took place, these people said.
The computers and other electronic devices in question belonged to a handful of employees in an office within the SEC’s Trading and Markets Division. That office is responsible for making sure exchanges follow certain guidelines to protect the markets from potential cyber threats and systems problems, one of those people said.
Some of the staffers even brought the unprotected devices to a Black Hat convention, a conference where computer hacking experts gather to discuss the latest trends. It is not clear why the staffers brought the devices to the event.
The security lapses in the Trading and Markets Division are laid out in a yet-to-be-released report that by the SEC’s Interim Inspector General Jon Rymer.
The revelation comes as the SEC is encouraging companies to get more serious about cyber attacks. Last year, the agency issued guidance that public companies should follow in determining when to report breaches to investors.
Cyber security has become an even more pressing issue after high-profile companies from Lockheed Martin Corp to Bank of America Corp have fallen victim to hacking in recent years.
Nasdaq OMX Group, which runs the No. 2 U.S. equities exchange, in 2010 suffered a cyber attack on its collaboration software for corporate boards, but its trading systems were not breached.
One of the people familiar with the SEC’s security lapse said the agency was forced to spend at least $200,000 and hire a third-party firm to conduct a thorough analysis to make sure none of the data was compromised.
The watchdog’s report has already been circulated to the SEC’s five commissioners, as well as to key lawmakers on Capitol Hill, and is expected to be made public soon.
SEC spokesman John Nester declined to comment on the report’s findings.
Rich Adamonis, a spokesman for the New York Stock Exchange, said the exchange operator is “disappointed” with the SEC’s lapse.
“From the moment we were informed, we have been actively seeking clarity from the SEC to understand the full extent of the use of improperly secured devices and the information involved, as well as the actions taken by the SEC to ensure that there is proper remediation and a complete audit trail for the information,” he said.
A spokesman for Nasdaq OMX declined to comment on the security lapse at the SEC.
Since the internal investigation was concluded, the SEC initiated disciplinary actions against the people involved, one of the people familiar with the matter said.
The SEC also notified all of the exchanges about the incident.
The SEC’s Trading and Markets Division, which has several hundred staffers, is primarily responsible for overseeing the U.S. equity markets, ensuring compliance with rules and writing regulations for exchanges and brokerages.
Among the division’s tasks is to ensure exchanges are following a series of voluntary guidelines known as “Automation Review Policies,” or ARPs. These policies call for exchanges to establish programs concerning computer audits, security and capacity. They are, in essence, a road map of the capital markets’ infrastructure.
Although they are only voluntary guidelines, exchanges take them seriously.
Under the ARP, exchanges must provide highly secure information to the SEC such as architectural maps, systems recovery and business continuity planning details in the event of a disaster or other major event.
That is the same kind of data used by exchanges last week after Hurricane Sandy forced U.S. equities markets to shut down for two days.
Prior to re-opening, all of the U.S. stock market operators took part in coordinated testing for trading on NYSE’s backup system.
SEC Chairman Mary Schapiro recently said the SEC is working to convert the voluntary ARP guidelines into enforceable rules after a software error at Knight Capital Group nearly bankrupt the brokerage and led to a $440 million trading loss.
