
What does the GAO's SEC cybersecurity report mean for regulation?

The GAO reported on SEC cybersecurity weaknesses, even though the SEC regulates cybersecurity. Expert Mike Chapple discusses the effects of this report.

The General Accountability Office recently posted a report on the U.S. Securities and Exchange Commission's cybersecurity efforts, which the GAO found to be lacking in several critical areas. What were the main takeaways from the GAO's SEC cybersecurity report? And what does this report mean for the SEC's own authority to regulate cybersecurity for private companies?

The Government Accountability Office (GAO) provides independent, external audits for government agencies. The GAO recently performed an audit of cybersecurity at the Securities and Exchange Commission (SEC) and issued a report finding that there were four key weaknesses that put SEC systems at risk.

The four findings about SEC cybersecurity were typical of those that might be found during an audit of any large organization. They included:

  1. Inconsistent use of access controls to prevent, limit and detect unauthorized access to computer systems. While there were SEC cybersecurity policies and controls in place, they were not consistently enforced.
  2. Inconsistent configuration management and baselining of computer systems.
  3. Inadequate separation of duties in several SEC computing systems.
  4. Failure to fully review and update disaster recovery and contingency plans for information systems.

The report stated that these problems were a direct result of the SEC not fully implementing an organization-wide information security program. It is important to note that the GAO put these four findings in context by saying "While not constituting material weaknesses or significant deficiencies, they warrant SEC management's attention." These SEC cybersecurity findings are not unlike those that information security managers around the world receive at the end of any comprehensive audit.

The GAO recommended that the SEC take several actions to fully implement its information security program and correct these issues. But there is no reason to believe that this audit will have any impact on the SEC's regulatory authority. The SEC's authority comes from Congress, and the GAO does not have the ability to remove any of its regulatory powers, nor has it expressed any desire to do so in the audit report.



This was last published in September 2016
