SEC Encryption Fail: Simple is So Hard

By Anthony Freed | November 09, 2012

Posted in: Network Security Trends

Even in the face of a never ending barrage of headlines about security lapses, it seems that some people must feel they are somehow immune to the threat of data loss and fail to follow basic security best practices. Reuters is reporting that staff members from the Securities and Exchange Commission's Trading and Markets Division brought laptops and mobile devices to the Black Hat conference in Las Vegas earlier this year which contained potentially sensitive data which was left completely unencrypted. You heard that right, unencrypted devices at Black Hat.

The Trading and Markets Division is responsible for establishing and maintaining "standards for fair, orderly, and efficient markets," according to their website, which includes elements of cybersecurity, according to the Reuters report. The Division primarily oversees compliance with a set of voluntary Automation Review Policies which direct securities exchanges to establish policies and procedures for conducting systems audits to ensure network security and continuity in the event of a disaster or other emergency.

The incident is potentially embarrassing for the agency, as they have been making a concerted effort in the last few years to encourage publicly traded companies to bolster their cybersecurity efforts and provide more transparency for stakeholders when a security-related incident occurs.

In October of 2011, the SEC's Division of Corporation Finance released guidance designed to assist publicly traded companies in assessing disclosure requirements regarding cybersecurity risks and incidents. The guidelines suggested companies evaluate security risks and disclose "the nature of the material risks and specify how each risk affects the [company]," taking into account any preventative actions taken by the company to reduce cybersecurity risks.

Now the agency itself is faced with evaluating its own policies and procedures, and will be disclosing the nature of the security lapse at the Trading and Markets Division. While the SEC thus far maintains that there is no evidence that any data on the devices was compromised, the SEC's Interim Inspector General Jon Rymer is expected to make public a report on the incident, and those involved with the lapse are being subjected to disciplinary action.
