SEC Commissioner Encourages Commission to Bolster its Own Cybersecurity

Cybersecurity and Privacy   |   Securities Litigation and Enforcement   |   Securities Transactions and Compliance   |   December 17, 2015


On December 16, SEC Commissioner Luis Aguilar issued a statement regarding the SEC’s cybersecurity protocols for its data gathering efforts. Commissioner Aguilar’s statement follows various SEC initiatives to gather information about the securities markets that have led some market participants to worry about the strength of the SEC’s cybersecurity. In his statement, Commissioner Aguilar addressed current SEC cybersecurity measures and made recommendations he believes would allow the SEC to shore up its role as steward of sensitive personal and financial data.

In his statement, Commissioner Aguilar observed that “the most useful tool any regulator can possess is accurate and complete information on which to base its decisions.” Gathering this data has become increasingly difficult as the network of trading venues has increased to include 11 exchanges, approximately 44 alternative trading systems, and more than 200 broker-dealers.  Monitoring these venues requires the SEC to access and safeguard vast amounts of information, information that is constantly at risk of a data breach.

Acknowledging the SEC’s data modernization efforts, Commissioner Aguilar notes the various ways in which the SEC has revolutionized data including the planned Consolidated Audit Trail (CAT), which will allow the Commission to track trading activity for all major stocks in the United States; and the Division of Economic and Risk Analysis’s Quantitative Research Analytical Data Support program, which generates standardized quantitative reports of financial markets and registrant activities. Commissioner Aguilar cautioned that while the data marshalled by these efforts is invaluable to the SEC, it is also invaluable to cyber criminals.

Concerns about the SEC’s insufficient cybersecurity measures partly stem from reports from the Governmental Accounting Office (GAO) and the Inspector General. The GAO’s April 2015 report found that the SEC has “not consistently implement[ed] effective internal controls over its informational systems operations,” and found weaknesses relating to “baseline standards” and “security configurations” for “password settings and network services.” The Inspector General’s February 2015 report similarly noted several specific weaknesses, including a “lack of full implementation of continuous monitoring” and “outdated procedures and inconsistences with policies.”

Remedying these concerns requires a multi-pronged attack, according to Commissioner Aguilar, with efforts including training personnel to help them recognize and manage key cybersecurity threats, monitoring and updating policies and processes, focusing on internal defenses in addition to perimeter defenses, and insuring that third-party software developers incorporate sufficient security at the outset into products they sell to the SEC.

©2023 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.

Subscribe to Publications


The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.