June 14, 2016

SEC Told to Beef Up Data Security

Holland & Knight Privacy Blog
Shannon Britton Hartsfield
On June 2, 2016, the Office of Inspector General (OIG) of the Securities and Exchange Commission (SEC) issued Report No. 535 highlighting data security risks. In its executive summary, the OIG observed that the SEC stores significant amounts of data that is personally sensitive, has commercial value, or is market-sensitive. The OIG noted that the SEC’s Office of Information Technology (OIT) “had not fully addressed some areas of potential risk identified in prior Federal Information Security Management Act evaluations.” The OIG also found that the OIT’s risk management program did not adequately monitor risks associated with system authorizations. Additionally, the OIT’s configuration management program failed to ensure that system owners adhered to baseline requirements. The executive summary attributes these weaknesses, in part, to a lack of effective implementation of the OIT Risk Committee that was supposed to manage risk and also to a failure to establish adequate controls. The OIG is requiring the SEC to prepare and submit a written corrective action plan within 45 days of the report’s issuance. Due to its sensitive nature, the full report is not being released publicly.