Last week the Inspector General of the Securities and Exchange Commission announced that it issued a report to Congress related to the security of confidential personally identifiable information collected and retained by the Commission. However, because “this report contains sensitive information about the SEC’s security program” the Inspector General declined to publicly release the report or even a high-level summary.
My View: Label me paranoid, but the SEC Inspector General’s decision not to share with the public the bottom line of its assessment of the SEC’s cybersecurity effectiveness included in a report provided to Congress – even in some sanitized form – may suggest that something is terribly wrong. But if there are material deficiencies in the SEC’s protection of personally identifiable information that it collects and maintains, the public has the right to know! This is particularly the case as the SEC progresses to implement its plan to create a single consolidated audit trail (known as “CAT”) to track all equities and options trading on US markets. (Click here to access background on the SEC’s CAT initiative, in the article, “SEC Seeks Views on Whether Proposal for Single Consolidated Audit Trail of All Equity and Equity Options Trading Is CAT’s Meow” in the May 1, 2016 edition of Bridging the Week.)