Financial Markets: Tighter Computer Security Needed

IMTEC-90-15 January 5, 1990
Full Report (PDF, 20 pages)

Summary

Pursuant to a congressional request, GAO reviewed the Securities Industry Automation Corporation's (SIAC) Common Message Switch and Intermarket Trading Systems, and the National Association of Securities Dealers' (NASD) Automated Quotations System, focusing on the: (1) number of instances of hacker or virus attacks on certain securities trading networks and their related systems; (2) reasonableness of existing controls used to prevent or detect securities trading systems misuse; and (3) existing regulatory framework under which securities trading systems are accessed, operated, and overseen.

GAO found that: (1) the Securities and Exchange Commission (SEC), the stock exchanges, NASD, and SIAC reported no known instances of hacker or virus attacks on their systems; (2) the risk of such a threat was low, since NASD and SIAC had implemented a wide range of security controls to protect their systems, and the systems were not designed with features that would propagate a virus; (3) NASD nonetheless had insufficient internal controls to protect its system against security intrusions, together with such interrelated weaknesses as computer staff performing tasks beyond their normal responsibilities or performing their assigned responsibilities inadequately; (4) both NASD and SIAC had inadequate quality assurance, physical security, contingency planning, and internal auditing; (5) SEC did not use rule reviews or inspection and surveillance activities to oversee financial market operations; (6) SEC relied on the exchanges and NASD to ensure the information security of their systems, since it did not have sufficient technical expertise to conduct such reviews itself; and (7) NASD and SIAC had not established formal information security programs, since they believed that the controls already in place adequately protected the integrity of their information.