Summary

The September 11, 2001, terrorist attacks on the World Trade Center exposed the vulnerability of the financial markets to disruption by such events. As part of a series of reviews we have performed at the request of Members of Congress, we have examined and reported on the adequacy of the steps that financial market participants have taken to reduce their vulnerability to attacks and to be better able to recover from such events when they occur. In addition to taking steps to reduce the likelihood that physical attacks will damage their facilities, financial market organizations must also implement protections to reduce the potential for electronic attacks to disrupt their operations. Electronic attacks can be the result of individuals (such as hackers) or groups, such terrorist organizations or foreign governments, attempting to gain unauthorized access to a specific organization's networks or systems or from malicious computer programs or codes, such as viruses or worms, that seek to damage data or deny access to legitimate users. Given the importance of this topic, Congress asked us to review the measures taken by selected critical financial market organizations, including exchanges, clearing organizations, and payment system processors, to protect themselves from attacks and we reported our results in September 2004. At the time we prepared that report, we were still completing our reviews of the seven selected organizations' information security protections. For this report, our objective was to assess the information security programs in place at these organizations. To maintain the confidentiality of the sensitive information we examined, this report refrains from naming the organizations we reviewed and presents the results of our work in an high-level, aggregated manner.

We found that all seven of the selected financial market organizations are taking steps to prevent their operations from being disrupted by electronic attacks. Each of the organizations had implemented the five major elements of a sound information security program. However, we identified actions that each organization could take to further improve their protections against attacks or unauthorized access. At the time of this report, many of the organizations had already implemented some of these improvements and had developed plans to address almost all of the other actions we identified. As regulators of these organizations, staff from the Securities and Exchange Commission (SEC) and the Federal Reserve Board of Governors (Federal Reserve) were briefed on the detailed results of our reviews and both indicated that they plan to monitor the progress of the organizations they oversee in implementing the information security improvements we raised during our reviews.