WASHINGTON (Reuters) - The Securities and Exchange Commission is warning staffers that their personal brokerage account information may have been compromised, after it uncovered security flaws with an ethics compliance program.
The SEC put the program in place after its internal watchdog raised concerns about possible insider trading among SEC staffers.
In an October 7 letter to SEC employees, Chief Information Officer Thomas Bayer said that the contractor hired to operate a computer program that tracks trades had violated its agreement with the SEC by providing names and account numbers to a subcontractor without permission.
“We are not aware of any actual misuse of the data,” Bayer wrote. “Nevertheless, it is the SEC’s policy to provide notification of any incident that presents the potential for unauthorized access to personal information.”
The SEC said employees should consider placing a fraud alert on their credit files. The agency also said it will offer employees a free year of credit monitoring.
The contractor, Financial Tracking Technologies LLC, was selected by the SEC in the second quarter of 2009 to set up the new ethics system.
The changes came after the agency’s inspector general, David Kotz, issued a March 2009 report alleging that two agency employees possibly engaged in insider trading.
Although no civil or criminal actions have resulted from that report, it prompted a major shake-up in how the SEC tracks the trades of its employees.
In a May 2009 announcement, SEC Chairman Mary Schapiro called for the SEC to have a “world class compliance program” to help prevent “not only an actual impropriety, but the appearance of one as well.”
In addition to developing the computer system that is now the subject of the security breach, the agency also issued new internal rules requiring the preclearance of all trades and prohibiting trading in the securities of any company under investigation.
According to the SEC’s letter to employees, the Office of Information Technology initiated a security review on September 16, and that review discovered FTT had failed to comply with contractual obligations.
Bayer said the SEC had directed FTT to “immediately terminate all access to SEC systems” by the unauthorized parties.
Anthony Turner, the principal at Financial Tracking Technologies, could not be immediately reached for comment.
SEC spokesman John Nester said the agency first learned of the possible breach after a former FTT employee came forward with concerns about how the data was being handled.
The SEC’s IT office found that since June 2009, FTT had engaged one or more consultants and subcontracted with a global technology and business services firm.
The SEC said FTT had given those firms access to personal data without notifying or seeking approval from the market regulator. As a result, none of those third parties had been properly vetted.
Since September, the system has been offline and employees have been getting preclearance for their trades by sending emails to the SEC’s ethics office.
Nester said no decision has been made yet on whether or not the SEC will keep its contract with FTT.
The letter to staff did not identify the third parties and the SEC declined to identify them for Reuters.
Reporting by Sarah N. Lynch; Editing by Tim Dobbyn