SEC rapped on systems oversight

Information Systems: Opportunities Exist to Strengthen SEC's Oversight of Capacity and Security

In an eerie precursor to this week's devastation, a General Accounting Office report released Sept. 10 expressed concern that a lack of backup securities trading facilities would severely hurt trading in the event of "a terrorist attack or a natural disaster."

The GAO report, dated July 25 but released this week, said the Securities and Exchange Commission's Automation Review Policy does an adequate job of assuring the capacity and security of the agency's information systems. But there is room for improvement in the ARP program, which establishes exchanges and clearing organizations as self-regulatory organizations (SROs).

SROs "voluntarily follow SEC guidance and submit to the oversight of their information systems," the report stated, adding that the program had room for improvement in the areas of a consolidation, compliance with recommendations and the voluntary nature of the program.

The report also said that "because some SROs have not addressed ARP staff concerns over the lack of backup trading facilities, securities trading in the United States could be severely limited if a terrorist attack or a natural disaster damaged one of these exchange's trading floor."

The GAO report recommended that the SEC take these actions:

* Ensure that the ARP program develops a consolidated inspection guide for its staff to be updated on a periodic basis.

* Ensure that significant ARP program recommendations and concerns that have not been addressed by the SROs be brought to the chairman's and the commissioners' attention.

* Develop formal criteria to assess SROs' cooperation with the ARP program, while determining if the voluntary status of the program is appropriate.

As an example, the GAO report noted that in 1996, "ARP staff recommended that that [National Association of Securities Dealers] establish capacity alternatives to meet unexpected system demand," but those words were not heeded, and systems were still being disrupted this summer when NASD couldn't handle a spike in user demands.

The report did acknowledge that the ARP program is hindered by a lack of resources and high turnover among its staff.

The SEC was given a draft of the GAO report and disagreed with the recommendations. "We believe the draft report is based on an inaccurate view of the ARP program and does not reflect the current operation and effectiveness of the program," wrote Annette Nazareth, director of SEC's Division of Market Regulation, in a July 18 letter.

Specifically addressing the GAO recommendations, the SEC letter said:

* The agency did not need a consolidated guide because such a guide would quickly become outdated.

* It already has a process in place to bring concerns to the attention of the chairman and commissioners.

* ARP program staff conducts an annual risk-assessment of processes for each SRO, and if recommendations are not followed, additional inspections and reviews are conducted.

* There's no basis to believe the voluntary nature of the program is problematic.

GAO took the SEC's response into account and clarified its language to say that it did not mean to suggest that the SEC make the ARP program mandatory, only that it "develop formal criteria to assess whether the program is working as it is currently structured." However, the watchdog agency stood behind its other recommendations.