By Sarah N. Lynch
WASHINGTON (Reuters) - A leading Senate Republican is seeking a hearing to explore the U.S. Securities and Exchange Commission's failure to encrypt some computers containing highly sensitive stock exchange data.
Staff for Senator Richard Shelby this week told Senate Banking Chairman Tim Johnson's staff that they believe a hearing is in order, after they were briefed by SEC officials about the security lapse, a senior Senate Republican aide told Reuters.
The security lapses were detailed in a non-public August 30 report by Interim Inspector General Jon Rymer that has been reviewed by Reuters.
Only the chairman of a congressional panel has the authority to call a hearing. A Democratic aide for the Senate Banking Committee said, "The Committee has begun its bipartisan due diligence, including a briefing with the SEC and the Interim Inspector General, and will continue to examine the situation."
The August report found that a group of people in the SEC's Trading and Markets Division did not encrypt computers, iPads and other devices containing confidential data from the exchanges and clearing agencies they were overseeing.
Those employees were responsible for reviewing the cyber security policies and practices at the exchanges, and urged exchanges to tighten up their cyber protections at the same time they were using unprotected computers themselves.
They also brought the devices to a Black Hat convention, where cyber experts convene to discuss hacking and other trends.
An outside firm hired by the SEC found no evidence that any of the data was compromised. The SEC has said that two of the employees involved have left the agency, and the SEC has tightened up its policies since the incident.
On Thursday, the SEC announced that Todd Scharf, the agency's chief information security officer, would take on an expanded role of helping to coordinate on security issues with regulated entities such as exchanges. The SEC did not mention the security lapse in its statement.
But exchanges and clearing agencies are not comforted, partly because the inspector general's report says only "several select laptops" of 28 were tested for potential breaches.
They are pushing the SEC for more details about what kind of data was on the computers, how extensive the testing was, and whether they might need to make changes to their systems.
The New York Stock Exchange has gone so far as to hire former Homeland Security Secretary Michael Chertoff to help look into the matter.
Options Clearing Corp is working with the SEC to strengthen procedures for the future, said OCC Chief Security Officer Dan DeWaal in an e-mailed statement. "With respect to data that may have been exposed, the SEC is working with the (self-regulatory organizations) impacted."
Exchanges are hoping for details of an analysis conducted by Stroz Friedberg, the firm hired by the SEC to do the testing.
Exchanges are particularly annoyed that the SEC waited until October of this year to inform them of the incident, even though the inspector general's office had been investigating the matter since early 2011.
Earlier this week, staffers from the Senate Banking and Homeland Security and Government Affairs committees were briefed by SEC officials about the inspector general's report. Staff for Republican Senator Charles Grassley of Iowa are also expected to meet with SEC officials.
Representative Randy Neugebauer, the Republican chairman of the House Financial Services oversight subcommittee, said in a statement on Friday that he was disappointed by the security problems at the SEC.
"It appears no information was compromised, which is fortunate," said Neugebauer of Texas. "But leaving sensitive market information unprotected shows a frightening lapse of judgment by the SEC."
There are only a few weeks left in the current session of Congress, which is focused on trying to reach agreement to avoid automatic spending cuts and tax increases set to go into effect early next year unless it acts. In addition, SEC Chairman Mary Schapiro has announced she will step down from her post in two weeks.
(Reporting By Sarah N. Lynch; Editing by Tim Dobbyn)