SEC to make online authentication more stringent
The Securities and Exchange Commission wants to be sure it knows whom it is dealing with when documents are filed through its Electronic Data Gathering, Analysis and Retrieval system.
'We're looking at implementing a new authentication system to prevent people from fraudulently filing,' SEC chief security officer Chrisan Herrod said.
Thousands of companies must file corporate and financial documents via EDGAR. The agency is considering using digital certificates to strengthen authentication.
'We're not very far along the path toward a digital certificate solution,' Herrod said. 'It's more a glimmer in the eye at this point.'
Herrod talked about the new authentication scheme today during a Capitol Hill panel discussion on information security hosted by the Business Software Alliance.
One hot issue discussed by the panel of government and industry speakers was the difficulty of authenticating data and its origin.
Herrod called the EDGAR system SEC's crown IT jewel. The commission began using the online filing system in 1992, and in 2001 completed a $22.5 million modernization program that included adding a Web interface. The system receives up to 2,500 filings each day.
About five years ago, SEC began standardizing on two-factor authentication for new filers, requiring that they use passwords and either personal identification numbers or user names. There usually is one designated person in each organization with authority to make EDGAR filings.
'We do vet that individual, to a certain degree,' Herrod said. Checks are done to ensure that corporations are valid and that the designated users are employees with authority to file documents.
Herrod said SEC wants to use strong encryption with whatever system is chosen, but no decision has been made on whether that will mean a public-key infrastructure.
The commission will probably implement the new system gradually, with digital certificates issued first to new filers. Getting legacy filers to adopt digital certificates will require developing a clear business case for the technology, Herrod said.
'We are going to have to be very clear about why it is important,' she said.