SEC to make online authentication more stringent

Find opportunities — and win them.

The Securities and Exchange Commission wants to be sure of who is using its Electronic Data Gathering, Analysis and Retrieval system. So it's looking to implement a new authentication system to prevent fraudulently filed documents, according to the agency's security chief.

The Securities and Exchange Commission wants to be sure of who is using its Electronic Data Gathering, Analysis and Retrieval system. So it's looking to implement a new authentication system to prevent fraudulently filed documents, according to the agency's security chief.

Chrisan Herrod, SEC chief security officer, talked about the new authentication scheme today during a Capitol Hill panel discussion on information security hosted by the Business Software Alliance.

Thousands of companies must file corporate and financial documents via Edgar. The agency is considering using digital certificates to strengthen authentication.

"We're not very far along the path toward a digital certificate solution," he said. "It's more a glimmer in the eye at this point."

One hot issue discussed by the panel of government and industry speakers was the difficulty of authenticating data and its origin.

Herrod said the Edgar system is SEC's IT crown jewel. The commission began using the online filing system in 1992, and in 2001 it completed a $22.5 million modernization program that added a Web interface among other updates. The system receives up to 2,500 filings each day.

About five years ago, SEC began standardizing on two-factor authentication for new filers, requiring they use passwords and either personal identification numbers or user names. There usually is one designated person in each organization with authority to make Edgar filings.

"We do vet that individual, to a certain degree," Herrod said. Checks are done to ensure that corporations are valid and that the designated users are employees with authority to file documents.

Herrod said SEC wants to use strong encryption with whatever system is chosen, but no decision has been made on whether that will mean a public-key infrastructure.

The commission will implement the new system gradually, with digital certificates issued first to new filers. Getting legacy filers to adopt digital certificates will require developing a clear business case for the technology, Herrod said.

"We are going to have to be very clear about why it is important," she said