Special Review: Avoidable Errors Led to the Loss of Former SEC Chair Gary Gensler’s Text Messages, Report No. 587

View Report

Title Full

Date Issued

Wednesday, September 3, 2025

Submitting OIG

Securities and Exchange Commission OIG

Agencies Reviewed/Investigated

Securities and Exchange Commission

Report Number

587

Report Type

Review

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Report updated under NDAA 5274

Open Recommendations

This report has 5 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
1	No	$0	$0
We recommend that OIT update policies and procedures to ensure that OIT (a) thoroughly documents and understands changes to the SEC’s mobile device management system before such changes are implemented; (b) maintains an accurate inventory of mobile devices enrolled in the SEC’s mobile device management system (including timely follow-up and removal of inactive devices); (c) reviews and escalates mobile device management system notifications involving Capstone officials’ devices; and (d) regularly obtains and, as necessary, responds to information about technical risks from vendors whose products may impact the SEC’s mobile devices.
2	No	$0	$0
We recommend that OIT ensure that all SEC Capstone officials’ devices were backed up at the time OIT removed the texting application from SEC devices, and (for each device) document the date OIT verified that all electronic records, including text messages, were successfully saved (as of the October 2022 Capstone initiative and with each subsequent backup). If text messages from any Capstone officials’ devices were not successfully saved, work with ORMS to determine if NARA notification is required.
3	No	$0	$0
We recommend that OIT update the applicable system security plan(s) to accurately reflect the mobile device management system audit events and logs that should be forwarded to the SEC’s security information and event management tool, and ensure that those logs support after-the-fact investigations of incidents.
4	No	$0	$0
We recommend that OIT develop procedures to periodically verify that the mobile device management system audit events and logs identified in the applicable system security plan(s) are successfully retained in the SEC’s security information and event management tool.
5	No	$0	$0
We recommend that OIT update policies and procedures to require OIT management’s approval of commands during troubleshooting activities that result in a factory reset of Capstone officials’ devices, and verification that appropriate device logs and forensic data have been collected and retained beforehand.