"We dodged a bullet this time."
More like the SEC employees tried to fire at us, but missed.
This isn't about policy. This is about common sense. Why wasn't the data encrypted? Why were the employees allowed to leave the company buildings with the information? Why didn't they have the common sense to leave them at home before attending said conference?
And, that being said... You would assume that those attending a hacking convention would normally be smart enough to know the risks (and especially not to bring an official work laptop). Alas, it's funny and worrisome to see that Wall Street is being run by people incompetent with technology.
That's perhaps paranoid, but a bit of paranoia isn't harmful in such a situation.
Have some important-looking documents in an open SMB share, for example (or put a password on it for those past security 101).
Have a 'free' WiFi AP (or maybe one with a simple password), see who tries to use it, log connections, maybe even try to MITM some popular sites (this may be illegal).
It would probably take 3 weeks for an SEC guy to have his laptop reimaged. A request for another laptop to attend the 2012 conference would probably be fulfilled in time for the 2015 conference.