The U.S. Securities and Exchange Commission, the watchdog of Wall Street, said this week that hackers infiltrated one of its systems last year, something that likely facilitated insider trading.
The SEC waited nearly nine months to disclose the hack. SEC Chairman Jay Clayton devoted four sentences of a lengthy post titled “Statement on Cybersecurity” to the incident, posted to the SEC’s site on Wednesday.
The Commission insists it didn’t learn until last month that the incident may have benefited what Clayton referred to as “illicit gain through trading.”
“In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading. Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information. We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk. Our investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities.” Clayton wrote.
The Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system, is an online database used by the SEC to collect, validate, index, and accept forms filed by companies with the SEC. The system is regularly used by companies who file documents like annual and quarterly statements, information on holdings, investors, and the like with the SEC.
It’s unclear exactly when attackers managed to poke a hole in EDGAR, what vulnerability they may have used to do so, and why it took so long for the SEC to disclose the attack.
Anyone that has a computer can use EDGAR to access more than 21 million filings but according to the SEC the intrusion occurred on the database’s test filing system.
Perhaps ironically Clayton used the rest of the statement to trumpet the importance of cybersecurity, in particular how it relates to the SEC as a regulatory body.
“Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic,” Clayton said. “We must be vigilant. We also must recognize—in both the public and private sectors, including the SEC—that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”
This isn’t the only issue the SEC has had with EDGAR. Earlier this year the SEC’s Division of Enforcement observed individuals filing fake SEC filings on the system in order to profit from market movements. In 2015 someone filed a phony regulatory filing that an unknown firm was buying Avon. Shares jumped more than $1 before the company and securities regulators realized it was an attempt to manipulate the market.
Taking so long to disclose the breach runs counter to what the SEC has advocated companies do over the last few years. In 2011, in the wake of high-profile data security breaches, the Commission released guidance regarding disclosure obligations calling on companies to disclose when they’ve been breached in a timely manner.
The SEC launched an investigation earlier this year over whether Yahoo should have reported two data breaches that impacted hundreds of millions of credentials to investors sooner. Yahoo told the SEC it knew about the breach in 2014 but didn’t disclose it until September 2016.
News of the SEC hack of course comes less than two weeks after Equifax disclosed that an attacker managed to exploit an Apache Struts vulnerability in its system, something that has put the data of 143 million Americans at risk. Politicians are using both incidents to renew talk around creating a comprehensive data breach standard in Washington.
Sen. Mark R. Warner (D-VA) said Thursday he plans to ask Clayton on Tuesday, when he appears before the Senate Banking Committee, how effective current SEC guidelines around breach disclosures are.
“The SEC’s disclosure, which comes not even two weeks after Equifax revealed that it had been hacked, shows that government and businesses need to step up their efforts to protect our most sensitive personal and commercial information. Information has become one of our country’s most valuable resources, and control of that information comes with significant responsibility. The SEC should not retreat from its important market oversight role in order to limit its exposure to sensitive information.”
*SEC image by AgnosticPreachersKid (Own work) [CC BY-SA 3.0], via Wikimedia Commons