The Securities and Exchange Commission (SEC) is Wall Street’s top regulator. It is an independent agency of the federal government that, among other things, is responsible for regulating the nation’s stock and options exchanges and protecting investors.
And it is not safe from hackers.
Last Wednesday, the SEC announced a hacking incident that “may have provided a basis for illicit trading gains.” This news comes less than two weeks after an Equifax data breach exposed over 140 million Americans to identity theft.
“The risks from cyber breaches continue to threaten consumers and our financial markets,” warns Ohio Senator Sherrod Brown (D). “We expect corporations that hold sensitive data to disclose information about breaches as soon as possible, and the SEC is no different.”
The SEC system that was breached, nicknamed “EDGAR,” is an electronic database that stores millions of public-company filings. These documents have the power to send billions of dollars into motion within seconds.
Hackers gained access to the nonpublic information stored in the system by exploiting a software vulnerability. According to SEC Chairman Jay Clayton, the vulnerability was patched “promptly” after it was discovered in 2016.
The full extent of the hack was discovered this August as part of a cybersecurity review launched by Clayton after he was confirmed to his post in May. Clayton has agreed to testify before the Senate Banking Committee on Tuesday.
According to Clayton, the SEC has reason to believe “the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.” But many questions remain unanswered, including:
• Who is responsible
• What information was stolen
• When hackers gained access to the system
Baker Botts lawyer Doug Henkin says the hackers were obviously after specific information on publicly traded companies. “The real question is whether this breach could have been used to get into other systems,” says Henkin. If so, the breach could be worse than we think.
Rhode Island Rep. Jim Langevin (D) is disappointed that he is just now learning of the breach.
“The scope of a cybersecurity incident is not always readily apparent, and transparency can help affected entities take measures to protect themselves and lead to improvements in risk management processes,” says Langevin. “Government needs to lead by example in this space, and I will be interested to learn how the SEC notified other governmental entities of the breach.”
This isn’t the first time EDGAR has been compromised. In 2015, hackers posted fake information that temporarily sent Avon Products’ stock soaring. In 2014, researchers discovered an instance in which some users had access to valuable trading information about 30 seconds before it went public (this is more than enough time for high-speed traders to make a trade).
The SEC “clearly has not held itself to the same standard that it expects regulated companies to adhere to,” argues David Weber, a professor at the University of Maryland’s business school. The agency “needs to up its game.”
“Effective management of internal cybersecurity risk is critical to the SEC achieving its mission and to protecting the nonpublic information that is entrusted to this agency,” says SEC Commissioner Michael S. Piwowar.
The agency has come under fire for being hacked despite warnings about cybersecurity, and the announcement about the EDGAR hack comes as Americans are already nervous about the Equifax hack.
The Investment Company Institute (ICI) is calling for a full inquiry by the Government Accountability Office.
“The SEC is in an interesting situation here because, on the one hand, they obviously are dealing with their own security issues. On the other hand, they are responsible to enforce disclosure of incidents to the market to investors,” explains Jack Olcott, who formerly worked as a legal adviser for the Senate Commerce Committee.
The SEC’s revelation “shows that government and businesses need to step up their efforts to protect our most sensitive personal and commercial information,” says Virginia Senator Mark Warner (D).