In a statement on cybersecurity issued on September 20, Securities and Exchange Commission Chairman Jay Clayton disclosed that the SEC was the victim of a hack of its EDGAR test filing system in 2016.
After a lengthy discussion of the SEC’s own cybersecurity efforts and recent initiatives, Clayton disclosed that the SEC itself was the victim of a cybersecurity breach, saying, “Notwithstanding our efforts to protect our systems and manage cybersecurity risk, in certain cases cyber threat actors have managed to access or misuse our systems.”
Here is how Clayton described the breach and its discovery. Although the incident was initially detected in 2016, it is not clear whether it was disclosed to the general public before the September 20 statement, which reads in part:
In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading. Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information. We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk. Our investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities.
As Bloomberg reported, “Hackers may have profited from SEC corporate filing system attack.” However, based on the SEC’s statement, it appears any illegal profits would have come from access to nonpublic information, with the potential for illegal insider trading, rather than from unauthorized access to any personally identifiable information, which the SEC states it believes did not occur – although the investigation is also described as ongoing.
The SEC offers advice to the public in a spotlight section on its website, entitled, Cybersecurity, the SEC and You. Read the full text of the SEC Chairman’s Statement on Cybersecurity and the related press release.
Congressional hearing on Equifax: Will there be new legislation/regulation?
Following the SEC’s announcement of its own cybersecurity breach – in which, thus far, no personally identifiable information was reportedly accessed, unlike the earlier OPM breach – it will be interesting to see if the SEC breach is referenced during the upcoming Congressional hearing slated for October 3 on the recent and massive Equifax breach.
In a related article, “Congressman on Equifax: Can’t legislate against stupidity but can hold people accountable,” Rep. Greg Walden (R-Oregon), Chair of the House Energy and Commerce Committee, notes that he will be interested in hearing from the Equifax CEO not only about the breach itself, but also about the sale of $2 million in shares in the company by three Equifax executives, within days of discovery of the breach. “Boy, the timing sure doesn’t look good,” Walden states in the article.
Will the Equifax breach be the proverbial straw that broke the camel’s back, and lead to more legislation or regulation? Walden stated at a CNBC Power Lunch, “You can’t stop stupidity. You can’t legislate against it, but you can hold people accountable for it.” He observed, “in past cybersecurity hearings almost every witness has cautioned about overregulating.” However, he adds, “I want to know all the answers here. I want to ask all the questions, then we’ll get to what the actions are going forward.”
Additional resources:
Why the United States was wide open to a disaster like Equifax (CNBC)
Ten steps to consider taking after the Equifax breach (L.K. Benson & Company)
Surviving the Equifax data breach (AICPA Insights)