Personal Details Compromised in SEC Hack

US regulator discloses that social security numbers were compromised in Edgar cyber incident from 2016.

The SEC has said it will continue to investigate if more people have been affected by the breach.

  • Personal information, including social security numbers, may have been exposed as a result of the 2016 breach, the SEC said on October 2.
  • The agency’s chairman, Jay Clayton, has faced questioning by a Senate committee.
  • The SEC has created a new cyber unit and dedicated resources to improving its capabilities in this area.
  • However, it said, it is continuing to investigate the incident, which involved the SEC’s company filings system.

The US Securities and Exchange Commission (SEC) revealed on September 20, 2017, that its online system for company filings, the Electronic Data Gathering, Analysis and Retrieval System, or Edgar, had been compromised during 2016. The agency said that illicit trading may have taken place thanks to intruders accessing the confidential information contained there.

Things have only gotten worse from there. On October 2, the SEC provided an update, saying that it had determined that a test filing accessed by the intruders contained the names, dates of birth and social security numbers of at least two people. The discovery came to light on September 29, the agency said, and it has been in touch with the individuals concerned.

“The 2016 intrusion and its ramifications concern me deeply,” said SEC chairman Jay Clayton, in a statement. “I am focused on getting to the bottom of the matter and, importantly, lifting our cybersecurity efforts moving forward.”

Clayton, who took over as chairman of the regulator in May 2017, was grilled by Senate lawmakers in a public session on September 26. They pressed him on the agency’s own cybersecurity standards at a time when the SEC is writing rules for the industry on the same topics, and in light of the serious breach at credit ratings company Equifax weeks before.

Senators also pointed to the fact that the SEC is seeking to collect vast amounts of data on stock-market activity through the Consolidated Audit Trail (CAT) program, and expressed skepticism that it was properly equipped to handle that information.

“It is critical that the SEC safeguards the data it collects and maintains—especially as [the CAT] becomes operational,” said Mike Crapo, a Republican senator from Idaho, and the chairman of the banking committee. “The recent Equifax breach has highlighted the need to protect this sensitive and valuable information.”

Other senators were more direct in their criticisms, with Sherrod Brown, the ranking Democrat senator from Ohio, asking what else the public had not been told, in reference to the long gap between when the incident occurred and when it was disclosed.

“How can you expect companies to do the right thing when your agency has not?” he asked.

Vulnerabilities

The SEC has responded to outrage over the incident by announcing plans to expand its capabilities in cybersecurity. On September 25, the agency announced the creation of a new cyber unit, which would not only police hacking attempts but also the dissemination of false information in order to support market-manipulation schemes. Robert Cohen, the co-chief of the agency’s market abuse unit, will become the chief of the new division, the SEC said.

Such a scheme also occurred on Edgar in 2015, when fake information about a takeover of Avon Products was posted to the database, driving the stock price up before it was removed. Other such filing systems have also been subject to fraudulent postings, such as Companies House in the UK, where it was revealed that fraudsters had created fake companies using the names of US exchange groups, although no market manipulation was detected as a result.

However, the Edgar intrusion appears to be the most serious cyber-attack suffered by US regulators to date. It is doubly embarrassing for the agency: in 2014 it released a series of rules governing cybersecurity practices at financial firms, known as Regulation Systems Compliance and Integrity (Reg SCI), and since then state regulators such as the New York State Department of Financial Services have moved to implement increasingly stringent guidelines on best practice for cyber defenses.

“This incident clearly exposes how vulnerable our global financial ecosystem is, and how unprepared we are to fight skyrocketing cybercrime,” says Ilia Kolochenko, CEO of web-security firm High-Tech Bridge.
