Following months of public revelations about security breaches big and small, the U.S. Securities and Exchange Commission (SEC) announced that hackers had previously breached its own cache of files on publicly traded companies, possibly leading to their illegal profit.
Late Wednesday, SEC Chairman Jay Clayton released an eight-page statement on cybersecurity that describes a 2016 system breach of EDGAR, a platform which pools detailed financial reports on publicly traded companies that they’re required by law to release. According to Clayton, the company didn’t discover until last month that the breach could have provided the information needed to make illegal trades.
He said the hack resulted from a “software vulnerability” in the system’s test-filing component that “[was] exploited and resulted in access to nonpublic information.” Clayton also commented, “Notwithstanding our efforts to protect our systems and manage cybersecurity risk, in certain cases cyber threat actors have managed to access or misuse our systems.”
The incident raises questions about vulnerabilities within the SEC–an agency that is itself charged with protecting investors and markets–and with how it has handled the situation.
The Washington Post pointed out, the “unusual [statement] didn’t explain the delay in the announcement, the exact date the system was breached and whether information about any specific company was targeted.” Nor is this the first time EDGAR has gone awry, or simply askew.
As Reuters reported, the congressional watchdog Government Accountability Office also found in a 2016, 27-page report that the SEC wasn’t always using encryption, supported software, well-tuned firewalls, and other key security tools while going about its business. Meanwhile, rules governing the securities industry already require that companies disclose cybersecurity breaches to investors, and the SEC itself has investigated firms regarding their expediency in this area.
The SEC also noted, “It is believed the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.” Nevertheless, it is reportedly working with relevant parties to determine if data from millions of corporate disclosures have been put to illegal use.