The hack last year has spurred an internal probe and a further review of the regulator’s cybersecurity protections.
In a major policy statement about the threats that hackers pose, the SEC’s Chairman Jay Clayton acknowledged on Wednesday that there was “a 2016 intrusion of the Commission’s EDGAR test filing system” that may have given perpetrators “the basis for illicit gain through trading.”
SEC officials learned last month that “an incident previously detected in 2016 may have provided the basis for illicit gain through trading,” according to a release from the SEC.
The widely used EDGAR platform, whose acronym stands for Electronic Data Gathering, Analysis, and Retrieval, had “a software vulnerability in the test filing component … [which] was patched promptly after discovery,” SEC officials say.
While the security breach “resulted in access to nonpublic information,” SEC officials say there was no improper access to “personally identifiable information” and that the incident did not impact the SEC’s operations “or result in systemic risk.” Clayton began an internal investigation once the breach was identified.
The discovery of the attack followed a directive by Clayton in May 2017 for a review of the SEC’s internal cybersecurity risk profile and its approach to cybersecurity from “a regulatory and oversight perspective,” according to the SEC. This initiative included the creation of “a senior-level cybersecurity working group to coordinate information sharing, risk monitoring, and incident response efforts throughout the agency,” officials add.
“Notwithstanding our efforts to protect our systems and manage cybersecurity risk, in certain cases cyber threat actors have managed to access or misuse our systems,” Clayton says in his long policy statement. “In August 2017, the commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading. … Our investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities. As another example, our Division of Enforcement has investigated and filed cases against individuals who we allege placed fake SEC filings on our EDGAR system in an effort to profit from the resulting market movements.”
While the SEC works to determine the full extent of the intrusion, Clayton’s statement identifies the systems, EDGAR among them, that would be attractive targets for attackers.
A cyber-attack could “compromise the credentials of authorized users” and let hackers get “unauthorized access to filings data, place fraudulent filings on the system, and prevent the public from accessing our system through denial of service attacks,” Clayton says in his statement. “We also face the risks of actors attempting to access nonpublic data relating to our oversight of, or enforcement actions against, market participants, which could then be used to obtain illicit trading profits.”
Beyond EDGAR, Clayton expresses concern that the “significant, nonpublic, market sensitive data and personally identifiable information” that is part of the Consolidated Audit Trail (CAT) market surveillance database could be vulnerable.
“CAT is intended to provide SROs [self-regulatory organizations] and the Commission access to comprehensive data that will facilitate the efficient tracking of trading activity across U.S. equity and options markets. CAT, which is being developed and operationalized by the SROs, is in the later stages of its multi-year development, and its first stage of operation is scheduled to commence in November 2017. Cybersecurity has been and will remain a key element in the development of CAT systems,” Clayton says.
“Similarly, with respect to CAT, we expect we will face the risk of unauthorized access to the CAT’s central repository and other efforts to obtain sensitive CAT data. Through such access, intruders could potentially obtain, expose and profit from the trading activity and personally identifiable information of investors and other market participants,” Clayton adds.
In addition, the data the SEC “receives, stores and transmits includes nonpublic information, including personally identifiable information, generally related to our supervisory and enforcement functions,” which the regulator must keep safe from hackers, SEC officials add. A breach of that data could affect issuers, broker-dealers, investment advisers, investment companies, SROs, ATSs [alternative trading systems], clearing agencies, credit rating agencies, municipal advisors and other market participants under the SEC’s oversight.
“By promoting effective cybersecurity practices in connection with both the commission’s internal operations and its external regulatory oversight efforts, it is our objective to contribute substantively to a financial market system that recognizes and addresses cybersecurity risks and, in circumstances in which these risks materialize, exhibits strong mitigation and resiliency,” Clayton concludes.
The full statement by Clayton can be found here.