As the fallout resulting from the October 2016 hacker breach of the Securities and Exchange Commission’s (SEC) EDGAR computer system continues, it further underscores why compliance and appropriate processes and procedures matters — even for the regulators.
SEC Chairman Jay Clayton today provided an update on the status of the agency’s review and investigation of the 2016 intrusion into the EDGAR system. In addition to updating the previous disclosures and remediation we’d discussed in last week’s blog, SEC Chairman Jay Clayton has also just announced that his staff investigation has now determined, based on new forensic evidence, that one of the EDGAR test filings hacked did contain the names, dates of birth and social security numbers of two individuals.
Someone’s got your number!
According to Chairman Clayton, as of Friday (September 29) his team is reaching out to the two individuals to notify them and offer to provide them with identity theft protection and monitoring services. He also added that should the agency’s review uncover additional individuals whose sensitive information may have been accessed, the staff will contact them and offer them identity protection and monitoring as well.
“The 2016 intrusion and its ramifications concern me deeply. I am focused on getting to the bottom of the matter and, importantly, lifting our cybersecurity efforts moving forward,” he said. “While our review and remediation efforts are ongoing and may take substantial time to complete…it is important to provide new information regarding the scope of the 2016 intrusion and provide an update on the steps we are taking to assess and improve the cybersecurity risk profile of our EDGAR system and of the agency’s systems more broadly.”
SEC security efforts
The Commission’s efforts to improve security has been organized into five principal work streams:
Remember the following line when you’re under the microscope
Cautioning that building a more secure barn door after the horses have been stolen does not happen overnight, Chairman Clayton cautioned that each of the SEC’s efforts is moving forward and, as is the nature of matters of this type, will require substantial time and effort to complete. Remember that statement when it’s your turn under the microscope…”These things take TIME!”
Looking forward, the Commission also plans to immediately hire additional staff and outside technology consultants to aid in its efforts to protect its network, systems, and data. Chairman Clayton also has directed his staff to assess the types of data the SEC takes in through the EDGAR system, and whether EDGAR is even the appropriate mechanism to obtain that data. The Commission also will review the security systems, processes, and controls in place to protect data submitted through EDGAR.
SEC staff also will conduct similar reviews of other systems in use at the Commission, assessing the types of data the agency keeps and the related security systems, processes and controls. Additionally, the SEC also will work to enhance escalation protocols for cybersecurity incidents in order to enable greater agency-wide visibility and understanding of potential cyber vulnerabilities and attacks. More broadly, the agency is evaluating its cybersecurity risk governance structure, which has included the establishment of a senior-level cybersecurity working group and may include additional enhancements to promote the management and oversight of cybersecurity across the SEC’s divisions and offices.
According to Chairman Clayton, the SEC already is launching internal, Commission-level incident response exercises and continued interaction on cybersecurity efforts with other government agencies and committees, including the Department of Homeland Security, the Government Accountability Office and the Financial and Banking Information Infrastructure Committee. The goal is to have the appropriate processes and procedures in place to be ready and responsive in the event of another hacker/digital strike.
Why YOU also need appropriate processes and procedures
Both the SEC/Equifax hacks underscore the challenges compliance professionals face in keeping their organizations on the “straight and narrow.” At its most elemental, one must have appropriate processes and procedures in place and then develop a culture of compliance that follows them.
So…what are you doing? Are you prepared? Or…perhaps we should talk (212-233-1155) about instituting appropriate support systems like Patrina’s cost-effective and comprehensive, 8-module compliance solution, and/or compliant data capture, file storage, and records archiving specifically designed for the financial services community. Be smart. Be covered. Let’s chat.