SEC hack took advantage of companies using real data for EDGAR tests
Who’s watching the watchers? That’s what the U.S. Senate Committee on Banking, Housing and Urban Affairs wondered during testimony delivered by Securities and Exchange Commission (SEC) Chairman Jay Clayton this week. According to reports posted by Reuters and other news outlets, the SEC did not reveal the 2016 hack of its EDGAR system for nearly one year. The breach is now being investigated by the Federal Bureau of Investigation (FBI) and the U.S. Secret Service.
At issue, said several senators, is: “How can you expect companies to do the right thing when the [SEC] has not?”
In October 2016, hackers breached the SEC’s EDGAR computer system and gained access to test filings in which some companies had used “authentic data” rather than dummy data when testing the Commission’s corporate filing system. Note: the SEC discourages companies from using their real financial data for these tests.
The intrusion was detected later that same month. Internal SEC memos indicate that the attack appears to have been routed through a server in Eastern Europe, and at the time there appeared to be no evidence of improper data retrieval. The matter was handled internally by the SEC’s Office of Information Technology. Later, however, the SEC’s Enforcement Division detected a pattern of suspicious trading ahead of companies’ public disclosures, prompting the Commission to review whether some companies had used authentic data instead of “dummy” data when running tests of the EDGAR system. Dummy data or not, all data submitted to EDGAR is supposed to be protected.
When to report?
In the earlier Equifax security breach, senators took issue with that company for waiting six weeks to disclose its security breach. They asked Clayton by what standards disclosures should or should not occur. He explained that he favors companies disclosing more complete risk profiles when it comes to cyber security, because some companies, owing to the nature or volume of the data they collect or use, are more exposed than others.
Regarding the delay in the SEC’s disclosure, Clayton noted: “When you make a public disclosure, other people try to test and probe. We are under constant attack from nefarious actors.”
Looking outside its own glass house
In light of this experience and in the wake of the recent Equifax hack, Clayton urged all organizations to realize “we all are constantly under attack” and to prepare accordingly, including calling for better disclosure from companies whose computer systems have been hacked.
Clayton called the current level of information coming from companies inadequate, adding: “Companies should be providing better disclosure about their risk profile. Companies should be providing sooner disclosure about intrusions that may affect shareholder investment decisions. Across our markets, there should be better disclosure as to the cyber risks we face. When [companies] have notice of a cyber breach we expect people to constantly assess whether that breach is material to investors, and when they determine that it is, make appropriate disclosure promptly.”
In the case of the SEC breach, Clayton said he “immediately” initiated an investigation once aware of the matter and decided that “disclosure was necessary” because he determined it was “a serious matter.” He said the investigation is ongoing to determine who knew about the breach and why it wasn’t disclosed.
Vulnerabilities exist
In the course of that review, a software vulnerability in the test filing component of the Commission’s EDGAR system was identified and promptly patched, but not before it was exploited by the hackers, who accessed nonpublic information. The SEC believes the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.
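The practical lesson for filers runs through both the account of the breach above and the patched test filing component: a test system is only as sensitive as the data you send it, so a compromise of that system exposes nothing real only if every test submission is synthetic. The gate below is an added example written for this page; it is not SEC, EDGAR or Patrina code. The field names, the placeholder convention (designated test filer identifiers, a TEST marker in the company name, an explicit test flag), the sample payloads and the set of "real book" figures are all assumptions made for illustration.

```python
"""Pre-submission gate: refuse to send a 'test' filing to a test environment
when it looks like real production data.

Added example for this page, not SEC/EDGAR/Patrina code. Field names, the
placeholder convention and the sample payloads are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Assumed convention: the only filer identifiers a test submission may carry.
TEST_CIK_ALLOWLIST = frozenset({"0000000000", "9999999999"})
# Assumed convention: synthetic company names must carry one of these markers.
TEST_NAME_MARKERS = ("TEST", "DUMMY", "SAMPLE")
# Identifier shapes that should never appear in synthetic data (US SSN / EIN formats).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EIN_RE = re.compile(r"\b\d{2}-\d{7}\b")


@dataclass
class GateResult:
    allowed: bool
    problems: list[str] = field(default_factory=list)


def check_test_filing(filing: dict, production_figures=frozenset()) -> GateResult:
    """Return allowed=False plus reasons if the payload looks like real data.

    production_figures is an optional set of exact financial figures from the
    filer's own real books; a match means someone copied production numbers
    into the test payload instead of inventing placeholders.
    """
    problems: list[str] = []

    if not filing.get("test_submission", False):
        problems.append("payload is not flagged test_submission=True")

    cik = str(filing.get("cik", ""))
    if cik not in TEST_CIK_ALLOWLIST:
        problems.append(f"cik {cik!r} is not a designated test identifier")

    name = filing.get("company_name", "")
    if not any(marker in name.upper() for marker in TEST_NAME_MARKERS):
        problems.append(f"company_name {name!r} carries no test marker")

    for label, value in filing.get("financials", {}).items():
        if value in production_figures:
            problems.append(f"financials[{label!r}] equals a real production figure")

    for label in ("narrative", "officer_notes"):
        text = filing.get(label, "")
        if SSN_RE.search(text) or EIN_RE.search(text):
            problems.append(f"{label} contains an SSN- or EIN-shaped identifier")

    return GateResult(allowed=not problems, problems=problems)


# Constructed sample payloads (not real filings).
SYNTHETIC_FILING = {
    "test_submission": True,
    "cik": "9999999999",
    "company_name": "TEST WIDGETS INC",
    "financials": {"revenue": 1_000_000, "net_income": 100_000},
    "narrative": "Placeholder narrative for a test submission.",
}

LEAKED_FILING = {
    "test_submission": True,
    "cik": "0001234567",  # shaped like a real filer id, not a test placeholder
    "company_name": "Acme Holdings Corp",
    "financials": {"revenue": 48_213_907, "net_income": 3_144_012},
    "narrative": "Contact CFO, SSN 123-45-6789, before release.",
}

# Constructed: figures the filer's real books contain, used to catch copy-pasted data.
REAL_BOOK_FIGURES = {48_213_907, 3_144_012}


def submit_to_test_environment(filing: dict, figures=frozenset()) -> str:
    """Simulated submission hook: only payloads that pass the gate go out."""
    result = check_test_filing(filing, figures)
    if not result.allowed:
        return "BLOCKED: " + "; ".join(result.problems)
    return "SUBMITTED to test environment"


if __name__ == "__main__":
    print(submit_to_test_environment(SYNTHETIC_FILING, REAL_BOOK_FIGURES))
    print(submit_to_test_environment(LEAKED_FILING, REAL_BOOK_FIGURES))
```

The gate is deliberately on the filer's side of the wire: the SEC can discourage real data in tests, but only the submitting firm knows what its real figures and identifiers look like, so that is where the check belongs. The production-figure comparison is the strongest signal here; the identifier allowlist and name markers catch the careless case where a real filing was simply resubmitted as a "test."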
Nonetheless, said SEC Chairman Jay Clayton, “cyber security is critical to the operations of our markets and the risks are significant and, in many cases, systemic. We [all] must be vigilant. We also must recognize—in both the public and private sectors, including the SEC—that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”
Clayton further outlined the SEC’s plans for managing internal cyber security risks. These include the incorporation of cybersecurity considerations in the Commission’s disclosure-based and supervisory efforts, coordination with other government entities, and the enforcement of the federal securities laws against cyber threat actors and market participants that do not meet their disclosure obligations.
“By promoting effective cyber security practices,” he continued, “in connection with both the Commission’s internal operations and its external regulatory oversight efforts, it is our objective to contribute substantively to a financial market system that recognizes and addresses cyber security risks and, in circumstances in which these risks materialize, exhibits strong mitigation and resiliency.”
The SEC’s Office of Inspector General has been asked to investigate the intrusion itself, the scope of non-public information that was stolen and how the SEC responded to the incident, which he said was properly reported to the Department of Homeland Security’s Computer Emergency Readiness Team.
Ya gotta start somewhere
Whether the use of authentic data was deliberate or “operator error,” the SEC and Equifax hacks underscore the challenges compliance professionals face in keeping their organizations on the “straight and narrow.” At its most elemental, one must have appropriate processes and procedures in place and then develop a culture of compliance that follows them.
What are you doing? Are you prepared? Perhaps we should talk (212-233-1155) about instituting appropriate support systems like Patrina’s cost-effective and comprehensive, 8-module compliance solution, and/or compliant data capture, file storage, and records archiving specifically designed for the financial services community. Be smart. Be covered. Let’s chat.