SEC reveals 2016 hack that may have been used for illegal trades
WASHINGTON — The top financial markets regulator in the U.S. has revealed that its computer system was hacked last year and that private information might have been used to make “illicit gains” through stock trades.
Jay Clayton, chair of the Securities and Exchange Commission, said in a statement posted on the agency’s website Wednesday night that officials learned last month that the “previously detected” 2016 incident might have been exploited by the hackers for financial gains. The SEC has launched an internal investigation.
The intrusion into the SEC’s EDGAR online database, which companies use to make required securities filings that often contain highly sensitive information, comes on the heels of the revelation by the Equifax credit reporting firm that a hack of its computer system exposed the Social Security numbers and birth dates of as many as 143 million people.
“The SEC’s disclosure, which comes not even two weeks after Equifax revealed that it had been hacked, shows that government and businesses need to step up their efforts to protect our most sensitive personal and commercial information,” said Sen Mark Warner, a leading lawmaker on cybersecurity matters.
Clayton said the 2016 hack was caused by “a software vulnerability” in the widely used EDGAR system that was “patched promptly after discovery.”
The system processes over 1.7 million electronic filings in any given year, the agency said.
The hack did not result in unauthorized access to personally identifiable information, jeopardize the SEC’s operations or cause any systemic risk to the financial system, Clayton said.
“Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic,” Clayton said.
“We must be vigilant,” he said. “We also must recognize — in both the public and private sectors, including the SEC — that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”
A July report from the Government Accountability Office found that the SEC had not fully implemented 11 of 58 recommendations spurred by previous audits to secure its computer network, include failing to authenticate users and encrypt sensitive information.
The report also identified 15 new deficiencies that “limited the effectiveness of SEC’s controls for protecting the confidentiality, integrity and availability of its information systems.”
In response to the report, Gregory C. Wilshusen, the agency’s director of information security issues, said in July that the agency was “committed to continuously assessing and strengthening our information security posture.”
The SEC is continuing to investigate the breach and its possible consequences and co-ordinating with the “appropriate authorities,” according to the statement.
Clayton ordered a review of the SEC’s cybersecurity profile in May 2017, which led to the discovery of the possible illegal trading. The statement did not explain why the hack itself was not revealed when it was discovered last year.