SEC fails to follow its own advice on disclosing cyberattacks
In a 2014 speech, the then-chair of the Securities and Exchange Commission, Mary Jo White, offered a stern reminder to corporate America: If hit by hackers, they had to tell the public about it.
Now, the agency, the country’s top Wall Street regulator, has acknowledged that hackers penetrated one of its most sensitive databases last year and may have been able to use the information to gain a trading advantage over the investing public to pocket illicit profits.
But the agency didn’t follow its admonition to corporations. It offered few details about the hack, mentioning it only briefly in a larger policy statement about cybersecurity issued this week by Jay Clayton, the current head of the agency.
“So this appears to be a situation of ‘Do as I regulate, not as I demonstrate,’ ” said Bradley Bondi, a former senior SEC official.
The system that was breached, known as Edgar, serves as a clearinghouse for the public filings that companies must make to the agency, including reports on periodic financial results and newsworthy developments. For various reasons, there can often be a lag between the time when reports are electronically filed with the agency and when they can be viewed by the public, making the system a potentially lucrative target to hackers hoping to learn sensitive information before the rest of the market.
The SEC declined to comment for this story.
News of the breach follows on the heels of revelations that Equifax, the huge credit reporting company, also had been the victim of a cyberattack. Equifax, too, delayed in disclosing the breach as it sought to understand the extent of the damage.
The SEC detected the breach last year, but didn’t learn until last month that the vulnerability could have been used for improper trading. The breach did not lead to the release of personally identifiable information, the agency said.