Santa Fe New Mexican

SEC under fire for being hacked after warnings on security

By Marcy Gordon

WASHINGTON — The Securities and Exchange Commission waited until Wednesday to disclose a hack of its corporate filing system that occurred last year. The disclosure raises questions about the agency’s ability to protect important financial information and comes as Americans are still weighing the consequences of the massive hack at Equifax.

The SEC, the federal agency responsible for protecting investors and ensuring markets function properly, is under fire after disclosing the hack of its electronic network that whisks company news and data to investors. The breach occurred despite repeated warnings in recent years about weaknesses in the agency’s cybersecurity controls.

Experts question the length of time taken to disclose the breach, and why the SEC isn’t meeting the same security standards it demands of corporate America.

“Public companies have a clear obligation to disclose material information about cyber risks and cyber events. I expect them to take this requirement seriously,” SEC Chairman Jay Clayton warned in a speech in July.

While it discovered the breach to its corporate filing system last year, the agency says it only became aware last month that information obtained by the intruders may have been used for illegal trading profits.

“It took quite a while,” said Robert Cattanach, an attorney at Dorsey & Whitney and former trial attorney for the Justice Department, whose work includes cybersecurity and data breaches. “The integrity of our whole trading system is dependent on keeping this information secure. … People have got some ’splaining to do.”

The SEC didn’t explain why the initial hack was not revealed sooner, or which individuals or companies may have been affected. The disclosure came two months after a government watchdog said deficiencies in the corporate filing system put the system, and the information it contains, at risk.

The agency also didn’t disclose any information about who might have carried out the breach. A hack by Chinese or Russian actors can’t be ruled out, experts say.

“Certainly state actors would be on the list of suspects that come to mind,” said Marcus Christian, a former federal prosecutor who is an attorney working in Mayer Brown’s cybersecurity and national security practices. Still, he added, the list also would include “regular old criminal actors.”

U.S. prosecutors in Manhattan brought criminal charges in December against three Chinese traders, accusing them of using nonpublic information stolen from two New York law firms to rack up nearly $3 million in illegal profits. The SEC filed a similar civil action, marking the first time the agency laid charges of hacking into a law firm’s computer network. The confidential information was said to be linked to clients of the firm considering mergers or acquisitions.
