Sun Sentinel Palm Beach Edition
SEC: Hackers may have made illegal trades
‘Software vulnerability’ allowed 2016 breach
WASHINGTON — The nation’s top financial markets regulator has revealed that its computer system was hacked last year and that private information might have been used to make “illicit gains” through stock trades.
Jay Clayton, the chairman of the Securities and Exchange Commission, said in a statement posted on the agency’s website Wednesday night that officials learned last month that the “previously detected” 2016 incident might have been exploited by the hackers for financial gains. The SEC has launched an internal investigation.
The intrusion into the SEC’s EDGAR online database, which companies use to make required securities filings that often contain highly sensitive information, comes on the heels of the revelation by the Equifax credit reporting firm that a hack of its computer system exposed the Social Security numbers and birth dates of as many as 143 million people.
“The SEC’s disclosure, which comes not even two weeks after Equifax revealed that it had been hacked, shows that government and businesses need to step up their efforts to protect our most sensitive personal and commercial information,” said Sen Mark Warner, D-Va., a leading lawmaker on cybersecurity matters.
Warner said he plans to question Clayton about the incident when he appears before the Senate Banking Committee on Tuesday for a previously scheduled hearing.
Clayton said Wednesday that the 2016 hack was caused by “a software vulnerability” in the widely used EDGAR system that was “patched promptly after discovery.”
The system processes over 1.7 million electronic filings in any
given year, the agency said.
The hack did not result in unauthorized access to personally identifiable information, jeopardize the SEC’s operations or cause any systemic risk to the financial system, Clayton said.
“Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic,” Clayton said.
“We must be vigilant,” he said. “We also must recognize — in both the public and private sectors, including the SEC — that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”
A July report from the Government Accountability Office found that the SEC had not fully implemented 11 of 58 recommendations spurred by previous audits to secure its computer network, including failing to authenticate users and encrypt sensitive information.
The report also identified 15 new deficiencies that “limited the effectiveness of SEC’s controls for protecting the confidentiality, integrity and availability of its information systems.”
In response to the report, Gregory Wilshusen, the agency’s director of information security issues, said in July that the agency was “committed to continuously assessing and strengthening our information security posture.”
Clayton’s statement also mentioned that a 2014 internal review was unable to locate some agency laptops that may have contained confidential information.
The agency also discovered instances in which its personnel used private, unsecured email accounts to transmit confidential information.
The SEC is continuing to investigate the breach and its possible consequences and coordinating with the “appropriate authorities,” according to the statement.
Clayton ordered a review of the SEC’s cybersecurity profile in May 2017, which led to the discovery of the possible illegal trading. The statement did not explain why the hack itself was not revealed when it was discovered last year.