Ad­vi­sors Wary Af­ter SEC Breach

The Bond Buyer - - Front Page - BY KYLE GLAZIER

PHOENIX - Mu­nic­i­pal ad­vi­sors are con­cerned that per­sonal in­for­ma­tion could have been com­pro­mised in a re­cently re­vealed se­cu­rity breach of the Se­cu­ri­ties and Ex­change Com­mis­sion’s on­line EDGAR sys­tem.

The Na­tional As­so­ci­a­tion of Mu­nic­i­pal Ad­vi­sors ex­pressed its con­cerns in an Oct. 2 let­ter ad­dressed to SEC chair­man Jay Clay­ton and also sent to the other com­mis­sion­ers.

NAMA mem­bers, as reg­u­lated MAs re­quired to reg­is­ter with the SEC and the Mu­nic­i­pal Se­cu­ri­ties Rule­mak­ing Board, pro­vide sen­si­tive per­sonal in­for­ma­tion that could have fallen into the hands of hack­ers. The breach oc­curred in 2016, but was not pub­licly ad­dressed by the SEC un­til Sept. 20.

While the SEC said at that time that in­for­ma­tion gleaned in the cy­ber-at­tack may have con­trib­uted to il­licit trad­ing,

Clay­ton dis­closed on Oct. 2 that some per­sonal in­for­ma­tion was also com­pro­mised.

“The on­go­ing staff in­ves­ti­ga­tion of the 2016 in­tru­sion has now de­ter­mined that an EDGAR test fil­ing ac­cessed by third par­ties as a re­sult of that in­tru­sion con­tained the names, dates of birth and so­cial se­cu­rity num­bers of two in­di­vid­u­als,” the SEC said in a state­ment.

The SEC said that its staff are reach­ing out to the two in­di­vid­u­als to no­tify them and of­fer them iden­tity theft pro­tec­tion and mon­i­tor­ing ser­vices, and if the agency’s re­view should un­cover more af­fected in­di­vid­u­als, the com­mis­sion will of­fer them those same ser­vices as well.

NAMA ex­ec­u­tive di­rec­tor Su­san Gaffney, who signed the let­ter, asked that the SEC pro­vide fur­ther in­for­ma­tion about the in­ci­dent to al­low MAs the chance to take steps to pro­tect them­selves if nec­es­sary.

“Mu­nic­i­pal ad­vi­sors must sub­mit con­fi­den­tial and per­sonal in­for­ma­tion di­rectly into the EDGAR sys­tem that, if ex­posed, could lead to dis­rup­tion in their per­sonal and pro­fes­sional well-be­ing,” Gaffney wrote.

“The in­for­ma­tion that MAs must in­put in­cludes so­cial se­cu­rity num­bers, ad­dresses and work history, that is not in­tended for pub­lic con­sump­tion,” she wrote.

NAMA would like the chance to work with the com­mis­sion to ad­dress se­cu­rity con­cerns and what reme­dies ad­vi­sors might take to pro­tect them­selves in the event that they were af­fected, Gaffney added.

Clay­ton, whom the SEC said was not briefed on the new in­for­ma­tion un­til Sept. 29, said in a state­ment that the com­mis­sion is tak­ing the mat­ter very se­ri­ously and in­tends to in­ves­ti­gate it thor­oughly.

The SEC has al­ready au­tho­rized the hir­ing of ad­di­tional staff and out­side tech­nol­ogy con­sul­tants to beef up cy­ber­se­cu­rity.

“The 2016 in­tru­sion and its ram­i­fi­ca­tions con­cern me deeply,” said Clay­ton. “I am fo­cused on get­ting to the bot­tom of the mat­ter and, im­por­tantly, lift­ing our cy­ber­se­cu­rity ef­forts mov­ing for­ward.”

Clay­ton said those ef­forts might take “sub­stan­tial time.”

The breach of the Se­cu­ri­ties and Ex­change Com­mis­sion’s on­line EDGAR sys­tem took place in 2016, but was not ad­dressed by the SEC un­til two weeks ago.

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.