SEC under fire for being hacked despite warnings
WASHINGTON » The Securities and Exchange Commission waited until Wednesday to disclose a hack of its corporate filing system that occurred last year. The disclosure raises questions about the agency’s ability to protect important financial information and comes as Americans are still weighing the consequences of the massive hack at Equifax.
The SEC, as the federal agency responsible for ensure that markets function properly and for protecting investors, is under fire after disclosing the hack of its electronic network for whisking company news and data to investors. The breach occurred despite repeated warnings in recent years about weaknesses in the agency’s cybersecurity controls.
Experts question the length of time taken to disclose the breach, and why the SEC isn’t meeting the same security standards it demands of corporate America.
While it discovered the breach to its corporate filing system last year, the agency says it only became aware last month that information obtained by the intruders may have been used for illegal trading profits.
“It took quite a while,” said Robert Cattanach, an attorney at Dorsey & Whitney and former trial attorney for the Justice Department, whose work includes cybersecurity and data breaches. “The integrity of our whole trading system is dependent on keeping this information secure . ... People have got some ‘splaining to do.”
The SEC didn’t explain why the initial hack was not revealed sooner, or which individuals or companies may have been affected. The disclosure came two months after a government watchdog said deficiencies in the corporate filing system put the system, and the information it contains, at risk.
The agency also didn’t disclose any information about who might have carried out the breach. A hack by Chinese or Russian actors can’t be ruled out, experts say.
The hack was disclosed by SEC Chairman Jay Clayton in a statement posted to the agency’s website. It comes just two weeks after the credit agency Equifax revealed a stunning cyberattack that exposed highly sensitive personal information of 143 million people.
Clayton is scheduled to appear Tuesday before the Senate Banking Committee, and he is certain to be questioned about the hack. Democratic Sen. Mark Warner of Virginia, a member of the committee, said in a statement Thursday that the disclosures by the SEC and Equifax show “that government and businesses need to step up their efforts to protect our most sensitive personal and commercial information.”
Clayton blamed the breach on “a software vulnerability” in its filing system known as EDGAR, short for Electronic Data Gathering, Analysis and Retrieval system. EDGAR processes more than 1.7 million electronic filings a year. Those documents can cause enormous movements in the stock market, sending billions of dollars into motion in fractions of a second.
Clayton, a Wall Street attorney appointed by President Donald Trump early this year to the SEC post, said the agency has been assessing its cybersecurity since he took over as chairman in May. Experts note, however, that both agency and congressional investigators have been critical for years of the SEC’s handling of its information technology security.
Early this decade, the SEC inspector general’s office uncovered security lapses involving SEC staffers who examined the data-protection systems of the stock exchanges. Some of the staffers used unencrypted laptops to store sensitive exchange information — and then carried the laptops to a Las Vegas conference for informationsecurity professionals that is known to attract hackers. The 2011-12 investigation raised concerns of a potential breach of the exchanges’ information.