SEC says ’16 hack may have led to ‘illicit gains’
Hackers might have exploited database breach to make stock trades, agency says.
WASHINGTON — The nation’s top financial markets regulator has revealed that its computer system was hacked last year and that private information might have been used to make “illicit gains” through stock trades.
Jay Clayton, chairman of the Securities and Exchange Commission, said in a statement posted on the agency’s website Wednesday night that officials learned last month that the “previously detected” 2016 incident might have been exploited by the hackers for financial gains. The SEC has launched an internal investigation.
The intrusion into the SEC’s EDGAR online database, which companies use to make required securities filings that often contain important financial information, comes on the heels of the revelation by the Equifax credit reporting firm that a hack of its computer system exposed the Social Security numbers and birth dates of up to 143 million people.
“The SEC’s disclosure, which comes not even two weeks after Equifax revealed that it had been hacked, shows that government and businesses need to step up their efforts to protect our most sensitive personal and commercial information,” said Sen. Mark Warner (DVa.), a leading lawmaker on cybersecurity matters.
Warner said he plans to question Clayton about the incident when he appears before the Senate Banking Committee on Tuesday for a previously scheduled oversight hearing.
The SEC is a repository of massive amounts of information, much of it data that companies are required by law to file each quarter. In addition to the EDGAR system, the agency’s enforcement division has information systems with highly sensitive data about investigations of companies, said Matt Rossi, a former SEC official
“Anything that calls into question the security of the information systems at the SEC is obviously the source of significant concern,” said Rossi, a partner at the law firm Mayer Brown in Washington who specializes in cybersecurity matters.
Clayton said Wednesday that the 2016 hack was caused by “a software vulnerability” in the widely used EDGAR system that was “patched promptly after discovery.” The system — an acronym for Electronic Data Gathering, Analysis and Retrieval — processes more than 1.7 million electronic filings in any given year, the agency said.
While the EDGAR system is designed to give investors public access to company securities filings, the system has a test-filing option that allows companies to check that their submissions are properly prepared, including having the right security codes, before filing deadlines.
Test filings are not made public and “are routinely removed from the internal system after a short period, generally six calendar days,” according to EDGAR’s manual.
The 2016 hack did not result in unauthorized access to personally identifiable information, jeopardize the SEC’s operations or cause systemic risk to the financial system, Clayton said.
“Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic,” Clayton said.
A July report from the Government Accountability Office found that the SEC had not fully implemented 11 of 58 recommendations spurred by previous audits to secure its computer network, include failing to authenticate users and encrypt sensitive information.
The report also identified 15 new deficiencies that “limited the effectiveness of SEC’s controls for protecting the confidentiality, integrity and availability of its information systems.”
In response to the report, Gregory C. Wilshusen, the agency’s director of information security issues, said in July that the agency was “committed to continuously assessing and strengthening our information security posture.”
Clayton’s statement also mentioned that a 2014 internal review was unable to locate some agency laptops that may have contained confidential information.
The agency also discovered instances in which its personnel used private, unsecured email accounts to transmit confidential information.
The SEC is continuing to investigate the breach and its possible consequences and coordinating with the “appropriate authorities,” according to the statement.
Clayton ordered a review of the SEC’s cybersecurity profile in May 2017, which led to the discovery of the possible illegal trading. The statement did not explain why the hack itself was not revealed when it was discovered last year.
Hackers can use confidential financial information to make money from stock trades before the data are available to the public.
In December, the SEC said it had filed suit against three Chinese traders, accusing them of using malware to steal emails containing “nonpublic market-moving information” from two New York law firms. The traders earned almost $3 million in illegal profits in the first SEC case involving allegations of hacking into a law firm’s computer network, the agency said.