The Securities and Exchange Commission (SEC) released a statement on Sept. 20, which said that it learned in August 2017 that a cyberattack previously detected in 2016 might have allowed illicit gain through trading.
In May 2017, SEC Chairman Jay Clayton initiated an assessment of the agency’s internal cybersecurity risk profile and approach to cybersecurity. The agency established a senior-level cybersecurity working group to coordinate information sharing, risk monitoring, and incident response efforts throughout the agency.
The SEC found a software vulnerability in the test filing component of the commission’s EDGAR system, which was exploited and gave hackers access to nonpublic information. The SEC said that the breach did not result in unauthorized access to personally identifiable information (PII), jeopardize the operations of the agency, or result in systemic risk.
“Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic,” said Clayton. “We must be vigilant. We also must recognize—in both the public and private sectors, including the SEC—that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”
The SEC uses the EDGAR system for oversight of the system of public reporting by issuers and other registrants. Investors can use the EDGAR system to access more than 50 million pages of disclosure documents. The system receives and processes more than 1.7 million electronic filings per year.
“In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading,” Clayton said in a statement. “Our investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities. As another example, our Division of Enforcement has investigated and filed cases against individuals who we allege placed fake SEC filings on our EDGAR system in an effort to profit from the resulting market movements.”
Clayton said that the SEC has experienced cybersecurity vulnerabilities before, including an incident in 2014 when the inspector general found that certain SEC laptops that may have contained nonpublic information could not be located, and found instances in which SEC employees transmitted nonpublic information through nonsecure personal email accounts.
Clayton said that the vendors that SEC works with have also exposed the agency to vulnerabilities because “a weakness in vendor systems or software products may provide a mechanism for a cyber threat actor to access SEC systems or information through trusted paths.”
The SEC said it plans to hire additional cyber talent to mitigate these issues.
The SEC has guidance on disclosing cybersecurity issues for companies that could be affected by vulnerabilities; it covers company risk factors, analysis of the financial consequences of breaches, description of business, discussion of legal proceedings, financial statements, and disclosure controls and procedures. The guidance was written in 2011, but Clayton maintains that it “remains relevant today.”
“By promoting effective cybersecurity practices in connection with both the commission’s internal operations and its external regulatory oversight efforts, it is our objective to contribute substantively to a financial market system that recognizes and addresses cybersecurity risks and, in circumstances in which these risks materialize, exhibits strong mitigation and resiliency,” Clayton said.