SEC hacked

September 22, 2017 | Expert Insights

The Securities and Exchange Commission in America has quietly admitted that EDGAR, its corporate filing system, was hacked in 2016.

In an eight-page statement about cybersecurity, the nation’s top Wall Street regulator stated that the intruders who were able to breach its systems could have made an illegal profit.

Background

The U.S. Securities and Exchange Commission (SEC) is an independent body that is part of the US federal government. It is the top Wall Street regulator in the nation, responsible for enforcing federal securities laws and regulating the securities industry. It also proposes securities rules and plays a key role in maintaining electronic security in the nation.

The main function of the SEC is to ensure fair and efficient markets. It also takes on the responsibility of protecting investors. It makes sure that company reports are available to the public at any given time of the year.

In 2015, hackers were able to post fake information on the site, publishing erroneous information about the takeover of Avon Products. This drove the company’s stock price up significantly at the time.

Analysis

According to the SEC, the hack that breached its system took place in 2016, and this was not disclosed at the time. Disclosure took place in August 2017, when the agency became privy to the fact that the intruders who facilitated the hack may have had access to data. This data would have allowed them to illegally make profits. The breach took place in the system that stored documents of publicly traded companies. Suppose a company is going to announce that its third-quarter earnings will be well below expectations due to some outside event. It has to notify the SEC of this, and it does so through the EDGAR system. Under some circumstances the report is actually filed before it is released to the public. If a company were going to issue a warning on Wednesday morning that may affect its stock price, how helpful would it be if someone knew it the day before?

The eight-page document that the SEC released to disclose the breach is unusual in nature. The document was simply titled “Statement on Cybersecurity”. Additionally, the agency’s Chairman, Jay Clayton, did not reveal the hacking until the 22nd paragraph of the document.

In his statement, Clayton said, “I recognize that even the most diligent cybersecurity efforts will not address all cyber risks that enterprises face.  That stark reality makes adequate disclosure no less important.  Malicious attacks and intrusion efforts are continuous and evolving, and in certain cases they have been successful at the most robust institutions and at the SEC itself.  Cybersecurity efforts must include, in addition to assessment, prevention and mitigation, resilience and recovery.”

“Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic,” Clayton added. “We also must recognize — in both the public and private sectors, including the SEC — that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”

Further details regarding the intruders have not been made public.

Assessment

Our assessment is that the IT systems of large government agencies and industrial and financial giants are extremely vulnerable to data breaches. The SEC considers its database of company filings an innovation that has boosted corporate transparency. We believe that governments must only compel companies to digitize their operations if they are able to guarantee digital security. This is not possible for any government to do as they do not have the bandwidth to protect private infrastructure.