WASHINGTON – The Securities and Exchange Commission waited until Wednesday to disclose a hack of its corporate filing system that occurred last year. The disclosure raises questions about the agency's ability to protect important financial information and comes as Americans are still weighing the consequences of the massive hack at Equifax.
Continue Reading Below
The SEC, the federal agency responsible for protecting investors and ensuring markets function properly, is under fire after disclosing the hack of its electronic network that whisks company news and data to investors. The breach occurred despite repeated warnings in recent years about weaknesses in the agency's cybersecurity controls.
Experts question the length of time taken to disclose the breach, and why the SEC isn't meeting the same security standards it demands of corporate America.
"Public companies have a clear obligation to disclose material information about cyber risks and cyber events. I expect them to take this requirement seriously," SEC Chairman Jay Clayton warned in a speech in July.
While it discovered the breach to its corporate filing system last year, the agency says it only became aware last month that information obtained by the intruders may have been used for illegal trading profits.
"It took quite a while," said Robert Cattanach, an attorney at Dorsey & Whitney and former trial attorney for the Justice Department, whose work includes cybersecurity and data breaches. "The integrity of our whole trading system is dependent on keeping this information secure. ... People have got some 'splaining to do."
Continue Reading Below
The SEC didn't explain why the initial hack was not revealed sooner, or which individuals or companies may have been affected. The disclosure came two months after a government watchdog said deficiencies in the corporate filing system put the system, and the information it contains, at risk.
The agency also didn't disclose any information about who might have carried out the breach. A hack by Chinese or Russian actors can't be ruled out, experts say.
"Certainly state actors would be on the list of suspects that come to mind," said Marcus Christian, a former federal prosecutor who is an attorney working in Mayer Brown's cybersecurity and national security practices. Still, he added, the list also would include "regular old criminal actors."
U.S. prosecutors in Manhattan brought criminal charges last December against three Chinese traders, accusing them of using nonpublic information stolen from two New York law firms to rack up nearly $3 million in illegal profits. The SEC filed a similar civil action, marking the first time the agency laid charges of hacking into a law firm's computer network. The confidential information was said to be linked to clients of the firm considering mergers or acquisitions.
Clayton disclosed the hack in a statement posted to the SEC's website. It comes just two weeks after the credit agency Equifax revealed a stunning cyberattack that exposed highly sensitive personal information of 143 million people.
Clayton is scheduled to appear Tuesday before the Senate Banking Committee, and he is certain to be questioned about the hack. Democratic Sen. Mark Warner of Virginia, a member of the committee, said in a statement Thursday that the disclosures by the SEC and Equifax show "that government and businesses need to step up their efforts to protect our most sensitive personal and commercial information."
The SEC chief blamed the breach on "a software vulnerability" in the filing system known as EDGAR, short for Electronic Data Gathering, Analysis and Retrieval system. EDGAR processes more than 1.7 million electronic filings a year. Those documents can cause enormous movements in the stock market, sending billions of dollars into motion in fractions of a second.
Clayton, a Wall Street attorney appointed by President Donald Trump to the SEC post, said the agency has been assessing its cybersecurity since he took over as chairman in May. Experts note, however, that both agency and congressional investigators have been critical for years of the SEC's handling of its information technology security.
Early this decade, the SEC inspector general's office uncovered security lapses involving SEC staffers who examined the data-protection systems of the stock exchanges. Some of the staffers used unencrypted laptops to store sensitive exchange information — and then carried the laptops to a Las Vegas conference for information-security professionals that is known to attract hackers. The 2011-12 investigation raised concerns of a potential breach of the exchanges' information.
David Weber, a professor at the University of Maryland's business school and a former assistant SEC inspector general for investigations, worked on that probe. The agency "clearly has not held itself to the same standard that it expects regulated companies to adhere to" and "needs to up its game," he said in an interview Thursday.
In 2015, an impostor slipped through the EDGAR filing system with a bogus $8 billion takeover bid for Avon Products. The stock rocketed 20 percent, but it quickly dropped, burning anyone who'd bought shares of the cosmetics giant at pumped-up prices. The SEC later sued a Bulgarian investor for allegedly orchestrating bogus acquisition bids for Avon and two other companies.
The hack of EDGAR is especially concerning because of how widely investors have used and trusted the system, which first came online in the early 1990s. Companies periodically file earnings and a range of financial information, and they alert investors to important developments that could affect their share prices, like government investigations, executive shake-ups and approaches for a takeover.
Some experts say gaining access to the system is too easy and the SEC should consider stricter vetting, though they caution that doing so wouldn't guarantee blocking scammers from getting through.
Experts say stricter requirements could include passwords, personal ID, secret questions and answers, security tokens that continuously flash new ID numbers, fingerprints, eye scans or voice recognition.