Wall Street’s top regulator faced questions on Thursday about its defenses against cyber criminals after admitting hackers breached its electronic database of corporate announcements and may have used it for insider trading.
The incursion at the Securities and Exchange Commission struck at the heart of the U.S. financial system. The SEC’s EDGAR filing system is the central repository for market-moving information on corporate America with millions of filings ranging from quarterly earnings to statements on acquisitions.
Accessing documents before they are released publicly would offer hackers a lucrative opportunity to trade on that information.
The SEC said late on Wednesday that a hack occurred in 2016 but it had only discovered last month that the cyber criminals may have used the information to make illicit trades.
SEC Chairman Jay Clayton gave members of Congress a “courtesy call” about the hack late on Wednesday afternoon, said Rep. Bill Huizenga, chairman of the House subcommittee on Capital Markets, Securities, and Investment, which oversees the SEC.
“I’m glad that Jay Clayton has decided to acknowledge this and release it, warts and all,” Huizenga said. “It’s hugely problematic and we’ve got to be serious about how we protect that information as a regulator. I’m hoping that this leads to some vast improvements and an uptick in the vigilance that all the regulators are going to have with information that’s coming to them.”
The U.S. Department of Homeland Security had detected five “critical” cyber security weaknesses on the SEC’s computers as of Jan. 23, 2017, according to a confidential weekly report reviewed by Reuters.
The SEC disclosure has rattled investors’ faith in the security of their data. It comes two weeks after credit-reporting company Equifax said hackers had stolen data on more than 143 million U.S. customers, and in the wake of last year’s cyber attack on SWIFT, the global bank messaging system.
It is particularly embarrassing for the SEC and its new boss Clayton, who has made tackling cyber crime one of the top enforcement issues during his tenure.
“The Chairman obviously recognizes the irony of the SEC potentially serving as the unwitting tipper in an insider trading scheme,” said John Reed Stark, a former SEC staff member and cyber expert.
The SEC has said it was investigating the source of the hack but it did not say when exactly it happened or what sort of non-public data was retrieved. The agency said the attackers had exploited a weakness in part of the EDGAR system and it had “promptly” fixed it.
CYBER SLEUTHS NEEDED
Clayton will be grilled on the incident and its aftermath at a hearing by the Senate Banking Committee on Tuesday. In particular, questions are likely about how prepared the SEC was against such an attack and why it waited until now to disclose it.
Securities industry rules require companies to disclose cyber breaches to investors and the SEC has investigated firms over whether they should have reported incidents sooner.
In July, months after the breach was detected, a congressional watchdog office warned that the Wall Street regulator was “at unnecessary risk of compromise” because of deficiencies in its information systems.
The 27-page report by the Government Accountability Office found the SEC did not always fully encrypt sensitive information, used unsupported software, failed to fully implement an intrusion detection system and made missteps in how it configured its firewalls, among other things.
It also shut down a specialized unit on cyber crimes as part of a reorganization in 2010 despite former SEC chair Mary Jo White, in office when the hack occurred, telling Reuters in 2016 that cyber security posed the biggest risk to the U.S. financial system.
“Cyber crimes have continued to spread, thrive and become more innovative. Now, more than ever, the SEC needs a dedicated and specialized corps of cyber sleuths to track down and deter hackers,” said Stark, currently president of a cyber consulting firm.
The SEC has scored some victories in tackling cyber criminals. In 2015, the commission unmasked a ring of stock traders and hackers who had accessed company press releases from distributors Marketwire, PR Newswire, and Business Wire before the information was made public to make $100 million in illegal profits.