On Thursday, the top regulator of Wall Street came under fire over its disclosure and cybersecurity practices after it admitted that its database of corporate announcements had been breached by hackers in 2016 and possibly used for insider trading. The breach also included the EDGAR filing system of the US Securities and Exchange Commission, which houses information that can move markets. It comprises millions of filings that range from statements of acquisitions to quarterly earnings of companies. On Wednesday evening, the SEC disclosed that it had only found out in August that hackers may have used data from a hack in 2016 to make illicit trades.
Jay Clayton, the Chairman of the SEC, gave a ‘courtesy call’ to members of Congress on Wednesday afternoon regarding the hack before its public announcement. This information was provided by Representative Bill Huizenga, chairman of the US House subcommittee that is responsible for overseeing the SEC. He said that the situation was undoubtedly problematic and that they had to proceed carefully in order to protect the information. A credit-reporting company called Equifax Inc. had stated two weeks ago that sensitive personal data of around 143 million US customers had been exposed by a breach and it was confirmed by the SEC.
This cyber-attack is followed by the one made last year on the global bank messaging system called SWIFT. The hack is quite embarrassing not just for the SEC, but also for the new boss Clayton, who has declared cybercrime one of the top enforcement issues. The irony of the situation is not lost on anyone. The SEC disclosed that it was investigating the source of the cyber-attack, but it did not reveal exactly when the incident had occurred, nor did it say what sort of non-public data had been recovered.
The agency asserted that a weakness in the EDGAR system had been exploited by the hackers, but that it had been ‘fixed’ since then. Some analysts stated that most reports filed by companies with the SEC don’t contain a lot of sensitive information. They said that insider trading would have occurred immediately after the filings and just before the information was made public. Most of the publicly traded companies that file reports with the SEC are now going to review their trading reports to detect any unusual activity that could be connected to the disclosures.
The administration of President Donald Trump had made the protection of federal agency networks a priority after breaches occurred during the Obama administration, including those at the Internal Revenue Service, the Office of Personnel Management and the State Department. In May, Trump signed an executive order that required these agencies to use a specific framework for the assessment and management of cyber risk and to report within 90 days on how it was implemented. The SEC did not say anything when questioned about this review or whether the disclosure had occurred because of it.