The biggest news from the U.S. Securities and Exchange Commission (SEC) on September 20, 2017 was less about the $100 million requested by Chair Jay Clayton to boost cybersecurity at the federal agency and more about the underlying reason for the cybersecurity initiative at all: a 2016 hack of the agency’s EDGAR filing system.
Writing this week in the Securities Law Blog (Part 1), West Palm Beach attorney Laura Anthony, a securities investment specialist and founder of Legal and Compliance, LLC, tackled the issue bluntly: “EDGAR was hacked! Based on the SEC’s statements and testimony on the matter, there remains a lot of secrecy surrounding the incident,” she writes, including the date of the hack, reasons why the Department of Homeland Security was notified but SEC commissioners were not, and a lack of information on the types of compromised data and the companies involved.
The hack occurred in May 2016, but Clayton was not informed until August 2017 and did not publicly announce it until September 20. Even though it was patched as soon as it was discovered, the hack involved EDGAR’s test filing system. The stolen information—which included names, dates of birth and Social Security numbers of at least two individuals—was used to make illicit trading gains. EDGAR stands for the Electronic Data Gathering, Analysis and Retrieval System.
SEC asks House Committee for $100 million As a result of the hack, Clayton has asked the House Committee on Financial Services for an additional $100 million to protect the agency and its electronic reporting infrastructure, which foreign and domestic companies use heavily to file required reports, forms and statements.
Clayton also has hired additional staff and external cybersecurity experts to protect the SEC’s network, systems and data. His $100 million initiative includes a review to assess whether EDGAR is the appropriate mechanism to funnel financial, company and investor data; an identification of all potentially sensitive and vulnerable data; and a renewed look at procedural responses to attacks.
Because of the valuable data that is fed to EDGAR, Clayton points out that the system is under constant threat of attacks from “identity thieves, unscrupulous contractors and vendors, malicious employees, business competitors, prospective insider traders and market manipulators, hackers, terrorists, state-sponsored actors and others.”
Additionally, cyberattacks can lead to loss or exposure of consumer data, theft or exposure of intellectual property, theft of investor funds, declines in companies’ market value as a result of attacks, and risk of regulatory actions, lawsuits and reputational damage.