WASHINGTON — The Securities and Exchange Commission waited until Wednesday to disclose a hack of its corporate filing system that occurred last year. The disclosure raises questions about the agency’s ability to protect important financial information and comes as Americans are still weighing the consequences of the massive hack at Equifax.
The SEC, as the federal agency responsible for ensure that markets function properly and for protecting investors, is under fire after disclosing the hack of its electronic network for whisking company news and data to investors. The breach occurred despite repeated warnings in recent years about weaknesses in the agency’s cybersecurity controls.
Experts question the length of time taken to disclose the breach, and why the SEC isn’t meeting the same security standards it demands of corporate America.
While it discovered the breach to its corporate filing system last year, the agency says it only became aware last month that information obtained by the intruders may have been used for illegal trading profits.
“It took quite a while,” said Robert Cattanach, an attorney at Dorsey & Whitney and former trial attorney for the Justice Department, whose work includes cybersecurity and data breaches. “The integrity of our whole trading system is dependent on keeping this information secure. … People have got some ‘splaining to do.”
The SEC didn’t explain why the initial hack was not revealed sooner, or which individuals or companies may have been affected. The disclosure came two months after a government watchdog said deficiencies in the corporate filing system put the system, and the information it contains, at risk.
The agency also didn’t disclose any information about who might have carried out the breach. A hack by Chinese or Russian actors can’t be ruled out, experts say.
The hack was disclosed by SEC Chairman Jay Clayton in a statement posted to the agency’s website. It comes just two weeks after the credit agency Equifax revealed a stunning cyberattack that exposed highly sensitive personal information of 143 million people.
Clayton is scheduled to appear Tuesday before the Senate Banking Committee, and he is certain to be questioned about the hack. Democratic Sen. Mark Warner of Virginia, a member of the committee, said in a statement Thursday that the disclosures by the SEC and Equifax show “that government and businesses need to step up their efforts to protect our most sensitive personal and commercial information.”
Clayton blamed the breach on “a software vulnerability” in its filing system known as EDGAR, short for Electronic Data Gathering, Analysis and Retrieval system. EDGAR processes more than 1.7 million electronic filings a year. Those documents can cause enormous movements in the stock market, sending billions of dollars into motion in fractions of a second.
Clayton, a Wall Street attorney appointed by President Donald Trump early this year to the SEC post, said the agency has been assessing its cybersecurity since he took over as chairman in May. Experts note, however, that both agency and congressional investigators have been critical for years of the SEC’s handling of its information technology security.
Early this decade, the SEC inspector general’s office uncovered security lapses involving SEC staffers who examined the data-protection systems of the stock exchanges. Some of the staffers used unencrypted laptops to store sensitive exchange information — and then carried the laptops to a Las Vegas conference for information-security professionals that is known to attract hackers. The 2011-12 investigation raised concerns of a potential breach of the exchanges’ information.
David Weber, a professor at the University of Maryland’s business school and a former assistant SEC inspector general for investigations, worked on that probe. The agency “clearly has not held itself to the same standard that it expects regulated companies to adhere to” and “needs to up its game,” he said in an interview Thursday.
In 2015, an impostor slipped through the EDGAR filing system with a bogus $8 billion takeover bid for Avon Products. The stock rocketed 20 percent, but it quickly dropped, burning anyone who’d bought shares of the cosmetic giant at pumped-up prices. The SEC later sued a Bulgarian investor for allegedly orchestrating bogus acquisition bids for Avon and two other companies.
The hack of EDGAR is especially concerning because of how widely investors have used and trusted the system, which first came online in the early 1990s. Companies periodically file earnings and a range of financial information, and they alert investors to important developments that could affect their share prices, like government investigations, executive shake-ups and approaches for a takeover.
Some experts say gaining access to the system is too easy and the SEC should consider stricter vetting, though they caution that doing so wouldn’t guarantee blocking scammers from getting through.
Experts say stricter requirements could include passwords, personal ID, secret questions and answers, security tokens that continuously flash new ID numbers, fingerprints, eye scans or voice recognition.
The SEC said in its statement that an investigation into the breach and its possible consequences is ongoing, and that it is cooperating with the “appropriate authorities.”
James Cox, a professor of securities law at Duke University, noted that Republican lawmakers and administration officials have been pressing for cuts to the SEC’s budget — at a time when “they need to make the kind of hires” that would bolster their cybersecurity efforts.