Equifax may now be getting its public lashings for a cybersecurity breach that exposed the personal information of 143 million Americans to hackers, but it appears that the Securities and Exchange Commission (SEC) has a few skeletons in its closet as well.
The regulatory agency announced late last night that its EDGAR database was hacked last year. The intrusion took advantage of a software vulnerability in the EDGAR test filing system. Once the SEC discovered it, the agency patched the vulnerability promptly and went about its normal business, but it made no public disclosure of the hack at the time.
Then, in August 2017, the SEC concluded that the earlier EDGAR intrusion might have given bad actors the means to make "illicit gains through trading." Before the vulnerability was patched, the hackers were able to access non-public information, but according to the SEC they did not get their digital mitts on personally identifiable information, nor did the intrusion "jeopardize the operations of the Commission, or result in systemic risk."
“We must be vigilant. We also must recognize—in both the public and private sectors, including the SEC—that there will be intrusions, and that a key component of cyber risk management is resilience and recovery,” wrote SEC Chairman Jay Clayton in a statement.
“By promoting effective cybersecurity practices in connection with both the Commission’s internal operations and its external regulatory oversight efforts, it is our objective to contribute substantively to a financial market system that recognizes and addresses cybersecurity risks and, in circumstances in which these risks materialize, exhibits strong mitigation and resiliency.”
What's interesting is that the SEC chose to bury the news somewhat by issuing its statement after 7 PM ET (the major nightly news broadcasts air at 6:30 PM ET). That is also well outside the hours when financial investors would be paying attention to what actually took place. Given that the SEC itself says the breach may have been used for illicit trading, the timing is rather curious. Still, it's not nearly as underhanded as issuing a press release on a Friday night (where news goes to die).
We still have many questions about this newly disclosed cybersecurity incident at the SEC. Why did it take nearly a year for the regulatory agency to disclose a breach that, as we now know, may have harmed investors through insider trading? And why did the SEC wait a month after realizing the intrusion may have been used for illicit trading before bringing this information to the public?
We have the feeling that there will be at least a few hearings up on Capitol Hill to find out who really knew what, and when, regarding this latest cybersecurity slip-up.