U.S. Securities and Exchange Commission Chairman Jay Clayton is under fire after releasing a statement late on Sept. 20 that focused more on the regulator’s efforts to promote effective cybersecurity practices while, in the same breath, issuing a startling revelation: EDGAR, the Commission’s Electronic Data Gathering, Analysis and Retrieval system, had been compromised in 2016.
Clayton released a lengthy cybersecurity statement aptly titled “Statement on Cybersecurity,” a roughly 4,100-word document that was mostly benign, promising to “prioritize efforts” and “promote effective cybersecurity practices.” However, nearly 1,400 words into the statement, Clayton revealed a software compromise that may have aided in “illicit gain through trading.”
“In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading. Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information,” Clayton said in the statement. “We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.”
While Clayton’s risk assessment may be true, Fortune reported that “accessing documents before they are released publicly would offer hackers a lucrative opportunity to trade on that information.”
Though the Commission has been aware of the SEC EDGAR hack since 2016 and fixed it promptly, only last month did it conclude that the hackers likely used their access to initiate illicit trades, and ultimately make money from knowing information before investors and the general public. Just days after being sworn in as chairman in May 2017, Clayton ordered “an assessment of our internal cybersecurity risk profile and our approach to cybersecurity from a regulatory and oversight perspective.” Given that the SEC EDGAR hack took place in 2016, the event would have occurred under previous SEC Chair Mary Jo White or Interim Chair Michael Piwowar.
In an accompanying statement, Piwowar said, “In connection with that review, I was recently informed for the first time that an intrusion occurred in 2016 in the SEC’s EDGAR system. I fully support Chairman Clayton and Commission staff in their efforts to conduct a comprehensive investigation to understand the full scope of the intrusion and how to better manage cybersecurity risks related to the SEC’s operations.”
Politico has reported that several members of Congress and the Senate have previously questioned the security of the massive data repository. In May 2015, Senator Chuck Grassley asked the SEC for “information about EDGAR vulnerabilities after an apparent hoax involving Avon Products Inc.” In October 2014, Representative Carolyn Maloney voiced alarm over an “academic study that revealed stock prices were moving about thirty seconds prior to public filings being made available on the SEC’s website.”
In July, the SEC announced that Christopher Hetner will continue to serve as senior advisor to Clayton for cybersecurity policy, having previously served in this role under former Chair Mary Jo White and Acting Chairman Michael Piwowar. In his role, he is expected to “continue to coordinate efforts across the agency to address cybersecurity policy, engage with external stakeholders, and help enhance the SEC’s mechanisms for assessing cyber-related market risk.”
The SEC EDGAR hack announcement comes on the heels of noticeable and continued outages of the EDGAR system earlier this year. The intermittent outage issues were something that the SEC’s Public Dissemination Service (PDS) group struggled to keep pace with. A steady stream of PDS notifications this year indicated “service issues remain ongoing as the SEC continues to investigate and work on the problem internally.”