SEC Discloses 2016 Hack of EDGAR System

The commission says cybercriminals obtained access to nonpublic information and may have used it to make illicit trades.
Matthew Heller, September 21, 2017

In another illustration of the vulnerability of financial infrastructure, the U.S. Securities and Exchange Commission has disclosed a data breach that may have resulted in cyber criminals using its EDGAR online database to make illicit trades.

SEC Chairman Jay Clayton said hackers had obtained access to nonpublic information by exploiting a vulnerability in the test filing component of the EDGAR system, which is the central repository for millions of corporate filings ranging from quarterly earnings to statements on acquisitions.

The hack was detected in 2016 and the vulnerability was promptly patched, but according to Clayton, the SEC learned last month that the cyber criminals may have used the nonpublic information for insider trading.

“We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk,” Clayton said in a statement, adding, however, that “Our investigation of this matter is ongoing.”

The disclosure follows a July report from the Government Accountability Office that found the SEC had not fully implemented 11 of 58 recommendations spurred by previous audits to secure its computer network, including failing to authenticate users and encrypt sensitive information.

Other recent breaches of financial infrastructure have included a hack of credit reporting firm Equifax’s computer system, which exposed the Social Security numbers and birth dates of as many as 143 million people, and a scheme in which hackers posing as students may have compromised the personal data of as many as 100,000 taxpayers.

According to Reuters, the SEC hack “is particularly embarrassing for the SEC and its new boss Clayton, who has made tackling cyber crime one of the top enforcement issues during his tenure.” He is likely to be questioned about it at a congressional hearing next week.

“It’s hugely problematic and we’ve got to be serious about how we protect that information as a regulator,” said Rep. Bill Huizenga, chairman of the House subcommittee on Capital Markets, Securities, and Investment. “I’m hoping that this leads to some vast improvements and an uptick in the vigilance that all the regulators are going to have with information that’s coming to them.”