The Boston Herald and the Associated Press report the following:
Hackers who breached a Securities and Exchange Commission filing system may have used information to make illegal trades in 2016, the agency’s chairman said in an extended statement last night.
SEC Chairman Jay Clayton said in a statement posted last night on the SEC’s website that a review of the agency’s cybersecurity risk profile determined that the previously detected “incident” was caused by “a software vulnerability” in its EDGAR filing system. The SEC chairman said this breach did not result in exposing “personally identifiable information.”
“Notwithstanding our efforts to protect our systems and manage cybersecurity risk, in certain cases cyber threat actors have managed to access or misuse our systems,” Clayton’s statement said.
“In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading,” the statement said. “Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information. We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk. Our investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities. As another example, our Division of Enforcement has investigated and filed cases against individuals who we allege placed fake SEC filings on our EDGAR system in an effort to profit from the resulting market movements.”
The statement didn’t detail the nature of the information that was taken or how it was used. The SEC files financial market disclosure documents through its EDGAR system, which processes over 1.7 million electronic filings in any given year.
Clayton’s statement also mentioned that a 2014 internal review was unable to locate some agency laptops that may have contained nonpublic information.
The lengthy statement details a series of measures that Clayton initiated. A post on the SEC site said Clayton’s statement “is part of an ongoing assessment of the SEC’s cybersecurity risk profile that Chairman Clayton initiated upon taking office in May. Components of this initiative have included the creation of a senior-level cybersecurity working group to coordinate information sharing, risk monitoring, and incident response efforts throughout the agency.”
Clayton’s statement added, “Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic. We must be vigilant. We also must recognize—in both the public and private sectors, including the SEC—that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”