SEC says it told U.S. security officials of hack months ago
(Bloomberg) -- The U.S. Securities and Exchange Commission told government cybersecurity officials about a hack into its database of corporate filings soon after it happened last year, months before the agency’s new chairman made the breach public.
Since disclosing the incident on Sept. 20, Jay Clayton has come under mounting pressure to provide additional details about the 2016 intrusion into the SEC’s Edgar system that may have led to illicit trades. In remarks prepared for a Senate hearing on Tuesday, Clayton said the agency told the Department of Homeland Security’s U.S. Computer Emergency Readiness Team about the breach last year.
“In August 2017, in connection with an ongoing investigation by our Division of Enforcement, I was notified of a possible intrusion into our Edgar system,” Clayton, who became SEC chairman in May, said in the remarks obtained by Bloomberg News. “In response to this information, I immediately commenced an internal review.”
The study he initiated, along with the enforcement unit’s probe, led to the conclusion that someone may have accessed nonpublic information and used it for illegal trades, Clayton said. In his statement last week, he said the intrusion involved a part of Edgar that lets firms fill out dummy forms to test their ability to use the system. Edgar houses millions of filings on disclosures ranging from corporate earnings to mergers and acquisitions.
With the number of hacks and their scope rising, the SEC and other regulators face growing pressure to show the government is trying to fight back.
On Monday, the SEC announced it had started a cyber unit within the Enforcement Division. The types of misconduct the new group will focus on include market-manipulation schemes in which hackers try to spread false information about companies electronically, breaches that lead to the theft of nonpublic information that can move markets and intrusions into retail brokerage accounts, the SEC said.
The SEC also said it will establish a “retail strategy task force” to try to protect mom-and-pop investors from hacks that lead to widespread misconduct.
The regulator hasn’t revealed which companies may have been affected by the intrusion it experienced last year. In his prepared remarks, Clayton repeated his assertion that the SEC doesn’t believe the breach led to unauthorized access to personal identification information. He also said the agency successfully fixed the software defect that was exploited in the attack.
At Tuesday’s Senate Banking Committee hearing, Clayton is likely to face questions from lawmakers about the breach, the delay in making it public and the SEC’s cybersecurity policies. In his prepared remarks, he said the agency will hire additional staff to bolster its network, systems and data. He said escalation protocols would be improved to ensure “agency-wide visibility and understanding” of vulnerabilities and attacks.
Clayton’s disclosure of the SEC breach came two weeks after credit-reporting company Equifax Inc. said it had been victimized by a hack that may have led to the theft of personal data on 143 million Americans. The attacks have sparked renewed calls for federal agencies and companies to do more to secure data.
“We are continuing to examine whether public companies are taking appropriate action to inform investors, including after a breach has occurred, and we will investigate issuers that mislead investors about material cybersecurity risks or data breaches,” Clayton said. “I would like to see more and better disclosure in this area.”