The Securities and Exchange Commission (SEC) has disclosed that hackers accessed sensitive information from its systems about publicly traded companies. And while the SEC has so far been tight-lipped about what kind of fallout the hack will have, the agency acknowledges that the hackers have probably conducted trades using the information.
Head of the SEC Jay Clayton being sworn in before the Senate Banking Committee during his confirmation hearing on Capitol Hill on 23 March 2017 in Washington, DC (Photo by Chip Somodevilla/Getty Images)
The revelation from the SEC was buried in a lengthy and otherwise boring statement earlier this week. Titled “A Statement on Cybersecurity”, the 4110-word statement (not including footnotes) is bizarre for both its length and its ability to say almost nothing of substance.
But it sure has a lot of generalities about “enhanc[ing] the Commission’s ability to oversee and enforce rules governing market infrastructure” and “improv[ing] resiliency when systems problems do occur”.
What can we pull from the statement that actually matters? Hackers accessed the SEC’s EDGAR system, which is the electronic database used to store filings from publicly traded companies. Hackers gained access at some point in 2016 and the SEC supposedly just learned about it in August of 2017. To top it all off, the hackers have probably profited from the information.
From the SEC statement:
“In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading. Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information. We believe the intrusion did not result in unauthorised access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk. Our investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities. As another example, our Division of Enforcement has investigated and filed cases against individuals who we allege placed fake SEC filings on our EDGAR system in an effort to profit from the resulting market movements.”
And there you have it. That’s all they will say about the matter. For now, at least. The FBI and SEC won’t comment further and nobody is talking about why it took so long for the SEC to issue a statement, even if it didn’t have much information at all.
“The Commission will continue to prioritise its efforts to promote effective cybersecurity practices within the Commission itself and with respect to the markets and market participants it oversees,” SEC chairman Jay Clayton said in his unenlightening and boring-arse statement.
“This requires an ongoing, thoughtful evaluation of the data we obtain,” Clayton continued. “When determining when and how to collect data, we must continue to thoughtfully evaluate our approach in light of the importance to our mission of each type of data we receive, particularly in the case of sensitive data, such as personally identifiable and nonpublic information.”
The agency doesn’t “believe” that the intrusion resulted in access to personal information, but who on Earth actually believes that in this day and age? It’s always worse than they first believe. We’ve learned that in everything from the massive Equifax hack to the criminal operations of banks such as Wells Fargo.
It can always get worse. That seems to be the slogan for 2017. And it doesn’t bode well for 2018.