Lawmakers on Capitol Hill were demanding answers Thursday as the Securities and Exchange Commission tries to assess the damage after admitting hackers breached its database of public company filings last year and may have used that knowledge for insider stock trades.
The announcement by Wall Street’s top regulator Wednesday comes close on the heels of revelations of the massive cyberattack on credit rating agency Equifax, which may have compromised highly sensitive personal and financial information of up to 143 million people.
“The SEC’s disclosure, which comes not even two weeks after Equifax revealed that it had been hacked, shows that government and businesses need to step up their efforts to protect our most sensitive personal and commercial information,” Sen. Mark R. Warner, Virginia Democrat and co-founder of the bipartisan Senate Cybersecurity Caucus, said Thursday.
Rep. Bill Huizenga, the Michigan Republican who chairs the House Financial Services subcommittee that oversees the SEC, said lawmakers had gotten a “courtesy call” from SEC Chairman Jay Clayton Wednesday as the agency was going public about the breach of its systems.
“It’s hugely problematic, and we’ve got to be serious about how we protect that information as a regulator,” Mr. Huizenga told the Reuters news agency.
In a 4,000-word statement posted on the agency’s website, Mr. Clayton said a security review determined that the previously detected “incident” was caused by “a software vulnerability” in its EDGAR filing system.
The EDGAR system processes more than 1.7 million electronic corporate disclosure filings a year, and those documents can cause enormous movements in the market, setting billions of dollars in motion in fractions of a second.
Mr. Clayton added that the breach of the filing system could have allowed the hackers to trade illegally on sensitive corporate data.
The SEC chairman is scheduled to appear before the Senate Banking Committee next week, on Sept. 26. The CEO of Equifax is slated to go before the same committee to answer questions on its data breach Oct. 4.
On Thursday Mr. Warner, who is on the banking panel, said he intends to question SEC officials on their authority to force firms to disclose cybersecurity breaches in a timely fashion — a highly sensitive subject among global investors.
“Last fall it was reported that Yahoo took more than two months to disclose to the public and its shareholders after learning that 500 million user accounts were hacked in 2014,” Mr. Warner’s office noted in a statement. “In fact, despite the flurry of high-profile data breaches reported in recent years, published reports have indicated fewer than 100 of approximately 9,000 publicly listed companies have reported a material data breach to the SEC since 2010.”
SEC officials said the vulnerability in the EDGAR filing system software was patched quickly after the hack was uncovered last year, although the possibility that some may have used it to make illegal profits was discovered only last month.
The SEC chairman said agency security officials now believe that, unlike the Equifax hack, the breach did not expose identifiable information on individuals, but the incident did highlight other security concerns at the agency.
“We must be vigilant,” Mr. Clayton said in his Wednesday statement. “We also must recognize — in both the public and private sectors, including the SEC — that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”
Mr. Clayton said that a 2014 internal review was unable to locate some agency laptops that may have contained confidential information.
The agency also discovered instances in which SEC personnel used private unsecured email accounts to transmit confidential information.
The SEC is continuing to investigate the breach and its possible consequences and coordinating with the “appropriate authorities,” according to the statement.
Mr. Clayton, nominated by President Trump for the SEC post in January, has targeted cybercrime since taking charge and ordered a review of the SEC’s cybersecurity profile in May 2017. That review led to the discovery of the possible illegal trading. The statement did not explain why the hack itself was not revealed when it was discovered last year.
According to a confidential weekly report reviewed by Reuters, the U.S. Department of Homeland Security had detected five “critical” cybersecurity weaknesses on the SEC’s computers as of Jan. 23, 2017.
• This article is based in part on wire service reports.
• Dan Boylan can be reached at dboylan@washingtontimes.com.