(CN) – The federal agency responsible for ensuring that markets function properly and for protecting investors is under fire after disclosing its computer system was hacked despite repeated warnings about deficiencies in its cybersecurity measures.
The Securities and Exchange Commission said late Wednesday that it discovered a breach of its corporate filing system last year but only became aware last month that information obtained by the attackers may have been used for illegal trading gains.
The agency did not explain why the initial hack was not revealed sooner, or which individuals or companies may have been impacted. The disclosure arrived two months after a government watchdog said deficiencies in the SEC’s filing system put the system, and the information it contains, at risk.
The hack was disclosed by SEC Chairman Jay Clayton in a statement posted to the agency’s website and comes just two weeks after the credit agency Equifax revealed a cyberattack there had exposed highly sensitive personal information of 143 million people.
Clayton is scheduled to appear Tuesday before the Senate Banking Committee. Democratic Sen. Mark Warner of Virginia, a member of the committee, said in a statement Thursday that the disclosures by the SEC and Equifax show “that government and businesses need to step up their efforts to protect our most sensitive personal and commercial information.”
In a statement, Clayton said a review of the agency’s cybersecurity risk profile determined that the previously detected incident was caused by “a software vulnerability” in its filing system known as EDGAR, short for Electronic Data Gathering, Analysis, and Retrieval system. EDGAR processes more than 1.7 million electronic filings in any given year. Those documents can cause enormous movements in the market, sending billions of dollars in motion in fractions of a second.
Clayton said the SEC has been conducting an assessment of its cybersecurity since he took over as chairman in May. Experts note, however, that both agency and congressional investigators have been critical of the SEC’s handling of its information technology security for years.
Early this decade, the SEC inspector general’s office uncovered security lapses involving SEC staffers who examined the data-protection systems of the stock exchanges. Some of the staffers used unencrypted laptops to store sensitive exchange information — and then carried the laptops to a Las Vegas conference for information security professionals that is known to attract hackers. The 2011-12 investigation raised concerns of a potential breach of the exchanges’ information.
David Weber, a professor at the University of Maryland’s business school and a former assistant SEC inspector general for investigations, worked on that probe. The agency “clearly has not held itself to the same standard that it expects regulated companies to adhere to” and “needs to up its game,” he said in an interview Thursday.
In 2015, an impostor slipped through the EDGAR filing system with a bogus $8 billion takeover bid for Avon Products. The stock rocketed 20 percent, but it quickly dropped, burning anyone who’d bought shares of the cosmetics giant at pumped-up prices. The SEC later sued a Bulgarian investor for allegedly orchestrating bogus acquisition bids for Avon and two other companies.
The hack of EDGAR is especially concerning because of how widely investors have used and trusted the system, which first came online in the early 1990s. Companies periodically file earnings and a range of financial information, and they alert investors to important developments that could affect their share prices, like government investigations, executive shake-ups and approaches for a takeover.
Gaining access to file into the system “is as easy as getting an email address,” says James Moloney, a former special counsel at the SEC. He says the SEC should consider stricter vetting, though he cautions that doing so wouldn’t guarantee blocking scammers from getting through.
Experts say stricter requirements could include passwords, personal ID, secret questions and answers, security tokens that continuously flash new ID numbers, fingerprints, eye scans or voice recognition.
The SEC said in its statement that an investigation into the breach and its possible consequences is ongoing, and that it is cooperating with the “appropriate authorities.”