Hack of Wall Street regulator rattles investors, lawmakers

Published Sep 23, 2017

WASHINGTON - Wall Street's top regulator came under fire over its cyber security and disclosure practices after admitting hackers had breached its database of corporate announcements in 2016 and may have used it for insider trading.

The breach involved the Securities and Exchange Commission's EDGAR filing system, which houses market-moving information with millions of filings ranging from quarterly earnings to statements on acquisitions.

The SEC said on Wednesday evening it discovered last month that cyber criminals may have used a hack detected in 2016 to make illicit trades.

SEC Chairman Jay Clayton gave members of Congress a "courtesy call" about the hack on Wednesday afternoon before it was announced publicly, said Representative Bill Huizenga, chairman of the US House subcommittee that oversees the SEC.

"It's hugely problematic and we've got to be serious about how we protect that information as a regulator," Huizenga said. The SEC disclosure came two weeks after credit-reporting company Equifax Inc said a breach had exposed sensitive personal data of up to 143 million US customers, and follows last year's cyber attack on SWIFT, the global bank messaging system.

It is particularly embarrassing for the SEC and its new boss Clayton, who has made tackling cyber crime one of the top enforcement issues. "The chairman obviously recognizes the irony of the SEC potentially serving as the unwitting tipper in an insider trading scheme," said John Reed Stark, president of a cyber consulting firm and a former SEC staff member.

The SEC has said it was investigating the source of the hack but it did not say exactly when it happened or what sort of non-public data was retrieved. The agency said the attackers had exploited a weakness in a part of the EDGAR system and it had "promptly" fixed it.

Most reports filed with the SEC "generally don't contain super-sensitive information," and any insider trading would have taken place soon after company filings were made but before they were released to the public, said Gary LaBranche, president of the National Investor Relations Institute.

"People are shocked and disappointed," LaBranche said. NIRI members, who work with 1,600 publicly-traded companies, will be examining their trading reports for any unusual activity that could be tied to disclosures, he said.

The Trump administration has prioritized protection of federal agency networks after breaches including at the Office of Personnel Management, Internal Revenue Service and State Department during the Obama administration. US President Donald Trump in May signed an executive order requiring agencies to use a specific framework to assess and manage cyber risk, and to prepare a report within 90 days about how they implement it.

The SEC did not respond when asked about that review or whether it triggered the disclosure, but Clayton said in his Wednesday statement that he began reviewing the agency's cyber risk in May.

SEC Commissioners did not learn of the breach until recently. In a statement, Republican SEC Commissioner Mike Piwowar, who for part of 2017 also served as Acting Chairman, said he was "recently informed for the first time that an intrusion occurred in 2016."

CYBER SLEUTHS NEEDED 

Clayton will be grilled on the incident and its aftermath at a hearing by the Senate Banking Committee on Tuesday. Banking Committee member Senator Mark Warner said in a statement he intends to ask about SEC thresholds for requiring companies to disclose breaches, and flagged the connection between the SEC's disclosure and its market oversight role.

"Government and businesses need to step up their efforts to protect our most sensitive personal and commercial information," Warner said.

Securities industry rules require companies to disclose cyber breaches to investors, and the SEC has investigated firms over whether they should have reported incidents sooner.

"There is an element of, 'Do as we say, not as we do' to this," said Matt Rossi, a former counsel in the SEC's enforcement division. And the lack of details from the SEC about the breach will likely raise questions about what other EDGAR data may have been exposed, such as information related to ongoing financial investigations and sensitive personal information, Rossi said.

The disclosure followed public and non-public reports that detailed the SEC's cyber vulnerabilities as well as acknowledgement by the SEC itself of the scope of the risks posed by cyber attacks. Former SEC chair Mary Jo White, in office when the hack occurred, told Reuters in 2016 that cyber security posed the biggest risk to the U.S. financial system.

The US Department of Homeland Security had detected five "critical" cyber security weaknesses on the SEC's computers as of Jan. 23, according to a confidential weekly report reviewed by Reuters on Thursday. And in July, months after the breach was detected, a congressional watchdog warned that the SEC was "at unnecessary risk of compromise" because of deficiencies in its information systems.

The SEC shut down a specialized unit on cyber crimes as part of a 2010 reorganization. The EDGAR system has sustained data breaches before.

In 2015 hackers broke into EDGAR and published false information about plans a financial firm had to purchase Avon Products, prompting the stock of the beauty products company to briefly surge. Researchers found in 2014 that some users could see information posted to EDGAR before the public.

- REUTERS 
