Fed agency urging cybersecurity upgrades gets hacked
The federal agency responsible for ensuring that markets function as they should and for protecting investors was hacked last year, and the intruders may have used the nonpublic information they obtained to profit illegally.
The disclosure arrived two months after a government watchdog said deficiencies in the computer systems of the Securities and Exchange Commission put the system, and the information it contains, at risk.
In July, the Government Accountability Office issued a critical report about the security measures employed by the SEC, citing a number of deficiencies in “the effectiveness of SEC’s controls for protecting the confidentiality, integrity, and availability of its information systems.” It issued 26 recommendations that it said would make SEC systems more secure.
According to the SEC, the breach was discovered last year, but the possibility of illicit trading was uncovered only last month. It did not explain why the hack itself was not revealed sooner, or which individuals or companies may have been impacted.
In a prepared statement, SEC Chairman Jay Clayton said a review of the agency’s cybersecurity risk profile determined that the previously detected incident was caused by “a software vulnerability” in its filing system known as EDGAR, short for Electronic Data Gathering, Analysis, and Retrieval system. Clayton said the SEC has been conducting an assessment of its cybersecurity since he took over as chairman in May.
The SEC files financial market disclosure documents through its EDGAR system, which processes more than 1.7 million electronic filings in any given year. Those documents can cause enormous movements in the market, setting billions of dollars in motion in fractions of a second.
The revelation from the critical agency comes as Americans grapple with the repercussions of a massive, months-long hack at the credit agency Equifax, which exposed highly sensitive personal information of 143 million people. Clayton said the agency’s breach did not result in exposing personally identifiable information.
The SEC hasn’t said whether it is investigating the hack at Equifax, but the agency for years has leaned on publicly traded corporations to strengthen their own cybersecurity systems.
An investigation into the breach and its possible consequences is ongoing, and the SEC said that it is cooperating with the “appropriate authorities.”