SEC victim of hacking, filing system breached

Posted September 22, 2017

Securities and Exchange Commission Chairman Jay Clayton disclosed in a lengthy statement late Wednesday that a hack was detected past year.

The SEC files financial market disclosure documents through its EDGAR system, which processes over 1.7 million electronic filings in any given year.

A major computer hack at America's top stock market regulator is the latest sign that data stored in the highest reaches of USA government remains vulnerable to cyber attacks, despite efforts across multiple presidencies to limit high-profile breaches that are so frequent many consider them routine.

"Effective management of internal cybersecurity risk is critical to the SEC achieving its mission and to protecting the nonpublic information that is entrusted to this agency", SEC Commissioner Michael Piwowar said in a statement. It issued 26 recommendations that it said would make SEC systems more secure.

Hackers may have used information stolen from the U.S. financial regulator to make "illicit gain" through insider trading, the body's chairman admitted. Although the vulnerability in question "was patched promptly after discovery", the regulator has not disclosed when the loophole was introduced or how long it took to patch.

U.S. President Donald Trump in May signed an executive order requiring agencies to use a specific framework to assess and manage cyber risk, and to prepare a report within 90 days about how they implement it.

The statement is part of an ongoing assessment of the SEC's cybersecurity risk profile that Clayton initiated upon taking office in May. He admitted that an attacker infiltrated the agency's EDGAR database in 2016 by exploiting a software vulnerability to gain access to non-public info.

The SEC has also been dealing with attempts to seed EDGAR with bad data to affect financial markets. The SEC sometimes handles its own sensitive information, including disclosures that companies are allowed to keep away from investors.

The SEC discussed the 2016 hack in a lengthy statement by Clayton on the agency's cybersecurity efforts. Insider trading refers to buying or selling of a stock by a trader who has inside knowledge that the investing public is not aware of, creating an unfair advantage.

While the SEC handles non-public drafts of rules and personally-identifiable information, it said it doesn't believe the breach led to unauthorized access of that type of data, endangered the operations of the agency, or resulted in "systemic risk".

Here's what we know about the SEC data hack.