October 20, 2014

When Will the SEC’s EDGAR Get Hacked? (Or Has It Already?)

About a decade ago, I blogged: “Personally, I am always amazed that there have not been any reported hacks of the EDGAR system – as that has to be one of the most popular targets of the hacking community, even for the youngsters for whom it’s just a sport. It is easy to imagine the harm that could be caused by someone that hacked EDGAR (e.g. post a fake 8-K with some drastic news that is a market-mover).”

I imagine that if EDGAR had been hacked, the SEC would make an announcement – or at least the SEC’s Inspector General would eventually mention it in one of their reports about the SEC’s security systems. And of course, the company (or companies) impacted by a hacking episode would tell the investor community of the problem. Falsified numbers in financials filed on EDGAR would truly undermine confidence in the markets. So I’m glad that there haven’t been any cybersecurity incidents of this nature so far…

The SEC’s Long History of Laptop Security Issues

As picked up by this Fortune article, the SEC’s Inspector General recently issued a report that over 200 of the agency’s laptops could be missing. The SEC has 5525 laptops in total, with about half in DC. Here’s an excerpt from the article:

The SEC’s Office of Inspector General said it reviewed a statistical sample of 488 laptops assigned to the agency’s headquarters and three regional offices to determine laptop accountability. Of those devices, 24 laptops couldn’t be accounted for, while incorrect user information was listed for about 22% of the laptops and incorrect location information was found for 17% of the sample size.

This type of thing is not new news for the SEC. Problems with laptops date back at least to this GAO report in 2005 through this SEC Inspector General report in 2012, as highlighted by this report about the federal government’s sketchy track record with cybersecurity safeguards for critical infrastructure by Senator Tom Coburn…

Friday Night Spamming by the SEC

And here’s something more light-hearted. After accidentally pumping out dozens of unnecessary alerts on Friday night, the SEC sent out this email:

Subject: Inadvertent email notifications

Last night, you may have received multiple email notifications inadvertently triggered by system enhancements that were installed after midnight. The notifications do not contain new information or changes. The problem was resolved this morning.

As Latham’s Steve Wink noted to me, it was the SEC’s own version of the Knight Capital glitch. If you want to sign up for updates from the SEC directly, here’s their sign-up page.

– Broc Romanek