October 3, 2017

The SEC’s Edgar Hacking: Serious Business

I’m concerned that some folks aren’t worried enough about the SEC’s Edgar being hacked. I’ve seen a number of blogs about SEC Chair Clayton’s cybersecurity statement that didn’t bother to even mention the most important item in that statement: Edgar was hacked! Perhaps that was a byproduct of the SEC “burying the lead” when it stuck that revelation in the middle of a 5-page statement about cybersecurity generally.

But make no mistake about it, this is a huge development. Don’t be numb because hacking news has become so routine. John’s blog about the Chair’s statement keyed in on this theme with his title of “Wow! Edgar Hacked!”

This Bloomberg article notes the significance – here’s an excerpt:

If such breaches continue, or if the SEC is too underfunded or outgunned to fix them, it could undermine company and investor confidence in the agency. That might threaten the regulator’s ability to provide a bedrock principle of the U.S. financial system: market transparency.

The SEC’s Hacking Incident: What We Know (& Don’t Know)

The SEC is certainly now taking the hacking seriously. Yesterday, SEC Chair Jay Clayton issued this update on the breach since the agency has now found that personal information for at least two individuals was hacked (see this Reuters article).

Culling through the written testimony from Chair Clayton before the Senate Banking Committee last week – and the media pieces about that (WSJ’s Andrew Ackerman has penned several pieces; this is the latest), here are a few things we know – and don’t know:

1. Management Kept in the Dark – Although the breach was reported in 2016 to the Department of Homeland Security and the security gaps were patched, SEC Commissioners and the SEC’s then-COO were unaware of the 2016 hack. It’s not known when in 2016 the hacking took place.

2. SEC Has Enforcement Action Pending – An ongoing enforcement investigation into possible illegal trading (or “outside trading,” as John Stark describes it) prevents the SEC from revealing many details about the cyber incident. Chair Clayton did disclose that this investigation, which he learned about last month, spurred a second look at the breach.

3. Sparse Facts Known So Far – The SEC hasn’t revealed what type of information was accessed in 2016, which filings were involved, or which companies might have been affected by the breach. Chair Clayton’s statement says the SEC’s Inspector General is probing the source of the hack, the type of information obtained and how the SEC responded internally. He decided to disclose the SEC’s own breach as soon as he had enough information to accurately inform market participants and investors.

4. “Customized” Part of Edgar Enabled the Hack – The hackers exploited a software vulnerability in a “customized” part of Edgar that lets companies test whether data in new forms transmits accurately before filing. The SEC has since hired outside consultants to test its systems for vulnerabilities.

Survey: Boards Not Sharing Cyber Incident News

It apparently isn’t only the SEC that is slow to share the fact that a cyber incident occurred. This recent BDO survey found that just one-quarter of boards are sharing information gleaned from cyber-attacks with external entities! The survey also found that boards are more involved with cybersecurity than they were 12 months ago – and 78% say they have increased company investments during the past year to defend against cyber-attacks, with an average budget expansion of 19%.

Broc Romanek