The U.S. Securities and Exchange Commission faced criticism Thursday (Sept. 21) over its cybersecurity practices and disclosures after it revealed its EDGAR database for corporate filings was hacked last year and could have been used for insider trading.
According to a report in Reuters, the SEC said it discovered in August that hackers may have broken into EDGAR to make illegal trades on the information. SEC Chairman Jay Clayton informed members of Congress of the hack earlier this week before it was made public, Reuters reported, citing Representative Bill Huizenga, chairman of the U.S. House subcommittee that oversees the SEC.
“It’s hugely problematic and we’ve got to be serious about how we protect that information as a regulator,” Huizenga told Reuters. The revelation is embarrassing to the SEC given that the regulator’s new head, Clayton, has made it a point to focus on enforcement of cybersecurity issues.
“The chairman obviously recognizes the irony of the SEC potentially serving as the unwitting tipper in an insider trading scheme,” said John Reed Stark, president of a cyber consulting firm and a former SEC staff member, in an interview with Reuters.
The SEC said it is looking into the hack to determine the source, but wouldn’t disclose what non-public data was accessed. The hackers took advantage of a weakness in the EDGAR system; that weakness has already been fixed.
Gary LaBranche, president of the National Investor Relations Institute, told Reuters that many of the corporate reports that are filed with the SEC don’t contain very sensitive information. He did note that people are shocked and disappointed by the breach, and said that members who work with 1,600 public companies will be looking at trading reports to pinpoint unusual trading activity tied to any disclosures. The report noted that SEC commissioners weren’t alerted to the cyberattack until recently.