The SEC announced that its corporate filing system was hacked in 2016. But depending on what was stolen, it may be too little, too late.
The Securities and Exchange Commission (SEC) recently revealed that its systems were hacked in 2016, and the stolen information may have been used by hackers to trade on the stock market.
The SEC is responsible for keeping the markets fair and orderly, which naturally means its servers are rich with insider information that could be used to make a fortune—it's for that very reason that hackers likely attacked.
The SEC briefly mentioned the hack in a Statement on Cybersecurity released by chairman Jay Clayton, but went into very little detail on the incident aside from mentioning that the hack targeted its Electronic Data Gathering, Analysis, and Retrieval system (EDGAR), which companies use to report information to the SEC.
EDGAR contained a hole in its test filing system that was exploited by hackers to gain access to nonpublic information. The test filing portion of EDGAR is used to verify that information submitted through EDGAR is accurate before it is sent on to the SEC and then to the public.
Corporations send a lot of different information through EDGAR: Earnings statements, business developments, and other disclosures that could affect stock prices are all included in its databases. After the SEC releases the information to the public, EDGAR can be used as a searchable database for stockbrokers and other financial entities.
SEE: How a data breach can negatively impact your company's stock price (TechRepublic)
Much of the information that flows through EDGAR is released to the public immediately. Some of it, however, is temporarily, or even permanently, withheld. That's the data that hackers want.
The hole that was exploited in 2016 was patched as soon as it was discovered and an investigation into the hack is ongoing. The SEC hasn't said what kind of information was stolen, which companies may have been affected, or if hackers made a profit.
Strengthening security at the SEC
The hacking revelation was contained in a general statement on cybersecurity from the SEC chairman, with a brief mention in a subsection on internal security risks. The statement also detailed steps the SEC is taking to shore up its cybersecurity through the appointment of a new senior-level security workgroup, risk monitoring, and incident response improvements.
SEE: Essential reading for IT leaders: 10 books on cybersecurity (free PDF) (TechRepublic)
Clayton admits that "there will be intrusions, and that a key component of cyber risk management is resilience and recovery." If, however, hackers were able to use nonpublic information to affect stock prices, then bouncing back from a hack may not matter: The damage is done to the market, its investors, and its affected companies.
Insider trading, which is essentially what hackers are doing if they're using stolen SEC filings to buy and sell stock, can have a huge effect on the supply and demand of a stock, and thus the price. When the chairman of the SEC says he wants his organization to create a resilient market it's difficult to think that can happen if "there will be intrusions."
If the right information gets into the wrong hands it can greatly upset the stability of the market, and if hacks happen it's hard to trust trading on Wall Street to be fair.
The top three takeaways for TechRepublic readers:
- The SEC revealed that a hack that occurred in 2016 may have resulted in illicit trades using nonpublic information. The SEC provided little information, so it's still unknown which companies may have been affected or if hackers made a profit.
- SEC chairman Jay Clayton revealed the hack in a larger statement on cybersecurity at the agency. Also included in the statement were SEC cybersecurity plans stemming from an ongoing audit Clayton initiated when he took control earlier in the year.
- If sensitive nonpublic information was stolen it may already be too late to repair market damage. Insider trading can undermine trust in the stock market, as well as damaging a company's stock price.
- Security alert: 1.4M new phishing sites created each month, report says (TechRepublic)
- SEC admits data breach, suggests illicit trading was key (ZDNET)
- Report: Average enterprise data breach cost rises to $1.3M (TechRepublic)
- The Four Volume Cyber Security Bundle (TechRepublic Academy)
- IT leader's guide to big data security (Tech Pro Research)