Hackers breached the U.S. Securities and Exchange Commission's EDGAR document filing system and may have used nonpublic information stored on the database to profit from insider trading, the regulatory body disclosed on Wednesday.
Detected in 2016, the intrusion was made possible by a software vulnerability in the test filing component of the EDGAR system, according to a Sept. 20 statement on cybersecurity from SEC Chairman Jay Clayton, as well as an accompanying press release. The flaw was quickly patched upon discovery, but not before malicious actors may have capitalized on a bounty of sensitive information on publicly traded companies.
EDGAR, which stands for Electronic Data Gathering, Analysis, and Retrieval, contains not only public documents like annual reports, but also private filings related to proposed mergers and acquisitions and other matters that could persuade a trader to buy or sell. In this case, however, the breach appears that it may be limited to only documents entered as test filings.
"We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk," wrote Clayton in his statement, which summarized the SEC's efforts to bolster its cybersecurity preparedness since the chairman ordered an ongoing assessment of the agency's cyber risk profile back in May 2017. "Our investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities."
Additionally, Clayton said that other actors have planted fake filings in the EDGAR system in order to profit from the market's reaction. Earlier this year, for instance, the SEC filed charges against Virginia-based mechanical engineer Robert Murray for allegedly gaining fraudulent access to the EDGAR system and filing a document falsely claiming that a company called ABM Capital LTD intended to acquire Fitbit's outstanding shares at a premium.
Since 2011, the SEC's staff of the Division of Corporation Finance has issued disclosure guidance to publicly traded companies regarding cyber issues that could potentially impact their financial results. But ironically in this case, the agency itself was hacked and manipulated for profit, and the repercussions for the investment market could be substantial.
“The disclosed breach may have disastrous consequences outshining Equifax," said Ilia Kolochenko, CEO of web security company High-Tech Bridge, referring to a recent breach of the credit reporting agency. "Cybercriminals could have manipulated the entire stock market and make billions of illicit profit. Ethical investors, including pension and sovereign funds, without the insider information could have lost fortunes as a result."
Jeff Hill, director of product Management at third-party risk management firm Prevalent, drew a parallel between the SEC incident and a previous case involving hackers who pleaded guilty to breaching wire services Business Wire, PR Newswire and Marketwired in order to view corporate announcements before they were released to the general public. This allowed them to rake in more than $100 million from insider trading.
"The EDGAR episode is also tantalizingly efficient for bad actors: Penetrate once, compromise many," said Hill. "Rather than hacking multiple public companies to illicitly gather valuable insider information, the EDGAR perpetrators could parlay a single breach into a potential monetizable data bonanza."
Acknowledging that cybersecurity is "critical to the operations of our markets," SEC Chairman Clayton in his statement further elaborated on the progress of his agency's ongoing cybersecurity assessment, a key component of which is the establishment of a a senior-level working group to coordinate information sharing, risk monitoring, and incident response efforts.
To protect sensitive SEC data, which can include personally identifiable information, proposed rules filings, drafts of applications for exemptive relief, and records related to internal and external investigations, "the Commission employs an agency-wide cybersecurity detection, protection and prevention program for the protection of agency operations and assets," Clayton explained. "This program includes cybersecurity protocols and controls, network protections, system monitoring and detection processes, vendor risk management processes, and regular cybersecurity and privacy training for employees."
Clayton also said that the agency expects to hire additional cybersecurity expertise.
Jake Olcott, VP at security ratings firm BitSight, believes that the statement may possibly portend a change at the regulatory body.
“The SEC's statement is remarkable for a number of reasons and might suggest that the agency is considering changes in a number of approaches, from data collection to vendor risk management to regulatory oversight," said Olcott, a former legal adviser to the Senate Commerce Committee and former counsel to the House of Representatives Homeland Security Committee. "Though the disclosure lacks specifics around the damage caused by the incident, the thoroughness of the descriptions of its efforts to secure its own systems, the standards it follows, and the involvement of external 3rd parties is very unique for a government agency. It seems like the SEC is 'tasting its own medicine' with respect to cyber disclosure, something that other agencies should follow.”
SC Media has reached out to the SEC for further comment on specifically what kinds of private information is accessible via EDGAR.