SEC Chief Outlines Cybersecurity Steps in Wake of EDGAR Hack

Chris Gaetano
Published Date:
Oct 3, 2017

SEC Chair Jay Clayton outlined what the commission plans to do in the wake of a data breach that allowed hackers to potentially access market-moving information in the EDGAR system. He said that the agency's efforts will be organized into five principle "work streams:"

1)    The review of the 2016 EDGAR intrusion by the Office of Inspector General.  Staff have been instructed to provide their full cooperation with this effort

2)    The investigation by the Division of Enforcement into the potential illicit trading resulting from the 2016 EDGAR intrusion

3)    A focused review of and, as necessary or appropriate, uplift of the EDGAR system. The EDGAR system has been undergoing modernization efforts.  The agency has added, and expects to continue to add, additional resources to these efforts, which are expected to include outside consultants, and will increase the focus on cybersecurity matters

4)    The more general assessment and uplift of the agency’s cybersecurity risk profile and efforts that were initiated shortly after the Chairman’s arrival at the Commission this past May, including, without limitation, the identification and review of all systems, current and planned (e.g., the Consolidated Audit Trail or CAT), that hold market sensitive data or personally identifiable information

5)    The agency’s internal review of the 2016 EDGAR intrusion to determine, among other things, the procedures followed in response to the intrusion. This review is being overseen by the Office of the General Counsel and has an interdisciplinary investigative team that includes personnel from regional offices and will involve outside technology. 

The chairman also said that he has authorized the immediate hiring of additional staff and outside technology consultants to bolster the commission's cybersecurity efforts, as well as directed staff to take their own measures to reduce cyber risks. This includes assessing the types of data the SEC takes in through the EDGAR system, and whether EDGAR is the appropriate mechanism to obtain that data.  Another part of this effort includes reviewing the security around EDGAR and other sensitive systems, which will include assessing the types of data the agency keeps and the related security systems, processes and controls.  The staff also will work to enhance escalation protocols for cybersecurity incidents in order to enable greater agency-wide visibility and understanding of potential cyber vulnerabilities and attacks. 

More broadly, he said that the agency is evaluating its overall cybersecurity risk governance structure. The chair added that other initiatives that were already in place are set to begin shortly. These include internal, Commission-level incident response exercises and continued interaction on cybersecurity efforts with other government agencies and committees, including the Department of Homeland Security, the Government Accountability Office and the Financial and Banking Information Infrastructure Committee.

“The 2016 intrusion and its ramifications concern me deeply.  I am focused on getting to the bottom of the matter and, importantly, lifting our cybersecurity efforts moving forward,” said Chairman Clayton.  “While our review and remediation efforts are ongoing and may take substantial time to complete, I believe it is important to provide new information regarding the scope of the 2016 intrusion and provide an update on the steps we are taking to assess and improve the cybersecurity risk profile of our EDGAR system and of the agency’s systems more broadly.”

In addition to accessing nonpublic company filings, the intruders were also able to get the personal information of two individuals, who have since been notified by the SEC and offered free identity theft and monitoring services. 

Click here to see more of the latest news from the NYSSCPA.