The Washington Post

Wall Street’s watchdog fails to follow its own counsel on disclosing cyberattacks

September 21, 2017 at 6:27 p.m. EDT
Securities and Exchange Commission Chairman Jay Clayton (Pablo Martinez Monsivais/Associated Press)

In a 2014 speech, the then-chair of the Securities and Exchange Commission, Mary Jo White, offered a stern reminder to corporate America: If hit by hackers, they had to tell the public about it.

Now, the agency, the country’s top Wall Street regulator, has acknowledged that hackers penetrated one of its most sensitive databases last year and may have been able to use the information to gain a trading advantage over the investing public to pocket illicit profits.

But the agency didn't follow its admonition to corporations. It offered few details about the hack, mentioning it only briefly in a larger policy statement about cybersecurity issued after 7 p.m. Wednesday by Jay Clayton, the current head of the agency.

“So this appears to be a situation of ‘Do as I regulate, not as I demonstrate,’ ” said Bradley J. Bondi, a partner at Cahill Gordon & Reindel and a former senior SEC official.

The system that was breached, known as Edgar, serves as a clearinghouse for the public filings that companies must make to the agency, including reports on periodic financial results and newsworthy developments. For various reasons, there can often be a lag between the time when reports are electronically filed with the agency and when they can be viewed by the public, making the system a potentially lucrative target to hackers hoping to learn sensitive information before the rest of the market.

"Edgar is the equivalent of Fort Knox for sensitive corporate filings before they are released publicly. It is a gold vault for insider traders," Bondi said.

The SEC declined to comment for this report.

News of the breach follows on the heels of revelations that Equifax, the huge credit reporting company, also had been the victim of a cyberattack. Equifax announced earlier this month that sensitive information, including Social Security numbers, on 143 million people had been stolen.

Equifax, too, delayed in disclosing the breach as it sought to understand the extent of the damage.

For nearly a decade now, regulators have been sounding the alarm about ever-aggressive cyberattacks aimed at manipulating the public markets.

In 2015, federal investigators said an international hacking ring armed with tens of thousands of corporate secrets pocketed more than $100 million from illicit trades. The hackers stole more than 150,000 news releases that were scheduled to be delivered to investors. Twice last year, the SEC said it identified overseas hacking rings that had targeted nonpublic information.

The SEC is grappling with how to respond to the onslaught. In 2014, it began requiring stock exchanges, such as the New York Stock Exchange, to call the agency within hours of learning of a cyber-breach. Earlier this year, Clayton initiated a review of the agency’s internal cybersecurity risks, including setting up a senior-level working group.

“I recognize that even the most diligent cybersecurity efforts will not address all cyber risks that enterprises face,” Clayton said in the statement released Wednesday evening. “That stark reality makes adequate disclosure no less important.”

But even as the SEC increased pressure on corporations and the entities it regulates to beef up their systems against cybersecurity risks, it has struggled to keep up as the markets have increasingly become controlled by computers that can make decisions in fractions of a second. In July, the Government Accountability Office noted that the agency had yet to fully implement nearly a dozen recommendations related to "security controls over its key financial systems and information."

“There is a certain irony here because the SEC has been increasingly bellicose in bringing enforcement cases against registered entities that have been victims of cyberattacks,” said Scott H. Kimpel, a partner at Hunton & Williams and a former SEC attorney. “It seems like the SEC wouldn’t qualify for the standard it set.”

John Reed Stark, a nearly 20-year veteran of the SEC's enforcement division and founder of its Office of Internet Enforcement, suggested that the agency bring back its specialized cyber enforcement unit, which was shut down in a 2010 reorganization.

The breach made the SEC an "unwitting tipper in an insider-trading scheme," said Stark, who now runs his own security firm. "Now, more than ever, the SEC needs a dedicated and specialized corps of cyber sleuths to track down and deter hackers like the ones who compromised Edgar in a possible insider trading scheme."

The hack of Edgar was the result of a “software vulnerability” that was “exploited and resulted in access to nonpublic information,” according to the SEC. The agency detected the breach last year, but didn’t learn until last month that the vulnerability could have been used for improper trading. The breach did not lead to the release of personally identifiable information, and an investigation into the matter is ongoing, the agency has said.

"This is not the state of the art in terms of what we expect a consumer-facing company to disclose," said Kimpel, the former SEC attorney. "It's a little bit disconcerting that there is not more detail."

The SEC may have determined that disclosing the breach earlier or in another way would have sparked unnecessary concern, said Chris Hart, a cybersecurity expert and attorney at Foley Hoag. "We don't know what the SEC knew and when they knew it."

This is not the first time Edgar has been compromised. The system receives thousands of documents a day. In 2015, fraudsters posted fake information on the site about the takeover of Avon Products, driving the company's stock price up significantly before it was detected. And in 2014, several researchers found that information submitted to Edgar was available to some users for 30 seconds before it became publicly available, potentially giving some traders an unfair advantage. (High-speed traders, for example, can make thousands of trades in the blink of an eye.)

"It should give businesses pause," Kimpel said. "They are required to give an increasing amount of information to the government about all sorts of proprietary matters, and much of the data is in Edgar. How can they ensure it will be safe?"

The latest announcement could also hamper the SEC's efforts to collect more detailed information about stock trades into a central database that could make it easier for the agency to detect market manipulation. Some key Wall Street institutions, including the New York Stock Exchange, have warned that the database could become a target for hackers.