By Jack J. Kelly
The premier marquee US regulator, the Securities and Exchange Commission (SEC), reported yesterday that its EDGAR (Electronic Data Gathering, Analysis and Retrieval system) database, which maintains and processes over 1.7 million electronic documents and filings on corporate disclosures, including quarterly earnings and data on mergers and acquisitions, was hacked in a cyber attack.
Although it was announced Wednesday, the actual database hack occurred back in 2016. Curiously, it took a while for the SEC to consider the crazy possibility that whoever hacked EDGAR may have had impure motives. The SEC announced that the hacked information may have enabled bad guys to engage in insider trading and illegally profit by trading on the stolen insider information.
The SEC’s admission came after the epic hack of Equifax, a major U.S. consumer credit reporting agency, in which data on 143 million customers was stolen.
Reports indicate that 1.9 billion records were stolen or lost to cyber attacks in 2017 alone. This number exceeds the total amount of breaches in 2016. For example, in 2017 companies such as HBO, Bithumb (the world’s fourth largest Bitcoin exchange), Chipotle, Disney’s “Pirates of the Caribbean”, GameStop, Gmail, World Wrestling Entertainment, CNN, Twitter, Verizon, and people including French President Emmanuel Macron were victimized by hackers.
A congressional watchdog office had previously warned that the regulator was “at unnecessary risk of compromise” due to information system deficiencies. The big questions today are “where are the proactive regulators?” and “what are they doing to stop the unrelenting attacks?” According to Reuters, the Government Accountability Office found the SEC did not always fully encrypt sensitive information, used unsupported software, failed to fully implement an intrusion detection system and made missteps in how it configured its firewalls, among other things. Cyber criminals have previously targeted financial information hubs including the Hong Kong stock exchange and the Nasdaq stock exchange.
It is also ironic and embarrassing as the SEC’s new head, Jay Clayton, has made cyber crime one of the top enforcement issues during his tenure (https://www.sec.gov/news/public-statement/statement-clayton-2017-09-20).
According to Gizmodo, a tech-oriented blog:
“…the revelation from the SEC was buried in a lengthy and otherwise boring statement late Wednesday. Titled “A Statement on Cybersecurity,” the 4,110-word statement (not including footnotes) is bizarre for both its length and its ability to say almost nothing of substance.
But it sure has a lot of generalities about “enhanc[ing] the Commission’s ability to oversee and enforce rules governing market infrastructure” and “improv[ing] resiliency when systems problems do occur.”
The agency doesn’t “believe” that the intrusion resulted in access to personal information, but who on Earth actually believes that in this day and age? It’s always worse than they first believe. We’ve learned that in everything from the massive Equifax hack to the criminal operations of banks like Wells Fargo.
It can always get worse. That seems to be the slogan for 2017. And it doesn’t bode well for 2018.”
What do you think the SEC would do to a firm that forgot to inform people of a major breach? What do you think will happen to the SEC? Do you think the regulators will stop future cyber attacks? Let’s be honest, I think we all know the true answer.