SEC Chairman Jay Clayton released additional information about the investigation of the 2016 intrusion into the EDGAR system and efforts to strengthen the SEC’s cybersecurity risk profile going forward. The investigation of the cyber breach found that an EDGAR test filing accessed by third parties contained personal information of two individuals. SEC staff are reaching out to the two individuals to notify them and offer to provide them with identity theft protection and monitoring services, according to Clayton’s statement. The SEC’s Office of Inspector General also issued a report detailing the results of an audit of the SEC’s management of its data centers. The report listed several issues, including that: a contractor-developed plan to relocate the agency’s data centers was not properly followed or executed; certain SEC data and equipment were exposed to physical and environmental control vulnerabilities that disrupted SEC operations and resulted in increased costs to the agency; and the SEC did not adequately manage or monitor its data center contracts.
Clayton last week testified before a Senate panel on several topics, including cybersecurity, the agency’s regulatory agenda, enforcement and examinations. Senators were particularly critical of the SEC’s disclosure of and response to the 2016 cyber intrusion. Clayton testified that the breach deeply concerned him and acknowledged that the breach raises questions about the agency’s cyber-risk profile. He said the agency would move ahead with the November launch of the Consolidated Audit Trail system, under which exchanges will disclose detailed information about trades and executions to the agency. Since the SEC’s cyber breach became public, industry participants have expressed concerns about the vast amounts of customer data to be stored in the SEC’s repository. Meanwhile, the SEC announced the creation of a Cyber Unit that will focus on targeting cyber-related misconduct and the establishment of a retail strategy task force that will implement initiatives to identify misconduct impacting retail investors.