SEC Under Fire for Delayed Disclosure of Hacking Incident

The SEC has disclosed that it learned in August 2017 that hackers may have traded on information obtained from a cyber breach detected in 2016. “Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information. We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk,” SEC Chair Jay Clayton wrote in a statement that described various specific cybersecurity risks the agency faces along with other internal cybersecurity matters. Clayton wrote that investigation of the hack is ongoing and the SEC is coordinating with appropriate authorities.

The Wall Street Journal reported that Clayton, who is due to testify before the Senate Banking Committee next week, is likely to face questions from lawmakers about the SEC’s cyber vulnerabilities. A report earlier this year from the U.S. Government Accountability Office on its assessment of the SEC’s internal control structure and procedures for financial reporting found, among other things, that five “newly identified control deficiencies limited the effectiveness of SEC’s controls for protecting the confidentiality, integrity, and availability of its information systems.”

The SEC has come under fire for what some see as a delayed response to and disclosure of the hacking incident, the Wall Street Journal reported. Commissioners Michael Piwowar and Kara M. Stein said they were only recently informed of the 2016 breach. Some industry participants predict renewed calls for delays in rule implementations, particularly rules that impose increased filing obligations and expose sensitive company data.