Hackers breach SEC data for illicit trading gain

The US Securities and Exchange Commission (SEC) has revealed that hackers broke into its Electronic Data Gathering, Analysis, and Retrieval (EDGAR) online filing system to access non-public information. The incident, which the SEC detected in 2016, may have paved the way for illicit gain through trading. The SEC learned about the illegal activity stemming from the breach in August 2017.

Cyber criminals targeted a software vulnerability in EDGAR’s test filing component, an area of the system where companies can submit dummy filings. Start-ups and large corporations use the testing area to become acquainted with database functions, test file formatting, and  communicate with the SEC – all commonplace functions.

The SEC admits that hackers attempted to compromise authorized user credentials, such as username and passwords. “We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk,” said SEC chairman Jay Clayton in an official statement made Wednesday, September 20. The SEC patched the vulnerability soon after it was discovered. But the data breach compromised insider information that could influence stock prices.

After investigating, the SEC’s Division of Enforcement filed cases against persons who allegedly placed fake SEC filings to profit from the market data they obtained.

SEC breach reflects need for tighter, standardized cybersecurity regulations

Since 2008, companies that file with the SEC have reported at least 123 breaches. The fact that a breach within the SEC detected in 2016 is just surfacing has drawn criticism from top officials. These two points, among others, raise the question as to how the SEC is protecting its data.

The SEC is fully aware that EDGAR is in need of modernization (the filing system was conceived in 1983 and rolled out in 1996). Yet the SEC is subject to the same bureaucratic and funding issues as other federal government agencies. In 2014, lawmakers slashed its $50 million technology initiatives budget in half.

Similarities between the SEC cyber crime and Equifax’s data breach cannot be ignored – a testament that cyber criminals do not discriminate by sector. Each attack compromised a web application vulnerability to exploit non-public data and both took months to discover.

In an ironic twist, the SEC – considered the top US financial regulator – will, without a doubt, be placed under investigation. It will most likely also come under the scrutiny of the NYDFS, which implemented its cybersecurity regulation earlier this year. On September 14, the NYDFS launched an investigation into the Equifax breach.

Safeguard your organization’s data and information systems

Cybersecurity should be a primary objective in ensuring the success of your business. An information security management system (ISMS) as outlined in ISO 27001 will help your organization prevent data breaches while preparing you in case one occurs. Becoming accredited to ISO 27001 will also send a powerful message to peers, clients, and other companies that you have taken precautions to protect personal data.