Wall Street's top regulator says that a 2016 breach at its corporate disclosure database may have enabled hackers to profit from trading on inside information.
The Securities and Exchange Commission says the infiltration of the Edgar system - which houses non-public filings on upcoming corporate earnings statements and pending mergers and acquisitions - was detected in 2016 but it only realised last month that data stolen from the database may have been used for illicit trading.
The revelations were made by SEC chairman Jay Clayton in a statement highlighting the importance of cybersecurity to the agency and market participants.
"In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading," says Clayton. "Specifically, a software vulnerability in the test filing component of the Commission’s Edgar system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information. It is believed the intrusion did not result in unauthorised access to personally identifiable information, jeopardise the operations of the Commission, or result in systemic risk."
The statement is part of an ongoing assessment of the SEC’s cybersecurity risk profile that Clayton initiated upon taking office in May. Components of this initiative have included the creation of a senior-level cybersecurity working group to coordinate information sharing, risk monitoring, and incident response efforts throughout the agency.
The watchdog was hauled over the coals by the US Government Accountability Office (GAO) in July, in a report which accused the agency of failing to consistently protect its network boundaries, authenticate users and encrypt sensitive information while in transmission.
“Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic,” says Clayton. “We must be vigilant. We also must recognise — in both the public and private sectors, including the SEC — that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”