SEC Chairman Jay Clayton issued a public statement on Cybersecurity (the “Clayton Statement”) last week, disclosing a 2016 attack on the SEC’s database of corporate filings. The intrusion exploited a vulnerability in the test filing component of the EDGAR system, a document repository for disclosures from public companies and issuers, through which the intruder was able to gain access to nonpublic (and potentially sensitive) corporate information. Though the intrusion was detected in 2016, Clayton stated that the agency learned only in August 2017 that the incident “may have provided the basis for illicit gain through trading.” The Clayton Statement further alludes to other breaches of the agency’s systems, including a “fake filer” incident earlier this year.
The statement additionally elaborates on the specific cybersecurity risks faced by the SEC and its regulated entities. The Clayton Statement is, according to the SEC, one part of the agency’s effort to analyze, improve and communicate its work in the area of cybersecurity to market participants and the American public. The statement details the SEC’s approach to cybersecurity, including an overview of the agency’s collection and use of data and its own management of internal cybersecurity risks. Going forward, the agency’s stated objective is to “contribute substantively” to a financial market system that addresses cybersecurity risks and “exhibits strong mitigation and resiliency.” The SEC concedes, however, that successful malicious attacks and intrusions have occurred at even the most robust institutions (and, of course, the SEC itself).
The Clayton Statement comes in the wake of a July 27, 2017 U.S. Government Accountability Office report on the GAO’s 2016 review of the SEC’s cybersecurity systems. The report revealed that although the SEC has improved the security controls over its key financial systems and information, additional steps are needed, including completing the implementation of the GAO’s prior security recommendations. The GAO concluded that “[a]s a result, SEC may not be able to detect or investigate some unauthorized system activity.” The report did not specify whether the identified deficiencies relate to the security of the SEC’s EDGAR system.
The Clayton Statement and the SEC’s delay in disclosing the intrusion into its own systems are also contemporaneous with the agency’s investigation into the Yahoo, Inc. data breaches, and specifically whether Yahoo should have publicly disclosed the breaches sooner. Though the facts of Yahoo’s disclosure are unique (the breaches were announced years after they occurred, and only on the brink of Verizon’s multi-billion dollar acquisition of the company), SEC inquiries and investigations into corporate victims of hacking are not. For example, Target Corporation also faced an SEC investigation after its infamous 2013 data breach, which was resolved without an SEC enforcement action. It remains to be seen whether and how the SEC will harmonize its past and ongoing investigations with its own apparent vulnerabilities and delays in disclosing known exploitations of the agency’s systems.