SEC Reveals It Was Hacked in 2016

By Jonah A. Toleno, Esq. of Shustak Reynolds & Partners, P.C. posted on Friday, September 22, 2017.

On the heels of the recent Equifax hack disclosure, the U.S. Securities and Exchange Commission (SEC), the government agency responsible for regulating the nation’s securities and financial services industry, issued a press release on September 20, 2017, announcing a significant security breach. According to a concurrent statement by SEC Chairman Jay Clayton, the SEC detected the breach in 2016. Clayton disclosed, “Specifically a software vulnerability in the test filing component of our EDGAR [Electronic Data Gathering, Analysis and Retrieval] system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information,” and the incident “may have provided the basis for illicit gain through trading.” While the SEC’s investigation is ongoing, the security invasion and the SEC’s delay in disclosing it are disconcerting to many.

The SEC maintains – and transmits – three categories of information: publicly available disclosure documents filed by issuers and other registrants; nonpublic and personally identifiable information related to the SEC’s supervisory and enforcement functions, including data on broker-dealers, investment companies, credit rating agencies and municipal advisors; and nonpublic and personally identifiable information related to the SEC’s internal operations – obviously, an enormous amount of sensitive data requiring the strictest of protections.

According to the July 2017 U.S. Government Accountability Office (GAO) Report to the SEC Chairman, the GAO found that in 2015 and 2016 the “SEC improved control of financial systems but needs to take additional actions.” As of September 30, 2016, the GAO issued 29 information security recommendations to the SEC. The report stated that a staggering 14 of these recommendations had not been implemented as of July 2017. Sounds like the SEC has some ‘splainin’ to do to the broker-dealers and investment advisory firms it regulates and audits for - you guessed it - cybersecurity compliance.

Chairman Clayton assures the public he is focused on maintaining and improving SEC cybersecurity. In May of this year, he initiated an assessment of the SEC’s internal cybersecurity risk profile and its approach to cybersecurity from a regulatory and oversight perspective. But Clayton and the SEC have their work cut out for them. “I recognize that even the most diligent cybersecurity efforts will not address all cyber risks that enterprises face. That stark reality makes adequate disclosure no less important…. Cybersecurity efforts must include, in addition to assessment, prevention and mitigation, resilience and recovery,” he writes.

Clayton’s sentiment is especially pertinent in light of the recent Equifax hack, potentially affecting over 143 million people and rendering countless others even more fearful of cyberattacks.

Shustak Reynolds & Partners, P.C. regularly represents firms and individuals in SEC, FINRA, securities, investment, and financial services matters, including litigation, arbitration, enforcement and investigation matters. If you or your company require counsel in these areas, contact us today for a confidential, complimentary consultation.

Jonah Toleno is a partner in our San Diego office and has extensive experience representing individuals and firms before the SEC, FINRA, state courts and federal courts. She acts as trial counsel in a range of litigation and arbitration matters and offers outside counsel services to various financial services firms.
