By Jerri-Lynn Scofield, who has worked as a securities lawyer and a derivatives trader. She now spends much of her time in Asia and is currently working on a book about textile artisans.
Securities and Exchange Commission (SEC) chair Jay Clayton announced late yesterday that the agency’s Electronic Data Gathering, Analysis and Retrieval (EDGAR) filing system had been breached last year.
Only last month did the agency realize that the vulnerability “may have provided the basis for illicit gain through trading.” Oops. The agency is investigating who may have profited, but has not released any details about exactly what information was gleaned and which companies were concerned.
To elaborate (from Clayton’s statement):
Specifically, a software vulnerability in the test filing component of the Commission’s EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information. It is believed the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk. An internal investigation was commenced immediately at the direction of the Chairman.
The SEC announcement follows recent revelations of the massive data breach at Equifax – in which confidential personal financial information for 143 million individuals was exposed – and raises further concerns about the parlous state of cybersecurity for information collected by private and public entities alike.
Clayton’s remarks coincided with release of a broader SEC Statement on Cybersecurity, which described the EDGAR system:
Since its creation in 1934, a critical part of the SEC’s mission has been its oversight of the system of public reporting by issuers and other registrants, and in 1984 the Commission began collecting, and making publicly available, disclosure documents through its EDGAR system. In 2017, on a typical day, investors and other market participants access more than 50 million pages of disclosure documents through the EDGAR system, which receives and processes over 1.7 million electronic filings per year.
As Bloomberg observes:
[EDGAR] houses millions of filings on corporate disclosures ranging from quarterly earnings to statements on mergers and acquisitions. Infiltrating the SEC’s system to review announcements before they are released publicly would serve as a virtual treasure trove for a hacker seeking to make easy money.
SEC Procedures to Safeguard Information Previously Criticized
Wednesday’s announcement makes clear that the SEC’s efforts to safeguard information from hackers and cyber thieves are inadequate – a failing that has previously subjected the agency to outside criticism. As The New York Times reports:
In July, months after the breach was detected, a congressional watchdog office warned that the Wall Street regulator was “at unnecessary risk of compromise” because of deficiencies in its information systems.
The 27-page report by the Government Accountability Office found the SEC did not always fully encrypt sensitive information, used unsupported software, failed to fully implement an intrusion detection system and made missteps in how it configured its firewalls, among other things.
Consolidated Audit Trail: Misguided Project?
The weaknesses in the SEC’s cybersecurity protocols are especially worrying, given ambitious ongoing plans to collect more equity trading data – including significant, nonpublic, market-sensitive data that, if compromised, could be illicitly exploited, as well as detailed customer information that could facilitate identity theft. From Bloomberg:
Still, Wednesday’s disclosure may heighten concerns around the Consolidated Audit Trail, an enormous database of equity trades that is being built to give regulators better transparency into markets and help them figure out more quickly the causes of disruptions.
Financial firms have expressed concern about data breaches once the new database is completed. The repository could include personal information such as names and addresses from more than 100 million customer accounts.
The Wall Street Journal reports that executives at the New York Stock Exchange and the BATS Global System have warned “that a planned data repository of all U.S. equity and options orders could become a juicy target for hackers” – a fact also acknowledged in the broader SEC statement.
And, as the Journal further notes:
The audit trail has been in the works for nearly seven years and the SEC approved its final design last year. However, exchange executives have recently cited the Equifax hack as evidence that the audit trail should be pared back, even if that takes away information that could help regulators spot manipulative traders more quickly.
Stock and options exchanges, as well as the Financial Industry Regulatory Authority, which oversees brokers, are due to begin reporting data to the repository in November.
Robert Cook, chief executive of Finra, also has questioned whether the audit trail should be scaled back in light of the Equifax data breach. Speaking Wednesday at a banking luncheon in Washington, Mr. Cook questioned whether the database designed to help regulators sort through flash crashes and spot market manipulation should include personal information about stockbrokers’ customers.
“Especially post-Equifax when we are trying to win back investor confidence in the markets, it seems to be a useful question to ask whether we’ve got the right approach here or we need to revisit it,” he said.
This is not the first time that deficiencies in the EDGAR system have bedevilled the SEC. The system was originally intended to make it easier for ordinary retail investors to get access to information previously the province of more privileged investors. From the Journal:
Academic researchers found in 2014, for instance, that hedge funds and other rapid-fire investors got earlier access to market-moving documents from Edgar than other users of the standard, web-based system, giving them a potential edge on other traders. The SEC later said it fixed the problem.
The SEC has provided few details on the course of its ongoing investigation to determine who might have profited from successfully exploiting the data breach – a topic that will no doubt be probed further when Clayton testifies before the Senate Banking Committee next week.
In its broader statement, the agency also summarized recent enforcement actions targeting the use of hacked information to place illicit trades:
The Commission recently has brought several cases alleging the hacking and stealing of nonpublic information in connection with illicit trading activity. For example, in December 2016, the Commission charged three traders for allegedly participating in a scheme to hack into two prominent New York-based law firms to steal information pertaining to clients that were considering mergers or acquisitions, which the hackers then used to trade. The Commission also brought charges against two defendants who allegedly hacked into newswire services to obtain non-public information about corporate earnings announcements, as well as dozens of other defendants who allegedly traded on the information (citations omitted).
The SEC’s disclosure of its own cybersecurity lapses at minimum considerably embarrasses the agency at a time when all US financial regulators are stepping up their focus on these issues in the wake of the Equifax debacle. There’s no small irony in the SEC’s EDGAR filing system itself being the source of non-public information that may have generated illicit trading gains.