SEC HACKED AND HACKERS GOT THE GOODS TO MAKE KILLER TRADES
So this isn’t good. The Securities and Exchange Commission (SEC) recently let it be known that they were hacked, and while they’re not saying much at all, what they are saying isn’t reassuring. Compromised systems allowed hackers to get access to data about publicly traded companies. The SEC won’t say who, how much or almost anything at all about the breach, but they have acknowledged that it is likely that the hackers have made informed trades using the compromised info. That’s not good.
SEC HIDES BREACH IN MASSIVE RELEASE ABOUT NOTHING, OFFERS FEW DETAILS AND FEWER DETAILS
This massive bit of news was let out via an SEC statement last Wednesday, but was buried as a detail in an otherwise boring release titled, “A Statement on Cybersecurity.” This release was over 4,000 words long (not including citations) and pushes the envelope both in its length and in the fact that it says almost nothing at all. Well, except for that tidbit that the SEC got hacked, buried in between sections on “enhanc[ing] the Commission’s ability to oversee and enforce rules governing market infrastructure” and “improv[ing] resiliency when systems problems do occur.”
SEC LEARNS OF EDGAR SYSTEM HACK A YEAR AFTER THE FACT
What can we pull from the statement that actually matters? Hackers accessed the SEC’s EDGAR system, which is the electronic database used to store filings from publicly traded companies. Hackers gained access at some point in 2016 and the SEC supposedly just learned about it in August of 2017. To top it all off, the hackers have probably profited from the information.
“In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading. Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information. We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk. Our investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities. As another example, our Division of Enforcement has investigated and filed cases against individuals who we allege placed fake SEC filings on our EDGAR system in an effort to profit from the resulting market movements.”
SEC: WE TURNED OUR HEAD, WE COUGHED, NOTHING TO SEE HERE, MOVE ALONG
And there you have it. That’s all they’ll say about the matter. For now, at least. The FBI and SEC won’t comment further and nobody is talking about why it took so long for the SEC to issue a statement, even if it didn’t have much information at all.
“The Commission will continue to prioritize its efforts to promote effective cybersecurity practices within the Commission itself and with respect to the markets and market participants it oversees,” SEC chairman Jay Clayton said in his unenlightening and boring-ass statement.
“This requires an ongoing, thoughtful evaluation of the data we obtain,” Clayton continued. “When determining when and how to collect data, we must continue to thoughtfully evaluate our approach in light of the importance to our mission of each type of data we receive, particularly in the case of sensitive data, such as personally identifiable and nonpublic information.”
The agency doesn’t “believe” that the intrusion resulted in access to personal information, but who on Earth actually believes that in this day and age? It’s always worse than they first believe. We’ve learned that in everything from the massive Equifax hack to the criminal operations of banks like Wells Fargo.
It can always get worse. That seems to be the slogan for 2017. And it doesn’t bode well for 2018.