US Securities and Exchange Commission suffers data breach through a hack attack
September 22, 2017
It doesn’t get much more embarrassing than this. The US Securities and Exchange Commission (“the SEC”), the branch of the US Government charged with regulating the financial sector and taking action against those who breach the rules, has been hacked. Not last week, or last month, but last year. This is the body that puts the cuffs on insiders and puts them through a perp walk to court. Here the breach likely resulted in “illicit gain through trading.” Insider trading of a different species.
The source of the breach was a software vulnerability. That is all it takes for a determined hacker. Hence the need to audit systems and conduct penetration testing, tasks many organisations regard as unnecessary or too expensive.
Mortifying doesn’t even begin to describe this incident. Because the SEC is a hub of data collection and processing, particularly of filings by companies, the value of that data is almost incalculable.
The anodyne statement, “Discloses the Commission’s Cyber Risk Profile, Discusses Intrusions at the Commission, and Reviews the Commission’s Approach to Oversight and Enforcement”, provides:
SEC Chairman Jay Clayton today issued a statement highlighting the importance of cybersecurity to the agency and market participants, and detailing the agency’s approach to cybersecurity as an organization and as a regulatory body.
The statement is part of an ongoing assessment of the SEC’s cybersecurity risk profile that Chairman Clayton initiated upon taking office in May. Components of this initiative have included the creation of a senior-level cybersecurity working group to coordinate information sharing, risk monitoring, and incident response efforts throughout the agency. The statement provides an overview of the Commission’s collection and use of data and discusses key cyber risks faced by the agency, including a 2016 intrusion of the Commission’s EDGAR test filing system. In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading. Specifically, a software vulnerability in the test filing component of the Commission’s EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information. It is believed the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk. An internal investigation was commenced immediately at the direction of the Chairman.
“Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic,” said Chairman Clayton. “We must be vigilant. We also must recognize—in both the public and private sectors, including the SEC—that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”
The statement also outlines the management of internal cybersecurity risks, including the incorporation of cybersecurity considerations in disclosure-based and supervisory efforts, coordination with other government entities, and the enforcement of the federal securities laws against cyber threat actors and market participants that do not meet their disclosure obligations.
Chairman Clayton writes, “By promoting effective cybersecurity practices in connection with both the Commission’s internal operations and its external regulatory oversight efforts, it is our objective to contribute substantively to a financial market system that recognizes and addresses cybersecurity risks and, in circumstances in which these risks materialize, exhibits strong mitigation and resiliency.”
To date there has been no dollar figure ascribed to the breach. That has not stopped the financial media from getting excited, with reports from ZDNet, Fortune, Bloomberg, The Australian, The Register and the Financial Times (amongst others).