SF Technotes

Hackers Leverage SEC Data as Insider Traders

By Michael Castelluccio
September 25, 2017

In the September 20, 2017, Statement on Cybersecurity, Securities and Exchange Commission (SEC) Chairman Jay Clayton provides a detailed, 12-page inventory of the cybersecurity risks the agency faces today, along with the measures meant to address attacks in terms of prevention, mitigation, resilience, and recovery.








Clayton ordered the risk profile when he became Commission Chairman in May 2017. The most interesting sections of the report offer frank disclosures of successful breaches and several interrupted attempts on information and process centers at the SEC. From these examples emerge a relatively new image for black-hat hackers—that of deft, criminal investors.


According to the report, the security problem at the SEC is much like the one found everywhere else on the internet, but here it’s compounded by a large field of players. The report admits, “In today’s environment, cyberattacks are perpetrated by identity thieves, unscrupulous contractors and vendors, malicious employees, business competitors, prospective insider traders and market manipulators, so-called ‘hacktivists,’ terrorists, state-sponsored actors, and others.”


And attacks on SEC information centers affect financial markets, which can be interrupted by massive DDoS (distributed denial-of-service) attacks or manipulated by false information inserted by opportunists. Private information can be tapped and resold in the darker regions of the web. And further damage can be inflicted on the already victimized because, “Market participants also face regulatory, reputational and litigation risks resulting from cyber incidents, as well as the potential of incurring significant remediation costs.” The threat horizon is wide, far reaching, and, unfortunately, still expanding.




Two of the exploits disclosed in the Statement involve a breach-then-invest strategy and the injection of false information into EDGAR reports in order to create market movement. The EDGAR (Electronic Data Gathering, Analysis and Retrieval) system was created in 1934 and is a critical part of the SEC’s public oversight of reporting entities. This year, on an ordinary day, investors and other interested parties access more than 50 million pages of disclosure documents through the system.


The SEC admits that there are frequent attempts to disrupt access to its public-facing systems and even to damage the technology infrastructure. In August 2017, the SEC came to the conclusion that an intrusion, previously detected in 2016, “may have provided the basis for illicit gain through trading.” The target was in the test filing component of the EDGAR system. There was a software vulnerability that, once detected, was quickly patched. The investigation into this particular event isn’t closed.


A second category of tampering with EDGAR filings involves cases being prosecuted by the SEC’s Division of Enforcement, “brought against individuals who we allege placed fake SEC filings on our EDGAR system in an effort to profit from the resulting market movements.”


Other internal problems mentioned include the disappearance of certain SEC laptops that may have contained nonpublic information and instances of SEC personnel sending nonpublic information through nonsecure email accounts, all adding to the inventory of in-house security problems.




But not all the problems can be controlled within the SEC’s own operations centers. The agency is also tasked with “supervisory oversight of broker-dealers, investment advisers, investment companies, credit-rating agencies, and other market participants registered with the Commission.”


In December 2016, the SEC charged three traders who tried to hack into two New York law firms. The traders were looking for information about several of the firms’ clients that were considering mergers or acquisitions. The hackers intended to use that information in future trades. In another case brought by the SEC, two individuals tried to hack into newswire services to get nonpublic information about corporate earnings announcements. They also intended to make trades based on the stolen information.


These investor-hackers reach into the brokerage houses as well. The SEC interrupted a plan to gain unauthorized access to online brokerage accounts of U.S. investors in order to make unauthorized trades. The intention was to drive up prices that the hackers could leverage in other related trades.


The complications for locking down the SEC’s information centers and all of its external partners are daunting. To get an idea of how the agency plans to cover all the vulnerabilities, you can read the complete Statement at:


Michael Castelluccio has been the Technology Editor for Strategic Finance for 23 years. His SF TECHNOTES blog is in its 20th year. You can contact Mike at mcastelluccio@imanet.org.
