Chairman of the Securities and Exchange Commission Jay Clayton confirmed in testimony before the Senate Banking Committee on Tuesday that a 2016 breach of the regulatory body's EDGAR document filing system was made possible by a defect in custom software code that has since been remediated.
Although Clayton said he only learned of the cyber intrusion last August, some committee members took the SEC to task for not disclosing the incident more promptly, suggesting that the agency didn't live up to the standards it imposes on publicly traded companies regarding timely reporting of cyber incidents.
Clayton first disclosed the incident in a Sept. 20 statement, revealing that unknown attackers likely used nonpublic corporate information stored on the breached database to profit from insider trading.
"We expect that companies that hold America's personal and financial data will keep that information secure and be up front with the public, with regulators, with lawmakers, when breaches in fact occur. Our regulatory agencies must abide by the same or, frankly, a higher standard," said Sen. Sherrod Brown (D-Ohio), ranking member of the Banking Committee. "So when we learn a year after the fact that SEC had its own breach and that likely it led to illegal stock trades, it raises questions about why this SEC seems to have swept this under the rug. What else are we not being told? What other information is at risk? What are the consequences to the American investing public?"
Sen. Mike Crapo (R-Idaho), Banking Committee chairman, said he was also "disturbed" by the delayed disclosure, and expressed concerns over the agency's development of a new Consolidated Audit Trail (CAT) system, designed to comprehensively aggregate trading activity across multiple trading venues. Such a system would collect highly sensitive nonpublic market data and even personally identifying information such as Social Security numbers, he noted. “The recent Equifax breach has highlighted the need to protect this sensitive and valuable information,” said Crapo.
Clayton, however, was insistent that CAT data will help the agency detect insider trading activity that would otherwise go unnoticed. "This is not the time for the SEC to pull back from our important market oversight role by limiting our access to sensitive information," the chairman asserted.
Clayton also defended the timing of his disclosure, explaining that he wanted to make sure the agency's internal investigation was far enough along that he would accurately convey the facts. “Once I knew enough to understand that the 2016 intrusion provided access to nonpublic EDGAR test filings and that this may have resulted in the misuse of nonpublic information for illicit gain, it was important to disclose the incident and our cyber risk profile more generally to the American public and Congress,” said Clayton, in written testimony.
The software defect exploited in the breach resided specifically in the EDGAR system's test filing component. According to a Reuters report, companies submit test filings to EDGAR before making an official public announcement, in order to catch submission errors or formatting quirks. Normally these test filings contain fake "dummy" data, which would not be damaging if stolen. But in a few cases, companies reportedly entered real corporate data, exposing that sensitive information to the intruders.
Citing various sources and an internal government memo, Reuters reported that the breach was both executed and detected in October 2016, and that the attack appears to have been routed through an Eastern European server. Clayton did not provide any such details at the hearing, however, and he told lawmakers that the time frame of the breach was still under investigation.
Reuters further reported that the SEC's Office of Information Technology originally handled the breach internally because there was no evidence that any data had been improperly retrieved. But the incident took a serious turn when the agency's Enforcement Division found evidence of anomalous trading activity, leading officials to suspect that a few companies were inputting real data into the test filing system.
In his testimony, Clayton stated he has no reason to believe that the SEC's previous chair Mary Jo White was aware of the situation while serving in 2016. He did, however, say that the SEC is actively investigating how the cyber event was internally managed, as well as the incident's scope, whether there are more system vulnerabilities, and the insider trading activity that followed the intrusion.
The SEC wasn't the only organization under scrutiny today. Banking Committee members saved much of their disdain for the credit reporting company Equifax, whose CEO Richard Smith announced his retirement today in the wake of a breach that impacted 143 million Americans.
Senators lambasted the company for failing to patch a publicly reported software vulnerability that allowed attackers to steal sensitive consumer data, and for waiting approximately six weeks to disclose the incident. They also slammed company executives who sold their stock shares in advance of the announcement.
"The Equifax breach is so egregious, one in terms of the sloppiness of their defense, two in terms of the fact that this was clearly a knowable vulnerability," said Sen. Mark Warner (D-Va.). "I question whether Equifax has the right to even continue providing these services with the level of sloppiness and lack of attention to cyber security."
Clayton would not address the Equifax case directly, nor would he confirm that the company is under SEC investigation. But he did agree that companies should be "providing better disclosure about their risk profile" and "providing sooner disclosure about intrusions that may affect shareholders' investment decisions."