By Sarah N. Lynch and Dustin Volz
WASHINGTON (Reuters) – Wall Street’s top regulator came under fire on Thursday over its cyber security and disclosure practices after admitting hackers had breached its database of corporate announcements in 2016 and may have used it for insider trading.
The breach involved the U.S. Securities and Exchange Commission’s EDGAR filing system, which houses market-moving information with millions of filings ranging from quarterly earnings to statements on acquisitions.
The SEC said on Wednesday evening it discovered in August that cyber criminals might have used a hack detected in 2016 to make illicit trades.
On Wednesday afternoon, SEC Chairman Jay Clayton gave members of Congress a “courtesy call” about the hack before it was announced publicly, said Representative Bill Huizenga, chairman of the U.S. House subcommittee that oversees the SEC, in a phone call.
“It’s hugely problematic and we’ve got to be serious about how we protect that information as a regulator,” Huizenga said.
The SEC disclosure came two weeks after credit-reporting company Equifax Inc <EFX.N> said a breach had exposed sensitive personal of data up to 143 million U.S. customers. This followed last year’s cyber attack on SWIFT, the global bank messaging system.
It is particularly embarrassing for the SEC and its new boss Clayton, who has made tackling cyber crime one of the top enforcement issues.
“The chairman obviously recognizes the irony of the SEC potentially serving as the unwitting tipper in an insider trading scheme,” said John Reed Stark, president of a cyber consulting firm and a former SEC staff member.
The SEC has said it was investigating the source of the hack but did not say exactly when it happened or what sort of non-public data was retrieved. The agency said the attackers had exploited a weakness in a part of the EDGAR system and it had “promptly” fixed it.
Most reports filed with the SEC “generally don’t contain super-sensitive information,” and any insider trading would have taken place soon after company filings were made but before they were released to the public, said Gary LaBranche, president of National Investor Relations Institute.
“People are shocked and disappointed,” LaBranche said. Members of the institute, who work with 1,600 publicly traded companies, will be examining their trading reports for any unusual activity that could be tied to disclosures, he said.
U.S. President Donald Trump’s administration has prioritized protection of federal agency networks after breaches during the Obama administration, including at the Office of Personnel Management, Internal Revenue Service and State Department.
Trump in May signed an executive order requiring agencies to use a specific framework to assess and manage cyber risk, and prepare a report within 90 days about how they implement it.
The SEC did not respond when asked about that review or whether it triggered the disclosure. But Clayton said in his Wednesday statement that he began reviewing the agency’s cyber risk in May.
SEC Commissioners did not learn of the breach until recently. In a statement, Republican SEC Commissioner Mike Piwowar, who for part of 2017 also served as acting chairman, said he was “recently informed for the first time that an intrusion occurred in 2016.”
Erica Elliott Richardson, a spokeswoman for the Commodity Futures Trading Commission (CFTC),the top U.S. derivatives regulator, said in an emailed statement the agency constantly reviewed and updated its cybersecurity protections to guard against the growing threat of a breach.
“Our agency has successfully thwarted hundreds of attempted breaches,” she added.
The Canadian Securities Administrators, an umbrella group representing Canada’s provincial securities regulators, said on Thursday it would conduct an additional security review.
CYBER SLEUTHS NEEDED
Clayton will be grilled on the incident and its aftermath at a hearing by the Senate Banking Committee on Tuesday.
Banking Committee member Senator Mark Warner said in a statement he intended to ask about SEC thresholds for requiring companies to disclose breaches, and flagged the connection between the SEC’s disclosure and its market oversight role.
“Government and businesses need to step up their efforts to protect our most sensitive personal and commercial information,” Warner said.
Securities industry rules require companies disclose cyber breaches to investors and the SEC has investigated firms over whether they should have reported incidents sooner.
“There is an element of, ‘Do as we say, not as we do’ to this,” said Matt Rossi, a former counsel in the SEC’s enforcement division.
The lack of details from the SEC about the breach will likely raise questions about what other EDGAR data may have been exposed, such as information related to ongoing financial investigations and sensitive personal information, Rossi said.
Former SEC Chair Mary Jo White, in office when the hack occurred, told Reuters in 2016 that cyber security posed the biggest risk to the U.S. financial system.
The U.S. Department of Homeland Security had detected five “critical” cyber security weaknesses on the SEC’s computers as of Jan. 23, according to a confidential weekly report reviewed by Reuters on Thursday.
And in July, months after the breach was detected, a congressional watchdog warned that the SEC was “at unnecessary risk of compromise” because of deficiencies in its information systems.
The SEC shut down a specialized unit on cyber crimes as part of a 2010 reorganization.
In 2015 a trader filed false information through EDGAR about plans a financial firm had to purchase Avon Products <AVP.N>, prompting a brief surge in the stock of the beauty products company.
(Additional reporting by Jonathan Spicer in New York, Bryan Sims in Houston; Writing by Lisa Lambert and Meredith Mazzilli; Editing by Carmel Crimmins, Nick Zieminski and Richard Chang)