WASHINGTON (Reuters) – Wall Street’s top regulator came under fire on Thursday about its cyber security and disclosure practices after admitting hackers had breached its database of corporate announcements in 2016 and may have used it for insider trading.
The incursion at the Securities and Exchange Commission struck at the heart of the U.S. financial system. The SEC’s EDGAR filing system houses market-moving information with millions of corporate filings ranging from quarterly earnings to statements on acquisitions.
The SEC said on Wednesday evening it had discovered last month that cyber criminals may have used a hack detected in 2016 to make illicit trades.
SEC Chairman Jay Clayton gave members of Congress a “courtesy call” about the hack on Wednesday afternoon before it was announced publicly, said Rep. Bill Huizenga, chairman of the U.S. House subcommittee that oversees the SEC.
“I’m glad that Jay Clayton has decided to acknowledge this and release it, warts and all,” Huizenga said.
“It’s hugely problematic and we’ve got to be serious about how we protect that information as a regulator. I’m hoping that this leads to some vast improvements and an uptick in the vigilance that all the regulators are going to have with information that’s coming to them.”
The SEC disclosure came two weeks after credit-reporting company Equifax Inc (EFX.N) said a breach had exposed sensitive personal data of up to 143 million U.S. customers, and follows last year’s cyber attack on SWIFT, the global bank messaging system.
It is particularly embarrassing for the SEC and its new boss Clayton, who has made tackling cyber crime one of the top enforcement issues.
“The chairman obviously recognizes the irony of the SEC potentially serving as the unwitting tipper in an insider trading scheme,” said John Reed Stark, president of a cyber consulting firm and a former SEC staff member.
The SEC has said it was investigating the source of the hack but it did not say exactly when it happened or what sort of non-public data was retrieved. The agency said the attackers had exploited a weakness in a part of the EDGAR system and it had “promptly” fixed it.
Clayton will be grilled on the incident and its aftermath at a hearing by the Senate Banking Committee on Tuesday.
Banking Committee member Senator Mark Warner said in a statement that he intends to ask about SEC thresholds for requiring companies to disclose cyber breaches, and flagged the connection between the SEC’s disclosure and its market oversight role.
“The SEC’s disclosure … shows that government and businesses need to step up their efforts to protect our most sensitive personal and commercial information,” Warner said.
Securities industry rules require companies to disclose cyber breaches to investors, and the SEC has investigated firms over whether they should have reported incidents sooner.
“There is an element of, ‘Do as we say, not as we do’ to this,” said Matt Rossi, a former counsel in the SEC’s enforcement division.
And the lack of clear details from the SEC about the breach will likely raise questions about what other EDGAR data may have been exposed, such as information related to ongoing financial investigations and sensitive personal information, Rossi said.
The disclosure followed public and non-public reports about the SEC’s cyber vulnerabilities as well as acknowledgement by the SEC itself of the scope of the risks posed by cyber attacks.
Former SEC chair Mary Jo White, in office when the hack occurred, told Reuters in 2016 that cyber security posed the biggest risk to the U.S. financial system.
The U.S. Department of Homeland Security had detected five “critical” cyber security weaknesses on the SEC’s computers as of Jan. 23, according to a confidential weekly report reviewed by Reuters on Thursday.
And in July, months after the breach was detected, a congressional watchdog warned that the SEC was “at unnecessary risk of compromise” because of deficiencies in its information systems.
The SEC shut down a specialized unit on cyber crimes as part of a 2010 reorganization.
The EDGAR system used by the SEC has sustained data breaches before.
In 2015 hackers broke into EDGAR and published false information about plans a financial firm had to purchase Avon Products (AVP.N), prompting stock of the beauty products company to briefly surge more than 10 percent. Researchers also found in 2014 that some users could see information posted to EDGAR before the public, fueling concerns about trading advantages.
Foreign governments and other hackers have accessed millions of personal records and other forms of sensitive data in recent years from U.S. government agencies, with virtually every federal entity from the State Department to the National Security Agency suffering data breaches.
Additional reporting by Jonathan Spicer in New York; Writing by Lisa Lambert and Meredith Mazzilli; Editing by Carmel Crimmins and Nick Zieminski