SEC suspects hackers used stolen insider info for trading

Nichole Vega
September 22, 2017

If the data stolen from the SEC's Edgar system was used by hackers to trade in stocks and reap profits, it would represent the latest in a new area of concern for regulators in the United States - an area in which the underbelly of the internet is joining forces with the darker corners of Wall Street. The credit reporting agency Equifax announced a massive hack earlier this month that affected 143 million Americans, sparking outrage on Capitol Hill and multiple investigations. The SEC's statement provides an overview of the Commission's collection and use of data and discusses key cyber risks faced by the agency, including a 2016 intrusion of the Commission's EDGAR test filing system. The system, called Edgar, is used by companies to make legally required filings to the agency.

The hack was first detected in 2016, but the SEC didn't realize until last month that the hackers may have benefited from the data accessed. The software was patched after the incident, Clayton said.

The hacking, it said, "may have provided the basis for illicit gain through trading".

However, it was not until August 2017 that the agency realised criminals may have used the hack to give themselves an advantage on the stock market.

The statement is part of an ongoing assessment of the SEC's cybersecurity risk profile that Clayton initiated upon taking office in May.

Warner said he'd press SEC Chairman Jay Clayton on the agency's rules dictating when companies must report data breaches when he appears before the Banking panel next week. In the case of the Equifax breach, credit card numbers for about 209,000 U.S. consumers, and certain dispute documents with personal identifying information for 182,000 U.S. consumers were accessed. Hackers also got their hands on names, Social Security numbers, birth dates, addresses, and some driver's license numbers. Clayton says authorities are still investigating the SEC intrusion, but the commission believes the hackers didn't gain unauthorized access to personally identifiable information or anything that can jeopardize its operations. The SEC regulates what companies must disclose to shareholders about breaches. "We must be vigilant".

The admission of the potential insider trading that may have resulted from the SEC breach came 1,400 words into a post of more than 4,000 words about how the SEC "is focused on identifying and managing cybersecurity risks".

Brad Keller, senior director of third-party strategy at risk management company Prevalent Inc., told SearchSecurity that what "this suggests is that the SEC, like most companies, doesn't fully understand how the information in its various databases can be used".
