Jay Clayton, the head of the Securities and Exchange Commission, plans to tell a Senate panel Tuesday that he didn’t become aware of a 2016 security breach of key agency software until last month when the issue emerged as part of a separate investigation.
After he learned of the incident, Clayton says in prepared remarks, he ordered an internal review. That is when Clayton discovered that the breach may have allowed hackers to make an illegal profit trading stock, according to the testimony.
“Our review and investigation of these matters, however, as well as the extent and impact of the intrusion and related illicit activity, is ongoing and may take substantial time to complete,” Clayton writes in the testimony.
Clayton is scheduled to deliver the remarks before the Senate Banking Committee on Tuesday morning. It will be Clayton’s first appearance before the committee since his nomination hearing earlier this year.
He is likely to face tough questions from lawmakers about the breach, particularly about the unusual way the agency disclosed it. Clayton mentioned the intrusion in passing as part of an unusual, lengthy statement on cybersecurity issued late last Wednesday night.
The system that was breached, known as Edgar, serves as a clearinghouse for the public filings that companies must make to the agency, including reports on periodic financial results and newsworthy developments. There can sometimes be a lag between the time when the reports are electronically filed with the agency and when they can be viewed by the public, making the system a potentially lucrative target to hackers hoping to learn sensitive information before the rest of the market.
“This matter involving our EDGAR system concerns me deeply,” Clayton says in his testimony. “Rightfully, it will cause this Committee and others to increase their focus on whether the Commission’s approach to cybersecurity appropriately addresses our cyber risk profile.”
In the wake of the breach, the SEC is immediately hiring additional personnel to aid in its cybersecurity efforts, Clayton plans to tell the committee. “I also directed the staff to enhance our escalation protocols for cybersecurity incidents in order to enable greater agencywide visibility and understanding of potential cyber vulnerabilities and attacks,” he plans to testify.
This comes at a time when regulators have been sounding the alarm about ever-aggressive cyberattacks aimed at manipulating the public markets.
In 2015, federal investigators said an international hacking ring armed with tens of thousands of corporate secrets pocketed more than $100 million from illicit trades. The hackers stole more than 150,000 news releases that were scheduled to be delivered to investors. Twice last year, the SEC said it identified overseas hacking rings that had targeted nonpublic information.
This isn’t the first time Edgar, which receives millions of documents a day, has been compromised. In 2015, fraudsters posted fake information on the site about the takeover of Avon Products, driving the company’s stock price up significantly before it was detected. In 2014, several researchers found that information submitted to Edgar was available to some users for 30 seconds before it became publicly available, potentially giving some traders an unfair advantage.
The SEC has been grappling with how to respond to the onslaught. In 2014, it began requiring stock exchanges, such as the New York Stock Exchange, to call the agency within hours of learning of a cyber-breach. “We must remain on top of evolving threats when it comes to securing our own networks and systems against intrusion,” Clayton will testify.
But the latest announcement could also hamper the SEC’s efforts to collect more detailed information about stock trades into a central database that could make it easier for the agency to detect market manipulation. Some key Wall Street institutions, including the New York Stock Exchange, have warned that the database could become a target for hackers.