As the SEC brings to a close its review of the 2016 breach of its EDGAR filing system, the commission is proposing reforms to its cybersecurity practices and also says it is investigating whether anyone gained from illicit trading activity based on the hacked information.
In testimony submitted to the House Financial Services Committee, SEC Chairman Jay Clayton outlined changes the commission is putting in place in response to the incident. He acknowledged that the SEC is still working to get its house in order on the cyber front as it prods the firms that it oversees to take steps to shore up their own systems.
"I want to continue to work with companies and the investing public on how we should be approaching this issue," Clayton told members of the committee.
Clayton said that he learned of the breach in August 2017, not long after he took the top job at the commission. The hackers gained access to the test filing section of the EDGAR system, creating the potential for trading on corporate information that had yet to be made public.
In response, Clayton tasked a number of units within the commission to analyze the security gaps that had facilitated the breach. While those reviews continue, agency staffers and outside consultants found a number of areas for improvement.
"It appears that these deficiencies, taken together, contributed to internal delays in both the recognition of the intrusion itself and the internal appreciation of its scope and impact," Clayton said in his written testimony to the House committee.
The reforms within the commission that Clayton outlined could serve as a checklist for firms looking to enhance their own cybersecurity posture in light of the SEC's increasing scrutiny of the issue.
The SEC's review concluded that the agency was weak on governance and oversight in cybersecurity. Following the breach, the agency created the position of chief risk officer to harmonize the commission's work on identifying and responding to threats. The SEC is also in the midst of reorganizing its IT security office and adding dedicated cybersecurity staffers, Clayton said.
The legal team's review also cited lax system controls as a potential contributing factor to the breach, and Clayton said that his team has been retooling the agency's information policies to improve both its "preventative and detective security and controls."
Acknowledging that cybersecurity isn't just a technical challenge, the SEC has been working to address the organizational culture on the issue, including efforts to boost awareness and share information about emerging threats across the various units within the agency. The commission has also been working to mitigate the severity of a potential future breach by limiting the sensitive information it collects, and no longer includes filers' Social Security numbers or dates of birth in its EDGAR records.
"It is very important to me to foster a culture that recognizes the great responsibility we have with respect to the data entrusted to us by our registrants and the public," Clayton said. "We are closely scrutinizing how we can reduce any potential exposure of personally identifiable information contained in SEC systems, including EDGAR."
Other reforms undertaken include a revision to the commission's incident response plan and an IT modernization effort to overhaul the agency's aging legacy systems.
Those are all good steps, Clayton said, though he offered the pragmatic — if positive — assessment that there is no enduring victory to be had in cybersecurity. The SEC's systems, which house sensitive and valuable financial information, are subject to persistent attacks of increasing sophistication, presenting an ongoing challenge for the agency's cyber team.
"To be sure, no system can be 100% safe from a cyber intrusion, particularly in a world where cyber threat actors are backed by substantial resources," Clayton said. "But we are working through recommendations from our internal offices and several outside experts to improve, and we expect more recommendations to come."