WASHINGTON (Reuters) – A global investor group on Friday called for an independent investigation into a cyber breach at the U.S. Securities and Exchange Commission (SEC) and urged the regulator to delay new data-gathering rules until it could assure investors that its computer systems were secure.
Wall Street’s top regulator came under fire on Thursday after admitting hackers had breached its database of corporate announcements in 2016 and might have used it for insider trading.
The Investment Company Institute (ICI), which represents over 95 million U.S. shareholders, wants the SEC to clear up concerns about its cyber defenses before requiring funds to submit monthly performance data to the regulator, Paul Schott Stevens, the group’s chief executive, told Reuters in a phone interview.
“What the SEC breach now makes very clear is precisely what we were concerned about – that market-sensitive information of that nature can be exploited to the disadvantage of millions and millions of investors,” Stevens said.
ICI, whose members hold more than $20 trillion in assets, has since 2015 raised concerns about how the SEC safeguards the industry data it gathers.
“I’m certain there will be a full inquiry by the Government Accountability Office – and there should be, so we understand exactly what happened here,” Stevens said.
In a July report, the Government Accountability Office (GAO), a congressional watchdog, criticized the SEC for failing to fully protect its computer networks from cyber attacks and recommended a slew of improvements. Some of the recommendations it had made in previous reports had still not been implemented, it noted.
Former SEC Chair Mary Jo White, in office when the hack occurred, told Reuters in 2016 that cyber security posed the biggest risk to the U.S. financial system.
Her successor, Jay Clayton, uncovered the full extent of the hack after launching a review of the SEC’s cyber security standards earlier this year.
“Some recommendations the GAO made haven’t yet been implemented. There’s obviously a failure here of some kind. That’s why we’re so glad Chairman Clayton has moved to address this,” said Stevens.
New reporting rules, which start to come into force in December, would require funds for the first time to confidentially file complete monthly portfolio holdings with the SEC, data which the ICI has said could easily be used for insider trading if obtained by hackers.
“Until that information security environment has been established, funds should continue to collect data quarterly, not monthly, as quarterly data is not nearly as sensitive,” said Stevens.
The SEC disclosure came two weeks after credit-reporting company Equifax Inc said a breach had exposed sensitive personal data of up to 143 million U.S. customers. This followed last year’s cyber attack on SWIFT, the global bank messaging system.
Stevens said rules governing the disclosure of such breaches should be tighter for both public and private organizations.
“That disclosure obligation fixes the mind on the need to fix the breach in the first instance.”
Following months of public revelations about security breaches big and small, the U.S. Securities and Exchange Commission (SEC) announced that hackers had previously breached its own cache of files on publicly traded companies, possibly allowing them to profit illegally.
Late Wednesday, SEC Chairman Jay Clayton released an eight-page statement on cybersecurity that describes a 2016 system breach of EDGAR, a platform which pools the detailed financial reports that publicly traded companies are required by law to release. According to Clayton, the agency didn’t discover until last month that the breach could have provided the information needed to make illegal trades.
He said the hack resulted from a “software vulnerability” in the system’s test-filing component that “[was] exploited and resulted in access to nonpublic information.” Clayton also commented, “Notwithstanding our efforts to protect our systems and manage cybersecurity risk, in certain cases cyber threat actors have managed to access or misuse our systems.”
The incident raises questions about vulnerabilities within the SEC – an agency that is itself charged with protecting investors and markets – and about how it has handled the situation.
As The Washington Post pointed out, the “unusual [statement] didn’t explain the delay in the announcement, the exact date the system was breached and whether information about any specific company was targeted.” Nor is this the first time EDGAR has gone awry, or simply askew.
As Reuters reported, the congressional watchdog Government Accountability Office also found in a 27-page report in 2016 that the SEC wasn’t always using encryption, supported software, well-tuned firewalls, and other key security tools while going about its business. Meanwhile, rules governing the securities industry already require that companies disclose cybersecurity breaches to investors, and the SEC itself has investigated firms over how promptly they do so.
The SEC also noted, “It is believed the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.” Nevertheless, it is reportedly working with relevant parties to determine whether data from millions of corporate disclosures has been put to illegal use.