SEC: hackers may have traded on 'insider' corporate info

Posted September 22, 2017

"Malicious attacks and intrusion efforts are continuous and evolving, and in certain cases they have been successful at the most robust institutions and at the SEC itself", he said. The statement didn't explain the delay in the announcement, the exact date the system was breached, or whether information about any specific company was targeted. "Given the cryptic release from the SEC it is impossible to know the extent of the intrusion from May 2016 until almost a year later, but one has to assume if these private files are all controlled through EDGAR they are in the zone of likely information to have been targeted and exfiltrated".

EDGAR is an automated system that processes forms and other paperwork submitted by companies. Clayton said the agency's breach did not result in exposing personally identifiable information.

Clayton revealed in a statement last night that hackers exploited a software vulnerability in the regulator's EDGAR filing system.

While the "incident" had been detected when it occurred in 2016, an internal audit ordered by Chairman Clayton discovered this August that nonpublic information was disclosed that could have been used by someone to gain an advantage in stock transactions.

The country's top Wall Street regulator says a cyberattack last year breached its system for storing documents filed by companies, possibly allowing hackers to make illegal profits.

The agency announced the hack in the wake of a massive months-long hack of Equifax, a credit reporting agency, through which sensitive personal information of 143 million people was exposed.

Insider trading, which is essentially what hackers are doing if they're using stolen SEC filings to buy and sell stock, can have a huge effect on the supply and demand of a stock, and thus the price.

A top United States financial regulator faces questions about its preparation for cyber attacks, after disclosing a breach of its database of company filings. It also found that the SEC did not always encrypt information and had failed to fully implement recommendations from the GAO that would help detect intrusion.

SEC Chairman Jay Clayton said the agency's review of the breach is ongoing and that it's "coordinating with the appropriate authorities".

The SEC discussed the 2016 hack in a lengthy statement by Clayton on the agency's cybersecurity efforts. "We must be vigilant. We also must recognise - in both the public and private sectors, including the SEC - that there will be intrusions, and that a key component of cyber risk management is resilience and recovery".