SEC reviews cybersecurity policy after EDGAR hack

The breach enabled the attackers to trade on the information they gained, the agency said.

The Securities and Exchange Commission has stepped up its cybersecurity program after an attack on its own system allowed hackers to make “illicit gains” using compromised information.

Chairman Jay Clayton said the agency has created a senior-level cybersecurity working group to co-ordinate information sharing, risk monitoring and incident response efforts throughout the agency.

“We must be vigilant. We must also recognize – in both the public and private sectors, including the SEC – that there will be intrusions, and that a key component of cyber risk management is resilience and recovery,” Clayton said.

The agency’s corporate filings system EDGAR was breached in 2016, but it only learned in August this year that the attackers had used the information to make profitable trades. The software vulnerability exploited by the attackers was patched promptly after discovery, Clayton said.

“It is believed the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission or result in systemic risk,” the regulator said.

Cybersecurity remains a key compliance priority for the SEC. A recent sweep found that while most private fund firms now have a policy in place, there are still shortcomings. Many have implemented a uniform policy, for example, that does not take into account a firm’s nuances.