Stinson Leonard Street Dodd Frank

MAKING SENSE OF DODD-FRANK

The Dodd-Frank Act has broad and deep implications that will touch every corner of financial services and multiple other industries. This site, developed and maintained by attorneys at Stinson Leonard Street, is dedicated to making sense of this complex legislation and helping businesses understand how it will affect them specifically. Our Bloggers »

Dodd-Frank

SEC Chair Clayton’s Statement on Cybersecurity: EDGAR Was Hacked

by   |   September 20, 2017

SEC Chairman Jay Clayton today issued an unusual statement highlighting the importance of cybersecurity to the agency and market participants, and detailing the agency’s approach to cybersecurity as an organization and as a regulatory body.

The statement is part of an ongoing assessment of the SEC’s cybersecurity risk profile that Chairman Clayton initiated upon taking office in May. Components of this initiative have included the creation of a senior-level cybersecurity working group to coordinate information sharing, risk monitoring, and incident response efforts throughout the agency.   The statement provides an overview of the Commission’s collection and use of data and discusses key cyber risks faced by the agency.

Perhaps the first-ever news that EDGAR was hacked will be the most widely reported facet of the statement. According to Chairman Clayton:

“Notwithstanding our efforts to protect our systems and manage cybersecurity risk, in certain cases cyber threat actors have managed to access or misuse our systems. In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading.  Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information.  We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.  Our investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities.”

While the SEC may be investigating the matter, they apparently did not tell Commissioner Piwowar. Commissioner Piwowar issued a separate statement which said “I was recently informed for the first time that an intrusion occurred in 2016 in the SEC’s Electronic Data Gathering, Analysis, and Retrieval (“EDGAR”) system.”