In a speech on cybersecurity, SEC Chair Jay Clayton acknowledged that the SEC's own EDGAR filing system was breached by hackers in 2016. Chair Clayton explained that a "software vulnerability" in the EDGAR test filing system resulted in the exposure of nonpublic information.

Chair Clayton said that while the vulnerability was "patched promptly," the nonpublic information that was accessed may have been used as the basis of illicit trading. He explained that while the SEC detected and fixed the vulnerability in 2016, the Commission did not learn about the potential theft of data and illicit trading until August 2017. He asserted that the breach did not result in any systemic risk or exposure of personally identifiable information and that the SEC was cooperating with "appropriate authorities" to investigate the breach.

Chair Clayton did not provide any additional information on the breach, such as details on what information was stolen; the names of the companies affected; the timing, volume, shares and amounts involved in any illicit trades; or any information about the hackers responsible. It also remains unclear why the SEC was not able to determine that a breach occurred until August 2017.

In addition, Chair Clayton revealed other security lapses at the SEC, including findings from a 2014 internal review that determined that SEC laptops containing nonpublic information could not be located, and that SEC staff transmitted nonpublic information through their personal email accounts.

Generally, Chair Clayton affirmed that the SEC is consistently targeted by "bad actors" who try to infiltrate SEC systems to gain access to nonpublic information, disrupt technology platforms or damage technological infrastructure. He noted that the SEC already has many policies, procedures and structures in place to protect against and respond to cyberattacks, but acknowledged that the evolving landscape demands a consistent commitment to remaining capable of effectively managing cybersecurity risk.

Commentary / Joseph Facciponti

Although it is impossible to determine how serious the breach of the SEC's EDGAR filing system was, this announcement is a stark reminder that hackers seek to steal not just personal information, but any information they can exploit for profit, including material nonpublic information. Any entity – public or private – that maintains databases of valuable information is a target for hackers, and those entities should have policies and procedures in place to safeguard their data and respond appropriately when they are attacked.
