SEC Chair Jay Clayton provided an update on the investigation into the 2016 EDGAR system security breach and highlighted efforts to improve cybersecurity measures (see previous coverage of initial disclosure and first SEC update).

Mr. Clayton reported that hackers were able to obtain personal information including the names, birthdates and social security numbers of two individuals. He stated that the SEC is offering these individuals identity theft protection. Mr. Clayton detailed the following elements of the SEC's cybersecurity review:

  • an Office of the Inspector General review of the EDGAR system data breach;
  • an SEC Division of Enforcement examination of potential illicit trading related to the breach;
  • an exploration of potential improvements to the EDGAR system;
  • a general assessment of the SEC cybersecurity risk profile, including a review of all systems that house personally identifiable information; and
  • an internal review of the EDGAR system breach, including response procedures (to be overseen by the Office of the General Counsel).

Chair Clayton noted that the process will require "substantial time and effort," and vowed to keep Congress updated on the results. He said that the SEC is hiring additional staff and outside consultants to bolster cybersecurity efforts. Finally, Chair Clayton expressed a commitment to coordinate efforts on cybersecurity with other government agencies.

Commentary / Joseph Facciponti

With the revelation that the SEC's data breach exposed the personal information of two individuals, the EDGAR system hack can now be said to illustrate the full range of cybersecurity issues confronting businesses and entities. This breach shows the perils of failing to promptly address known cybersecurity issues in an entity's computer network, the difficulties and delay often involved in detecting a data breach, questions regarding if and when to disclose the breach, and, now, the challenges in determining the full extent of information compromised as a result of the breach. It is too soon to determine whether and how this experience will inform the SEC in its handling of future data breaches involving regulated entities. Businesses should prepare to address similar issues in the event that their networks are targeted by hackers.
