The SEC Got Hacked, Took A Year To Learn People Might've Traded On It, Disclosed These Facts Parenthetically In A Bizarre Statement, And Wants Companies To Do None Of These Things

We've got some questions.

If there's an iron law of cybersecurity, it's that everyone gets hacked. It doesn't matter how big and powerful you are. They've hacked the Office of Management and Budget. They've hacked the NSA. They've even hacked Brazzers.

So we should have a little sympathy for the Securities and Exchange Commission, which announced Wednesday that it, too, had been hacked: an “intrusion of the Commission’s EDGAR test filing system.” But like Equifax before it, the SEC seemed to be laying it all out there for transparency's sake when really it was keeping quite a lot of detail close to its chest. Here are Chairman Jay Clayton's full remarks on the matter, which came sandwiched in the middle of a much longer statement on cyber risks at the agency:

Notwithstanding our efforts to protect our systems and manage cybersecurity risk, in certain cases cyber threat actors have managed to access or misuse our systems. In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading. Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information. We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk. Our investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities.

Here's the relevant passage from the accompanying press release:

In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading. Specifically, a software vulnerability in the test filing component of the Commission’s EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information. It is believed the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk. An internal investigation was commenced immediately at the direction of the Chairman.

Though it should be clear, all the passive voice and murky chronology make it somewhat difficult to get a coherent picture of what happened. Here's an attempt at a timeline, according to the above.

  • For an unknown period of time: EDGAR test filing system has vulnerability.
  • Sometime in 2016: SEC learns about vulnerability.
  • “Promptly” thereafter: SEC fixes vulnerability.
  • Perhaps concurrent with the above, perhaps not: SEC learns vulnerability was exploited, internal investigation commenced.
  • August 2017: Hack may have led to insider trading.

The statement leaves vague how long, exactly, the vulnerability existed. Also when, relative to discovering the vulnerability, they learned it had been exploited. Also why it took somewhere between eight and 20 months for them to learn that the hack “may” have led to insider trading. And finally, why they remain uncertain about this fact. We've got a lot of questions!

Granted, matters of cybersecurity are really touchy and hacked parties ought to be prudent before rushing out and telling the world they've been compromised. It can take ages to get to the bottom of something. And the Consolidated Audit Trail is still just an idea, so the SEC can't just wave a wand quite yet and know immediately who traded what when.

But we have to wonder whether tucking the announcement parenthetically within a long-winded and frankly boring speech about cybersecurity protocols is really the best way to let the public know that the nation's top securities watchdog – for which cybersecurity has become a chief focus – was itself hacked. Would the SEC be happy with this disclosure coming from a publicly traded company?

In some ways, that comparison isn't fair to the SEC. For one thing, the agency doesn't have shareholders. But for its own good, the agency needs to maintain trust with the public and model decent disclosure practices. Leaving all these gaping questions in what was already a strange statement does not instill confidence.
