Last week the SEC took an unusually hands-on approach to investor education when it modeled precisely what not to do when your organization becomes the victim of a hack. The agency's untimely disclosure, buried in the middle of a long-winded speech and lacking in basic chronological details, posed far more questions than it answered.
Now, thanks to bits of leaked Senate testimony from SEC Chairman Jay Clayton, we have a slightly fuller answer to one of our central questions: Why did it take the SEC several months to realize that its previously discovered software glitch might have let crooks in the backdoor? The answer: The inquiry was coming from inside the agency:
The Securities and Exchange Commission looked anew at a 2016 hack of its electronic corporate filing system as part of an enforcement investigation, its chairman said in testimony prepared for a Senate hearing on Tuesday.... Clayton’s testimony said the commission began reviewing the hack of the Edgar filing system in August due to “an ongoing enforcement investigation,” according to remarks prepared for the Senate Banking Committee. The SEC hadn’t previously disclosed that it looked into the 2016 hack because of an investigation into possible illegal trading.
To review, it was sometime in 2016 that the SEC noticed it had a gaping hole in its EDGAR filing system, potentially allowing hackers to see market-moving releases before they went live. But it was only in August of this year that the agency determined the vulnerability “may have provided the basis for illicit gain through trading.”
The natural question, given those two data points, is how the SEC could have known about the bug in the system back in 2016, but somehow failed to imagine that hackers could exploit it for pecuniary gain until a year later. Wouldn't that be the first thing you'd check if you were an information security professional at the SEC? What else would there be to worry about?
Now we have an answer, kind of. Evidently some other office at the SEC, following the trail of some kind of fishy trading, traced the clues right back to the SEC. Which must have made for a tense conversation once the two teams interfaced:
ENFORCEMENT: Hey, so uh, did you know you had an EDGAR vulnerability last year?
INFOSEC: Oh, yeah, the pre-filing thing. We patched that up.
ENFORCEMENT: Did you ever consider the possibility that hackers could use that vulnerability to do insider trading on pre-public information?
On one hand, this revelation speaks pretty well of the abilities of the SEC's insider trading enforcement team; the agency found out the consequences of its IT weaknesses only because investigators found evidence those weaknesses were exploited, apparently. Then again, it speaks pretty poorly of the agency's overall effectiveness in safeguarding the kind of information that, when mishandled by corporations, becomes the focus of insider trading probes. Overall: not a good look.
UPDATE: Reuters has confirmed that what actually happened is more or less the scenario described above.