The federal agency responsible for ensuring that markets function properly and for protecting investors is under fire after disclosing its computer system was hacked despite repeated warnings about deficiencies in its cybersecurity measures.

The Securities and Exchange Commission said late Wednesday that it discovered a breach of its corporate filing system last year but only became aware last month that information obtained by the attackers may have been used for illegal trading gains.

The agency did not explain why the initial hack was not revealed sooner, or which individuals or companies may have been impacted.

The disclosure arrived two months after a government watchdog said deficiencies in the SEC’s filing system put the system, and the information it contains, at risk.

The hack was disclosed by SEC Chairman Jay Clayton in a statement posted to the agency’s website and comes just two weeks after the credit agency Equifax revealed a cyberattack there had exposed highly sensitive personal information of 143 million people.

Clayton is scheduled to appear Tuesday before the Senate Banking Committee. Democratic Sen. Mark Warner of Virginia, a member of the committee, said Thursday that the disclosures by the SEC and Equifax show “that government and businesses need to step up their efforts to protect our most sensitive personal and commercial information.”

Clayton said a review of the agency’s cybersecurity risk profile determined that the previously detected incident was caused by “a software vulnerability” in its filing system known as EDGAR, short for Electronic Data Gathering, Analysis, and Retrieval system.

EDGAR processes more than 1.7 million electronic filings in any given year. Those documents can cause enormous movements in the market, setting billions of dollars in motion in fractions of a second.

Clayton said the SEC has been conducting an assessment of its cybersecurity since he took over as chairman in May. Experts note, however, that both agency and congressional investigators have been critical of the SEC’s handling of its information technology security for years.

Early this decade, the SEC inspector general’s office uncovered security lapses involving SEC staffers who examined the data-protection systems of the stock exchanges.

Some of the staffers used unencrypted laptops to store sensitive exchange information – and then carried the laptops to a Las Vegas conference for information security professionals that is known to attract hackers. The 2011-12 investigation raised concerns of a potential breach of the exchanges’ information.

