Security and Exchange Commission Chairman John Clayton released a lengthy statement yesterday on cybersecurity. Buried about 1,400 words in, you'll find an eyebrow-raising disclosure -- the SEC was apparently hacked in 2016.
"In certain cases, threat actors have managed to access or misuse our systems," Clayton writes, adding, "In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading."
Specifically, hackers exploited a software vulnerability in the SEC's "EDGAR" system, a vast archive of financial records for companies listed on the US stock exchange. Hackers who knew what to look for could potentially use that data to gain an advantage on the stock market.
In another instance, Clayton alleges that individuals placed fake SEC filings in the EDGAR system in an effort to profit from the resulting market movements.
"We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk," Clayton says, adding that all of EDGAR's software vulnerabilities were "patched promptly after discovery."
Clayton goes on to disclose some of the potential ways the breach could have happened in the first place, including missing laptops containing nonpublic information, as well as instances where nonpublic information was transmitted through non-secured personal email accounts.
"We recognize that cybersecurity is an evolving landscape, and we are constantly learning from our own experiences as well as the experiences of others," Clayton writes. He adds that the SEC expects to hire additional expertise in this area.
Sounds like a good and necessary idea for an organization devoted to "promoting a market environment that is worthy of the public's trust."