Securities and Exchange Commission Chairman Jay Clayton said late Wednesday that the agency learned in August that a cyber breach incident previously detected in 2016 involving its Electronic Data Gathering, Analysis and Retrieval, or EDGAR, corporate filing system “may have provided the basis for illicit gain through trading.”
Specifically, Clayton said in a sweeping cybersecurity statement, “a software vulnerability in the test filing component of the Commission’s EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information.”
The chairman explained Wednesday: “Notwithstanding our efforts to protect our systems and manage cybersecurity risk, in certain cases cyber threat actors have managed to access or misuse our systems.”
SEC Commissioner Michael Piwowar issued a separate statement late Wednesday, noting that he was just “recently informed for the first time that an intrusion occurred in 2016” in the SEC’s EDGAR system.
“I fully support Chairman Clayton and Commission staff in their efforts to conduct a comprehensive investigation to understand the full scope of the intrusion and how to better manage cybersecurity risks related to the SEC’s operations,” Piwowar said.
In his statement, Clayton said the SEC believes the intrusion into EDGAR “did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission or result in systemic risk,” adding that the agency’s “investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities.”
Clayton’s statement, according to the Commission, is part of an ongoing assessment of the SEC’s cybersecurity risk profile that Clayton initiated when he took office in May.
Clayton’s initiative has included the creation of a senior-level cybersecurity working group to coordinate information sharing, risk monitoring and incident response efforts throughout the agency.
The statement issued late Wednesday provides an overview of the Commission’s collection and use of data and discusses key cyber risks faced by the agency, including the 2016 intrusion of the Commission’s EDGAR test filing system.
Clayton said that cybersecurity “has been and will remain a key element” in the development of the Consolidated Audit Trail systems, or CAT, being built and operationalized by self-regulatory organizations such as the Financial Industry Regulatory Authority.
“It is expected that the Commission will have access to significant, nonpublic, market-sensitive data and personally identifiable information in connection with the implementation” of the CAT, Clayton said.
CAT, he continued, is “intended to provide SROs and the Commission access to comprehensive data that will facilitate the efficient tracking of trading activity across U.S. equity and options markets.”
CAT is in “the later stages of its multi-year development, and its first stage of operation is scheduled to commence in November 2017,” Clayton stated.