Securities and Exchange Commission Chairman Jay Clayton said late Wednesday that the agency learned in August that a cyber breach incident previously detected in 2016 involving its Electronic Data Gathering, Analysis and Retrieval, or EDGAR, corporate filing system “may have provided the basis for illicit gain through trading.”
Specifically, Clayton said in a sweeping cybersecurity statement, “a software vulnerability in the test filing component of the Commission’s EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information.”
The chairman explained Wednesday: “Notwithstanding our efforts to protect our systems and manage cybersecurity risk, in certain cases cyber threat actors have managed to access or misuse our systems.”
SEC Commissioner Michael Piwowar issued a separate statement late Wednesday, noting that he was just “recently informed for the first time that an intrusion occurred in 2016” in the SEC’s EDGAR system.
“I fully support Chairman Clayton and Commission staff in their efforts to conduct a comprehensive investigation to understand the full scope of the intrusion and how to better manage cybersecurity risks related to the SEC’s operations,” Piwowar said.
In his statement, Clayton said the SEC believes the intrusion into EDGAR “did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission or result in systemic risk,” adding that the agency’s “investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities.”
Clayton’s statement, according to the Commission, is part of an ongoing assessment of the SEC’s cybersecurity risk profile that Clayton initiated when he took office in May.