SEC Chairman Jay Clayton. (Photo: Diego Radzinschi/NLJ)

Further probing of the 2016 cyberattack of the Securities and Exchange Commission’s corporate filing system, EDGAR, has found that a test filing in the EDGAR system accessed by third parties contained the names, birthdates and Social Security numbers of two individuals, according to a Monday statement by SEC Chairman Jay Clayton. 

Clayton provided the update as part of the ongoing internal investigation of the hack, which he announced on Sept. 20.

The most recent data on the hack, Clayton said, “is based on forensic data analysis” conducted since Sept. 20 when the intrusion was announced.

Clayton said that SEC staff told him about the new information on Friday, and that “staff are reaching out to the two individuals to notify them and offer to provide them with identity theft protection and monitoring services.”

Should the agency uncover additional individuals whose sensitive information may have been accessed, the staff will contact them and offer them identity protection and monitoring as well, he said.

“The 2016 intrusion and its ramifications concern me deeply,” Clayton said in a statement announcing the latest information. “I am focused on getting to the bottom of the matter and, importantly, lifting our cybersecurity efforts moving forward.” 

He noted that while the agency’s review and remediation efforts are ongoing and “may take substantial time to complete, I believe it is important to provide new information regarding the scope of the 2016 intrusion and provide an update on the steps we are taking to assess and improve the cybersecurity risk profile of our EDGAR system and of the agency’s systems more broadly.”

Beyond an internal investigation of the intrusion by the agency’s Office of Inspector General and an investigation by the Division of Enforcement into the potential illicit trading resulting from the intrusion, Clayton said three additional steps are being taken.

EDGAR, which has been undergoing modernization efforts, will see further updates. The agency, Clayton said, “has added, and expects to continue to add, additional resources to these efforts, which are expected to include outside consultants, and will increase the focus on cybersecurity matters.”

The agency will review its cybersecurity risk profile and efforts initiated shortly after Clayton became chairman in May, including, “the identification and review of all systems, current and planned (e.g., the Consolidated Audit Trail or CAT), that hold market sensitive data or personally identifiable information.”

An internal review of the EDGAR intrusion will attempt to determine, among other things, the procedures followed in response to the intrusion. “This review is being overseen by the Office of the General Counsel and has an interdisciplinary investigative team that includes personnel from regional offices and will involve outside technology consultants,” Clayton said.

Clayton said Monday that he has also authorized the immediate hiring of additional staff and outside technology consultants “to aid in the agency’s efforts to protect the security of its network, systems and data.”

SEC staff have also been directed to take a number of steps designed to strengthen the agency’s cybersecurity risk profile, with an initial focus on EDGAR. 

“This effort includes assessing the types of data the SEC takes in through the EDGAR system, and whether EDGAR is the appropriate mechanism to obtain that data,” Clayton said. “Another part of this effort includes reviewing the security systems, processes and controls in place to protect data submitted through EDGAR.”

— Check out SEC to Gather Data on Unregistered Advisors, Brokers on ThinkAdvisor.