SEC let companies practice on Edgar: That's how it got hacked

Companies that took advantage of the chance to practice filing sensitive information with the U.S. Securities and Exchange Commission might wish they hadn’t.

While the SEC is providing few details, the regulator did say the hack of its online database of corporate filings targeted what the agency calls its test Edgar system. It lets startups unfamiliar with filling out SEC forms get comfortable with the process without publicly blasting out market-moving announcements.

Now an initiative that was grounded in good intentions is causing the SEC headaches. The agency disclosed Wednesday that not only had cybercriminals breached Edgar, but they may have stolen corporate secrets that they profited from. The SEC blamed the 2016 intrusion -- which it was slow to reveal -- on a software vulnerability in its test system.

Edgar houses millions of filings on disclosures ranging from corporate earnings to statements on mergers and acquisitions. Infiltrating it to review announcements before they are released publicly would serve as a virtual treasure trove for a hacker seeking to make easy money. SEC Chairman Jay Clayton said the agency’s review of the breach is ongoing and that it’s “coordinating with the appropriate authorities.”

No secrets

The SEC encourages companies to take advantage of test filings. In a December 2015 press release, it advised corporations seeking to raise money through crowdfunding that they could practice filling out forms.

To its credit, the SEC said at the time that companies shouldn’t “submit confidential or personally identifiable information in the test filings.” That doesn’t mean companies followed its advice.

The disclosure of the SEC hack comes just two weeks after credit-reporting company Equifax Inc. said it had been a victim of a breach that may have led to the theft of personal data on 143 million Americans. With the public still reeling from Equifax’s breach, the SEC intrusion is triggering renewed calls for federal agencies and companies to do more to secure data.

“Government and businesses need to step up their efforts to protect our most sensitive personal and commercial information,” Senator Mark Warner, a Virginia Democrat, said in a statement. “Information has become one of our country’s most valuable resources, and control of that information comes with significant responsibility. The SEC should not retreat from its important market oversight role in order to limit its exposure to sensitive information.”

The SEC is one of several regulators charged with the first phase of a joint rulemaking for the Financial Data Transparency Act.
The SEC is one of several regulators charged with the first phase of a joint rulemaking for the Financial Data Transparency Act.Photographer: Al Drago/Bloomberg

‘Quickly patched’

While the SEC didn’t reveal which companies may have been impacted by the intrusion, it did say the software weakness was “patched promptly after discovery.” Chris Carofine, a spokesman for Clayton, declined to comment when asked what type of information was improperly accessed.

The SEC discussed the 2016 hack in a lengthy statement by Clayton on the agency’s cybersecurity efforts. He described some of the threats and data that the agency routinely handles, its role in policing the online world, and how it coordinates with other federal agencies.

While the SEC handles non-public drafts of rules and personally identifiable information, it said it doesn’t believe the breach led to unauthorized access of that type of data, endangered the operations of the agency, or resulted in “systemic risk.”

Still, Wednesday’s disclosure may heighten concerns around the Consolidated Audit Trail, an enormous database of equity trades that is being built to give regulators better transparency into markets and help them figure out more quickly the causes of disruptions.

Financial firms have expressed concern about data breaches once the new database is completed. The repository could include personal information such as names and addresses from more than 100 million customer accounts.

Fake filings

The SEC has had other issues with Edgar, including people posting phony takeover offers and other hoaxes on the system that have temporarily driven up companies’ share prices.

The SEC said it has been conducting an assessment of its cybersecurity since Clayton took over as chairman in May. The former Wall Street deals lawyer has discussed cyber-risks on multiple occasions in the context of the threats public companies face and their responsibilities to protect themselves. The SEC regulates what companies must disclose to shareholders about breaches.

Last week, in response to a reporter’s question about the fallout from the recent Equifax hack, Clayton said the agency was working to increase public awareness of the “substantial systemic risks” associated with cybersecurity.

The data stolen from Equifax included Social Security numbers, drivers license information and birth dates. Banks rely on the information that Equifax and other credit-reporting companies provide in determining whether consumers should get loans.

Bloomberg News
Financial reporting Data breaches Jay Clayton SEC
MORE FROM ACCOUNTING TODAY