Clayton Reveals Potential Harm from Past SEC Cybersecurity Incident
SEC chairman Jay Clayton, in a September 20 cybersecurity statement providing an overview of how the agency is addressing its own cybersecurity threats, revealed that the SEC last month discovered that an earlier-detected agency breach had created an opportunity for "illicit gain."
"In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading," he said in the statement. "Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information."
"We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk," he said. The SEC’s investigation of the matter "is ongoing," he said, and the agency is "coordinating with appropriate authorities."
This was not the only hacking attempt at the agency. Clayton noted that, in May of this year, the agency filed charges against individuals for allegedly "plac[ing] fake SEC filings on our EDGAR system in an effort to profit from the resulting market movements."
SEC commissioner Michael Piwowar, in a separate statement, said that he was "recently informed for the first time" of the 2016 EDGAR incident.
"The statement is important, as it shows that the SEC recognizes cyber risks and has itself been humbled by a breach," said ACA Aponix partner Raj Bakhru. "I think we can expect that in light of the SEC’s breach, the agency will be increasing its own defenses, and will likely expect that others that house material nonpublic information, like asset managers, law firms and press release firms, will do the same.
"The SEC has the ability to focus on ensuring that the barrier to stealing this information is higher, so it would stand to reason that it will expect those it regulates to do so," he said. "It also stands to reason that, as the agency responds to the incident, it will recognize the need for everyone else housing sensitive data to plan for incident response."
"The revelation by Clayton that the SEC was the victim of a cybersecurity incident highlights the risks faced by not only the financial services industry, but also the agencies regulating the industry," said Mayer Brown partner Jeffrey Taft. "Like the regulated entities, the SEC has valuable non-public information that hackers, thieves and market manipulators can exploit for financial gain."
The larger statement
Clayton discussed these incidents in the context of his larger statement, which provided an overview of the SEC’s approach to cybersecurity as an organization. The statement touched on the following points:
The types of data the agency collects, holds and makes public;
How the SEC manages cybersecurity risks and responds to cyber events related to its operations;
How the agency incorporates cybersecurity considerations in its risk-based supervision of the entities it regulates;
How the SEC coordinates with other regulators to identify and mitigate cybersecurity risks; and
How the agency uses its oversight and enforcement authorities in the cybersecurity context, including pursuing cyber threat actors that seek to harm investors and our markets.
The purpose behind Clayton’s statement was to highlight the importance of cybersecurity to the SEC and to detail the agency’s approach to cybersecurity "as an organization and as a regulatory body," the agency said in a press release accompanying the statement.
"The statement is part of an ongoing assessment of the SEC’s cybersecurity risk profile that chairman Clayton initiated upon taking office in May," the agency said. "Components of this initiative have included the creation of a senior-level cybersecurity working group to coordinate information about sharing, risk monitoring and incident response efforts throughout the agency."
"Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic," Clayton said. "We must be vigilant. We also must recognize – in both the public and private sectors, including the SEC – that there will be intrusions, and that a key component of cyber risk management is resilience and recovery."
Piwowar, in his statement, said that "effective management of internal cybersecurity risk is critical to the SEC achieving its mission and to protecting the nonpublic information that is entrusted to this agency." He commended Clayton for "initiating an assessment of the SEC’s internal cybersecurity risk profile and approach to cybersecurity from a regulatory perspective."
Following are some of the parts of the statement that would be of the most interest to asset managers.
Cybersecurity and adviser/fund oversight
Investment advisers, investment companies, broker-dealers and other financial entities "act as the primary interface between the securities markets and investors, including Main Street investors," said Clayton. "Not only do their systems provide investors access to their securities accounts, but those systems in many cases also hold customers’ personally identifiable information."
Certain SEC regulations, he said, "directly implicate information security practices" for regulated entities. He particularly cited:
Regulation S-P. This rule requires registered advisers, funds and broker-dealers to adopt written policies and procedures governing safeguards to protect customer information and records.
Regulation S-ID. Under this rule, advisers, funds and broker-dealers are required, to the extent they maintain certain types of covered accounts, to establish programs addressing how to identify, detect and respond to potential identity theft red flags.
In addition, Clayton noted, the SEC staff has issued guidance on cybersecurity practices. He called particular attention to the April 2015 Division of Investment Management guidance, which discussed measures that advisers and funds should consider when addressing cybersecurity risks.
Separately, Clayton focused on the examinations that the agency’s Office of Compliance Inspections and Examinations has performed, "which have included reviews of risk management programs and other operational components in order to evaluate compliance with Regulations S-P and S-ID, as well as with other federal securities laws and regulations."
"In recent years," he said, "OCIE has placed increasing emphasis on cybersecurity practices and has included cybersecurity in its examination priorities." OCIE in August 2017 also published a risk alert containing a summary of observations from its second sweep exam of cybersecurity preparedness. "Recognizing that there is no single correct approach to cybersecurity, the publication was not intended to provide a checklist of required practices, but rather to share information about practices the staff identified that may be useful to firms as they engage in cybersecurity planning," he said.