The Securities and Exchange Commission's EDGAR filing system was breached through a software vulnerability in 2016, allowing access to non-public information, Jay Clayton, SEC chairman, said in a statement Wednesday night.
The breach was detected and patched "promptly after discovery," but it was determined last month that the intrusion may have enabled "illicit gain through trading" by hackers, Mr. Clayton said.
"We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the commission or result in systemic risk," Mr. Clayton said. "Our investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities."
The disclosure was made in a statement on SEC cybersecurity issued by Mr. Clayton, which also described how the agency is incorporating cybersecurity measures into its governance, public company disclosure, market infrastructure oversight and supervision of broker-dealers and money managers.
"We recognize that cybersecurity is an evolving landscape, and we are constantly learning from our own experiences as well as the experiences of others," Mr. Clayton said. "To aid in this effort, and notwithstanding limitations on our hiring generally, we expect to hire additional expertise in this area."
Mr. Clayton acknowledged that there are "certain types of sensitive data that we must obtain from market participants in order to fulfill our mission. When determining when and how to collect data, it is important that we regularly review whether our related data protections are appropriate in light of the sensitivity of the data and the associated risks of unauthorized access. We should also continue to evaluate whether alternatives exist that may allow us to further our mission while reducing the sensitivity of data we collect."
Mr. Clayton's statement is on the SEC's website.