The Securities and Exchange Commission's announcement this month that its EDGAR corporate filing system was hacked a year ago is sparking concern that the agency is pushing others on cybersecurity when the SEC itself isn't prepared for an attack.
"Since the SEC's focus on cybersecurity, certainly managers have wondered from time to time — '(The SEC) asks how secure we are, but how secure are their systems?' " said Paulita Pike, partner in the investment management practice of Ropes & Gray LLP, Chicago. "That question has been batted around before, and it's being discussed now."
Ms. Pike said SEC Chairman Jay Clayton's comments after the Sept. 20 announcement of the breach "have augmented the discussion. This will be a concern (for managers) until there's some comfort in what the SEC is doing."
The breach of the SEC's Electronic Data Gathering, Analysis and Retrieval system was made through what Mr. Clayton in the Sept. 20 statement called "a software vulnerability." Although he said the vulnerability was patched "promptly after discovery" in 2016, the determination that the intrusion might have given access to information that could be used in illegal trading wasn't made until August 2017. He said that personally identifiable information was not obtained in the hack, nor did the hack present systemic risk, but the full extent and impact of the breach were not yet known.
The delay in determining what was hacked and what the stolen information could have been used for creates concern among investors — not only for what information the SEC already has, but for future data collection proposed by the agency, including a proposal for a consolidated audit trail for trades and any further market-structure testing such as the ongoing tick-size pilot.
"In addition to these corporate filings getting hacked, that's bad enough," said Steven Glass, president and CEO of Zeno Consulting Group LLC, a Bethesda, Md., consultant to pension funds on trading issues. "But for me, the potential of something like the consolidated audit trail being hacked, or hackers finding out about enforcement actions being considered (by the SEC), that's a concern. To me, aside from EDGAR, that the SEC could be hacked is frightening enough — especially since part of their charter is to maintain confidence in the markets. Hopefully steps will be taken to ensure that appropriate measures are made and disclosed in a timely fashion."
Added David Holmgren, chief investment officer of Hartford HealthCare, which manages $3 billion in pension, endowment and other assets: "Filings in the investment section (of EDGAR) are delayed. I'm not worried about that. Hackers can get that (somewhere else) sooner. What I'm worried about is information on managers getting out … I feel very badly for asset managers … If you're a manager, you don't want that information disclosed."
Mr. Clayton acknowledged the public concerns over the agency's cybersecurity capabilities. At a Sept. 26 hearing of the Senate Committee on Banking, Housing and Urban Affairs, which oversees the SEC, Mr. Clayton said the agency must "up its game" on cybersecurity.
"We must recognize there will be breaches," Mr. Clayton said in testimony before the panel. "We are under constant attack from high-level actors."
He said the SEC's inspector general and the Department of Homeland Security are investigating the 2016 breach.
The disclosure of the breach was followed by an SEC announcement Sept. 25 that it launched an enforcement cyber unit that has been in the planning stages for months. The cyber unit, to be run by Robert A. Cohen, co-chief of the enforcement division's market abuse unit, will look for cyber-related threats to trading platforms and other critical market infrastructure, market manipulation schemes involving false information spread through electronic and social media, and hacking to obtain material non-public information such as what was believed to have been taken in the 2016 SEC breach.
Mr. Clayton also told the Senate panel that the SEC can't go it alone on cybersecurity.
"Cybersecurity must be more than a firm-by-firm or agency-by-agency effort," Mr. Clayton said. "Active and open communication between and among regulators and the private sector also is critical to ensuring the nation's financial system is robust and effectively protected. Information sharing and coordination are essential for regulators to anticipate potential cyberthreats and respond to a major cyberattack, should one arise."
The SEC overall has a good track record with the industries it regulates in terms of two-way communication, which should be beneficial in developing cybersecurity protections, said Ms. Pike from Ropes & Gray.
"This is another example of how the SEC should work with (entities it regulates)," Ms. Pike said. "This has opened a new topic — can the SEC as keeper of information be trusted? I think the commission will listen to industry concerns about cybersecurity and be transparent and let industries know what it is doing."
As to what the SEC ultimately will do on cybersecurity, Ms. Pike said, "Chairman Clayton strikes me as pretty practical. He's asking for a self-evaluation. I imagine the commission will re-evaluate EDGAR, but they certainly can't get rid of EDGAR any time soon. I think they'll shore up what they have in place … But with all the data the SEC holds, we don't know what kind of data was compromised. The SEC may not even know for a while what was compromised. Once they do, then they can take steps to make sure something similar doesn't happen. Chairman Clayton is obviously taking a whole host of approaches, including an evaluation of what they currently have."
Ms. Pike noted the issue of filing required documents with an agency that is being viewed as having suspect cybersecurity measures in place. "There's a real conundrum — though not really a conundrum since that implies choice," Ms. Pike said. "Entities that the SEC regulates are required to file with the agency. There is no choice involved … The SEC can compel production. I don't think anyone they request information from can refuse without significant reasons …
"At least the disclosure (by Mr. Clayton) lets people begin to know what's happening at the SEC on cybersecurity and how the SEC will communicate with those it regulates on issues related to breaches and its own cybersecurity. You can't begin to have that conversation without knowing what's going on at the SEC. Chairman Clayton references a dialogue between the SEC and its regulated industries, which is a good first step."
Reporter Hazel Bradford contributed to this story.