Why Didn’t The SEC Say It Was Hacked?

Print Email

The hack of the U.S. Securities and Exchange Commission database shares something in common with most other recent large hacks of corporate and government databases. It did not get around to mentioning the problem until well after it happened.

Given how sensitive SEC information can be, the decision is a puzzler.

The agency’s management released a statement, which said in part:

In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading. Specifically, a software vulnerability in the test filing component of the Commission’s EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information

Two things stand out. First, the announcement was made fairly late in September. Second, the 2016 “detection” was not made public, although the SEC is a public agency used by thousands of companies and hundreds of thousands of investors.

The SEC statement did say the agency will take a number of measures to protect data in the future. SEC Chairman Jay Clayton said:

By promoting effective cybersecurity practices in connection with both the Commission’s internal operations and its external regulatory oversight efforts, it is our objective to contribute substantively to a financial market system that recognizes and addresses cybersecurity risks and, in circumstances in which these risks materialize, exhibits strong mitigation and resiliency.

So far, no person or group has been accused of the hack. The SEC may not know whether data collected was used by hackers to make money through trading of publicly traded financial instruments. If the event is like many other hacks, no one may ever know.

As hacking of important databases becomes more frequent and is likely to continue to grow, two things stand out about the responsibility of those who control the databases. First, they need to improve security, which every single victim organization says it will do. Whether the actions will be effective is an open question. The other responsibility is to disclose hacking as quickly as possible. That has been a problem. Organizations have developed the habit mentioning hacks well after they have happened. For those who might be affected, that may be as bad as the hack itself.