The Securities and Exchange Commission has launched a two-part investigation into a 2016 data breach of its online filing system that was first disclosed last week, the commission’s Chairman Jay Clayton told lawmakers Tuesday.
The first part of the review is focused on the breach itself, how far it spread and whether there are any other undiscovered exploitable vulnerabilities in the commission’s Electronic Data Gathering, Analysis, and Retrieval system, or EDGAR, an online filing system for company financial forms, Clayton told members of the Senate Banking Committee.
The second part of the review will focus on if and how hackers used the breach to trade stocks and other financial securities based on non-public information, Clayton said.
The reviews will include an inspector general investigation into why it took so long for the SEC to discover and disclose the 2016 breach, Clayton said. Executive branch agencies are required to notify Congress of major cyber incidents within seven days.
It’s unclear precisely when SEC investigators learned about the breach. Clayton first learned of the breach in August, he told lawmakers.
Clayton declined to speak in detail about the breach or the investigations because the investigations are ongoing.
The 2016 breach resulted from hackers spotting a defect in custom software used by the EDGAR system, Clayton said. That defect has been patched, he said.
Clayton authorized the commission to hire additional cybersecurity staff to improve agency protections in the wake of the breach, he said, and the commission will conduct incident response exercises to prepare for future breaches or other incidents.
Senators pressed Clayton repeatedly on whether companies and investors should feel comfortable sharing information with the commission in the wake of the breach.
They also questioned a commission plan to launch a Consolidated Audit Trail system, which will collect additional personal information from traders and help auditors spot suspicious activity such as insider trading.
Clayton insisted the new audit system will be “vital” for enforcement efforts but said the SEC will not collect any information that’s not absolutely necessary.
On Monday, the commission announced a new cyber enforcement unit focused on digital misdeeds such as hacking to obtain non-public trading information, cyber threats to stock exchanges and other trading platforms and market manipulation schemes that rely on spreading false information on social media.