SEC still probing data breach

Securities and Exchange Commission Chairman Jay Clayton told a Senate panel that the agency was expanding its probe into a 2016 data breach.


SEC Chairman Jay Clayton updated the Senate Banking Committee on an agency probe into a breach of a critical financial data system.

The Securities and Exchange Commission chairman is expanding a probe into a 2016 data breach to include an inspector general investigation and a review of when agency officials first learned that the public-facing financial filing system EDGAR had been hacked.

SEC Chairman Jay Clayton told the Senate Banking Committee on Sept. 26 that the intrusion "involved the exploitation of a defect in custom software in the EDGAR system," which is used by public companies to file financial reports and make disclosures about events that could affect securities markets.

"My understanding of this landscape," Clayton said, is that "the more custom software is, the more likely it is to be vulnerable."

Clayton first announced the breach in a lengthy Sept. 20 press statement.

EDGAR, which is short for Electronic Data Gathering Analysis and Retrieval, is an old system, first launched in the 1990s. The current version dates back to 2001, although it has been periodically updated and expanded.

The system is due to be replaced, but not in the near term.

In September 2016, Sapient Government Services was awarded a $6.1 million contract to gather requirements for an EDGAR redesign. According to the timeline supplied in contracting documents, the SEC anticipates that the requirements-gathering process will extend through March 2018. The statement of work also calls for a possible extension to provide acquisition support to the SEC to actually procure a new system through March 2019.

Clayton told lawmakers that the agency's response includes hiring outside consultants and conducting penetration testing. He noted that one issue with making a disclosure is that "other people try to test and probe" your systems.

Discovery of the breach was made by the SEC's enforcement division, as part of an ongoing investigation. "Information they gained caused them to question whether there had been a breach of the system," Clayton said.

It's not clear what kind of information was breached. Corporate filings contain detailed financial information about company performance, but such information is usually available to investors via press releases in advance of SEC disclosure. A former SEC employee told FCW that one likely target for hackers looking for information to trade on could be 8-Ks, unscheduled filings regarding material events that companies are legally required to disclose. The machinery for submitting this kind of disclosure in EDGAR begins before the official announcements go out to the world.

Clayton told senators that he did not believe personally identifiable information was taken. He couldn't specify when in 2016 the initial breach took place. He first learned of the breach in August 2017 and said he had no reason to believe his predecessor, Obama administration appointee Mary Jo White, knew of the breach.

"I cannot tell you with 100 percent certainty that this is the only breach we have had," Clayton said.

The review of the breach and possible insider trading arising from the fruits of the breach, Clayton said in prepared testimony, "is ongoing and may take substantial time to complete."