
In The News

There May Be 'No Do-Overs,' but SEC Hack Provides Important Security Lessons

By Ed Silverstein
September 25, 2017
The National Law Journal


Mauro Wolfe

Even the Securities and Exchange Commission (SEC) can get hacked – and the recently announced cyber-attack against the SEC is providing an important wake-up call for U.S. companies regulated by the powerful agency and the attorneys they work with.

What We’ve Learned

Mauro Wolfe, a former federal prosecutor now working as an attorney at Duane Morris, noted there were some initial media reports suggesting that the SEC’s impacted electronic system, the Electronic Data Gathering, Analysis, and Retrieval (EDGAR) test filing system, was perhaps “an old system.”

If that’s true, it sends a reminder to companies that they need to check the cybersecurity on their own legacy systems, Wolfe said. The same is true of more up-to-date systems found in companies.

“I certainly think that every company should spend some time … analyzing their cybersecurity risk,” Wolfe said. “It should be done on a routine basis.”

Wolfe said special emphasis should be given to the “high-risk targets”—in other words, “the jewels.” Look at where these targets are stored and whether the best method is in place to protect them. …

The SEC’s Response

It was just a few days ago that SEC Chairman Jay Clayton announced the 2016 intrusion of EDGAR. Last month, the SEC learned that the 2016 incident may have provided the basis for illicit gain through trading, Clayton said.

“A software vulnerability in the test filing component of the … EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information,” a statement from Clayton revealed. “It is believed the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.”

“Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic,” Clayton said in the statement. “We must be vigilant. We also must recognize—in both the public and private sectors, including the SEC—that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.” …

Based on initial information, the SEC revealed that nonpublic information in its EDGAR system, where companies file both public and non-public data, was hacked and possibly used for illegal stock trading purposes, according to Corporate Counsel.

The SEC breach follows a 2015 breach at the Office of Personnel Management (OPM). That breach impacted more than 21 million people. …

Reprinted with permission from The National Law Journal, © ALM Media Properties LLC. All rights reserved.