News

Why did it take the SEC a whole year to figure out hackers used corporate data to make illegal profits?

Published

12 months ago

September 21, 2017

It seems like an obvious conclusion to me that anyone hacking the Securities and Exchange Commission’s EDGAR corporate filing system did it to make illicit insider trades. Not to be dismissive or overly colloquial about this, but haven’t they seen “Trading Places“? In the 1980’s classic, Clarence Beeks steals the orange crop report, then Louis Winthorpe and Billy Ray Valentine replace it with a fake version, making millions while bankrupting the Duke Brothers.

Knowing valuable trading information before it is officially released is really the definition of insider trading. Yet the SEC took months to figure out the motive. From their statement:

The statement provides an overview of the Commission’s collection and use of data and discusses key cyber risks faced by the agency, including a 2016 intrusion of the Commission’s EDGAR test filing system. In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading.

Spare us the technical details about software vulnerabilities, exploits, and responses. The main point here is that it took so long for the agency to “learn” what should have been blindingly obvious to anyone.

Perspectives

Hackers May Have Profited From SEC Corporate Filing System Attack – Bain & Robinson, Bloomberg

Edgar houses millions of filings on corporate disclosures ranging from quarterly earnings to statements on mergers and acquisitions. Infiltrating the SEC’s system to review announcements before they are released publicly would serve as a virtual treasure trove for a hacker seeking to make easy money.

“This hack illustrates that protecting against hackers isn’t as easy as the government sometimes expects of companies,” said Bradley Bondi, a former SEC enforcement attorney now in private practice. “Everyone is vulnerable at any time.”

SEC reveals it was hacked, information may have been used for illegal stock trades – Renae Marie, The Washington Post

The latest announcement could hamper the SEC’s efforts to collect more detailed information about stock trades into a central database that could make it easier for the agency to detect market manipulation. Some key Wall Street figures, including the New York Stock Exchange, have warned the database could become a target for hackers.

Final thoughts

The SEC and the U.S. government enforce the Sarbanes-Oxley Act (SOX), which requires public companies to jump through hoops and do trapeze jumps to protect corporate data from intruders. A whole industry has grown around SOX compliance, and likely billions of dollars are spent every year by companies to keep up. Why is the government itself not at least as secure as the companies they regulate?

If EDGAR isn’t reliable and secure enough for companies to use without fearing hackers using or selling insider information, then they’ll not be so confident about using it at all.

The SEC did a very poor job of announcing this intrusion, which in my opinion should have been disclosed immediately. Hoping that this was the work of teenagers on a lark is not a successful strategy to deal with the data security of thousands of companies like Apple, Exxon and Ford Motor Company.