Articles Marketmedia

SEC Hack Raises Questions

Written by Rob Daly | Sep 21, 2017 8:24:35 PM

Some on Wall Street might feel a little schadenfreude that the authors of Regulation Systems and Compliance and Integrity have themselves been a victim of hackers.

In the six-page statement on cybersecurity issued by US Securities and Exchange Commission on Wednesday, Chairman Jay Clayton revealed that hackers exploited a software weakness in the regulator's Electronic Data Gathering, Analysis, and Retrieval database in 2016.

The public filing platform processes 1.7 million filings annually and serves up more than 50 million pages of disclosure information daily.

Jay Clayton, SEC

“We believe the intrusion did not result in the unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or resulted in systemic risk,” Chairman Clayton wrote in the statement.

The Commission learned in August that the event might have provided the perpetrators with information used for illicit gain through trading and is participating in an ongoing investigation with appropriate authorities

Clayton also noted that the SEC patch the EDGAR software vulnerability as soon as soon as staff discovered it as part of the regulator's internal policies and procedures, which the regulator developed using the standards set forth by the National Institute of Standards and Technology.

“The Commission also in the process of implementing the NIST Framework for Improving Critical Infrastructure Cybersecurity,” he noted. "The framework is expected to help the agency define and achieve appropriate cybersecurity goals and outcomes, including identifying key assets, protecting against intrusions, detecting incidents, containing impacts and planning for recovery.”

It should not be surprising that victims of the worst hacks are government agencies, according to Avi Gesser, a litigation partner at Davis Polk who specializes in cybersecurity.

Avi Gesser,
Davis Polk

"The SEC is probably one of the richest targets in the world for a hack because it has all of this material non-public information from a variety of sources in one place, much of which is, by definition, important," he told Markets Media. "On the litigation side and enforcement side, you have all these juicy company details. On the regulatory side, you have lots of non-public information that is about to become public."

Now that the SEC made the hack public, it may change the dialogue between regulators and those whom they regulate.

"One question now is how will regulators respond if you say 'I do not want to give you this super-sensitive business or personal because I am worried you may get hacked, and I will be really harmed because all of my deepest darkest secrets will become public,'" Gesser asked. "Prospectively, what assurances can you get that they will be able to protect your data?"

Whether the SEC may stand behind the legal concept of sovereign immunity to fend off any potential litigation from those affected by the breach is hard to say.

Earlier this week, Judge Amy Berman Jackson of the US District Court in Washington, DC dismissed two consolidated lawsuits brought by American Federation of Government Employees and the National Treasury Employees Union against the Office of Personnel and Management over a June 2015 data breach that affected personal data of approximately 21 million government employees.

In her 74-page opinion, Judge Jackson found that "neither the Supreme Court nor the US Court of Appeals for the D.C. Circuit has held that the fact that a person’s data was taken is enough by itself to create standing to sue; a plaintiff who claims an actual injury must be able to connect it to the defendant’s actions, and a person who is pointing to a threat of future harm must show that the harm is certainly impending or that the risk is substantial."

Until plaintiffs meet that standard, they will lack the standing to bring suit, she stated.