The U.S. Securities and Exchange Commission provided companies with a crash course in what to do - and what not to do - when it recently revealed that its electronic public document filing system had been hacked the previous year.
In a prepared statement, SEC Chairman Jay Clayton said a review of the agency's cybersecurity risk profile determined that the previously detected incident was caused by "a software vulnerability" in its filing system known as EDGAR, short for Electronic Data Gathering, Analysis, and Retrieval system.
"It is believed the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk," the SEC said, adding, without naming them, that it was also liaising with the relevant authorities. Two years ago the agency charged a group of mainly U.S.-based stock traders and computer hackers in Ukraine with the theft of thousands of corporate press statements ahead of their public release, resulting in more than $100 million in illegal profit.
It is particularly embarrassing for the SEC and its new boss Clayton, who has made tackling cyber crime one of the top enforcement issues during his tenure. The agency said the attackers had exploited a weakness in part of the EDGAR system and it had "promptly" fixed it.
The revelation left lingering questions about whether the SEC exercised the same level of data security before the attack. Securities industry rules require companies to disclose cyber breaches to investors, and the SEC has investigated firms over whether they should have reported incidents sooner. The SEC says a cyber breach of a filing system it uses may have provided the basis for some illegal trading in 2016.
The SEC has scored some victories in tackling cyber criminals in recent years.
ICI's call for the probe comes after it was revealed that hackers had breached the SEC's system for public-company filings and may have profited from stolen insider information.