Why Didn’t The SEC Say It Was Hacked?

By Douglas A. McIntyre Updated Jan 12, 7:58AM EST · Published Sep 21, 6:35AM EDT

Follow 24/7 Wall St. on Google

This post may contain links from our sponsors and affiliates, and Flywheel Publishing may receive compensation for actions taken through them.

Why Didn’t The SEC Say It Was Hacked? — © Wikimedia Commons

The hack of the U.S. Securities and Exchange Commission database shares something in common with most other recent large hacks of corporate and government databases. It did not get around to mentioning the problem until well after it happened.

Given how sensitive SEC information can be, the decision is a puzzler.

The agency’s management released a statement, which said in part:

In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading. Specifically, a software vulnerability in the test filing component of the Commission’s EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information

Two things stand out. First, the announcement was made fairly late in September. Second, the 2016 “detection” was not made public, although the SEC is a public agency used by thousands of companies and hundreds of thousands of investors.

[nativounit]

The SEC statement did say the agency will take a number of measures to protect data in the future. SEC Chairman Jay Clayton said:

By promoting effective cybersecurity practices in connection with both the Commission’s internal operations and its external regulatory oversight efforts, it is our objective to contribute substantively to a financial market system that recognizes and addresses cybersecurity risks and, in circumstances in which these risks materialize, exhibits strong mitigation and resiliency.

So far, no person or group has been accused of the hack. The SEC may not know whether data collected was used by hackers to make money through trading of publicly traded financial instruments. If the event is like many other hacks, no one may ever know.

As hacking of important databases becomes more frequent and is likely to continue to grow, two things stand out about the responsibility of those who control the databases. First, they need to improve security, which every single victim organization says it will do. Whether the actions will be effective is an open question. The other responsibility is to disclose hacking as quickly as possible. That has been a problem. Organizations have developed the habit mentioning hacks well after they have happened. For those who might be affected, that may be as bad as the hack itself.

[wallst_email_signup]

About the Author Douglas A. McIntyre →

Douglas A. McIntyre is the co-founder, chief executive officer and editor in chief of 24/7 Wall St. and 24/7 Tempo. He has held these jobs since 2006.

McIntyre has written thousands of articles for 24/7 Wall St. He is an expert on corporate finance, the automotive industry, media companies and international finance. He has edited articles on national demographics, sports, personal income and travel.

His work has been quoted or mentioned in The New York Times, The Wall Street Journal, Los Angeles Times, The Washington Post, NBC News, Time, The New Yorker, HuffPost USA Today, Business Insider, Yahoo, AOL, MarketWatch, The Atlantic, Bloomberg, New York Post, Chicago Tribune, Forbes, The Guardian and many other major publications. McIntyre has been a guest on CNBC, the BBC and television and radio stations across the country.

A magna cum laude graduate of Harvard College, McIntyre also was president of The Harvard Advocate. Founded in 1866, the Advocate is the oldest college publication in the United States.

TheStreet.com, Comps.com and Edgar Online are some of the public companies for which McIntyre served on the board of directors. He was a Vicinity Corporation board member when the company was sold to Microsoft in 2002. He served on the audit committees of some of these companies.

McIntyre has been the CEO of FutureSource, a provider of trading terminals and news to commodities and futures traders. He was president of Switchboard, the online phone directory company. He served as chairman and CEO of On2 Technologies, the video compression company that provided video compression software for Adobe’s Flash. Google bought On2 in 2009.