Cybersecurity Alert: SEC Issues Statement on Cybersecurity and Announces 2016 EDGAR System Breach

September 21, 2017

Threat Summary

On September 20, 2017, U.S. Securities and Exchange Commission (SEC) Chairman Jay Clayton issued a statement on cybersecurity. As part of this statement, Clayton announced that the test filing component of EDGAR (the SEC's Electronic Data Gathering, Analysis, and Retrieval system) was breached in 2016 through a software vulnerability, which the SEC patched promptly after the intrusion was discovered. However, the SEC did not learn until August 2017 that the breach may have given the intruders access to material non-public information (MNPI) that "may have provided the basis for illicit gain through trading."

The SEC believes the EDGAR breach did not "result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk." Clayton added, "We must be vigilant. We also must recognize... that there will be intrusions, and that a key component of cyber risk management is resilience and recovery."

ACA Aponix Commentary

EDGAR is the database of filings submitted by public companies and others required by law to file forms with the SEC, such as Forms 10-K and 10-Q. In the past, attackers have targeted newswire and public relations firms to obtain earnings releases before public disclosure. The 2016 EDGAR breach fits the same pattern: the attackers appear to have sought MNPI in order to trade on it ahead of the market.

Given this recent attacker focus on obtaining MNPI for illegal profit, it stands to reason that public companies, investment advisers, boards of directors, law firms, and any other parties that hold MNPI will be subject to similar attacks.

How ACA Aponix Can Help

ACA Aponix can help your firm assess its cybersecurity risk and identify vulnerabilities that could lead to a breach. Our services include:

  • Penetration Testing and Vulnerability Assessments - Helps determine the attack surface, exploitable vulnerabilities, and likelihood of a breach.
  • Risk Assessments - Helps determine whether business processes or system and network configurations could expose the business to cyber risk.
  • Threat Intelligence (such as monitoring hacker chat forums) - Helps identify a planned targeted attack or an ongoing breach.
  • Domain Registration Monitoring - Helps identify look-alike domain registrations that could be used in targeted phishing attacks leading to a breach.
  • Cyber Incident Response Planning and Table-Top Exercises - Helps develop and validate your firm's ability to respond appropriately to a cyber incident.

If you have any questions, please contact your ACA Aponix consultant or email us at info@acaaponix.com.