The head of the Securities and Exchange Commission has asked the agency’s inspector general to investigate a 2016 cyberattack that infiltrated its electronic corporate filings system last year, according to prepared congressional testimony seen by CNNMoney on Monday.
Jay Clayton said he was “deeply concerned” to learn last month that the SEC’s electronic system, known as EDGAR, had been breached, and that the information hackers stole may have been used to make illegal trades.
“This matter … concerns me deeply,” Clayton is expected to tell lawmakers when he testifies before the Senate Banking Committee on Tuesday. “This is all the more reason it was appropriate to disclose the 2016 intrusion now even though our review and investigation are still ongoing.”
EDGAR contains information about company earnings, share dealings by top executives and corporate activity, such as mergers and acquisitions. Accessing that information before it’s disclosed publicly could allow hackers to make money by anticipating how a share price would respond.
It’s still unclear what information hackers obtained or which companies might have been affected.
The breadth of the inspector general’s review will include the scope of nonpublic information that may have been compromised, as well as the SEC’s response to the matter, according to the chairman’s testimony. Clayton, who took over the agency in May, said he’s also asked investigators to provide recommendations on how to fix and control any deficiencies.
“We must remain on top of evolving threats when it comes to securing our own networks and systems against intrusion,” said Clayton.
The IG’s review will be in addition to the agency’s own inquiry into the 2016 breach.
Clayton first revealed news of the breach on September 20 in a lengthy statement released by the agency. He said he waited to disclose the episode to Congress and the public until he “knew enough” to understand the details of the 2016 intrusion.
Notice of the cyberattack comes on the heels of another major security breach at Equifax, which affected 143 million individuals — nearly half of all Americans.
According to Clayton’s testimony, the 2016 breach of EDGAR was first discovered as part of a separate ongoing enforcement investigation by the markets regulator.
Once learned, Clayton said, “I immediately commenced an internal review.”
The chairman said the agency believes hackers were able to get into the system via a “defect [in] custom software” of the EDGAR system. Steps were taken to fix the broken software, and a department within Homeland Security was notified, he said.
The agency’s initial review shows that “intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the commission or result in system risk,” said Clayton.
Still, he said the agency’s review and investigation is still ongoing and would take “substantial time to complete.”
The SEC is still looking into the intrusion itself and whether there are other vulnerabilities in EDGAR’s system, as well as illicit trading that may have occurred as a result of the breach.