“The EDGAR system was taken offline while the intrusion was being investigated and immediate steps were taken to enhance cybersecurity monitoring,” the agency said... a year later.
First Published 22nd September 2017
The Insecurities and Exchange Commission.
Reflare Research Team
In a public statement released on September 20th, Jay Clayton, Chairman of the U.S. Securities and Exchange Commission (SEC), disclosed a 2016 breach of the commission’s EDGAR system. In this briefing, we will have a look at potential abuse and political implications.
What is EDGAR?
EDGAR is a submission system used by the SEC to accept, review and publish filings from companies. Most importantly, these include quarterly earnings filings. While in principle all filings are made public, there is a short delay between the submission of a filing and its public release. Attackers with access to the EDGAR system can use that delay to place buy or sell orders shortly before a newly released filing causes the stock of a company to rise or fall. This practice of using insider information to illicitly profit from the stock market is commonly known as “insider trading”.
According to the SEC, the EDGAR system was compromised in 2016. Why the agency chose not to publicize this breach is unknown at this point in time. The information was only released now because the SEC believes it has found criminals engaged in insider trading based on this 2016 hack.
What are the implications?
The implications of a hack of the SEC are two-fold:
For one, unlike the widely covered hacks of DNC servers in 2016, SEC networks are official government infrastructure, thus under significant regulation and much harder to breach. While preliminary information indicates that a programming issue created the vulnerability, the attackers have demonstrated significantly more skill in this attack than in the DNC hacks or Equifax hacks.
For another, the late disclosure of the breach will likely cause headaches for US government officials down the road. As companies globally are either implicitly urged or explicitly required to disclose breaches in a timely manner, a disclosure delay of at least 9 months coming from a US government agency will likely lessen compliance from the private sector.