The Securities and Exchange Commission delayed for at least eight months before notifying the public that hackers had penetrated its network, even as it urged the companies it regulates to promptly disclose cyber attacks.
The commission so far has released only a four-sentence description of the 2016 hack into its online EDGAR company filings system, which officials belatedly realised last month had permitted criminals to obtain nonpublic information and trade profitably on it.
Publicly traded companies are required to disclose to investors any hack that has a material effect on their operations. Government agencies such as the SEC are governed by a different set of rules that generally require notification within seven days to law enforcement authorities, congressional oversight committees and a federal information security incident centre, though not the public.
“They have a real glass house problem,” said Jonathan Shapiro, a partner at Baker Botts in San Francisco. “One would hope and expect they’d hold themselves to as demanding a standard as they’d expect from registrants.”
The commission’s tight-lipped approach, which attorneys said may have been intended to protect efforts to identify the hackers, has left companies and investors in the dark. Apart from SEC chairman Jay Clayton’s unusual cyber security statement, which was released on Wednesday after normal business hours, the commission has provided scant details.
On Thursday, an SEC spokesman confirmed that the incident had not been previously revealed, but said that the commission would not comment on its disclosure obligations.
EDGAR is used by 5,700 public companies to file routine financial statements, including annual reports and quarterly results. The almost 20-year-old network hosts 21m filings.
Word of the hack comes as the SEC is under pressure to investigate the credit reporting agency Equifax’s delay in telling investors about a massive data breach. Company officials learnt of the incident on July 29, which potentially exposed 143m Americans’ personal information, but did not tell the public or SEC regulators until September 7.
Earlier this year, Yahoo confirmed that the SEC was investigating its two-year delay in disclosing a 2014 breach involving 500m users’ data.
The commission has never brought an enforcement action against a publicly traded company for failing to disclose a cyber security problem. But officials have been looking for a suitable case to send a signal to the markets. “They’ve been doing a lot of sabre-rattling in that space,” said John Stark, former director of the SEC’s office of internet enforcement.
Mr Clayton is likely to face questions about the cyber attack when he appears on Tuesday at a Senate banking committee oversight hearing. In March, Carl Hoecker, the SEC’s inspector general, identified numerous weak spots in the commission’s information security approach, which he said failed to qualify as “effective” under federal law.
SEC security officials took up to 14 days to notify the US Department of Homeland Security’s computer emergency readiness team about particularly serious cyber incidents, which are supposed to be reported within one hour, Mr Hoecker found.
“This breach is potentially a game-changer for the SEC in how it executes its mission,” said Paul Rosen, former DHS chief of staff. “Companies are rightly asking themselves: what’s the SEC going to do to protect their data?”
Though the commission says that no information readily linked to specific individuals was involved in the hack, the incident has triggered concern among companies using EDGAR.
The hackers gained access to nonpublic information, which the commission defined as “generally related to our supervisory and enforcement functions”, according to Mr Clayton.
Mr Rosen, a partner at Crowell & Moring, said that language suggested that criminals may have accessed “some of the investigative crown jewels of the commission”.
Federal agencies do have discretion over how much to tell individuals affected by a network breach, according to Steven Chabinsky, a partner at White & Case.
“Reasonableness is what federal regulators are looking for, which means the proper adoption of risk management principles, not perfect security,” said Mr Chabinsky, who was once the FBI’s top cyber lawyer.
Follow David J Lynch on Twitter: @davidjlynch
Get alerts on Cyber Security when a new story is published