At first blush, the Securities and Exchange Commission press release, entitled “Chairman Clayton Issues Statement on Cyber-Security,” doesn’t seem unusual.
Dig deep into the lengthy statement, however, and the impetus reveals itself: “In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading.”
“Specifically, a software vulnerability in the test filing component of the Commission’s EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to non-public information,” Clayton wrote. “It is believed the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.”
The disclosure comes amid still-escalating public furor over a massive data breach that hit consumer credit rating firm Equifax, potentially exposing the personal information of 143 million customers.
That case, although unrelated to the Commission’s current woes, nevertheless amplifies them. It is a one-two cyber-punch. Public awareness, which typically wanes as a singular breach controversy rotates out of its news cycle, is once again fully focused on these high-profile attacks.
Not a good look. There is most assuredly some schadenfreude to be enjoyed by those the Commission has previously chastised over material breach notifications. The SEC, through business continuity measures—such as Regulation SCI, and exam priorities for broker-dealers—has pledged to make cyber-security, data protection, and prompt breach notifications a priority. A late 2017 discovery of a 2016 breach is hardly what the SEC itself would deem to be prompt.
Clayton spent much of his post-breach statement on “an ongoing assessment of the SEC’s cyber-security risk profile” he initiated upon taking office in May. It includes the creation of a senior-level cyber-security working group to coordinate information sharing, risk monitoring, and incident response efforts throughout the agency.
“Cyber-security is critical to the operations of our markets and the risks are significant and, in many cases, systemic,” Clayton said. “We must be vigilant. We also must recognize—in both the public and private sectors, including the SEC—that there will be intrusions, and that a key component of cyber-risk management is resilience and recovery.”
Clayton discussed the collection and use of data by the Commission.
One category includes public-facing data that is transmitted to and accessed through Commission systems. In 1984 the Commission began collecting, and making publicly available, disclosure documents through its EDGAR system. In 2017, on a typical day, investors and other market participants access more than 50 million pages of disclosure documents through the EDGAR system, which receives and processes over 1.7 million electronic filings per year.
Another category of data the Commission receives, stores, and transmits includes non-public information, including personally identifiable information related to supervisory and enforcement functions. This data, which relates to the operations of issuers, broker-dealers, investment advisers, investment companies, self-regulatory organizations, alternative trading systems, clearing agencies, credit rating agencies, and municipal advisers may be sensitive to individuals, organizations, and the markets.
For example, staff in the Division of Trading and Markets often receive non-public drafts of proposed rule filings by SROs; staff in the Division of Investment Management and Division of Corporation Finance often receive drafts of applications for exemptive relief under the federal securities laws.
The Office of Compliance Inspections and Examinations receives non-public data, including personally identifiable information, in connection with ongoing oversight and examinations of broker-dealers, investment advisers, and other regulated entities. The Division of Enforcement receives non-public and personally identifiable information for investigations into potential violations of the federal securities laws.
Data, and the need to secure it, will be even more important in the near future.
The implementation of the SEC’s long-in-development Consolidated Audit Trail will mean nearly real-time access to significant, non-public, market-sensitive data and personally identifiable information as it parses out red flags and warning signs. The CAT system is intended to provide SROs and the Commission access to comprehensive data that will facilitate the efficient tracking of trading activity across U.S. equity and options markets.
The system, developed and operationalized by the SROs, is in the later stages of its multiyear development, and its first stage of operation is scheduled to commence in November 2017.
“Cyber-security has been and will remain a key element in the development of CAT systems,” Clayton promised.
THE SEC AND CYBER-SECURITY
The following is from a Sept. 20 statement issued by Jay Clayton, chairman of the Securities and Exchange Commission.
Management of Internal Cyber-security Risks
As described above, the Commission receives, stores and transmits substantial amounts of data, including sensitive and nonpublic data. Like many other governmental agencies, financial market participants and other private sector entities, we are the subject of frequent attempts by unauthorized actors to disrupt access to our public-facing systems, access our data, or otherwise cause damage to our technology infrastructure, including through the use of phishing, malware and other attack vectors.
For example, with respect to our EDGAR system, we face the risks of cyber threat actors attempting to compromise the credentials of authorized users, gain unauthorized access to filings data, place fraudulent filings on the system, and prevent the public from accessing our system through denial of service attacks.
We also face the risks of actors attempting to access nonpublic data relating to our oversight of, or enforcement actions against, market participants, which could then be used to obtain illicit trading profits.
Similarly, with respect to CAT, we expect we will face the risk of unauthorized access to the CAT's central repository and other efforts to obtain sensitive CAT data. Through such access, intruders could potentially obtain, expose and profit from the trading activity and personally identifiable information of investors and other market participants.
Notwithstanding our efforts to protect our systems and manage cyber-security risk, in certain cases cyber threat actors have managed to access or misuse our systems. In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading.
Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information. We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk. Our investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities.
As another example, our Division of Enforcement has investigated and filed cases against individuals who we allege placed fake SEC filings on our EDGAR system in an effort to profit from the resulting market movements.
In addition, like other organizations, we are subject to the risk of unauthorized actions or disclosures by Commission personnel. For example, a 2014 internal review by the SEC's Office of Inspector General, an independent office within the agency, found that certain SEC laptops that may have contained nonpublic information could not be located. The OIG also has found instances in which SEC personnel have transmitted nonpublic information through non-secure personal email accounts. We seek to mitigate this risk by requiring all personnel to complete privacy and security training and we have other relevant risk mitigation controls in place.
Similarly, we are subject to cyber-security risk in connection with vendors we utilize. For example, a weakness in vendor systems or software products may provide a mechanism for a cyber threat actor to access SEC systems or information through trusted paths. Recent global supply chain security incidents such as compromises of reputable software update services are illustrative of this type of occurrence.
In light of the nature of the data at risk and the cyber-related threats faced by the SEC, the Commission employs an agency-wide cyber-security detection, protection and prevention program for the protection of agency operations and assets. This program includes cyber-security protocols and controls, network protections, system monitoring and detection processes, vendor risk management processes, and regular cyber-security and privacy training for employees.
That said, we recognize that cyber-security is an evolving landscape, and we are constantly learning from our own experiences as well as the experiences of others. To aid in this effort, and notwithstanding limitations on our hiring generally, we expect to hire additional expertise in this area.
It is our experience, consistent with the President's Executive Order on Strengthening the Cyber-security of Federal Networks and Critical Infrastructure, that a focus by senior management on cyber-security is an important contributor to the effective identification and mitigation of cyber-security risks.
To that end, SEC Commissioners and senior management have emphasized cyber-security awareness and compliance.
Senior management across the SEC's offices and divisions are required to coordinate with respect to cyber-security efforts, including through risk reporting and the development and testing of agency-wide procedures and exercises for responding to both internal and external cyber threats.
Although all SEC personnel are responsible for employing practices that minimize cyber-security risks, the SEC's Office of Information Technology has overall management responsibility for the agency's information technology program, including cyber-security. The Chief Information Officer and Chief Information Security Officer lead cyber-security efforts within the agency, including with respect to maintaining and monitoring adherence to the agency's Information Security Program Plan.
The SEC periodically assesses the effectiveness of its cyber-security efforts, including through penetration testing of internal and public-facing systems, ongoing monitoring by the Department of Homeland Security, independent verification and validation, and security assessments conducted by impartial third parties.
Policies and procedures
The SEC maintains a number of internal policies and procedures related to cyber-security, as set forth in the agency's Information Security Program and Program Plan. These documents, which are developed in accordance with standards set forth by the National Institute of Standards and Technology, delineate the roles and responsibilities of various agency officials, offices, committees and system owners in carrying out the SEC's information security objectives, including our training efforts.
The Commission also is in the process of implementing the NIST Framework for Improving Critical Infrastructure Cyber-security. Among other things, the NIST Framework is expected to help the agency define and achieve appropriate cyber-security goals and outcomes, including identifying key assets, protecting against intrusions, detecting incidents, containing impacts and planning for recovery.
Independent audits and reviews
The SEC's cyber-security program is subject to review from internal and external independent auditors. The SEC's OIG audits the agency's information technology systems, and components of these audits have included cyber-security controls. The OIG also audits compliance with applicable federal cyber-security requirements in accordance with the Federal Information Security Modernization Act of 2014.
In addition, the Government Accountability Office, an external audit agency, performs annual audits of the effectiveness of the Commission's internal control structure and procedures for financial reporting. In connection with these audits, the GAO has examined the effectiveness of information security controls designed to protect the confidentiality, integrity, and availability of key financial systems and information.
The Commission takes seriously identified deficiencies, documents the corrective actions it undertakes, and provides documentation to auditors to close out recommendations.
The SEC submits reports on its cyber-security performance to the Office of Management and Budget. The agency also reports privacy and cyber-security incidents to the Department of Homeland Security's Computer Emergency Readiness Team in accordance with established protocols.
Further, the SEC has established relationships with the National Cyber-security and Communications Integration Center, the Financial and Banking Information Infrastructure Committee, and Financial Services Information Sharing and Analysis Center to share information regarding cyber-security threats.
“With respect to CAT, we expect we will face the risk of unauthorized access to the CAT’s central repository and other efforts to obtain sensitive CAT data,” he added. “Through such access, intruders could potentially obtain, expose, and profit from the trading activity and personally identifiable information of investors and other market participants.”
Haven’t we been here before? Clayton’s focus on cyber-security is both commendable and necessary, says Paulita Pike, an investment management partner for the law firm Ropes & Gray.
“Particularly as the SEC continues to demand more information from the fund industry, it is critical that registrant information be protected and kept safe,” she says. “The SEC, I assume, carefully weighs rule initiatives and requests that yield significantly more data for the agency with its ability to safeguard that information. An industry regulator who has the ability to, and does, compel production of information arguably has a higher bar than do others to ensure the integrity of its systems.”
The SEC’s first priority must be “making sure this doesn’t happen again,” says Ballard Spahr Partner David Axelrod, former supervisory trial counsel at the SEC’s Philadelphia Regional Office. “They need to address and fix the vulnerabilities they have, and it sounds like they are taking steps to do that.”
The fallout, nevertheless, will bring comparisons to the IRS, Department of Justice, and other government agencies that have suffered breaches. It doesn’t help matters that a study of the SEC’s data security measures earlier this year by the Government Accountability Office yielded less than stellar grades.
“There is the realization that it may be difficult, if not impossible, to protect their systems,” Axelrod says. “For an agency that has been really critical of companies in the securities fields about protecting their data from cyber-attacks, they need to figure out how much damage has been done by their own hacking. The Commission needs to figure out, as best it can, if there is a digital trail, what information was accessed, and if that information was used to make securities trades.”
“If you want regulated entities in the securities industry to take you seriously, you have to practice what you are preaching and set a good example,” he adds.
This isn’t the first time the EDGAR filing system has been abused, or the SEC’s defenses around it criticized.
Earlier this year, the Commission filed fraud charges against a Virginia-based mechanical engineer it accused of scheming to manipulate the price of Fitbit stock with a phony regulatory filing.
According to the SEC’s May 18 complaint, the perpetrator purchased Fitbit call options minutes before a fake tender offer that he orchestrated was filed on the SEC’s EDGAR system. That filing purported to be a company named ABM Capital that was acquiring Fitbit’s outstanding shares at a substantial premium.
It was all a sham.
Fitbit’s stock price temporarily spiked when the tender offer became publicly available.
The SEC alleges that the perpetrator, who profited from the price swing, created an e-mail account under the name of someone he found on the Internet and used that account to gain access to the EDGAR system. He then listed that person as the CFO of ABM Capital and used a business address associated with that person in the fake filing.
“Fake news” and fictitious filings are becoming a surprisingly common (albeit not yet rampant) problem for the SEC.
In June 2015, the Commission sued a Bulgarian trader behind fake tender offers that were posted to the Commission’s online EDGAR database. He falsely claimed, on behalf of private equity firm PTG Capital Partners, that it had offered to buy cosmetics giant Avon for $18.75 a share. In less than 30 minutes, $91 million worth of Avon shares changed hands before trading was halted by the NYSE.
In 2012, another fraudulent takeover bid, for the Rocky Mountain Chocolate Factory, was announced on EDGAR. A similar effort in 2014 tried to manipulate the stock price of insurance company Tower Group International with a fake press release announcing it was the target of a takeover bid. Other recent, but unrelated, EDGAR-based scams have targeted Berkshire Hathaway, Phillips 66, and Alphabet/Google.
While with the SEC, Axelrod worked on fake press release and EDGAR filing cases. “It is amazing to see the lengths that people would go to trying to compromise the system,” he says. “The SEC has not yet, I don’t think, dealt with the reality that they have a weakness. This is going to continue to happen until stricter measures are taken to protect the process. If there is a way to exploit a system to make money, people are going to do it.”
“There may be more to this story behind the scenes,” says Marcus Christian, a former federal prosecutor and current partner in Mayer Brown’s global Cyber-security & Data Privacy practice. “One of the difficulties companies find when they encounter a serious event, however, is the way they tell the story and the way they disclose it can be to their benefit or detriment. We’ve seen the rollout of information handled poorly and CEOs lost their jobs. Here, with the SEC, many people are saying that they don’t really love the way it was rolled out.”
“When you see the information disclosed in the middle of a long release, it creates the impression that the SEC is trying to hide it,” he adds. “That is what I have heard from several people. When that happens, and people start to fill in factual voids with their own conclusions and speculation, that is not going to be flattering to the Commission.”
The SEC’s woes are all the more troubling given that companies are struggling with securing information that is shared with third parties and vendors.
“The whole idea of providing information to third parties keeps a lot of people awake at night,” Christian says. “When you are dealing with third-party vendors, you want to put protections in your contracts and ensure due diligence. But when you are providing this information to the SEC, they don’t exactly let you negotiate the terms of how you get to provide the information. You don’t get to go in and assess their security. All you can do is comply with the law, worry, and hope.”