Jay Clayton, chairman of the Securities and Exchange Commission, has published an update on the status of the agency’s review and investigation of the 2016 intrusion into the EDGAR system.
In addition to updating previous disclosures, the Oct. 2 announcement includes additional information on the agency’s efforts to strengthen its cyber-security risk profile going forward.
The ongoing staff investigation of the 2016 intrusion has determined that an EDGAR test filing accessed by third parties as a result of that intrusion contained the names, dates of birth and social security numbers of two individuals. This determination is based on forensic data analysis conducted since the agency's Sept. 20 disclosure of the intrusion, which relied on the latest information available at that time.
Clayton was informed by staff of this new information this past Friday, and staff are reaching out to the two individuals to notify them and offer to provide them with identity theft protection and monitoring services.
Should the agency’s review uncover additional such individuals whose sensitive information may have been accessed, the staff will contact them and offer them identity protection and monitoring as well.
“The 2016 intrusion and its ramifications concern me deeply. I am focused on getting to the bottom of the matter and, importantly, lifting our cyber-security efforts moving forward,” Clayton said. “While our review and remediation efforts are ongoing and may take substantial time to complete, I believe it is important to provide new information regarding the scope of the 2016 intrusion and provide an update on the steps we are taking to assess and improve the cyber-security risk profile of our EDGAR system and of the agency’s systems more broadly.”
The agency’s efforts going forward are organized into principal work streams: the review of the 2016 EDGAR intrusion by the Office of Inspector General; the investigation by the Division of Enforcement into the potential illicit trading resulting from the 2016 EDGAR intrusion; and a focused review of EDGAR modernization efforts. The agency has added, and expects to continue to add, additional resources to these efforts, which are expected to include outside consultants, and will increase the focus on cyber-security matters.
These reviews are overseen by the Office of the General Counsel and have an interdisciplinary investigative team that includes personnel from regional offices and will involve outside technology consultants.
Clayton has authorized the immediate hiring of additional staff and outside technology consultants to aid in the agency’s efforts to protect the security of its network, systems and data. He also has directed the staff to take a number of steps designed to strengthen the agency’s cyber-security risk profile, with an initial focus on EDGAR. This effort includes assessing the types of data the SEC takes in through the EDGAR system, and whether it is the appropriate mechanism to obtain that data. Another component of this effort includes reviewing the security systems, processes and controls in place to protect data submitted through EDGAR.
Staff will conduct similar reviews of other systems in use at the SEC, assessing the types of data the agency keeps and the related security systems, processes and controls. They will also work to enhance escalation protocols for cyber-security incidents in order to enable greater agency-wide visibility and understanding of potential cyber vulnerabilities and attacks.
More broadly, the agency is evaluating its cyber-security risk governance structure, which has included the establishment of a senior-level working group and may include additional enhancements to promote the management and oversight of cyber-security across the SEC’s divisions and offices.
Other initiatives include internal, Commission-level incident response exercises and continued interaction on cyber-security efforts with other government agencies and committees, including the Department of Homeland Security, the Government Accountability Office and the Financial and Banking Information Infrastructure Committee.