The agency discovered the breach last year but didn’t realize until last month that it could have been used for inappropriate trading. The event was briefly discussed in an unusual eight-page statement on cybersecurity issued by SEC Chairman Jay Clayton late Wednesday. The report didn’t explain the delay in the release, the exact date the system was breached, or whether data about any particular company was targeted.
“Notwithstanding our forces to protect our operations and manage cybersecurity risk, in certain circumstances cyber threat actors have succeeded to access or misuse our systems,” Clayton said in the announcement.
The system that was breached, known as EDGAR, is a favorite way for investors to obtain the detailed financial records that corporations selling stock to the public must regularly release. It had a “software vulnerability” that was “used and resulted in access to nonpublic information,” Clayton said in the report.
The breach didn’t lead to the release of individually identifiable information, but “may have given the basis for illicit gain through speculation,” Clayton said. An inquiry into the matter is ongoing, he said.
This is not the first time EDGAR has been compromised. The system receives thousands of reports a day, and in 2015, fraudsters posted fake data on the site about the takeover of Avon Products, driving the company’s stock value up significantly before it was detected. And in 2014, several researchers found that submitted data was accessible to some users for 30 seconds before it became publicly available, possibly giving some traders an unfair advantage. High-speed traders, for example, can make thousands of contracts in the blink of an eye.
“Effective management of internal cybersecurity risk is important to the SEC achieving its purpose and to protecting the nonpublic data that is entrusted to this agency,” SEC Commissioner Michael S. Piwowar said in a statement.