Cybersecurity is hard. It’s nearly impossible to stop an attack. If someone really wants in, they can continue to attack and attack until they find a gap. It’s hard to know that you have been breached until well after the breach. It may be just as hard to figure out what was accessed and what damage has been done. It’s hard to know what the right response should be.
Of course, I could be talking about the enormous Equifax breach. But this time it’s the Securities and Exchange Commission.
“Notwithstanding our efforts to protect our systems and manage cybersecurity risk, in certain cases cyber threat actors have managed to access or misuse our systems. … Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information.”
SEC Chair Clayton noted that the breach did not “result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.”
If that is the standard for cybersecurity, then that is what the SEC should also use in its enforcement against investment advisers and broker/dealers. Instead we have cases like the one against R.T. Jones where there was no resulting losses to its clients, only the potential loss of data.
As is typical with a company with bad news, it buries the bad news in a pile of other disclosures. The SEC did the same thing. It spent one paragraph revealing the breach in an eight-page statement chiding the industry to be better about cybersecurity and touting its own initiatives.
The SEC’s statement, like Equifax’s revelation, did not explain why there was a such a lengthy delay between the announcement and the discovery of the breach.
The likely result of the breach is that the hackers were able to access EDGAR filings before the general public and trade on that information before the general public.