Equifax isn’t the only entity with some explaining to do to Wall Street investors about hacks and delayed notification of the potential damage. The watchdog responsible for protecting investors may have unwittingly enabled insider trading itself. The Securities and Exchange Commission admitted yesterday that it had known for at least a month that a 2016 hack had breached EDGAR, the confidential filing system for publicly traded companies — information that would give malefactors a big advantage on the stock market:
The Securities and Exchange Commission, the country’s top Wall Street regulator, announced Wednesday that hackers breached its system for storing documents filed by publicly traded companies last year, potentially accessing data that allowed the intruders to make an illegal profit.
The agency detected the breach last year, but didn’t learn until last month that it could have been used for improper trading. The incident was briefly mentioned in an unusual eight-page statement on cybersecurity released by SEC Chairman Jay Clayton late Wednesday. The statement didn’t explain the delay in the announcement, the exact date the system was breached and whether information about any specific company was targeted.
“Notwithstanding our efforts to protect our systems and manage cybersecurity risk, in certain cases cyber threat actors have managed to access or misuse our systems,” Clayton said in the statement.
If all of this sounds familiar, it should. It parallels to some extent the Equifax scandal, which also faces allegations (as yet unproven) of illegal insider trading. Both involve hacks, both involve long delays in disclosure, and both suggest that the organizations didn’t focus much on security despite holding incredibly sensitive information. In both cases, the delays in disclosure put off accountability for the people responsible for protecting that information.
Another parallel: Neither organization obtained that information from consumers voluntarily. Equifax collects it about consumers from their creditors. The SEC requires publicly traded companies to disclose it. As a result, neither organization has direct accountability to consumers or investors … and they clearly act like it, too.
In this case, the damage might be impossible to calculate. The Washington Post’s Renae Merle recounts a couple of incidents in which vulnerabilities within the EDGAR system raised serious concerns over its security. In 2014, researchers discovered a 30-second gap in the publication process that could have fueled big gains for high-speed traders. In this case, we’re not talking about 30 seconds, but perhaps 30 weeks or more of unfettered access to undisclosed information about corporations. It will be impossible to unwind all of the trades to determine just how much money the hackers or their patrons made off of this data at the expense of everyone else in the market, assuming of course that they knew what they had.
The SEC will have lots of explaining to do, preferably to Congressional committees, and soon; the Senate Banking Committee will call Clayton to testify on September 26. He’ll get a chance to chat with Equifax CEO Richard Smith, who will appear at the same time — and he’s got more explanations to give too. No doubt the Banking Committee members will have a few questions about this report from the NYT’s Maggie Astor on Equifax’s bungled approach to security after its hack:
People create fake versions of big companies’ websites all the time, usually for phishing purposes. But the companies do not usually link to them by mistake.
Equifax, however, did just that after Nick Sweeting, a software engineer, created an imitation of equifaxsecurity2017.com, Equifax’s page about the security breach that may have exposed 143 million Americans’ personal information. Several posts from the company’s Twitter account directed consumers to Mr. Sweeting’s version, securityequifax2017.com. They were deleted after the mistake was publicized.
By Wednesday evening, the Chrome, Firefox and Safari browsers had blacklisted Mr. Sweeting’s site, and he took it down. By that time, he said, it had received about 200,000 hits.
Cybersecurity experts wondered why Equifax set up an entirely new domain for its website dealing with the security breach. The better and safer option, Sweeting and the other experts Astor contacted advise, is a subdomain of the company’s main domain, which would make the site much more difficult to spoof, if not impossible. Their conclusion? Equifax is still just winging it on security:
Mr. Telang said Equifax’s actions suggested that the company had never anticipated or planned for a data breach.
“If you don’t have a plan in place, you will find different ways to screw it up,” he said. “Equifax is just a perfect example of that.”
There seems to be a lot of that going around these days.
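The subdomain advice above is easy to turn into a pre-publication check. The following is an added example, not code from the original post or from Equifax: it classifies links a company is about to publish, accepting only the registered domain and its subdomains and flagging any foreign domain that carries the brand name. The domain allowlist and brand token are constructed for this example; note that a stand-alone breach-response domain such as equifaxsecurity2017.com is flagged by the same rule that catches the spoof, which is exactly why a subdomain is the safer choice.

```python
from urllib.parse import urlparse

# Constructed allowlist of the organisation's registered domains.
# Assumption: a real deployment would load this from configuration.
REGISTERED_DOMAINS = {"equifax.com"}

# Brand tokens whose presence in a foreign hostname marks a lookalike.
BRAND_TOKENS = ("equifax",)


def _hostname(url: str) -> str:
    """Extract a normalised hostname; bare hosts without a scheme are accepted."""
    if "://" not in url:
        url = "https://" + url
    host = urlparse(url).hostname or ""
    return host.lower().rstrip(".")


def classify_link(url: str) -> str:
    """Classify a URL the organisation intends to publish.

    'own'       - the registered domain itself or any subdomain of it
    'lookalike' - a foreign domain that contains a brand token
                  (e.g. securityequifax2017.com or equifax.com.example.net)
    'external'  - any other third-party host
    """
    host = _hostname(url)
    for dom in REGISTERED_DOMAINS:
        # endswith("." + dom) prevents "notequifax.com" from matching.
        if host == dom or host.endswith("." + dom):
            return "own"
    if any(token in host for token in BRAND_TOKENS):
        return "lookalike"
    return "external"


def audit_links(urls):
    """Return the URLs that should be blocked before they are published."""
    return [u for u in urls if classify_link(u) == "lookalike"]


if __name__ == "__main__":
    # Constructed sample of links a social-media team might queue up.
    for link in ["https://security2017.equifax.com/", "securityequifax2017.com"]:
        print(link, "->", classify_link(link))
```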