On September 20th, the SEC indicated that a cybersecurity breach that occurred in 2016 may have provided the basis through which cyber threat actors achieved illicit gains. Accordingly, SEC Chairman Jay Clayton issued a statement detailing the importance of cybersecurity to the agency and market participants. The statement also reviews the SEC’s approach to cybersecurity in an effort to mitigate the risk of further incidents.
As part of an effort to curtail cyberattacks, Clayton initiated an ongoing assessment of the SEC’s cybersecurity risks and response measures when he took office in May. Included in this initiative was the creation of a senior-level cybersecurity working group to coordinate information sharing, risk monitoring, and incident response efforts. These measures, which also entail enhanced staff training, are being taken throughout the SEC. In addition, the statement describes the SEC’s collection and use of data, both publicly and internally.
The security incident in question occurred in 2016 and was due to a software vulnerability that has since been patched. However, in August 2017, it was discovered that this breach led to access to nonpublic information and subsequent data exploitation. The SEC does not believe the intrusion resulted in unauthorized access to personally identifiable information, any risk to the operation of the agency, or any systemic damage or vulnerability.
“Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic,” Clayton said. “We must be vigilant. We also must recognize - in both the public and private sectors, including the SEC - that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”
Clayton’s statement also provides an overview of the management of internal cybersecurity risks. This includes the incorporation of cybersecurity considerations in disclosure-based and supervisory efforts, as well as implementing security measures in coordination with other government entities. Also, federal securities laws must be enforced against cyber threat actors and market participants who do not meet their disclosure obligations.
This breach serves to highlight again the importance of implementing solid cybersecurity practices. In a separate blog post, we will cover the varying safeguards and good habits filers should employ to protect themselves from cyber attacks.
Sources
SEC Chairman Clayton Issues Statement on Cybersecurity (sec.gov)
Statement on Cybersecurity (sec.gov)