Breach may have allowed trading that profited from nonpublic information, regulator says
WASHINGTON—The top U.S. markets regulator disclosed Wednesday that hackers penetrated its electronic system for storing public-company filings last year and may have traded on the information.
The Securities and Exchange Commission’s chairman, Jay Clayton, revealed the breach in an unusual and lengthy statement issued Wednesday evening that didn’t provide many details about the intrusion, including the extent of any illegal trading.
The SEC said it was investigating the source of the hack, which exploited a software vulnerability in a part of the agency’s Edgar system, a comprehensive database of filings made by thousands of public companies and other financial firms regulated by the SEC.
The commission said the hack was detected in 2016, but that regulators didn’t learn about the possibility of related illicit trading until August, when they started an investigation and began cooperating with what the SEC called “appropriate authorities.”
A spokesman for the Federal Bureau of Investigation declined to comment on the SEC disclosure.
The commission’s disclosure follows a major breach of Equifax Inc. that affected 143 million Americans and warnings from executives of the New York Stock Exchange and Bats Global Markets Inc. that a planned data repository of all U.S. equity and options orders could become a juicy target for hackers.
“Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic,” Mr. Clayton said in a written statement. “We also must recognize—in both the public and private sectors, including the SEC—that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”
The intrusion shows how confidential information that can yield easy trading profits has increasingly become a target of hackers.
The SEC in December sued three Chinese traders who allegedly earned more than $4 million in illegal gains after they stole information from the computer systems of Cravath, Swaine & Moore LLP and Weil, Gotshal & Manges LLP, which represent Wall Street banks and Fortune 500 companies.
The SEC’s Electronic Data Gathering, Analysis and Retrieval system, or Edgar, is the online system investors use to view companies’ earnings statements and other disclosures of material developments. Some companies purchase and resell electronic feeds of the filings that cater to electronic and algorithmic traders.
Mr. Clayton’s statement didn’t identify the precise date of the intrusion or what sort of nonpublic data was obtained. The agency said the hackers exploited a vulnerability in part of the Edgar system that allows companies to test the accuracy of data transmitted in new forms. Many corporate filings are made public as soon as they are received through Edgar, although other forms may have to be reviewed first by SEC staff.
The SEC’s statement also didn’t explain why the agency waited until Wednesday to reveal the breach.
An SEC spokesman didn’t respond to a message seeking more information about the filings or what companies might have been affected.
SEC officials have sometimes indicated they could take enforcement action against a public company that misled investors about a significant hack that affected share prices.
Mr. Clayton, who is due to testify before the Senate Banking Committee next week, is sure to face questions about his own agency’s cyber vulnerabilities.
“We face the risks of cyber threat actors attempting to compromise the credentials of authorized users, gain unauthorized access to filings data, place fraudulent filings on the system, and prevent the public from accessing our system through denial of service attacks,” Mr. Clayton said. “We also face the risks of actors attempting to access nonpublic data relating to our oversight, or enforcement against, market participants, which could then be used to obtain illicit trading profits,” he added.
The Edgar system, which was launched to equalize access to information among retail and sophisticated investors, has occasionally caused headaches for the commission. Academic researchers found in 2014, for instance, that hedge funds and other rapid-fire investors got earlier access to market-moving documents from Edgar than other users of the standard, web-based system, giving them a potential edge on other traders. The SEC later said it fixed the problem.
The system has also been exploited by traders who submitted fake corporate filings. In 2015, a 37-year-old man in Bulgaria filed a fake takeover offer for Avon Products Inc., which succeeded in sending the beauty-product company’s shares soaring but netted the mastermind just $5,000, regulators alleged.
Mr. Clayton’s statement acknowledged that the planned data repository, known as the Consolidated Audit Trail, could be targeted by cyber thieves looking to steal personal information of stockbrokers’ customers. The audit trail has been in the works for nearly seven years and the SEC approved its final design last year. However, exchange executives have recently cited the Equifax hack as evidence that the audit trail should be pared back, even if that takes away information that could help regulators spot manipulative traders more quickly.
Stock and options exchanges, as well as the Financial Industry Regulatory Authority, which oversees brokers, are due to begin reporting data to the repository in November.
Robert Cook, chief executive of Finra, has also questioned whether the audit trail should be scaled back in light of the Equifax data breach. Speaking Wednesday at a banking luncheon in Washington, Mr. Cook questioned whether the database, designed to help regulators sort through flash crashes and spot market manipulation, should include personal information about stockbrokers’ customers.
“Especially post-Equifax when we are trying to win back investor confidence in the markets, it seems to be a useful question to ask whether we’ve got the right approach here or we need to revisit it,” he said.