The U.S. Securities and Exchange Commission (SEC) this week admitted the Social Security numbers and other personal information of two unnamed people were exposed in a 2016 cyber breach into its "EDGAR" corporate filing system, according to a prepared statement. Both people involved in the data breach have been alerted, the SEC stated, and the number of affected individuals may increase.
SEC Chairman Jay Clayton found out about the updated leak information Friday and released details about it yesterday. He indicated that the SEC's cyber breach review and remediation efforts are ongoing and "may take substantial time to complete."
SEC officials now are exploring ways to strengthen the commission's cybersecurity risk profile, as well as potential upgrades to the EDGAR system, the agency noted.
SEC Unveils Cyber Unit
The SEC last week announced the creation of a Cyber Unit to complement the commission's initiatives to implement an internal cybersecurity risk profile and create a cybersecurity working group to drive information sharing, risk monitoring and incident response, the agency said in a prepared statement.
The Cyber Unit will focus on cyber-related misconduct, such as:
- Cyber threats to trading platforms and other critical market infrastructure.
- Hacking to obtain material non-public information.
- Intrusions into retail brokerage accounts.
- Market manipulation schemes involving false information spread through electronic and social media.
- Misconduct perpetrated using the dark web.
- Violations involving distributed ledger technology and initial coin offerings
Robert Cohen, co-chief of the SEC Enforcement Division's Market Abuse Unit, will serve as Cyber Unit chief.
How Does the SEC Currently Approach Cybersecurity?
The SEC currently uses a commission-wide cybersecurity detection, protection and prevention program to safeguard agency operations and assets, Clayton stated. This program emphasizes the following areas:
- Cybersecurity protocols and controls.
- Cybersecurity and privacy training for employees.
- Network protections.
- System monitoring and detection processes.
- Vendor risk management processes.
In addition, the SEC expects to hire more cybersecurity personnel and has advocated for additional funding in this area.
"Single actors dwarf the amount we have available (for cybersecurity)," Clayton said last week, The Washington Post reported.