Homeland Security Discovers 5 ‘Critical’ SEC Cybersecurity Weaknesses

The U.S. Department of Homeland Security (DHS) in January identified five "critical" cybersecurity weaknesses on U.S. Securities and Exchange Commission (SEC) computers, according to Reuters. At that time, the SEC had the fourth-most critical vulnerabilities among federal civilian government agencies.

In addition, it is unclear whether the vulnerabilities DHS detected in January 2017 are related to a 2016 cyber breach of the SEC's "EDGAR" corporate filing system, Reuters reported.

SEC officials last month discovered that hackers may have exploited the 2016 cyber breach for illegal insider trading, SEC Chairman Jay Clayton said in a prepared statement. However, the SEC "promptly" patched the software vulnerability, Clayton stated.

"A software vulnerability in the test filing component of our EDGAR system ... was exploited and resulted in access to nonpublic information," Clayton noted. "We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the commission or result in systemic risk."

Investigation into the 2016 cyber breach is ongoing, Clayton said, and the SEC is coordinating its investigation with "appropriate authorities."

EDGAR provides free access to more than 21 million electronic SEC filings. It processes roughly 1.7 million electronic filings per year, Clayton indicated.

How Does the SEC Approach Cybersecurity?

The SEC currently employs an agency-wide cybersecurity detection, protection and prevention program for the security of agency operations and assets, according to Clayton. This program includes:

  • Cybersecurity protocols and controls.
  • Network protections.
  • Regular cybersecurity and privacy training for employees.
  • System monitoring and detection processes.
  • Vendor risk management processes.

Going forward, the SEC will continue to prioritize its efforts to promote effective cybersecurity practices within the commission itself and the markets and market participants it oversees, Clayton indicated.

The SEC recognizes that cybersecurity is "an evolving landscape" and expects to hire additional expertise in this area, Clayton said. It also will perform "ongoing, thoughtful evaluation" of cybersecurity data, Clayton stated, to discover the best ways to safeguard sensitive data.

"We must continue to thoughtfully evaluate our approach in light of the importance to our mission of each type of data we receive," Clayton noted.

Dan Kobialka

Dan Kobialka is senior contributing editor, MSSP Alert and ChannelE2E. He covers IT security, IT service provider business strategies and partner programs. Dan holds a M.A. in Print and Multimedia Journalism from Emerson College and a B.A. in English from Bridgewater State University. In his free time, Dan enjoys jogging, traveling, playing sports, touring breweries and watching football.