Jay Clayton, the chairman of the Securities and Exchange Commission, revealed on Sept. 20 that hackers gained access to the agency's EDGAR system for corporate filings and might have used the information for trading purposes. Clayton said that the hack was discovered in 2016, but the agency did not realize until August 2017 that the intrusion may have provided the basis for illicit gain through trading.
At a Congressional hearing on Sept. 25, Clayton said the SEC is hiring additional personnel to protect the security of the agency's network, systems and data, but added that he plans to ask Congress to provide more funding so that the agency can modernize its technology infrastructure.
“If you look at the resources that private actors in our capital markets devote to information technology and cybersecurity … [they] dwarf the amount that we have available to spend in this area. To me, that just tells me we’re a bit out step and we need to up our game,” Clayton said at the hearing.
On the same day, the SEC announced two enforcement-related initiatives that address cyber-based threats in the markets that it regulates: the creation of a special unit to focus on misconduct such as hacking into brokerage accounts and the spreading of false information, and a "retail strategy task force" that will identify largescale misconduct affecting retail investors.
The revelations about the hacking into EDGAR have raised concerns about the potential vulnerability of other SEC systems, and in particular the Consolidated Audit Trail, a data repository currently under development that will track the life cycle of every order in the U.S. stock and options markets. Executives from the New York Stock Exchange and CBOE Holdings have noted that the CAT will contain information about the identity of market participants that could be used to track trading strategies, and have urged the SEC to rethink the project's data security standards.