The SEC’s recent disclosure that its Electronic Data Gathering, Analysis and Retrieval (EDGAR) system was hacked in 2016 has been receiving a lot of attention in the press. After several years of examining firms to determine whether their cybersecurity policies and procedures are sufficiently robust, and advising public companies to disclose the risk of cyber incidents, it appears that the SEC itself was the target of one or more persons looking to exploit a vulnerability in the “test filing” component of the EDGAR system to obtain non-public information and profit by using it to trade in the markets. According to the SEC, the vulnerability was quickly corrected after discovery and an internal investigation began immediately. Although the intrusion occurred in 2016 and was, according to the SEC, corrected and investigated immediately, the matter was only disclosed recently, and there are indications that neither the new Chairman, Jay Clayton, or his predecessor, Mary Jo White, were made aware of it until recently.

The purpose of discussing this matter here is not to criticize the SEC in any way for what happened, but rather to highlight the fact that all participants in the financial services community – even those charged with acting as its watchdogs – are vulnerable to those who seek to gain access to that information for nefarious purposes or simply for mischief. What will be interesting to see is how the SEC responds to this revelation. We expect there to be a renewed emphasis on cybersecurity generally, and Chairman Clayton has already said publicly that the SEC “will continue to prioritize its efforts to promote effective cybersecurity practices within the Commission itself.”

However, what may be more interesting, and ultimately more important, is whether this causes the SEC to change or modify any of its current initiatives or information-gathering efforts. For example, in the Wall Street Journal article we reference below, there is a discussion of the Consolidated Audit Trail (CAT) database being developed by the securities self-regulatory organizations (SROs) that will record and provide the SEC and the SROs with access to data relating to virtually every trade and order in the US stock and option markets, including personal customer information. Serious concerns are now being raised as to whether that information, which is likely to become the target of a wide array of hackers, can be adequately protected. The security of various other types of highly confidential data the SEC routinely obtains is also being questioned.

It is too soon to tell whether these events will result in any changes to the proposed CAT system or a delay in its implementation, or whether there will be any other changes to the scope or type of information that the SEC obtains or how it secures that information. However, it is likely that any SEC or SRO rule proposals that in any way involve the gathering and/or retention of data by the SEC or SRO will draw strong comments demanding significant detail on how the information will be protected.

We will, of course, continue to monitor these developments. 

United States

SEC Chairman discusses cyberattack. In a front page article, the Wall Street Journal discussed the testimony Chairman Jay Clayton had prepared for a Senate hearing, discussing the SEC’s handling of a 2016 cyberattack on its Electronic Data Gathering, Analysis and Retrieval (EDGAR) system.

Canada

OSC Publishes Corporate Finance Branch 2016-2017 Annual Report. The OSC announced that it has published OSC Staff Notice 51-728 Corporate Finance Branch 2016-2017 Annual Report, which focuses on issues and trends related to Management's Discussion and Analysis, non-GAAP financial measures, and forward-looking information. (9/21/2017)

Canadian securities regulators publish MFDA oversight review report. The CSA announced the release of its Oversight Review Report of the Mutual Fund Dealers Association of Canada (MFDA), which evaluates whether specific regulatory processes are operating effectively, and outlines findings that require corrective action. (9/15/2017)