In September 2017, SEC Chairman Jay Clayton issued a public statement on cybersecurity that described a cyber hacking incident involving an intrusion into the SEC’s EDGAR test filing system in 2016, in which a third party exploited a software weakness to gain access to nonpublic information that may have provided the basis for illicit trading gains. Chairman Clayton stated that the weakness was patched “promptly after discovery.” In October 2017, Chairman Clayton provided an update to the September statement, noting that the SEC staff’s ongoing investigation of the 2016 incident revealed that one of the test filings accessed by the perpetrators included the names, dates of birth and social security numbers of two individuals. The press release containing the update stated that the SEC staff was reaching out to the two affected individuals to notify them of the breach and to offer them identity theft protection and monitoring services. The press release further indicated that the same procedures would be followed should it be discovered that any additional individuals were affected.

Chairman Clayton’s September statement also outlined the various cybersecurity risks faced by the SEC, noting that in May 2017 the SEC initiated an assessment of its internal cybersecurity risk profile and its approach to cybersecurity from the perspective of its regulatory and oversight functions. In the September statement, Chairman Clayton noted that the SEC receives, stores and transmits data in three broad categories—public-facing data in the form of publicly available filings; nonpublic information, including personally identifiable information, related to supervisory and enforcement functions; and nonpublic information, including personally identifiable information, related to the SEC’s internal operations. Chairman Clayton stated that the SEC is subject to frequent attempts by unauthorized actors to disrupt access to public-facing systems, access its data or cause other damage to its technological infrastructure. In particular, he noted that the EDGAR system is subject to risks involving attempts by cyber actors to compromise credentials of authorized users, gain access to data, submit fraudulent filings and prevent public access through denial-of-service attacks. He further noted that the SEC faces risks involving actors seeking to gain access to nonpublic information relative to its oversight and enforcement functions that could be used as a means to obtain illicit trading gains. Chairman Clayton further noted that the SEC is subject to cybersecurity risk in connection with its use of outside vendors as well as risks related to unauthorized actions or disclosures by its own personnel. 

Chairman Clayton noted that the SEC employs an agency-wide cybersecurity detection, protection and prevention program in light of the nature of the data it obtains and stores and the cyber-related threats it faces. He stated that the program includes cybersecurity protocols and controls, network protections, system monitoring and detection processes, vendor risk management and training for employees and is subject to periodic independent audits and reviews. Chairman Clayton noted the creation of a senior-level cybersecurity working group to coordinate information sharing, risk monitoring and incident response efforts. He also described the SEC’s coordination efforts with other government entities as well as non-U.S. regulators on cyber matters, and noted the use by the SEC of its enforcement power both to ensure that market participants comply with their disclosure obligations regarding cybersecurity risks and “to vigorously pursue cyber threat actors who seek to harm investors and our markets.”

In a press release issued in connection with his September 2017 statement, Chairman Clayton stated that “[c]ybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systematic,” further noting that “[w]e must be vigilant,” and that “[w]e also must recognize—in both the public and private sectors, including the SEC—that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”

In October 2017, updating his September statement, Chairman Clayton described the steps the SEC has taken to improve the cybersecurity risk profile of the EDGAR system, which included a review of the 2016 intrusion by the Office of Inspector General, an investigation by the Division of Enforcement into potential illicit trading, modernization of the EDGAR system, a general assessment of the agency’s cybersecurity risk profile and an internal review of the response to the 2016 intrusion. Chairman Clayton also noted that the SEC has plans to hire additional staff and to retain outside technology consultants and that a review is underway of the types of data the SEC takes in through its EDGAR system. “The 2016 intrusion and its ramifications concern me deeply,” he said. “I am focused on getting to the bottom of the matter and, importantly, lifting our cybersecurity efforts moving forward.”

Chairman Clayton’s September 2017 public statement on cybersecurity is available at:

https://www.sec.gov/news/public-statement/statement-clayton-2017-09-20

The SEC’s press release relating to Chairman Clayton’s September 2017 public statement is available at:

https://www.sec.gov/news/press-release/2017-170

The SEC’s press release relating to the October 2017 update to Chairman Clayton’s public statement is available at:

https://www.sec.gov/news/press-release/2017-186