Franklin, Andrews, Kramer & Edelstein

[scion]

Top SEC Officials Only Recently Learned of 2016 Company-Database Hack

Edgar system stores confidential forms that could be juicy targets for hackers

By Dave Michaels and Jean Eaglesham Sept. 21, 2017 2:13 p.m. ET
https://www.wsj.com/articles/top-sec-officials-only-recently-learned-of-2016-company-database-hack-1506017614

WASHINGTON—Top Securities and Exchange Commission officials weren’t told until recently about a 2016 cyberattack that penetrated its system for public-company filings, raising questions about how the breach was initially handled.

The SEC revealed the hack, which occurred and was detected last year, for the first time on Wednesday. SEC Commissioner Michael Piwowar, who ran the SEC as acting chairman for three months earlier this year, said late Wednesday that he was only recently informed. Another SEC commissioner, Kara Stein, was informed of the breach this week, a person familiar with the matter said.

SEC Chairman Jay Clayton, who started work in May after his nomination by President Donald Trump, revealed the breach and a related investigation on Wednesday night, saying the commission learned this August that the breach could have enabled illegal trading. The report follows Equifax Inc.’s disclosure of a major breach of its systems that affected 143 million Americans.

Mr. Piwowar, who led the agency from late January until early May, said he was “recently informed for the first time” about the hack into the SEC’s Electronic Data Gathering, Analysis, and Retrieval System, known as Edgar.

Former SEC Chairman Mary Jo White, who led the agency in 2016, declined to comment when asked about the hack.

The agency appeared not to have followed the typical protocols for public companies, where cybersecurity issues are overseen by the board of directors, said Thomas Sporkin, a former SEC enforcement official.

“You would have expected the commission to have been informed of a breach to an SEC database that houses information critical to investors,” said Mr. Sporkin, now a partner at law firm Buckley Sandler LLP.

Mr. Clayton’s statement described other SEC vulnerabilities to hackers, but provided few details about intrusion, possible trading or which companies might have been affected. The SEC hasn’t responded to requests for additional details.

Mr. Clayton, a former corporate lawyer, has a deeper background in cybersecurity than many of his predecessors. He led Sullivan & Cromwell LLP’s cybersecurity practice and retained a cybersecurity adviser, Christopher R. Hetner, who was formerly chief information security officer at GE Capital.

SEC officials routinely examine the cybersecurity defenses of brokerage firms and investment advisers and have sometimes indicated they could take enforcement action against a public company that misled investors about a significant hack affecting share prices.

Mr. Clayton is sure to face questions about the event next week, when he is scheduled to testify before the Senate Banking Committee. Sen. Mark Warner (D., Va.), a member of the panel, said he planned to ask Mr. Clayton about the duties of public companies to disclose when they are hacked. Yahoo Inc. took two months to disclose to the public and its shareholders after learning that 500 million user accounts were hacked in 2014.

“The SEC’s disclosure, which comes not even two weeks after Equifax revealed that it had been hacked, shows that government and businesses need to step up their efforts to protect our most sensitive personal and commercial information,” said Mr. Warner. The Senate Banking Committee oversees the SEC.

The Edgar system was launched during the 1990s to equalize access to information among retail and sophisticated investors, but has occasionally caused headaches for the commission. Academic researchers found in 2014, for instance, that hedge funds and other rapid-fire investors got earlier access to market-moving documents from Edgar than other users of the standard, web-based system, giving them a potential edge on other traders. The SEC later said it fixed the problem.

The system ingests a mountain of data, filed by thousands of public companies and brokerage firms and mutual funds. While most filings are made public as soon as they are received, some other forms aren’t meant to be disclosed immediately and could be juicy targets for hackers.

One example: correspondence that shows the SEC’s feedback on key corporate disclosures such as annual and quarterly reports. The letters often focus on questions of accounting judgment and lead to companies updating the language in their filings. The letters typically become public 20 days after the SEC closes the file.

Seeing that type of information before it is released publicly could allow a hacker to gain insight into a pending accounting restatement, which would hurt a company’s stock price, said Richard Truesdell, head of capital markets at law firm Davis Polk & Wardwell LLP.

Mro was interim chairman of the regulator earlier this year, said late Wednesday that he was ‘recen. Piwowar, who was interim chairman of the regulator earlier this year, said late Wednesday that he was ‘recently informed for the first time’ about the hack into the agency’s Edgar system.

The Edgar system also stores confidential forms that companies file when they sell shares for the first time, known as registration statements, said Brian Lane, a partner at Gibson Dunn & Crutcher LLP. The forms are withheld from investors as companies receive feedback on the disclosures from the SEC staff. Seeing the forms during that phase would provide fascinating insight into a private company’s earnings, but a hacker couldn’t immediately profit from the information because the stock isn’t yet trading on an exchange, Mr. Lane said.

Mr. Clayton’s statement didn’t identify the precise date of the intrusion or what sort of nonpublic data was obtained. The agency said the hackers exploited a vulnerability in part of the Edgar system that allows companies to test the accuracy of data transmitted in new forms. Newly appointed corporate directors and officers often file test forms that reveal the extent of their ownership of the company’s stock or options, Mr. Lane said.

“We face the risks of cyberthreat actors attempting to compromise the credentials of authorized users, gain unauthorized access to filings data, place fraudulent filings on the system, and prevent the public from accessing our system through denial of service attacks,” Mr. Clayton said in his statement Wednesday.

David Smyth, a former SEC enforcement official who is now a partner at law firm Brooks, Pierce, McLendon, Humphrey & Leonard LLP, said the SEC is in a difficult position because it is subject to the same cyberthreats as the rest of Wall Street.

“But it’s not great optics if the agency itself is hacked,” he said. “I do find the fact that the hack wasn’t disclosed to the commissioners themselves quite surprising,” he added.

—Tatyana Shumsky contributed to this article.

Write to Dave Michaels at dave.michaels@wsj.com and Jean Eaglesham at jean.eaglesham@wsj.com

https://www.wsj.com/articles/top-sec-officials-only-recently-learned-of-2016-company-database-hack-1506017614