Posted: October 28th, 2017
By: Emily Marcum *| Staff Writer
What do a consulting firm, a regulatory agency, and a consumer credit reporting bureau have in common? They are all members of the financial industry who recently fell victim to hacking. In the past month, hackers have successfully stolen sensitive information from the SEC, Equifax, and Deloitte. Although these three hacks varied in scope and severity, together they illuminate the “Achilles’ heel” of the financial industry, cybersecurity! Targeting the financial industry is an obvious choice. When asked why he robbed banks, the infamous American bank robber, Willie Sutton, said it best, “Because that’s where the money is.”
The SEC recently revealed to the public that it was hacked in 2016. On September 20th, the Chairman of the SEC, Jay Clayton, released a lengthy statement describing the past intrusions and acknowledging the dramatic increase in cybersecurity risks that the regulatory entity faces. Clayton only learned in August that hackers had last year breached the regulator’s electronic data gathering, analysis, and retrieval system, commonly referred to as EDGAR. Although the agency quickly remedied the software vulnerability, the SEC believes that the 2016 breach allowed hackers to collect nonpublic information. The agency has not released what this nonpublic information consisted of, or which companies were affected, but they did say they have reason to believe that this information allowed hackers to illicitly trade stock. Clayton stated that the agency has reason to “believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.”
Though Clayton claims that the EDGAR software was quickly patched, a report by the Department of Homeland Security detected five critical cybersecurity weaknesses in January. The Department of Homeland Security scans the computers of federal civilian agencies weekly in an effort to proactively detect cyber weaknesses. During its scanning in January, the Department of Homeland Security found that the SEC had “the fourth most critical vulnerabilities.” This report is particularly unsettling because it calls into question the adequacy of the SEC’s “prompt” patch to the EDGAR software, and its capability in remedying exposed vulnerabilities.
Clayton is extremely candid about the obstacles the SEC faces and the steps they are taking to mitigate risks. In his statement, he identified four major cybersecurity risks within the entity, which include: individuals submitting fake SEC filings to the EDGAR database in an attempt to manipulate the market, missing employee laptops containing nonpublic information, failure of Commission personnel to encrypt emails, and weaknesses in the vendor systems and software. Clayton explained that in response to the fake filings the Division of Enforcement has investigated and filed actions against individuals. For example, in May an action was filed against a mechanical engineer accused of manipulating the price of Fitbit stock by way of sham filings. In an effort to address the missing laptops and employees failure to encrypt emails, Clayton ensures that all employees must undergo significant privacy and security compliance training. But is this enough?
In the press release, Clayton asserted that even “the most diligent cybersecurity efforts will not address all cyber risks that enterprises face. That stark reality makes adequate disclosure no less important.” Perhaps, Equifax should take note. After the recent breach that affected 143 million consumers, adequate disclosure does not seem like Equifax’s top priority. Equifax, who discovered the breach on July 29th, did not disclose it to the public until September 7th. To make matters worse, several Equifax top executives are being investigated for insider trading, after selling stock prior to the breach becoming public knowledge.
Members of the financial industry are unquestionably aware of the inherently greater cybersecurity risks they face due to the monetary motivations of cybercriminals and the volume of sensitive data they store. However, although aware, are they taking sufficient action? After this month’s trifecta of security breaches, it seems that there is still much work to be done. Hopefully, in the near future, Americans will be able to bank on security and protection.
Emily Marcum is a third-year law student at Wake Forest University School of Law. She graduated from the University of South Carolina, where she received her degree in political science with a minor in business administration. Upon graduation, Emily plans to stay in the Carolinas in hopes of working for a business’s general counsel or compliance team.