SEC hack sparks fears about investment safety

News that hackers had invaded the corporate electronic filing platform of the nation's premier securities regulatory body, the Securities and Exchange Commission, is raising questions about how safe financial data are. 

Unknown hackers breached the agency's Electronic Data Gathering, Analysis and Retrieval system, known as EDGAR, SEC Chairman Jay Clayton announced in a statement Wednesday. "Cybersecurity is critical to the operations of our markets, and the risks are significant and, in many cases, systemic," Clayton said. "We must be vigilant."  

Making matters worse, the hackers appear to have made a profit trading on the stolen information, he said. Details of what happened are sketchy. One way the thieves could have benefited: By learning ahead of time that a company was planning a big stock sale, then betting that its share price will fall as a result. Such price dips often occur when a company's equity base expands because it dilutes the stock's worth.

"The chairman obviously recognizes the irony of the SEC potentially serving as the unwitting tipper in an insider trading scheme," said John Reed Stark, president of a cyberconsulting firm and a former SEC staff member, in an interview with Reuters.  

The SEC attack came to light in August, three months after Clayton had ordered a review of the agency's security. The review discovered that some agency employees used private emails to transfer sensitive data. He said that no personal information was compromised and the hackers' entryway has since been blocked. The agency is investigating further what happened, he said.

But many questions are lingering. "What's unclear is how long the system was compromised," said Matthew Rossi, a former SEC official and now an attorney specializing in cybersecurity for law firm Mayer Brown.  

The trouble is, the crooks have many junctures to break into a system, whether the SEC's or a company's. Software upgrades, for instance, mark good points of entry, said Christopher Hart, a counsel with the Foley Hoag law firm. Hackers are ever alert for human error, such as disclosing sensitive matters in emails, and may zero in on merging corporations because they're switching over their systems, he noted.

This week's revelation wasn't the first time the SEC's defenses were called into question. The Government Accountability Office in July sent out a report about the agency's security, naming a number of deficiencies in the SEC's systems, including failure to encrypt certain information. 

In 2015, someone posted fake information on the SEC site about an acquisition of cosmetics maker of Avon Products (AVP). This sent the company's stock soaring, until the trick was detected. In 2014, an academic study found that subscribers to an SEC service learned of new company filings 30 seconds before they were made public -- which gave high-speed traders an unfair advantage. 

That same year, according to news reports, Fidelity Investments and JPMorgan Chase (JPM) were among 13 financial institutions that were breached. JPMorgan, the largest U.S. bank by assets, said 76 million households had their names, addresses, phone numbers and emails stolen. Fidelity insisted no data were looted.

The assault on the SEC comes after it emerged that Equifax (EFX), one of the three main credit bureaus, had been compromised, with personal data on 143 million Americans filched. That has spurred new anxiety about cybersecurity among the public, and on Capitol Hill lawmakers are planning hearings about the Equifax imbroglio.  

For financial service firms, investors can take partial comfort from knowing that the industry is highly regulated, with good reporting structures and employee training, said lawyer Hart. Financial companies, he said, "have the resources" to button up their security better. 

How can you safeguard your accounts? Reviewing them at least monthly is a good idea. Ditto for getting transaction alerts, where you set up notifications when unusual activity occurs with your account. Also check your credit ratings -- by law, every American can request one free credit report yearly from the three ratings agencies. 

Still, the sad reality remains that no system is perfect. No matter how scrupulous food preparation is, germs sneak in. As Mayer Brown lawyer Marcus Christian pointed out: "You can't have perfect security."

  • Larry Light

    Larry Light is a veteran financial editor and reporter who has worked for the Wall Street Journal, Forbes, Business Week, Money, AdviceIQ and Newsday.