The Equifax breach, which focused on a database that contained the personal information of 143 million Americans, focused attention on the vulnerabilities of private companies that handle sensitive personal financial information. The S.E.C. sometimes handles its own sensitive information, including disclosures that companies are allowed to keep away from investors. Such information could give traders an edge.
The S.E.C. may have presented a ripe target.
The Government Accountability Office in July released a 27-page report that found deficiencies in the S.E.C.’s information systems that “limited the effectiveness of the S.E.C’s controls for protecting confidentiality, integrity and availability.” It also found that the S.E.C. did not always encrypt information and had failed to fully implement recommendations from the G.A.O. that would help detect intrusion.
In its response, the S.E.C. said it agreed with the recommendations of the report but added that it had implemented a number of its suggestions.
“Information sharing and coordination are essential for regulators to assess potential cyberthreats and respond to a major cyberattack, should one arise,” he said in July in a speech. “We at the S.E.C. are working closely with our fellow financial regulators to improve our ability to receive critical information and alerts and react to cyberthreats.”
If the data stolen from the S.E.C.’s Edgar system was used by hackers to trade in stocks and reap profits, it would represent the latest in a new area of concern for regulators in the United States — an area in which the underbelly of the internet is joining forces with the darker corners of Wall Street.
In 2015, the S.E.C. brought the first insider trading case of its kind against a group of rogue stock traders who used hackers in Ukraine to get nonpublic information about companies. Insider trading refers to buying or selling of a stock by a trader who has inside knowledge that the investing public is not aware of, creating an unfair advantage. Typically, insider trading cases concern corporate insiders who leak information to friends, family or business associates in return for a personal benefit.
In this case, the men were accused of using hackers to break into companies like Business Wire and PR Newswire over a period of five years to steal 150,000 not-yet-public news releases of publicly traded companies. Federal prosecutors alleged that 32 traders and hackers reaped more than $100 million in illegal proceeds in a scheme so brazen that the traders would send shopping lists of corporate news releases for sneak-peeking purposes to the hackers in order to place trades.
The agency said it did not believe that the breach had involved personal information or that it would jeopardize the agency’s activities.
“Cybersecurity is critical to the operations of our markets, and the risks are significant and, in many cases, systemic,” said Mr. Clayton, the agency’s chairman, in the statement. “We must be vigilant. We also must recognize — in both the public and private sectors, including the S.E.C. — that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”