Congress questions SEC chairman on security of files after Equifax hacking

Senate hearing seeks to answer if the SEC breach held the potential for insider trading and how long the SEC knew about the security breach before disclosing it.

Jonathan Ernst/Reuters
Jay Clayton, current chairman of the Securities and Exchange Commission, is shown during his nomination hearing at Capitol Hill in March 2017. Mr. Clayton will attend a Sept. 26, 2017 hearing in Washington on the SEC data breach that occurred last year.

The chairman of the Securities and Exchange Commission is likely to face an especially tough hearing in front of Congress on Tuesday, after the agency acknowledged that it also was a victim to a hack.

News about the breach of an SEC network that delivers company news and data to investors follows the disclosure of the massive data breach from credit company Equifax that allowed hackers to access or steal the personal information of 143 million Americans.

Jay Clayton, who has been at the head of the SEC since May, is not likely to face calls for his removal since the breach happened a year ago, before he was sworn in. But he may be questioned about whether the SEC – the federal government's main arm for enforcing rules and regulations on Wall Street – is up to the task of keeping data secure.

Two major issues in this SEC breach are the potential for insider trading and whether the SEC knew about the security breach for months and only recently decided to disclose it.

The SEC operates a system known as EDGAR, which allows publicly traded companies to upload digitally the documents they are required to share with investors. What appeared to happen is that hackers were able to get into the system in a way that allowed them to see companies filing their documents to the SEC but before those documents would be dispersed to the general public.

Clayton will likely have to answer how probable it is that insider trading took place and what the scope of it might be. He is also likely to be asked why the commission sat on the news of this breach until August when it happened a year ago. The hack occurred despite repeated warnings in recent years about weaknesses in the agency's data security controls. Members of the Senate Banking Committee may well want to know what the SEC has done to secure its systems.

On Monday the SEC said it had created a new cyber unit that will target market manipulation, hacking, and dark web operatives.

The agency also revealed a new team tasked with protecting every day investors from unsafe offers like pump-and-dump schemes in which the value of an investment is driven artificially high before being sold aggressively.

The hack of the document system is especially worrisome because of how widely investors have used and trusted the system, which came online in the early 1990s. Companies use EDGAR to alert investors to important developments that could affect their share prices, like government investigations, executive shake-ups and approaches for a takeover. If hackers were able to see information before the rest of the investment community did, they would have a trading advantage.

The SEC's disclosure also follows one from Equifax, which said this month that information about millions of people was exposed. The SEC is currently investigating the Equifax breach, and news of the hack will raise questions about whether an agency that is tasked with sanctioning companies is unable to keep their own house in order.

The SEC hasn't said which individuals or companies may have been affected or who might have carried out the breach. Experts say a hack by Chinese or Russian actors can't be ruled out.

While it discovered the breach last year, the agency says it only became aware last month that information obtained by the intruders may have been used for illegal trading profits.

Critics say the SEC isn't meeting the same security standards it demands of corporate America.

This story was reported by The Associated Press.

You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.