Hack of SEC files opens door to illegal insider trading

Breach has experts questioning government security, transparency, encryption, more

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

First Equifax. Now the SEC. Who’s next?

Last week the U.S. Secu­ri­ties and Exchange Com­mis­sion announced that hack­ers breached the SEC’s EDGAR data­base … back in May 2016!

SEC Chair­man Jay Clay­ton issued a care­ful­ly word­ed state­ment putting this spin on the agency’s mea cul­pa: “We believe the intru­sion did not result in unau­tho­rized access to per­son­al­ly iden­ti­fi­able infor­ma­tion, jeop­ar­dize the oper­a­tions of the Com­mis­sion, or result in sys­temic risk.”

Relat­ed arti­cle: Experts dis­cuss impli­ca­tions of Equifax data breach

EDGAR—an acronym for Elec­tron­ic Data Gath­er­ing, Analy­sis, and Retrieval—is a store­house of dis­clo­sures com­pa­nies make to every­one, such as annu­al and quar­ter­ly reports. Cru­cial­ly, EDGAR also hous­es pri­vate fil­ings relat­ing to news releas­es, pro­posed merg­ers and acqui­si­tions, and oth­er del­i­cate mat­ters that can impact stock prices. Third­Cer­tain­ty con­vened a round­table of experts to flesh out the wider implications.

Chris Pier­son, View­post chief secu­ri­ty officer

Chris Pier­son, Chief Secu­ri­ty Offi­cer, View­post

Giv­en the cryp­tic release from the SEC it is impos­si­ble to know the extent of the intru­sion … but one has to assume if these pri­vate files are in the zone of infor­ma­tion (they were) like­ly to have been tar­get­ed and exfil­trat­ed. Pri­vate fil­ings com­mu­ni­cate deals that are about to hap­pen or may not be hap­pen­ing any longer. If some­one was to buy or sell shares using this inside infor­ma­tion, huge prof­its could result. This is a direct finan­cial moti­va­tion that would ben­e­fit both cyber crim­i­nals and nation-states—either by their act­ing on the infor­ma­tion or sell­ing it for profit.”

Tom Keller­mann, Strate­gic Cyber Ven­tures CEO

Tom Keller­mann, CEO, Strate­gic Cyber Ventures

This SEC breach is once again anoth­er exam­ple that government’s secu­ri­ty archi­tec­ture has failed. Nation-states are tar­get­ing reg­u­la­tors to coun­ter­act eco­nom­ic sanc­tions through dig­i­tal insid­er trad­ing and front run­ning. The Lazarus Group has been doing this for a year. I am con­cerned that the attack on the SEC could allow for island hop­ping into all who vis­it (the) net­works … thus allow­ing non­pub­lic mar­ket data to be manipulated.”

Atiq Raza, Vir­sec Sys­tems CEO

Atiq Raza, CEO, Vir­sec Systems

This attack is espe­cial­ly alarm­ing because of the clear path to mon­e­tize this data through illic­it trad­ing. We’re also see­ing con­tin­ued ero­sion of the trust that orga­ni­za­tions like the SEC, as well as cred­it bureaus, finan­cial insti­tu­tions, health care providers, and gov­ern­ment agen­cies need to oper­ate. It’s crit­i­cal that the SEC do a bet­ter job than Equifax in being trans­par­ent about the hack and data exposed. Wait­ing months to act on a breach dis­cov­ered in 2016 is not a good start.”

Jeff Hill, Preva­lent direc­tor of prod­uct management

Jeff Hill, Direc­tor of Prod­uct Man­age­ment, Preva­lent

The EDGAR episode is tan­ta­liz­ing­ly effi­cient for bad actors: pen­e­trate once, com­pro­mise many. Rather than hack­ing mul­ti­ple pub­lic com­pa­nies to illic­it­ly gath­er valu­able insid­er infor­ma­tion, the EDGAR per­pe­tra­tors could par­lay a sin­gle breach into a poten­tial mon­e­ti­z­able data bonan­za. Fur­ther, trad­ing on insid­er infor­ma­tion could be expo­nen­tial­ly more lucra­tive than sell­ing stolen cred­it card num­bers on the dark web. It appears from ini­tial reports that the attack­ers weren’t dis­cov­ered by tra­di­tion­al secu­ri­ty meth­ods, but rather their insid­er trad­ing behav­ior may have been the activ­i­ty that aroused sus­pi­cion, a par­tic­u­lar­ly dis­con­cert­ing real­i­ty for the SEC’s secu­ri­ty pro­fes­sion­als if, in fact, that’s the case.”

Kunal Anand, Pre­vo­ty CTO

Kunal Anand, CTO, Pre­vo­ty

The dis­clo­sure by the SEC fur­thers the point that strength­en­ing appli­ca­tion secu­ri­ty is crit­i­cal. In this case, a vul­ner­a­ble piece of soft­ware was used to exfil­trate sen­si­tive and ephemer­al­ly pri­vate infor­ma­tion. On the heels of the now his­tor­i­cal Equifax breach, two burn­ing ques­tions are top of mind. Was the vul­ner­a­ble soft­ware com­po­nent pre­vi­ous­ly known and did EDGAR fail to patch it? Also, why wasn’t this infor­ma­tion encrypt­ed, or was it encrypt­ed and did attack­ers com­pro­mise sen­si­tive keys?”

Gabriel Gumbs, STEALTH­bits Tech­nolo­gies VP of prod­uct strategy

Gabriel Gumbs, VP of Prod­uct Strat­e­gy, STEALTH­bits Technologies

In 2015 Busi­ness Wire, PR Newswire and Mar­ketwired were all hacked by the same group of per­pe­tra­tors. They stole 100,000 news releas­es, trad­ed ahead of more than 800 com­pa­ny finan­cial releas­es and made more than $30 mil­lion in fraud­u­lent stock mar­ket trades on this infor­ma­tion. Oth­er finan­cial­ly moti­vat­ed hack­ers were clear­ly pay­ing atten­tion, as the SEC hack tar­get­ed the same type of infor­ma­tion. Pro­tect­ing infor­ma­tion that will be made pub­lic but has to remain pri­vate for some peri­od of time is very dif­fi­cult to govern.”

More sto­ries relat­ed to gov­ern­ment cybersecurity:
Bridg­ing the gap between gov­ern­ment and Sil­i­con Valley
Trump’s efforts to address nation­al cyber­se­cu­ri­ty should be applauded
Trump’s order to strength­en cyber­se­cu­ri­ty is a step in right direction


Posted in Featured Story