The U.S. Securities and Exchange Commission (SEC) has revealed that attackers might have used data they stole in a security breach for illicit insider trading.
SEC officials first learned about the incident back in 2016. They discovered that attackers had exploited a software vulnerability in the test filing component of EDGAR, a corporate filing system. The Commission doesn't believe the event exposed personally identifiable information or produced systemic risk. But it does concede that the attack likely compromised large volumes of "nonpublic" data.
IT personnel patched the bug upon shortly following its discovery of the incident. A year later, the event has once again resurfaced with the SEC's admission that the attack "may have provided the basis for illicit gain through trading."
Walter J. Clayton, Chairman of the SEC, reflects on that possibility in a press release:
"Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic. We must be vigilant. We also must recognize - in both the public and private sectors, including the SEC - that there will be intrusions, and that a key component of cyber risk management is resilience and recovery."
It's a good thing Clayton feels that way, for it appears the SEC has a long way to go towards strengthening its digital resilience.
In a July 2017 report, the U.S. Government Accountability Office (GAO) revealed that the SEC overall improved the security controls of its key systems by "resolving 47 of the 58 recommendations) set forth by the GAO in its 2015 audit. But it fell short in other areas. The GAO counted 15 deficiencies that limited the effectiveness of the SEC's security controls. It also found the SEC hadn't implemented certain parts of its information security program, such as maintaining up-to-date network diagrams and monitoring key systems' security configurations.
As we've described before, hacking gangs have made millions through the exploitation of sensitive corporate information they steal from companies, law firms and press newswires... taking advantage of the privileged knowledge through insider trading before it becomes public knowledge.
Ukrainian hackers, for instance, compromised the networks of agencies such as Business Wire, PR Newswire, Marketwire for five whole years, stealing more than 150,000 news releases (including quarterly financial results) from publicly traded companies before they were made public.
Groups like the FIN4 hacking gang have specifically targeted high-level executives, attorneys and those who work with so-called "black edge" (reliable, rock solid) trading information.
Let's hope this latest admission of possible illicit insider trading, not to mention the shadow cast by the Equifax breach, spurs the SEC to enact these changes and shore up its security posture so that it can avoid events similar to the 2016 security incident.