WASHINGTON (Reuters Breakingviews) - The Securities and Exchange Commission’s failure to respond properly to hacks into its systems puts U.S. cyber security on the back foot. Unlike the breach at credit-grading agency Equifax, the watchdog’s woes don’t put people’s data at risk. It’s the clumsy way it is dealing with the aftermath that’s the problem.
The regulator waited until Wednesday night to reveal that its corporate-disclosure filing system, known as EDGAR, was breached in 2016. And only this August did it discover that the intrusion led to the hackers using non-public information to make illicit trading profits.
Equifax was no better on timing. It delayed disclosing for almost two months a cyber attack discovered in July that compromised the personal information of some 143 million customers – during which time a couple of executives sold some stock. Now it appears the hackers went undetected for four months. And customers are still struggling to work out whether and how they might be affected.
That sounds like a juicy case for the SEC to sink its teeth into. But it, too, is providing a textbook case of what not to do in the event of a cyber attack. Not only did the SEC take a long time to make the breach public. It buried the news in a more wide-ranging statement on such issues by Chairman Jay Clayton, who said he wanted to highlight the “importance of cybersecurity to the agency and market participants.” In addition, the watchdog has so far provided scant details.
The Government Accountability Office warned the SEC about its cyber vulnerabilities in April 2016. The SEC’s financial systems and data, it said, lacked consistent protection; it didn’t monitor its network properly and didn’t always embed proper security in its software and hardware.
That hasn’t stopped the regulator dinging those under its purview. It slapped a $75,000 fine on an investment adviser for poor cyber procedures after a hack affecting 100,000 customers. And last year it extracted $1 million from Morgan Stanley after criminals sold online some of the customer information they had stolen.
Cyber attacks, as Clayton noted, are a fact of life. The key is to be swift and transparent in addressing them. It sets a terrible example when one of the chief overseers of public companies and the nation’s financial firms cannot meet its own standards.
All opinions expressed are those of the authors.