WASHINGTON (Reuters) - The Securities and Exchange Commission (SEC) did not fully comply with federal controls when making enhancements to its corporate filing system, according to a September report by the regulator’s Office of the Inspector General (OIG) which found the SEC needed to improve its governance of EDGAR IT upgrades.
The report dated Sept. 28 followed a disclosure by SEC chairman Jay Clayton last month that hackers may have profited by illegally trading on information stolen from the EDGAR system, which houses millions of corporate filings.
On Monday, Clayton further disclosed that additional forensic analysis had found that the Social Security numbers, dates of birth, and names of two individuals were made available to the hackers after they breached the system.
The OIG report, which has been redacted due to the sensitive nature of the content, did not say when the audit was performed or if it was conducted in response to the EDGAR hack.
The report outlined nine recommendations for improving the SEC’s management of the EDGAR system-enhancement and redesign process following an audit of six software releases deployed by the SEC to enhance the system between October 1, 2013, and September 30, 2016.
The audit found the SEC did not properly follow its own or Federal change management controls when enhancing the EDGAR system, and added that the SEC should improve its management of the EDGAR system engineering contract
“The SEC’s governance of EDGAR system enhancements...needs improvement,” the OIG wrote.
“Although the SEC has taken steps to improve its ability to develop and implement a new electronic disclosure system that meets agency needs, further improvements can strengthen the agency’s [EDGAR redesign] program governance and planning,” the OIG wrote in the report.
The SEC declined to comment. The report noted that SEC management concurred with its recommendations. The regulator had 45 days as of the date of the report to draw up a plan to remedy the problems identified.
Reporting by Michelle Price and Sarah N. Lynch; additional reporting by Pete Schroeder; Editing by Andrew Hay