For years before the Securities and Exchange Commission suffered a massive breach last year, federal watchdogs had warned the agency to encrypt the sensitive financial data stored in its networks.
The Government Accountability Office delivered the admonition most recently in July, a month before the SEC's leadership learned of the 2016 hack. But the watchdog's advice to the SEC on this issue dates to at least 2008, when the GAO said the SEC's lack of encryption would make it easier for attackers to gain access to sensitive information.
The SEC declined to say whether the lack of encryption made it easier for hackers to gain access to sensitive filings. But encryption technology is widely used across corporate America and on consumer products such as smartphones and laptop computers. Without it, cybersecurity experts say, hackers can immediately read and use the data they steal. While it does not prevent all types of data theft, it can limit the seriousness of the loss in many cases, they say.
“There isn’t really any excuse for organizations that hold deeply sensitive data not to be using disk encryption,” said Peter Eckersley, chief computer scientist for the Electronic Frontier Foundation, a civil liberties group. “The tools for doing so are mature, fairly easy to use and free.”
The agency's apparent failure to heed the GAO's warnings came as the Wall Street regulator aggressively pushed the companies it oversees to improve their cybersecurity. The agency fined Morgan Stanley $1 million for failing to protect customers' information last year and chided R.T. Jones Capital Equities Management, a St. Louis-based investment adviser, in 2015 for failing to establish cybersecurity policies, including on encryption.
“Maybe this means the SEC will be more sympathetic to the companies it is investigating,” said Scott H. Kimpel, a partner at Hunton & Williams and a former SEC lawyer.
The GAO found that the SEC had improved its security in many areas but still lagged in some critical places, including encryption. Until the SEC acts, “its financial and support systems and the information they contain will continue to be at unnecessary risk of compromise,” the watchdog said in July.
The SEC, which declined to comment for this report, has launched an extensive investigation of the 2016 hack and said it is working to address the watchdog’s concerns. The agency is “modernizing a major financial system and completing a major enhancement to our vulnerability management capability,” Pamela C. Dyson, the SEC’s chief information officer, said in response to the GAO’s most recent report.
News of the attack comes at a time when government officials and market experts have become increasingly concerned about the risks cybercriminals pose to the financial system. Last year, hackers stole millions by targeting a messaging service, known as Swift, used by banks to move trillions of dollars from one country to another. Stephanie Avakian, co-director of the SEC's enforcement division, recently called cyberthreats "among the greatest risks facing investors and the securities industry."
In the SEC breach, hackers focused on one of the agency's oldest and most critical networks, known as Edgar. The network, which dates to the 1980s, serves as a clearinghouse for the thousands of documents companies file every year, including periodic reports on their financial performance and newsworthy developments such as an acquisition or retirement of a high-ranking executive.
The trove of sensitive information has been a repeated target for fraudsters. In 2015, hackers posted fake information on the site about a takeover of Avon Products, driving the company's stock price up significantly before the hack was detected. It happened again earlier this year when the SEC accused a Virginia mechanical engineer of pretending to be an executive with ABM Capital — a fake company — that was planning a takeover of Fitbit. The engineer submitted phony documents through Edgar, sending Fitbit's stock price up 10 percent in just a few minutes. The fraudster allegedly made a 350 percent profit of $3,118, according to the SEC.
But the most recent hack is more troublesome for securities experts. This time the hackers were potentially able to view corporate filings before they were made public, according to the SEC. Securities experts have long warned that the lag time between when a company submits information to Edgar and when it is made public offered hackers and high-frequency traders, who can make thousands of trades in the blink of an eye, a potentially unfair advantage over average investors.
Corporations “work very hard to ensure that all investors receive the same information at the same time” and there is no alternative to Edgar, said Gary LaBranche, president of the National Investor Relations Institute, an association that works with 1,600 publicly traded companies.
“Edgar is the plumbing, the infrastructure of the investor community,” LaBranche said. Many issuers have begun checking trading reports for unusual activity that could be tied to the SEC hack, he said.
The SEC began to tackle the threats posed by cybercriminals in 1998 with the creation of a special unit. At the time, the unit’s focus was on fraudsters trolling Internet chat rooms to pump up the price of a stock. It also pursued hackers who would break into a brokerage account and use the victim’s money to buy up shares in a micro-cap company so they could profit from a rise in its price.
“This was 20 years ago. It was absolutely cutting edge 20 years ago,” said John Reed Stark, the first director of the unit. (The unit was eventually merged with another SEC office.)
The threat posed by hackers scooping up corporate secrets or manipulating that information for profit was just emerging, Stark said. But that has begun to change, he said.
“It is a serious threat that has been growing,” said Stark, who now runs a consulting firm and often serves as an expert witness on cybersecurity, including for the SEC.
The danger raised by these types of fraudsters has been compounded by Wall Street's growing reliance on computer algorithms and artificial intelligence to make trading decisions, securities experts said. Stocks are being bought and sold instantly, making it easier for someone to profit from obtaining nonpublic information before the rest of the market, and the speed of the transactions could make it easier to hide illegal trades from regulators.
“Machines are making a lot of these trades now and cannot discern whether these filings are authentic or not,” said Tom Lin, a law professor at Temple University who has studied the impact of technology on the financial sector. “Transactions are happening in a fraction of a second, so it is too fast for you to intervene even if you do spot it.”
In 2015, federal investigators said an international hacking ring armed with tens of thousands of corporate secrets pocketed more than $100 million from illicit trades. The hackers stole more than 150,000 news releases that were scheduled to be delivered to investors by posing as news-wire employees and customers. They then recruited traders by sending them videos proving they could hack into different networks, according to the SEC.
The case showed that there is a “global market for nonpublic corporate information on the dark Web,” Lin said.
Since the latest breach, the SEC has implemented a flurry of new cybersecurity measures. It is hiring additional cybersecurity specialists and may create a new chief risk office, SEC Chair Jay Clayton told lawmakers recently. He said he also plans to reopen the cybersecurity unit that was closed several years ago and to ask Congress for an increase in the agency's $1.6 billion budget next year to help address its security concerns.
Cybersecurity “is an area where we need to devote significant resources and attention to respond to market developments and meet the expectations of the American people,” Clayton told lawmakers recently.
Craig Timberg and Aaron Gregg contributed to this report.