SEC Chairman Jay Clayton today provided an update on the status of the agency's review and investigation of the 2016 intrusion into the EDGAR system. In addition to updating previous disclosures, today's announcement also includes additional information on the agency's efforts to strengthen its cybersecurity risk profile going forward.

The ongoing staff investigation of the 2016 intrusion has now determined that an EDGAR test filing accessed by third parties as a result of that intrusion contained the names, dates of birth and social security numbers of two individuals. This determination is based on forensic data analysis conducted since the agency's Sept. 20th disclosure of the intrusion, which relied on the latest information available at that time.

Chairman Clayton was informed by staff of this new information this past Friday, and staff are reaching out to the two individuals to notify them and offer to provide them with identity theft protection and monitoring services. Should the agency's review uncover additional such individuals whose sensitive information may have been accessed, the staff will contact them and offer them identity protection and monitoring as well.

"The 2016 intrusion and its ramifications concern me deeply. I am focused on getting to the bottom of the matter and, importantly, lifting our cybersecurity efforts moving forward," said Chairman Clayton. "While our review and remediation efforts are ongoing and may take substantial time to complete, I believe it is important to provide new information regarding the scope of the 2016 intrusion and provide an update on the steps we are taking to assess and improve the cybersecurity risk profile of our EDGAR system and of the agency's systems more broadly."

The agency's efforts going forward are organized into five principal work streams:

1) The review of the 2016 EDGAR intrusion by the Office of Inspector General. Staff have been instructed to provide their full cooperation with this effort.

2) The investigation by the Division of Enforcement into the potential illicit trading resulting from the 2016 EDGAR intrusion.

3) A focused review of and, as necessary or appropriate, uplift of the EDGAR system. The EDGAR system has been undergoing modernization efforts. The agency has added, and expects to continue to add, additional resources to these efforts, which are expected to include outside consultants, and will increase the focus on cybersecurity matters.

4) The more general assessment and uplift of the agency's cybersecurity risk profile and efforts that were initiated shortly after the Chairman's arrival at the Commission this past May, including, without limitation, the identification and review of all systems, current and planned (e.g., the Consolidated Audit Trail or CAT), that hold market sensitive data or personally identifiable information.

5) The agency's internal review of the 2016 EDGAR intrusion to determine, among other things, the procedures followed in response to the intrusion. This review is being overseen by the Office of the General Counsel and has an interdisciplinary investigative team that includes personnel from regional offices and will involve outside technology consultants.

Each of these efforts is moving forward and, as is the nature of matters of this type, will require substantial time and effort to complete. Chairman Clayton has pledged to keep Congress informed of the ultimate findings and conclusions of the agency's internal review into the 2016 intrusion.

Looking forward, and to further the efforts discussed above, Chairman Clayton has authorized the immediate hiring of additional staff and outside technology consultants to aid in the agency's efforts to protect the security of its network, systems and data. Chairman Clayton also has directed the staff to take a number of steps designed to strengthen the agency's cybersecurity risk profile, with an initial focus on EDGAR. This effort includes assessing the types of data the SEC takes in through the EDGAR system, and whether EDGAR is the appropriate mechanism to obtain that data. Another part of this effort includes reviewing the security systems, processes and controls in place to protect data submitted through EDGAR.

The staff also will conduct similar reviews of other systems in use at the SEC, assessing the types of data the agency keeps and the related security systems, processes and controls. The staff also will work to enhance escalation protocols for cybersecurity incidents in order to enable greater agency-wide visibility and understanding of potential cyber vulnerabilities and attacks.

More broadly, the agency is evaluating its cybersecurity risk governance structure, which has included the establishment of a senior-level cybersecurity working group and may include additional enhancements to promote the management and oversight of cybersecurity across the SEC's divisions and offices.

Other initiatives resulting from the general cybersecurity assessment Chairman Clayton initiated in May are ongoing or will commence shortly. These include internal, Commission-level incident response exercises and continued interaction on cybersecurity efforts with other government agencies and committees, including the Department of Homeland Security, the Government Accountability Office and the Financial and Banking Information Infrastructure Committee.

This update also is being included as part of Chairman Clayton's written testimony submitted to the U.S. House of Representatives Committee on Financial Services in connection with the Committee's upcoming hearing titled "Examining the SEC's Agenda, Operations, and Budget."

Michael Blair
02.10.2017 (02.10.2017)