US SEC says hackers may have traded using stolen insider information

US SEC says hackers may have traded using stolen insider information

Photo The Securities and Exchange Commission said a digital attack previous year may have exposed information that could have been exploited for trading purposes.

Wall Street's top regulator says that a 2016 breach at its corporate disclosure database may have enabled hackers to profit from trading on inside information. The test filing portion of EDGAR is used to verify that information submitted through EDGAR is accurate before it is sent on to the SEC and then to the public.

By specifically targeting this system, the threat actors may have gained access to information which had the power to change the market, which in turn could be used to trade illicitly thanks to the stolen, "insider" information contained therein, whether they were company financial statements or merger announcements. Through the flaw, the intruders were able to obtain information that hadn't been made public, Clayton said.

The hacking, it said, "may have provided the basis for illicit gain through trading".

Corporations send a lot of different information through EDGAR: Earnings statements, business developments, and other disclosures that could affect stock prices are all included in its databases.

The SEC said it has been conducting an assessment of its cybersecurity since Clayton took over as chairman in May.

The SEC has said it was investigating the source of the hack but it did not say exactly when it happened or what sort of non-public data was retrieved.

Ben Johnson, co-founder and CTO for infosec startup Obsidian Security, said the fact that the SEC breach occurred more than one year ago and the SEC didn't disclose it is troubling. The statement said that it didn't believe any personally identifiable information or SEC operations were compromised and that an investigation was continuing.

"It's hugely problematic and we've got to be serious about how we protect that information as a regulator", Huizenga said.

The revelations were made by SEC chairman Jay Clayton in a statement highlighting the importance of cybersecurity to the agency and market participants.

"Failure to do so may result in an enforcement action", he warned, although the SEC is yet to ever bring any such action against a non-complying company.

Last week, in response to a reporter's question about the fallout from the recent Equifax hack, Clayton said the agency was working to increase public awareness of the "substantial systemic risks" associated with cybersecurity. Federal prosecutors alleged that 32 traders and hackers reaped more than $100 million in illegal proceeds in a scheme so brazen that the traders would send shopping lists of corporate news releases for sneak-peeking purposes to the hackers in order to place trades.

Related Articles