On October 2, 2017, the SEC provided an update on its ongoing staff investigation of the 2016 cyber intrusion into the EDGAR system. The SEC announced that the third party performing the intrusion acquired the names, birth dates and social security numbers of at least two individuals. In response to this data breach, the SEC has stated that it will provide identity theft protection and monitoring services to the two affected individuals and any other individuals whose sensitive information may have been accessed.
THE SEC’S NEXT STEPS
Chairman Clayton has provided an update on steps the SEC will take to evaluate and improve the cybersecurity risk profile of its EDGAR system. The SEC’s efforts will be organized into the following five key work streams:
- The Office of Inspector General’s examination of the 2016 EDGAR intrusion;
- The Division of Enforcement’s investigation into the 2016 EDGAR intrusion and its facilitation of potential illicit trading;
- An assessment and overall enhancement of the EDGAR system through various modernization efforts, such as the use of outside consultants focused on cybersecurity issues;
- A more generalized assessment and enhancement of the entire SEC’s cybersecurity risk profile, which will include the identification and evaluation of all systems holding market sensitive data or personally identifiable information; and
- The SEC’s internal assessment of the procedures taken in response to the 2016 EDGAR intrusion.
The SEC has supported these efforts through the immediate hiring of additional staff and outside technology consultants. The SEC will utilize these additions to perform the following tasks:
- Evaluate the types of data that are sent to the EDGAR system and whether it maintains adequate mechanisms for obtaining the data;
- Assess the security systems, processes and controls implemented to protect all data received through EDGAR and other related systems used by the SEC;
- Improve escalation protocols for cybersecurity threats to enhance agency-wide identification and awareness of potential cyber risks; and
- Fortify the agency’s cybersecurity risk governance structure through establishing a management team consisting of cybersecurity experts.
WHAT DOES THIS MEAN FOR ME?
Chairman Clayton’s announcement reiterates how important it is for firms to make cybersecurity a top priority of their compliance program. Written cybersecurity policies and procedures should be implemented and periodically reviewed to ensure that all risks can be effectively identified. Protocols should also be established for mitigating these risks if they materialize.
Fairview will continue to assist clients with updating their cybersecurity policies and procedures so that they are better prepared to address potential cybersecurity threats. Please contact Fairview if you have any questions or concerns about the SEC’s announcement and how it might apply to your firm.