The SEC disclosed on Wednesday that EDGAR, its corporate filing system, was hacked in 2016 and information was potentially used for illegal stock trades.
EDGAR is where Corporate America goes to file statements on their businesses. Brad Bondi, an attorney with Cahill Gordon and Reindel and former council at the SEC, called it “the Fort Knox” of the SEC. It’s where the important stuff is stored: quarterly earnings reports, market-moving news, IPOs, mergers and acquisitions, it all goes into the EDGAR system, and is often filed before the news is made public.
I’ll oversimplify this a bit with an example: suppose a company was going to announce that their fourth quarter earnings were going to be well below expectations due to some outside event. They have to notify the SEC of this, and they would do it through a filing in the EDGAR system.
Under some circumstances, they may file the report before it is actually released to the public.
Think about this: if a company was going to issue a warning on Friday morning that may affect its stock price, would it be helpful if someone had the news the day before?
It sure would be.
That’s what we are facing, potentially.
As with all these breaches, we know very little. We don’t know what data was retrieved, only that there was “access to nonpublic information.” We don’t know who did it. We don’t even know the date of the hack. The SEC said it occurred in 2016, but they only discovered it last month. The SEC did say that they had “promptly” fixed the source of the breach.
Here’s a simple rule about these breaches: it’s always worse than initially reported. Just look at Equifax.
Here’s what makes this so rich: in 2014, the SEC issued a series of regulations called Reg SCI, that basically told Wall Street it had to improve its technology infrastructure. One of the key components of Reg SCI was that companies needed to do more to protect themselves from cyberattacks, particularly around making sure their systems could get up and running if they were tampered with, and to promptly notify the SEC if they got hacked.
You get the irony: the agency in charge of telling Wall Street to get its act together on cyberattacks was the one that was attacked. And it’s taken a while for them to notify everyone.
There’s a big reason for Wall Street to worry about hackers at the SEC: they are about to begin implementing a system that will track every trade made, and if hackers get into it would reveal a treasure-trove of secret trading information.
It’s called the Consolidated Audit Trail (CAT), and it’s been under discussion for seven years. After the Flash Crash in May, 2010, the SEC realized they could not reconstruct trading activity to get at the real cause of the crash, or even who might have caused it. They did not have all the data they needed.
The answer was to develop the CAT, which will be a giant data base—the biggest financial data base ever assembled—that would include all trades a company made, including cancelled bids and offers. Each trade would be accompanied by an identifier that would tag the identity of the person making the trade (and include personal information) and the identity of the firm.
Wall Street pushed back, arguing against the cost (no one knows), who will pay for it, and—most importantly—who has access to the data?
You get where I’m going: the Street is terrified someone will hack the data base. Once you hack the data base, not only do you have access to personal information, you have access to the trading history of Wall Street.
“You would be able to reconstruct positions and trades for everyone on Wall Street,” David Franasiak, a securities attorney with Williams & Jensen, told me.
That means even the big guys: Goldman Sachs. JP Morgan. Citadel. Renaissance. Everyone.
That would be the Fort Knox of Wall Street for real.
The first implementation stage for the CAT is set to begin in November. Oh boy.
“This has the potential to seriously delay the CAT,” Franasiak told me.
As for Wall Street—the brokerage firms, the asset managers, the exchanges–cyberattacks have been a hot topic for a long time. I called Kenneth Bentsen, a former Congressman who now heads up the Securities Industry and Financial Markets Association (SIFMA), the trade group that represents Wall Street in Washington.
“Cyber security is a C-Suite and Board level issue and has been a top industry priority for several years,” he told me. “The financial services industry is a top target facing tens of thousands of attacks each day. We are constantly working to improve cyber defenses, resiliency and recovery through massive monetary investment in technology and personnel, regular training, industry exercises, and close coordination between the financial sector and the government including our regulators.”
The new SEC Chair, Jay Clayton, will appear before the Senate Banking Committee next Tuesday. The Committee chairman, Mark Warner (D-VA), has already issued a statement saying that “government and businesses need to step up their efforts to protect our most sensitive personal and commercial information.”
You can say that again. One of the only good things that may come out of these recent security debacles is better legislation. There is no uniform standard for how companies should respond to a cyberattack, believe it or not. There have been attempts to craft legislation that would create a nationwide and uniform data breach standard that would require more timely notification of breaches, and setting data protection standards, but it has gone nowhere.
You can bet that has a better chance of passing now.