SEC Chairman Jay Clayton will confirm the enforcement division’s ongoing investigation when he testifies Tuesday before the Senate Banking Committee, according to prepared testimony reviewed by Reuters.
He has also asked the SEC’s Office of Inspector General to investigate the intrusion itself, the scope of non-public information that was stolen and how the SEC responded to the incident, which he said was properly reported to the Department of Homeland Security’s Computer Emergency Readiness Team.
The FBI’s investigation, which is being led out of New Jersey, is focusing specifically on the trading activity in connection with the breach, according to several sources.
One possibility the FBI is considering is that the SEC breach was connected to a group of hackers that intercepted electronic corporate press releases in a previous case which the FBI in New Jersey helped investigate, several of the sources said.
In that case, federal prosecutors in the New York borough of Brooklyn and New Jersey, as well as the SEC, charged an alliance of stock traders and suspected computer hackers based in the United States and Ukraine.
Clayton, who was installed as chairman in May, only learned of the 2016 breach in August through the enforcement investigation. SEC Commissioners Kara Stein and Mike Piwowar, who are the only other two sitting members of the agency at the moment, also only learned of it recently.
Some SEC enforcement attorneys not involved in the matter learned about it when they read it in the newspaper, sources said.
The delay in disclosing the hack and the months-long gap between uncovering it and discovering the potential insider trading are particularly embarrassing for an agency that has pushed companies to bolster their cyber capabilities and which investigates companies for failing to disclose breaches to investors faster.
While no company has ever been charged for flawed disclosures, the SEC has previously brought charges against brokerage firms over poor cyber security practices.
The SEC has experienced other cyber incidents in recent months.
Between October 2016 and April 2017, the SEC documented a variety of cyber security incidents, according to one source familiar with the matter.
Reuters was not immediately able to ascertain the nature of all of the incidents, though the source said several involved EDGAR.
In one other case that was not related to EDGAR, a server being set up for SEC use had not been updated to fix known vulnerabilities, one person familiar with the matter said.
The SEC detected unauthorized communications from it. The FBI watched the traffic, which was early signaling or beaconing rather than the export of important information, and the hole was closed. In that case, the signal from the beacon was sent to a server in Ukraine, the person added.
The SEC has been criticized for its cyber defenses. The U.S. Department of Homeland Security detected 5 “critical” vulnerabilities that needed to be fixed when it scanned a sample of the agency’s computers and devices the week of Jan. 23.