The system, called EDGAR, houses millions of documents that companies are required to file with the SEC so they can be accessed by investors.
The hackers exploited a software glitch in the test filing component of the system to gain access to non-public information, the agency said.
Kimpel said companies often make test filings in the hours or days before the actual filings are done. He now suggests companies wait to do it until the last possible second.
“If you would do a test filing at night, for example, before you file the next morning that data sits on the server 12, 14 hours, giving a cybercriminal … plenty of time to play with whatever information they’re able to obtain,” he said.
The SEC “promptly” patched the vulnerability after detecting it in 2016, but the regulator only became aware last month that the glitch “may have provided the basis for illicit gain through trading,” it said.
According to a report reviewed by Reuters, the U.S. Department of Homeland Security detected five “critical” cybersecurity weaknesses on the SEC’s computers as of Jan. 23, 2017.
— CNBC’s Kerima Greene and Reuters contributed to this report.