SEC Charges Itself With Violating Fair Disclosure Rules
FOR IMMEDIATE RELEASE
Washington D.C., Oct. 3, 2017— The Securities and Exchange Commission today charged itself with violating rules requiring fair disclosure of information when it failed to establish cybersecurity policies and procedures in advance of a breach that compromised nonpublic corporate filings.
Regulation FD requires material nonpublic information to be disclosed publicly in a broad manner and not selectively. An SEC investigation found that the SEC violated Regulation FD and Rule 30(a) of Regulation S-P during an unknown period when it failed to adopt any written policies and procedures to ensure the security of the EDGAR corporate filing system and protect the database from anticipated threats or unauthorized access.
According to the SEC’s complaint:
- The Securities and Exchange Commission stored nonpublic market-moving information as well as personally identifiable information (PII) of investors on the agency’s EDGAR system, a comprehensive database of filings made by thousands of public companies and other financial firms regulated by the SEC.
- The agency neglected to identify a software vulnerability in its EDGAR system, which was exploited in 2016 by an unknown hacker who gained access to the data on the server. The unauthorized access exposed thousands of nonpublic corporate filings that could be used for illicit trading profits. In addition, the breach rendered the PII of at least two individuals vulnerable to theft.
- The commission failed entirely to adopt written policies and procedures reasonably designed to safeguard material nonpublic information. For example, the SEC failed to conduct periodic risk assessments, implement a firewall, encrypt data stored on its server, or maintain a response plan for cybersecurity incidents.
- After the SEC discovered the breach, the agency promptly stuck its thumb up its ass and waited until September of the following year to disclose the breach to the public.
- A year after the incident, the SEC provided notice of the breach to every individual whose PII may have been compromised and offered free identity theft monitoring through a third-party provider.
“As we see an increasing barrage of cyber attacks on financial firms, it is important to enforce the safeguards rule even in cases like this,” said Marshall S. Sprung, Co-Chief of the SEC Enforcement Division’s Asset Management Unit. “Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”
In its complaint, the SEC charges itself with violating Regulation FD and Rule 30(a) of Regulation S-P under the Securities Act of 1933. The SEC seeks a final judgment permanently enjoining itself from violating the federal securities laws. In addition to the injunction, the SEC seeks an increased budget allocation for the creation of a Cyber Unit that will pretend to focus on targeting cyber-related misconduct when really we just want faster computers for watching porn on the internet.
The SEC’s investigation was conducted by the beneficiaries of FDR’s makework programs and staff in the SEC’s Information Technology Forensics Group. This update is also being included as part of Chairman Clayton’s written testimony submitted to the U.S. House of Representatives Committee on Financial Services in connection with the Committee’s upcoming hearing titled “Examining the SEC’s Agenda, Operations, and Budget, Which Obviously Needs to Be Much Much Bigger.”