The US Securities and Exchange Commission has revealed hackers gained access to its financial document filing system and may have profited from what they were able to see.
In a statement, SEC chairman Jay Clayton said that the commission had only last month learned of the potential impact of “an incident previously detected in 2016”.
Clayton said that the intrusion “may have provided the basis for illicit gain through trading”.
He said the hackers exploited a software vulnerability “in the test filing component” of EDGAR, the system the SEC uses to collect and publish disclosures from listed companies.
The system processes around 1.7 million electronic filings a year, while people access about 50 million pages of the documents on any given day.
But it is what the unknown hackers were able to see and make use of that has forced the SEC to disclose the breach.
It said that while the vulnerability was “patched promptly after discovery”, that did not occur before it “was exploited and resulted in access to nonpublic information.”
“We believe the intrusion did not result in unauthorised access to personally identifiable information, jeopardise the operations of the commission, or result in systemic risk,” Clayton said in a long statement on cyber security risks.
“Our investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities.”
Separately, the SEC said it is looking at cases of individuals “who we allege placed fake SEC filings on our EDGAR system in an effort to profit from the resulting market movements.”
However, it did not appear that this was being done using illegitimate means of access.
Clayton said that intrusions were a reality in the current environment.
“Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic,” he said.
“We must be vigilant. We also must recognise - in both the public and private sectors, including the SEC - that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”