September 21, 2017 / 7:19 PM

Q&A-What we know and don't know about the SEC hack

    WASHINGTON, Sept 21 (Reuters) - The top U.S. markets
regulator has revealed that hackers accessed its corporate
disclosure database and may have illegally profited by trading
on the information stolen.             
    Q: When did it happen?
    A: Some time in 2016. The Securities and Exchange Commission
determined in August 2017 that the hack may have led to insider
trading. It disclosed the possibility of illegal trades on Sept.
20, 2017.
    Q: How did it happen?
    A: Hackers were able to access information that the public
could not see by coming through a software vulnerability in part
of the SEC's EDGAR system for test filings.
    Q: Who was behind the hack?
    A: The SEC has not said who the perpetrators are. It has
said it was liaising with the relevant authorities without
naming them.
    Q: What information was accessed?
    A: The SEC has not said what information or which companies
may have been exposed by the 2016 breach.
    The SEC said the vulnerability was found in the test filing
component of the system. 
    “The test filing component is where filings are uploaded on
a test basis before going public,” said Timothy Harkness, U.S.
partner at Freshfields. 
    Since virtually every filing is tested this way before going
live, “essentially any of them could have potentially been
compromised. It could be anything from an 8-K announcing
terrible news for a company to a 10-Q announcing
stronger-than-expected earnings”, said Harkness.
    Many filings are released publicly shortly after the market
closes, meaning that there would likely be test runs during
trading hours that could give a hacker time to place an illicit
trade, said Peter Jaffe, a senior associate at Freshfields.  
    Q: What is the SEC doing to address the breach?
    A: The SEC said the vulnerability was patched promptly and
it immediately began an investigation. It does not believe that
the hack involved personally identifiable information,
jeopardized the operations of the Commission, or put the
financial system at risk. 
    Since May, it has worked on an initiative to bolster cyber
security, including creating a working group "to coordinate
information sharing, risk monitoring, and incident response
efforts throughout the agency," according to the SEC.
    Q: What is EDGAR?
    A: The Electronic Data Gathering, Analysis, and Retrieval
system is more than 20 years old. Publicly traded companies file
registration statements, annual and quarterly reports, ownership
statements, disclosures of material events and other information
that investors can access and read for free. Infiltrating the
SEC system to review announcements before they are released
publicly would offer hackers an opportunity to trade on that
    Q: What other information does the SEC store?
    A: The SEC stores confidential market listing plans and
non-public drafts of proposed rules by stock exchanges.
    The regulator also stores data on the operations of public
companies, broker-dealers, investment advisers, investment
companies, private “dark pool” trading venues, clearing
agencies, credit rating agencies, municipal advisors and other
market participants.

 (Reporting by Lisa Lambert, Carl O'Donnell, John McCrank and
Michelle Price; Editing by Carmel Crimmins and Meredith