The SEC hack has pitched the international finance world into turmoil as Wall Street’s top regulator admits to not having secured its own systems.
Move over, Equifax; the SEC hack may have just stolen your thunder. Less than two weeks after Equifax disclosed that it had been breached, compromising the personal information of half of America, the U.S. Securities and Exchange Commission admitted to a 2016 attack on its EDGAR database. Because EDGAR is used to disseminate company news and data to investors, the likely goal of the SEC hack was insider trading. ZDNet reports:
[The] SEC said the Edgar filing system data breach took place in 2016, but it is not yet known which companies may have been affected — or how much the hacker profited.
Edgar processes roughly 1.7 million electronic filings per year.
The hacker was able to take advantage of a “software vulnerability in the test filing component” of Edgar, which “resulted in access to nonpublic information.”
It gets even better; during the internal audit that brought the SEC hack to light, it was also discovered that SEC staff members were using “private, unsecured email accounts to transfer confidential information.”
The SEC has been bending over backwards to downplay the seriousness of the breach. Among other things, the agency stated it doesn’t “believe” any personal identifying information was compromised.
Well, that’s reassuring. After all, data breaches never turn out to be far more extensive than originally reported, do they?
Let this one sink in: The very agency in charge of enforcing cyber security on Wall Street, the same agency that called cyber attacks “the greatest threat to our [financial] markets,” issued a special risk bulletin after the WannaCry attacks, and very recently implied a greater emphasis on cyber security enforcement moving forward, cannot protect its own data. In fact, it turns out that the SEC itself has been warned about potential cyber security vulnerabilities for years; in January, the U.S. Department of Homeland Security found five “critical weaknesses” on SEC computers.
By the way, as of this writing, nobody has any earthly idea whether those “critical weaknesses” were ever addressed, or if they played a role in the SEC hack – although the agency pinky-swore that it “promptly” patched the software vulnerability it claims led to the breach.
Congress isn’t having it. They’re hauling SEC chairman Jay Clayton in front of the Senate Banking Committee. Wall Street investors and the international finance world are chewing their fingernails, especially since the SEC was poised to begin rolling out CAT, a brand-new trading history database, in November. CNBC has called CAT “the biggest financial data base ever assembled.” If the SEC couldn’t secure EDGAR, how can they be trusted with CAT?
Isn’t Anyone Practicing Proactive Cyber Security and GRC Anymore?
There’s an awful lot we don’t yet know about the SEC hack. We don’t know what “software vulnerability” the SEC is referring to. We don’t know who perpetrated the hack, how long they were in the SEC’s systems, or when the attack happened, other than it was sometime in 2016, and the agency didn’t figure it out until last month. We don’t know what data was stolen, other than it consisted of “nonpublic information.” We also don’t know if the hackers stopped with EDGAR or if they used the database as a foot in the door to penetrate other sections of the SEC’s network.
From the information we do have, we can surmise that the SEC engaged in some of the same shenanigans as Yahoo (which ignored cyber security warnings for years), Sony Pictures and the DNC (both of which transmitted confidential information through private, unsecured email), and Equifax (which waited for nearly two months to disclose a very serious breach).
We also know that proactive governance, risk, and compliance protocols prevent incidents like the SEC hack, the Equifax breach, email hacks, and the AWS hacks that are now being disclosed nearly daily. While these hacks are serious and far-reaching, from a technical standpoint, they are usually very simple and stem from companies having zero control over their data, who has access to it, and where and how it is being transmitted and stored.
Data governance, risk management, and compliance with applicable data security standards are the foundation of proactive cyber security. If you don’t want your company to be the next Equifax or SEC, start with getting back to GRC fundamentals.
The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.
Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance with all applicable laws, frameworks, and standards.