US Securities and Exchange Commission chief Jay Clayton has made a couple of security-related revelations in his recently published "Statement on Cybersecurity." He admitted that an attacker infiltrated the agency's EDGAR database in 2016 by exploiting a software vulnerability to gain access to non-public info. SEC patched the flaw as soon as it was discovered, but it found out just last month that the attackers may have used the insider information they stole to profit from financial trades.
See, EDGAR is an automated system that processes forms and other paperwork submitted by companies. Since SEC's role is to protect and regulate the country's stock and options exchanges, the documents it processes typically contain sensitive info that an unscrupulous individual can profit from. Clayton says authorities are still investigating the issue, but the commission believes the hackers didn't gain unauthorized access to personally identifiable information or anything that can jeopardize its operations.
As Reuters noted, the event shines a spotlight on the SEC's shortcomings when it comes to security. In July, the Government Accountability Office published a report revealing that the SEC doesn't always fully encrypt sensitive info and uses unsupported software. It also hasn't fully implemented a system to detect intruders and doesn't always configure its firewalls properly. These findings are a cause for concern, especially since Clayton has made cybersecurity his priority. Nevertheless, Clayton reiterated in his statement that he aims to "promote effective cybersecurity practices within the Commission itself and with respect to the markets and market participants it oversees."