http://www.marketwatch.com/story/sec-staff-forced-to-tell-chairman-about-hack-when-stolen-data-used-by-inside-trader-2017-09-25
SEC staff forced to tell chairman about hack when stolen data used by inside trader
Published: Sept 25, 2017 6:51 p.m. ET
Securities and Exchange Commission lawyers reluctantly realized while investigating an insider-trading case in August that it was time to tell new chairman Jay Clayton about a major breach of the agency's systems that happened in 2016. Why now? Because despite immediately patching the hole that hackers went through, their case was based on the non-public information stolen from the SEC's own systems. In an unexpected 4,000-word statement on general cybersecurity issues published Sept. 20, Clayton buried the news of the 2016 hack at the halfway point.
He will tell the Senate Banking Committee on Tuesday that the agency believes the 2016 intrusion was caused by the exploitation of a defect in custom software in its Edgar filing system. According to his prepared congressional testimony seen by MarketWatch on Monday, Clayton says he wasn't told about it until three months into his new job.
The SEC Office of Information Technology staff took steps in 2016 to fix the defect in the custom-developed software code and reported the incident to the Department of Homeland Security's Computer Emergency Readiness Team. Then SEC staff crossed their fingers and hoped that the thieves would never use the non-public Edgar filing information for illegal insider trading.
Those prayers were not answered. The agency, and fellow self-regulators like Nasdaq and Finra, are getting too good at identifying unusual trading patterns. They look for the "too good to be true" wins that likely come from timely confidential information. Recent insider-trading cases highlight the SEC's enhanced capabilities in tracking and zeroing in on traders who are cheating. Clayton will tell senators on Tuesday that the investigations and enforcement actions are incomplete but ongoing.
(snip)