From Securities Regulation Daily, October 2, 2017

2016 EDGAR breach exposed two people’s information, Clayton says

By Anne Sherry, J.D.

In an update that will become part of his testimony Wednesday before the House Financial Services Committee, SEC Chairman Jay Clayton said that the 2016 EDGAR intrusion compromised the names, dates of birth, and social security numbers of two individuals. The update does not foreclose the possibility that other individuals may also have been affected.

SEC staff notified Clayton of the new information on Friday, and are in the process of notifying the individuals and offering them identity theft protection and monitoring services, according to the statement. The determination that the two individuals’ information was accessed by third parties "is based on forensic data analysis conducted since the agency’s Sept. 20th disclosure of the intrusion which relied on the latest information available at that time."

The update adds that if the agency uncovers additional individuals whose information may have been accessed, those individuals will also be contacted and offered identity theft services.

Going forward, the SEC has organized its response to the breach into five main work streams:

  1. The Office of Inspector General’s review into the 2016 EDGAR breach;
  2. The Division of Enforcement’s investigation into possible illicit trading resulting from the breach;
  3. A focused review and possible "uplift" of the EDGAR system;
  4. A more general assessment and uplift of the agency’s cybersecurity risk profile, which involves identifying and reviewing all current and planned systems (including the Consolidated Audit Trail) that hold market sensitive data or personally identifiable information; and
  5. The SEC’s internal review, overseen by the Office of the General Counsel, to determine the procedures followed in response to the 2016 intrusion.

Clayton authorized the immediate hiring of additional staff and outside IT consultants and directed SEC staff to strengthen the agency’s cybersecurity risk profile. Staff are looking at whether EDGAR is the appropriate mechanism to obtain certain types of data and reviewing the security systems, processes, and controls in place to protect EDGAR data. While EDGAR is the initial focus, staff will conduct similar reviews of other systems at the SEC. They also will work to enhance escalation protocols for cybersecurity incidents.

The agency is also evaluating its cybersecurity risk governance structure, which includes the establishment of a senior-level cybersecurity working group. Other ongoing and upcoming initiatives include Commission-level incident response exercises and continued interaction with other government agencies and committees on cybersecurity.
