SEC Victim of Cyberattack
The Securities and Exchange Commission, the critical, independent government agency that oversees our stock markets, regulates the securities industry, and enforces federal securities laws, reported on Thursday that a cyberattack may have permitted criminals to trade on insider information. Only two weeks after Equifax suffered what we dubbed an “unprecedented data breach,” new precedent may have been set.
Our securities laws are premised on the belief that equal access to information ensures fairness and integrity in our markets. To ensure equal access to information, Congress enacted the Securities Act of 1933 and the Securities and Exchange Act of 1934. The overarching, critical purpose of federal securities laws is to protect investors from fraud — particularly, the sorts of fraud that arise from asymmetric information (such as misstatements and omissions in financial filings). Among other reasons, the SEC was formed to stamp out a particularly egregious form of fraud that had become commonplace among high-level executives — insider trading.
Insider trading is considered a severe threat to public trust in securities markets. In the words of one federal court, to permit trading on material, non-public information would undermine the intent of Congress that “all members of the investing public should be subject to identical market risks” and that investors should be “trading on equal footing.”
Initial Implications of the Incident are Appalling
While the SEC is still investigating the cyberattack and the potential insider trading stemming from the incident, the initial implications of the SEC’s disclosure are appalling. The hackers were able to exploit a vulnerability in EDGAR – the SEC’s mandatory electronic filing portal that is used by companies to submit all manner of regulatory documents and disclosures that total more than 1.7 million filings each year. EDGAR provides the filed information to the public without charge, and it is monitored closely by investors worldwide as the official source for new financial data that is used to make investment choices. In sum, the EDGAR system is the most critical component used to implement federal securities laws’ transparency objectives.
The SEC’s only official comment about the incident is that hackers infiltrated a portion of EDGAR that is used to submit test filings. Oftentimes, companies that are preparing to submit a filing to the SEC (including annual and periodic financial reports and press releases) use a non-public test filing to make sure that the filing is in the correct format. Companies also use the test filings to obtain feedback from the SEC about the filing.
Potential Concern Over Separate Private Database
Hackers may have been able to obtain and trade on the test filings, taking advantage of the lag time between the company submitting the test filing and submitting the official public filing. Worse yet, some SEC officials are concerned that the “internal Edgar,” a private database used by SEC officials to store confidential corporate information, may have also been accessed.
We are all familiar with “doomsday” predictions centered around the fragility of our digital economy. Some even argue that we are just one electromagnetic pulse away from returning to gold and bartering. (Some will even sell you that gold at a hefty markup.) While overly fatalistic views about the market’s susceptibility to bad actors can be unhealthy, the SEC’s disclosure yesterday is a universal cause for alarm. All should recognize that as we further integrate technology into our critical infrastructure – such as securities exchanges – efficiency and convenience should not completely overshadow security. Otherwise, the EDGAR hack may be a prelude to what’s yet to come.