
There May Be 'No Do-Overs,' but SEC Hack Provides Important Security Lessons

By Ed Silverstein
October 02, 2017

Even the Securities and Exchange Commission (SEC) can get hacked — and the recently announced cyber attack against the SEC is providing an important wake-up call for U.S. companies regulated by the powerful agency and the attorneys they work with.


What We've Learned

Mauro Wolfe, a former federal prosecutor now working as an attorney at Duane Morris, noted that some initial media reports suggested the SEC's impacted system, the test filing component of EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system), was perhaps “an old system.”

If that's true, it sends a reminder to companies that they need to check the cybersecurity of their own legacy systems, Wolfe says. The same is true of the more up-to-date systems companies run.

“I certainly think that every company should spend some time … analyzing their cybersecurity risk,” Wolfe says. “It should be done on a routine basis.”

Wolfe says special emphasis should be given to the “high-risk targets” — in other words, “the jewels.” Look at where these targets are stored and whether the best available method is in place to protect them.

Similarly, Timothy Blank, an attorney at Dechert, sees the SEC incident as a reminder to businesses to “pay close attention to all software vendor or industry notices regarding vulnerabilities, and install patches immediately across [the] entire network. Criminals count on delayed implementation.”

“Also, assume that all or any of your stored data has value in the dark market — even data that is destined to become public in a matter of a few seconds or minutes,” he advises.

David Axelrod, a former SEC attorney now working at Ballard Spahr, says there are two important takeaways from the SEC hack. “First, no company or agency is hack-proof. This incident shows that if a company does not think it's been hacked, they either don't know that they have been or it's only a matter of time.”

Second, this incident also shows that hackers are attacking “the gate-keepers,” he adds. “They've attacked law firms and business wire firms, and now they have attacked the ultimate gate-keeper, the SEC. This incident shows that companies that are in the business of working with publicly-traded companies, such as law firms, accounting firms, consultant groups, must know they have a target on their backs.”

“Every public company has to assume that cyber criminals want their material non-public information,” Axelrod warns. “This means two things. First, it means that companies need to devote resources to sufficiently protect their data. Second, it means that companies need to be very careful about choosing third-parties to work with and share their data with.”

Marcus Christian, a former federal prosecutor who now is an attorney at Mayer Brown, adds that when dealing with cybersecurity incidents, there are no do-overs.

“However, there is the ability to learn and improve from this incident and from others,” he explains. “Also, to the extent this incident exposes areas where the SEC and other governmental entities must improve their cybersecurity practices, some companies will be looking into ways that they can help bring about such changes.”

He identified “critical lessons” from this latest headline-grabbing breach. “First, cybersecurity is never finished. Yesterday's and today's improvements often become tomorrow's vulnerabilities,” Christian says. “Second, cybersecurity requires ongoing vigilance and vigor. Attackers don't take timeouts, and potential victims cannot afford to either. And third, America needs its government agencies that collect, store, and transfer sensitive information to exceed the standards they set for businesses and other nongovernmental organizations.”


The SEC's Response

It was just last month that SEC Chairman Jay Clayton announced the 2016 intrusion of EDGAR. In August, the SEC learned that the 2016 incident may have provided the basis for illicit gain through trading, Clayton says.

“A software vulnerability in the test filing component of the … EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information,” a statement from Clayton on September 20 revealed. “It is believed the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.”

“Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic,” Clayton said in the statement. “We must be vigilant. We also must recognize — in both the public and private sectors, including the SEC — that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”

However, many saw the SEC's response to the incident as a double standard: regulators are held to a different standard than companies that suffer breaches. “It goes without saying that many view the SEC's incident as evidence of a 'do as I say, not as I do' regulatory approach,” Christian says. “In the end, corporations will need to make sure that they incorporate cybersecurity … to their enterprise risk management programs and maintain the appropriate administrative, physical, and technical controls to meet their business needs as well as government requirements.”

But do not expect the government to take cybersecurity less seriously just because the SEC was hacked. “This hasn't changed — nor should it — commitment to robust cybersecurity programs tailored to the particular risks your company faces,” Blank says. “I don't think it would be prudent to expect the SEC or any other regulatory body to lighten up.”

Based on initial information, the SEC revealed that nonpublic information in its EDGAR system, where companies file both public and nonpublic data, was accessed and possibly used for illegal stock trading, according to our ALM sibling Corporate Counsel.

The SEC breach follows a 2015 breach at the Office of Personnel Management (OPM), which impacted more than 21 million people.

“Other government agencies have been hacked, such as the Department of Justice and the Social Security Administration, so it's not as if this is the first time that this has occurred,” Axelrod notes. “What makes this incident so important is that the SEC has been leading the charge in emphasizing cybersecurity and recently announced that it was an agency priority. I think this incident will rightly cause the SEC to invest even more resources from a technological and human standpoint to ensure that public companies and the markets themselves are taking appropriate steps to protect their data.”

*****
Ed Silverstein
writes for Legaltech News, an ALM sibling of Cybersecurity Law & Strategy.

