There May Be 'No Do-Overs,' but SEC Hack Provides Important Security Lessons

Wolfe says special emphasis should be given to the “high-risk targets” — in another words, “the jewels.” Look at where these targets are stored and is the best method in place to protect them.

Similarly, Timothy Blank, an attorney at Dechert, sees the SEC incident as a reminder to businesses to “pay close attention to all software vendor or industry notices regarding vulnerabilities, and install patches immediately across [the] entire network. Criminals count on delayed implementation.”

“Also, assume that all or any of your stored data has value in the dark market — even data that is destined to become public in a matter of a few seconds or minutes,” he advises.

David Axelrod, a former SEC attorney now working at Ballard Spahr, says there are two important takeaways from the SEC hack. “First, no company or agency is hack-proof. This incident shows that if a company does not think it's been hacked, they either don't know that they have been or it's only a matter of time.”

Second, this incident also shows that hackers are attacking “the gate-keepers,” he adds. “They've attacked law firms and business wire firms, and now they have attacked the ultimate gate-keeper, the SEC. This incident shows that companies that are in the business of working with publicly-traded companies, such as law firms, accounting firms, consultant groups, must know they have a target on their backs.”

“Every public company has to assume that cyber criminals want their material non-public information,” Axelrod warns. “This means two things. First, it means that companies need to devote resources to sufficiently protect their data. Second, it means that companies need to be very careful about choosing third-parties to work with and share their data with.”

Marcus Christian, a former federal prosecutor who now is an attorney at Mayer Brown, adds that when dealing with cybersecurity incidents, there are no do-overs.

“However, there is the ability to learn and improve from this incident and from others,” he explains. “Also, to the extent this incident exposes areas where the SEC and other governmental entities must improve their cybersecurity practices, some companies will be looking into ways that they can help bring about such changes.”

He identified “critical lessons” from this latest headline-grabbing breach. “First, cybersecurity is never finished. Yesterday's and today's improvements often become tomorrow's vulnerabilities,” Christian says. “Second, cybersecurity requires ongoing vigilance and vigor. Attackers don't take timeouts, and potential victims cannot afford to either. And third, America needs its government agencies that collect, store, and transfer sensitive information to exceed the standards they set for businesses and other nongovernmental organizations.”

The SEC's Response

It was just last month that SEC Chairman Jay Clayton announced the 2016 intrusion of EDGAR. In August, the SEC learned that the 2016 incident may have provided the basis for illicit gain through trading, Clayton says.

“A software vulnerability in the test filing component of the … EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information,” a statement from Clayton on September 20 revealed. “It is believed the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.”

“Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic,” Clayton said in the statement. “We must be vigilant. We also must recognize — in both the public and private sectors, including the SEC — that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”

However, the SEC's response to the incident was seen by many as a double-standard for regulators versus when companies have breaches. “It goes without saying that many view the SEC's incident as evidence of a 'do as I say, not as I do' regulatory approach,” Christian says. “In the end, corporations will need to make sure that they incorporate cybersecurity … to their enterprise risk management programs and maintain the appropriate administrative, physical, and technical controls to meet their business needs as well as government requirements.”

But do not expect the government to take cybersecurity less seriously just because the SEC was hacked. “This hasn't changed — nor should it — commitment to robust cybersecurity programs tailored to the particular risks your company faces,” Blank says. “I don't think it would be prudent to expect the SEC or any other regulatory body to lighten up.”

Based on initial information, the SEC revealed that nonpublic information in its EDGAR system, where companies file both public and non-public data, was hacked and possibly used for illegal stock trading purposes, according to our ALM sibling Corporate Counsel.

The SEC breach follows a 2015 breach at the Office of Personnel Management (OPM), which impacted more than 21 million people.

“Other government agencies have been hacked, such as the Department of Justice and the Social Security Administration, so it's not as if this is the first time that this has occurred,” Axelrod notes. “What makes this incident so important is that the SEC has been leading the charge in emphasizing cybersecurity and recently announced that it was an agency priority. I think this incident will rightly cause the SEC to invest even more resources from a technological and human standpoint to ensure that public companies and the markets themselves are taking appropriate steps to protect their data.”

*****
Ed Silverstein writes for Legaltech News, an ALM sibling of Cybersecurity Law & Strategy.

Even the Securities and Exchange Commission (SEC) can get hacked — and the recently announced cyber attack against the SEC is providing an important wake-up call for U.S. companies regulated by the powerful agency and the attorneys they work with.

What We've Learned

Mauro Wolfe, a former federal prosecutor now working as an attorney at Duane Morris, noted there were some initial media reports suggesting that the SEC's impacted electronic system — known as EDGAR — the Electronic Data Gathering, Analysis, and Retrieval test filing system was perhaps “an old system.”

If that's true, it sends a reminder to companies that they need to check the cybersecurity on their own legacy systems, Wolfe says. The same is true of more up-to-date systems found in companies.

“I certainly think that every company should spend some time … analyzing their cybersecurity risk,” Wolfe says. “It should be done on a routine basis.”

Wolfe says special emphasis should be given to the “high-risk targets” — in another words, “the jewels.” Look at where these targets are stored and is the best method in place to protect them.

Similarly, Timothy Blank, an attorney at Dechert, sees the SEC incident as a reminder to businesses to “pay close attention to all software vendor or industry notices regarding vulnerabilities, and install patches immediately across [the] entire network. Criminals count on delayed implementation.”

“Also, assume that all or any of your stored data has value in the dark market — even data that is destined to become public in a matter of a few seconds or minutes,” he advises.

David Axelrod, a former SEC attorney now working at Ballard Spahr, says there are two important takeaways from the SEC hack. “First, no company or agency is hack-proof. This incident shows that if a company does not think it's been hacked, they either don't know that they have been or it's only a matter of time.”

Second, this incident also shows that hackers are attacking “the gate-keepers,” he adds. “They've attacked law firms and business wire firms, and now they have attacked the ultimate gate-keeper, the SEC. This incident shows that companies that are in the business of working with publicly-traded companies, such as law firms, accounting firms, consultant groups, must know they have a target on their backs.”

“Every public company has to assume that cyber criminals want their material non-public information,” Axelrod warns. “This means two things. First, it means that companies need to devote resources to sufficiently protect their data. Second, it means that companies need to be very careful about choosing third-parties to work with and share their data with.”

Marcus Christian, a former federal prosecutor who now is an attorney at Mayer Brown, adds that when dealing with cybersecurity incidents, there are no do-overs.

“However, there is the ability to learn and improve from this incident and from others,” he explains. “Also, to the extent this incident exposes areas where the SEC and other governmental entities must improve their cybersecurity practices, some companies will be looking into ways that they can help bring about such changes.”

He identified “critical lessons” from this latest headline-grabbing breach. “First, cybersecurity is never finished. Yesterday's and today's improvements often become tomorrow's vulnerabilities,” Christian says. “Second, cybersecurity requires ongoing vigilance and vigor. Attackers don't take timeouts, and potential victims cannot afford to either. And third, America needs its government agencies that collect, store, and transfer sensitive information to exceed the standards they set for businesses and other nongovernmental organizations.”

The SEC's Response

It was just last month that SEC Chairman Jay Clayton announced the 2016 intrusion of EDGAR. In August, the SEC learned that the 2016 incident may have provided the basis for illicit gain through trading, Clayton says.

“A software vulnerability in the test filing component of the … EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information,” a statement from Clayton on September 20 revealed. “It is believed the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.”

“Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic,” Clayton said in the statement. “We must be vigilant. We also must recognize — in both the public and private sectors, including the SEC — that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”

However, the SEC's response to the incident was seen by many as a double-standard for regulators versus when companies have breaches. “It goes without saying that many view the SEC's incident as evidence of a 'do as I say, not as I do' regulatory approach,” Christian says. “In the end, corporations will need to make sure that they incorporate cybersecurity … to their enterprise risk management programs and maintain the appropriate administrative, physical, and technical controls to meet their business needs as well as government requirements.”

But do not expect the government to take cybersecurity less seriously just because the SEC was hacked. “This hasn't changed — nor should it — commitment to robust cybersecurity programs tailored to the particular risks your company faces,” Blank says. “I don't think it would be prudent to expect the SEC or any other regulatory body to lighten up.”

Based on initial information, the SEC revealed that nonpublic information in its EDGAR system, where companies file both public and non-public data, was hacked and possibly used for illegal stock trading purposes, according to our ALM sibling Corporate Counsel.

The SEC breach follows a 2015 breach at the Office of Personnel Management (OPM), which impacted more than 21 million people.

“Other government agencies have been hacked, such as the Department of Justice and the Social Security Administration, so it's not as if this is the first time that this has occurred,” Axelrod notes. “What makes this incident so important is that the SEC has been leading the charge in emphasizing cybersecurity and recently announced that it was an agency priority. I think this incident will rightly cause the SEC to invest even more resources from a technological and human standpoint to ensure that public companies and the markets themselves are taking appropriate steps to protect their data.”

*****
Ed Silverstein writes for Legaltech News, an ALM sibling of Cybersecurity Law & Strategy.