The hacking of company information at the U.S. Securities and Exchange Commission is a matter of significant concern to financial markets, was badly underplayed in the SEC’s announcement, and has been inadequately explained to companies and investors, several experts told Corporate Counsel Thursday.

“What a doozy! And they buried it in their statement,” complained Amar Sarwal, vice president and chief legal strategist of the Association of Corporate Counsel in Washington, D.C. The SEC issued a statement in the format of an overview of the agency’s policies and procedures, with the hacking disclosure buried deep inside it, failing to give it “the attention that it deserves,” he said.

The SEC also issued a press release Wednesday that discussed various aspects of the statement, including, in the second paragraph, the hacking incident.

Sarwal also criticized the lack of information the SEC made available. He said general counsel and their companies “deserve to have a better understanding of what kind of information was put at risk, and how it can affect their share price and liabilities.” 

So far the SEC has said only that nonpublic information in its electronic EDGAR system, where companies file both public and non-public data, was hacked and possibly used for illegal stock trading purposes.

The announcement from chairman Jay Clayton explained that the agency collects and stores nonpublic information “related to our supervisory and enforcement functions.” He added that this data “relates to the operations of issuers, broker-dealers, investment advisers, investment companies, self-regulatory organizations (SROs), alternative trading systems (ATSs), clearing agencies, credit rating agencies, municipal advisers and other market participants.”

The hack was discovered in 2016, and the possible illegal trades were detected in August of this year, according to Clayton. The SEC is coordinating “with appropriate authorities” as the investigation continues, he added.

“We recognize that cybersecurity is an evolving landscape, and we are constantly learning,” Clayton said. “To aid in this effort, and notwithstanding limitations on our hiring generally, we expect to hire additional expertise in this area.”

But that didn’t mollify Sarwal. In the private sector, he said, “you feel the regulatory and prosecutorial pressure intensely on cyber issues, with people not only being held liable but also losing their jobs, like the general counsel at Yahoo and the chief security officer at Equifax [both companies recently dealt with major breaches]. The regulators need to take a little bit less of a punitive approach over cyber breaches. We’re all in this together.”

Matthew Rossi, a former assistant chief litigation counsel at the SEC and now co-leader of Mayer Brown’s securities litigation and enforcement practice, said some of the criticisms are valid. “It was hardly a disclosure that was given a high profile on the SEC website, and you had to read into a lengthy statement from the chairman to get to it,” Rossi said.

On the plus side, Rossi noted, the agency did detect the breach, patched the problem and made a disclosure, as it would demand of any company. But many questions remain for the SEC.

Rossi asked: Why did they take so long to disclose a breach discovered in 2016? How long did it exist before they discovered it? And with all their investigative resources, why didn’t they detect the illegal trading much earlier?

“They [SEC] have been pushing investment advisers and broker-dealers to adopt and implement more stringent cybersecurity procedures and to make more disclosures,” Rossi said. He suggested the SEC regulation might be seen as “do as we say and not as we do.”

And more questions arose Thursday after Reuters reported that the U.S. Department of Homeland Security detected five “critical” cybersecurity weaknesses on the SEC’s computers as of Jan. 23. Reuters got this information from a confidential weekly report reviewed by journalists.

Sarwal at the ACC was more blunt in his evaluation of the commission, saying: “They need to practice what they preach.”

Marcus Christian, a colleague of Rossi’s at Mayer Brown, said the SEC may later release information to show whether or not it practices what it preaches. Christian, a former federal prosecutor, is a partner in the law firm’s cybersecurity and data privacy and national security practices.

Both he and Rossi urged general counsel to use the incident to underscore the vulnerabilities and cyber risks that exist throughout the global financial system.

“Seeing an attack that hits at the mother ship, so to speak, of financial information, should make us look at how widespread this is,” Christian said. “Our greatest concern should be for systemic risk on the markets.”

For general counsel, he said, “It boils down to being less important to find out how this incident is affecting them than to use this example to make sure their own systems and procedures are in order.”

Sue Reisinger can be contacted at sreisinger@alm.com.