News about cyberattacks and data breaches that compromise personal and private information has begun to feel like a daily occurrence. The trend has affected not only the private sector; increasingly, government is also a target. Recently, the Securities and Exchange Commission disclosed that its EDGAR database, which functions as its online repository for periodic reports and registration statements filed by public companies and mutual funds, had been breached last year, and that it only recently discovered that non-public information, including corporate information and personal data, had been accessed. The disclosure of the cyberattack on the SEC coincides with the cybersecurity initiatives and directives that SEC Chairman Jay Clayton has made a priority, including the creation of a new Cyber Unit within the SEC’s Enforcement Division. As the SEC presses on with its various initiatives, some have expressed concerns that the SEC is not fully equipped to handle the host of cybersecurity issues that will continue to come its way. Nonetheless, the SEC appears focused on the mission of increasing cybersecurity and determined to address the growing threat to markets.
EDGAR Breach and SEC’s New Efforts
On Sept. 20, 2017, the SEC published a statement by Chairman Clayton containing an overview of the SEC’s approach to cybersecurity, after having initiated an assessment of the SEC’s internal cybersecurity risk profile and approach to cybersecurity from a regulatory and oversight perspective in May 2017. Chairman Clayton noted that in today’s environment, cyberattacks are perpetrated by a host of bad actors, including “identity thieves, unscrupulous contractors and vendors, malicious employees, business competitors, prospective insider trades and market manipulators, so-called ‘hacktivists,’ terrorists, [and] state-sponsored actors” that “create significant risks to the operational performance of market participants and of markets as a whole.” Statement on Cybersecurity, Chairman Jay Clayton (Sept. 20, 2017). He also recognized that “even the most diligent cybersecurity efforts will not address all cyber risks that enterprises risk.”
