SEC Hacked - Illegal Profits Made; Investor Information At Risk

Last week, the SEC announced that its online filing system, Edgar, had been hacked last year, information of which may have been exploited for illicit trading gains.

Following the Equifax breach, in which personal and financial data of 143 million Americans were stolen, the SEC disclosure foregrounds the seriousness in which even top financial institutions are vulnerable to cyberattack.

Similar to Equifax, which handled sensitive customer data, the SEC handles sensitive corporate information, such as confidential filings to which the investing public is not privy. These filings can be used for illicit gains, as they provide traders with inside information. Of alarming concern is the emerging trend of collaboration between the dark cyber underworld and rogue traders on Wall St.

In 2015, the SEC uncovered a brazen scheme in which a group of rogue traders hired hackers from the Ukraine to obtain nonpublic news releases for over a period of five years, reaping more than $100 million in illegal profits.

On a separate account, also in 2015, it was discovered that the catalyst behind the surprising 20% rise in Avon shares was due to the efforts of a Bulgarian hacker who fabricated a takeover bid for the company. Having made a meager $5,000 in profits, he was subsequently arrested and charged with up to six counts of fraud, possibly facing up to 20 years for each count.

Last July, the Government Accountability Office published a 27-page report detailing several deficiencies in the SEC’s cybersecurity measures. This report described the limited “effectiveness of the SEC’s controls for protecting confidentiality” and access to the sensitive information it contained. The report also states that the SEC not only failed to encrypt information but also failed to implement recommendations by the GAO to help prevent breaches.

The SEC’s response was less notable, as its new director, Walter J Clayton stated during a speech in July: “Information sharing and coordination are essential for regulators to assess potential cyberthreats and respond to a major cyberattack, should one arise...We at the S.E.C. are working closely with our fellow financial regulators to improve our ability to receive critical information and alerts and react to cyberthreats.”

Currently, a major concern is the release of the Consolidated Audit Trail due November--a data repository designed to help regulators quickly detect individual market manipulators, but one that contains sensitive personal customer information; making it an ideal target for cyberhackers.

This repository has been in development over the last seven years and is due for implementation in November. Stock and options exchanges and FINRA are due to begin uploading reports into this system. But some are beginning to voice concerns, such as FINRA’s chief executive, Robert Cook, who stated that perhaps the system should not include personal information on stockbroker customers: “Especially post-Equifax when we are trying to win back investor confidence in the markets, it seems to be a useful question to ask whether we’ve got the right approach here or we need to revisit it.”

Is your personal and financial information safe in the hands of the regulatory and financial  institutions whose responsibility is not only to ensure market fairness but also to protect the investing public?

The problem of cybersecurity is not a linear one; it’s cyclical; a perpetual field of engagement, one characterized by a constant shifting toward ever more sophisticated virtual battlegrounds.

Unlike a physical “arms race,” an additive game limited by space and economic resources, cyberwarfare is a race without accumulation, as it simply upgrades and transforms every tool at its disposal. With no real space other than the virtual, its arena is virtually infinite; its contentions virtually never-ending, limited only by the technology that gives it the space to exist.

In other words, the creation of a cyberterritory is also the creation of a cyberintrusion. Sophisticated cybersecurity spurs on even more sophisticated cyberattackers. It’s the nature of technological progress and the negativity that accompanies each step.

As an investor, such a progressive risk tests your resolve toward fulfilling the basic need of keeping your wealth and private information safe. It makes you wonder whether you really want to or should take part in this game whose risks and countermeasures seem to escalate without any true resolution.