SEC’s review of intrusion into EDGAR database finds information compromised

A test filing accessed in a 2016 intrusion by a third party into the Securities and Exchange Commission (SEC) EDGAR system contained the names, dates of birth and Social Security numbers of two individuals, according to an analysis by the SEC.

This determination is based on forensic data analysis conducted since the agency’s Sept. 20 disclosure of the intrusion.

SEC staff is reaching out to the two individuals to notify them and offer them identity theft protection and monitoring services. Should the agency’s review uncover additional such individuals whose information may have been accessed, the staff will contact them and offer them identity protection and monitoring.

“The 2016 intrusion and its ramifications concern me deeply,” SEC Chairman Jay Clayton said. “I am focused on getting to the bottom of the matter and, importantly, lifting our cybersecurity efforts moving forward. While our review and remediation efforts are ongoing and may take substantial time to complete, I believe it is important to provide new information regarding the scope of the 2016 intrusion and provide an update on the steps we are taking to assess and improve the cybersecurity risk profile of our EDGAR system and of the agency’s systems more broadly.”

Clayton today provided an update on the status of the agency’s review and investigation of the 2016 intrusion into the EDGAR system. Besides updating previous disclosures, today’s announcement includes additional information on the agency’s efforts to strengthen its cybersecurity risk profile.

Going forward, the agency will investigate potential illicit trading resulting from the 2016 EDGAR intrusion. It will also modernize the EDGAR filing system and increase its focus on cybersecurity.

Clayton has authorized the immediate hiring of additional staff and outside technology consultants to aid in the agency’s efforts to protect the security of its network, systems, and data. The agency will also review the security systems, processes and controls in place to protect data submitted through EDGAR.