On September 20, 2017, the US Securities and Exchange Commission (“SEC” or “Commission”) announced that its online database for receiving, storing, and publishing corporate securities filings, known as the Electronic Data Gathering, Analysis, and Retrieval system or “EDGAR,” had been compromised in 2016 by hackers who may have traded on material nonpublic information obtained through the cyber attack.[1]
Public companies, some private companies, and certain financial intermediaries regulated by the SEC are required to submit various corporate and compliance filings to the Commission through EDGAR. Most of those filings are quickly published by the SEC in connection with its public reporting regime (e.g., quarterly earnings announcements). However, filings submitted after 5:30 p.m. Eastern Time are not deemed filed, and therefore not made public, on EDGAR until the following business day.[2] Additionally, filers have the option of submitting “test” filings to ensure correct formatting or allow informal review by SEC staff, and certain regular filings must be reviewed by SEC staff prior to being accepted and published.[3] Accordingly, EDGAR effectively acts as a temporary storage system for public companies’ material nonpublic information. While the SEC has indicated that the compromise involved the “test” filing component of EDGAR, it did not identify the specific type of information compromised in the attack (beyond saying it was not personally identifiable information) or how the hackers may have been able to trade on nonpublic information.
Information security at the SEC has been a recurring topic of concern. In a July 2017 report, the US Government Accountability Office (“GAO”) noted that the SEC failed to “consistently: (1) protect its network boundaries from possible intrusions; (2) identify and authenticate users; (3) authorize access to resources; (4) audit and monitor actions taken on the commission’s systems and network; and (5) encrypt sensitive information while in transmission.”[4] While EDGAR was in scope for the GAO’s audit, the GAO’s public report does not specifically mention the public reporting system or the recently disclosed breach. Initial media reports indicate some confusion as to whether the breach was reported to the GAO during its audit.[5] Separately, however, EDGAR has been subject to public criticism for allowing certain algorithmic trading-focused hedge funds to gain early access to filings containing important information, and for a market manipulation cyber attack in 2015 in which a Bulgarian man filed a fake takeover offer for a public company to cause a short-term material increase in its share price.[6]
Public companies are legally required to submit filings to the SEC using EDGAR and are unlikely to reconsider participation in the securities markets merely because of potential vulnerabilities in the reporting system. However, it is possible that this breach will make public companies less likely to submit draft or test documents containing nonpublic information to the SEC through EDGAR. Further, filers may become more sensitive to the timing aspects of EDGAR and be reluctant to make filings after 5:30 p.m. Eastern Time in order to avoid any delay in their filings becoming public. It also remains to be seen what effect, if any, the EDGAR breach will have on the development of the Consolidated Audit Trail (“CAT”), which is a new system that would track all equity and options trades on US markets and could create a new central repository of nonpublic information for hackers to target.[7]
As previously noted, the new co-directors of the SEC’s Division of Enforcement have emphasized cybersecurity as an enforcement priority.[8] Similarly, the Commission continues to pursue its cybersecurity examination initiative, which has resulted in its Office of Compliance Inspections and Examinations developing recommendations for robust compliance measures at investment advisers, broker-dealers, and registered funds.[9] The breach of EDGAR and the development of CAT seem likely to make cybersecurity an even more pervasive topic of concern at the Commission and in the securities industry.
[1] Jay Clayton, SEC Chair, Statement on Cybersecurity (Sept. 20, 2017), https://www.sec.gov/news/public-statement/statement-clayton-2017-09-20.
[2] SEC, EDGAR Filer Help Sheet (Apr. 30, 2013), https://www.sec.gov/info/edgar/besttips.htm.
[3] SEC, Filing Review Process (Jan. 19, 2017), https://www.sec.gov/divisions/corpfin/cffilingreview.htm.
[4] GAO, Information Security: SEC Improved Control of Financial Systems but Needs to Take Additional Actions (July 27, 2017), https://www.gao.gov/products/GAO-17-469.
[5] Evan Weinberger, SEC Failed to Heed Warnings of Weak Cyber Defenses (Sept. 21, 2017), https://www.law360.com/banking/articles/966446/sec-failed-to-heed-warnings-of-weak-cyber-defenses.
[6] Ryan Tracy and Scott Patterson, Fast Traders Are Getting Data From SEC Seconds Early, Wall Street Journal (Oct. 29, 2014), https://www.wsj.com/articles/fast-traders-are-getting-data-from-sec-seconds-early-1414539997; see also Clayton, Statement on Cybersecurity.
[7] SEC, Rule 613 (Consolidated Audit Trail) (July 19, 2017), https://www.sec.gov/divisions/marketreg/rule613-info.htm.
[8] Mayer Brown, New Heads of Enforcement at the US Securities and Exchange Commission Continue Agency’s Focus on Cybersecurity (July 12, 2017), https://www.mayerbrown.com/New-Heads-of-Enforcement-at-the-US-Securities-and-Exchange-Commission-Continue-Agencys-Focus-on-Cybersecurity-07-12-2017/.
[9] Mayer Brown, US Securities and Exchange Commission’s Office of Compliance Inspections and Examinations Announces Results of Cybersecurity Examination Initiative (Aug. 15, 2017), https://www.mayerbrown.com/US-Securities-and-Exchange-Commissions-Office-of-Compliance-Inspections-and-Examinations-Announces-Results-of-Cybersecurity-Examination-Initiative-08-15-2017/.