The U.S. Securities and Exchange Commission hails its database of company filings as an innovation that’s dramatically boosted corporate transparency. But a hack that led to the theft of market-moving secrets is the latest sign that technology also brings dangers the SEC is struggling to combat.
The breach adds to a growing list of SEC embarrassments over Edgar, a massive online system where companies are required to disclose everything from stock sales by top executives to regulatory investigations. Past setbacks include fraudsters posting fake takeover announcements and allegations that some traders were getting access to market-moving news before others.
The cyberattack that occurred last year -- but wasn’t disclosed until Wednesday -- could be the most problematic incident, because it casts doubt on the SEC’s ability to safeguard data that fuels billions of dollars in daily financial transactions. The regulator was already grappling with hackers infiltrating companies to profit from insider trading, and now it turns out its own systems are a target.
If such breaches continue, or if the SEC is too underfunded or outgunned to fix them, it could undermine company and investor confidence in the agency. That might threaten the regulator’s ability to provide a bedrock principle of the U.S. financial system: market transparency.
‘Profit Trove’
Edgar has “all sorts of stuff that could possibly move the market,” said Larry Tabb, founder and research chairman of Tabb Group LLC, a research firm that specializes in capital markets. “If you can break in, there’s a trove of market-influencing information that you can find and mine. There’s profit in there.”
SEC Chairman Jay Clayton, who took over in May, is slated to testify before the Senate Banking Committee on Sept. 26. He’s expected to be grilled on the hack and why the agency waited so long to reveal it. The SEC said it doesn’t believe the breach led to the exposure of personally-identifiable information, such as Social Security numbers.
Among the few details that the SEC has shared about the intrusion is that it hit a corner of Edgar where companies can submit dummy filings. These forms, which are never meant to be released publicly, allow startups to get comfortable with using the database. Well-established corporations also use test filings to make sure their announcements format correctly on Edgar and to solicit feedback from the SEC.
The information hackers obtained and may have illegally traded on could have come from these filings.
No Secrets