The SEC has cautioned companies about what they put in test announcements. In a 2015 press release, the agency advised businesses seeking to raise money through crowdfunding not to include “confidential or personally identifiable information” in practice filings. Still, companies often don’t follow that advice, according to securities lawyers and corporate executives.
One person who frequently submitted test filings to Edgar said he can’t recall stripping out sensitive information. Another person said preliminary filings regularly include data that could move share prices, and are submitted so companies can engage in a back-and-forth with SEC staffers.
SEC spokesman Chris Carofine declined to comment on Edgar or the hack.
Questions about the scope of the breach remain unanswered. The SEC hasn’t said whether the intrusion was limited to Edgar’s test filing system, or if attackers merely used a vulnerability there to reach a bounty of additional records in the massive database. On average, people access 50 million-plus pages of disclosure documents through Edgar each day. It processes more than 1.7 million electronic filings each year.
Internal Edgar
There’s also a ton of confidential corporate data that the SEC houses. In addition to the publicly-accessible Edgar, the agency maintains a private repository that its officials can peruse, according to two people familiar with the matter who requested anonymity to discuss more sensitive SEC systems. The database is known as internal Edgar among the regulator’s staffers, one of the people said.
The SEC has long considered Edgar to be a centerpiece of its mission of making sure corporations provide full and timely disclosure to investors. The regulator began experimenting with electronic filings in 1984, and within 10 years, it was mandating that public companies submit information in digital form through its Electronic Data Gathering, Analysis and Retrieval System, now universally known as Edgar.
On Wall Street, Edgar is tracked with a laser focus. Traders sign up for data feeds to peruse new filings, using superfast computers to mine announcements and make instantaneous investment decisions.
But the SEC is now struggling to keep up with the deluge of information flowing through a database that was created more than two decades ago.
Complex, Expensive