Isn’t it obvious to everyone that hackers targeting the Securities and Exchange Commission’s EDGAR corporate filing system did it to make illicit insider trades?
Not to be dismissive or smug about this, but, duh!
Haven’t they seen “Trading Places”? In the 1980s classic, Clarence Beeks steals the orange crop report, then Louis Winthorpe and Billy Ray Valentine replace it with a fake version, making millions while bankrupting the Duke Brothers. So, obviously, with the SEC, Clarence Beeks did it.
I’m being serious. A real-life Clarence Beeks hacked the regulator to get insider data, either to sell or to use. This conclusion is not difficult to arrive at.
Knowing valuable trading information before it is officially released is the definition of insider trading. Yet the SEC took months to figure out the motive. From their statement:
The statement provides an overview of the Commission’s collection and use of data and discusses key cyber risks faced by the agency, including a 2016 intrusion of the Commission’s EDGAR test filing system. In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading.
Spare us the tech talk about software vulnerabilities, exploits, and responses. The focus here is that it took so long for the agency to “learn” what should have been blindingly obvious.
They expect us to believe it took nearly a year for the government to conclude that data security is hard?
“This hack illustrates that protecting against hackers isn’t as easy as the government sometimes expects of companies,” said Bradley Bondi, a former SEC enforcement attorney now in private practice. “Everyone is vulnerable at any time.”
The SEC enforces the Sarbanes-Oxley Act (SOX), which requires public companies to jump through hoops and juggle chainsaws to protect corporate data from intruders. A billion-dollar industry has grown around SOX compliance. Why is the government itself not at least as secure as the companies it regulates?
It’s not a stroke of genius to conclude that if EDGAR isn’t reliable and secure enough for companies to use without fearing that hackers will use or sell insider information, those companies might not be so enthusiastic about using it at all.
The SEC should have publicly disclosed the intrusion last year when it happened. Hoping that this was the work of teenagers on a lark is not a successful strategy to deal with the data security of public companies like Apple, Amazon, Goldman Sachs and Northrop Grumman.