In August 2017, shortly after my arrival at the Commission, I was informed that an intrusion into the SEC’s Electronic Data Gathering, Analysis, and Retrieval (“EDGAR”) system took place in 2016. We immediately initiated a series of review and response initiatives, including promptly disclosing the incident and our anticipated response to the public and to Congress.[1]
In the subsequent months, we have pursued various review and uplift efforts around the EDGAR system and the SEC’s information technology systems more broadly. These efforts are discussed in more detail in my Congressional testimony and our agency financial report.[2]
Importantly, one of the agency’s principal efforts around the EDGAR intrusion has been the Division of Enforcement’s investigation into potentially illicit trading related to information that was stolen from the SEC. We have conducted our investigative efforts in valuable partnership with law enforcement.
Earlier today [January 15], we announced charges against several defendants for their participation in a fraudulent scheme centered on the EDGAR intrusion.[3] Our complaint alleges that certain individuals hacked into EDGAR and accessed test filings, including test filings containing material nonpublic information pertaining to earnings announcements of publicly-traded companies. We allege that certain defendants then traded based on the hacked information and profited once the information became public. The defendants in this action include a Ukrainian hacker, six individual traders in California, Ukraine, and Russia, and two entities.
I commend the Division of Enforcement, and in particular the Cyber Unit and the Market Abuse Unit, for their thoughtful work on this matter. As in other actions, they have done an admirable job responding to cyber threats in order to protect American markets and investors. I also want to note my appreciation for the assistance provided by the SEC’s Office of Information Technology and Division of Economic and Risk Analysis for their significant contributions. Similarly, I appreciate the constructive collaboration with our law enforcement partners at the U.S. Attorney’s Office for the District of New Jersey, the Federal Bureau of Investigations and the U.S. Secret Service.
This action illustrates that the SEC faces many of the same cybersecurity threats that confront exchange-listed companies, other SEC-registered entities and market participants of all types. These threats to our marketplace are significant and ongoing and often involve threats from actors outside our borders. No system can be entirely safe from a cyber intrusion. Here at the SEC, we recognize that we must continuously use the resources available to us efficiently and effectively to bolster our cybersecurity defenses and reduce our cyber risk profile. Our recent and ongoing work on both enhanced security and risk reduction has involved many of our divisions and offices as well as external consultants and government partners. I appreciate the significant contributions from the Office of the General Counsel, Office of Inspector General, Office of the Chief Operating Officer, and the Office of Information Technology to these efforts.
Today’s enforcement action reinforces our dedication to protecting our markets and the over 50 million households invested in those markets. Speaking more broadly, I believe that our exchange-listed companies and other market participants should continue to improve their disclosure of cyber risks and cyber incidents as well as their individual and collective efforts to combat cyber risk.[4]
[1] See Press Release 2017-170, SEC Chairman Clayton Issues Statement on Cybersecurity: Discloses the Commission’s Cyber Risk Profile, Discusses Intrusions at the Commission, and Reviews the Commission’s Approach to Oversight and Enforcement (Sept. 20, 2017), available at https://www.sec.gov/news/press-release/2017-170; Statement on Cybersecurity (Sept. 20, 2017), available at https://www.sec.gov/news/public-statement/statement-clayton-2017-09-20; Testimony on “Oversight of the U.S. Securities and Exchange Commission” (Sept. 26, 2017), available at https://www.sec.gov/news/testimony/testimony-clayton-2017-09-26; Testimony on “Examining the SEC’s Agenda, Operation, and Budget” (Oct. 4, 2017), available at https://www.sec.gov/news/testimony/testimony-examining-secs-agenda-operation-and-budget.
[2] See, e.g., Testimony on “Examining the SEC’s Agenda, Operation, and Budget” (Oct. 4, 2017), supra note 1; Testimony before the Financial Services and General Government Subcommittee of the Senate Committee on Appropriations (June 5, 2018), available at https://www.sec.gov/news/testimony/testimony-financial-services-and-general-government-subcommittee-senate-committee; Testimony on “Oversight of the U.S. Securities and Exchange Commission” (June 21, 2018), available at https://www.sec.gov/news/testimony/testimony-oversight-us-securities-and-exchange-commission; Testimony on “Oversight of the U.S. Securities and Exchange Commission” (Dec. 11, 2018), available at https://www.sec.gov/news/testimony/testimony-oversight-us-securities-and-exchange-commission-0; Fiscal Year 2018 Agency Financial Report, available at https://www.sec.gov/files/sec-2018-agency-financial-report.pdf.
[3] See Press Release 2019-1, SEC Brings Charges in Edgar Hacking Case (Jan. 15, 2019), available at https://www.sec.gov/news/press-release/2019-1.
[4] See Press Release 2018-22, SEC Adopts Statement and Interpretive Guidance on Public Company Cybersecurity Disclosures (Feb. 21, 2018), available at https://www.sec.gov/news/press-release/2018-22.