The US Securities and Exchange Commission (SEC), the country’s top Wall Street regulator, came under fire for failing to adequately respond to a data breach of corporate announcements in 2016.
To make matters worse, the latest reports suggested that the hacked documents may have been used for insider trading.
The SEC detected the breach in 2016, but didn’t learn until August that intruders could have used data to make illegal profits through improper trading.
The breach was serious enough for the regulator to notify members of Congress about the hack before it was announced publicly.
Following a report by Reuters, the agency came clean about the breach in a statement. SEC Chairman Jay Clayton said: “Notwithstanding our efforts to protect our systems and manage cybersecurity risk, in certain cases cyber threat actors have managed to access or misuse our systems.”
The hack involved the SEC’s filing system, known as EDGAR, which features the detailed financial reports that public companies periodically release, such as quarterly earnings and statements on acquisitions.
Clayton described the breach as “a software vulnerability that was exploited and resulted in access to non-public information.” However, the SEC disclosure didn’t explain the delay in the announcement, give the exact date the filing system was hacked, or say which firms were targeted.
The SEC is facing criticism not only for the long delay between the 2016 breach and its announcement to the public, but also for not informing the affected companies that their data had been stolen.