Hack of SEC May Have Yielded Illicit Trading Gains

By Jerri-Lynn Scofield, who has worked as a securities lawyer and a derivatives trader. She now spends much of her time in Asia and is currently working on a book about textile artisans.

Securities and Exchange Commission (SEC) chair Jay Clayton announced late yesterday that the agency’s Electronic Data Gathering, Analysis and Retrieval (EDGAR) filing system had been breached last year.

Only last month did the agency realize that the vulnerability “may have provided the basis for illicit gain through trading.”  Oops. The agency is investigating who may have profited, but has not released any details about exactly what information was gleaned and which companies were concerned.

To elaborate (from Clayton’s statement):

Specifically, a software vulnerability in the test filing component of the Commission’s EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information. It is believed the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk. An internal investigation was commenced immediately at the direction of the Chairman.

The SEC announcement follows recent revelations of the massive data breach at Equifax– in which confidential personal financial information for 143 million individuals was exposed– and raises further concerns about the parlous state of cybersecurity for information collected by private and public entities alike.

Clayton’s remarks coincided with release of a broader SEC Statement on Cybersecurity, which described the EDGAR system:

Since its creation in 1934, a critical part of the SEC’s mission has been its oversight of the system of public reporting by issuers and other registrants, and in 1984 the Commission began collecting, and making publicly available, disclosure documents through its EDGAR system. In 2017, on a typical day, investors and other market participants access more than 50 million pages of disclosure documents through the EDGAR system, which receives and processes over 1.7 million electronic filings per year.

As Bloomberg observes:

[EGDAR]  houses millions of filings on corporate disclosures ranging from quarterly earnings to statements on mergers and acquisitions. Infiltrating the SEC’s system to review announcements before they are released publicly would serve as a virtual treasure trove for a hacker seeking to make easy money.

SEC Procedures to Safeguard Information Previously Criticized

Wednesday’s announcement makes clear that the SEC’s efforts to safeguard information from hackers and cyber thieves is inadequate– a failing that has previously subjected the agency to outside criticism. As The New York Times reports:

In July, months after the breach was detected, a congressional watchdog office warned that the Wall Street regulator was “at unnecessary risk of compromise” because of deficiencies in its information systems.

The 27-page report by the Government Accountability Office found the SEC did not always fully encrypt sensitive information, used unsupported software, failed to fully implement an intrusion detection system and made missteps in how it configured its firewalls, among other things.

Consolidated Audit Trail: Misguided Project?

The weaknesses in the SEC’s cybersecurity protocols are especially worrying, given ambitious ongoing plans to collect more equity trading data– including significant, nonpublic, market sensitive data that if compromised could be illicitly exploited, as well as detailed customer information that could facilitate identity theft.  From Bloomberg:

Still, Wednesday’s disclosure may heighten concerns around the Consolidated Audit Trail, an enormous database of equity trades that is being built to give regulators better transparency into markets and help them figure out more quickly the causes of disruptions.

Financial firms have expressed concern about data breaches once the new database is completed. The repository could include personal information such as names and addresses from more than 100 million customer accounts.

The Wall Street Journal reports that executives at the New York Stock Exchange and the BATS Global System have warned  “that a planned data repository of all U.S. equity and options orders could become a juicy target for hackers”– a fact also acknowledged in the broader SEC statement.

And, as the Journal further notes:

The audit trail has been in the works for nearly seven years and the SEC approved its final design last year. However, exchange executives have recently cited the Equifax hack as evidence that the audit trail should be pared back, even if that takes away information that could help regulators spot manipulative traders more quickly.

Stock and options exchanges, as well as the Financial Industry Regulatory Authority, which oversees brokers, are due to begin reporting data to the repository in November.

Robert Cook, chief executive of Finra, also has questioned whether the audit trail should be scaled back in light of the Equifax data breach. Speaking Wednesday at a banking luncheon in Washington, Mr. Cook questioned whether the database designed to help regulators sort through flash crashes and spot market manipulation should include personal information about stockbrokers’ customers.

“Especially post-Equifax when we are trying to win back investor confidence in the markets, it seems to be a useful question to ask whether we’ve got the right approach here or we need to revisit it,” he said.

This is not the first time that deficiencies in the EDGAR system have bedevilled the SEC. The system was originally intended to make it easier for ordinary retail investors to get access to information previously the province of  more privileged investors. From the Journal:

Academic researchers found in 2014, for instance, that hedge funds and other rapid-fire investors got earlier access to market-moving documents from Edgar than other users of the standard, web-based system, giving them a potential edge on other traders. The SEC later said it fixed the problem.

SEC Investigation

The SEC has provided few details on the course of its ongoing investigation to determine who might have profited from successfully exploiting the data breach– a topic that will no doubt be probed further when Clayton testifies before the Senate Banking Committee next week.

In its broader statement, the agency also summarized recent enforcement actions targeting the   use of hacked information to place illicit trades:

The Commission recently has brought several cases alleging the hacking and stealing of nonpublic information in connection with illicit trading activity. For example, in December 2016, the Commission charged three traders for allegedly participating in a scheme to hack into two prominent New York-based law firms to steal information pertaining to clients that were considering mergers or acquisitions, which the hackers then used to trade. The Commission also brought charges against two defendants who allegedly hacked into newswire services to obtain non-public information about corporate earnings announcements, as well as dozens of other defendants who allegedly traded on the information (citations omitted).

Bottom Line

The SEC’s disclosure of its own cybersecurity lapses at minimum considerably embarrasses the agency at a time when all US financial regulators are stepping up their focus on these issues in the wake of the Equifax debacle. There’s no small irony in the SEC’s EDGAR filing system itself being the source of non-public information that may have generated illicit trading gains.

 

Print Friendly, PDF & Email

22 comments

  1. Eustache de Saint Pierre

    I have to admit to being totally out of my depth in regards to the ins & outs of the technical side of the above, but i have been struck recently by the seemingly ever growing incidence of hacks. From what I can gather the whole situation reminds me of the 17th century in which large slow moving Spanish galleons loaded with wealth, were deprived of it by swift moving, ever adaptable & much smaller pirate ships

    The authorities were eventually able to root out the above pirates, but I wonder if it would be possible to achieve the same with the modern equivalents. The galleons also remind me of corporations in terms of them being unable to adapt, or put up a suitable defense that could guarantee long term protection, from those who might well have the ability to constantly invent ways to gain access to the goodies. I also imagine that the potential rewards could attract very talented people.

    Perhaps one day we will realise that the only thing that wasn’t hacked was the 2016 US election & if the above makes any sense at all, it also perhaps does note bode well for demonetisation.

    I look forward in hope to someone who knows what they are talking about, ( Clive springs to mind ) putting me straight on this.

    1. JTMcPhee

      A lot of those galleons were “taken” not by pirates, but by the warships of other nations. Back then intelligence-gathering and “hacking’ were pretty rudimentary, but somehow the Admiralty and French and British and other nations’ ships’ captains got some clues to the timing and location of their prey’s voyages (not by dumb-luck sitting on the trade wind routes at times of the annual galleon sailings from the New World.) And many just sank, due to weather or incomplete charting of ocean hazards like reefs, to be plundered by modern-day treasure hunters playing out their version of the great-wealth lottery, facilitated by much more sophisticated imaging and detection technology…

      Concentrated wealth of that sort wants to distribute itself. Too bad the “hackers” are picking on the low-hanging fruit of us mopes’ identities, so poorly “protected” by even the equivalents of the Spanish warships that accompanied the treasure fleets… The filthy rich get the best protection money can buy, of course, so I bet it is harder than the movies make it look for Robin Hood types to steal black money elecronically…

      And then there’s this prescient and perspicacious bit of wisdom from old Alexander Pope:

      “…
      P. But bribes a senate, and the land ’s betray’d.
      In vain may heroes fight and patriots rave,
      If secret gold sap on from knave to knave.
      Once, we confess, beneath the patriot’s cloak, 35
      From the crack’d bag the dropping guinea spoke,
      And jingling down the back-stairs, told the crew
      ‘Old Cato is as great a rogue as you.’
      Blest paper-credit! last and best supply!
      That lends Corruption lighter wings to fly! 40
      Gold imp’d by thee, can compass hardest things,
      Can pocket states, can fetch or carry kings;
      A single leaf shall waft an army o’er,
      Or ship off senates to some distant shore;
      A leaf, like Sibyl’s, scatter to and fro 45
      Our fates and fortunes as the winds shall blow;
      Pregnant with thousands flits the scrap unseen,
      And silent sells a King or buys a Queen….”

      The whole discourse is worth a read, it’s not that long: http://www.bartleby.com/203/145.html

    2. L

      Part of your analogy holds. But in part you also have to keep in mind Clauswitz’ point that attack is always easier than defense. Simply put crafting a spear phishing against any organization that is a million strong will always be easier than blocking all such attacks.

      And, as with CCTV, sometimes even in defense it is a lot easier to focus on tracking down the perps then it is to identify or even stop them in advance.

      1. JTMcPhee

        So basically, since the “legal system” does not enforce even the tilted laws against the wealthy and connected, and since the enforcement mechanisms like CCTV and “forensic hacker tracking” will only even detect a fraction of the infractions, then maybe there is only a tiny bit of “deterrence” in the system any more? And no driving organizing principle that directs the political-economic equivalent of a biological immune system to seek out and deal with the pathogens and cancers, as far as I can see. Absent that, we mopes end up massively vulnerable, don’t we?

        One of my hobby horses is the notion of vulnerability. Seems to me there are a few who can profit from any calamity (FEMA trailers, the TBTF wealth transfer, etc.) But the rest of us, who live on low ground in flimsy housing that we rent or are subject to mortgages and “illegal” dispossession”, and who have little ability to “autark” our lives with food and water, who depend on electronic recording of our savings and transactions, who depend on rented electricity from aptly named “power companies” that own their regulators, who live under the looming threat of mushroom clouds (and subsequent environmental collapse) of nuclear-armed idiots playing destabilizing games of domination (to what end?), {add your own threats here}, we are, as a species, massively vulnerable to our own end products and excreta. (Though I see that “entrepreneurs” are finding economic opportunity across the world in profiting from processing poop — like this higher-end approach (read through to the end for a nice cookie), “Gold in Faeces Worth Millions!”, https://www.theguardian.com/science/2015/mar/23/gold-in-faeces-worth-millions-save-environment . Or this article that is right down the “markets will fix it” alley: “Profiting from Poop: How Selling Human Waste Could Revolutionize Sanitation,” http://www.globalenvision.org/2014/02/27/profiting-poop-how-selling-human-waste-could-revolutionize-sanitation.

        And then there is stuff we can learn from the past that might reduce some vulnerabilities in the present: “Edo Period of Japan: Model of Sustainability,” http://www.museumofthecity.org/project/edo-period-japan-a-model-of-ecological-sustainability-2/

        And since corruption is a hallmark of humanity and one of the reasons why the species is so vulnerable, here’s a quick look at the usage and etymology of the notion: “What Is Corruption?” https://www.liquisearch.com/what_is_corruption

  2. PKMKII

    More signs that the hackers are setting their sites on bigger financial fish than ransomware or digital pickpocketing. Things are getting more and more cyberpunk.

    1. Wukchumni

      What if in lieu of piracy on the high seize digitally, the assorted jolly rogers online were to go the other direction and insert huge amounts of money into the system on the sly?

      1. JTMcPhee

        Injecting huge amounts of “money” into the trade stream? Isn’t that the Fed’s metier? And of course Congress? And how about those “‘notional dollars” that make up the quadrillion’s in arrangements and nominal obligations (plus the fees generated) in that unregulated derivatives “trade” that has caused so much horror for the benefit of a tiny few in recent years? I don’t begin to understand the cryptocurrency phenom, but it seems like “money” is being created (counterfeited, like derivatives seem to me to also be) in a form that mopes are willing to take, from the Few, in exchange for labor and valuable stuff and property. I’d say it’s already happening…

        1. Geoph

          I don’t pretend to truly understand the depth of complexity in any of these systems but I agree about the cryptocurrency criticism often leveled by the financial press about its instability and lack of real value. Just thinking back to Allen Greenspan’s congressional hearing where he admitted his whole philosophy about the free market was mistaken and then seeing the entire banking system propped up by the government is enough to make anyone question what, if any, stability and value there is in our “real” currency and how much of it is just casino chips that are only valuable because the house says they are.

        2. Wukchumni

          Think of non state actors getting in on the action of creating money in such amounts out of the ether, that even the homeless could claim to be millionaires?

          Sleight of and, if you will.

          1. JTMcPhee

            Finally, some of us would have something to point to regarding that thing about wheelbarrows full of worthless paper scrip — of course one would be carrying thumb drives and memory sticks (the modern tally stick?) and such to the bakery, rather than pushing a wheelbarrow…

              1. Wukchumni

                p.s.

                Future requests from the downtrodden might include this phrase:

                “Brother, can you spare a line, of code?”

  3. Norb

    When your whole economy is based on piracy, is it any wonder that more sophisticated forms of looting emerge? It will be interesting to see if the trend of elite lawlessness can be curtailed, or if a larger catastrophe will be needed to bring about accountability.

    1. JTMcPhee

      That catastrophe would likely only bring about death and despair, not ‘accountability.” It’s governments that have the wherewithal to impose sanctions on such looting and “piracy.” Government in a catastrophe kind of goes away, leaving individuals and small groups to try to stay alive and protect themselves, while the pirates sail away, consequence-free, to their lairs and retreats.

      1. polecat

        It seems as though we’re getting ever closer to a point where ‘the parable of the sower’ becomes the real-life norm.

  4. Wukchumni

    What if the hacks become so onerous that we have to fall back on old school money out of desperation, as in greenbacks?

    Well Houston, there’s a problem there as well…

    To be able to pull off reasonably decent looking counterfeit cash about 30 years ago, you needed about $100k worth of equipment, and somebody competent in the art of creating plates in which to print up the long green, and typically the engraved plates would have a static set of serial numbers, making it hard to pass many at one time.

    But that was then and this is now. Virtually everything you need to go into ‘banking’ is on your computer, aside from the paper, which is the trickiest part.

    About 5 years ago I went to the horse races @ Santa Anita, and pulling into the parking lot, I fished out a Benjamin to pay for the $5 parking fee, and the moneytaker told me she couldn’t accept my hundred, so I gave her a $20 instead, and when I got to the turnstile, I asked the clerk what was up, and he told me that a gang of counterfeiters had passed many hundreds of thousands of dollars into wagers a few days prior, by bleaching $5 bills out, and printing Franklin’s mug on em, a nice 2,000% gain.

    The banknotes of course passed muster when one of those counterfeit detector ink pens was dabbed on them, and why wouldn’t they, as the paper was certainly legit.

  5. Self Affine

    Here is a link to a recent report by a retired IBM exec. (security) debunking the “Russian Hack”

    https://nef4rhc.wordpress.com/

    The report is interesting onto itself but the section that leapt out at me was the following (while talking about criminal organizations}:

    “They provide fundamental support for the international banking system, the latter dependent upon non-state player’s cash flow. They provide support for increased price / earnings ratios of the Market, e.g., Wall Street. They provide support, directly and indirectly, at all levels of federal and local elected officials. Their financial foundation exceeds some nations. Laws are not an impedance to them. From the above, it can be seen that there are incentives to handle with care.

    These are the world-wide set of international organized crime (IOC) organizations. The last I heard, their annual profits, from the narcotics trade alone, was in the area of $800,000,000,000 – that’s billions. They collectively don’t bury this money. It is invested in control.”

    Mind boggling – to say the least, And it implies that hacking will only increase

Comments are closed.