In an update that will become part of his testimony Wednesday before the House Financial Services Committee, SEC Chairman Jay Clayton said that the 2016 EDGAR intrusion compromised the names, dates of birth, and social security numbers of two individuals. The update does not foreclose the possibility that other individuals may also have been affected.
SEC staff notified Clayton of the new information on Friday, and are in the process of notifying the individuals and offering them identity theft protection and monitoring services, according to the statement. The determination that the two individuals’ information was accessed by third parties "is based on forensic data analysis conducted since the agency’s Sept. 20th disclosure of the intrusion which relied on the latest information available at that time."
The update adds that if the agency uncovers additional individuals whose information may have been accessed, those individuals will also be contacted and offered identity theft services.
Going forward, the SEC has organized its response to the breach into five main work streams:
The Office of Inspector General’s review into the 2016 EDGAR breach;
The Division of Enforcement’s investigation into possible illicit trading resulting from the breach;
A focused review and possible "uplift" of the EDGAR system;
A more general assessment and uplift of the agency’s cybersecurity risk profile, which involves identifying and reviewing all current and planned systems (including the Consolidated Audit Trail) that hold market sensitive data or personally identifiable information; and
The SEC’s internal review, overseen by the Office of the General Counsel, to determine the procedures followed in response to the 2016 intrusion.
Clayton authorized the immediate hiring of additional staff and outside IT consultants and directed SEC staff to strengthen the agency’s cybersecurity risk profile. Staff are looking at whether EDGAR is the appropriate mechanism to obtain certain types of data and reviewing the security systems, processes, and controls in place to protect EDGAR data. While EDGAR is the initial focus, staff will conduct similar reviews of other systems at the SEC. They also will work to enhance escalation protocols for cybersecurity incidents.
The agency is also evaluating its cybersecurity risk governance structure, which includes the establishment of a senior-level cybersecurity working group. Other ongoing and upcoming initiatives include Commission-level incident response exercises and continued interaction with other government agencies and committees on cybersecurity.
MainStory: TopStory CyberPrivacyFeed RiskManagement SECNewsSpeeches
Interested in submitting an article?
Submit your information to us today!Learn More