Monday, September 25, 2017

Unfortunate timing for SEC disclosure of hacking incident

We recently looked into the massive data breach of personal information maintained by the publicly-traded company Equifax (EFX), one of the three major credit bureaus entrusted with such sensitive information.  The debacle claimed two of the company's top executives, chief information officer David Webb and chief security officer Susan Mauldin, who both resigned in mid-September.  On September 26, the company announced that its CEO Richard Smith is retiring but would act as an unpaid adviser for 90 days to help with the transition.  Mr. Smith will collect $72 million owed for this year and $17.9 million in pension and other benefits.  Fortune mischievously apportioned the $90 million payday across the customers whose information was improperly accessed at roughly 63 cents a head.

The House Energy and Commerce Committee and the Financial Services Committee have signaled their intent to hold hearings on the matter, and the Senate Commerce and Finance Committees sent letters to the company demanding answers about the extent of the breach and the steps the company is taking to mitigate the damage.  Breaking with normal practice because of the scale and seriousness of the incident, the Federal Trade Commission publicly disclosed that it had opened a formal investigation of the massive data breach.  Days later, thirty-six U.S. senators asked the SEC and other federal authorities to investigate approximately $1.8 million of Equifax stock sales by three of its executives between July 29 - the day the company said it learned of the data breach - and September 7, when the breach was publicly revealed.

The SEC hasn't publicly indicated if such an investigation is underway, but it has definitely been out front in pushing entities it oversees to be vigilant in staying on top of cybersecurity risks and candid in informing investors and other market participants of such risks.  In December 2014, the SEC released Regulation Systems Compliance and Integrity (Regulation SCI), which promulgated regulations requiring securities exchanges and clearinghouses to "take corrective action with respect to SCI events (defined to include systems disruptions, systems compliance issues and systems intrusions), and notify the Commission of such events."  Then on September 20, the Commission released a lengthy statement "highlighting the importance of cybersecurity to the agency and market participants, and detailing the agency's approach to cybersecurity as an organization and as a regulatory body."

Midway through the document, the Commission divulged that it learned last month that a hacking "incident previously detected in 2016 may have provided the basis for illicit gain through trading."  "Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information."  Distinguishing the situation from the Equifax data breach, the Commission expressed the belief that "the intrusion did not result in unauthorized access to personally identifiable information, jeopardizing the operations of the commission, or result in systematic risk."

Although the Commission did not provide the specifics of the "incident" referenced in the document, it can be pinpointed to May 14, 2016, an otherwise quiet Thursday when a sudden 20% surge in Avon Products (AVP) shares caused a stir.  The unexplained move was quickly traced to a filing by a "private-equity" firm, purportedly bidding to take Avon private, that was uploaded to EDGAR, the SEC's online public filing repository.  The authenticity of the document became suspect because it was riddled with typographical errors and also misspelled the firm's name, specifically its 3-letter acronym.  Further investigation did not turn up a PTG Capital operating in London, where it was located according to the filing, or anywhere else.  Investors quickly determined that the filing was a hoax, and Avon shares plummeted to their preexisting level.  At the time, federal prosecutors attributed the episode to a Bulgarian hacker and said the culprit made a mere $5,000 from the plot.

In an editorial entitled "The SEC's Cyber Embarrassment", the Wall Street Journal took the Commission to task for dropping the news that the filing system had been penetrated - all four sentences of it - in the middle of a 4,000 word document advising publicly-traded companies and exchanges on regulatory obligations to manage and disclose cyber risks; in journalism, the editorial board deadpanned, this is known as burying the lead.  Indeed the document raised more questions than it provided answers.

Considering that the EDGAR system receives and processes 1.7 million filings a year, more frequent or widespread intrusions into it could undermine the integrity of the information and wreak havoc on investment and trading decisions.  Moreover, news of the hack of its systems might not inspire confidence in the security of the SEC's Consolidated Audit Trail, which is scheduled to go online this fall after seven years of development.  If all goes according to plan, the CAT, a single, comprehensive database, will enable regulators to more efficiently and thoroughly track all trading in the U.S. equity and options markets.  U.S. financial exchange officials have warned that the system will be an inviting target for hackers.

The SEC demands that publicly-traded companies scrupulously adhere to stringent disclosure regulations, compliance with which has been facilitated in recent years by its online platforms.  Once required information has been made public in filings via SEC systems, companies are no longer responsible for its safekeeping and integrity; that responsibility falls to the SEC.  But any shortcomings in the SEC's own safekeeping will invariably be felt on the issuer side.

Robert Stead
