The U.S. federal agency responsible for ensuring that markets function as they should and for protecting investors was hacked last year and the intruders may have used the nonpublic information they obtained to profit illegally.
The disclosure arrived two months after a government watchdog said deficiencies in the computer systems of the Securities and Exchange Commission put the system, and the information it contains, at risk.
In July, the Government Accountability Office issued a critical report about the security measures employed by the SEC, citing a number of deficiencies in "the effectiveness of SEC's controls for protecting the confidentiality, integrity, and availability of its information systems." It issued 26 recommendations that it said would make SEC systems more secure.
According to the SEC, the breach was discovered last year, but the possibility of illicit trading was uncovered only last month. It did not explain why the hack itself was not revealed sooner, or which individuals or companies may have been impacted.
In a prepared statement, SEC chairman Jay Clayton said a review of the agency's cybersecurity risk profile determined that the previously detected incident was caused by "a software vulnerability" in its filing system known as EDGAR, short for Electronic Data Gathering, Analysis, and Retrieval system. Clayton said SEC has been conducting an assessment of its cybersecurity since he took over as chairman in May.
In the wake of the breach at the SEC, a Canadian umbrella group representing provincial securities regulators plans an additional cybersecurity review.
According to Reuters, the Canadian Securities Administrators said its regular reviews of national systems have found no evidence they've been compromised.
The CSA, which said it had not been in contact with the SEC, operates SEDAR, its equivalent to the EDGAR system.
Enormous movements in markets
The SEC files financial market disclosure documents through its EDGAR system, which processes more than 1.7 million electronic filings in any given year. Those documents can cause enormous movements in the market, setting billions of dollars in motion in fractions of a second.
The revelation from the critical agency comes as Americans grapple with the repercussions of a massive, months-long hack at the credit agency Equifax, which exposed highly sensitive personal information of 143 million people in the U.S., and about 100,000 in Canada. Clayton said the agency's breach did not result in exposing personally identifiable information.
The SEC hasn't said whether it is investigating the hack at Equifax, but the agency for years has leaned on publicly traded corporations to strengthen their own cybersecurity systems.
An investigation into the breach and its possible consequences is ongoing, and the SEC said that it is co-operating with the "appropriate authorities."