SEC Hack: Is The Regulator Withholding Crucial Disclosure?

Just two weeks prior to a cybersecurity breach, the U.S. Securities and Exchange Commission (SEC) was alerted to critical lapses in its cybersecurity defenses. The alert was issued via a report released by the Office of Inspector General (OIG) detailing the SEC’s inadequacies in maintaining strong security measures for digital assets.

The report, published by Cotton & Company Assurance and Advisor, highlighted that there is a necessity to improve several security protocols, including vulnerability management and risk assessment in urgency.

Based on the document, the SEC was advised to improve its information security controls to include risk management, security training, and continuous diagnostics. Disregarding these suggestions, a breach took place on January 9 when an unauthorized entity accessed the SEC’s X account, deceiving the public with a false statement concerning a Bitcoin ETF approval.

Details of the January SEC Hack

Besides breaching SEC’s communications, the cyberattack had a significant monetary impact as reports claimed that the wrong announcement resulted in $90 million in market liquidations.

This incident entailed a SIM-swapping attack, which is a ploy used by attackers to take control of a victim’s phone number to evade security measures, which include two-factor authentication and which the SEC had not put in place for the account in question.

After the occurrence, the SEC clarified that the breach was restricted to social media and did not reach into internal systems or data. The entry point for the hackers was through the telecom carrier rather than a direct compromise of the digital infrastructure of the SEC, the agency stated.

Congressional Reaction and Calls for Accountability

The breach prompted an immediate reaction from the legislators, with Congresswoman Anne Wagner showing her worries regarding the impact of the hack. Describing the incident as a prime example of market manipulation, Wagner stated that he intended to ask more questions to Gary Gensler, the chairman of the SEC, when it comes to governance and the response after the cyber-attack.

The legislative inquiry has been centered on the sufficiency of the SEC’s reaction to the first OIG report and the possibility of what inaction on the part of the regulator following the report might have done towards the vulnerability that led to the January hack.

SEC’s Ongoing Response

Following the attack, the SEC is being watched to show improvements in its cybersecurity posture. As the SEC claims, they continue to work towards improving the strength of their information security program.

Nonetheless, specifics of how these improvements will be implemented are lacking, which hints at transparency issues and the effectiveness of the SEC’s response to both the OIG report and the January cyber incident.

The OIG’s timeline stipulated that the SEC was to submit its plan of action within 45 days after receipt of the December report, a timeline that came just before the hack. This has prompted more investigations into the adequacy and timeliness of the SEC’s administrative proceedings and observance of cyber security recommendations.

Read Also: SEC Delays Decision on Invesco Galaxy Ethereum ETF to July