SEC Had a Fraught Cyber Record Before X Account Was Hacked (1)

The hack of the U.S. Securities and Exchange Commission’s X account earlier this week is shining a light on an uncomfortable truth: Cybersecurity measures at Wall Street’s chief regulator have repeatedly been found to be lacking.

The agency wasn’t fully adhering to federal cybersecurity standards, including a requirement that public-facing systems support multifactor authentication, as of a reviewby its internal watchdog last year. A separate, independent evaluation performed a year earlier identified weaknesses in security measures at the commission, such as protocols for preventing unauthorized access to networks.

The SEC is by no means the only federal agency that has come under fire in recent years for lax cybersecurity defenses, but its high-profile role in regulating companies and markets across the US has made it a particularly attractive target for hackers. In 2016, the agency suffered a cyberattack that compromised its corporate filings database and allowed hackers to profit from non-public information, according to US prosecutors.

“We just witnessed the latest in Washington’s technological vulnerabilities yesterday, and a real low point for the SEC,” Rep. French Hill, an Arkansas Republican, said during a meeting of the US House of Representatives’ digital asset panel on Wednesday. Congressional Republicans were in the process of sending a letter to SEC Chair Gary Gensler demanding an investigation into the hack, he said.

On Thursday, Senators Ron Wyden, a Democrat from Oregon, and Cynthia Lummis, a Republican from Wyoming, also called for an inquiry into the hack. In a letter to the SEC’s Inspector General, the lawmakers asked for a probe of the “SEC’s apparent failure to follow cybersecurity best practices,” including multifactor authentication.

The SEC declined to comment on its cybersecurity policies. The Federal Bureau of Investigation was looking into the incident on Tuesday in which a hacker took control of the SEC’s handle on X, formerly known as Twitter. The hacker then published a fake post that inaccurately said the regulator had approved plans for spot Bitcoin exchange-traded funds, leading to a spike in the price of Bitcoin. (The agency approved ETF plans a day later.)

The US Securities and Exchange Commission’s X account was compromised on Tuesday with a fake post claiming that the agency had green lit plans to approve a spot-Bitcoin exchange-traded fund. Anna Irrera examines the fallout from the event on Bloomberg Television.

Source: Bloomberg

X said in a statement that an unidentified person had compromised the SEC’s X account by acquiring an associated phone number. It also noted that the SEC hadn’t activated two-factor authentication — a extra layer of security that has become standard for organizations as cyberattacks have increased. It remains unclear why the SEC hadn’t set up additional authentication.

Sign up for the Cyber Bulletin newsletter
for exclusive coverage inside the shadow world of hackers and cyber-espionage ‒ and how businesses are playing defense.

The takeover of the agency’s X account came at an inopportune time for the SEC, which recently imposed new regulations on public companies that require them to disclose cyber incidents within four business days as part of a broader effort to bring more transparency to corporate cyber defenses. In October, the SEC also sued SolarWinds Corp. — which was breached by Russian hackers in a 2020 hack that compromised both corporations and government agencies alike — for allegedly defrauding investors by downplaying security risks.

SolarWinds has disputed the allegations and accused the SEC of “twisting the facts.” In a statement Thursday, Serrin Turner, an attorney for Latham & Watkins representing SolarWinds, said the SEC hack on Tuesday “underscores how no organization’s security controls can ever be assumed to be perfectly implemented, and why regulators should approach cybersecurity with great care and humility.”

Gensler has meanwhile been outspoken about the need for companies to beef up digital security. In October, he posted a reminder on X “to secure your financial accounts as well as protect against identity theft and fraud.” One measure he recommended was multifactor authentication.

Read More: Companies Struggle to Sort How to Comply With SEC Cyber Rules

In 2022, the White House released a cybersecurity strategy directing agencies to take wide-ranging actions to better secure their networks. The strategy emphasized the need for multifactor authentication, describing it as “a critical part of the federal government’s security baseline.”

The SEC had made some progress on implementing the actions, its inspector general reported in a September letter. But it remained behind on some tasks, the report showed. Specifically, the SEC had yet to configure all of its public-facing systems to support multifactor authentication as of the audit last year, the inspector general said.

The SEC had instead argued that it was “generally” in compliance with the standard because all but one of its system had been migrated over to use Login.gov, a broader federal government access website that requires two-factor authentication, the inspector general’s report shows. While the SEC deemed the remaining system a limited risk, the inspector general insisted that phishing-resistant authentication was still necessary to keep hackers from gaining access to the SEC’s network.

Read More: SEC Hack Has Hallmarks of Lax Security Measures: Cyber Bulletin

A separate evaluation of the SEC’s data security controls by the firm Kearney & Co. found that the agency didn’t consistently implement procedures to limit access to its systems. The review, performed in 2022, noted that some deficiencies dated as far back as five years. The specific weaknesses were redacted, but the study found that the vulnerabilities were caused in part by Covid-related, work-from-home policies.

Kearney ultimately concluded that the SEC’s information security program didn’t meet a federal definition of being “effective.”

Last year, lax data security measures forced the SEC to dismiss 42 enforcement cases in front of its in-house courts. The agency found that some of its enforcement staff could see memos they weren’t supposed to see. The SEC said at the time that it regretted the lapse, which was blamed on a lack of proper safeguards.

In 2016, a group of eastern European hackers breached the regulator’s database of corporate filings. The hackers stole non-public corporate earnings reports and traded on them, making more than $4.1 million, according to court filings.

This past September, the regulator proposed adding multifactor authentication to the very same database.

(Updates with senators calling for an investigation in the fifth paragraph.)

To contact the reporters on this story:
Austin Weinstein in Washington at aweinstein18@bloomberg.net;
Jamie Tarabay in Washington at jtarabay2@bloomberg.net

To contact the editors responsible for this story:
Ben Bain at bbain2@bloomberg.net

Andrew Martin, Lynn Doan

© 2024 Bloomberg L.P. All rights reserved. Used with permission.