SEC didn’t seek DHS cyber help after breach

The Securities and Exchange Commission (SEC) did not request help from the Department of Homeland Security (DHS) after its EDGAR financial database was breached last year, an official said Tuesday.

The SEC has come under scrutiny in Washington after disclosing just last month the 2016 breach, which it says may have allowed hackers to generate profits from stolen insider information.

A top Homeland Security official testified before lawmakers on the House Homeland Security Committee Tuesday that the SEC notified the department of the breach on Nov. 4 of last year but that “at the time, the extent of the issue was not well understood.”

“We have very limited involvement in SEC,” Jeanette Manfra, the assistant secretary for cybersecurity and communications at the National Protection and Programs Directorate, said when pressed about DHS’s involvement in the breach. “They did not request our follow-on assistance for response.” 

Homeland Security is designated as the lead civilian agency protecting federal systems from cyber threats. 

SEC Chairman Jay Clayton disclosed on Sept. 20 the EDGAR breach, which occurred sometime in 2016. Clayton, who was confirmed in May, told the Senate Banking Committee last week that he only learned of the intrusion in August, and that it would take a substantial amount of time to understand the full scope of the breach.

Clayton issued an update on Monday, revealing that the hack exposed personal information on two individuals, a change in the severity of the hack. He has stressed cybersecurity as a major priority of the commission under his watch. 

On Tuesday, Manfra said that DHS is reviewing its procedures in light of the SEC breach to make sure the department is more actively involved when agencies are breached — regardless of whether the entity reaches out to DHS for help. 

“In addition to this incident and several others, we are reviewing our procedures to ensure that it’s clear that when an incident happens, what role the department needs to play in a response, not just at the request of an agency,” Manfra said.

“If we’re looking at specific critical services and functions, then the department needs to have a more active role in that response regardless of whether the agency requests it,” she said. 

An SEC spokesman declined to comment.