After the Securities and Exchange Commission (SEC) disclosed in September that its EDGAR corporate filing system had been hacked a year earlier, Chairman Jay Clayton declared cybersecurity one of his agency's top priorities.
"We must remain on top of evolving threats when it comes to securing our own networks and systems against intrusion," Clayton told Congress.
But The Hill's review of internal evaluations shows the agency, which is the lead U.S. regulator of Wall Street, was anything but on top of cybersecurity before the hack. It was warned for years prior to the 2016 attack by the agency's inspector general that it suffered from lax defenses against cyber intrusions and a culture of poor security management, the reports show.
“The weaknesses we observed in the SEC’s security controls could adversely affect the confidentiality, integrity, and availability of the agency’s information and information systems,” the inspector general warned back in 2013 in what proved to be a prescient harbinger of the hacking that would occur.
In the years that followed, the inspector general sent additional warnings and possible solutions for "critical security areas such as access and identity management."
But change was slow to come.
In June 2016, just a few months before the EDGAR hack, the inspector general warned the SEC "had not fully addressed certain areas of potential risk identified in prior" security audits, and it raised specific concerns about vulnerabilities related to computer system authorizations and configurations.
"As a result, the SEC is at increased risk of unauthorized disclosure, modification, and use of sensitive, nonpublic information. Furthermore, these weaknesses present potential risks to the availability and functionality of mission-critical information systems," the internal watchdog warned again.
Inside the inspector general's office, a special unit designed to help cyber defenses also complained in 2016 that it was starved for resources and suffered from "no strategic vision and no clear objectives," according to a whistleblower's memo reported recently by Reuters.
SEC officials noted that Clayton ordered a security review this past May, shortly after being confirmed to lead the agency. The SEC said that review is ongoing and that the agency is committed to "identifying and managing cybersecurity risks and ensuring that market participants – including issuers, intermediaries, investors and government authorities – are actively and effectively engaged in this effort."
The EDGAR system is used by all publicly traded companies to file disclosures like mergers, company earnings and acquisitions. SEC officials say the 2016 hack may have been used to make some illicit trades and that private information, including Social Security numbers and dates of birth, was accessed for at least two people.
Experts in the cybersecurity field say they weren't surprised to hear the SEC was breached.
Greg Otto, a cybersecurity expert with CyberScoop, said there are several reasons why the U.S. government has lax cyber defenses for many of its agencies.
“A lot of government agencies are dealing with what we call legacy systems in which they’re dealing with technology that is 15-20 years, in some cases 30 years old. A lot of what is done in cybersecurity today as far as the technology can’t be bolted on to these legacy systems. So, the systems stay vulnerable because they don’t have the quick fixes that they need technology-wise and they don’t have the people they need in order to protect them," Otto said.
Rep. Jim Langevin (D-R.I.) agrees with Otto's assessment.
"You know had they been more vigilant, had the data been encrypted, then it would have gone a long way toward making it difficult," Langevin told The Hill.
The details surrounding the SEC breach are still being investigated. Langevin said Congress is dedicated to establishing what happened and finding a solution to protect vulnerable cyber systems.
"We’re just going to continue to be involved with this, get the answers we need to get, and just — this whole thing was certainly troubling," Langevin said.