The SEC hack has pitched the international finance world into turmoil as Wall Street's top regulator admits to not having secured its own systems.

Move over, Equifax; the SEC hack may have just stolen your thunder. Less than two weeks after Equifax disclosed that it had been breached, compromising the personal information of half of America, the U.S. Securities & Exchange Commission admitted to a 2016 attack on its EDGAR database. Because EDGAR is used to disseminate company news and data to investors, the likely goal of the SEC hack was insider trading. ZDNet reports:

[The] SEC said the Edgar filing system data breach took place in 2016, but it is not yet known which companies may have been affected -- or how much the hacker profited.

Edgar processes roughly 1.7 million electronic filings per year.

The hacker was able to take advantage of a "software vulnerability in the test filing component" of Edgar, which "resulted in access to nonpublic information."

It gets even better; during the internal audit that brought the SEC hack to light, it was also discovered that SEC staff members were using “private, unsecured email accounts to transfer confidential information.”

The SEC has been bending over backwards to downplay the seriousness of the breach. Among other things, the agency stated it doesn’t “believe” any personal identifying information was compromised.

Well, that’s reassuring. After all, data breaches never turn out to be far more extensive than originally reported, do they?

Let this one sink in: The very agency in charge of enforcing cyber security on Wall Street, the same agency that called cyber attacks “the greatest threat to our [financial] markets,” issued a special risk bulletin after the WannaCry attacks, and very recently implied a greater emphasis on cyber security enforcement moving forward, cannot protect its own data. In fact, it turns out that the SEC itself has been warned about potential cyber security vulnerabilities for years; in January, the U.S. Department of Homeland Security found five “critical weaknesses” on SEC computers.

By the way, as of this writing, nobody has any earthly idea whether those “critical weaknesses” were ever addressed, or if they played a role in the SEC hack – although the agency pinky-swore that it “promptly” patched the software vulnerability it claims led to the breach.

Congress isn’t having it; it’s hauling SEC chairman Jay Clayton in front of the Senate Banking Committee. Wall Street investors and the international finance world are chewing their fingernails, especially since the SEC was poised to begin rolling out CAT, a brand-new trading history database, in November. CNBC has called CAT “the biggest financial data base ever assembled.” If the SEC couldn’t secure EDGAR, how can it be trusted with CAT?

Isn’t Anyone Practicing Proactive Cyber Security and GRC Anymore?

There’s an awful lot we don’t yet know about the SEC hack. We don’t know what “software vulnerability” the SEC is referring to. We don’t know who perpetrated the hack, how long they were in the SEC’s systems, or when the attack happened, other than it was sometime in 2016, and the agency didn’t figure it out until last month. We don’t know what data was stolen, other than it consisted of “nonpublic information.” We also don’t know if the hackers stopped with EDGAR or if they used the database as a foot in the door to penetrate other sections of the SEC’s network.

From the information we do have, we can surmise that the SEC engaged in some of the same shenanigans as Yahoo (which ignored cyber security warnings for years), Sony Pictures and the DNC (both of which transmitted confidential information through private, unsecured email), and Equifax (which waited for nearly two months to disclose a very serious breach).

We also know that proactive governance, risk, and compliance protocols prevent incidents like the SEC hack, the Equifax breach, email hacks, and the AWS hacks that are now being disclosed nearly daily. While these hacks are serious and far-reaching, from a technical standpoint, they are usually very simple and stem from companies having zero control over their data, who has access to it, and where and how it is being transmitted and stored.

Data governance, risk management, and compliance with applicable data security standards are the foundation of proactive cyber security. If you don’t want your company to be the next Equifax or SEC, start with getting back to GRC fundamentals.

Author's Bio: 

Michael Peters is the CEO of Lazarus Alliance, Inc., the Proactive Cyber Security™ firm, and Continuum GRC. He has served as an independent information security consultant, executive, researcher, and author. He is an internationally recognized and awarded security expert with years of IT and business leadership experience and many previous executive leadership positions.

He has contributed significantly to curriculum development for graduate degree programs in information security, advanced technology, cyberspace law, and privacy, and to industry standard professional certifications. He has been featured in many publications and broadcast media outlets as the “Go-to Guy” for executive leadership, information security, cyberspace law, and governance.