S.E.C. Hacking Response Provides Road Map for Compromised Companies

For an agency that prizes prompt disclosure of accurate information and has pursued enforcement cases for companies that fail to disclose or update information for investors, it appears that the S.E.C. could use a dose of its own medicine.

But the hacking is more than a simple stumble for the S.E.C. It has provided a road map for what compromised companies can say in the future — using the S.E.C.’s own words — and raised the question of how the commission would secure hugely valuable information if it succeeds in its goal of collecting even more of it.

In announcing the breach last week, Mr. Clayton noted that “even the most diligent cybersecurity efforts will not address all cyberrisks that enterprises face.” Those words are certain to be cited back to the S.E.C. by any company — especially Equifax — when questions are raised about the systems it uses to prevent digital attacks and make a timely disclosure to the public when they do occur.

The Edgar system has been misused before, including a 2015 scheme to manipulate the shares of Avon by filing a fake tender offer for the company that temporarily drove up the value of its shares. That is akin to a spam email or another type of spoof that has a modest impact on the market and does not raise questions about the probity of the financial system.

The more ominous message about the breach is that only recently has it come to light that the information may have been used to generate trading profit. Much of what is in the Edgar system is made available to the public, but any preview before the release of information can be turned into enormous profit now that trading strategies can be executed in milliseconds.

Although Mr. Clayton claimed that the hacking did not “result in systemic risk,” the misuse of confidential information — especially when noticing it may have taken months — threatens the integrity of the financial markets.

The use of stolen information from the Edgar system has been likened to insider trading, but there is a crucial difference when hacking is involved. Insider trading requires showing a violation of a fiduciary duty in misusing the information for personal gain, but hackers are thieves who are bound by no such fiduciary duty.

It is no surprise that the hackers are at risk of penalties — in 2015, the Justice Department and the S.E.C. charged a group of Ukrainian hackers with fraud over trading on market-moving information before it was released to the…

Read the full article from the Source…

Leave a Reply

Your email address will not be published. Required fields are marked *