October 11, 2017

Hackers, Wall Street and the Innocents

Hackers. Some see them as evil criminals, out to destroy the lives of innocents; others consider them righteous anarchists, sticking it to corrupt world leaders and the corporate man. All can agree their ability to cause mass disruption is unmatched. While a few ambitious attackers aim for war and world domination (Russia, China, North Korea and the US have all experienced cyberattacks), most have a smaller aspiration: making money. The rich inventory of consumer information held by the financial industry makes it a prime target, and it faces tens of thousands of attacks daily. It is up to executives, regulators, and legislators to be proactive in the race against cyber criminals; as two financial organizations recently learned, underestimating them can make the challenge of preventing large-scale attacks impossible.

What happened at the SEC?

According to its website, the US Securities and Exchange Commission (SEC) is an “independent agency of the United States federal government which seeks to meet a growing need for sound market regulation” by “protecting investors, maintaining fair, orderly and efficient markets and facilitating capital formation.” It is the trusted holder of information for the bigwigs of Wall Street, like Goldman Sachs, Citadel, and Renaissance, which is why public outrage ensued after cyber attackers gained access to the SEC’s corporate filing system, EDGAR. EDGAR (Electronic Data Gathering, Analysis, and Retrieval system) is where Corporate America goes to store its important stuff: IPOs, quarterly earnings reports, mergers and acquisitions, warnings, etc. Why is this significant? Any individual who gains access to this database would also be privy to market-moving news long before anyone else. Just like a gambler counting cards, hackers with this information take all chance out of stock trading and essentially rob the system. It’s no wonder blood pressures are skyrocketing all over Wall Street.

Ironically, shortly before the hack occurred, the SEC had decided that Wall Street’s technological infrastructure needed an upgrade. Intending to implement these changes and help protect companies from cyberattacks, the SEC created a series of regulations called the Reg SCI. Post-hack, Wall Street has expressed particular concern with the possibility that unauthorized individuals gained access to the Consolidated Audit Trail (CAT), the largest financial database ever created and a major component of the Reg SCI.

Remember Equifax?

Similar to the SEC hack, the 118-year-old credit reporting agency, Equifax, recently fell prey to a major security breach. Cybercriminals—who have yet to be identified—gained access to the names, social security numbers, birthdates and other private information of 143+ million Equifax users.

While the SEC hack gave access to market trends and may inhibit the ability to regulate stock trading, the Equifax breach gave access to private consumer information and, as a result, an indefinite ability to use victims’ identities fraudulently.

Looking out for number one.

It appears to be common practice for companies to downplay and deny the impact of cyber hacks for as long as possible. In the cases of Equifax and the SEC, the time gap between discovery and revelation may have enabled top executives to sell off their shares before broken trust and bad publicity caused investors to jump ship and stock prices to plummet.

According to npr.org, three Equifax executives “sold nearly $2 million worth of company stock” within days of the massive breach, which “wasn't publicly disclosed until more than a month later.” In a statement, Equifax says the executives “had no knowledge that an intrusion had occurred at the time they sold their shares”; however, Bloomberg reported that “none of the filings lists the transactions as being part of 10b5-1 scheduled trading plans.”

Similarly, the SEC hack occurred in 2016 but was only revealed in August 2017, raising questions about the agency’s transparency. In his opening statement to the Senate, SEC Chairman Jay Clayton said he waited to disclose the company’s massive data breach until he believed “we weren’t going to learn anymore.”

Timelines aren’t the only questionable aspect of these intrusions. At one point, a clause on the Equifax website enabled the company to withhold information (like whether or not an individual was affected by the hack) until that individual agreed to forfeit their right to a civil lawsuit. According to the Washington Post, it was initially reported that the SEC breach “may have allowed the hackers to make a profit from illegal stock sales but did not compromise any personal data.” Recent forensic analysis has determined this is untrue, as the names, dates of birth, and social security numbers of at least two people were stolen.

Things need to change.

If these hacks reveal anything, it is that legislators, regulators and corporate executives frequently underestimate the cunning of hackers; as a result, they fail to honor their most valuable asset: the trust of customers. “There’s no panacea against hacking,” said Bradley Bondi, former counsel at the SEC. “Every organization, whether a public company or a government agency, such as the SEC, lives in glass houses when it comes to hackers. No organization can guarantee security or expect it.”

It is up to executives, regulators, and legislators to be proactive in the race against cyber criminals. Through a combined effort toward transparency, urgency, and diligence, corporate holders of information may be able to stay a step ahead of criminals to thwart cyberattacks before they devastate consumers.