The Insecurity of Security
Lingering questions remain over the SEC's handling of its own cybersecurity incident.
There has been, undoubtedly, a fair dollop of schadenfreude accompanying widespread disbelief this week as the Securities and Exchange Commission (SEC) joined the dubious honor roll of organizations that have suffered a massive cyber intrusion in recent weeks.
After all, this is the agency that has been continuously warning firms for years about their cyber practices and introduced specific rules to govern such areas not too long ago in the form of Regulation Systems Compliance and Integrity.
For it then to announce that it had not only been the victim of infiltration itself—in the secure database for company filings, no less—bordered on the incredible at first. Then came the revelation that senior officials hadn’t been made aware of it for months, and that the attack happened last year, potentially exposing markets to enormous amounts of illicit trading. None of it looks good for the agency.
It also hasn’t been helped by the somewhat furtive way it announced it—in a press release dispatched at around 8 p.m. Eastern time on a Wednesday, with a bland headline that makes it look like any other SEC missive on cybersecurity that has been issued over the years. It’s only when you read past the yawn-inducing first paragraph, and deep into the dense second, that the true purpose of this “statement” by SEC chairman Clayton becomes clear.
In journalism, this is a cardinal sin known as “burying the lede.” SEC press officers are not journalists, of course, but the apparently deliberate obfuscation here doesn’t look great. It also didn’t work, as the Wall Street Journal and the Washington Post subsequently issued story alerts some 30 minutes later.
There are lingering questions about how the SEC has handled this entire affair that need to be answered. Why did it take until August 2017 for the agency to become aware that a vulnerability in the Edgar system that was detected and patched in 2016 could have exposed the market to illicit trading? Was there, in fact, any illicit trading that then took place, and if it was as simple as the intruders buying a bunch of call options on companies ahead of significant announcements, why wasn’t it detected? More crucially, why were senior staff reportedly kept in the dark about this for so long?
These questions, and more, are apparently being asked by Congress. Senator Mark Warner, the ranking member of the Senate banking subcommittee, has already publicly expressed his intention to grill the SEC about this, and members of the House have said the same.
If the SEC wants a salutary lesson in how not to handle this incident, it can simply look to the botched Equifax ordeal. This is a matter of market confidence, and moreover, of confidence in the ability of regulators setting rules around cybersecurity to keep their own house in order. Sunlight is the best disinfectant, rather than rambling press releases with shocking, poorly detailed revelations.
This week on Buy-Side Technology:
- US editor Anthony Malakian and I talk to CBOE’s Bryan Harkins on the podcast this week about markets, technology, and his Wall Street Rides FAR charity event in support of autism research. You can learn more about the event here.
- If you haven’t read enough about the SEC hack already, this piece by yours truly and Inside Data Management’s Joanne Faulkner has more details, including the comment from Senator Warner.
- It’s been a busy week for other regulators, as the European market supervisors may be set to gain sweeping new powers under a proposal from the European Commission. Parliament, however, may block some of the more esoteric provisions.
- The FCA boosted its technology capabilities with an in-house system to monitor order books across equity and fixed income, commodities and currencies venues, the first time it’s been able to do this. It also warned that its patience on compliance with the revised Markets in Financial Instruments Directive (Mifid II) would not be infinite, but it would be proportionate in handling cases of non-compliance.
- SimCorp and TS joined forces to create a form of integrated order and execution management system.
- Finally, my colleague Aggelos Andreou has this nifty little piece on how exchanges have been the biggest winners from Mifid II, as we all knew was the case, really.