The Insecurity of Security

There has been, undoubtedly, a fair dollop of schadenfreude accompanying widespread disbelief this week as the Securities and Exchange Commission (SEC) joined the dubious honor roll of organizations that have suffered a massive cyber intrusion in recent weeks.

After all, this is the agency that has been continuously warning firms for years about their cyber practices and introduced specific rules to govern such areas not too long ago in the form of Regulation Systems Compliance and Integrity.

For it then to announce that it had not only been the victim of infiltration itself—in the secure database for company filings, no less—bordered on the incredible at first. Then came the revelation that senior officials hadn’t been made aware of it for months, and that the attack happened last year, potentially exposing markets to enormous amounts of illicit trading. None of it looks good for the agency.

It also hasn’t been helped by the somewhat furtive way it announced it—in a press release dispatched at around 8 p.m. Eastern time on a Wednesday, with a bland headline that makes it look like any other SEC missive on cybersecurity that has been issued over the years. It’s only when you read past the yawn-inducing first paragraph, and deep into the dense second, that the true purpose of this “statement” by SEC chairman Clayton becomes clear.

In journalism, this is a cardinal sin known as “burying the lede.” SEC press officers are not journalists, of course, but the apparently deliberate obfuscation here doesn’t look great. It also didn’t work, as the Wall Street Journal and the Washington Post subsequently issued story alerts some 30 minutes later.

There are lingering questions about how the SEC has handled this entire affair that need to be answered. Why did it take until August 2017 for the agency to become aware that a vulnerability in the Edgar system that was detected and patched in 2016 could have exposed the market to illicit trading? Was there, in fact, any illicit trading that then took place, and if it was as simple as the intruders buying a bunch of call options on companies ahead of significant announcements, why wasn’t it detected? More crucially, why were senior staff reportedly kept in the dark about this for so long?

These questions, and more, are apparently being asked by Congress. Senator Mark Warner, the ranking member of the Senate banking subcommittee, has already publicly expressed his intention to grill the SEC about this, and members of the House have said the same.

If the SEC is going to learn anything about how not to handle this incident, it can simply look to the botched Equifax ordeal for a salutary lesson in how not to go about doing things. This is a matter of market confidence, and moreover, confidence in the ability of regulators setting rules around cybersecurity to keep their own house in order. Sunlight is the best disinfectant, rather than rambling press releases with shocking, poorly detailed revelations.

This week on Buy-Side Technology:

• US editor Anthony Malakian and I talk to CBOE’s Bryan Harkins on the podcast this week about markets, technology, and his Wall Street Rides FAR charity event in support of autism research. You can learn more about the event here.
• If you haven’t read enough about the SEC hack already, this piece by yours truly and Inside Data Management’s Joanne Faulkner has more details, including the comment from Senator Warner.
• It’s been a busy week for other regulators, as the European market supervisors may be set to gain sweeping new powers under a proposal from the European Commission. Parliament, however, may block some of the more esoteric provisions.
• The FCA boosted its technology capabilities with an in-house system to monitor order books across equity and fixed income, commodities and currencies venues, the first time it’s been able to do this. It also warned that its patience on compliance with the revised Markets in Financial Instruments Directive (Mifid II) would not be infinite, but it would be proportionate in handling cases of non-compliance.
• SimCorp and TS joined forces to create a form of integrated order and execution management system.
• Finally, my colleague Aggelos Andreou has this nifty little piece on how exchanges have been the biggest winners from Mifid II, as we all knew was the case, really.