A top US financial regulator faces questions about its preparation for cyber attacks, after disclosing a breach of a key database of company filings.
The Securities and Exchange Commission said a software vulnerability allowed access to private information and may have led to illicit trading.
Federal inspectors have previously identified numerous gaps in the SEC’s cyber security practices.
The SEC is investigating the breach.
A spokesperson declined to comment beyond a statement issued on Wednesday.
SEC Chair Jay Clayton said the agency detected the problem with the Edgar system, a main clearing house for filings by public companies, money managers, and other firms, in 2016 and fixed it.
But in August the SEC learned that the vulnerability may have been exploited for trading gains before it was patched. The agency said the breach did not result in “systemic risk”.
“The Commission will continue to prioritize its efforts to promote effective cybersecurity practices within the Commission itself and with respect to the markets and market participants it oversees,” Mr Clayton said.
A ‘big deal’
Questions remain about the scope of the breach, including when it occurred, how long it persisted and how many companies it might have affected.
The information available also does not make clear who might be behind the attack. Experts said possibilities range from organized crime groups to a state-backed entity.
Countries such as North Korea have been linked to groups alleged to be behind attacks on financial institutions in recent years, including the central bank of Bangladesh and a financial regulator in Poland.
Cyber security expert Tom Kellermann, chief executive of Strategic Cyber Ventures, said he thinks a group backed by a nation-state may be at work in this instance as well, because those are the groups that have succeeded at a high level in the past.
He is concerned about further security implications, he added.
“It’s a big deal,” he said. “The functional reality is [the disclosure is] just the tip of the iceberg.”
Analysts said the incident underscored that hackers are targeting increasingly high-profile financial institutions.
Cyber security firm Symantec said about 38% of the threats it detected last year targeted large businesses.
“There is a trend toward more worrisome malicious activity that targets financial markets,” said Tim Maurer, co-director of the Cyber Policy Initiative at the Carnegie Endowment for International Peace.
The SEC presents a rich target for criminals looking for information about companies and other parts of the financial system. It polices stock markets and its Edgar database contains millions of company filings.
The agency’s leaders have been sounding increasingly loud alarms about cyber threats to financial systems.
The US Department of Homeland Security also found five “critical” weaknesses on SEC computers in January, Reuters reported.
The latest breach raises concerns about whether the SEC took cyber security protection seriously enough, said Representative Bill Huizenga, who sits on House committees that oversee the agency.
“That’s a question that can and should be asked,” Mr Huizenga said. “We have a regulator not necessarily living up to the standards they have been expecting others to live up to.”
Mr Clayton, who was appointed by President Donald Trump in January and confirmed in May, initiated a review of the agency’s cyber practices this spring.
He was already scheduled to testify before a Senate banking panel next week, and he is expected to face questions about the breach there, as well as from lawmakers in the House.
Mary Jo White, who preceded Mr Clayton as SEC chair, declined to comment.
The disclosure is likely to hurt the SEC, said William Carter, deputy director of the Technology Policy Program at the Center for Strategic and International Studies.
“The big issue it will pose is it will influence the credibility of the SEC and raise concerns about the risk companies face when making disclosures,” he said.