Business World

Sunday 18 February 2018

Insider trading fears after US watchdog hacked

Jay Clayton, chairman of the US Securities and Exchange Commission, said the agency learned in August that hackers may have exploited an incident in 2016 for illegal insider-trading
Jay Clayton, chairman of the US Securities and Exchange Commission, said the agency learned in August that hackers may have exploited an incident in 2016 for illegal insider-trading

Sarah N Lynch

The US Department of Homeland Security detected five "critical" cyber-security weaknesses on the Securities and Exchange Commission's computers as of January 23, 2017, according to a confidential weekly report reviewed by Reuters.

The report's findings raise fresh questions about a 2016 cyber breach into the US market regulator's corporate filing system known as "EDGAR."

Securities and Exchange Commission headquarters in Washington
Securities and Exchange Commission headquarters in Washington

SEC chairman Jay Clayton disclosed this week that the agency learned in August 2017 that hackers may have exploited the 2016 incident for illegal insider-trading.

The January DHS report, which shows its weekly findings after scanning computers for cyber weaknesses across most of the federal civilian government agencies, revealed that the SEC at the time had the fourth most "critical" vulnerabilities.

It was not clear if the vulnerabilities detected by DHS are directly related to the cyber breach disclosed by the SEC. But it shows that even after the SEC says it patched "promptly" the software vulnerability after the 2016 hack, critical vulnerabilities still plagued the regulator's systems.

The hack, two weeks after credit-reporting company Equifax said hackers had stolen data on more than 143 million US customers, has sent shockwaves through the US financial sector.

An SEC spokesman did not have any comment on the report. It is unclear if any of those critical vulnerabilities, detected after a scan of 114 SEC computers and devices, still pose a threat.

During the Obama administration, such scans were done on a weekly basis. "Any critical vulnerability like that should be acted on immediately," said Tony Scott, the former federal chief information officer during the Obama administration who now runs his own cyber-security consulting firm.

"This is what was at the root of the Equifax hack. There was a critical vulnerability that went unpatched for some long period of time. And if you're a hacker, you are going to ... try to see if you can exploit it in some fashion or another. So there is a race against the clock."

For the past several years, the Department of Homeland Security has been producing a report known as the "Federal Cyber Exposure Scorecard". It provides a weekly snapshot to more than 80 civilian government agencies about potential outstanding cyber weaknesses and how long they have persisted without being patched.

A directive by Homeland Security requires agencies to address critical vulnerabilities within 30 days, though sometimes that deadline can be difficult to meet if it might disrupt a government system.

The January snapshot shows improvements have been made across the US government since May 2015, when there were a total of 363 critical vulnerabilities on devices across all of the civilian agencies, according to the report.

As of January 23, there were a total of 40 critical vulnerabilities across the agencies reviewed by DHS and another 280 weaknesses categorised as "active high," which is the second more severe category.

The top four agencies with the most "critical" vulnerabilities as of January 23 included the Environmental Protection Agency, the Department of Health and Human Services, the General Services Administration and the SEC.

However, more vulnerabilities do not necessarily mean one agency is worse than another because things depend on how many computers or devices known as "hosts" were scanned and what kinds of information could potentially be exposed.

"All it takes is one," Scott said. "You can have one host and one vulnerability and your risk might be 10 times as high as someone who has 10 hosts and 10 vulnerabilities." (Reuters)

Irish Independent

Promoted Links

Business Newsletter

Read the leading stories from the world of Business.

Promoted Links

Also in Business