There are plenty of examples. In September, Equifax reported a data breach that exposed the credit histories and other information of 145.5 million Americans. Shortly thereafter, the Securities and Exchange Commission (SEC) reported a hacking incident that occurred in 2016.
Individuals and lawmakers have raised concerns about delays in reporting breaches after these incidents. However, breach response requires a delicate balance. Before reporting a breach to the public at large, organizations that are hacked have a responsibility to make a measured, comprehensive assessment of the situation. Here are details of the SEC breach incident and guidance for victim-organizations on how (and when) to report a data breach.
SEC Announces Breach
SEC Chairman Jay Clayton announced in September that the agency was expanding a probe into a 2016 data breach of its electronic filing system, known as EDGAR (short for Electronic Data Gathering, Analysis and Retrieval). The investigation will primarily focus on a review of when agency officials learned that the EDGAR system had been hacked. The FBI and U.S. Secret Service have also launched investigations into the breach.
EDGAR is the electronic filing system that the SEC created to increase the efficiency and accessibility of corporate filings, and most publicly traded companies must submit documents to the SEC using it. However, smaller companies that don’t meet certain thresholds may be exempt from these EDGAR mandates.
Examples of documents that the SEC requires companies to file through EDGAR include annual and quarterly corporate reports and information pertaining to institutional investors. This time-sensitive information is often critical to investors and analysts.
Hackers Exploit Outdated System
Launched in the 1990s, EDGAR has been routinely updated and modified over the last two decades. However, like many legacy systems, EDGAR has some weaknesses and glitches, and the system will eventually need to be replaced.
The SEC awarded a $6.1 million contract to a firm in September 2016 to collect information needed to completely redesign EDGAR. The SEC anticipates that the information-gathering phase will extend through March 2018. A further extension may be requested to provide additional support for the redesign.
Based on the SEC’s preliminary investigation, it appears that hackers were able to breach EDGAR by using authentic financial data when they were testing the agency’s corporate filing system. The breach occurred in October 2016 and was reportedly detected that month. The cyberattack appears to have been routed through a server in Eastern Europe.
The breach was discovered as part of an ongoing investigation by the SEC’s enforcement division. Although SEC Chair Clayton was vague on the details, he admitted, “Information they gained caused them to question whether there had been a breach of the system.”
Additionally, it’s not entirely clear what kind of information was breached. Corporate filings contain detailed financial information about company performance, but such information is usually available to investors in press releases prior to SEC disclosure. According to industry insiders, one potential target could be Forms 8-K. These are unscheduled filings regarding material events that companies are legally required to disclose. These disclosures in EDGAR begin before the official word gets out to the rest of the world.
Media sources say that the FBI’s investigation has homed in on trading activities conducted in connection with the breach. One possibility is that the EDGAR breach is connected to a group of hackers that intercepted electronic corporate press releases in a previous case handled by the FBI team.
SEC Chair Clayton, who took office in May 2017, claims to have first learned of the breach in August 2017. Clayton can’t guarantee that there haven’t been other breaches, although he didn’t blame his predecessors. “I cannot tell you with 100% certainty that this is the only breach we have had,” Clayton said, reiterating that the investigation was “ongoing.”
Take Control of Breach Response
The SEC incident was announced at roughly the same time as the high-profile Equifax breach, and the public response has focused significant attention on the lag between when an organization detects a breach and when it’s announced to the public.
The media and congressional investigations have cast doubt on the intentions of SEC Chair Clayton and the management team at Equifax: Were the delayed responses actually attempts to hide the truth, thereby exposing investors and other stakeholders to even greater potential losses?
However, it’s also important to consider the perspective of the victim-organization before anyone jumps to conclusions. It takes time to investigate a breach before announcing it to the public. A knee-jerk response that subsequently needs to be revised can cause major damage to the organization’s reputation with its stakeholders.
What should you do as soon as you suspect that your organization’s data has been breached? First, call your attorney, who will help assemble a team of data response specialists. The preliminary goal is to answer two fundamental questions:
- How were the systems breached?
- What data did the hackers access?
Forensic experts can help evaluate the extent of the damage once these questions have been answered. Sometimes, a breach occurs, but the hackers don’t actually steal any data.
A comprehensive data response includes the following services:
- Information technology (IT),
- Communications / public relations, and
- Credit monitoring services.
The goal in breach response is essentially the same whether your organization is small or large, for-profit or not-for-profit: to provide accurate, detailed information about the incident as quickly as possible to help minimize losses and preserve trust with customers, employees, investors, creditors and other stakeholders.
Once investigative and response procedures are underway, management needs to take proactive measures to fortify controls. This final step helps minimize the risk that another data breach will occur in the future.
In today’s interconnected, technology-driven world, data breaches are inevitable. But how an organization responds to a breach can set it apart from others and affect its goodwill with stakeholders.
It’s important to work with your legal and forensic accounting professionals to help prevent and detect breaches, as well as to establish policies and procedures for investigating and responding to suspected hacking incidents. Proactive organizations don’t wait for a breach to strike.