The Insecurity of Security
Lingering questions remain over the SEC's handling of its own cybersecurity incident.
There has been, undoubtedly, a fair dollop of schadenfreude accompanying widespread disbelief this week as the Securities and Exchange Commission (SEC) joined the dubious honor roll of organizations that have suffered a massive cyber intrusion in recent weeks.
After all, this is the agency that has been continuously warning firms for years about their cyber practices and introduced specific rules to govern such areas not too long ago in the form of Regulation Systems Compliance and Integrity.
For it then to announce that it had not only been the victim of infiltration itself—in the secure database for company filings, no less—bordered on the incredible at first. Then came the revelation that senior officials hadn’t been made aware of it for months, and that the attack happened last year, potentially exposing markets to enormous amounts of illicit trading. None of it looks good for the agency.
It also hasn’t been helped by the somewhat furtive way it announced it—in a press release dispatched at around 8 p.m. Eastern time on a Wednesday, with a bland headline that makes it look like any other SEC missive on cybersecurity that has been issued over the years. It’s only when you read past the yawn-inducing first paragraph, and deep into the dense second, that the true purpose of this “statement” by SEC chairman Clayton becomes clear.
In journalism, this is a cardinal sin known as “burying the lede.” SEC press officers are not journalists, of course, but the apparently deliberate obfuscation here doesn’t look great. It also didn’t work, as the Wall Street Journal and the Washington Post issued story alerts some 30 minutes later.
There are lingering questions about how the SEC has handled this entire affair that need to be answered. Why did it take until August 2017 for the agency to become aware that a vulnerability in the Edgar system that was detected and patched in 2016 could have exposed the market to illicit trading? Was there, in fact, any illicit trading that then took place, and if it was as simple as the intruders buying a bunch of call options on companies ahead of significant announcements, why wasn’t it detected? More crucially, why were senior staff reportedly kept in the dark about this for so long?
These questions, and more, are apparently being asked by Congress. Senator Mark Warner, the ranking member of the Senate banking subcommittee, has already publicly expressed his intention to grill the SEC about this, and members of the House have said the same.
If the SEC wants a salutary lesson in how not to handle this incident, it can simply look to the botched Equifax ordeal. This is a matter of market confidence, and moreover, confidence in the ability of regulators setting rules around cybersecurity to keep their own house in order. Sunlight is the best disinfectant; rambling press releases with shocking, poorly detailed revelations are not.
This week on Buy-Side Technology:
- US editor Anthony Malakian and I talk to CBOE’s Bryan Harkins on the podcast this week about markets, technology, and his Wall Street Rides FAR charity event in support of autism research. You can learn more about the event here.
- If you haven’t read enough about the SEC hack already, this piece by yours truly and Inside Data Management’s Joanne Faulkner has more details, including the comment from Senator Warner.
- It’s been a busy week for other regulators, as the European market supervisors may be set to gain sweeping new powers under a proposal from the European Commission. Parliament, however, may block some of the more esoteric provisions.
- The FCA boosted its technology capabilities with an in-house system to monitor order books across equity and fixed income, commodities and currencies venues, the first time it’s been able to do this. It also warned that its patience on compliance with the revised Markets in Financial Instruments Directive (Mifid II) would not be infinite, but it would be proportionate in handling cases of non-compliance.
- SimCorp and TS joined forces to create a form of integrated order and execution management system.
- Finally, my colleague Aggelos Andreou has this nifty little piece on how exchanges have been the biggest winners from Mifid II, as we all knew was the case, really.