SEC Chair Clayton Updates 2016 EDGAR Cyber Breach Disclosure

By Randi Morrison posted 10-03-2017 08:03 AM

  
SEC Chair Clayton released this update yesterday on the 2016 EDGAR breach, which indicates that - in addition to the information previously disclosed (reported on in last week's Society Alert here) - new information he was provided last Friday revealed that an EDGAR test filing including the names, birth dates, and SSNs of two individuals was accessed. The SEC will offer to provide those individuals, as well as any others whose identifying information it learns was accessed via the breach, identity theft protection and monitoring services.

The release also updates the various components of the SEC's cyber breach-triggered diligence and investigation going forward:


The agency’s efforts going forward are organized into five principal work streams:

1)    The review of the 2016 EDGAR intrusion by the Office of Inspector General.  Staff have been instructed to provide their full cooperation with this effort

2)    The investigation by the Division of Enforcement into the potential illicit trading resulting from the 2016 EDGAR intrusion

3)    A focused review of and, as necessary or appropriate, uplift of the EDGAR system. The EDGAR system has been undergoing modernization efforts.  The agency has added, and expects to continue to add, additional resources to these efforts, which are expected to include outside consultants, and will increase the focus on cybersecurity matters

4)    The more general assessment and uplift of the agency’s cybersecurity risk profile and efforts that were initiated shortly after the Chairman’s arrival at the Commission this past May, including, without limitation, the identification and review of all systems, current and planned (e.g., the Consolidated Audit Trail or CAT), that hold market sensitive data or personally identifiable information

5)    The agency’s internal review of the 2016 EDGAR intrusion to determine, among other things, the procedures followed in response to the intrusion. This review is being overseen by the Office of the General Counsel and has an interdisciplinary investigative team that includes personnel from regional offices and will involve outside technology consultants


The update is also encompassed within Chair Clayton's prepared remarks for tomorrow's Financial Services Committee hearing on the SEC's agenda, operations and budget, where the SEC's cybersecurity posture generally, and the 2016 breach and related disclosure specifically, will undoubtedly play a role.