Peter J. Henning for the New York Times reported the Government Accountability Office had found IS deficiencies at the SEC that “limited the effectiveness of the S.E.C’s controls for protecting confidentiality, integrity and availability.” They also found poor encryption practices on certain data.
The hack was on a SEC system used by companies who are about to go public. The system is used as a practice system, where they enter in company information, just as they would when they become a publicly traded company.
The hack could have exposed insider information on companies who used the system to practice, and entered in real data vs. test data. Meaning, actual results, financial statements, and other data reported to the SEC by publicly traded companies.
This could have led to insider trading, by giving the hackers knowledge of non-public information and making trades based on that information.
The questionable thing is that the hack occurred last year… NIST and FISMA require reporting of a breach within 120 days of knowing. Now, these documents also include guidance to determine if a breach notification is required based on the likelihood of harm and could be argued why the SEC didn’t report last year, but… This type of incident handling now gives companies like Equifax a road map on how “Not” to report a security breach.
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
https://www.nytimes.com/2017/09/26/business/dealbook/sec-hack.html?mcubz=1
Leave a Reply
You must be logged in to post a comment.