
SEC Discloses Breach of Key Agency System

In a September 20, 2017 statement, Securities and Exchange Commission (SEC) Chairman Jay Clayton disclosed a 2016 security breach of the commission’s EDGAR system, which serves as a clearinghouse for filings required of public companies.

Clayton noted that while the SEC detected the breach in 2016, in August 2017 a separate investigation revealed that the breach “may have provided the basis for illicit gain through trading.”

The attackers exploited a software vulnerability to gain access to nonpublic information that could then be used to make profitable stock trades. The SEC does not believe that the breach compromised personally identifiable information. An internal investigation is underway.

According to Reuters, on September 26 Clayton told the Senate Banking Committee that the SEC is working on new guidelines to ensure that companies release details about cyber breaches “sooner.” The SEC is also investigating the recent Equifax breach.

Key Takeaways

While the SEC breach doesn’t directly affect nonprofit organizations, there are several important takeaways from the incident:

  • Vulnerability testing is vital. Both the Equifax and SEC breaches occurred when an attacker exploited a vulnerability that had not yet been patched. Periodic independent testing will help identify such risks in your organization before an attacker does.
  • Remediation is critical. Appoint someone within your organization to be responsible for ensuring that every identified risk is mitigated as soon as possible after discovery. The SEC vulnerability was patched after it was discovered, but attackers had already exploited it by then. The vulnerability exploited in the Equifax breach was public knowledge, but Equifax had not patched it.
  • Create a zero-day vulnerability plan. Many times, a patch or update is not available when a vulnerability is discovered. A zero-day plan sets out in advance the compensating controls your organization will apply (for example, disabling or isolating the affected component) until a fix is available, which shortens the window an attacker has to exploit it.

Please contact us at cybersecurity@capincrouse.com if you have questions or would like to learn more about how our cybersecurity services can help you reduce your organization’s risk.

Cyber-related services are provided by Traina & Associates, a CapinCrouse company. Traina & Associates is an authorized trade name of Capin Technology LLC, a subsidiary of Capin Crouse LLP.

Lisa Traina

Lisa is a partner at Traina & Associates, a CapinCrouse company. She uses her more than 30 years of experience to assist organizations in implementing measures to secure data and manage risks efficiently and effectively. She is a nationally recognized speaker and author, and serves on the AICPA Cybersecurity Task Force. Lisa founded Traina & Associates in 1999 to provide IS security services to a broad range of industries. Traina & Associates joined CapinCrouse in January 2017.
