On Sept. 20, the Securities and Exchange Commission announced that its system for electronic filing for public company disclosures, EDGAR, was compromised last year and that hackers may have used exposed information for illicit trading. The disclosure, which provided few details, offered the Commission the opportunity to issue a larger, wide-ranging statement describing its efforts to promote effective cybersecurity practices—inside the Commission itself as well as with respect to the market more broadly and the market participants it regulates. Notably, the statement highlights its continued, active investigation and enforcement of cybersecurity-related failures.

The Statement on Cybersecurity, released by Chairman Jay Clayton on September 20, 2017, did not indicate when the specific cyber-intrusion occurred but acknowledged that it resulted in access to nonpublic information:

In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading. Specifically, a software vulnerability in the test filing component of our EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information. We believe the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk. Our investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities.

The Statement on Cybersecurity is available in its entirety here. It is unclear whether the 2016 incident occurred before or after a GAO review of the Commission's FY 2016 cybersecurity protocols, which found that the agency had not fully implemented certain recommended intrusion detection capabilities. See the GAO report, SEC Improved Control of Financial Systems but Needs to Take Additional Actions, here.

Instead of offering detail regarding the incident, the Statement sets forth the Commission's understanding of its role in promoting cybersecurity as “[d]ata collection, storage, analysis, availability and protection (including security, validation and recovery) have become fundamental to the function and performance of our capital markets, the individuals and entities that participate in those markets, and the U.S. Securities and Exchange Commission.” The Statement broadly summarizes key areas of cybersecurity risk faced by both the Commission and its regulated entities: