The hack of the SEC’s

Last year, the agency's internal watchdog reviewed the SEC and found that it was not fully complying with federal cybersecurity standards, including the requirement that public-facing systems support multi-factor authentication. A separate independent review conducted a year ago found weaknesses in the agency's security measures, such as the protocols meant to prevent unauthorized access to its network.

The SEC is by no means the only federal agency to come under fire in recent years for lax cybersecurity defenses, but its high-profile role in regulating companies and markets across the United States has made it a particularly popular target for hackers. In 2016, the agency suffered a cyberattack that compromised its business filing database, allowing hackers to profit from nonpublic information, according to U.S. prosecutors.

"We just witnessed the latest technological breach in Washington yesterday, which is also a real low-lying area for the SEC," Arkansas Republican Congressman French Hill said Wednesday at a meeting of the U.S. House Digital Assets Panel. He said congressional Republicans are sending a letter to SEC Chairman Gary Gensler asking for an investigation into the hack.

On Thursday, Democratic Sen. Ron Wyden of Oregon and Republican Sen. Cynthia Lummis of Wyoming also called for an investigation into the hacking incident. In a letter to the SEC's inspector general, the two lawmakers asked for an investigation into "the SEC's apparent failure to follow cybersecurity best practices," including multi-factor authentication.

The SEC declined to comment on its cybersecurity policies. The FBI is investigating an incident on Tuesday in which a hacker took control of the SEC's account on X, formerly Twitter. The hackers then published a fake post falsely claiming regulators had approved plans for a spot Bitcoin exchange-traded fund, causing Bitcoin prices to surge. (A day later, the agency approved the ETF plan.)

X said in a statement that an unknown person gained access to the SEC's account on X by obtaining control of the phone number associated with it. The statement also noted that the SEC had not enabled two-factor authentication, which has become a standard security layer for businesses as cyberattacks increase. It remains unclear why the SEC had not set up the additional authentication.

The U.S. Securities and Exchange Commission recently implemented new rules requiring public companies to disclose cyber incidents within four business days, part of a broader effort to increase transparency about corporate cyber defenses. In October, the SEC also sued SolarWinds, which was compromised by Russian hackers in a 2020 breach that affected businesses and government agencies, accusing it of downplaying security risks and deceiving investors.

In a statement on Thursday, Serrin Turner, an attorney at Latham & Watkins LLP representing SolarWinds, said Tuesday's SEC hack "highlights that no organization's security controls can ever be considered perfectly implemented and why regulators should approach cybersecurity with great caution and humility."

Gensler himself has pointed out that businesses need to strengthen their digital security. In October, he posted a reminder on X to "keep your financial accounts safe from identity theft and fraud." One measure he suggested was multi-factor authentication.

In 2022, the White House released a cybersecurity strategy instructing agencies to take broad actions to improve their cybersecurity posture. The strategy emphasizes the need for multi-factor authentication, describing it as "a critical part of the federal government's security baseline."

The SEC's inspector general reported in a September letter that the SEC had made some progress in implementing these actions. But the reports show it still lags on some tasks. Specifically, as of the time of last year's audit, the SEC had not configured all of its public-facing systems to support multi-factor authentication.

The inspector general's report shows that the SEC nonetheless considered itself "generally" compliant because all but one of its systems had been migrated to Login.gov, a government-wide federal sign-in service that requires two-factor authentication. While the SEC believes the risk from the remaining system is limited, the inspector general maintains that phishing-resistant authentication is still necessary to prevent hackers from gaining access to the SEC's networks.

Kearney & Co. conducted a separate assessment of the SEC's data security controls and found that the agency did not consistently implement procedures to restrict access to its systems. The review, conducted in 2022, noted that some deficiencies date back as far as five years. Specific flaws were redacted, but the study found the vulnerabilities were caused in part by work-from-home policies related to the COVID-19 pandemic. Kearney ultimately concluded that the SEC's information security program did not meet the federal definition of "effective."

Last year, lax data security measures forced the SEC to dismiss 42 enforcement cases in its internal courts.

The agency found that some enforcement staff were able to see memos that they were not supposed to see. The SEC said at the time that it regretted the lapse and blamed it on a lack of appropriate safeguards.

In 2016, a group of Eastern European hackers breached the regulator's database of corporate filings. Court documents show the hackers stole non-public company financial reports and traded on them, earning more than $4.1 million.

In September, the inspector general recommended adding multi-factor authentication capabilities to that same database.