Daily Management Review

SEC’s EDGAR database vulnerable to cyber threats


10/06/2017


The SEC has admitted to the existence of vulnerabilities in its EDGAR database, a repository that houses millions of filings from corporate America, not only in an internal memo but also during a Congressional hearing. As a result, the implementation of the new rules adopted in 2016 for the $18 trillion U.S. mutual fund industry is likely to be delayed.



According to an internal memo, the Securities and Exchange Commission (SEC), Wall Street’s top regulator, has discovered that its corporate filing database has vulnerabilities that could be exploited to cause a system collapse.

The SEC’s internal memo, dated September 22, discloses that its EDGAR database, which contains details of the financial performance of U.S. public limited companies and mutual funds, could be at risk of a “denial of service” (DoS) attack, which floods the network with packets until it is overwhelmed and forced to shut down.

The SEC made this discovery while testing EDGAR’s ability to absorb monthly and annual financial filings required under new rules adopted in 2016 for the $18 trillion mutual fund industry.

According to the internal memo, even an unintentional error by a company, such as filing an “invalid” form, could overwhelm the system’s memory and bring down the entire system.

The finding of the vulnerability comes in the wake of the SEC’s admission last month that hackers had been able to breach the EDGAR database in 2016 and had made money from the mined data.

The discovery casts further doubt on the SEC’s network capabilities and on whether the agency has adequately addressed cyber threats.

The mutual fund industry has long been concerned that the market-sensitive data it needs to submit could be exploited in the wrong hands.

As a result, the industry has redoubled its efforts to stall and delay the data-reporting rules, which are set to go into effect in June 2018, until it is reassured that the information it provides is secure.

“Clearly, the SEC should postpone implementation of its data reporting rule until the security of those systems is thoroughly tested and assessed by independent third parties,” said Mike McNamee, chief public communications officer of The Investment Company Institute (ICI), whose members manage $20 trillion worth of assets in the United States.

“We are confident Chairman Clayton will live up to his pledge that the SEC will take whatever steps are necessary to ensure the security of its systems and the data it collects.”

An SEC spokesman declined to comment.

Rules adopted in 2016 require asset managers to file monthly and annual reports on their portfolio holdings; the rules were designed to protect the mutual fund industry in the event of a market crisis by showing the SEC and investors that funds have enough liquidity to cover a rush of redemptions.

On Wednesday, in a Congressional hearing, SEC Chairman Jay Clayton testified that the agency was weighing its options to delay the rules in light of emerging cyber concerns. Incidentally, he did not mention EDGAR’s vulnerability to the DoS attack.

Source:

http://uk.reuters.com