In early 2016, long before the U.S. Securities and Exchange Commission acknowledged this week that it had fallen victim to computer hackers, the agency laid out a plan to fortify its cybersecurity defenses -- by hiring three new employees.
At the time, it looked like a modest effort, especially compared with the agency's overall staff of nearly 5,000. But earlier this year, even such incremental moves ran headlong into President Donald Trump's push to slash government spending in favor of big corporate tax cuts. In May, Trump proposed eliminating a $50-million-a-year fund used to finance SEC computer-system upgrades. And the SEC's own budget proposal for fiscal 2018 calls for the elimination of nine information-technology staff positions compared with the prior year's request.
The agency, which warehouses reams of sensitive details on corporations, Wall Street firms, exchanges, mutual-fund companies and accounting firms, revealed last Wednesday that hackers had broken into one of its systems last year, possibly obtaining tips for illegal trades. In an accompanying statement, SEC Chairman Jay Clayton said he now plans to hire more people -- the number wasn't specified -- to combat cyber-related threats.
Clayton is expected to face tough questions by Congress on Tuesday over a 2016 hack of the SEC's corporate filing system.
The episode shows the risks of cutting tech budgets for government agencies that serve as big data repositories, especially with hackers growing increasingly sophisticated and aggressive. Top SEC officials had argued for years that their systems needed reinforcement, as large banks like JPMorgan Chase & Co. (JPM) and Citigroup Inc. (C) and more recently the credit-reporting firm Equifax Inc. (EFX) suffered hacking attacks.
At the core of the matter is whether financial-industry executives, investors, accountants and lawyers that routinely share confidential data with the agency might start to doubt its ability to safeguard their secrets.
Since at least 2011, the Washington-based agency has admonished publicly-traded companies to fully inform stockholders about the risks of cyberattacks. The SEC has also brought charges against hackers who have traded on information stolen from newswires and law firms.
"It's the ultimate irony that the SEC may have unwittingly become the tipper in a variety of insider-trading schemes," said John Reed Stark, a former chief of the SEC's Office of Internet Enforcement who's now a private cybersecurity consultant in Bethesda, Md.
An SEC spokesman declined to comment for this story and said Clayton wasn't available for an interview.
The heightened scrutiny of the SEC -- usually the scrutinizer -- comes as the agency's systems are stretched by increasing use. In the past four years, online searches of the Electronic Data, Gathering, Analysis and Retrieval system, a corporate-filings database known as Edgar, have nearly tripled to more than 14 billion annually, agency documents show.
Citigroup is a holding in Jim Cramer's Action Alerts PLUS charitable trust portfolio. Want to be alerted before Cramer and the AAP team buy or sell the stock? Learn more now.
The newly-revealed breach occurred in the "test-filing component" of Edgar, according to Wednesday's statement. The agency didn't elaborate on what that is, how it works or how it was compromised.
The lapse didn't occur on Clayton's watch, since the former Wall Street lawyer didn't arrive until earlier this year following Trump's inauguration. His predecessor, Mary Jo White, declined to comment. But the systems weaknesses will now be Clayton's to fix -- and pay for.
Earlier this year, the agency revealed in an annual publication just how vulnerable its systems were. According to that report, just 70% of the SEC's major systems were certified and accredited for standards related to information security and disaster recovery. The prior year's report had estimated the figure at 100%. (The decline wasn't explained.)
The U.S. Government Accountability Office reported in July that it had identified 26 "information-security control" deficiencies at the SEC. Lapses were cited in "consistently protecting its network boundaries from possible intrusions, identifying and authenticating users, authorizing access to resources, auditing and monitoring actions taken on its systems and network, or encrypting sensitive information," according to the report.
Pamela Dyson, who oversees the SEC's computer systems as chief information officer, said in a July 14 response to the GAO that the agency had made strides in addressing the lapses, including "a major enhancement to our vulnerability-management capability."
The SEC's $60-million-a-year technology budget is a tiny fraction of the vast sums spent by large U.S. banks that also hold sensitive financial-market data and customer information. JPMorgan, based in New York, budgeted $600 million in 2016 for cybersecurity alone, according to an annual report.
Clayton said in this week's statement that the agency will "continue to prioritize its efforts to promote effective cybersecurity practices" in light of the "sensitivity of the data and the associated risks of unauthorized access."
"Notwithstanding limitations on our hiring generally, we expect to hire additional expertise in the area," he added.
Stark, the former SEC official, said that cybersecurity experts are in such high demand from companies that the agency might find qualified candidates hard to come by -- especially since government salaries are typically lower than in the private sector.
"There's a huge labor shortage," he said.
In other words, the SEC is going to need some money.
- Trump's Latest Hotel Venture Focuses on Flea-Market Chic in Deep South
- Warren Buffett Has Lost More Than $1 Billion on Apple in Just the Past Week
- These Powerful Corporate Executives Could Make a Run at the Presidency in 2020
- The 10 Most Expensive Zip Codes to Live in the U.S.