SEC chairman faces grilling over hack defense

SEC boss Jay Clayton better wear his asbestos suit on Tuesday, when he’s likely to come under fire while testifying before a Senate committee bent on knowing what the regulator is doing to prevent another embarrassing cyberattack.

The 2016 hack of the Securities and Exchange Commission’s Edgar database, revealed Sept. 20, while unnerving for Washington and Wall Street, wasn’t even the first time crooks broke into the regulator’s computer system.

“My reaction when I heard the news [last week] was we got played again,” a former SEC lawyer told The Post on Sunday.

The lawyer, who spoke on the condition of anonymity, said the hack by an unknown cyber crook reminded him of the May 2015 incident when a fake UK firm, PTG Capital Partners, posted a press release on Edgar saying it was making an offer for Avon that was nearly triple its closing price.

The fake report sent Avon shares soaring 18 percent.

What’s more, in 2012, a fake firm managed to get a $13 offer for the Rocky Mountain Chocolate Co. posted on Edgar.

In the most recent hack, the SEC in 2016 discovered intruders inside Edgar, and the agency patched the bad software that let the crooks in.

The SEC alerted the public only last week, but said in its report that the breach occurred in August, when it believed thieves could have traded illegally on that information.

“The SEC has viewed Edgar like a filing system at a library,” and not taken these threats seriously enough, the former SEC lawyer said.

The testimony of the SEC newcomer, who came on board as chairman in May, also is especially important because President Trump has made cyber-security a top priority.

Edgar is the database where corporations file private data that is waiting to be made public. Getting hold of that information, even minutes before it goes public, could allow crooks to trade on it and pocket illegal profits.

“The risks from cyber breaches continue to threaten consumers and our financial markets,” Sen. Sherrod Brown (D-Ohio), the ranking member of the Senate Banking Committee, which will grill Clayton on Tuesday, told The Hill on Friday.

“We expect corporations that hold sensitive data to disclose information about breaches as soon as possible, and the SEC is no different.”

Clayton, who was not on the job when the most recent hack occurred, has angered critics for what they see as foot-dragging. Rep. Jim Langevin (D-R.I.) is “very disappointed” to have learned of the breach only on Wednesday.

“The scope of a cyber-security incident is not always readily apparent, and transparency can help affected entities take measures to protect themselves and lead to improvements in risk management processes,” Langevin told The Hill.

One cyber-security lawyer wondered whether the hackers who broke into the SEC’s Edgar database gained access to any other sensitive systems operated by the regulator.

If so, the breach could be even more extensive than the public already knows, lawyer Doug Henkin told The Hill.

When the newspaper asked the SEC to elaborate, a spokesman for the agency refused to provide more information.