By Sarah N. Lynch and Jim Finkle
(Reuters) – The U.S. Securities and Exchange Commission (SEC), Wall Street’s top regulator, has discovered a vulnerability in its corporate filing database that could cause the system to collapse, according to an internal document seen by Reuters.
The SEC’s September 22 memo reveals that its EDGAR database, containing financial reports from U.S. public companies and mutual funds, could be at risk of “denial of service” attacks, a type of cyber intrusion that floods a network, overwhelming it and forcing it to close.
The discovery came when the SEC was testing EDGAR’s ability to absorb monthly and annual financial filings that will be required under new rules adopted last year for the $18 trillion mutual fund industry.
The memo shows that even an unintentional error by a company, and not just hackers with malicious intentions, could bring the system down. Even the submission of a large “invalid” form could overwhelm the system’s memory.
The defect comes after the SEC’s admission last month that hackers breached the EDGAR database in 2016.
The discovery will likely add to concerns about the vulnerability of the SEC’s network and whether the agency has been adequately addressing cyber threats.
The mutual fund industry has long had concerns that market-sensitive data required in the new rules could be exploited if it got into the wrong hands.
The industry has since redoubled its calls for SEC Chairman Jay Clayton to delay the data-reporting rules, set to go into effect in June next year, until it is reassured the information will be secure.
“Clearly, the SEC should postpone implementation of its data reporting rule until the security of those systems is thoroughly tested and assessed by independent third parties,” said Mike McNamee, chief public communications officer of The Investment Company Institute (ICI), whose members manage $20 trillion worth of assets in the United States.
“We are confident Chairman Clayton will live up to his pledge that the SEC will take whatever steps are necessary to ensure the security of its systems and the data it collects.”
An SEC spokesman declined to comment.
The rules adopted last year requiring asset managers to file monthly and annual reports about their portfolio holdings were designed to protect them in the event of a market crisis by showing the SEC and investors that they have enough liquidity to cover a rush of redemptions.
During a Congressional hearing on Wednesday, Clayton testified that the agency was considering whether to delay the rules in light of the cyber concerns. He did not, however, mention anything about the denial of service attack vulnerability.
VIRTUAL VOMIT
EDGAR is the repository for corporate America, housing millions of filings ranging from quarterly earnings to statements on acquisitions.
It is a virtual treasure trove for cyber criminals who could trade on any information gleaned before it is publicly released.
In the hack disclosed last month involving EDGAR, the SEC has said it now believes the criminals may have stolen non-public data for illicit trading.
The vulnerability revealed in the September memo shows that even an invalid form could jam up EDGAR.
The system did not immediately reject the form, the memo says. Rather, “it was being validated for hours before failing due to an invalid form type.”
That conclusion could spell trouble for the SEC’s EDGAR database because it means that if hackers wanted to, they could “basically take down the whole EDGAR system” by submitting a malicious data file, said one cyber security expert with experience securing networks of financial regulators who reviewed the letter for Reuters.
“The system would consume the data and essentially throw up on itself,” the person added.
(Reporting by Sarah N. Lynch in Washington and Jim Finkle in Toronto; Editing by Carmel Crimmins)
