Examples abound. In September, Equifax reported a data breach that exposed the credit histories and other information of 145.5 million Americans. Shortly thereafter, the Securities and Exchange Commission (SEC) reported a hacking incident that occurred in 2016.
These incidents have raised concerns from individuals and lawmakers about delays in reporting breaches. However, breach response requires a delicate balance. Organizations that are hacked have a responsibility to make a measured, comprehensive assessment of the situation before reporting a breach to the public at large. Here are details of the SEC breach incident and guidance for victim-organizations on how (and when) to report a data breach.
SEC Announces Breach
In September, SEC Chairman Jay Clayton announced that the agency was expanding a probe into a 2016 data breach of its electronic filing system, known as EDGAR (short for Electronic Data Gathering, Analysis and Retrieval). The investigation will primarily focus on a review of when agency officials learned that the EDGAR system had been hacked. The FBI and U.S. Secret Service have also launched investigations into the breach.
What exactly is EDGAR? It’s the electronic filing system that the SEC created to make corporate filings more efficient to submit and easier to access. Most publicly traded companies must submit documents to the SEC using EDGAR. However, some smaller companies may be exempt from these EDGAR mandates if they don’t meet certain thresholds.
Examples of documents that the SEC requires companies to file through EDGAR include annual and quarterly corporate reports and information pertaining to institutional investors. This time-sensitive information is often critical to investors and analysts.
Hackers Exploit Outdated System
EDGAR was launched in the 1990s, and it’s been routinely updated and modified over the last two decades. Like many legacy systems, however, EDGAR has some weaknesses and glitches, and the system will eventually need to be replaced.
In September 2016, the SEC awarded a $6.1 million contract to a firm to collect information needed to completely redesign EDGAR. The SEC anticipates that the information-gathering phase will extend through March 2018. A further extension may be requested to provide additional support for the redesign.
Based on the SEC’s preliminary investigation, it appears that hackers were able to breach EDGAR by using authentic financial data when they were testing the agency’s corporate filing system. The breach occurred in October 2016 and was reportedly detected that month. The cyberattack appears to have been routed through a server in Eastern Europe.
The SEC’s enforcement division discovered the breach as part of an ongoing investigation. Although SEC Chair Clayton was vague on the details, he admitted, “Information they gained caused them to question whether there had been a breach of the system.”
Furthermore, it’s not entirely clear what kind of information was breached. Corporate filings contain detailed financial information about company performance, but such information is usually available to investors in press releases prior to SEC disclosure. According to industry insiders, one potential target could be Forms 8-K. These are unscheduled filings regarding material events that companies are legally required to disclose. These disclosures in EDGAR begin before the official word gets out to the rest of the world.
Media sources say that the FBI’s investigation has homed in on trading activities conducted in connection with the breach. One possibility is that the EDGAR breach is connected to a group of hackers that intercepted electronic corporate press releases in a previous case handled by the FBI team.
SEC Chair Clayton, who took office in May 2017, claims to have first learned of the breach in August 2017. Although he didn’t blame his predecessors, Clayton can’t guarantee that there haven’t been other breaches. “I cannot tell you with 100% certainty that this is the only breach we have had,” Clayton said, reiterating that the investigation was “ongoing.”
Take Control of Breach Response
Public response to the SEC incident, which was announced at roughly the same time as the high-profile Equifax breach, has focused significant attention on the lag between when an organization detects a breach and when it’s announced to the public.
The media and congressional investigations have cast doubt on the intentions of SEC Chair Clayton and the management team at Equifax: Were the delayed responses actually attempts to hide the truth, thereby exposing investors and other stakeholders to even greater potential losses?
Before anyone jumps to conclusions, however, it’s also important to consider the perspective of the victim-organization. It takes time to investigate a breach before announcing it to the public. A knee-jerk response that subsequently needs to be revised can cause major damage to the organization’s reputation with its stakeholders.
What should you do as soon as you suspect that your organization’s data has been breached? First, call your attorney, who will help assemble a team of data response specialists. The preliminary goal is to answer two fundamental questions:
- How were the systems breached?
- What data did the hackers access?
Once these questions have been answered, forensic experts can help evaluate the extent of the damage. Sometimes, a breach occurs, but the hackers don’t actually steal any data.
A comprehensive data response includes the following services:
- Information technology (IT),
- Communications / public relations, and
- Credit monitoring services.
Whether your organization is small or large, for-profit or not-for-profit, the goal in breach response is essentially the same: to provide accurate, detailed information about the incident as quickly as possible to help minimize losses and preserve trust with customers, employees, investors, creditors and other stakeholders.
Once investigative and response procedures are underway, management needs to take proactive measures to fortify controls. This final step helps minimize the risk that another data breach will occur in the future.
Data breaches are an inevitable part of today’s interconnected, technology-driven world. How an organization responds to a breach can set it apart from others and affect its goodwill with stakeholders.
Proactive organizations don’t wait for a breach to strike, however. Work with your legal and forensic accounting professionals to help prevent and detect breaches, as well as to establish policies and procedures for investigating and responding to suspected hacking incidents.
Breach Response Legislation in the Works
Following the SEC and Equifax incidents, the Personal Data Notification and Protection Act was reintroduced in the House. This bill aims to expedite data breach response time. Representative Jim Langevin (D-RI) originally proposed this bill in 2015. He claims that, if the legislation had been in effect when the Equifax breach occurred, Equifax would have had to disclose its breach to the Federal Trade Commission and the Department of Homeland Security within 30 days, not six weeks later.
“This bill will replace the patchwork of 48 state breach notification laws with a single nationwide standard that would clarify and strengthen companies’ obligations to report intrusions that compromise consumers’ personal information,” Langevin said. “Americans put a lot of trust in companies by giving them personal and private information, and they should have confidence that their data is secure. While I do not believe that breach notification is the only legislative response required following Equifax, it is an important first step in building accountability and protecting consumers.”
Under the proposed legislation, companies that fail to meet the requirements would be severely penalized, including fines of up to $1 million per violation. They could also be targeted for civil penalties in lawsuits from states across the country. The legislation doesn’t include any limit on damages in the event a corporation is found to have acted “willfully or intentionally.”
Critics of the bill argue that organizations could be hamstrung by stricter reporting requirements, especially if they are forced to report every isolated incident. Premature or inaccurate reports may cause consumers and other stakeholders to unnecessarily panic or become confused. Some also fear that “data breach fatigue” will eventually lead to public indifference.
We’re monitoring this controversial bill as it works its way through Congress. The recent Equifax and EDGAR breaches are helping it pick up momentum, however.