By Benjamin Bain, Annie Massa, and Robert Schmidt, Bloomberg News
The U.S. Securities and Exchange Commission hails its database of company filings as an innovation that’s dramatically boosted corporate transparency. But a hack that led to the theft of market-moving secrets is the latest sign that technology also brings dangers the SEC is struggling to combat.
The breach adds to a growing list of SEC embarrassments over Edgar, a massive online system where companies are required to disclose everything from stock sales by top executives to regulatory investigations. Past setbacks include fraudsters posting fake takeover announcements and allegations that some traders were getting access to market-moving news before others.
The cyberattack that occurred last year — but wasn’t disclosed until Wednesday — could be the most problematic incident, because it casts doubt on the SEC’s ability to safeguard data that fuels billions of dollars in daily financial transactions. The regulator was already grappling with hackers infiltrating companies to profit from insider trading, and now it turns out its own systems are a target.
If such breaches continue, or if the SEC is too underfunded or outgunned to fix them, it could undermine company and investor confidence in the agency. That might threaten the regulator’s ability to provide a bedrock principle of the U.S. financial system: market transparency.
Edgar has “all sorts of stuff that could possibly move the market,” said Larry Tabb, founder and research chairman of Tabb Group LLC, a research firm that specializes in capital markets. “If you can break in, there’s a trove of market-influencing information that you can find and mine. There’s profit in there.”
SEC Chairman Jay Clayton, who took over in May, is slated to testify before the Senate Banking Committee on Sept. 26. He’s expected to be grilled on the hack and why the agency waited so long to reveal it. The SEC said it doesn’t believe the breach led to the exposure of personally-identifiable information, such as Social Security numbers.
Among the few details that the SEC has shared about the intrusion is that it hit a corner of Edgar where companies can submit dummy filings. These forms, which are never meant to be released publicly, allow startups to get comfortable with using the database. Well-established corporations also use test filings to make sure their announcements format correctly on Edgar and to solicit feedback from the SEC.
The information hackers obtained and may have illegally traded on could have come from these filings.
The SEC has cautioned companies about what they put in test announcements. In a 2015 press release, the agency advised businesses seeking to raise money through crowdfunding not to include “confidential or personally identifiable information” in practice filings. Still, companies often don’t follow that advice, according to securities lawyers and corporate executives.
One person who frequently submitted test filings to Edgar said he can’t recall stripping out sensitive information. Another person said preliminary filings regularly include data that could move share prices, and are submitted so companies can engage in a back-and-forth with SEC staffers.
SEC spokesman Chris Carofine declined to comment on Edgar or the hack.
Questions about the scope of the breach remain unanswered. The SEC hasn’t said whether the intrusion was limited to Edgar’s test filing system, or if attackers merely used a vulnerability there to reach a bounty of additional records in the massive database. On average, people access 50 million-plus pages of disclosure documents through Edgar each day. It processes more than 1.7 million electronic filings each year.
There’s also a ton of confidential corporate data that the SEC houses. In addition to the publicly-accessible Edgar, the agency maintains a private repository that its officials can peruse, according to two people familiar with the matter who requested anonymity to discuss more sensitive SEC systems. The database is known as internal Edgar among the regulator’s staffers, one of the people said.
The SEC has long considered Edgar to be a centerpiece of its mission of making sure corporations provide full and timely disclosure to investors. The regulator began experimenting with electronic filings in 1984, and within 10 years, it was mandating that public companies submit information in digital form through its Electronic Data Gathering, Analysis and Retrieval System, now universally known as Edgar.
On Wall Street, Edgar is tracked with a laser focus. Traders sign up for data feeds to peruse new filings, using superfast computers to mine announcements and make instantaneous investment decisions.
But the SEC is now struggling to keep up with the deluge of information flowing through a database that was created more than two decades ago.
In 2016, the SEC began what it calls a multiphase effort to redesign Edgar. In a contract solicitation the agency put out that year, it said the repository had become “overly complex, expensive to operate and more difficult to efficiently evolve.”
The SEC also noted that over the past eight to 10 years “the number of filings made on Edgar has tripled, submission size has more than doubled and total data received has quadrupled.” The agency added that it used contractors to manage much of Edgar, including to “operate and monitor the system and maintain the hardware and software.”
The redesign is ongoing.
The SEC has drawn criticism from lawmakers for not closely vetting announcements made through Edgar. For instance, in May 2015, Nedko Nedev — a dual citizen of Bulgaria and the U.S. — issued a filing indicating that he was making an offer to buy Avon Products Inc. The cosmetics company’s shares jumped 20 percent before trading was halted.
The agency argues that the sheer volume of daily announcements would make it impossible to review everything, so it holds companies and individuals responsible for the accuracy of postings. Submitting false information can expose culprits to SEC civil penalties, and even criminal prosecution.
Edgar also drew scrutiny in 2014 when academics found some traders could get access to public filing data before it appeared on the SEC’s website. The researchers said that in some instances, investors who subscribed to feeds sold by an SEC contractor saw certain filings 10 seconds earlier.
Bloomberg News parent Bloomberg LP redistributes SEC filings. It competes with other news organizations in reporting details in filings.
— With assistance by Matt Robinson, and Matthew Townsend