SEC Hacking Shows Latest Weakness in Edgar (Audio)

every day. But the SEC recently revealed that it learned last year about a hack into the system that may have allowed hackers to obtain and profit from corporate confidential corporate information before that information became public. Here to talk with us about this hack into the EDGAR system are Peter Henning, a professor at Wayne State University Law School, and Robert Hockett, a professor at Cornell University Law School. Peter, the you know, most of the EDGAR system is publicly

available information. That's kind of the point, but there is part of it that has some confidential information that apparently is the subject of this hack. Explain exactly what it is that got hacked into here. Well, the security breach came through a portal that the SEC has so that newer companies companies that recently went public could essentially take it for a test drive and past materials on EDGAR.

The requirement is that whenever a company makes its disclosure UM, say quarterly or annual earnings, it has to do that UM immediately and make it available to all investors at the same time. So it was a way for them to test it UM. But there are companies that will make filings UH. For example, I p O s Now

you can make what's essentially a dark filing. You can put information in there that isn't available to the public that might have been available to the hackers and would give them maybe some insight information about what was going to happen at those companies and perhaps others if they rummaged around through the system. You just don't know what you're going to find, Bob, the attack occurred last year. The SEC just disclosed it on Wednesday. Is that against

its own advice to companies to announce cyber attacks promptly? Well, it's it's it's hard to tell to tell you the trition. I mean, the problem is, UM, you know that the SEC is sort of forced start faced with a dilemma on the one hand, if it reveals information that turns out not to be really that important in the longer term, but sort of stokes a panic or stokes sort of excess concern in the short term, uh than it might well, you know, sort of think better about having disclosed something

too quickly. So it's not sure whether to tell anybody right away because it doesn't want to cause more panic than might be warranted. On the other hand, that being said, if it does indeed turn out to be a significant problem, then of course the SEC looks to have egg on its face when it turns out that it knew the

information even sooner. In this particular case, I think what's particularly important or maybe worth noting, is that it didn't reveal the information until it determines that somebody might actually have used some still gotten information in order to engage in some form of insider trading. And that's something the

SEC apparently only just learned. Well, Peter, if the idea of this part of the system, you know, the confidential information, is to encourage new companies to get to put things up, for folks to get things in early and test out the system, what's if this ends up deterring that from happening. If this kind of hack deterurns that from happening, what are the likely consequences in terms of companies ability to get their information out the right way? Well, I don't

I'm not sure if it will be a detern. It certainly will make companies hesitant, and indeed, even the SEC said for those using this portal, you know, be careful about the information you put here. UM. But you know, just like any warning label, I'm not sure how many people might have actually read it. Um. Really the message here is the broader one, and of course it's coming just a couple of weeks after the disclosure of the Equifax league is that really no computer system is completely secure.

That we are living, um in an era and this may go on. Um as far as the eye can see, we're living in an era in which there is going to be cyber attacks and confidential information can get exposed. So you know, it's um, maybe physician heled iself. The SEC has to take stronger measures here to protect what

may be crucial information about companies. Otherwise they're going to be more careful about what they file and may try to puzz things a little bit to try to ratchet down how much they end up disclosing in their public filings. Bob Edgar is tracked carefully by traders who use super fast computers. How much information does Edgar have that can actually move the more kit, Well, it's had a great

deal of such information. And then in a way, that's sort of part of the point, right, I mean, the original impetus behind Edgar is essentially just sort of a race or to sort of diminish, nearly to the vanishing point, any kind of time advantage that one trader might have relative to another when it comes to trading uninformation that is disclosed once it is disclosed, and has some sort of significance, a price relevant significance to the shares of

the firm that are traded. Right. So the irony here, of course is that you know Edgar is is established in order to level that that playing field. But if some people are able to hack it and others are not, you might end up with the sort of paradoxyl the paradoxical situation wherein Edgar ends up facilitating certain kinds of insider trading by essentially gipping off right, some people much more, much sooner than it tips off others simply by by

into those first people's capacity to hack it. So that makes Peter's point of all the more important that you know, in order for even to sort of fulfill its function, it really has to be more or less hack proof, or at least it has to be proofed against hacking of the kind that can facilitate insider trading. We've been talking about the hack of the sec and its implications with Peter Henning, professor at Wayne State University Law School,

and Robert hocket, a professor at Cornell University Law School. Peter, this isn't the first time that the SECS Edgar system has been compromised. Now they are going to put in the consult what's been called the Consolidated Audit Trail, So would you explain that and whether they're going to be

concerns about that in light of this new hack. Consolidated Audit Trail has actually been a dream of the SECS for about the last thirty to forty years, where it would give them a real time look at who is trading um across all of the markets, so that they could see if there's any kind of market disruption or if the order flow is somehow affected by an event or perhaps even a technological glitch. So this is what

they've wanted. What that is, though, is incredibly valuable information. Uh. If I know that, say Fidelity or Vanguard is selling out a position or accumulating a position, um, I can trade ahead of that or trade along with it before the stock price is affected. I can make a great deal of money. So what the heck is saying is that as the SEC accumulates more and more valuable information, uh, it's going to become a target even more. And so

it's really going to have to protect that information. And of course the firms are worried that their information could be stolen and used either against them or by someone to profit. And that's going to cost other investors money. I expected, given this hack, and you know, we don't know that much about it yet, but given this hack, uh, a lot of banks and other investors would be very concerned about what might happen when the consolidated art show

finally gets up. Can we expect that this is just going to delay that project, you know, by measures we can't even figure out yet. Yeah, I don't know, I really don't know whether we should expect this to sort of delay that project or not. I mean, it might do that. It might in fact instead hasten the project of of beefing up internet security or cybersecurity or the like. Where it might that might do both. I mean a

couple of other things worth noting in this connection. It seems to me as first of all, there is the Equifax matter that Peter had mentioned before. There's also another matter that we've sort of forgotten about but was pretty big news about a year ago, and that was when the New York bet was fooled by hackers into making a very large money transfer on behalf or supposedly on behalf of the Bangladesh Central Bank UH and that was

done through hacking as well. And indeed the New York Fed sort of discovered the problem um only sort of by accident, only through a sort of a fortuity owing to a strange name that was used by one of the parties who was hacking it. And so people have since then, of course, has been a little bit concerned about the security of the swift money transfer system that

the central banks and other banks used as well. So in a way, the problem is is quite pervasive throughout the the financial system, and I'm hoping therefore that the takeaway from this will be that we really have to get quite serious about cybersecurity across the entirety of the financial system and not let it delay um uh sort of beneficial actions that various regulars who are planning to take unless absolutely necessary, but instead it just sort of

speed us up when it comes to really addressing all of the cyber vulnerabilities that appear to be pervasive out there. Peter SEC Chairman Jake Clayton is scheduled to testify before the Senate Banking com it Eating next week. What kind of questions do you expect him to be getting and

will there be a grilling of sorts? There'll be a little bit of a grilling, although in a sense he gets a bit of a free pass because the hack took place under his predecessor, Mary Joe White, and you know, perhaps the delay and disclosing it um might be an issue brought up, But really I think he wants to use this as a way to highlight the need to enhance cybersecurity. And as Bob said, Bob's absolutely right that, um, this is not we can't just beat these as isolated incidents.

That this is something that is going to be pervasive through the financial system, and so if you view one security patch as somehow a cure, it's at best of placebo. So I think Clayton is going to go on the offensive here and perhaps even use this as a way to ask Congress for more money for the SEC. Uh,

don't free act. This is a political agency, Bob. You know, we we talk about the importance of cybersecurity, and it seems are there ways to actually stop this from happening because it seems like every everyone and every agency can be act. Yeah. So I mean if I were a computer security expert, um, I could answer you more different deplity, but I would probably also be a millionaire or a billionaire by now. It's I mean, in theory, we can do this, right, but but there's so many prerequisites that

have to be met. One of them that maybe it's worth highlighting at the moment is that because so much of the transacting that goes on in the financial system now takes place across borders through multiple electronic systems, you need some kind of harmonization on the part of multiple jurisdictions when it comes to what forms of electronic communications are going to be used, what protocols or what security protocols are to be used, what specific technologies technologies are

going to be used, and so forth, And it's thus far proved it would be difficult to get consensus even on that. You might have read even a couple of days ago that some of our partners in Europe and Asia are sort of suspicious of the protocols that were currently favoring because they think we might be favoring Member precisely because we're able to hack them. I'm going to

have to stop you there. I thought all professors were millionaires thanks to two of them, Peter Henning, professor at Waynestad University Law School and Robert Hockett, professor at Cornell University Law School,