SEC data breach has muni advisors on edge about compromised personal information
PHOENIX - Municipal advisors are concerned that personal information could have been compromised in a recently revealed security breach of the Securities and Exchange Commission's online EDGAR system.
The National Association of Municipal Advisors expressed its concerns in an Oct. 2 letter addressed to SEC chairman Jay Clayton and also sent to the other commissioners.
NAMA members, as regulated MAs required to register with the SEC and the Municipal Securities Rulemaking Board, provide sensitive personal information that could have fallen into the hands of hackers. The breach occurred in 2016, but was not publicly addressed by the SEC until Sept. 20.
While the SEC said at that time that information gleaned in the cyber-attack may have contributed to illicit trading, Clayton disclosed on Oct. 2 that some personal information was also compromised.
“The ongoing staff investigation of the 2016 intrusion has now determined that an EDGAR test filing accessed by third parties as a result of that intrusion contained the names, dates of birth and social security numbers of two individuals,” the SEC said in a statement.
The SEC said that its staff are reaching out to the two individuals to notify them and offer them identity theft protection and monitoring services, and if the agency’s review should uncover more affected individuals, the commission will offer them those same services as well.
NAMA executive director Susan Gaffney, who signed the letter, asked that the SEC provide further information about the incident to allow MAs the chance to take steps to protect themselves if necessary.
“Municipal advisors must submit confidential and personal information directly into the EDGAR system that, if exposed, could lead to disruption in their personal and professional well-being,” Gaffney wrote. “The information that MAs must input includes social security numbers, addresses and work history, that is not intended for public consumption.”
NAMA would like the chance to work with the SEC to address security concerns and what remedies MAs might take to protect themselves in the event that they were affected, Gaffney added.
Clayton, whom the SEC said was not briefed on the new information until Sept. 29, said in a statement that the commission is taking the matter very seriously and intends to investigate it thoroughly. The SEC has already authorized the hiring of additional staff and outside technology consultants to beef up cybersecurity.
“The 2016 intrusion and its ramifications concern me deeply,” said Clayton. “I am focused on getting to the bottom of the matter and, importantly, lifting our cybersecurity efforts moving forward.”
Clayton said those efforts might take “substantial time.”