U.S. lawmakers demand investigation into SEC’s security practices following breach
The SEC's X account was hacked on Jan. 9 to post a fake ETF approval notice.
Senators Ron Wyden and Cynthia Lummis requested an investigation of the U.S. Securities and Exchange Commission (SEC) in a letter on Jan. 11.
The two lawmakers asked the SEC’s Inspector General, Deborah Jeffrey, to open an investigation into a security breach that occurred two days earlier as well as the agency’s failure to follow best cybersecurity practices.
The breach saw an unknown party illegally access the SEC’s X account and post a false announcement suggesting that the agency had approved a spot Bitcoin ETF. Though the SEC did in fact approve ETFs of that type one day later, the agency said that the original message was false and confirmed the breach.
Senators said the SEC should have used multi-factor authentication and phishing-resistant hardware tokens (i.e., security keys). They asked for the investigation to focus on these matters and find any other security gaps. Senators requested an update on the investigation by Feb. 12, 2024.
Did the SEC break any rules?
Senators Wyden and Lummis did not suggest that the SEC violated any specific rules through the oversights that allowed the breach to occur.
The two senators noted that the White House’s Office of Management and Budget (OMB) issued a memo in January 2022 requiring agencies to use multi-factor authentication and security keys. Though they acknowledged that this policy does not apply to social media websites, they said that the memo makes it clear that such features are necessary to protect against attacks.
Senators did not suggest that the SEC violated certain rules through which it requires companies to disclose security breaches. However, senators did imply hypocrisy in this area: they called the SEC’s failures “inexcusable, particularly given the agency’s new requirements for cybersecurity disclosure.”
Senators also highlighted the “obvious potential” for market manipulation in their complaint. Indeed, Bitcoin saw sudden losses as the SEC revealed the false nature of the announcement. The price of Bitcoin (BTC) fell from $46,865 to $45,415 within two hours of 9:00 p.m. UTC on Jan. 9, marking a loss of about 3%.
Despite the critical nature of the SEC’s failures, the lack of any specific violations makes it unclear what consequences the agency might face.