by Christopher A. Iacovella
On Oct. 16, the Securities and Exchange Commission authored a statement on X that read, “Careful what you read on the internet. The best source of information about the SEC is the SEC.”
It took less than three months for that statement to be proven false.
The apparent hack of the SEC’s official X account on Jan. 9 raises serious concerns about the commission. Specifically, it raises questions about the SEC’s internal cybersecurity procedures and the diminishing faith the investing public has in the agency to protect their personal and financial information.
Chairman Gary Gensler and other SEC officials have lectured market participants and deflected concerns from investors regarding cyberattacks targeting the SEC. Will all that change after this month’s compromise of the commission’s X account?
Cyber incidents like this one have real consequences. After the (now confirmed false) announcement of the approval of Bitcoin ETFs on the SEC’s official X account, the price of Bitcoin spiked significantly. Minutes later, Chairman Gensler stated that the SEC had not in fact approved the ETFs, causing widespread confusion and the price of Bitcoin to plummet.
The SEC’s failure to adhere to basic cybersecurity protocols to protect its own account directly caused extreme volatility in the price of Bitcoin. The agency was hacked because it had violated its own cybersecurity risk management rules that public companies must follow.
In the coming months, the public will learn more about this breach. But the more immediate concern for the public is that this incident clearly demonstrates the agency cannot be trusted to protect the personal information of American investors, which it now desperately wants to collect.
The SEC wants to collect and store investors’ personal and financial information in its Consolidated Audit Trail database. Unless it is stopped, this CAT database will collect and store every trade, every position, the value of those positions, and link them to the personal identity of every American investor.
Personal privacy concerns aside, this will only make it easier for hackers to steal the identity and financial worth of every American investor who owns a share of stock.
Gensler justifies this egregious violation of Americans’ privacy rights on the grounds that the agency must be allowed to spy on your portfolio to make sure you aren’t violating the law. Former SEC Chairman Jay Clayton stated in 2017 that the SEC “should not take any sensitive data unless we can protect it.” This incident proves that it cannot.
As SEC Division of Enforcement Director Gurbir Grewal remarked in June, “When there are cyber-attacks on publicly traded companies and other market participants, we consider the investing public to also be potential victims of those incidents.” Surely, the same can be said for a cyberattack on the Consolidated Audit Trail database, which could compromise the identity and financial positions of millions of Americans.
Will the SEC live up even to its own cybersecurity disclosure rules to protect the public? Can the public trust the SEC chairman to undertake and uphold a thorough internal investigation of the incident and the market manipulation that followed?
Grewal said that public companies need “to have real policies that work in the real world, and then they need to actually implement them; having generic ‘check the box’ cybersecurity policies simply doesn’t cut it.” Why shouldn’t the SEC be held to this same standard? Who will be held accountable at the agency for this incident?
American investors are the targets of growing cyberthreats from criminals, state-sponsored actors, and individuals with regular access to sensitive investor data every day. If the SEC can’t protect its own social media accounts, then there is little chance it can protect the personal and financial information of every American investor.
The U.S. is home to the world’s deepest and most liquid capital markets. It’s imperative investors have trust that trading in our markets is safe. But that will all change if the SEC continues to pursue the authority to collect every American investor’s identity and financial worth and a massive cybersecurity breach occurs as a result.
A government agency that can’t protect an X account from being hacked must not be allowed to create a national database that puts the financial privacy of every American investor at risk. Congress must intervene to stop the SEC from putting a bullseye on American investors.
Christopher A. Iacovella is president and CEO of the American Securities Association.
This opinion originally appeared in The Hill.
About the American Securities Association
American Securities Association, based in Washington, DC, represents the retail and institutional capital markets interests of regional financial services firms who provide Main Street businesses with access to capital and advise hardworking Americans how to create and preserve wealth. ASA’s mission is to promote trust and confidence among investors, facilitate capital formation, and support efficient and competitively balanced capital markets. This mission advances financial independence, stimulates job creation, and increases prosperity. The ASA has a geographically diverse membership of almost one hundred members that spans the Heartland, Southwest, Southeast, Atlantic, and Pacific Northwest regions of the United States.