The views expressed by contributors are their own and not the view of The Hill

The SEC can’t protect its own data. Should it be trusted to protect yours?

AP Photo/Andrew Harnik, File
FILE – The seal of the U.S. Securities and Exchange Commission at SEC headquarters, June 19, 2015, in Washington. The Securities and Exchange Commission said Tuesday, Jan. 9, 2024, that a post on X, formerly known as Twitter, announcing that the securities regulator had approved the trading of exchange-traded funds holding bitcoin was fake, and…

On Oct. 16, the Securities and Exchange Commission authored a statement on X that read, “Careful what you read on the internet. The best source of information about the SEC is the SEC.”

It took less than three months for that statement to be proven false.

The apparent hack of the SEC’s official X account on Jan. 9 raises serious concerns about the commission. Specifically, it raises questions about the SEC’s internal cybersecurity procedures and the diminishing faith the investing public has in the agency to protect their personal and financial information.

Chairman Gary Gensler and other SEC officials have lectured market participants and deflected concerns from investors regarding cyberattacks targeting the SEC. Will all that change after this month’s compromise of the commission’s X account?

Cyber incidents like this one have real consequences. After the (now confirmed false) announcement of the approval of Bitcoin ETFs on the SEC’s official X account, the price of Bitcoin spiked significantly. Minutes later, Chairman Gensler stated that the SEC had not in fact approved the ETFs, causing widespread confusion and the price of Bitcoin to plummet.

The SEC’s failure to adhere to basic cybersecurity protocols to protect its own account directly caused extreme volatility in the price of Bitcoin. The agency was hacked because it had violated its own cybersecurity risk management rules that public companies must follow.

In the coming months, the public will learn more about this breach. But the more immediate concern for the public is that this incident clearly demonstrates the agency cannot be trusted to protect the personal information of American investors, which it now desperately wants to collect. 

The SEC wants to collect and store investors’ personal and financial information in its Consolidated Audit Trail database. Unless it is stopped, this CAT database will collect and store every trade, every position, the value of those positions, and link them to the personal identity of every American investor.

Personal privacy concerns aside, this will only make it easier for hackers to steal the identity and financial worth of every American investor who owns a share of stock.

Gensler justifies this egregious violation of Americans’ privacy rights on the grounds that the agency must be allowed to spy on your portfolio to make sure you aren’t violating the law. Former SEC Chairman Jay Clayton stated in 2017 that the SEC “should not take any sensitive data unless we can protect it.” This incident proves that it cannot.

As SEC Division of Enforcement Director Gurbir Grewal remarked in June, “When there are cyber-attacks on publicly traded companies and other market participants, we consider the investing public to also be potential victims of those incidents.” Surely, the same can be said for a cyberattack on the Consolidated Audit Trail database, which could compromise the identity and financial positions of millions of Americans.

Will the SEC live up even to its own cybersecurity disclosure rules to protect the public? Can the public trust the SEC chairman to undertake and uphold a thorough internal investigation of the incident and the market manipulation that followed?

Grewal said that public companies need “to have real policies that work in the real world, and then they need to actually implement them; having generic ‘check the box’ cybersecurity policies simply doesn’t cut it.” Why shouldn’t the SEC be held to this same standard? Who will be held accountable at the agency for this incident?

Every day, American investors are the targets of growing cyberthreats from criminals, state-sponsored actors, and individuals with regular access to sensitive investor data. If the SEC can’t protect its own social media accounts, then there is little chance it can protect the personal and financial information of every American investor.

The U.S. is home to the world’s deepest and most liquid capital markets. It’s imperative that investors trust that trading in our markets is safe. But that will all change if the SEC continues to pursue the authority to collect every American investor’s identity and financial worth and a massive cybersecurity breach occurs as a result.

A government agency that can’t protect an X account from being hacked must not be allowed to create a national database that puts the financial privacy of every American investor at risk. Congress must intervene to stop the SEC from putting a bullseye on American investors.

Christopher A. Iacovella is president and CEO of the American Securities Association.


Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
