Chair Gensler Says SEC Takes Its Own Cybersecurity Seriously
Commentary by Steven Lofchie
SEC Chair Gary Gensler asserted that the agency "takes its cybersecurity obligations seriously" and that Commission staff recognize that the recent hack of the SEC's "X" account by an unauthorized party raises "concerns about the security of the SEC's social media accounts."
Chair Gensler's "Statement on Unauthorized Access to the SEC’s @SECGov X.com Account" was a response to an unauthorized party posting an announcement that the Commission approved spot bitcoin exchange-traded funds. In the statement, Chair Gensler described the sequence of events, including the time and content of the fraudulent posts and the SEC's removal of those posts. He said that staff was still assessing the scope of the incident, but that "there is currently no evidence that the unauthorized party gained access to SEC systems, data, devices, or other social media accounts."
Mr. Gensler said that the SEC staff "will continue to assess whether additional remedial measures are warranted" and that the SEC was in contact with various law enforcement authorities.
Commentary
Following disclosure of the hack, House Financial Services Committee Chair Patrick McHenry wrote a letter to the SEC demanding an explanation for the breach. Directing his admonition to Chair Gensler, Mr. McHenry stated that "[t]his failure is unacceptable, and it is disturbing that your agency could not even meet the standard you require of private industry."
It is notable that in the SEC's response, Chair Gensler did not concede that additional security measures were necessary, but only that staff is studying the issue. Having been the victim of a breach that moved the market price of bitcoin, made the newspapers and is the subject of Congressional attention, it would seem obvious that the SEC must improve its cyber-protections on the account, even if one assumes that the agency could not have reasonably anticipated the possibility of the attack.