The United States Securities and Exchange Commission (SEC) was found lacking in its cybersecurity program just two weeks before its X account was hacked on January 9. An independent evaluation by the Office of Inspector General (OIG) and contractor Cotton & Company Assurance and Advisor highlighted several security weaknesses within the federal regulator’s protocols. The report urged management to take action on areas of potential risk, including keeping its vulnerability disclosure policy maintained and ensuring that logging meets requirements. The SEC’s Chief Information Officer, David Bottom, acknowledged the need for improvements in various domains such as risk management, supply chain, security training, and continuous diagnostics and monitoring.
Following the OIG report, the SEC was ordered to submit an action plan within 45 days to improve its underperforming security program. The commission was hacked on January 9 when an unauthorized party gained access to the X account and posted a fake spot Bitcoin ETF approval announcement. The hack resulted in $90 million in liquidations and raised concerns about market manipulation. Congresswoman Ann Wagner expressed her concern over the incident, calling it clear market manipulation that impacted millions of investors. The hack was later revealed to have occurred because two-factor authentication was not enabled on the account, which allowed an unknown party to take over the commission’s account via a SIM-swapping attack on the phone number tied to it.
The lack of cybersecurity measures and vulnerabilities in the SEC’s protocols raised questions about its ability to prevent fraudulent activities and protect sensitive information. The commission’s failure to enable two-factor authentication allowed unauthorized access to its social media accounts, leading to market manipulation concerns. The incident highlighted the importance of maintaining robust security measures to safeguard against unauthorized access and potential data breaches. Senator Cynthia Lummis called for transparency regarding the hack and emphasized the need to understand the circumstances surrounding the fraudulent announcement made on the SEC’s social media.
Despite the security breach and concerns raised about market manipulation, the SEC stated that the unauthorized party did not gain access to its systems, data, devices, or other social media accounts. According to the commission’s statement following the hack, the attacker obtained control of the phone number through the telecom carrier, not through SEC systems. It remains unclear if or when the federal agency will face reprimand for the incident, as questions continue to be raised about the adequacy of its cybersecurity program. The hack of the SEC’s X (formerly Twitter) account underscores the importance of implementing robust security measures to protect against unauthorized access and fraudulent activities. Congresswoman Ann Wagner emphasized the need for accountability and transparency in understanding the circumstances surrounding the incident.