SEC EDGAR hack & cybersecurity threats

Four continents, eleven assailants, and at least $4.1 million in illegal profits (“Press Release” SEC Emblem, 2019). This was the result of the 2017 hack of the SEC’s Electronic Data Gathering, Analysis, and Retrieval (EDGAR) database, an online database maintained by the Securities and Exchange Commission (SEC) that contains public company filings. The hack released thousands of documents that were used in a global conspiracy to conduct high-speed insider trading at a rate unfathomable in previous insider trading. This hack represents two of the SEC’s most significant issues: cybersecurity threats and an insufficient budget to effectively carry out its mission of protecting investors and maintaining the integrity of the securities markets.

The Securities and Exchange Commission (SEC) is a U.S. government agency responsible for regulating the securities markets and protecting investors. The SEC enforces federal securities laws, makes rules and regulations related to the securities markets, oversees the operations of the securities markets, and protects investors by ensuring they have access to accurate and timely information about securities. The SEC’s mission is to protect investors, maintain fair, orderly, and efficient markets, and facilitate capital formation (SEC Congressional Budget, 2023). The SEC protects investors from fraud and other forms of misconduct by promoting transparency and accountability in the securities markets. 

One of the ways the SEC regulates the financial industry and promotes transparency is through annual independent audits of public companies. These filings, such as annual and quarterly reports, registration statements, and insider trading reports, are available to the public on the EDGAR database (ChatGPT). The Electronic Data Gathering, Analysis, and Retrieval (EDGAR) database is an online database maintained by the Securities and Exchange Commission (SEC) that contains public company filings, ensuring investors and other interested parties can access these filings to obtain information about a company’s financial performance, business operations, and other essential details. The system, created in 1984, was intended to be used by investors, analysts, and researchers to modernize and improve the efficiency of the SEC’s filing system.

In 2017, the US Securities and Exchange Commission (SEC) announced that its Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system had been hacked, and non-public information had been accessed. SEC Chairman Jay Clayton (2017) said in an SEC statement that EDGAR had a “software vulnerability” that was “exploited and resulted in access to nonpublic information,” stating that “Notwithstanding our efforts to protect our systems and manage cybersecurity risk, in certain cases, cyber threat actors have managed to access or misuse our systems.” This information was then used to gain a significant advantage in the markets. The SEC attorneys presented a chart in a filing showing each trader’s “win rate”. Without the hacked data, none of the traders achieved better than a 58% win rate, and seven out of eight traders lost money. With access to the hacked data, all traders made a profit, and most made several hundred thousand dollars. One trader even achieved a win rate of 96% (Mathews, 2019). The traders made at least 157 transactions from May to October 2016. They generated at least $4.1 million in illegal profits before the SEC charged a Ukrainian hacker, six individual traders in California, Ukraine, and Russia, and two entities (“Press Release” SEC Emblem, 2017). The SEC’s recent announcement may impede the agency’s attempts to gather comprehensive data on stock trades in a centralized database, which could potentially aid in detecting market manipulation.

The massive profit of $4.1 million resulted from only one hack of data and presented a significant vulnerability in the cybersecurity efforts of the SEC. In a 27-page 2016 report, the U.S. Government Accountability Office (U.S. GAO) found that the SEC was not always using encryption, supported software, well-tuned firewalls, and other critical security tools to protect its organization’s information (Price, 2017). Like all government agencies, the SEC is limited in its efforts by budget. While the cybersecurity of the SEC is limited by its budget as a government agency, hackers looking to exploit the SEC’s vulnerabilities are limited only by their greed. As of 2022, the SEC’s Division of Enforcement Crypto Assets and Cyber Unit (formerly known as the Cyber Unit) contains only 50 employees (Press Release, 2022), with the average pay for a Security Administrator being only $106,591.52 (Securities and Exchange Commission salaries of 2021). This leads to a revolving door effect where regulators use their institutional knowledge to work in the private securities industry (Kurt Schacht, 2019), under higher compensation, to the detriment of the SEC and investor interests. The dichotomy is that the SEC needs and has the authority to collect large swaths of information from companies and markets that are unavailable to the public. However, it lacks the security and safeguards to protect this information to the extent of its worth.

The SEC’s EDGAR hack exposed vulnerabilities regarding the SEC’s cybersecurity and budget constraints. The agency needs adequate controls and measures to defend against advanced cyber threats considering the value of the information they protect. Additionally, the low pay scale offered to cybersecurity employees compared to the private sector makes attracting and retaining talent difficult. However, given the value of the information the SEC collects, the agency must strengthen its cybersecurity measures and ensure the integrity of securities markets.

Reflection:

As an economics student at the Zicklin Business School at Baruch, I recognize cybersecurity’s paramount significance in the financial industry. The SEC’s EDGAR hack highlights the urgent need to protect the integrity of securities markets through robust cybersecurity measures. This incident highlighted vulnerabilities within the SEC’s systems, emphasizing the need for adequate controls to combat advanced cyber threats.

Studying economics has given me a unique perspective on the profound impact of cybersecurity on financial markets and the broader economy. My professional portfolio of projects emphasizes my deep appreciation for the intricate interplay between economics, cybersecurity, and the financial sector. The EDGAR hack has made abundantly clear the significance of cybersecurity infrastructure and of establishing stringent security protocols to safeguard sensitive financial data and uphold market integrity. The EDGAR hack precisely aligns with my focus on cybersecurity, as it illustrates the potential risks and challenges associated with safeguarding sensitive financial data.

What’s more, the budget constraints faced by regulatory agencies like the SEC pose significant challenges. It’s disheartening to see that limited resources can impede their ability to adequately protect investors and fulfill their mission of preserving market integrity. It has underscored the critical importance of implementing effective measures to protect against advanced cyber threats, particularly considering the immense value of the information they safeguard.

This paper on the SEC’s EDGAR hack underscores my focus on regulation, cybersecurity, and fintech. As I continue on my professional journey, I am more determined than ever to contribute to developing and implementing effective cybersecurity strategies. I plan to focus on the urgent need for robust measures to protect market integrity and sensitive financial data, ensuring the industry’s stability, trust, and resilience while safeguarding investor interests and upholding the integrity of securities markets.

Introductory Post

As a student, my career exploration took me through diverse fields before I found my passion for economics at the Zicklin School of Business. While studying Law at Brooklyn Technical, I discovered economist Tyler Cowen’s blog, which fascinated me with its application of economic principles to real-world phenomena. Economics became less abstract and more relevant as I explored income inequality, the business cycle, and government policies’ impact on the economy.

Although I initially pursued physics and chemistry at SUNY New Paltz, my interest in economics persisted. I seized an internship opportunity in finance, gaining practical experience analyzing financial data and market trends. I researched DeFi, Stablecoins, Blockchain, Delegating/Validating, and Cryptocurrency market news.

The complex interplay between markets, institutions, and policy further captivated me, leading me to pursue an economics degree at the Zicklin School of Business. Here, I learn from prominent economists, developing critical analytical skills through courses in econometrics, financial modeling, and macroeconomic theory.

As I delved deeper into economics, topics like game theory, international trade, and financial markets expanded my knowledge and fueled my passion. Economics revealed its interdisciplinary nature, applicable to law, public policy, and psychology.

My unique journey has ultimately driven me to pursue a career in economics. I embrace this field’s opportunities and am eager to make a positive impact using my knowledge. With continued learning and growth, I hope to contribute to a better world through my work as an economist.

Unveiling the Moral Hazard in Cryptocurrency: Addressing Ownership Ambiguity and Regulatory Frameworks

Moral hazard is a concept that describes the increased likelihood of risky behavior when individuals or entities are shielded from the negative consequences of their actions. In the cryptocurrency industry, the lack of clarity regarding the ownership of cryptocurrency held on exchanges creates a significant moral hazard. This ambiguity can lead to exchanges engaging in risky behavior, and if an exchange becomes insolvent, customers may face challenges in recovering their assets.

One of the critical issues is the absence of clear regulatory frameworks and legal precedents surrounding cryptocurrency. Many jurisdictions often do not recognize cryptocurrencies as legal tender or property, as they do traditional assets. Consequently, the protections afforded to traditional assets may not extend to crypto assets. In the event of exchange insolvency, customers who hold cryptocurrency assets on the platform may be considered unsecured creditors. As unsecured creditors, they do not have a specific claim on any particular asset or property of the exchange, and there is no guarantee that they will recover their total assets.

Bankruptcy lawyer A.J. Levitin highlighted this issue in the journal article “Not your keys, not your coins: Unpriced credit risk in cryptocurrency.” Levitin emphasized that cryptocurrency exchange investments create a debtor-creditor relationship between the custodian and the customer, allowing exchanges to behave more frivolously with consumer funds than traditional finance due to the lack of precise regulation.

A recent example that illustrates the moral hazard in the cryptocurrency industry is the collapse of FTX, a company with various divisions, including venture capital, a hedge fund, and two exchanges. The group’s hedge fund made risky loans and bets with customer assets. While custodial holdings of securities or cash deposits by securities or commodities brokers or banks receive substantial legal protection under US law, no such protections exist for custodial holdings of cryptocurrencies.

To address these concerns, the Securities and Exchange Commission (SEC) proposed new rules on February 13th, 2023, requiring advisors to properly segregate investors’ assets, including crypto assets, into separate accounts. This proposal aims to prevent fraudulent activities such as Ponzi schemes by ensuring that assets are not recycled to deceive investors. By imposing stricter regulations and requiring audits and record-keeping, the SEC seeks to enhance clarity and guidance for companies issuing cryptocurrencies in compliance with the law.

The SEC’s proposed action is a significant step towards resolving one of the prominent issues in the crypto industry related to the ownership and usage of customer funds. As the regulatory body takes action against cryptocurrency issuers violating securities laws, it brings greater accountability and transparency to the industry. Establishing clear frameworks and protections is crucial for mitigating the moral hazards associated with the ownership of cryptocurrency assets by exchanges.

In conclusion, the lack of clarity surrounding the ownership of cryptocurrency held on exchanges creates a moral hazard in the industry. This ambiguity can lead to risky behavior by exchanges, and customers may face difficulties in recovering their assets if an exchange becomes insolvent. Clear regulations, accountability, and guidance from government regulators are essential to protect customer interests and ensure the long-term viability and stability of the cryptocurrency industry. As the market continues to evolve, efforts should be made to establish comprehensive frameworks and safeguards to address the moral hazards inherent in the ownership of cryptocurrency assets by exchanges.