The United States Securities and Exchange Commission (SEC) received a report from the Office of Inspector General (OIG) alleging that its cybersecurity program was lacking just two weeks before the commission’s X account was hacked on January 9, according to Fox Business reporter Eleanor Terrett.
SEC Received OIG Report Two Weeks Before X Hack
Eleanor Terret tweeted on May 6 about the issue, highlighting a December 2023 OIG report, an independent evaluation by contractor Cotton & Company Assurance and Advisor concluded that the federal regulator fell short of “effectively mitigating security weaknesses.”
“To improve the SEC’s information security program, we urge management to take action to address areas of potential risk identified in this report,” the report read.
The nearly 30-page document highlighted a list of much-needed improvements to the SEC’s security protocols, including maintaining its vulnerability disclosure policy and logging meeting requirements.
🚨NEW: Remember the @SECGov X hack from January 9th? The last update from the agency on January 22 stated that it was working with the Office of the Inspector General and several outside agencies including the FBI about the incident.
But apparently in 2023, the SEC OIG got an…
— Eleanor Terrett (@EleanorTerrett) May 6, 2024
“I am pleased your report identified improvements to SEC’s information security program across several domains, such as risk management, supply chain, security training, and continuous diagnostics and monitoring,” the SEC’s Chief Information Officer David Bottom said in a December 2023 letter to OIG. “The SEC’s Office of Information Technology (OIT) continues to focus on improving maturity throughout the program, even though not all metrics are evaluated and scored each year.”
After receiving OIG’s report on its underperforming security program, the federal agency was ordered to submit an action plan within 45 days. The SEC was hacked shortly after on January 9 when an authorized party gained access to the commission’s X account and posted a fake spot Bitcoin ETF approval announcement.
Cybersecurity Program Questioned Following Report
According to CoinDesk, the hack resulted in $90 million in liquidations, prompting market manipulation concerns.
Fraudulent announcements, like the one that was made on the SEC’s social media, can manipulate markets. We need transparency on what happened.
— Senator Cynthia Lummis (@SenLummis) January 9, 2024
“Deeply concerned with this alleged hack of the SEC’s Twitter account,” Congresswoman Anne Wagner stated. “This is clear market manipulation that impacted millions of investors. I plan to get more answers from Chair Gensler on this incident.”
The federal agency was later found to have not enabled two-factor authentication, allowing an unknown party to access the commission accounts via a SIM-swapping attack.
“Access to the phone number occurred via the telecom carrier, not via SEC systems,” the SEC said in a statement shortly following the hack. “SEC staff have not identified any evidence that the unauthorized party gained access to SEC systems, data, devices, or other social media accounts.”
Despite its obvious vulnerabilities, it is unclear if or when the federal commission will face reprimand for the incident.