The United States Securities and Exchange Commission (SEC) was criticized by the Office of Inspector General (OIG) for having a deficient cybersecurity program just two weeks before the commission’s X account was hacked on January 9. An independent evaluation by contractor Cotton & Company Assurance and Advisor found that the SEC was not effectively mitigating security weaknesses and identified areas of potential risk that needed to be addressed. The SEC’s Chief Information Officer acknowledged the need for improvements in the agency’s security program and stated that the SEC’s Office of Information Technology was focused on enhancing maturity throughout the program, despite not evaluating and scoring all metrics each year.
Following the OIG report on the SEC’s underperforming security program, the federal agency was required to submit an action plan within 45 days. However, the SEC was hacked on January 9 when an unauthorized party gained access to the commission’s X account and posted a fake spot Bitcoin ETF approval announcement. This hack resulted in $90 million in liquidations and raised concerns about market manipulation. Congresswoman Ann Wagner expressed deep concern over the incident and stated her intention to seek more answers from Chair Gensler regarding the market manipulation that impacted millions of investors. The SEC was found not to have enabled two-factor authentication, allowing an unknown party to access the commission’s accounts via a SIM-swapping attack.
The fraudulent announcement made on the SEC’s social media account raised questions about market manipulation and prompted calls for transparency regarding the incident. Senator Cynthia Lummis emphasized the need for clarity on what happened, while Congresswoman Wagner vowed to seek more answers from the SEC Chair. The federal agency clarified that access to the phone number was obtained through the telecom carrier, not through SEC systems, and that there was no evidence of unauthorized access to SEC systems, data, devices, or other social media accounts. Despite the evident vulnerabilities in its cybersecurity program, it remains uncertain if or when the SEC will face consequences for the hack.
The hack of the SEC’s X account and the subsequent fake announcement of a Bitcoin ETF approval highlighted the vulnerabilities in the commission’s cybersecurity program. The OIG report from December 2023 had already identified areas of weakness in the SEC’s security protocols and urged management to address potential risks. The federal agency’s response to the hack included working with the Office of the Inspector General and external agencies such as the FBI to investigate the incident. The lack of two-factor authentication and the use of a SIM-swapping attack to access the SEC’s accounts underscored the need for stronger security measures.
The SEC’s cybersecurity program came under scrutiny following the hack of its X account and the posting of a fake Bitcoin ETF approval announcement on January 9. The OIG report from December 2023 had highlighted deficiencies in the SEC’s security program and recommended improvements to mitigate security weaknesses. The federal agency was ordered to submit an action plan in response to the report, but the hack occurred before any significant changes could be implemented. The incident raised concerns about market manipulation and prompted calls for transparency and accountability from lawmakers. Despite the vulnerabilities exposed by the hack, it is uncertain whether the SEC will face any repercussions for the breach.