The Securities and Exchange Commission warned staffers their personal brokerage account information may have been compromised, according to Reuters.
The contractor hired to operate the ethics compliance program provided names and account numbers to a subcontractor without permission from the SEC, Thomas Bayer, the regulatory body’s CIO, wrote in a letter to employees Oct. 7. Bayer didn’t believe the information had actually been misused.
The news comes just days after the SEC issued guidance recommending organizations disclose all cyber-risks and incidents that may have an impact on operations or financial results. The guidance explicitly spelled out how public companies should disclose various risks so investors understand what security measures organizations have in place.
“It is the SEC’s policy to provide notification of any incident that presents the potential for unauthorized access to personal information,” Bayer wrote.
The SEC has an ethics compliance program to ensure staffers are not engaging in insider trading, which is run by Greenwich, Conn.-based Financial Tracking Technologies, according to The Ethics Program system allows SEC employees to “pre-clear and report” trading activities and holdings to the Ethics Office.
The agency’s Office of Information Technology initiated a security review on Sept. 16 after a former FTT employee said the company may be mishandling data. The IT team found that FTT had hired several consultants and sub-contracted some of the work to a global technology and business services organization. These third-party contractors also had access to the personal data collected by the program without the SEC’s permission or knowledge, which violated FTT’s contract.
“Because FTT did not seek the SEC’s preapproval, the SEC had not subjected the unauthorized personnel to background investigation,” Bayer said.
The SEC has directed FTT to “immediately terminate all access to SEC systems” by the unauthorized parties, Bayer said. The system has since been offline and employees are clearing their trades with the SEC’s ethics office via email, according to Reuters.
FTT claimed in a statement on Oct. 15 that it had notified the SEC of the third-party vendor and that financial data of SEC employees had “remained under our control at all times.”
Even though the data has likely not been misused, “it is prudent to consider taking some precautionary actions to protect yourself,” Bayer wrote. Employees can take advantage of a year of credit monitoring service for free, Bayer said.