SEC's X account hack rehashes concerns over agency's data security
Sen. John Kennedy says risk to investor privacy is 'clearer than ever'
Congressional Republicans are citing the recent hack of the Securities and Exchange Commission’s official account on social media platform X as grounds for redoubling efforts to restrict the agency’s ability to collect large amounts of private investor data, FOX Business has learned.
Louisiana Republican Sen. John Kennedy, a member of the Senate Banking Committee, which oversees the SEC, exclusively told FOX Business that the risk to investor privacy is "clearer than ever" after an unknown party on Jan. 9 gained unauthorized access to the official SEC account on X and posted an erroneous message to the agency's 750,000 followers, announcing the SEC had approved the launch of 11 new bitcoin ETFs.
Kennedy says he plans to push harder for legislation that he introduced to the Senate in July that would restrict the SEC’s mining of investors’ financial and personal data, which he says is unconstitutional.
"The recent hacking of the SEC's X account proves just how badly Americans need the Protecting Investors’ Personally Identifiable Information Act to safeguard their sensitive data," Kennedy said in a statement to FOX Business. "The risk is clearer than ever, as is Congress’s responsibility to act."
Several federal agencies, including the FBI, the SEC’s Office of the Inspector General, the Commodity Futures Trading Commission (which oversees the bitcoin futures market) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, have launched their own investigations into the matter. Sens. Ron Wyden, D-Ore., and Cynthia Lummis, R-Wyo., have requested an update from the Office of the Inspector General on its investigation to be delivered no later than Feb. 12.
The SEC had no official comment but previously stated that staff had not identified any evidence that the unauthorized party gained access to any other SEC systems or data.
The highly anticipated approval announcement of the bitcoin ETF was expected to come from the agency the day after the data breach. The fake post caused the price of bitcoin to briefly spike from $46,730 to nearly $48,000 before SEC staff were able to regain control of the account and announce no decision had been made. Minutes later, bitcoin suffered a mini-crash, falling 4.5% to around $45,000, causing significant investor losses.
A subsequent investigation by X revealed the hack occurred because the account did not have multifactor authentication, a verification method that helps guard against hacking attempts, enabled. The SEC admitted that two-factor authentication was turned off in June at the request of staff, meaning the account was left vulnerable for at least six months before the hack. The SEC has said two-factor authentication is currently enabled for all SEC social media accounts that offer it.
The party behind the account breach has yet to be revealed publicly. It is unclear if the SEC knows the party’s identity.
The event has led to questions from lawmakers on both sides of the aisle about internal cyber safety practices at the SEC, which itself mandates strict cybersecurity compliance from the public companies it regulates. The SEC controls large databases of investor information, like the Consolidated Audit Trail (CAT), which tracks all equities and options trades made in the U.S. and subsequently stores investors’ financial and personal information.
At issue for lawmakers is whether criminals or terrorists can gain easy access to this information to make illicit profits or pursue widespread identity theft and possibly destabilize the U.S. financial system.
"The American people deserve real accountability from the SEC regarding their internal cybersecurity practices," said Rep. Barry Loudermilk, R-Ga. "This is an unacceptable failure and Congress needs answers. If Chairman Gensler cannot secure his agency’s Twitter account, how can we trust the SEC to protect investors’ personal identifiable information?"
Loudermilk introduced companion legislation in the House that he said would help prevent either an accidental or intentional breach by restricting the SEC’s ability to collect data in the first place.
The CAT database was first approved in 2016 but has been expanded under current Chairman Gary Gensler. The data collection effort has also drawn the ire of other regulatory agencies like the Financial Industry Regulatory Authority and of industry trade groups like the Securities Industry and Financial Markets Association, which represent broker-dealers that are required to pay high fees to fund the operation of the database.
When the CAT was created, market participants estimated the average annual costs of operating the database at a little more than $51 million. By March 2023, the CAT published a budget of $223 million, according to the SEC.
Wall Street magnates Citadel Securities and the American Securities Association sued the SEC in October over the Commission’s approval of the new CAT funding model that they say forces brokerage firms to foot around 80% of the bill.
Citadel and the ASA said the SEC "overstepped its statutory authority and failed to address investor and industry concerns" when it signed off on the funding plan.
However, the SEC believes CAT is instrumental in improving investor protection and market integrity by providing surveillance across all areas of U.S. markets. Former SEC Chairman Jay Clayton, Gensler’s predecessor, says CAT was intended to enhance the regulatory oversight of the securities markets. In remarks delivered in September, Gensler said CAT has benefited the Commission in surveillance and enforcement work.