Two senators, Ron Wyden, D-Ore., and Cynthia Lummis, R-Wyo., have demanded an investigation into the hack that affected the official Twitter handle of the Securities and Exchange Commission (SEC).
The two senators have asked SEC Inspector General Deborah J. Jeffrey to open an investigation into what happened when the SEC’s Twitter account was compromised, in addition to the “SEC’s apparent failure to follow cybersecurity best practices.”
The SEC’s Twitter account was compromised on Tuesday last week, and the hacker posted a message on the handle saying that the SEC had approved spot Bitcoin ETFs. This happened at the peak of anticipation of SEC approval for a spot Bitcoin ETF.
As a result, several crypto news websites reported the fake news until the SEC, through its chair Gary Gensler, announced that the information was fake. Twitter said at the time that the account was compromised because the phone number associated with the account was not secured with two-factor authentication.
Wyden and Lummis noted that the SEC’s social media accounts should have been kept safe using industry best practices.
“Not only should the agency have enabled MFA, but it should have secured its accounts with phishing-resistant hardware tokens, commonly known as security keys, which are the gold standard for account cybersecurity,” the senators said.
The SEC also later announced that it was partnering with law enforcement agencies to look into the attack on its Twitter account.
SEC Didn’t Take Precaution
The attack on the SEC’s Twitter account has raised many concerns among both the public and key policymakers because of the impact such an incident could have on investors and others.
Addressing the inspector general, Wyden and Lummis said, “Management of the SEC has received ample warning of the dangers of poor cybersecurity practices from your office,” citing a few past reports.
The inspector general’s office had in December found that “the SEC’s information security program and practices were not effective,” and said that although the agency had made progress, other fixes needed to be made.
“Additionally, a hack resulting in the publication of material information for investors could have significant impacts on the stability of the financial system and trust in public markets, including potential market manipulation,” Lummis and Wyden said. “We urge you to investigate the agency’s practices related to the use of MFA, and in particular, phishing-resistant MFA, to identify any remaining security gaps that must be addressed.”
The two senators have demanded an update on the investigation and the SEC’s remediation by Feb. 12. Meanwhile, two other senators, J.D. Vance and Thom Tillis, had sent a letter to SEC chair Gary Gensler requesting clarification on the security breach of the agency’s official X account.
“These developments raise serious concerns regarding the Commission’s internal cybersecurity procedures and are antithetical to the Commission’s tripart mission to protect investors, maintain fair, orderly and efficient markets, and facilitate capital formation,” the letter said.
It Could Have Been Worse
The senators had also earlier stated that a breach of the SEC’s account is an indication of the agency’s attitude towards its cybersecurity in general.
For a sensitive, high-level government agency like the SEC, this could mean potential danger not just to the agency, but also to the companies it works with and to investors, hence the need to investigate in order to avert a more serious incident in the future.