WASHINGTON ��The U.S. Securities and Exchange Commission says its database of company filings has significantly increased corporate transparency. But a hack that led to the theft of market-moving secrets is the latest sign that technology also brings dangers the SEC is struggling against.
The breach adds to a growing list of SEC embarrassments over Edgar, an online system in which companies are required to disclose such things as stock sales by top executives and regulatory investigations. Past setbacks include fraudsters posting fake takeover announcements and allegations that some traders were getting access to company news before others.
The cyberattack that occurred last year but not disclosed until Wednesday could be the most problematic incident, because it casts doubt on the SEC's ability to safeguard data that fuels billions of dollars in daily financial transactions. The regulator was already grappling with hackers infiltrating companies to profit from insider trading, and now it turns out that its own systems are a target.
If such breaches continue, or if the SEC is too underfunded or outgunned to fix them, it could undermine company and investor confidence in the agency. That might threaten the regulator's ability to provide a bedrock principle of the U.S. financial system: market transparency.
Edgar has "all sorts of stuff that could possibly move the market," said Larry Tabb, founder and research chairman of Tabb Group, a research firm that specializes in capital markets. "If you can break in, there's a trove of market-influencing information that you can find and mine. There's profit in there."
SEC Chairman Jay Clayton, who took over in May, is scheduled to testify before the Senate Banking Committee Tuesday. He's expected to be questioned about the hack and why the agency waited so long to reveal it. The SEC said it doesn't believe the breach led to the exposure of personally identifiable information, such as Social Security numbers.
Among the few details that the SEC has provided about the intrusion is that it hit a corner of Edgar where companies can submit dummy filings. Such forms, which are not meant to be released publicly, allow startups to get comfortable with using the database. Well-established corporations also use test filings to make sure their announcements are formatted correctly on Edgar and to solicit feedback from the SEC.
The information hackers obtained and may have illegally traded on could have come from those filings.
The SEC has cautioned companies about what they put in test announcements. In a 2015 news release, the agency advised businesses seeking to raise money through crowdfunding not to include "confidential or personally identifiable information" in practice filings. Companies often don't follow that advice, according to securities lawyers and corporate executives.
SEC spokesman Chris Carofine declined to comment on Edgar or the hack.
Questions about the scope of the breach remain unanswered. The SEC hasn't said whether the intrusion was limited to Edgar's test filing system, or if attackers merely used vulnerability there to reach additional records in the database. On average, people access 50 million-plus pages of disclosure documents through Edgar every day. It processes more than 1.7 million electronic filings each year.
The SEC also keeps a lot of confidential corporate data. In addition to the publicly accessible Edgar, the agency maintains a private repository that its officials can peruse, according to two people familiar with the matter who spoke on the condition of anonymity.
The SEC has long considered Edgar to be a centerpiece of its mission of making sure corporations provide full and timely disclosure to investors. The regulator began experimenting with electronic filings in 1984, and within 10 years, it was mandating that public companies submit information in digital form through its Electronic Data Gathering, Analysis and Retrieval System, now universally known as Edgar.
On Wall Street, Edgar is tracked with a laser focus. Traders sign up for data feeds to peruse new filings, using superfast computers to mine announcements and make instantaneous investment decisions.
But the SEC is now struggling to keep up with the deluge of information flowing through a database that was created more than two decades ago.
In 2016, the SEC began what it calls a multiphase effort to redesign Edgar. In a contract solicitation the agency put out that year, it said the repository had become "overly complex, expensive to operate and more difficult to efficiently evolve."
The SEC also noted that over the past eight to 10 years, "the number of filings made on Edgar has tripled, submission size has more than doubled and total data received has quadrupled." The agency said that it used contractors to manage much of Edgar, including to "operate and monitor the system and maintain the hardware and software." The redesign is continuing.
The SEC has been criticized by members of Congress for not closely vetting announcements made through Edgar. For example, in May 2015, Nedko Nedev �� a dual citizen of Bulgaria and the U.S. �� issued a filing indicating that he was making an offer to buy Avon Products. The cosmetics company's shares rose 20 percent before trading was stopped.
The agency argues that the volume of daily announcements would make it impossible to review everything, so it holds companies and individuals responsible for the accuracy of postings. Submitting false information can expose culprits to SEC civil penalties, and even criminal prosecution.
Edgar also drew scrutiny in 2014 when academics found that some traders could get access to public filing data before it appeared on the SEC's website. The researchers said that in some instances, investors who subscribed to feeds sold by an SEC contractor saw certain filings 10 seconds earlier than others.
����
Bloomberg News parent Bloomberg LP redistributes SEC filings. It competes with other news organizations in reporting details in filings.
����
(Massa reported from New York. Matt Robinson and Matt Townsend contributed to this report.)
