Certainly a sophisticated threat actor could very easily find ways into the SEC system, a former attorney for the agency told CNBC.
The U.S. Securities and Exchange Commission database that was hacked is decades old, former SEC attorney Scott Kimpel told CNBC on Thursday.
The country's top regulator said on Wednesday it discovered last month that its corporate disclosure database was breached in 2016. It is currently investigating the matter, which may have resulted in hackers profiting by trading using insider information stolen from the system.
Kimpel said there are various security systems in place around the SEC's database.
However, "you are dealing with a system that really was built in the 1980s and has been updated through patches over the last three decades," he said in an interview with "Power Lunch."
"Certainly a sophisticated threat actor, be it a nation-state or organized crime or some other person with those sort of inclinations, could very easily find ways into the system."
However, former SEC counsel Bradley Bondi told "Closing Bell" he was very surprised by the intrusion given the tight security in that part of the SEC's system.
"What happened here was the equivalent of a hacker going into Fort Knox and stealing some gold bars," he said.
The system, called EDGAR, houses millions of documents that companies are required to file with the SEC so that investors can access them.
The hackers exploited a software glitch in the system's test filing component to gain access to non-public information, the agency said.
Kimpel said companies often make test filings in the hours or days before the actual filings are submitted. He now suggests they wait until the last possible moment to do so.
"If you would do a test filing at night, for example, before you file the next morning that data sits on the server 12, 14 hours, giving a cybercriminal … plenty of time to play with whatever information they're able to obtain," he said.
The SEC "promptly" patched the vulnerability after detecting it in 2016, but the regulator only became aware last month that the glitch "may have provided the basis for illicit gain through trading," it said.
Bondi said catching those who may have committed the hack and traded illegally on the inside information will be a difficult task.
"It's going to take a while, I think, for the SEC to piece through and determine really the impact here of these hacks," he said. "But they do have the tools, and they do have the legal arsenal to … bring these people to justice."
According to a report reviewed by Reuters, the U.S. Department of Homeland Security detected five "critical" cybersecurity weaknesses on the SEC's computers as of Jan. 23, 2017.
— CNBC's Kerima Greene and Reuters contributed to this report.