SEC Says Two Had ID Breached In Hack – Agency Hires More Security Staff

October 2, 2017

The US Securities and Exchange Commission said two individuals had their information, including Social Security numbers, revealed as part of an intrusion into the SEC’s system.

SEC Chairman Jay Clayton provided an update on the status of the agency’s review and investigation of the 2016 intrusion into the EDGAR system. That intrusion was only recently detected, and the SEC admitted that insider trading may have resulted from the breach.

The ongoing investigation of the 2016 intrusion has determined that an EDGAR test filing accessed by third parties as a result of that intrusion contained the names, dates of birth and Social Security numbers of two individuals. The determination was based on forensic data analysis conducted since the agency’s Sept. 20th disclosure of the intrusion.

The SEC will offer to provide the two individuals with identity theft protection and monitoring services. Others who are revealed in the ongoing investigation will be afforded similar protections, the SEC said.

“The 2016 intrusion and its ramifications concern me deeply.  I am focused on getting to the bottom of the matter and, importantly, lifting our cybersecurity efforts moving forward,” said Clayton.  “While our review and remediation efforts are ongoing and may take substantial time to complete, I believe it is important to provide new information regarding the scope of the 2016 intrusion and provide an update on the steps we are taking to assess and improve the cybersecurity risk profile of our EDGAR system and of the agency’s systems more broadly.”

The agency’s efforts going forward are organized into five principal work streams:

1)    The review of the 2016 EDGAR intrusion by the Office of Inspector General. Staff have been instructed to provide their full cooperation with this effort.

2)    The investigation by the Division of Enforcement into the potential illicit trading resulting from the 2016 EDGAR intrusion.

3)    A focused review of and, as necessary or appropriate, uplift of the EDGAR system. The EDGAR system has been undergoing modernization efforts. The agency has added, and expects to continue to add, additional resources to these efforts, which are expected to include outside consultants, and will increase the focus on cybersecurity matters.

4)    The more general assessment and uplift of the agency’s cybersecurity risk profile and efforts that were initiated shortly after the Chairman’s arrival at the Commission this past May, including, without limitation, the identification and review of all systems, current and planned (e.g., the Consolidated Audit Trail or CAT), that hold market sensitive data or personally identifiable information.

5)    The agency’s internal review of the 2016 EDGAR intrusion to determine, among other things, the procedures followed in response to the intrusion. This review is being overseen by the Office of the General Counsel and has an interdisciplinary investigative team that includes personnel from regional offices and will involve outside technology consultants.

Clayton has pledged to keep Congress informed of the ultimate findings and conclusions of the agency’s internal review into the 2016 intrusion. Clayton also authorized the immediate hiring of additional staff and outside technology consultants to aid in the agency’s efforts to protect the security of its network, systems and data.