Senators Want Better SEC Cybersecurity After ETF-Related Hack

Two U.S. senators want the Securities and Exchange Commission (SEC) to up its cybersecurity game after a recent hack.

Last week, someone breached the SEC’s account on X to falsely announce the regulator’s long-awaited approval of bitcoin exchange-traded funds (ETFs).

While that approval would come a day later, the phony news temporarily drove up the price of bitcoin.

Now, Sens. Ron Wyden, D-Ore., and Cynthia Lummis, R-Wyo., are calling on the agency to investigate the breach.

“The SEC’s failure to follow cybersecurity best practices is inexcusable, particularly given the agency’s new requirements for cybersecurity disclosure,” the lawmakers wrote in a letter to SEC Inspector General Deborah J. Jeffrey on Friday (Jan. 12).

“Additionally, a hack resulting in the publication of material information for investors could have significant impacts on the stability of the financial system and trust in public markets, including potential market manipulation. We urge you to investigate the agency’s practices related to the use of MFA, and in particular, phishing-resistant MFA, to identify any remaining security gaps that must be addressed.”

MFA refers to multifactor authentication, a security measure that the SEC apparently did not use when logging onto X (formerly known as Twitter).

“Based on our investigation, the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party,” X said last week.

“We can also confirm that the account did not have two-factor authentication enabled at the time the account was compromised.”

The SEC has said that the FBI is investigating the case. The incident has also drawn the ire of Sens. J.D. Vance, R-Ohio, and Thom Tillis, R-N.C., who likewise demanded an explanation from the SEC last week.

In a letter dated Tuesday and addressed to SEC Chair Gary Gensler, the senators said the unauthorized post and the confusion that followed raise concerns about the SEC’s internal cybersecurity procedures and its ability to carry out its mission.

“It is unacceptable that the agency entrusted with regulating the epicenter of the world’s capital markets would make such a colossal error,” the senators wrote.