WEBVTT - SEC Hacking Shows Latest Weakness in Edgar (Audio)

0:00:00.040 --> 0:00:02.639
<v Speaker 1>When the Security Is and Exchange Commission created the system

0:00:02.680 --> 0:00:06.160
<v Speaker 1>known as EDGAR in the nineteen nineties to make corporate

0:00:06.240 --> 0:00:09.680
<v Speaker 1>key corporate filings publicly available. It was hailed as a

0:00:09.760 --> 0:00:12.639
<v Speaker 1>victory for transparency that would help level the playing field

0:00:12.680 --> 0:00:16.759
<v Speaker 1>for investors, and the system is many years later now

0:00:17.520 --> 0:00:20.080
<v Speaker 1>very heavily used. According to the SEC, it gets more

0:00:20.079 --> 0:00:22.960
<v Speaker 1>than one point seven million filings per year and more

0:00:23.000 --> 0:00:25.919
<v Speaker 1>than fifty million pages of documents are accessed on Edgar

0:00:26.120 --> 0:00:30.240
<v Speaker 1>every day. But the SEC recently revealed that it learned

0:00:30.320 --> 0:00:33.320
<v Speaker 1>last year about a hack into the system that may

0:00:33.360 --> 0:00:37.320
<v Speaker 1>have allowed hackers to obtain and profit from corporate confidential

0:00:37.360 --> 0:00:42.360
<v Speaker 1>corporate information before that information became public. Here to talk

0:00:42.400 --> 0:00:45.159
<v Speaker 1>with us about this hack into the EDGAR system are

0:00:45.240 --> 0:00:48.520
<v Speaker 1>Peter Henning, a professor at Wayne State University Law School,

0:00:48.600 --> 0:00:53.280
<v Speaker 1>and Robert Hockett, a professor at Cornell University Law School. Peter,

0:00:53.800 --> 0:00:56.880
<v Speaker 1>the you know, most of the EDGAR system is publicly

0:00:56.920 --> 0:00:59.600
<v Speaker 1>available information. That's kind of the point, but there is

0:00:59.720 --> 0:01:03.640
<v Speaker 1>part of it that has some confidential information that apparently

0:01:03.720 --> 0:01:06.520
<v Speaker 1>is the subject of this hack. Explain exactly what it

0:01:06.600 --> 0:01:10.320
<v Speaker 1>is that got hacked into here. Well, the security breach

0:01:10.480 --> 0:01:14.000
<v Speaker 1>came through a portal that the SEC has so that

0:01:14.680 --> 0:01:21.080
<v Speaker 1>newer companies companies that recently went public could essentially take

0:01:21.120 --> 0:01:25.920
<v Speaker 1>it for a test drive and past materials on EDGAR.

0:01:26.480 --> 0:01:30.039
<v Speaker 1>The requirement is that whenever a company makes its disclosure UM,

0:01:30.400 --> 0:01:32.960
<v Speaker 1>say quarterly or annual earnings, it has to do that

0:01:33.560 --> 0:01:37.280
<v Speaker 1>UM immediately and make it available to all investors at

0:01:37.319 --> 0:01:38.959
<v Speaker 1>the same time. So it was a way for them

0:01:38.959 --> 0:01:41.800
<v Speaker 1>to test it UM. But there are companies that will

0:01:41.840 --> 0:01:44.720
<v Speaker 1>make filings UH. For example, I p O s Now

0:01:44.800 --> 0:01:48.640
<v Speaker 1>you can make what's essentially a dark filing. You can

0:01:48.680 --> 0:01:51.840
<v Speaker 1>put information in there that isn't available to the public

0:01:52.360 --> 0:01:55.520
<v Speaker 1>that might have been available to the hackers and would

0:01:55.520 --> 0:01:59.040
<v Speaker 1>give them maybe some insight information about what was going

0:01:59.080 --> 0:02:01.880
<v Speaker 1>to happen at those companies and perhaps others if they

0:02:01.960 --> 0:02:04.120
<v Speaker 1>rummaged around through the system. You just don't know what

0:02:04.160 --> 0:02:07.800
<v Speaker 1>you're going to find, Bob, the attack occurred last year.

0:02:08.040 --> 0:02:12.160
<v Speaker 1>The SEC just disclosed it on Wednesday. Is that against

0:02:12.200 --> 0:02:17.520
<v Speaker 1>its own advice to companies to announce cyber attacks promptly? Well,

0:02:17.560 --> 0:02:19.600
<v Speaker 1>it's it's it's hard to tell to tell you the trition.

0:02:19.639 --> 0:02:21.799
<v Speaker 1>I mean, the problem is, UM, you know that the

0:02:21.880 --> 0:02:24.760
<v Speaker 1>SEC is sort of forced start faced with a dilemma

0:02:25.360 --> 0:02:28.600
<v Speaker 1>on the one hand, if it reveals information that turns

0:02:28.639 --> 0:02:32.519
<v Speaker 1>out not to be really that important in the longer term,

0:02:32.560 --> 0:02:35.200
<v Speaker 1>but sort of stokes a panic or stokes sort of

0:02:35.240 --> 0:02:39.160
<v Speaker 1>excess concern in the short term, uh than it might well,

0:02:39.360 --> 0:02:41.920
<v Speaker 1>you know, sort of think better about having disclosed something

0:02:41.960 --> 0:02:44.960
<v Speaker 1>too quickly. So it's not sure whether to tell anybody

0:02:45.120 --> 0:02:47.360
<v Speaker 1>right away because it doesn't want to cause more panic

0:02:47.360 --> 0:02:50.040
<v Speaker 1>than might be warranted. On the other hand, that being said,

0:02:50.080 --> 0:02:52.840
<v Speaker 1>if it does indeed turn out to be a significant problem,

0:02:53.000 --> 0:02:54.720
<v Speaker 1>then of course the SEC looks to have egg on

0:02:54.760 --> 0:02:56.359
<v Speaker 1>its face when it turns out that it knew the

0:02:56.400 --> 0:02:59.440
<v Speaker 1>information even sooner. In this particular case, I think what's

0:02:59.440 --> 0:03:02.800
<v Speaker 1>particularly important or maybe worth noting, is that it didn't

0:03:02.800 --> 0:03:06.680
<v Speaker 1>reveal the information until it determines that somebody might actually

0:03:06.680 --> 0:03:10.360
<v Speaker 1>have used some still gotten information in order to engage

0:03:10.360 --> 0:03:12.840
<v Speaker 1>in some form of insider trading. And that's something the

0:03:12.919 --> 0:03:17.400
<v Speaker 1>SEC apparently only just learned. Well, Peter, if the idea

0:03:17.520 --> 0:03:22.120
<v Speaker 1>of this part of the system, you know, the confidential information,

0:03:22.360 --> 0:03:26.440
<v Speaker 1>is to encourage new companies to get to put things up,

0:03:26.480 --> 0:03:28.639
<v Speaker 1>for folks to get things in early and test out

0:03:28.639 --> 0:03:33.359
<v Speaker 1>the system, what's if this ends up deterring that from happening.

0:03:33.440 --> 0:03:36.120
<v Speaker 1>If this kind of hack deterurns that from happening, what

0:03:36.200 --> 0:03:39.400
<v Speaker 1>are the likely consequences in terms of companies ability to

0:03:39.840 --> 0:03:43.080
<v Speaker 1>get their information out the right way? Well, I don't

0:03:43.080 --> 0:03:44.720
<v Speaker 1>I'm not sure if it will be a detern. It

0:03:44.920 --> 0:03:48.080
<v Speaker 1>certainly will make companies hesitant, and indeed, even the SEC

0:03:49.000 --> 0:03:51.680
<v Speaker 1>said for those using this portal, you know, be careful

0:03:51.720 --> 0:03:54.760
<v Speaker 1>about the information you put here. UM. But you know,

0:03:54.880 --> 0:03:57.560
<v Speaker 1>just like any warning label, I'm not sure how many

0:03:57.600 --> 0:04:01.040
<v Speaker 1>people might have actually read it. Um. Really the message

0:04:01.080 --> 0:04:04.000
<v Speaker 1>here is the broader one, and of course it's coming

0:04:04.040 --> 0:04:07.200
<v Speaker 1>just a couple of weeks after the disclosure of the

0:04:07.240 --> 0:04:12.720
<v Speaker 1>Equifax league is that really no computer system is completely secure.

0:04:12.920 --> 0:04:16.880
<v Speaker 1>That we are living, um in an era and this

0:04:17.040 --> 0:04:19.640
<v Speaker 1>may go on. Um as far as the eye can see,

0:04:19.720 --> 0:04:21.839
<v Speaker 1>we're living in an era in which there is going

0:04:21.920 --> 0:04:26.960
<v Speaker 1>to be cyber attacks and confidential information can get exposed.

0:04:27.480 --> 0:04:31.320
<v Speaker 1>So you know, it's um, maybe physician heled iself. The

0:04:31.480 --> 0:04:35.359
<v Speaker 1>SEC has to take stronger measures here to protect what

0:04:35.480 --> 0:04:39.160
<v Speaker 1>may be crucial information about companies. Otherwise they're going to

0:04:39.240 --> 0:04:41.880
<v Speaker 1>be more careful about what they file and may try

0:04:41.880 --> 0:04:44.800
<v Speaker 1>to puzz things a little bit to try to ratchet

0:04:44.800 --> 0:04:49.000
<v Speaker 1>down how much they end up disclosing in their public filings.

0:04:49.080 --> 0:04:53.720
<v Speaker 1>Bob Edgar is tracked carefully by traders who use super

0:04:53.760 --> 0:04:58.960
<v Speaker 1>fast computers. How much information does Edgar have that can

0:04:59.080 --> 0:05:02.400
<v Speaker 1>actually move the more kit, Well, it's had a great

0:05:02.480 --> 0:05:05.080
<v Speaker 1>deal of such information. And then in a way, that's

0:05:05.080 --> 0:05:07.040
<v Speaker 1>sort of part of the point, right, I mean, the

0:05:07.040 --> 0:05:10.640
<v Speaker 1>original impetus behind Edgar is essentially just sort of a

0:05:10.760 --> 0:05:13.599
<v Speaker 1>race or to sort of diminish, nearly to the vanishing point,

0:05:14.120 --> 0:05:17.560
<v Speaker 1>any kind of time advantage that one trader might have

0:05:17.640 --> 0:05:21.400
<v Speaker 1>relative to another when it comes to trading uninformation that

0:05:21.520 --> 0:05:24.920
<v Speaker 1>is disclosed once it is disclosed, and has some sort

0:05:24.920 --> 0:05:29.440
<v Speaker 1>of significance, a price relevant significance to the shares of

0:05:29.480 --> 0:05:32.120
<v Speaker 1>the firm that are traded. Right. So the irony here,

0:05:32.160 --> 0:05:34.640
<v Speaker 1>of course is that you know Edgar is is established

0:05:34.680 --> 0:05:37.840
<v Speaker 1>in order to level that that playing field. But if

0:05:37.880 --> 0:05:40.280
<v Speaker 1>some people are able to hack it and others are not,

0:05:40.839 --> 0:05:42.840
<v Speaker 1>you might end up with the sort of paradoxyl the

0:05:43.080 --> 0:05:47.560
<v Speaker 1>paradoxical situation wherein Edgar ends up facilitating certain kinds of

0:05:47.600 --> 0:05:52.080
<v Speaker 1>insider trading by essentially gipping off right, some people much more,

0:05:52.600 --> 0:05:55.480
<v Speaker 1>much sooner than it tips off others simply by by

0:05:55.560 --> 0:05:58.720
<v Speaker 1>into those first people's capacity to hack it. So that

0:05:58.720 --> 0:06:00.919
<v Speaker 1>makes Peter's point of all the more important that you know,

0:06:01.000 --> 0:06:04.080
<v Speaker 1>in order for even to sort of fulfill its function,

0:06:04.640 --> 0:06:07.000
<v Speaker 1>it really has to be more or less hack proof,

0:06:07.160 --> 0:06:10.160
<v Speaker 1>or at least it has to be proofed against hacking

0:06:10.240 --> 0:06:13.200
<v Speaker 1>of the kind that can facilitate insider trading. We've been

0:06:13.240 --> 0:06:16.240
<v Speaker 1>talking about the hack of the sec and its implications

0:06:16.279 --> 0:06:19.320
<v Speaker 1>with Peter Henning, professor at Wayne State University Law School,

0:06:19.360 --> 0:06:23.520
<v Speaker 1>and Robert hocket, a professor at Cornell University Law School. Peter,

0:06:23.680 --> 0:06:28.400
<v Speaker 1>this isn't the first time that the SECS Edgar system

0:06:28.440 --> 0:06:31.560
<v Speaker 1>has been compromised. Now they are going to put in

0:06:31.760 --> 0:06:35.640
<v Speaker 1>the consult what's been called the Consolidated Audit Trail, So

0:06:35.839 --> 0:06:38.560
<v Speaker 1>would you explain that and whether they're going to be

0:06:38.640 --> 0:06:44.400
<v Speaker 1>concerns about that in light of this new hack. Consolidated

0:06:44.440 --> 0:06:47.080
<v Speaker 1>Audit Trail has actually been a dream of the SECS

0:06:47.200 --> 0:06:50.599
<v Speaker 1>for about the last thirty to forty years, where it

0:06:50.600 --> 0:06:54.680
<v Speaker 1>would give them a real time look at who is

0:06:54.760 --> 0:06:59.360
<v Speaker 1>trading um across all of the markets, so that they

0:06:59.400 --> 0:07:02.240
<v Speaker 1>could see if there's any kind of market disruption or

0:07:02.760 --> 0:07:08.360
<v Speaker 1>if the order flow is somehow affected by an event

0:07:08.600 --> 0:07:12.600
<v Speaker 1>or perhaps even a technological glitch. So this is what

0:07:12.640 --> 0:07:18.000
<v Speaker 1>they've wanted. What that is, though, is incredibly valuable information. Uh.

0:07:18.280 --> 0:07:22.800
<v Speaker 1>If I know that, say Fidelity or Vanguard is selling

0:07:22.800 --> 0:07:27.640
<v Speaker 1>out a position or accumulating a position, um, I can

0:07:27.680 --> 0:07:30.720
<v Speaker 1>trade ahead of that or trade along with it before

0:07:30.800 --> 0:07:32.800
<v Speaker 1>the stock price is affected. I can make a great

0:07:32.840 --> 0:07:36.080
<v Speaker 1>deal of money. So what the heck is saying is

0:07:36.160 --> 0:07:41.440
<v Speaker 1>that as the SEC accumulates more and more valuable information, uh,

0:07:41.520 --> 0:07:45.680
<v Speaker 1>it's going to become a target even more. And so

0:07:45.800 --> 0:07:49.000
<v Speaker 1>it's really going to have to protect that information. And

0:07:49.000 --> 0:07:51.840
<v Speaker 1>of course the firms are worried that their information could

0:07:51.880 --> 0:07:55.400
<v Speaker 1>be stolen and used either against them or by someone

0:07:55.440 --> 0:07:59.560
<v Speaker 1>to profit. And that's going to cost other investors money.

0:07:59.440 --> 0:08:02.560
<v Speaker 1>I expected, given this hack, and you know, we don't

0:08:02.560 --> 0:08:05.560
<v Speaker 1>know that much about it yet, but given this hack, uh,

0:08:05.960 --> 0:08:09.720
<v Speaker 1>a lot of banks and other investors would be very

0:08:09.760 --> 0:08:12.640
<v Speaker 1>concerned about what might happen when the consolidated art show

0:08:12.680 --> 0:08:15.320
<v Speaker 1>finally gets up. Can we expect that this is just

0:08:15.360 --> 0:08:20.000
<v Speaker 1>going to delay that project, you know, by measures we

0:08:20.040 --> 0:08:23.360
<v Speaker 1>can't even figure out yet. Yeah, I don't know, I

0:08:23.680 --> 0:08:25.840
<v Speaker 1>really don't know whether we should expect this to sort

0:08:25.840 --> 0:08:28.440
<v Speaker 1>of delay that project or not. I mean, it might

0:08:28.520 --> 0:08:32.480
<v Speaker 1>do that. It might in fact instead hasten the project

0:08:32.559 --> 0:08:37.240
<v Speaker 1>of of beefing up internet security or cybersecurity or the like.

0:08:37.440 --> 0:08:39.760
<v Speaker 1>Where it might that might do both. I mean a

0:08:39.760 --> 0:08:41.720
<v Speaker 1>couple of other things worth noting in this connection. It

0:08:41.760 --> 0:08:43.360
<v Speaker 1>seems to me as first of all, there is the

0:08:43.400 --> 0:08:47.199
<v Speaker 1>Equifax matter that Peter had mentioned before. There's also another

0:08:47.240 --> 0:08:49.480
<v Speaker 1>matter that we've sort of forgotten about but was pretty

0:08:49.480 --> 0:08:51.960
<v Speaker 1>big news about a year ago, and that was when

0:08:51.960 --> 0:08:55.480
<v Speaker 1>the New York bet was fooled by hackers into making

0:08:55.760 --> 0:08:59.520
<v Speaker 1>a very large money transfer on behalf or supposedly on

0:08:59.640 --> 0:09:03.440
<v Speaker 1>behalf of the Bangladesh Central Bank UH and that was

0:09:03.840 --> 0:09:06.360
<v Speaker 1>done through hacking as well. And indeed the New York

0:09:06.440 --> 0:09:09.920
<v Speaker 1>Fed sort of discovered the problem um only sort of

0:09:09.960 --> 0:09:13.720
<v Speaker 1>by accident, only through a sort of a fortuity owing

0:09:13.720 --> 0:09:16.320
<v Speaker 1>to a strange name that was used by one of

0:09:16.360 --> 0:09:19.360
<v Speaker 1>the parties who was hacking it. And so people have

0:09:19.440 --> 0:09:21.079
<v Speaker 1>since then, of course, has been a little bit concerned

0:09:21.080 --> 0:09:24.599
<v Speaker 1>about the security of the swift money transfer system that

0:09:24.679 --> 0:09:26.960
<v Speaker 1>the central banks and other banks used as well. So

0:09:27.440 --> 0:09:30.280
<v Speaker 1>in a way, the problem is is quite pervasive throughout

0:09:30.320 --> 0:09:33.560
<v Speaker 1>the the financial system, and I'm hoping therefore that the

0:09:33.600 --> 0:09:35.560
<v Speaker 1>takeaway from this will be that we really have to

0:09:35.600 --> 0:09:38.880
<v Speaker 1>get quite serious about cybersecurity across the entirety of the

0:09:38.920 --> 0:09:42.640
<v Speaker 1>financial system and not let it delay um uh sort

0:09:42.679 --> 0:09:45.400
<v Speaker 1>of beneficial actions that various regulars who are planning to

0:09:45.400 --> 0:09:48.320
<v Speaker 1>take unless absolutely necessary, but instead it just sort of

0:09:48.320 --> 0:09:51.200
<v Speaker 1>speed us up when it comes to really addressing all

0:09:51.240 --> 0:09:53.800
<v Speaker 1>of the cyber vulnerabilities that appear to be pervasive out there.

0:09:54.360 --> 0:09:58.880
<v Speaker 1>Peter SEC Chairman Jake Clayton is scheduled to testify before

0:09:58.880 --> 0:10:02.000
<v Speaker 1>the Senate Banking com it Eating next week. What kind

0:10:02.000 --> 0:10:05.320
<v Speaker 1>of questions do you expect him to be getting and

0:10:05.360 --> 0:10:08.679
<v Speaker 1>will there be a grilling of sorts? There'll be a

0:10:08.720 --> 0:10:10.760
<v Speaker 1>little bit of a grilling, although in a sense he

0:10:10.800 --> 0:10:14.360
<v Speaker 1>gets a bit of a free pass because the hack

0:10:14.480 --> 0:10:18.760
<v Speaker 1>took place under his predecessor, Mary Joe White, and you know,

0:10:18.840 --> 0:10:22.000
<v Speaker 1>perhaps the delay and disclosing it um might be an

0:10:22.040 --> 0:10:25.040
<v Speaker 1>issue brought up, But really I think he wants to

0:10:25.200 --> 0:10:28.760
<v Speaker 1>use this as a way to highlight the need to

0:10:28.960 --> 0:10:34.120
<v Speaker 1>enhance cybersecurity. And as Bob said, Bob's absolutely right that, um,

0:10:34.679 --> 0:10:37.719
<v Speaker 1>this is not we can't just beat these as isolated incidents.

0:10:38.040 --> 0:10:40.480
<v Speaker 1>That this is something that is going to be pervasive

0:10:40.600 --> 0:10:44.400
<v Speaker 1>through the financial system, and so if you view one

0:10:44.480 --> 0:10:49.760
<v Speaker 1>security patch as somehow a cure, it's at best of placebo.

0:10:49.920 --> 0:10:52.760
<v Speaker 1>So I think Clayton is going to go on the

0:10:52.800 --> 0:10:56.200
<v Speaker 1>offensive here and perhaps even use this as a way

0:10:56.240 --> 0:10:59.439
<v Speaker 1>to ask Congress for more money for the SEC. Uh,

0:10:59.520 --> 0:11:03.960
<v Speaker 1>don't free act. This is a political agency, Bob. You know,

0:11:04.000 --> 0:11:06.720
<v Speaker 1>we we talk about the importance of cybersecurity, and it

0:11:06.840 --> 0:11:10.720
<v Speaker 1>seems are there ways to actually stop this from happening

0:11:10.720 --> 0:11:14.439
<v Speaker 1>because it seems like every everyone and every agency can

0:11:14.480 --> 0:11:18.600
<v Speaker 1>be act. Yeah. So I mean if I were a

0:11:18.640 --> 0:11:22.600
<v Speaker 1>computer security expert, um, I could answer you more different deplity,

0:11:22.600 --> 0:11:24.360
<v Speaker 1>but I would probably also be a millionaire or a

0:11:24.360 --> 0:11:27.520
<v Speaker 1>billionaire by now. It's I mean, in theory, we can

0:11:27.679 --> 0:11:30.640
<v Speaker 1>do this, right, but but there's so many prerequisites that

0:11:30.880 --> 0:11:33.480
<v Speaker 1>have to be met. One of them that maybe it's

0:11:33.480 --> 0:11:36.959
<v Speaker 1>worth highlighting at the moment is that because so much

0:11:37.160 --> 0:11:39.640
<v Speaker 1>of the transacting that goes on in the financial system

0:11:39.640 --> 0:11:44.200
<v Speaker 1>now takes place across borders through multiple electronic systems, you

0:11:44.280 --> 0:11:47.160
<v Speaker 1>need some kind of harmonization on the part of multiple

0:11:47.240 --> 0:11:51.440
<v Speaker 1>jurisdictions when it comes to what forms of electronic communications

0:11:51.440 --> 0:11:53.720
<v Speaker 1>are going to be used, what protocols or what security

0:11:53.720 --> 0:11:57.760
<v Speaker 1>protocols are to be used, what specific technologies technologies are

0:11:57.760 --> 0:11:59.520
<v Speaker 1>going to be used, and so forth, And it's thus

0:11:59.520 --> 0:12:01.640
<v Speaker 1>far proved it would be difficult to get consensus even

0:12:01.679 --> 0:12:03.079
<v Speaker 1>on that. You might have read even a couple of

0:12:03.160 --> 0:12:05.440
<v Speaker 1>days ago that some of our partners in Europe and

0:12:05.480 --> 0:12:07.920
<v Speaker 1>Asia are sort of suspicious of the protocols that were

0:12:07.920 --> 0:12:10.880
<v Speaker 1>currently favoring because they think we might be favoring Member

0:12:10.880 --> 0:12:13.280
<v Speaker 1>precisely because we're able to hack them. I'm going to

0:12:13.360 --> 0:12:15.760
<v Speaker 1>have to stop you there. I thought all professors were

0:12:15.840 --> 0:12:19.280
<v Speaker 1>millionaires thanks to two of them, Peter Henning, professor at

0:12:19.280 --> 0:12:22.720
<v Speaker 1>Waynestad University Law School and Robert Hockett, professor at Cornell

0:12:22.840 --> 0:12:23.880
<v Speaker 1>University Law School,