How Not to Address Being Hacked: SEC Edition
The Securities and Exchange Commission let slip Wednesday evening — nearly halfway into a 4,000-word statement on cybersecurity — that it learned last month that a hacking “incident previously detected in 2016 may have provided the basis for illicit gain through trading.” In journalism, this is known as burying the lead.
…
So the SEC waited weeks after learning that its filing system had been penetrated for potentially illicit gain to disclose the break-in. And then it discreetly dropped the news into a lengthy memo advising companies and exchanges about their regulatory obligations to manage and disclose cyber risks.
A few questions: Why didn’t the agency report the incident when it occurred last year — and exactly when? — and what took it so long to figure out that the hack might have resulted in illegal trading activity?
If Vegas were taking bets, I’d put a lot of cash down on more bad news coming out about this hack in the near future. While the SEC is a government entity and has some protection as to what it discloses to the public, it still leaves a lot of questions to be answered. Like: why didn’t it follow its own disclosure guidelines?
From a crisis communications perspective, it’s always better to get out in front of an issue than hide and let information dribble out piece by piece.