Hackers may have used information stolen from the US financial regulator to make "illicit gain" through insider trading, the body's chairman admitted.

A flaw in the software used to file sensitive corporate information with the US Securities and Exchange Commission (SEC) was exploited in 2016, according to a statement from Jay Clayton.

However, it was not until August 2017 that the agency realised criminals may have used the hack to give themselves an advantage on the stock market.

Mr Clayton said: "Our investigation of this matter is ongoing, however, and we are coordinating with appropriate authorities."

The appropriate authority is likely to be the Federal Bureau of Investigation, which is responsible for pursuing federal and cyber crimes.

As the securities regulator, the SEC collects corporate filings which could have a market-moving effect if they were made public.

The EDGAR database, which was hacked, is used by corporations to file a range of sensitive reports, from their quarterly earnings forms through to announcements of mergers and acquisitions.

Earlier this year the SEC filed fraud charges against a mechanical engineer who was accused of "scheming to manipulate the price of Fitbit stock by making a phoney regulatory filing" on the EDGAR system.

Mr Clayton's statement continued: "We also must recognise - in both the public and private sectors, including the SEC - that there will be intrusions, and that a key component of cyber risk management is resilience and recovery."

He stressed the value to businesses of having adequate cybersecurity plans less than a fortnight after one of the largest breaches announced in recent times.

Earlier in September, credit-checking firm Equifax admitted that 143 million Americans had their details compromised in an attack on its systems.

Equifax discovered the breach on 29 July, but did not inform the public or shareholders until 7 September.

Mr Clayton said that companies needed to consider whether they were adequately disclosing "information about their risk management governance and cyber security risks" to the public.

"Failure to do so may result in an enforcement action," he warned, although the SEC has yet to bring any such action against a non-complying company.