By 
In response to a recent cyber attack that led to a false announcement regarding the approval of bitcoin exchange-traded funds (ETFs) on the Securities and Exchange Commission’s (SEC) X account, two U.S. senators, Ron Wyden (D-Ore.) and Cynthia Lummis (R-Wyo.), are calling for an investigation and urging the SEC to bolster its cybersecurity practices.
Last week, an unidentified individual breached the SEC’s X account to falsely declare the regulator’s approval of bitcoin ETFs, causing a temporary surge in bitcoin prices. Although the actual approval came a day later, the incident highlighted vulnerabilities in the SEC’s cybersecurity measures.
In a letter addressed to SEC Inspector General Deborah J. Jeffrey on Friday, Senators Wyden and Lummis expressed their concerns, stating, “The SEC’s failure to follow cybersecurity best practices is inexcusable, particularly given the agency’s new requirements for cybersecurity disclosure.”
The lawmakers emphasized that a cybersecurity breach leading to the dissemination of material information for investors could have severe consequences on the stability of the financial system and trust in public markets, potentially enabling market manipulation.
The senators urged the SEC to investigate its practices related to the use of multifactor authentication (MFA), particularly phishing-resistant MFA, to identify any existing security gaps that need addressing.
Multifactor authentication is a security measure that the SEC apparently did not use when logging onto X. The compromise was attributed to an unidentified individual gaining control over a phone number associated with the @SECGov account through a third party.
X clarified, “We can also confirm that the account did not have two-factor authentication enabled at the time the account was compromised.” The SEC has reported that the FBI is currently investigating the incident.
Senators J.D. Vance (R-Ohio) and Thom Tillis (R-N.C.) also expressed their concerns about the incident in a letter addressed to SEC Chair Gary Gensler. They emphasized that the unauthorized post and ensuing confusion raised questions about the SEC’s internal cybersecurity procedures and its ability to fulfill its mission, describing the agency’s error as unacceptable given its regulatory role in the global capital markets.
Comments