Senators Ron Wyden and Cynthia Lummis requested an investigation from the U.S. Securities and Exchange Commission (SEC) in a letter on January 11.
The two lawmakers asked SEC Inspector General Deborah Jeffrey to open an investigation into a security breach that occurred two days earlier, as well as the agency’s failure to follow best cybersecurity practices.
The breach allowed an unknown party to illegally access the SEC’s X account and post a false announcement suggesting that the agency had approved a spot Bitcoin ETF. Although the SEC did approve ETFs of that type a day later, the agency said the original report was false and confirmed the breach.
The senators said the SEC should have used multi-factor authentication and phishing-resistant hardware tokens (i.e., security keys). They asked that the investigation focus on these issues and identify any other security gaps. They requested an update on the investigation by February 12, 2024.
Did the SEC break rules?
Senators Wyden and Lummis did not suggest that the SEC had broken any specific rules by making the mistakes that enabled the breach.
The two senators noted that the White House Office of Management and Budget (OMB) issued a memo in January 2022 requiring agencies to use multi-factor authentication and security keys. While they acknowledged that this policy does not apply to social media websites, they said the memo makes clear that such features are necessary to protect against attacks.
The senators have not suggested that the SEC has violated certain rules that require companies to disclose violations of securities laws. They did, however, imply hypocrisy on this issue, calling the SEC’s failures “inexcusable, especially given the agency’s new cybersecurity disclosure requirements.”
The senators also highlighted the “clear potential” for market manipulation in their complaint. Bitcoin did see sudden losses when the SEC revealed the false nature of the announcement. The price of Bitcoin (BTC) fell from $46,865 to $45,415 within two hours of 9:00 PM UTC on January 9, marking a loss of around 3%.
Despite the critical nature of the SEC’s failures, the lack of specific violations makes it unclear what consequences the agency could face.