UPDATE: The SEC's Netflix/Reed Hastings Policy and @GaryGensler and @SECGov and the SIM Swap Hack

January 23, 2024

January 9, 2024 @SECGov Hacked

This is how everything started. On January 9, 2024, Twitter/X posted from its @Safety https://twitter.com/Safety page that @SECGov https://twitter.com/SECGov had been hacked -- and Twitter/X placed the blame on the federal regulator for its lack of security:

Nostalgic 2023 SEC Cybersecurity Rule

Some have interpreted the @Safety statement as a bit of a back-handed slap at the SEC -- the same SEC that has done its best to regulate Twitter / X and, pointedly, Elon Musk. Notwithstanding the company's likely glee at getting in a few shots at the SEC, it's hard to defend the federal regulator's questionable cybersecurity practices attendant to its @SECGov account. After all, turnabout is fair play:

SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies (SEC Release / July 26, 2023)
https://www.sec.gov/news/press-release/2023-139

The Securities and Exchange Commission today adopted rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. The Commission also adopted rules requiring foreign private issuers to make comparable disclosures.

“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC Chair Gary Gensler. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”

The new rules will require registrants to disclose on the new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material and to describe the material aspects of the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant. An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material. The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing. . . . 

SEC's Tardy Sec.gov Response

The SEC's lack of a TIMELY and PUBLIC disclosure about the hacking is demonstrated by the absence of a Statement on the regulator's government sec.gov website. Both an SEC Press Release and a Statement from Chair Gensler should have been on sec.gov on January 9, 2024. So much for the federal regulator's advocacy of "cybersecurity disclosure to investors." Note the two screenshots from sec.gov that were taken on January 10, 2024, at 11:06 am ET:



The Social-Media Marketing of Federal Securities Regulation

As I have often noted, the modern-day regulation of Wall Street is less about substance and more about the "marketing" of regulation. Once, regulation was about regulation; but today, it's about likes and posts and thumbs up and smiley faces. How nice that as its Twitter / X Account is hacked, the SEC still found time to launch an Instagram account https://www.sec.gov/sec-instagram.

UPDATE:
 
Getting Around to a Statement -- January 12, 2024
 
The hack took place on January 9th. It was only on January 12th (three days later) that the SEC got around to posting a Statement from Chair Gensler on the regulator's .gov website.
 

Based on current information, staff understands that, shortly after 4:00 pm ET on Tuesday, January 9, 2024, an unauthorized party gained access to the @SECGov X.com account by obtaining control over the phone number associated with the account. The unauthorized party made one post at 4:11 pm ET purporting to announce the Commission’s approval of spot bitcoin exchange-traded funds, as well as a second post approximately two minutes later that said “$BTC.” The unauthorized party subsequently deleted the second post, but not the first. Using the @SECGov account, the unauthorized party also liked two posts by non-SEC accounts. While SEC staff is still assessing the scope of the incident, there is currently no evidence that the unauthorized party gained access to SEC systems, data, devices, or other social media accounts.

Upon becoming aware of the incident, staff in the Office of Public Affairs posted to the official @garygensler X.com account at 4:26 pm ET, alerting the public that the @SECGov account had been compromised, an unauthorized post was made, and the Commission had not approved the listing and trading of spot bitcoin exchange-traded products. Staff deleted the first unauthorized post on the @SECGov account, un-liked the two liked posts, and, at 4:42 pm ET, made a new post on the @SECGov account stating that the account had been compromised. Staff also reached out to X.com for assistance in terminating the unauthorized access to the @SECGov account. Based on information currently available, staff believe that the unauthorized access to the account was terminated between 4:40 pm ET and 5:30 pm ET.

The SEC takes its cybersecurity obligations seriously. Commission staff are still assessing the impacts of this incident on the agency, investors, and the marketplace but recognize that those impacts include concerns about the security of the SEC’s social media accounts. The staff also will continue to assess whether additional remedial measures are warranted.

Staff are coordinating with appropriate law enforcement and federal oversight entities, including the SEC’s Office of Inspector General, the Federal Bureau of Investigation, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, amongst others, in their investigations. The agency will provide updates on the incident as appropriate. Importantly, the Commission makes its actions public on the Commission’s website, http://www.sec.gov. The Commission does not use social media channels to make its actions public; social media posts only amplify announcements that are made on our website.

Bill Singer's Comment

According to Chair Gensler's January 12, 2024, Statement at https://www.sec.gov/news/statement/gensler-x-account, the alleged hack of the "@SECGov X.com" account began shortly after 4:00 pm ET on January 9, 2024, with the unauthorized post made at 4:11 pm ET; and, further, the .gov-posted Statement asserts that the SEC's formal response manifested itself in this fashion:

Upon becoming aware of the incident, staff in the Office of Public Affairs posted to the official @garygensler X.com account at 4:26 pm ET, alerting the public that the @SECGov account had been compromised, an unauthorized post was made, and the Commission had not approved the listing and trading of spot bitcoin exchange-traded products. Staff deleted the first unauthorized post on the @SECGov account, un-liked the two liked posts, and, at 4:42 pm ET, made a new post on the @SECGov account stating that the account had been compromised. Staff also reached out to X.com for assistance in terminating the unauthorized access to the @SECGov account. Based on information currently available, staff believe that the unauthorized access to the account was terminated between 4:40 pm ET and 5:30 pm ET.

As such, the SEC Office of Public Affairs announced the unauthorized post (the hack) via a post "to the official @garygensler X.com account at 4:26 pm ET, alerting the public that the @SECGov account had been compromised . . ."

Interesting bit of phrasing, no? The @garygensler X.com account is "official." Official? Which raises the question as to what "official" means when it comes to @garygensler and @SECGov versus sec.gov. Apparently, the SEC doesn't quite see any concerns or issues when it deems Chair Gensler's and the SEC's own Twitter / X accounts as rising to the level of sec.gov. Should the SEC really be talking about Twitter / X accounts as official when that private-sector social media company is regulated by the SEC -- and the relationship among the federal regulator, the private company X, and the private corporate executive Musk is often contentious?

2013 SEC Netflix/Hastings Report

Likely forgotten by many industry pundits is this decade-old matter: Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: Netflix, Inc., and Reed Hastings (SEC Report of Investigation; '34 Act Rel. No. 69279 / April 2, 2013)
https://www.sec.gov/files/litigation/investreport/34-69279.pdf, which was prompted by this event [Ed: footnotes omitted]:

The Division of Enforcement has investigated whether Netflix, Inc. (“Netflix”) and its Chief Executive Officer, Reed Hastings (“Hastings”) violated Regulation FD (17 C.F.R. §243.100 et seq.) and Section 13(a) of the Securities Exchange Act of 1934 (“Exchange Act”). The Commission has determined not to pursue an enforcement action in this matter. The investigation concerned Hastings’s use of his personal Facebook page, on July 3, 2012, to announce that Netflix had streamed 1 billion hours of content in the month of June. Neither Hastings nor Netflix had previously used Hastings’s personal Facebook page to announce company metrics, and Netflix had not previously informed shareholders that Hastings’s Facebook page would be used to disclose information about Netflix. The post was not accompanied by a press release, a post on Netflix’s own web site or Facebook page, or a Form 8-K.

The investigation raised questions regarding: 1) the application of Regulation FD to Hastings’s post; and 2) the applicability of the Commission’s August 2008 Guidance on the Use of Company Web Sites to emerging technologies, including social networking sites, such as Facebook. 

at Page 1 of the 2013 SEC Report of Investigation

Personal Social Media Sites of Individuals

Among the issues considered in the 2013 Netflix/Hastings Report was this aspect of the use of a personal social media site to disclose material corporate information [Ed: footnotes omitted]:

Although every case must be evaluated on its own facts, disclosure of material, nonpublic information on the personal social media site of an individual corporate officer, without advance notice to investors that the site may be used for this purpose, is unlikely to qualify as a method “reasonably designed to provide broad, non-exclusionary distribution of the information to the public” within the meaning of Regulation FD. This is true even if the individual in question has a large number of subscribers, friends, or other social media contacts, such that the information is likely to reach a broader audience over time. Personal social media sites of individuals employed by a public company would not ordinarily be assumed to be channels through which the company would disclose material corporate information. Without adequate notice that such a site may be used for this purpose, investors would not have an opportunity to access this information or, in some cases, would not know of that opportunity, at the same time as other investors.

at Pages 7 - 8 of the 2013 SEC Report of Investigation

@GaryGensler and @SECGov and sec.gov

As posted on the SEC's "Speeches and Statements" page at https://www.sec.gov/news/speeches-statements, the January 12, 2024 Statement at https://www.sec.gov/news/statement/gensler-x-account references "@GaryGensler." Note that the January 2024 SEC Statement is posted on "www.sec.gov . . ." and the link to the statement is posted on "www.sec.gov . . .;" however, the cited "@GaryGensler" post is made on the non-SEC site "https://twitter.com/ . . ." Using that handle as a search term, you are taken to this page https://twitter.com/GaryGensler/status/1744833049064288387. SEC Chair Gensler's cited Twitter / X post (which references "@SECGov") appears as follows:

Accordingly, the @GaryGensler tweet admonishes that the "@SECGov twitter account was compromised . . ." But what, exactly, is the public to make of the differences between content posted on "sec.gov" and, in contradistinction, content posted on "@SECGov" and content posted on "@GaryGensler"? Moreover, should the SEC be fostering the confusion that a private "twitter account," housed on what has morphed into X or Twitter/X, is somehow an "official" United States government site?

Consider how the @GaryGensler page actually displays online under the heading "https://twitter.com/GaryGensler":

A Federal Disclaimer Disclaiming a Social Media Disclaimer?

In the spirit of asking more questions to foster more careful deliberation about the use of social media by government figures and potentially imbuing such social media sites with the appearance of a formal, governmental status, consider what the above "Disclaimer" asserts:

Frankly, I find the SEC's entire social media presence to be both troubling and potentially dangerous. The "Disclaimer" link on the Twitter/X pages sends the reader back to an SEC.gov webpage at https://www.sec.gov/page/sec-social-media-disclaimer. The "SEC Social Media Disclaimer," which is on an sec.gov page, warns that social media content expresses only the "author's views." Further, the sec.gov disclaimer states that the author's views are not approved or endorsed by the Commission. What an incredible bit of circular illogic! A disclaimer posted on a private Twitter/X page sends the reader to a disclaimer on an sec.gov governmental site page, but the official governmental disclaimer says that the views on the social media page are not approved/endorsed by the government agency. So . . . like, y'know, just what the hell are the @GaryGensler and @SECGov Twitter/X pages? Private content? Public content? Opinion? Government sanctioned posts?

I would urge the SEC to revisit its 2013 Netflix/Hastings policy and better reconcile that position with the regulator's 2024 use of social media. Clearly, the emphasis must be on avoiding the use of a non-governmental social media page as the first resort for announcing material regulatory events involving the federal regulator.

UPDATE January 23, 2024

And despite it all (or perhaps in spite of it all?), the SEC still doesn't quite get it. As a federal regulator, the SEC has an obligation to provide transparency in its dealings and to clearly and unequivocally offer public dissemination of its conduct -- even when it's "misconduct." Instead, the SEC plays a shell game when it comes to disclosing the @SECGov / Twitter / X account hack.

Despite the SEC having a "Speeches and Statements" page on its sec.gov website at https://www.sec.gov/news/speeches-statements, as of January 23, 2024, there is still no posting on that page of the latest revelation involving what is now generally referred to as the "SIM swap" hack. Perhaps a bit too cleverly, the SEC seems to think that transparent, public disclosure is best accomplished by issuing a so-called "Media" statement but not printing that very statement on, well, y'know, where else? -- on the sec.gov "Speeches and Statements" page. Instead, the SEC apparently created a new, dedicated page titled "SECGOV X Account," but there's virtually no way to find that listed on the official statements page. Moreover, see if you can find it via a normal online search. Good luck with that! Even more cynically, the dedicated page references a purported "Statement by an SEC Spokesperson to the Media" for several dates, but none of those statements was ever posted on, yeah, you got it, the Speeches and Statements page, and the page still doesn't name the Spokesperson(s).

My, what an inconvenient truth it must be for the SEC to go to such lengths to impede the public's efforts to simply and easily find the various SIM swap hack statements. I'm sure that any number of clever folks at the regulator will argue that I'm making much ado about nothing. What I will direct those same hecklers to is this disclosure on the Speeches and Statements page explaining the nature of the content to be posted there: "Speeches and statements (including testimony and video transcripts) given by the Chair, Commissioners, and SEC staff."

And where the hell on that page is the statement by Chair Gensler or any member of the SEC staff concerning the recent revelation of the SIM swap hack?

Here's what they have buried on some far flung page on their ponderous site:

SECGov X Account (a/o January 22, 2024)
https://www.sec.gov/secgov-x-account

On Tuesday, January 9, 2024, the SEC’s @SECGov X account was compromised. SEC staff are coordinating with appropriate law enforcement and federal oversight entities, including the SEC’s Office of Inspector General, the Federal Bureau of Investigation, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, amongst others, in their investigations into the unauthorized activity.

The agency will provide updates on the incident as appropriate on this page.

 *   *   *
January 22, 2024: Statement by an SEC Spokesperson to the Media:
We are providing the following update on the January 9, 2024, unauthorized access and activity (the “incident”) on the @SECGov X account:

SEC staff are continuing to coordinate with several law enforcement and federal oversight entities, including the SEC’s Office of Inspector General, the Federal Bureau of Investigation, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the Commodity Futures Trading Commission, the Department of Justice, and the SEC’s own Division of Enforcement.

Two days after the incident, in consultation with the SEC’s telecom carrier, the SEC determined that the unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent “SIM swap” attack. SIM swapping is a technique used to transfer a person’s phone number to another device without authorization, allowing the unauthorized party to begin receiving voice and SMS communications associated with the number. Access to the phone number occurred via the telecom carrier, not via SEC systems. SEC staff have not identified any evidence that the unauthorized party gained access to SEC systems, data, devices, or other social media accounts.

Once in control of the phone number, the unauthorized party reset the password for the @SECGov account. Among other things, law enforcement is currently investigating how the unauthorized party got the carrier to change the SIM for the account and how the party knew which phone number was associated with the account. 

While multi-factor authentication (MFA) had previously been enabled on the @SECGov X account, it was disabled by X Support, at the staff’s request, in July 2023 due to issues accessing the account. Once access was reestablished, MFA remained disabled until staff reenabled it after the account was compromised on January 9. MFA currently is enabled for all SEC social media accounts that offer it.

*   *   *

January 12, 2024: Statement by Chair Gary Gensler on Unauthorized Access to the SEC’s @SECGov X.com Account

Based on current information, staff understands that, shortly after 4:00 pm ET on Tuesday, January 9, 2024, an unauthorized party gained access to the @SECGov X.com account by obtaining control over the phone number associated with the account. The unauthorized party made one post at 4:11 pm ET purporting to announce the Commission’s approval of spot bitcoin exchange-traded funds, as well as a second post approximately two minutes later that said “$BTC.” The unauthorized party subsequently deleted the second post, but not the first. Using the @SECGov account, the unauthorized party also liked two posts by non-SEC accounts. While SEC staff is still assessing the scope of the incident, there is currently no evidence that the unauthorized party gained access to SEC systems, data, devices, or other social media accounts.

Upon becoming aware of the incident, staff in the Office of Public Affairs posted to the official @garygensler X.com account at 4:26 pm ET, alerting the public that the @SECGov account had been compromised, an unauthorized post was made, and the Commission had not approved the listing and trading of spot bitcoin exchange-traded products. Staff deleted the first unauthorized post on the @SECGov account, un-liked the two liked posts, and, at 4:42 pm ET, made a new post on the @SECGov account stating that the account had been compromised. Staff also reached out to X.com for assistance in terminating the unauthorized access to the @SECGov account. Based on information currently available, staff believe that the unauthorized access to the account was terminated between 4:40 pm ET and 5:30 pm ET.

The SEC takes its cybersecurity obligations seriously. Commission staff are still assessing the impacts of this incident on the agency, investors, and the marketplace but recognize that those impacts include concerns about the security of the SEC’s social media accounts. The staff also will continue to assess whether additional remedial measures are warranted.

Staff are coordinating with appropriate law enforcement and federal oversight entities, including the SEC’s Office of Inspector General, the Federal Bureau of Investigation, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, amongst others, in their investigations. The agency will provide updates on the incident as appropriate. Importantly, the Commission makes its actions public on the Commission’s website, http://www.sec.gov. The Commission does not use social media channels to make its actions public; social media posts only amplify announcements that are made on our website.

 *   *   *

January 10, 2024: Statement by an SEC Spokesperson to the Media:
We are providing the following update as it relates to the unauthorized access and activity on the @SECGov X.com account:

    1. The SEC continues to investigate the matter and is coordinating with appropriate law enforcement entities, including the SEC’s Office of the Inspector General and the FBI.

    2. The unauthorized content on the @SECGov account was not drafted or created by the SEC.

    3. We will provide updates on the incident as appropriate.

    4. Consistent with existing practice, any Commission action on exchange rule filings would be posted on the relevant section of the SEC’s website at https://www.sec.gov/ and then in the Federal Register. As always, that would be the first public indication of a Commission’s action.

 *   *   *

January 9, 2024: Statement by an SEC Spokesperson to the Media:
The SEC has determined that there was unauthorized access to and activity on the @SECGov x.com account by an unknown party for a brief period of time shortly after 4 pm ET. That unauthorized access has been terminated. The SEC will work with law enforcement and our partners across government to investigate the matter and determine appropriate next steps relating to both the unauthorized access and any related misconduct.

 *   *   *

January 9, 2024: Statement by an SEC Spokesperson to the Media:
The SEC's @SECGov X/Twitter account has been compromised. The unauthorized tweet regarding bitcoin ETFs was not made by the SEC or its staff.
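The January 22 statement reproduced above lays out the chain of failure in three steps: the carrier re-pointed the SEC's phone number to the attacker's SIM, the attacker then used that number to reset the @SECGov password, and MFA had been switched off at the SEC's own request since July 2023 and never turned back on. The following is an added example, written for this page and not code from X, the SEC, or any real account-recovery system, that models that chain so the two controls that would have broken it can be seen side by side: a reset policy that refuses to treat SMS delivery as proof of ownership, and an inventory check that flags any account whose MFA has been off longer than a fixed exception window. The account handle, phone number, SIM identifiers, factor names and the 14-day window are all constructed assumptions.

```python
"""Hypothetical model of social-media account recovery after a SIM swap.

Added example; not code from X, the SEC, or any real recovery flow. The
account, carrier, factor names and policy thresholds are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class Account:
    handle: str
    recovery_phone: str                               # number on file for SMS resets
    mfa_methods: set = field(default_factory=set)     # e.g. {"totp", "hw_key"}
    mfa_disabled_since: Optional[date] = None         # when support turned MFA off


@dataclass
class Carrier:
    """Toy carrier: maps each phone number to the SIM that currently receives it."""
    sim_for_number: dict

    def sim_swap(self, number: str, new_sim: str) -> None:
        # The attack step: the carrier re-points the number to another SIM.
        # The account platform never observes this change.
        self.sim_for_number[number] = new_sim


def sms_code_reaches(carrier: Carrier, number: str, sim: str) -> bool:
    """Whoever holds the SIM the carrier routes the number to receives the code."""
    return carrier.sim_for_number.get(number) == sim


def weak_reset(acct: Account, carrier: Carrier, requester_sim: str) -> bool:
    """Reset policy that treats SMS delivery as proof of ownership.

    After a SIM swap the attacker's SIM receives the code, so this succeeds
    for the attacker although the legitimate owner did nothing.
    """
    return sms_code_reaches(carrier, acct.recovery_phone, requester_sim)


MFA_EXCEPTION_WINDOW = timedelta(days=14)   # assumed maximum time MFA may stay off


def hardened_reset(acct: Account, carrier: Carrier, requester_sim: str,
                   presented_factor: Optional[str], today: date) -> tuple:
    """Reset policy under which the phone number alone never unlocks the account.

    Returns (allowed, reason). SMS is at most a second signal; a factor the
    carrier cannot hand over (TOTP secret, hardware key) is mandatory, and an
    account whose MFA has been off longer than the exception window is frozen
    for automated recovery until a human re-verifies it.
    """
    if acct.mfa_disabled_since is not None:
        off_for = today - acct.mfa_disabled_since
        if off_for > MFA_EXCEPTION_WINDOW:
            return False, f"mfa disabled for {off_for.days}d; manual re-verification required"
    if not acct.mfa_methods:
        return False, "no non-SMS factor enrolled; automated reset refused"
    if presented_factor not in acct.mfa_methods:
        return False, "valid non-SMS factor not presented"
    if not sms_code_reaches(carrier, acct.recovery_phone, requester_sim):
        return False, "sms code not received"
    return True, "ok"


def mfa_audit(accounts: list, today: date, max_days: int = 14) -> list:
    """Inventory check: (handle, days) for MFA off longer than max_days, or
    (handle, None) for accounts that have no non-SMS factor at all."""
    flagged = []
    for a in accounts:
        if a.mfa_disabled_since is not None:
            days = (today - a.mfa_disabled_since).days
            if days > max_days:
                flagged.append((a.handle, days))
        elif not a.mfa_methods:
            flagged.append((a.handle, None))
    return flagged


def demo() -> dict:
    """Replay the described sequence with constructed data and return the outcomes."""
    today = date(2024, 1, 9)
    # Constructed target: MFA switched off in July 2023 and never re-enabled.
    target = Account("@agency", "+15550100", set(), date(2023, 7, 15))
    # Constructed healthy account: TOTP enrolled, MFA never disabled.
    healthy = Account("@other", "+15550199", {"totp"})
    carrier = Carrier({"+15550100": "sim-owner", "+15550199": "sim-owner2"})

    weak_before = weak_reset(target, carrier, "sim-attacker")   # no code reaches attacker yet
    carrier.sim_swap("+15550100", "sim-attacker")               # the SIM swap
    carrier.sim_swap("+15550199", "sim-attacker")
    weak_after = weak_reset(target, carrier, "sim-attacker")
    hard_target, reason = hardened_reset(target, carrier, "sim-attacker", None, today)
    hard_healthy, _ = hardened_reset(healthy, carrier, "sim-attacker", None, today)
    owner_ok, _ = hardened_reset(healthy, Carrier({"+15550199": "sim-owner2"}),
                                 "sim-owner2", "totp", today)
    return {"weak_before_swap": weak_before, "weak_after_swap": weak_after,
            "hardened_target": hard_target, "reason": reason,
            "hardened_healthy_attacker": hard_healthy, "hardened_owner": owner_ok,
            "audit": mfa_audit([target, healthy], today)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the split between `weak_reset` and `hardened_reset` is that the carrier is outside the account platform's trust boundary: anything delivered to the phone number is only as trustworthy as the carrier's own customer-service process, which is exactly the step the statement says is still under investigation. The audit is the cheaper control; it would have surfaced a six-month MFA exception long before January 9.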