Following the Jan. 9 compromise of the Securities and Exchange Commission's account on X, formerly known as Twitter, two Senators have issued a statement calling the hack "inexcusable" and urging the Inspector General of the US Securities and Exchange Commission (SEC) to investigate the regulator's failure to have basic multifactor authentication (MFA) protections in place.
"Additionally, a hack resulting in the publication of material information for investors could have significant impacts on the stability of the financial system and trust in public markets, including potential market manipulation," Senators Ron Wyden, D-Ore., and Cynthia Lummis, R-Wyo., said in a statement. "We urge you to investigate the agency's practices related to the use of MFA, and in particular, phishing-resistant MFA, to identify any remaining security gaps that must be addressed."
Senators Question SEC Cybersecurity Practices
Since March 2020, Twitter's policy has been to offer text-based two-factor authentication only to premium subscribers. Other organizations, including Google's cybersecurity team Mandiant and the car company Hyundai, have fallen prey to crypto hackers well aware of Twitter's new policy.
Sen. Wyden's office tells Dark Reading the specific concern is why the SEC didn't implement an alternative MFA process like a third-party authentication app or security key once the X policy changed in March 2023.
In the SEC X account breach, the crypto hackers took over a phone number associated with the account and used it to post false information intended to manipulate the bitcoin market.
"Not only should the agency have enabled MFA, but it should have secured its accounts with phishing-resistant hardware tokens, commonly known as security keys, which are the gold standard for account cybersecurity," the letter to the SEC Inspector General said, adding the agency was warned in 2023 about its "poor cybersecurity."
The letter added a shot at the regulator's increasingly rigorous oversight of enterprise cybersecurity.
"The SEC's failure to follow cybersecurity best practices is inexcusable, particularly given the agency's new requirements for cybersecurity disclosure," the Senators wrote.