US lawmakers, including Senators Ron Wyden and Cynthia Lummis, are calling for an investigation into the recent hack of the X (formerly Twitter) account of the Securities and Exchange Commission (SEC). The hack occurred on January 10, when hackers compromised the SEC’s X account and posted a false announcement about the approval of Bitcoin exchange-traded funds (ETFs), causing a temporary spike in Bitcoin prices.
In a letter dated January 11, 2024, Senators Wyden and Lummis criticized the SEC for failing to secure its social media accounts using industry best practices. They pointed out that the SEC’s X account did not have two-factor authentication (2FA) enabled at the time of the hack, making it vulnerable to unauthorized access. The hackers were able to take over the account by hijacking a phone number associated with the @SECGov account in a SIM-swapping attack.
This incident is part of a larger trend of crypto-related X account hijacks targeting prominent companies, such as Mandiant, Hyundai, and Certik. The lawmakers expressed concern about the destabilizing impact of such hacks on the financial system, noting that market manipulation could occur if material information for investors is published through compromised accounts.
Wyden and Lummis urged the SEC to adopt cybersecurity best practices, including the use of security keys and 2FA, to prevent future attacks. They cited recent guidance from the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA) recommending the use of these security measures. The senators emphasized the importance of phishing-resistant MFA in particular, highlighting the potential risks posed by inadequate security measures.
The SEC, which introduced new rules in 2023 requiring publicly listed firms to disclose cyber incidents within four days, has faced criticism for its own cybersecurity practices. An independent evaluation in FY23 found that the SEC’s information security program was ineffective. Wyden and Lummis have given the SEC until February 12 to provide an update on its investigation of the incident and its cybersecurity remediation efforts.
Overall, the lawmakers are calling for greater accountability and transparency in cybersecurity practices to protect the integrity of the financial system and public trust in the markets.