US lawmakers are calling for an investigation into the recent hack of the Securities and Exchange Commission’s (SEC) X (formerly Twitter) account. Senators Ron Wyden and Cynthia Lummis have criticized the federal agency for not implementing industry best practices to secure its social media accounts.
The breach occurred on January 10 when hackers compromised the SEC’s X account and posted a fake announcement about the approval of Bitcoin exchange-traded funds (ETFs), causing a brief spike in Bitcoin prices. The SEC quickly responded, clarifying that it had not approved such products.
X’s security team later revealed that the hack was due to a SIM-swapping attack that hijacked a phone number associated with the @SECGov account. It was also noted that the SEC’s account did not have two-factor authentication (2FA) enabled at the time of the breach.
This incident is part of a series of crypto-related hacks targeting prominent companies, including Mandiant, Hyundai, and Certik. The lawmakers emphasized the potential for market manipulation through such hacks and criticized the SEC for not following cybersecurity best practices, such as enabling 2FA and security keys.
They pointed out that the SEC should have used security keys and 2FA to secure its social media accounts, in line with recent guidance from the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA). The option to enable security keys has been available to X users since 2021.
Wyden and Lummis expressed concern about the destabilizing impact of such hacks on the financial system and urged the SEC to investigate its cybersecurity practices. They highlighted the importance of implementing phishing-resistant MFA to address any remaining security gaps.
The SEC, which introduced new rules in 2023 requiring publicly listed firms to disclose cyber incidents within four days, has faced criticism for its poor cybersecurity practices in recent years. An independent evaluation in FY23 found that the SEC’s information security program was not effective.
The lawmakers have given the SEC until February 12 to provide an update on its investigation and cybersecurity remediations. It is essential for regulators to prioritize cybersecurity measures to protect investors and maintain trust in public markets.