Gary Gensler, the chairman of the U.S. Securities and Exchange Commission (SEC), has addressed inquiries from legislators concerning a security incident involving the SEC’s account on X.
On Jan. 9, an unauthorized individual executed a SIM swap attack on the SEC’s account on X and falsely announced that the SEC had sanctioned several spot Bitcoin ETFs. Despite the initial message being fake, the SEC did indeed authorize those funds on Jan. 10.
The incident triggered a swift response from Gensler, who reassured lawmakers of the SEC’s commitment to cybersecurity. In a communication to House members Patrick McHenry, Bill Huizenga, French Hill, and Ann Wagner, Gensler emphasized the SEC’s dedication to stringent cybersecurity measures. “I assure you that the SEC takes its cybersecurity obligations seriously,” Gensler stated, highlighting a briefing arranged on Jan. 17 to address the incident and respond to inquiries from the lawmakers.
This group of House members had previously expressed concerns, urging the SEC to adhere to the same security disclosure standards it expects from regulated companies. They requested a detailed explanation by Jan. 17, a deadline the SEC met through the mentioned briefing.
Senators Ron Wyden and Cynthia Lummis also engaged with the SEC, seeking an investigation into enhanced security measures such as multi-factor authentication and the implementation of phishing-resistant hardware tokens. However, an update on these requests, expected by Feb. 12, was not covered in Gensler’s latest correspondence.
Gensler’s letter, not initially made public, came to light following a report by Politico on Feb. 8. It detailed the ongoing investigation into the SIM swap attack, including efforts to understand how the attacker accessed the phone number linked to the SEC’s X account and bypassed security measures.
Critics pointed out that the SEC’s X account lacked two-factor authentication at the time of the breach, a security feature subsequently enabled across all SEC social media platforms. The SEC is continuing to investigate the extent of the breach and has found no evidence of further unauthorized access to its systems or data.