What can financial services firms learn from the SEC’s X account hack?

With the Securities and Exchange Commission’s X account being hacked and used to share false information, what lessons can firms learn to minimize social media risk?

26 January 2024
by Jay Hampshire

In brief:

  • The X account of the Securities and Exchange Commission (SEC) was hacked, and an “unknown party” was able to post misinformation relating to approvals of Bitcoin ETFs
  • This hack resulted in a $40 billion market swing – and reputational damage for both the SEC and its cybersecurity-focused chair, Gary Gensler
  • It became clear that the hack was possible because the SEC had not set up two-factor authentication for a phone number connected to its account

Readers of a certain age will remember the chaotic implications of leaving their laptop unattended and logged in to a social media account within reach of friends. They would often return to an embarrassing status, post, or picture uploaded to their account and be forced to issue an explanation. It was (mostly) light-hearted fun, where the worst-case scenario was being embarrassed – not causing a $40 billion market swing.

Unfortunately for Securities and Exchange Commission (SEC) chair Gary Gensler, that’s exactly what happened after a hacker gained access to the official SEC X account and uploaded a post claiming that the regulator had approved US spot bitcoin exchange traded funds (ETFs) – causing considerable market fluctuation and embarrassment for a regulator that regularly espouses the importance of good cybersecurity practices.

Nothing to see here

Just after 16:00 EST on Tuesday, 9th January, the SEC’s X account posted an official-looking update declaring that the regulator “grants approval for #Bitcoin ETFs for listing on all registered national securities exchanges.” This update came amid ongoing wrangling between the commission and the crypto space, with exchange-traded funds (ETFs) the latest battlefield. The post was quickly picked up and shared widely on social media, business news websites, and even Bloomberg TV. A post from the official SEC account, on a current hot-button issue, featuring a picture of and quote attributed to Gensler himself? So far, so legitimate.

Only the post wasn’t legitimate, but the result of “an unknown party” gaining unauthorized access to the SEC’s account. Within ten minutes, Gensler had issued a retraction on his own account, confirming that the SEC’s profile “was compromised, and an unauthorized tweet was posted. The SEC has not approved the listing and trading of spot bitcoin exchange-traded products”.

Unfortunately, ten minutes was more than enough time for the post to have serious repercussions across the Bitcoin market. In the minutes after the fake post was published, the price of Bitcoin rose by around 2.5 percent, although it later fell to around 2.5 percent below its original value. All told, the post resulted in a $40 billion swing in the combined value of all Bitcoin in circulation – a considerable repercussion.

The two-factor factor

An initial investigation into how the unknown party gained access to the SEC’s account was performed by X, with it being confirmed that:

“The compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number associated with the @SECGov account … We can also confirm that the account did not have two-factor authentication enabled at the time the account was compromised. We encourage all users to enable this extra layer of security.”

This is an embarrassing oversight for the SEC given that cybersecurity is something that always sits high on its agenda when it comes to how it assesses the firms it regulates, and especially so considering cybersecurity, operational resilience, and information security were raised as key elements of the commission’s 2024 regulatory examination priorities.

A statement released by the SEC after the breach outlines that the regulator is assessing the next steps to take:

“The SEC will work with law enforcement and our partners across government to investigate the matter and determine appropriate next steps relating to both the unauthorized access and any related misconduct.”

Some especially boisterous voices within the wider financial and governmental space may see Gensler having egg on his face (though not egg from Larry, the now extinct former Twitter mascot) as an opportunity to air personal grievances around his stance on crypto and call for his resignation. While falling foul of the kind of hack the regulator has spent years warning firms to prevent puts Gensler and the SEC in an unenviable position, it is hard to see that such a lapse will result in Gensler’s resignation, even after a potential multi-agency investigation.

What it has resulted in, however, is a cautionary tale of the multiple potential impacts stemming from this sort of cybersecurity risk (and not the first instance of the SEC being forced to take the ‘do as I say, not as I do’ position). 

Assessing the damages

While the failure to ensure two-factor authentication was in place appears to have been a genuine mistake, it has been a costly one, with clear repercussions for the SEC’s regulatory reputation, Gensler’s own standing, and overall market integrity.

  • Reputational damage: Mistakes and oversights can and will happen when it comes to cybersecurity. John Stark, who served 18 years as an attorney for the SEC and now works as a cybersecurity consultant, summarized this well: “You can do everything you can to stop them, but sooner or later, some person screws up”. But unfortunately the SEC is in the unenviable position of being a regulator – an organization in the business of policing and punishing ‘screw ups’ – and an issue stemming from what is a relatively simple cybersecurity step that has taken place in a very public forum could cause damage to the SEC’s reputation and authority in the eyes of some in the market
  • Personal brand: By using an image of Gary Gensler alongside a quote supposedly attributed to him, the unknown hacker gave the fake post an added air of authenticity. What they also did was involve Gensler – already a much-maligned figure in the world of Crypto – forcing him to issue a retraction on his personal account, and to admit that the SEC had failed to uphold standards of cybersecurity it holds those it regulates to. While the SEC ultimately approved the ETFs holding bitcoin around 24 hours after the hack, it has done Gensler’s popularity with some no favours
  • Market integrity: The implication that one rogue social media post can have billions of dollars’ worth of impact on the markets is clear cause for concern. While markets react to external changes, and anticipating and mitigating against these risks is a core part of risk management, social media is beginning to pose a much greater risk to market integrity. While the SEC has put clear guidelines in place to protect consumers against how firms might use social media, like the Marketing Rule, the risks social media might pose to the wider market can be harder to foresee. The collapse of Silicon Valley Bank was expedited by posts and discussion on social media, and firms need to be cautious around the knock-on effects social media risk can have if not accounted for

While the importance of ensuring that basic cybersecurity controls such as two-factor authentication are in place is the clearest takeaway from this incident, the risk social media itself can pose is also something firms need to be aware of.

Our recent survey of data from over 10,000 financial services firms indicated that only 33% of firms are capturing communications data from LinkedIn accounts, and only 20% are capturing the same data from X accounts. Having consistent, clear oversight of how social channels are being used is vital in being able to monitor communications data and anticipate potential social media risk, such as internal bad actors and external messages and posts that might be cause for concern. When combined with solid cybersecurity practices, it creates a bedrock of compliant communications and secure accounts that will reduce both risk to reputation and the markets.

Ensuring that cybersecurity controls such as multi-factor authentication are in place across your business social media channels is just one element of a strong security strategy. Other elements, such as compliant capture and archiving of communications and communications surveillance, ensure you can spot and mitigate potential threats and bad actors – before the damage is done.