The recent breach at the SEC illustrates how prevalent internet cyberattacks have become. They are a ubiquitous threat, inherent to the information exchange the internet provides. Often, with little warning or even indication that the event is occurring, hackers can infiltrate secure systems and access nonpublic information that could be exploited or damaging to multiple parties. Particularly when it comes to EDGAR, a great deal of sensitive, private information is regularly exchanged between companies and the SEC. Should this information be accessed before it’s appropriate, it could lead to all sorts of undesirable consequences. Even something as simple as prior knowledge of the type of form a company is in the process of filing can result in unwanted outcomes. Therefore, it’s essential that we as filers, filing agents, and other involved parties protect ourselves from unwanted intrusions.
Thursday, September 28, 2017
The EDGAR System has multiple layers of protection to verify companies and filings. If you’re not familiar with these protections and how they work to guard against fraudulent filings and data exploitation, we’ll review them briefly here. CIKs, or Central Index Keys, are publicly available numeric codes that identify companies in several online databases, including EDGAR. The CIK is unique to a filer, such as a public company, investment company, reporting owner, or filing agent. These are public-facing, meaning the public has access to the CIK and to the company’s public information indexed by that CIK (such as EDGAR filings). The CCC is a CIK Confirmation Code, which is a secret code distributed by the SEC to identify the recipient and ensure said recipient is authorized to make EDGAR filings on behalf of the filer. A CIK/CCC combination is required to submit a filing.
In addition, to log onto the EDGAR Filing Website, you need a password linked to your CIK. Once logged in, you can search for or make filings using another CIK, though in the second case you must have the CCC for that CIK in order to complete the filing. Also, CIK/CCC code pairs expire annually and must be renewed. You should note that you can change your CCC back to what it was before it expired, but this is generally not a good practice. We’ll talk more about changing your CCC in a bit.
Finally, on top of your CIK, CCC, and password, the SEC also issues you a Password Modification Code (PMAC) and a passphrase. The PMAC is necessary to reset/change your password and CCC, at least annually (as mentioned above), or whenever you feel it’s appropriate. The passphrase can be used in conjunction with the CIK to generate new access codes, including the password, CCC, and PMAC. Think of this as the ultimate level of security. If you forget any of your credentials and key access codes, from your password to your CCC, or if you believe your information has been compromised, the passphrase allows you to reset your account.
Many of these varying codes and passwords are used during the process of submitting a filing to the EDGAR System. The figure below exhibits a general example of the EDGAR submission process. Green lines/boxes indicate sections in the flow of data where information is secure (for example, the EDGAR Filing Website uses HTTP Secure (https) to encrypt and protect the exchange of data). Orange lines/boxes indicate places where there could be potential security vulnerabilities, and, as a filer, you can take steps to protect yourself. The filer/filing agent begins on the left of the flow chart. Note that this section is marked in orange; there can be possible vulnerabilities in your own computer systems/practices. We’ll discuss how to mitigate these risks in a bit.
Once you use your CIK and password to log onto the EDGAR Filing Website, you’ve accessed a secure system. You can enter the database via CIK/CCC or you can transmit your test or live filing. As you submit your filing, your data enters the EDGAR System itself, which is also secure. There is subsequent EDGAR validation of the CCC, validation of the filing itself, and should all that yield no errors, the filing is completed. At this point, if it’s a live filing, it’s disseminated to the public and appears on the EDGAR System Company Page. Both of these actions are secure, governed by the data transfer protocols of the EDGAR System. However, the emails that result from the filing, both live and test, may not be secure since it is hard to control the chain of custody on email depending on the situation.
You can probably see from this simple figure that most of the security risks lie outside the EDGAR Filing Website and the EDGAR System. Of course, should the EDGAR System be compromised (like what has apparently happened recently), there is very little you as the filer or filing agent can do to control the situation. However, there are points during this information flow where you can help to protect yourself and your data.
In general practice, it’s always a good idea to change your passwords regularly and limit internal access to sensitive information at your company. It’s also always wise to keep your systems updated with antivirus, anti-malware, and the latest operating system security patches. The points we’re about to address apply common sense practices to the specific security measures the EDGAR system has provided.
1. When transmitting information to the SEC (or in general), send only CIK/CCC codes. Never give out passphrases or PMAC information.
Passwords should only be given out if the action of filing must be performed under a specific CIK. Remember, except for the accession number, the logon CIK has no legal bearing on the actual filing. The CIK and CCC are required in order to identify the legal entities as part of the filing process and are often distributed to filing agents or other involved parties, but your specific password is not required for a filing agent to file on your behalf. Therefore, beyond CIK/CCC codes, you should take care not to distribute any other information that allows access to the EDGAR system. Never share your PMAC and never share your passphrase. These (especially the passphrase) should be kept private and confidential.
2. Change your CCC regularly.
Because CCCs are often shared with third-party filing agents, they should be changed regularly. The SEC recommends the CCC code be altered whenever it’s been shared with a third party. Some companies change the CCC after each filing. If a cyberattacker or other unauthorized party obtains your CCC, they can file in your name, so it’s especially important to keep these codes protected. Changing them often is essential.
As mentioned above, the CIK/CCC code combination expires annually. The EDGAR System will allow you to change the CCC to the code you are currently using. While this may be tempting for simplicity’s sake, it’s not generally a good practice to do it, particularly if that code has been shared with third parties. The CCC is what identifies a filing as “legitimate” for a given CIK, so if that information is not secure, the entire filing can be compromised.
If you use multiple agents or parties who file on your behalf, consider creating unique CCCs for each party. Then, when a filing is ready, go to the EDGAR System and set that specific CCC code. This relieves the agent from having to constantly change codes and ensures that during a set period of time only that agent can file on your behalf. After a filing has been completed, change the CCC to a code that you do not disclose to anyone.
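The three rules in this section (change the CCC after it has been shared, don’t renew it to a value that was already in use, and give each agent its own CCC) can be checked mechanically against a record of how your CCCs were handled. The script below is an added example written for this post, not a Legato script or anything from the GoFiler product; the event log format, the `CccEvent` record, and every CIK and CCC value in it are constructed placeholders (real CCCs have a format not described here), and Python is used rather than Legato so the example runs on its own.

```python
"""Audit a log of CIK Confirmation Code (CCC) handling events for the
hygiene problems described above: one CCC disclosed to more than one
third party, a CCC changed back to a value that was already used, and a
CCC that is still in effect after it has been shared.

The event record, the log format and all sample CIK/CCC values are
constructed for this example; they are not an EDGAR or GoFiler format."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CccEvent:
    cik: str
    kind: str        # "set": CCC changed to `ccc`; "shared": `ccc` disclosed to `party`; "filed": `party` filed using `ccc`
    ccc: str
    party: str = ""


def audit_ccc_events(events):
    """Return a list of (cik, finding_code, detail) tuples, in the order found."""
    findings = []
    active = {}                  # cik -> CCC currently in effect
    used = defaultdict(set)      # cik -> every CCC value ever set for it
    shared = defaultdict(set)    # (cik, ccc) -> parties the value was disclosed to

    for ev in events:
        if ev.kind == "set":
            if ev.ccc in used[ev.cik]:
                # EDGAR lets you renew to the value already in use, but that is
                # weak practice, and worse if the value was ever handed out.
                who = shared.get((ev.cik, ev.ccc), set())
                detail = "CCC changed back to a previously used value"
                if who:
                    detail += " that was shared with " + ", ".join(sorted(who))
                findings.append((ev.cik, "REUSED_CCC", detail))
            active[ev.cik] = ev.ccc
            used[ev.cik].add(ev.ccc)
        elif ev.kind == "shared":
            parties = shared[(ev.cik, ev.ccc)]
            parties.add(ev.party)
            if len(parties) > 1:
                findings.append((ev.cik, "CCC_SHARED_WITH_MULTIPLE_PARTIES",
                                 "one CCC disclosed to " + ", ".join(sorted(parties))
                                 + "; use a unique CCC per party"))
        elif ev.kind == "filed":
            pass  # the filing itself is fine; what matters is what happens to the CCC afterwards
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")

    # At the end of the log, the CCC in effect for each CIK should be one that
    # nobody outside the company has been given.
    for cik, ccc in active.items():
        who = shared.get((cik, ccc))
        if who:
            findings.append((cik, "ACTIVE_CCC_IS_SHARED",
                             "current CCC was disclosed to " + ", ".join(sorted(who))
                             + "; change it to an undisclosed value"))
    return findings


# Constructed sample log.  Filer 0000000001 follows the recommended practice:
# a dedicated CCC is set for the agent, used for one filing, then replaced
# with a private value.  Filer 0000000002 hands one CCC to two agents, renews
# it to the same value when it expires, and leaves it in effect afterwards.
SAMPLE_EVENTS = [
    CccEvent("0000000001", "set", "CCC-PRIVATE-1"),
    CccEvent("0000000001", "set", "CCC-FOR-AGENTX"),
    CccEvent("0000000001", "shared", "CCC-FOR-AGENTX", "AgentX"),
    CccEvent("0000000001", "filed", "CCC-FOR-AGENTX", "AgentX"),
    CccEvent("0000000001", "set", "CCC-PRIVATE-2"),
    CccEvent("0000000002", "set", "CCC-SHARED-9"),
    CccEvent("0000000002", "shared", "CCC-SHARED-9", "AgentX"),
    CccEvent("0000000002", "shared", "CCC-SHARED-9", "AgentY"),
    CccEvent("0000000002", "filed", "CCC-SHARED-9", "AgentX"),
    CccEvent("0000000002", "set", "CCC-SHARED-9"),
]

if __name__ == "__main__":
    for cik, code, detail in audit_ccc_events(SAMPLE_EVENTS):
        print(f"{cik}: {code}: {detail}")
```

Run against the sample log, the first filer produces no findings and the second produces three, one for each rule. The log itself is the sensitive part of this setup: it holds CCC values, so keep it with the same access restrictions as the codes themselves.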
3. Watch carefully for EDGAR System emails, specifically the email account associated with your Form ID.
The EDGAR System automatically generates notification emails whenever a test or live filing occurs for a CIK. These emails are distributed according to a couple of parameters. First, the form being submitted allows for email addresses to be specified (the number may vary with the form type), and these addresses will be notified upon a test or live filing. Second, the email address associated with the Form ID for the CIK (which was defined when your CIK was registered with the EDGAR System) always receives a notification email of activity concerning the CIK, assuming the CCC matches. This is extremely important. The Form ID email notifications can alert you right away that your CIK/CCC codes have been compromised. If you receive emails for filings that should not exist, you can quickly take steps to address the situation.
For this reason, it’s immensely important to make sure that the email address associated with your Form ID is up to date. It can commonly happen that the person who made the Form ID leaves your company, and his or her email becomes inaccessible. Always ensure that the Form ID email address is secure. It’s a simple way to be certain the activity associated with your CIK/CCC is authorized and legitimate.
Also note that, with the exception of a few forms, the Form ID email will only be notified on filings that have a matching CIK and CCC combination. Attempts that ‘try’ an incorrect CIK/CCC pair will not generate a notification. Please note that forms that require only a CIK (such as a subject-company) may not result in a Form ID email.
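Since the Form ID mailbox receives a notice for every filing that matched the CIK/CCC pair, the useful check is to reconcile those notices against the filings you actually authorized: anything left over is the “filing that should not exist” mentioned above. The script below is an added example for this post, not Legato or GoFiler code. The plain `Header: value` message layout, the register of authorized filings, and every CIK, company name, and accession number in it are constructed for the example and are not the real EDGAR notification format; the one behaviour it takes from the post is that test notices redact the company, CIK, and form type while live notices carry them in plain text.

```python
"""Reconcile filing notification emails delivered to the Form ID mailbox
against an internal register of authorized filings.  A notice with no
authorized filing behind it is the signal described above: someone filed
under your CIK/CCC who should not have been able to.

The "Header: value" message layout and all sample values are constructed
for this example; they are not the real EDGAR notification format."""
import re
from datetime import date, timedelta

# Constructed register: which agent may file which form type for which CIK,
# and the window in which that filing is expected.
AUTHORIZED_FILINGS = [
    {"cik": "0000000001", "form": "10-Q", "agent": "AgentX",
     "start": date(2017, 9, 25), "end": date(2017, 9, 29)},
]

# Constructed sample mailbox.  Test notices redact company, CIK and form type;
# live notices carry them in plain text.
SAMPLE_MAILBOX = [
    "Date: 2017-09-26\nSubmission: TEST\nCIK: [redacted]\nForm Type: [redacted]\n"
    "Accession Number: 0000000001-17-000001",
    "Date: 2017-09-27\nSubmission: LIVE\nCIK: 0000000001\nCompany: Example Co\n"
    "Form Type: 10-Q\nAccession Number: 0000000001-17-000002",
    "Date: 2017-09-28\nSubmission: LIVE\nCIK: 0000000001\nCompany: Example Co\n"
    "Form Type: 8-K\nAccession Number: 0000000001-17-000003",
    "Date: 2017-10-06\nSubmission: TEST\nCIK: [redacted]\nForm Type: [redacted]\n"
    "Accession Number: 0000000001-17-000004",
]

HEADER_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$", re.MULTILINE)


def parse_notice(text):
    """Pull the fields out of one constructed-format notice."""
    fields = {k.strip().lower(): v.strip() for k, v in HEADER_RE.findall(text)}
    return {
        "date": date.fromisoformat(fields["date"]),
        "live": fields["submission"].upper() == "LIVE",
        "cik": fields.get("cik", ""),
        "form": fields.get("form type", ""),
        "accession": fields.get("accession number", ""),
    }


def reconcile(mailbox, authorized, mailbox_cik, test_lead_days=7):
    """Return (accession, reason) for every notice with no authorized filing behind it.

    `mailbox_cik` is the CIK whose Form ID address this mailbox belongs to; it is
    needed because test notices do not say which CIK they concern."""
    alerts = []
    for text in mailbox:
        n = parse_notice(text)
        if n["live"]:
            ok = any(a["cik"] == n["cik"] and a["form"] == n["form"]
                     and a["start"] <= n["date"] <= a["end"] for a in authorized)
            if not ok:
                alerts.append((n["accession"],
                               f"live {n['form'] or 'filing'} for CIK {n['cik']} was not authorized"))
        else:
            # With the CIK and form redacted, the only check possible is whether
            # any authorized filing for this mailbox's CIK was in progress (test
            # filings are allowed a few days ahead of the live window).
            ok = any(a["cik"] == mailbox_cik
                     and a["start"] - timedelta(days=test_lead_days) <= n["date"] <= a["end"]
                     for a in authorized)
            if not ok:
                alerts.append((n["accession"],
                               "test filing with no authorized filing in progress for this CIK"))
    return alerts


if __name__ == "__main__":
    for accession, reason in reconcile(SAMPLE_MAILBOX, AUTHORIZED_FILINGS, "0000000001"):
        print(f"ALERT {accession}: {reason}")
```

On the sample mailbox the authorized 10-Q and its preceding test pass, while the unauthorized 8-K and the October test filing are flagged. Whatever format your own notices arrive in, the register is the part worth keeping: it is what turns “we got an email” into “we got an email we cannot account for”.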
4. Take care of how you handle sensitive data.
Email notifications that come from the EDGAR System can be tricky. Test filing notifications generally redact the company name, the CIK, and the form being test filed. Notification emails pertaining to live filings, however, can have this information visible in plain text. You should exercise caution in how you handle the emails, as even knowing what company is filing what type of form can give data exploiters an advantage. Manage your EDGAR emails carefully.
Completed submissions should also be stored and handled conscientiously to avoid sensitive data being exposed. In an upcoming Legato Developer’s Corner blog, we’ll examine a Legato script that can “scrub” a GoFiler project and filing records to remove the CCC and other sensitive information in order for the submission to be archived.
5. Limit internal access to the PMAC and passphrase.
Obviously, in a filing agent’s production environment, people working with the filing need access to certain information, namely the CIK and CCC for that filing, to access the EDGAR Filing Website. If you’re a filer who prefers to do the work in house, you may instead be dispersing information to other members of your staff or department. In any case, it’s best not to disseminate your password, the PMAC, or your passphrase. We mentioned this before, but this good practice applies within your own company as well. These codes grant someone the capacity to change your EDGAR System information, and with that they can file in your name or potentially access privileged information.
The bottom line is this: it’s a good idea to change your codes often, and it’s important to do what you can to limit the exposure and spread of sensitive information. Of course, this can be a difficult task when a submission may pass through many different hands at multiple companies before reaching the EDGAR System. It can become a quandary when you’re balancing security needs with convenience, efficiency, and common sense. However, these few simple practices can limit the possibility of your sensitive information falling into the wrong hands.