Exclusive: Senate Finance head calls for probe into hack of SEC's X account
The chair of the Senate Finance Committee is calling for an official investigation into the recent hack of the U.S. Securities and Exchange Commission's account on X, formerly known as Twitter.
Driving the news: In a letter first shared with Axios, Sen. Ron Wyden (D-Ore.) is calling on the SEC's inspector general to open an investigation into the agency's "apparent failure to follow cybersecurity best practices."
- Sen. Cynthia Lummis (R-Wyo.), a member of the Senate Banking Committee, co-authored the letter.
Why it matters: It remains unclear which office would have jurisdiction over an investigation into the SEC's market-moving hack — when the SEC would usually be the agency that would probe such an event.
- The letter indicates that top congressional leaders see the SEC's inspector general as the best fit for the job.
The big picture: Wyden and Lummis' letter adds to a growing chorus of lawmakers looking to find out how the recent hack happened.
- Sens. J.D. Vance (R-Ohio) and Thom Tillis (R-N.C.) also sent a letter to the SEC on Tuesday demanding answers.
Catch up quick: The SEC said on Tuesday that an unauthorized party had hacked its account on X and sent a false tweet claiming national exchanges were approved at the time to list Bitcoin ETFs.
- X later confirmed that the SEC's account did not have multifactor authentication (MFA) activated at the time of the compromise — meaning a user did not have to verify their identity beyond a phrase-based password to gain access.
What they're saying: "Not only should the agency have enabled MFA, but it should have secured its accounts with phishing-resistant hardware tokens, commonly known as security keys, which are the gold standard for account cybersecurity," Wyden and Lummis wrote in the letter being sent Friday.
- "X has permitted users to restrict access to their accounts exclusively using security keys and to remove phone numbers, which can be easily hijacked by fraudsters, since 2021," they added.
Details: The senators are looking for the inspector general's office to investigate not just the individual incident, but also the agency's overall MFA policies and practices.
- Wyden and Lummis also point out that the SEC's Office of the Inspector General has studied the agency's cybersecurity practices before.
- In a report released in December, the SEC's IG office determined that the agency's "information security program and practices were not effective."
Of note: The SEC also just started enforcing new cybersecurity disclosure requirements for publicly traded companies last month.
What's next: Wyden and Lummis are asking the SEC's inspector general to open an investigation and provide an update to Congress by Feb. 12.