SEC is taking cybersecurity obligations seriously, Gensler tells Congress

The Securities and Exchange Commission is continuing to gauge the scope of a false social media post that went out ahead of the approval of spot bitcoin exchange-traded funds, Chair Gary Gensler said in a letter to House Republicans.

"I assure you that the SEC takes its cybersecurity obligations seriously," Gensler said last week in the letter sent to House Financial Services Committee Chair Patrick McHenry, Rep. Bill Huizenga of Michigan, Rep. French Hill of Arkansas and Rep. Ann Wagner of Missouri.

The four Republicans had demanded a briefing from the SEC to look into what went wrong when a false post about the approval of spot bitcoin ETFs went out on the agency's X account in early January. 

"I understand that the SEC’s Office of Legislative and Intergovernmental Affairs arranged a briefing on January 17 for your staff concerning the X incident and addressing the questions raised in your letter. SEC staff remains available to answer any additional questions you may have," Gensler said in last week's letter.

A phony post went out to the SEC's hundreds of thousands of followers on Jan. 9 that said the agency had granted approval for the listing of spot bitcoin ETFs, which was not yet the case. Gensler then quickly posted from his personal account that the SEC's X account had been compromised. 

X confirmed in a post on Jan. 9 that the SEC's X account had been compromised, as someone obtained control over a phone number associated with the account. The platform's security team noted that the SEC did not set up two-factor authentication for its account when it was compromised, which sparked criticism from some in Washington D.C.

On Jan. 10, the agency officially approved spot bitcoin ETFs. 

Multiple updates from the SEC

The SEC said its multi-factor authentication on its X account had been previously disabled, but has since been enabled on all SEC social media accounts that offer it, according to a Jan. 22 update .

The SEC also discussed a SIM swap, a technique that is used to transfer someone's phone number to another device without authorization.

"Among other things, law enforcement is currently investigating how the unauthorized party got the carrier to change the SIM for the account and how the party knew which phone number was associated with the account," Gensler said in the letter. "At present, SEC staff have not identified any evidence that the unauthorized party gained access to SEC systems, data, devices, or other social media accounts."