
SEC hack rattles Wall Street's windows

Chris Hamblin, Editor, London, 25 September 2017


It has emerged that Wall Street's regulated community had to wait for more than a year to learn that online intruders hacked the Securities and Exchange Commission's EDGAR system last summer and might have traded on the information they stole, while all the while the regulator was berating firms for bad cyber-security.

The regulator's website couches its disclosure of the leak in terms that suggest that the commissioners are somewhat out of touch with developments at their offices: "In August 2017, the commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading.  Specifically, a software vulnerability in the test filing component of the commission’s EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to non-public information. It is believed the intrusion did not result in unauthorised access to personally identifiable information, jeopardise the operations of the commission, or result in systemic risk. An internal investigation was commenced immediately at the direction of the chairman."

One of the commissioners, Mike Piwowar, has announced that he was “recently informed for the first time that an intrusion occurred in 2016.” The SEC shut down a specialised unit that looked at cyber-crime in 2010. The EDGAR system, on which financial companies disclose all manner of information, is nearly 20 years old.

The National Investor Relations Institute has expressed its 'shock' at the way the regulator has handled the incident and says that its 3,300 members are embarking on a review of the trading reports they sent to the SEC in an attempt to detect insider dealing. Some commentators have asked the SEC whether this forthcoming review was the reason why it made its disclosure last week, but it has not responded.

Chairman Jay Clayton almost, but not quite, stated in a press release last week that his disclosure of last year's leak was the result of an investigation he began recently: "In May 2017, I initiated an assessment of our internal cybersecurity risk profile and our approach to cybersecurity from a regulatory and oversight perspective. This statement is one part of our effort to analyse, improve and communicate our work in this area to market participants and the American public more generally."

No enforcement activity has yet sprung from a cyber-security failure, but the SEC has been threatening to embark on one and has already been involved in one. In a quarterly open report to the regulator in November, Yahoo said that it was co-operating with federal agencies including the SEC over a “security incident and related matters.” This, according to the Wall Street Journal, was a reference to two huge "data breaches" and the SEC was reportedly trying to work out whether Yahoo should have told investors about them. One occurrence, according to Reuters, happened in 2014, involved 500,000 accounts and was only mentioned in public in September last year. In December, Yahoo declared itself the victim of another (presumably distinct) attack involving a billion accounts in August 2013. Some commentators are viewing this tale as a sign that firms and regulators alike usually want to keep their cyber-episodes a secret - from the public and from each other - for as long as possible.
