The Securities and Exchange Commission (SEC) has proposed security and access control upgrades to its EDGAR system, where public companies file their documents with the regulator. Among the more notable changes is shifting from a one login per company system to a one login per individual. This means that, rather than the entire company having one account that is used to file everything they need with the SEC, every person logging into the EDGAR system will need their own account and credentials. SEC Chair Gary Gensler compared the current system to having the entire family share one password for a streaming app.
“This is like having a family passing around one shared login and password for a movie streaming app. You know where that can lead. That’s simply not the most secure system—for filers and the Commission alike—when it comes to information relating to financial disclosure. By contrast, today’s actions would further secure login protocols by requiring every person filing something into EDGAR to login with individual credentials and to use multi-factor authentication,” he said in his statement supporting the proposal.
Right now, those seeking to file on EDGAR apply for access by completing the Form ID application for access on the EDGAR Filer Management website and submitting a notarized copy of that application signed by an authorized individual of the filer. Further, when the applicant entity or individual submits the Form ID, the applicant must create and retain a passphrase to be used to create access codes if the application is granted. If Commission staff approves the Form ID application, an account in the filer’s name is opened on EDGAR, denoted by a central index key number (“CIK”) unique to that filer, if needed.
This system has made it difficult to trace filings to specific individuals, as the entire company uses the same credentials. As a result, SEC staff and affected filers often encounter delays in addressing potentially problematic filings. The SEC also said, in the proposed rule itself, that there are major security concerns with this approach, such as companies actually losing track of who does and does not have access. This is particularly problematic when considering many entities use third parties, like law firms or software providers, to make EDGAR filings for them.
Under the new system being proposed, each filing entity will authorize and maintain individual EDGAR accounts, including for any third parties who file on their behalf. They will also authorize account administrators and technical administrators to oversee access. Each filer, through its account administrators, would be required to confirm annually that all account administrators, users, technical administrators, and delegated entities are authorized by the filer to act on its behalf, and that all information about the filer on the dashboard is accurate; maintain accurate and current information on EDGAR concerning the filer’s account; and securely maintain information relevant to the ability to access the filer’s EDGAR account. These accounts will also be equipped with multi-factor authentication, which the current system lacks.
Beyond the proposal itself, the SEC also said it will open to the public a beta software environment for filer testing and feedback, which will reflect the proposed rule and form amendments and the related technical changes, on Sept. 18, 2023. Information about signing up for beta testing and extensive additional information about the proposal and related technical changes can be found on the EDGAR Next—Filer Access and Account Management page on SEC.gov.
The proposed rule will be published in the Federal Register. The public comment period will remain open until 60 days after the date of publication of the proposing release in the Federal Register.