SEC Chairman Jay Clayton faced tough questions and criticism on cybersecurity from a Senate committee on Tuesday.
It was his first testimony before the U.S. Senate Committee on Banking, Housing and Urban Affairs since his appointment to lead the SEC was confirmed. Clayton read his prepared testimony that included comments on the agency’s regulatory agenda, enforcement, fewer initial public offerings and its cooperation with the Department of Labor and state securities regulators in creating better rule-making for financial advisors and broker/dealers.
But much of the testimony was dedicated to cybersecurity and to Clayton’s Sept. 20 statement that the agency’s EDGAR system had been breached in 2016, perhaps in anticipation of the committee’s interest in the subject, which monopolized much of the question-and-answer session.
The reveal by the SEC came on the heels of one of the worst cybersecurity breaches in U.S. history, when Equifax announced earlier in the month that hackers exploited an outdated system and were able to obtain names, Social Security numbers, birth dates, addresses and other information about 143 million Americans.
Even before Clayton gave his testimony, Sen. Sherrod Brown (D-Ohio), the committee’s ranking member, expressed his frustration with the SEC and said “regulatory agencies must abide by the same, or frankly, by a higher standard” than the companies they oversee.
“When we learn a year after the fact that the SEC had its own breach and that it likely led to illegal stock trades, it raises questions about why this SEC seems to have swept this under the rug,” Brown said. “What else are we not being told? What else is at risk? What are the consequences to the American investing public, and the public generally.”
Brown acknowledged that the 2016 breach of the SEC’s EDGAR system didn’t occur under Clayton’s watch. He and other committee members wondered why the SEC hadn’t revealed the breach until last week.
“How can you expect companies to do the right thing when your agency has not?” Brown asked Clayton before his testimony.
While answering questions from Sen. Mike Crapo (R-Idaho), the committee chairman, Clayton reiterated much of what had already been explained in his statement about the 2016 breach.
He said he did not become aware of the breach until August 2017 and then ordered an internal investigation. He determined it was a “serious matter” that needed to be disclosed once the agency was confident it understood the breach’s scope.
“When you make a public disclosure, other people try to test and probe,” Clayton said. “We are under constant attack from nefarious actors.”
Sen. Brown and Sen. Jon Tester (D-Mont.) took issue with Equifax waiting six weeks to disclose its security breach and asked Clayton about a materiality standard for determining when, or whether, a disclosure should occur. Clayton said he is in favor of companies disclosing more complete cybersecurity risk profiles. Some companies, because of the nature or volume of the data they collect and use, are far more exposed than others.
Clayton declined to comment on Equifax or any other specific company during the hearing. He said the SEC is not exactly sure when EDGAR was breached in 2016. But whenever it happened, the agency’s own disclosure came well more than six weeks after the event.
While answering questions from Sen. John Kennedy (R-La.), he also said he did not know whether former SEC Chairwoman Mary Jo White was ever aware of the 2016 breach. However, he said it has been his position, and that of previous regulators, that the agency will need more resources dedicated to cybersecurity going forward.
“Single actors dwarf the amount that we have available to spend in that area,” Clayton said. “To me, that just tells me that we’re a bit out of step and we need to up our game.”