Jay Clayton, the head of the Securities and Exchange Commission, told a Senate panel Tuesday that he found out about a serious security breach at the agency belatedly and that determining the extent of the intrusion could take a significant amount of time.
In his first appearance before the Senate Banking Committee since taking office, Clayton faced some critical questioning from lawmakers about the agency’s handling of the breach and how the SEC would manage the fallout from the massive hack of the credit reporting company Equifax that exposed the personal information of 143 million people.
Regulators should abide by the same, or even higher, standards as the companies they regulate, said Sen. Sherrod Brown (Ohio), ranking Democrat of the committee. “So when we learn a year after the fact that the SEC had its own breach and that it likely led to illegal stock trades, it raises questions about why the SEC seems to have swept this under the rug,” he said. “What else are we not being told, what other information is at risk, and what are the consequences?”
Clayton disclosed the breach late in the evening last week in a single paragraph of a five-page statement about the agency’s approach to cybersecurity. “One of the worries in a situation like this is that when you make a disclosure, other people try to test and probe,” Clayton said when asked about the timing of the statement.
Still, some lawmakers appeared to sympathize with Clayton, who took office in May, repeatedly noting that the breach occurred under his predecessor. “This bed was on fire when you laid down on it,” said Sen. John Neely Kennedy (R-La.).
The system that was breached, known as Edgar, serves as a clearinghouse for the public filings that companies must make to the agency, including reports on periodic financial results and newsworthy developments. There can sometimes be a lag between the time when the reports are electronically filed with the agency and when they can be viewed by the public, making the system a potentially lucrative target to hackers hoping to learn sensitive information before the rest of the market.
In the wake of the breach, the SEC is hiring additional personnel to aid in its cybersecurity efforts and starting a new cybersecurity unit, Clayton said. The agency’s Office of Inspector General and other officials are investigating the extent of the breach, including how much data may have been taken and how long hackers had access to the system, he said.
But the agency will need more money to dedicate to this issue in the future, Clayton said. “Single actors dwarf the amount we have available” to spend in this area, he said.
Clayton also faced repeated questions about the massive breach at Equifax. The company’s longtime chief executive, Richard Smith, announced his retirement Tuesday, but lawmakers said that does not resolve the matter.
“I think the resignation of the CEO is by no means enough,” said Sen. Mark R. Warner (D-Va.) “I question whether Equifax has the right to even continue providing these services with the level of sloppiness and lack of attention to cybersecurity.”
Clayton was asked whether Equifax executives should be able to keep their bonuses and whether the company waited too long to disclose the hack to the public. He declined to address questions related to the company directly, noting that the SEC may have to take up the matter. But, he said, in general, “companies should be disclosing more … [and] there should be better disclosure about their risk portfolios, and there should be sooner disclosures about intrusions.”
He said, “When they [companies] have notice of a cyberbreach we expect people to constantly assess whether that breach is material to investors, and when they determine that it is, make appropriate disclosure promptly.”
Kennedy pointed to three Equifax executives who sold nearly $2 million in stock after the company learned of the breach but before it was disclosed publicly. “Is that insider trading?” Kennedy asked. Clayton declined to weigh in on the issue.
Regulators and industry officials have been warning about the growing number of cyberattacks aimed at manipulating the public markets for years. In 2015, federal investigators said an international hacking ring armed with tens of thousands of corporate secrets pocketed more than $100 million from illicit trades. The hackers stole more than 150,000 news releases that were scheduled to be delivered to investors. Three times last year, the SEC said it identified overseas hacking rings that had targeted nonpublic information.
This also isn’t the first time Edgar, which receives millions of documents a day, has been compromised. In 2015, fraudsters posted fake information on the site about the takeover of Avon Products, driving the company’s stock price up significantly before the hack was detected. In 2014, several researchers found that information submitted to Edgar was available to some users for 30 seconds before it became publicly available, potentially giving some traders an unfair advantage.
“We are under constant attack by nefarious actors,” Clayton said during the hearing. “We must remain on top of evolving threats when it comes to securing our own networks and systems against intrusion.”
But the latest breaches could also hamper the SEC’s efforts to collect more detailed information about stock trades into a central database, known as the consolidated audit trail, that could make it easier for the agency to detect market manipulation. Some industry officials have questioned whether the SEC could properly safeguard the data, which would include the names, addresses, birth dates and Social Security numbers of investors. A hacker who gained access to the database could potentially replicate the proprietary trading strategies of hedge funds, they warn.
“It is critical that the SEC safeguards the data it collects and maintains — especially as the consolidated audit trail, or CAT, becomes operational,” said Sen. Mike Crapo (R-Idaho), chairman of the Banking Committee. “The recent Equifax breach has highlighted the need to protect this sensitive and valuable information.”