Cybersecurity

SEC Chair Clayton Grilled Over Data Breaches

Analysts say agency is underfunded

Jay Clayton testifies before the Senate Banking Committee during his confirmation hearing March 23, 2017 (Photo by Chip Somodevilla/Getty Images)

The Securities and Exchange Commission plans to ask for an enhanced budget next year as Chairman Jay Clayton aims to beef up the SEC’s cybersecurity measures in light of a data breach revealed last week that may have provided a basis for illicit stock trade profit.

“We’re going to need more money for the area of cybersecurity in general and I intend to ask for it,” Clayton told the Senate Banking Committee during his public testimony Tuesday.

Clayton, in his first visit to the committee since taking the SEC helm in May, faced criticism from members of both parties regarding the agency’s delayed response to the incident, which Chairman Mike Crapo (R-Idaho) said “disturbed” him.

The SEC said the incident involved a vulnerability in a custom EDGAR corporate filings system but did not expose any personal data.

Since becoming chairman, Clayton has pushed for greater scrutiny and education surrounding cybersecurity at the agency and the institutions it regulates. But an increase to the SEC’s $1.6 billion budget could be an uphill battle, said James Angel, a professor at Georgetown’s McDonough School of Business, in a phone interview Tuesday.

“The SEC has no natural champions for their budget,” Angel said. “As far as I can tell there is nobody who is going up to their congresspersons and saying, ‘I want you to spend more money on my regulators.’”

Angel said he was surprised Clayton didn’t make a stronger case for “how seriously underfunded the SEC is,” noting that since the agency’s start in 1934, it has only received about $23 billion to date.

While Congress decides the SEC’s budget, that budget is deficit-neutral — fees the agency collects from Wall Street firms are matched by the amount Congress sets aside. The White House budget proposal seeks to scrap a separate $50 million annual Reserve Fund created in the Dodd-Frank Act that the agency has used to finance information technology modernization efforts.

Clayton told lawmakers that he only learned last month of the breach, which occurred in 2016 under the leadership of then-Chair Mary Jo White. Clayton added he immediately ordered a review of the event because it was “clear to me it was a serious matter.”

Clayton provided few new details about the incident and did not say in which month it occurred or what kind of vulnerability was present in the filing system, saying he did not have enough information to comment on the matter. Clayton also said he has no indication that White knew of the breach at the time it occurred.

“What happened in 2016 and who knew about it is going to be the subject of this review that I’ve asked of the inspector general,” Clayton said.

Sen. John Kennedy asks Jay Clayton about the SEC hack

Senate Democrats used the hearing to prod Clayton, as the head of the nation’s key regulator, to criticize Equifax Inc. for its handling of a data hack that exposed the personal information of approximately 143 million Americans. Equifax announced Tuesday that CEO Robert Smith will retire, effective immediately.

Clayton did not offer specific comments about the Equifax disclosure, which came over a month after Equifax discovered the breach, and would not comment on allegations that top executives unloaded stock during that timeframe, saying it would be inappropriate to comment on an investigation or to confirm whether or not one is pending.

That response drew criticism from the committee’s ranking Democrat, Sen. Sherrod Brown of Ohio.

“If a company did what they did and the chairman of the SEC is not willing to be critical of that, that’s a concern to a lot of us,” Brown said.

Clayton said the SEC expects companies to constantly assess whether a breach is “material to investors” — and when they determine that it is, to make appropriate disclosure promptly. But lawmakers pushed for a strong response to the issue.

“If we don’t send a very, very strong message, I question whether Equifax even has the right to continue providing these services with the level of sloppiness and lack of attention to cybersecurity,” said Sen. Mark Warner (D-Va.), who serves as vice chairman of the Senate Intelligence Committee.

Senators also quizzed Clayton on reducing regulations to simplify initial public offering filings and the Department of Labor fiduciary rule, now delayed 18 months, which requires financial advisers to act in the best interests of their clients in retirement accounts.

Clayton said the agency’s coordination with the Labor Department to harmonize the fiduciary rule is a top priority, but did not say when he expected updated standards to be released.

“We’re pushing this one,” Clayton said. “This is the top of our list in that area.”

On Tuesday, 22 Democratic members of the House Financial Services Committee sent a letter to Clayton requesting more information on the EDGAR system, its potential vulnerabilities, the SEC’s response to the hack and the agency’s plan moving forward.

“From Equifax to the SEC, Americans are rightly concerned about the security of their financial and personal information, this is a massive issue that cuts across our entire economy,” said Rep. John Delaney (D-Md.) in a statement. “EDGAR holds massive amounts of information and we need detailed answers from the SEC as to what happened.”

Correction: A previous version of this story misstated when Clayton became SEC chairman.