Senate Grills SEC Chairman After Security Breach – Refuses to Comment on Equifax Insider Trading
Cyberattacks have taken the US financial industry by storm as the country’s regulator, the US Securities and Exchange Commission, disclosed that criminals had breached its EDGAR system last year. EDGAR hosts millions of documents, including market-sensitive corporate disclosures such as earnings statements. The regulatory authority had suggested that the breach may have resulted in insider trading. The SEC chairman, Jay Clayton, who was appointed to chair the Commission in May this year, was grilled by the Senate Banking Committee earlier today over the cyber breach.
In his statement to the Senate, Clayton said that he was only made aware of the breach last month. The security breach is believed to have occurred in 2016; however, Clayton added that “I don’t think we can know for sure” about the exact timing of the breach.
This was Clayton’s first appearance before the Banking Committee since taking office, and the hearing also offered lawmakers a first opportunity to learn about the cyber breach from the chairman himself.
Clayton asks for more money to fund a new cybersecurity unit
Clayton said that once he was made aware of the hack, he had ordered an internal review, in which it was discovered that the security breach may have allowed criminals to make illegal profits. He then decided to disclose the breach once he had the information to consider it a “serious” incident.
“When we learn a year after the fact that the SEC had its own breach and that it likely led to illegal stock trades, it raises questions about why the SEC seems to have swept this under the rug,” Senator Sherrod Brown, the Democratic member of the committee, asked the chairman.
“What else are we not being told, what other information is at risk, and what are the consequences?” Brown added.
While Clayton wouldn’t respond to the possibility that the SEC had tried to cover it up, he said the agency is planning to hire more cybersecurity experts and demand more funds.
“We’re going to need more money for cyber security, and I intend to ask for it.”
Some lawmakers weren’t so brutal, though, as they noted that Clayton took office earlier this year, while the breach had happened in 2016. Clayton said that the agency doesn’t believe that his predecessor knew about the breach. The same lawmakers, however, did add that the chairman took a very long time to reveal the breach.
“The disclosure, or lack thereof, is all yours. How can you expect companies to do the right thing when your agency has not?”
Analysts worry that the SEC’s (mis)handling of its cyber breach would set a precedent for the financial industry, which would use the same excuses in front of the chairman when he probes companies for failing to secure their critical systems and revealing sensitive personal data. “Even the most diligent cybersecurity efforts will not address all cyberrisks that enterprises face,” Clayton had written in his disclosure statement, a 5-page-long cybersecurity lesson containing only a single paragraph on the SEC’s own breach disclosure, raising questions about the SEC potentially trying to cover it up.
SEC chair refuses to comment on Equifax
The chairman was also asked questions about the agency’s role after the massive breach at the credit reporting firm Equifax. Equifax’s CEO retired earlier today, but Senator Mark R Warner said that “the resignation of the CEO is by no means enough”.
“I question whether Equifax has the right to even continue providing these services with the level of sloppiness and lack of attention to cybersecurity.”
Clayton was also asked whether Equifax executives selling their stocks (worth $1.8 million) days before the breach disclosure counts as insider trading. The chairman declined to respond to these questions, saying that the matter might come before the agency and adding that the Commission wasn’t “ignoring” the issue.
Before Clayton’s appointment as the new chairman, some lawmakers had raised concerns that his past representation of financial firms (Clayton represented several Wall Street companies as a lawyer for Sullivan & Cromwell) would require him to recuse himself from enforcement cases, and might turn him into a chairman “watching from the sideline”.
The Federal Bureau of Investigation and the US Secret Service are currently conducting an investigation into both the Equifax security breach, which resulted in a dump of sensitive data of over 143 million Americans, and the breach of the SEC’s EDGAR system.