Securities and Exchange Commission Chairman Jay Clayton faced questions on recent high-profile data breaches and the adequacy of current breach disclosure laws when he appeared in front of the Senate Banking, Housing and Urban Affairs Committee on Tuesday.
Senators pressed Clayton for details about the 2016 cyberattack on the SEC, which was just disclosed last week, as well as the massive Equifax breach that was disclosed earlier this month.
Both incidents, the SEC chairman and several senators noted, go to the broader issue of public trust in the SEC and its ability to regulate companies that gather personally identifiable information (PII) on millions of Americans.
In his opening statement, Clayton outlined facts about the 2016 SEC breach, which happened under his predecessor, and the SEC’s recent disclosure of that breach. The 2016 cyberattack did not come to Clayton’s attention until August, he said. Clayton became chairman in May.
The breach involved an intrusion into the so-called EDGAR (Electronic Data Gathering, Analysis and Retrieval) information filing system and “may have provided the basis for illicit gain through trading,” Clayton told senators.
Clayton said the SEC’s Office of IT “believes” the intrusion involved exploiting a defect in the EDGAR system’s custom software. The bug has since been patched, Clayton said, and investigators believe the intrusion did not provide threat actors with access to PII, did not jeopardize SEC operations and did not result in “systemic risk.”
However, Clayton said the EDGAR incident “concerns me deeply.”
“Many questions remain,” Clayton told senators, noting the investigation is ongoing and may take “substantial time to complete.”
However, Clayton insisted that concerns about the breach and the SEC’s ability to protect sensitive data must not derail the regulator’s mission.
“This is not the time for the SEC to pull back from our important market oversight role by limiting our access to sensitive information,” Clayton said. He told senators that intrusions are inevitable and then highlighted the importance of resilience and recovery.
Committee Chair Mike Crapo, R-Idaho, asked Clayton about additional details on the software vulnerability, which Clayton said he did not currently have.
Clayton recounted his thinking and actions upon learning of the breach, telling the senators:
It’s not like you find out about a breach and know everything on day one. Over the course of the investigation, it became clear to me this was a serious matter. I decided when this was serious, the disclosure is necessary. Then the question is: What facts do you have? We tried to gather more facts. You want to make a clear disclosure. You don’t want to make a disclosure that’s misleading. I made the decision over the past weekend that the time had come to make disclosure. We knew enough to make the disclosure, we weren’t going to learn anymore and we made the disclosure.
In later questioning, Ranking Member Sherrod Brown, D-Ohio, continued pursuing the topic of disclosure in regards to the Equifax breach and broader breach disclosure requirements, particularly around the criterion of “materiality.”
Brown began his questioning by noting, “Equifax waited six weeks to disclose its breach. Companies often say if a matter does not have a material impact on its financial results, they do not need to disclose. Is materiality the right standard when a company suffers a breach and Americans have PII stolen?”
Clayton responded, “I believe materiality is the core of our disclosure system. I believe it’s the touchstone. Going to your question about whether companies are making the right materiality assessment – I think that’s a very good question.”
Brown continued, “So when it’s left in the hands of the company – from just that response – [the SEC] doesn’t seem as engaged maybe in this question and this issue as we might like. They may continue this kind of behavior.”
Clayton then began a pattern of evading direct questions about the Equifax incident. Clayton replied, “Companies should be disclosing more. I’m not going to talk about a specific company or a specific set of circumstances. That’s inappropriate in my position.”
Clayton continued by taking broadly about “the landscape of disclosure,” adding that “Companies should be providing sooner disclosures about intrusions that may affect shareholders’ investment decisions. And I also believe that across the landscape of our markets there should be better disclosure about the cyber risk we face.”
Brown pressed, “So you would totally disagree with Equifax’s decision to withhold that information for those several weeks, citing materiality if they were?”
And, again, Clayton evaded the question, “Senator, I’m not going to get into a particular company’s decision or non-decision –”
Brown interrupted, “So you can’t say to this committee that Equifax wasn’t wrong withholding this information – irrespective of the executives that dumped their stock. Forget that for a moment. You can’t say to this committee they were wrong in withholding that information?”
Clayton again refrained from answering, telling Brown, “It would be inappropriate for me to comment on that matter, that specific matter.”
“Well, that’s a pretty big concern,” Brown said. “If a company did what [Equifax] did, and the chair of the SEC is not willing to be critical of that, that’s a concern to a lot of us.”
Brown then changed the topic to executive compensation. Citing the retirement of Equifax’s CEO and chairman on Tuesday, as well as the chief security officer and chief information officer earlier, Brown asked Clayton if it was appropriate for the Equifax executives to keep their bonuses and stock awards.
Clayton responded, “Again senator, that is a specific matter, a matter that may come before the commission, may come before me to make decisions. It would be inappropriate for me to comment on that specific matter. Do I believe that if executives have profited from a high stock price that’s a result of failure to disclose, other acts that are clearly violations of securities laws, should there be an ability to get back those gains? Yes, I do.”
Brown pressed, “And you think the clawbacks should be ordered by the SEC, not relying on the board?”
Clayton replied, “As you know, there’s a pending rulemaking in this regard, and we’re looking at that.”
“Isn’t it time the SEC finished the Dodd-Frank clawback rule?” Brown asked.
“It is one of many mandates,” Clayton said. “I intend to finish the mandate. There is a prioritization. I welcome your continued input on how we’ve prioritized those.”
Brown continued, “And you understand the American public – in case after case after case – feels that this government let them down when executives through massive incompetence, which may have been all it was with Equifax, or fraud, if the failure to disclose contributed to the executives dumping their stock. Do you understand the American public’s anger with the fact – forgetting anybody going to prison, I get that – but not even clawbacks for these executives? You understand the American public’s outrage about that?”
“Yes, I do,” Clayton responded.