Senate Testimony: SEC Chairman Offers Cyber 'Mea Culpa'Regulator Also Launches 'Cyber Unit' to Investigate 'Cyber-Related Misconduct'
This story has been updated.
The chairman of the Securities and Exchange Commission told a Senate committee on Tuesday that the agency could have done more to investigate the breach it suffered in 2016 (see Hackers May Have Traded on Stolen SEC Data).
At the hearing, Jay Clayton also called for more cyber risk disclosures by public firms.
Clayton, who was appointed to head the SEC by President Trump on January 20, was confirmed by the Senate and took office in early May. He previously led the cybersecurity practice at law firm Sullivan & Cromwell LLP, where he was a partner. When he assumed office, he promised to pursue a path of deregulation, to make it easier for companies to go public.
Now facing his first major crisis since taking office, Clayton testified that he only learned of the 2016 intrusion into the agency's EDGAR system in August - three months after he took the helm. "In response to this information, I immediately commenced an internal review," according to Clayton's written testimony submitted to the Senate Banking Committee.
EDGAR is an electronic filing system for company data that processes more than 1.7 million documents per year, including nonpublic data that could be used by rogue traders for personal gain (see Profiting From the SEC Breach).
"Through this review and the ongoing enforcement investigation, I was informed that the 2016 intrusion into the test filing component of our EDGAR system provided access to nonpublic EDGAR filing information and may have provided a basis for illicit gain through trading," Clayton testified.
In an unusual move, the SEC last week issued a lengthy statement warning that it had been breached in May 2016, and that it suspected that the stolen, non-public data obtained by attackers "may have provided the basis for illicit gain through trading."
Agency's Breach Response
Clayton, in his testimony, said the breach appears to have exploited "a defect in custom software in the EDGAR system." When the breach was discovered, the SEC patched the unspecific flaw, notified the Department of Homeland Security's United States Computer Emergency Readiness Team (US-CERT), and believes that it successfully stopped the attack.
Clayton said the SEC's IT team believes "that the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the commission or result in systemic risk," but says those findings are preliminary and that the related investigation remains ongoing "and may take substantial time to complete."
Nevertheless, Clayton said he's already called for help - including from the Office of the Inspector General - to ensure that the agency puts better information security practices and procedures in place. "I have formally requested that the OIG begin a review into what led to the intrusion, the scope of nonpublic information compromised and our efforts in response," he said. "I have also asked the OIG to provide recommendations for how the SEC should remediate any related system or control deficiencies. We also are pursuing and considering other measures that may enhance our investigative, remediation and prevention efforts."
Clayton has also called for the agency to hire more cybersecurity experts.
The SEC has already made some changes. As part of a cybersecurity review that he initiated in May, Clayton said that the SEC has already launched "a senior-level cybersecurity working group to coordinate information sharing, risk and threat monitoring, incident response and other cross-divisional and interagency efforts and an assessment of reporting and escalation procedures."
A bipartisan group of 19 Senate banking committee lawmakers on Monday urged Clayton to review whether new SEC guidelines should be implemented relating to how breached public businesses must disclose hacks. "The U.S. capital markets are vital to our country and the SEC is the steward of the markets. It is critical to investors and the operation of the markets that the SEC's disclosure requirements evolve and adapt to reflect developments in tech and the related risks," the senators write in a letter to Clayton.
In his testimony, Clayton said that he also continues to implement cybersecurity changes he detailed in a July speech to the Economic Club of New York.
"The SEC is ... working closely with fellow financial regulators to improve our ability to receive critical information and alerts and react to cyber threats," Clayton said in July.
If Clayton entered office with a promise to undo at least some of the SEC's reporting requirements, the agency's own breach may force him to issue revised plans for tackling cybersecurity as well as attempted market violations, Andy Green, a former Senate aide and SEC lawyer, tells the Wall Street Journal.
"Our markets are more electronic and market participants are more dependent than ever on computerized and algorithmic trading," says Green, who's now managing director of economic policy at the left-leaning Center for American Progress. "The SEC needs to focus on getting fully up to speed on data-driven markets, and cyber has to be at the center of that."
SEC Launches New 'Cyber Unit'
On that front, the SEC on Monday announced that after months of related planning, its enforcement division has launched a new "cyber unit" designed to target "cyber-related misconduct."
The regulatory agency says the new unit will focus on:
- Market manipulation schemes involving the spread of false information via electronic and social media attempts to obtain nonpublic information via hacking;
- Hack attacks designed to obtain material nonpublic information;
- Violations involving distributed ledger technology and cryptocurrency initial coin offerings, aka ICOs;
- Misconduct perpetrated using the dark web;
- Intrusions into retail brokerage accounts;
- Cyber-related threats to trading platforms and other critical market infrastructure.
The new unit will be helmed by Robert A. Cohen, who since 2015 has been one of two co-chiefs of the SEC Enforcement Division's Market Abuse Unit.
"Cyber-related threats and misconduct are among the greatest risks facing investors and the securities industry," says Stephanie Avakian, co-director of the SEC's Enforcement Division. "The Cyber Unit will enhance our ability to detect and investigate cyber threats through increasing expertise in an area of critical national importance."
Clayton's July speech will no doubt be reread in the context of the SEC's own breach. At the time, Clayton said that being a breach victim is not necessarily proof that an organization was guilty of not taking information security seriously.
On the other hand, he said that when it comes to preparation, "being a victim of a cyber penetration" - especially by nation-states launching advanced attacks - "is not, in itself, an excuse" for a company to absolve itself of any breach responsibility.
"I think we need to be cautious about punishing responsible companies who nevertheless are victims of sophisticated cyber penetrations," Clayton said. "Said another way, the SEC needs to have a broad perspective and bring proportionality to this area that affects not only investors, companies, and our markets, but our national security and our future."