The chairman of the Securities and Exchange Commission on Tuesday said it would take “substantial” time to determine the full scope of a 2016 cybersecurity breach that may have allowed hackers to profit from insider information.
Jay Clayton testified to the Senate Banking Committee one week after revealing that hackers had breached the SEC’s EDGAR corporate filing system, a key hub for financial information. The intruders accessed information from corporate disclosures that are not public.
Several Democrats focused on why it took more than a year for the SEC to realize and reveal it had been hacked, despite the potential consequences.
“We understand the breach happened under your predecessor, but the disclosure — or lack thereof — is all yours,” Sen. Sherrod Brown (Ohio), the committee’s ranking Democrat, said to Clayton regarding the SEC breach.
“How can you expect companies to do the right thing when your agency is not?”
Clayton, who was confirmed as SEC chairman in May, said he acted as quickly as he could to disclose the breach and bolster the agency’s cyber defenses.
Hackers allegedly infiltrated the EDGAR system through a flaw in the SEC’s custom software sometime in 2016, Clayton said.
EDGAR is the electronic filing system through which publicly traded companies make public and private disclosures about their financial affairs. Companies and investors send scores of forms through the system on securities sales, initial public offerings, corporate financial information and structural plans.
While much of EDGAR is publicly accessible, it also contains private financial records that only regulators can see. Stealing, acting or trading on that information can violate federal privacy and insider trading laws.
Clayton said he first learned of the EDGAR breach last month during an internal review of SEC cybersecurity. He described learning bits and pieces about the attack during the following weeks before hitting a wall and deciding to reveal the hack last month.
“I believed that, once I knew enough to understand that the 2016 intrusion provided access to nonpublic EDGAR test filings and that this may have resulted in the misuse of nonpublic information for illicit gain,” Clayton said, “it was important to disclose the incident and our cyber risk profile more generally to the American public and Congress.”
Clayton didn’t reveal who could have been behind the attack, which companies were targeted and what effect the hack could have had on markets. He said that the SEC still has much to discover about the breach and its potential impact, much of which won’t be public.
“Our review and investigation of these matters, however, as well as the extent and impact of the intrusion and related illicit activity, is ongoing and may take substantial time to complete,” Clayton said.
The chairman asked the agency’s inspector general to probe the breach, its market effects and how well the SEC handled it. Clayton also said the SEC planned to hire more cybersecurity experts to bolster its systems.
The SEC breach triggered concern and confusion across the political and business spectrum. Republicans urged Clayton to increase network security and investigate the breach before peppering him with questions on rolling back Obama-era banking rules.
“The SEC and other agencies must be held to a higher standard,” said Senate Banking Committee Chairman Mike Crapo (R-Idaho). “I am glad to see that under your leadership, Chairman Clayton, the SEC is taking cybersecurity seriously.”
Several Democrats compared the SEC hack to the separate breach at credit reporting company Equifax, which exposed the personal financial information of more than 144 million people.
Clayton repeatedly declined to comment specifically on Equifax’s case, the weeks-long gap in between the credit company’s hack and disclosure, or how three executives sold millions in Equifax stock after the hack was discovered.
The chairman wouldn’t confirm if the SEC is probing Equifax, though federal agencies rarely reveal the existence or state of investigations until their completion. Clayton did say he was “paying attention” to Equifax, which is already being investigated by the Federal Trade Commission and several congressional committees.
“That is a specific matter, a matter that may come before me to make decisions,” Clayton said. “It would be inappropriate for me to discuss that.”
Democrats urged Clayton to crack down on Equifax, arguing the company’s leaders neglected their responsibility to protect consumer data and failed to offer sufficient help to victims. Sen. Mark Warner (D-Va.) floated banning Equifax from collecting data at all.
“The market has already taken, I think, 25 percent off [Equifax’s] market value,” Warner said, “but I question whether Equifax has the right to even continue providing these services with the level of sloppiness and lack of attention to cybersecurity.”
Sen. Jon Tester (D-Mont.) called the behavior of Equifax leaders “bizarre” and said several appeared to have “dumped stock” once they knew the company faced a reckoning.
Former Equifax CEO Richard Smith was scheduled to appear before the committee next week before he announced his early retirement Tuesday.
“I hope he still comes to the committee next week,” Tester said. “I think it’s less about spending more time with his family and more about spending less time with us.”
This story was updated at 3:18 p.m.