SEC chairman faces questions from Congress after data breach
The chairman of the Securities and Exchange Commission is likely to face an especially tough hearing in front of Congress on Tuesday, after the agency acknowledged that it also was a victim of a hack.
News about the breach of an SEC network that delivers company news and data to investors follows the disclosure of the massive data breach from credit company Equifax that allowed hackers to access or steal the personal information of 143 million Americans.
Jay Clayton, who has been at the head of the SEC since May, is not likely to face calls for his removal since the breach happened a year ago, before he was sworn in. But he may be questioned about whether the SEC — the federal government's main arm for enforcing rules and regulations on Wall Street — is up to the task of keeping data secure.
In prepared remarks, Clayton will tell lawmakers that the Commission will be undergoing "immediate hiring of additional staff to aid in our efforts to protect the security of the agency's network, systems and data."
"I also directed the staff to enhance our escalation protocols for cybersecurity incidents in order to enable greater agency-wide visibility and understanding of potential cyber vulnerabilities and attacks," Clayton added in his remarks.
WHAT QUESTIONS MAY CLAYTON FACE?
Two major issues in this SEC breach are the potential for insider trading and whether the SEC knew about the security breach for months and only recently decided to disclose it.
The SEC operates a system known as EDGAR, which allows publicly traded companies to digitally upload the documents they are required to share with investors. What appears to have happened is that hackers were able to get into the system in a way that allowed them to see documents companies had filed with the SEC before those documents were released to the general public.
Clayton will likely have to answer how probable it is that insider trading took place and what the scope of it might be. He is also likely to be asked why the commission sat on the news of this breach until August when it happened a year ago. The hack occurred despite repeated warnings in recent years about weaknesses in the agency's data security controls. Members of the Senate Banking Committee may well want to know what the SEC has done to secure its systems.
On Monday the SEC said it had created a new cyber unit that will target market manipulation, hacking and dark web operatives.
The agency also revealed a new team tasked with protecting everyday investors from unsafe offers like pump-and-dump schemes, in which the value of an investment is driven artificially high before being sold aggressively.
WHY IS THIS A BIG DEAL?
The hack of the document system is especially worrisome because of how widely investors have used and trusted the system, which came online in the early 1990s. Companies use EDGAR to alert investors to important developments that could affect their share prices, like government investigations, executive shake-ups and approaches for a takeover. If hackers were able to see information before the rest of the investment community did, they would have a trading advantage.
The SEC's disclosure also follows one from Equifax, which said this month that information about millions of people was exposed. The SEC is currently investigating the Equifax breach, and news of the hack will raise questions about whether an agency that is tasked with sanctioning companies is unable to keep its own house in order.
"We must remain on top of evolving threats when it comes to securing our own networks and systems against intrusion," said Clayton in his remarks.
He adds, "This means regularly evaluating progress, pursuing improvements and making it a priority to invest sufficient resources so our systems keep up with the fast-changing threat environment."
WHO MAY BE INVOLVED?
The SEC hasn't said which individuals or companies may have been affected or who might have carried out the breach. Experts say a hack by Chinese or Russian actors can't be ruled out.
While it discovered the breach last year, the agency says it only became aware last month that information obtained by the intruders may have been used for illegal trading profits.
Critics say the SEC isn't meeting the same security standards it demands of corporate America.