An already scheduled grilling of Jay Clayton, the five-months-and-counting chairman of the Securities and Exchange Commission, before the Senate Banking Committee had plenty of new fodder to dig into.

His Sept. 26 testimony, at a hearing on “Oversight of the U.S. Securities and Exchange Commission,” repeatedly focused on a recently revealed data breach.

In August 2017, the Commission learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading, Clayton said. “Specifically, a software vulnerability in the test filing component of the Commission’s EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to non-public information.”

U.S. Senator Mike Crapo (R-Idaho), chairman of the Committee, addressed the SEC breach in his opening remarks. “The Commission collects and stores a huge amount of public and non-public data,” he said. “If this data were subject to a cyber-breach, it could have severe consequences to the markets, market participants and the American public.”

“I was disturbed to learn that the SEC suffered a cyber-breach of its EDGAR system in 2016, but did not notify the public, or even all of its Commissioners, until it was discovered during your recent review,” he added. “It is critical that the SEC safeguards the data it collects and maintains – especially as the consolidated audit trail, or CAT, becomes operational. Through the [forthcoming Consolidated Audit Trail], the SEC will have access to significant nonpublic market data and personal identifiable information, including individuals’ names, addresses, dates of birth, and social security numbers. The recent Equifax breach has highlighted the need to protect this sensitive and valuable information.”

Sen. Sherrod Brown, ranking member of the Committee, said the breach raises “serious concerns about the integrity of the SEC’s data systems.”

“We expect that companies that hold Americans’ personal and financial data will keep that information secure and be upfront with the public, regulators, and lawmakers when breaches occur,” he said. “Our regulatory agencies must abide by the same, or even a higher standard. When we learn a year after the fact that the SEC had its own breach and that it likely led to illegal stock trades, it raises questions about why the SEC seems to have swept this under the rug. What else are we not being told, what other information is at risk, and what are the consequences?”

Highlights of Clayton’s breach-related testimony:

“We believe the 2016 intrusion involved the exploitation of a defect in custom software in the EDGAR system. When it was originally discovered, the SEC Office of Information Technology (OIT) staff took steps to remediate the defect in custom software code and reported the incident to the Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT). Based on the investigation to date, OIT staff believes that the prior remediation effort was successful.”

“We believe that the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission or result in systemic risk. Our review and investigation of these matters, however, as well as the extent and impact of the intrusion and related illicit activity, is ongoing and may take substantial time to complete.”

“Our review and investigation of this matter consists of two related components. The first component has been focused on the 2016 intrusion itself, including efforts to determine its scope and whether there were or are any related vulnerabilities in our EDGAR system. Importantly, in conducting this review and related forensic analysis, it has been a priority and a constraint to maintain the security and operational capabilities of EDGAR, which is a critical component of our disclosure-based market system and accepts filings virtually continuously during the week.”

“The second component of our review and investigation consists of our investigation into trading potentially related to the intrusion. This investigation is being conducted by our Division of Enforcement and is ongoing.”

“I have authorized the immediate hiring of additional staff to aid in our efforts to protect the security of the agency’s network, systems and data. I also directed the staff to enhance our escalation protocols for cyber-security incidents in order to enable greater agency-wide visibility and understanding of potential cyber vulnerabilities and attacks.”

“We are continuing to examine whether public companies are taking appropriate action to inform investors, including after a breach has occurred, and we will investigate issuers that mislead investors about material cybersecurity risks or data breaches… I would like to see more and better disclosure in this area.”

“Cybersecurity must be more than a firm-by-firm or agency-by-agency effort. Active and open communication between and among regulators and the private sector also is critical to ensuring the nation’s financial system is robust and effectively protected.”

Compliance Week will have more on Clayton’s testimony, regarding the breach and other matters, in our Oct. 3 newsletter.