Securities and Exchange Commission Chairman Jay Clayton told a panel of senators on Tuesday that an investigation into his agency’s recently revealed data breach is ongoing and that he is looking to hire additional staff to help protect the agency’s network and data.
Clayton fielded questions from the Banking, Housing and Urban Affairs Committee about the SEC breach as well as the Equifax breach that occurred last month.
In a lengthy written statement released last week, Clayton said that the SEC detected a breach of its EDGAR system in 2016. The database houses corporate disclosures that are not always immediately available to the public, meaning the data could be used for insider trading.
Clayton told the committee that the breach was made possible by a defect in a custom piece of software used by the independent regulator. While an exact timeline of the breach is unclear, a fix was pushed out to the affected software platform after the issue was first detected, he said.
“The more custom software is, the more likely it is to be vulnerable,” Clayton said.
In his prepared testimony, Clayton said that he was not informed of the breach until last month, after which he ordered an internal review that revealed the insider trading risks.
“It’s not like you find out about a breach and you know everything on day one,” Clayton said. “I decided when this was serious that disclosure was necessary.”
Clayton told the panel that he didn’t have a timeline for the ongoing investigation.
“When there isn’t definite timelines it’s my experience that these things go on forever,” Sen. Jon Tester, D-Mont., responded.
Clayton took the SEC post in May, meaning the breach happened before he started the job.
Despite saying that the breach was detected some time in 2016, Clayton claimed he had no reason to believe that his Obama administration predecessor, Mary Jo White, knew about the breach during her tenure. The admission would suggest that someone at the SEC discovered the breach but the information was not relayed back to White.
“This bed was on fire when you laid down on it,” said Sen. John Kennedy, R-La.
Clayton also faced repeated questions from committee members about his views on a breach at credit monitoring company Equifax, which may have exposed personal information of up to 143 million people. The senators criticized the six-week delay before Equifax’s disclosure of the breach and some company executives selling their stock in the meantime.
Clayton refused to confirm or deny whether the SEC is investigating the Equifax matter, but said that companies should disclose breaches as soon as they know the breaches are relevant to investors.
“We expect people to constantly assess whether that breach is material to investors, and when they determine that it is, make appropriate disclosure promptly,” he said.
Sen. Mark Warner, D-Va., expressed frustration about the public’s lack of control over personal information being held by companies like Equifax.
“We have no ability to opt into these systems. We are part of these systems whether we like it or not,” Warner said. “I question whether Equifax has the right to even continue providing these services with the level of sloppiness and lack of attention to cybersecurity.”
Clayton also told senators that the SEC needs more funding for cybersecurity and that he intends to ask for it. A budget proposed by the White House would decrease the level of funding provided to the SEC specifically to build out improved cybersecurity capabilities.
“If you look at the resources that private actors in our capital markets devote to information and cybersecurity … single actors dwarf the amount that we have available to spend in this area,” he said.