27 September 2017

SEC Chairman Clayton questioned at Senate Banking Committee

Senators grill Clayton on data breaches at the SEC and Equifax; rules for disclosure of cyber-hacks; effect on the consolidated audit trail; coordination with the DOL on the fiduciary rule

The Senate Banking Committee on September 26, 2017, held an oversight hearing for the Securities and Exchange Commission. The only witness was SEC Chairman Jay Clayton. It was the first time Clayton had testified before the committee since his confirmation hearing in March. Testimony from the hearing is available here.

In his opening statement, Chairman Mike Crapo (R-ID) commended Clayton for starting an assessment of the SEC's cyber-risk profile, but said he was "disturbed" to learn the agency had suffered a breach of its EDGAR system in 2016, "but did not notify the public, or even all of its commissioners, until it was discovered during your recent review." Crapo said data security at the SEC is critical as the consolidated audit trail (CAT) becomes operational. CAT will give the SEC "access to significant nonpublic market data and personally identifiable information," he said. Crapo also said the Labor Department's fiduciary rule for retirement plan advisers is harmful, and that he appreciates Clayton's focus on standards of conduct for investment advisers and broker-dealers. He added that "if clarification needs to be made about [those] standards … I believe the SEC has the most expertise and is [in] the best position to establish consistent standards for all investors."

In his statement, Ranking Member Sherrod Brown (D-OH) said the breach of the EDGAR system "allowed hackers to obtain non-public information and perhaps make illegal stock trades … When we learned, a year after the fact, that the SEC had its own breach" after Equifax disclosed that it had also been hacked, "it raises questions about why this SEC seems to have swept this under the rug." Brown said that the EDGAR breach "took place under your predecessor, we recognize that. But the disclosure or the lack thereof is all yours." Brown asked how the SEC can expect companies to do the right thing "when your agency has not? We all have to earn the public's trust every day. Right now, the SEC needs to do more, it needs to make sure companies that it regulates … do better." Brown added that the SEC must "finish the Dodd-Frank Title VII derivatives rules" on incentive compensation and clawbacks.

In his prepared statement, SEC Chairman Jay Clayton said there are four areas where the agency most needs additional focus and resources: 1) cybersecurity, 2) retail investor protection, 3) market integrity (including market structure, risk and resiliency), and 4) capital formation. Clayton said he was first informed of a possible intrusion into the EDGAR system in August 2017, and immediately started an internal review. That review showed that the breach had provided access to non-public EDGAR filing information, and may have provided a basis for illicit gain through trading. "We believe the intrusion involved the exploitation of a defect in custom software," he said, adding that steps were taken to remediate the defect in EDGAR. Clayton said that while the agency's review is ongoing, the agency believes the intrusion "did not result in unauthorized access to personally identifiable information, jeopardize the operations of the commission, or result in systemic risk." Clayton said he recognized that "I am not the only one who is deeply concerned. Rightfully, it will cause this committee and others to increase their focus on whether the Commission's approach to cybersecurity appropriately addresses our cyber risk profile." But Clayton cautioned that the SEC should not be limited in its access to sensitive information as a result of the breach, because that would require the agency to "pull back from our important market oversight role."

Turning to policy matters, Clayton highlighted one part of his prepared testimony, the SEC's upcoming Regulatory Flexibility Act Agenda. Clayton said "these agendas must be streamlined to inform Congress, investors and other interested parties about what we intend to do and realistically expect to do over the coming year. We intend to provide just such an agenda."

Q&A

Chairman Crapo said he has long been concerned about regulators' growing data collection requirements, as well as "the massive data collection" being done in the private sector, and that his concern has only grown since cyber-breaches were discovered at the FDIC, IRS, OPM, SEC and other agencies. He said the SEC and other agencies must be held to a higher standard of cyber-readiness. Crapo asked for more details about the software defect that led to the EDGAR breach, but Clayton said he didn't have anything to add to his statement in that area. He added that he decided two weekends ago that the agency should disclose the breach because "we knew enough to make the disclosure, we weren't going to learn any more." Clayton said that the SEC has hired outside consultants to do "penetration testing" and "constant reviews" of EDGAR because "we are under constant attack from nefarious actors."

Crapo said he was concerned about the SEC's collection of personally identifiable information as part of the consolidated audit trail (CAT) system. He asked whether such data must be collected, and if so, whether it can be adequately protected. Clayton said this type of data "enables us to detect insider trading that we would not have been able to detect in the past. It enables us to prioritize our examination efforts." But he said he believes the SEC does "not want to take sensitive data that we do not need to further our mission, and we need to examine the data … [and] should not take any sensitive data unless we can protect it."

Ranking Member Brown noted that companies often argue that a problem does not need to be disclosed unless it has a material impact on financial results. He asked if that was the right standard when consumers' personal information is stolen. Clayton told him that materiality is the "touchstone" of the U.S. disclosure system, and the question is whether companies are making "the right materiality assessment." He added that companies "should be providing better disclosure about their risk profile" and "sooner disclosure about intrusions that may affect shareholders' investment decisions." He declined to comment on whether Equifax had made the wrong decision in withholding information about its breach for several weeks. Referring to today's announcement that Equifax CEO Richard Smith will retire, Brown asked if it is appropriate for Equifax's executives to be able to now "retire and keep their bonuses and stock awards." Clayton said it was not appropriate for him to comment on a matter that might come before the Commission, though he agreed that companies should be able to claw back compensation from executives who profited from a high stock price that was a result of failure to disclose securities law violations. Brown said such a clawback should be ordered by the SEC and not left to a board's decision, as it was with Wells Fargo. When Brown urged him to finish the Dodd-Frank rule on incentive compensation, adding that this is an issue that had provoked "the American public's outrage," Clayton said that rule was "one of many mandates; I intend to finish the mandate. There is a prioritization. I am going to be very open with this committee and the American people and the Regulatory Flexibility Agenda about our priorities."

Tim Scott (R-SC) said the Labor Department's fiduciary rule for retirement plan advisers has negatively affected many Americans by restricting financial professionals' access to their accounts. He cited a survey that indicated 75% of financial advisers with clients whose assets are less than $25,000 "will take on fewer small accounts due to increased compliance costs and legal risks" under the rule. He asked what Clayton could say about the SEC's coordination with the DOL on the rule and the 18-month delay in implementing it. Clayton thanked Labor Secretary Alexander Acosta for reaching out to the SEC on this issue, and said the SEC has "issued a request for updated views from investors and from industry participants on the effects of the DOL rule and what we should do going forward in terms of standards of conduct. We're reviewing the information received." Clayton said that based on what he has seen so far, he has four top concerns: 1) investors with smaller amounts of assets should not be pushed into a narrow set of circumstances; 2) clarity, so that investors know the fiduciary obligations owed to them; 3) consistency between retirement and non-retirement accounts; and 4) coordination between DOL, SEC and state regulators in enforcing the rule.

In his questions, Jon Tester (D-MT) said that while he knows that Equifax CEO Richard Smith had announced his retirement today, "I hope [Chairman Crapo] still can get him in front of the committee next week, because I think it's less of spending time with his family and more of not spending time with us, and I think that's really important." Tester also asked Clayton if the SEC is working with the Labor Department "to harmonize that fiduciary rule so that people don't get ping-ponged back and forth between two rules." Clayton said they were, and "this is a priority for me. Everything can't be a priority, this is a priority for me … We're pushing this one. This is the top of my list in that area of the commission."

Mark Warner (R-VA) devoted most of his questions to the Equifax breach, which he called "a travesty … [and] the resignation of the CEO is by no means enough … The Equifax breach is so egregious, 1) in terms of the sloppiness of their defenses, and 2) the fact that this was clearly a knowable vulnerability — they had known for months and if they'd simply put a patch in place, we might've precluded this. And then, to add insult to injury, Equifax, when it put up the site to direct consumers after the breach, that site was not properly domain-registered and was known to have vulnerabilities in the site itself. … I question whether Equifax has the right to even continue providing these services with the level of sloppiness and lack of attention to cybersecurity … My investigation has shown, with 9,000 public companies, we have had less than 100 companies since 2010 feel that any level of cyber incursion was significant enough to meet that materiality standard to notify the public … I find that absolutely unacceptable … we'd like to work with you on whether we need legislative actions or whether we work with [the SEC] as an entity."

Elizabeth Warren (D-MA) questioned the data Clayton had used earlier this year to argue that the number of U.S. public companies had declined by 50% in the last 20 years, as well as his conclusion that the SEC should review and possibly reduce disclosure burdens on public companies. Warren said there has been only a "slight decline" in the number of public companies since the tech bubble burst around 2001, and that most of that decline is attributable to an increase in mergers and acquisitions. Warren said the data show that "in the last few years, people are investing more money in IPOs than they did even at the height of the dot-com boom. So if your primary focus is on investors … why do you care if there are fewer IPOs, so long as IPOs overall are attracting more investor dollars?" Warren said that loosening the rules Clayton has cited "may make life a whole lot more profitable for a handful of bankers and for corporate attorneys who just want more IPOs in the system. But there is no evidence that it will make life better for investors … "

David Perdue (R-GA) asked about the status of the Dodd-Frank conflict minerals rule, which was struck down and returned to the SEC by a federal court. "There was a court determination that part of the rule had a First Amendment issue with it," Clayton said. "The rule is on the books, we've issued no-action guidance in how to comply with the rule in the interim, [and] we're now reviewing the rule … And that's where it stands."

Chris Van Hollen (D-MD) said he is working on a bill with Rep. Carolyn Maloney (D-NY), prompted by the Equifax breach, that would prohibit executives from selling stock after "material" changes at the company that have not been disclosed to the public. However, "There is no standard or definition of how to apply the concept of materiality to a cyber breach," Van Hollen said. "For example, the SEC doesn't say that if a cyber breach would result in the disclosure of X amount of information about customers and that could lead to a significant change in the value [of the] company … It seems to me there should be a presumption that once a company has decided there has been a material change, and before they disclose that to the public, there should be just a rule that executives don't trade that stock." Clayton told him, "I like the concept … we can definitely work on it."

———————————————

Contact Information
For additional information concerning this Alert, please contact:
 
Washington Council Ernst & Young
   • Any member of the group, at (202) 293-7474.

Document ID: 2017-1565