By Michelle Price and Pete Schroeder
WASHINGTON (Reuters) – The chairman of the U.S. Securities and Exchange Commission (SEC) told a congressional committee on Tuesday he did not believe his predecessor Mary Jo White knew of a 2016 cyber breach to the regulator’s corporate disclosure system, the exact timing of which could not be known “for sure.”
Jay Clayton, who was formally appointed to his role in May, also said listed companies should disclose more detailed information on cyber breaches “sooner,” and that the U.S. regulator was working on new guidelines to ensure this.
The Senate Banking Committee grilled Clayton on Tuesday over a 2016 hack of EDGAR, the agency’s online corporate financial disclosure system, only disclosed last Wednesday, which has shaken confidence in the SEC’s cyber defenses.
Clayton said he had decided last weekend to disclose the breach once he had enough information to establish it was “serious,” but he would not be drawn on who at the agency had known about it and whether there was an attempt to cover it up.
“I have no belief sitting here that Chair White knew,” Clayton said when asked whether his predecessor had been aware of the hack, adding: “I don’t think we can know for sure” on the exact timing of the breach.
Clayton fielded several questions from senators on the recent Equifax Inc data breach in which hackers stole personal data of about 143 million customers of the credit reporting firm, including on the timing of the company’s disclosure.
Although the former Wall Street lawyer declined to comment on whether the SEC was investigating stock sales made by Equifax executives prior to the disclosure, he said he was “not ignoring” the issue.
The hearing, which had been scheduled prior to the disclosure of the SEC’s breach, offered lawmakers, companies and investors the first opportunity to hear from the SEC chief on the incident.
Clayton originally had been scheduled to discuss capital market reform at his first hearing before the committee since being formally appointed in May, but his pro-growth agenda was largely eclipsed by the SEC breach and the Equifax scandal.
Wall Street’s top regulator came under fire last week after disclosing that hackers might have used information stolen from EDGAR, which houses millions of market-sensitive corporate disclosures such as earnings releases, for insider trading.
“When we learn a year after the fact that the SEC had its own breach and that it likely led to illegal stock trades, it raises questions about why the SEC seems to have swept this under the rug,” Senator Sherrod Brown, the ranking Democratic member of the committee, asked Clayton during opening remarks.
“What else are we not being told, what other information is at risk, and what are the consequences?” Brown asked. “How can you expect companies to do the right thing when your agency has not?”
CYBER DEFENSES EYED
Reuters reported on Monday that the Federal Bureau of Investigation and the U.S. Secret Service have launched investigations into the breach, which occurred in October 2016 and appeared to have been routed through servers in Eastern Europe. The breach appeared to have been one of several cyber incidents documented by the SEC in recent months, Reuters reported.
Clayton said he only learned about the 2016 hack in August and that the SEC’s enforcement staff and inspector general’s office have launched internal probes.
The regulator reported the breach to the Department of Homeland Security’s Computer Emergency Readiness Team when it was first discovered, Clayton said in the testimony, adding the regulator plans to hire more cyber security experts.
Clayton said the hack was possibly the result of a defect in the EDGAR software and said that personally identifiable information did not appear to have been put at risk, but he declined to provide further detail.
He said the SEC was still determining the extent and impact of the breach and that it could take “substantial time” to complete due to the amount of data that needed to be analyzed.
The committee also quizzed Clayton about other potential breaches at the agency and the regulator’s general cyber defenses.
Clayton said he could not say with “100 percent certainty” that the EDGAR breach was the only one suffered by the agency, and added that he planned to ask Congress for more funds to tackle the rising cyber threat.
“We’re going to need more money for cyber security, and I intend to ask for it.”
(Reporting by Michelle Price and Pete Schroeder; editing by Leslie Adler and G Crosse)