SEC chair to face grilling from Senate panel over cyber breach

Jay Clayton 2

The chairman of the U.S. Securities and Exchange Commission is expected to be grilled by Congress on Tuesday over a 2016 hack of the regulator's corporate filing system that has shaken investor confidence in its cyber defenses.

The hearing by the Senate Banking Committee, which had been scheduled prior to the disclosure of the breach last Wednesday, will offer lawmakers, companies and investors the first opportunity to hear from SEC chief Jay Clayton on the incident. The SEC has so far provided no additional public information.

Clayton originally had been scheduled to discuss capital market reform at his first hearing before the committee since being formally appointed in May, but his pro-growth agenda is likely to eclipsed by the breach of the SEC's EDGAR database, Congressional sources said.

Wall Street’s top regulator came under fire last week after disclosing that hackers might have used information stolen from EDGAR, which houses millions of market-sensitive corporate disclosures such as earnings releases, for insider trading.

"When we learn a year after the fact that the SEC had its own breach and that it likely led to illegal stock trades, it raises questions about why the SEC seems to have swept this under the rug," Senator Sherrod Brown, the ranking Democratic member of the committee, will ask Clayton, according to prepared remarks seen by Reuters.

"What else are we not being told, what other information is at risk, and what are the consequences?" Brown will ask. "How can you expect companies to do the right thing when your agency has not?"

CYBER-PREPAREDNESS IN FOCUS

Reuters reported on Monday that the Federal Bureau of Investigation and the U.S. Secret Service have launched investigations into the breach, which occurred in October 2016 and appeared to have been routed through servers in Eastern Europe. The breach appeared to have been one of several cyber incidents documented by the SEC in recent months, Reuters reported.

Clayton said in prepared testimony released by the committee on Monday that he only learned about the 2016 hack in August and that the SEC's enforcement staff and inspector general's office have launched internal probes.

The regulator reported the breach to the Department of Homeland Security's Computer Emergency Readiness Team when it was first discovered, Clayton said in the testimony, adding the regulator plans to hire more cyber security experts.

Clayton said in his prepared remarks that the hack was possibly the result of a defect in the EDGAR software and said that personally identifiable information did not appear to have been put at risk.

He said the SEC was still determining the extent and impact of the breach and that it could take "substantial time" to complete. Clayton said he was limited in what he could say publicly given the ongoing review.

Even so, Clayton is expected to be quizzed on Tuesday about the SEC's broader cyber-preparedness and on the activity of a new cyber unit, announced by the SEC Monday evening, that the regulator said will target cyber-related misconduct including market manipulation.

The committee is also expected to ask about the robustness of the SEC's current guidelines requiring public companies to disclose material cyber breaches to investors.

The committee wrote to Clayton on Monday asking whether the guidelines, first drawn up in 2011, should be updated in light of heightened cyber risks underscored by the Equifax Inc breach in which hackers stole personal data of about 143 million customers of the credit reporting firm.

"Right now the SEC needs to do more, and it needs to make sure the companies it regulates do better," Brown will say.

(Reporting by Michelle Price; Editing by Leslie Adler)