U.S. senators from both parties on Tuesday grilled the chairman of the Securities and Exchange Commission — the agency responsible for policing Wall Street — on its handling of a 2016 data breach that was disclosed only last week.
The hack breached the SEC's system for handling corporate filings intended for investors, known as EDGAR. That has raised concerns that the hackers may have gained advance looks at filings and engaged in insider trading.
The SEC's disclosure also followed a much larger breach at credit reporting firm Equifax that exposed sensitive personal information belonging to 143 million Americans. Lawmakers also blasted Equifax executives for their delay in disclosing the hack, even as some executives sold shares in the company. Equifax's CEO stepped down Tuesday.
"I was disturbed to learn that the SEC suffered a cyberbreach of its EDGAR system in 2016 but did not notify the public, or even all of its commissioners, until it was discovered during your recent review," said Senate Banking Committee Chairman Mike Crapo, an Idaho Republican.
New investigative unit
SEC Chairman Jay Clayton told the committee that the incident "concerns me deeply" and said he had ordered an investigation by the agency's inspector general. On Monday, the SEC said it had created a new cyberunit that would target market manipulation, hacking and dark-web operatives.
Clayton said he became aware of the attack in August, months after becoming chairman in May. But he couldn't say when the hack occurred or when an investigation into the breach would be completed.
He also said he couldn't guarantee "that this was the only breach that we had."
Senator Sherrod Brown, an Ohio Democrat, acknowledged that the breach occurred before Clayton took office. But he slammed the chairman for not revealing it more quickly.
"When we learn a year after the fact that the SEC had its own breach and that it likely led to illegal stock trades, it raises questions about why the SEC seems to have swept this under the rug," Brown said. "Of course this breach took place under your predecessor, but the disclosure, or lack thereof, is all yours."
Brown and other senators also expressed outrage about how Equifax handled its breach, which it didn't disclose until six weeks after discovering it.
Three Equifax executives sold shares worth a combined $1.8 million before the company revealed it had been hacked. Equifax said the executives were unaware of the breach prior to the stock sales.
Clayton refused to comment when asked whether executives at Equifax had engaged in insider trading when they sold their shares. He did not confirm or deny that the SEC was investigating the issue.
Return of proceeds
However, he opened the door to potentially forcing the executives to return the proceeds of the stock sales, if the company's six-week delay in disclosing the breach was found to be improper. Equifax's stock is down more than 26 percent since the company disclosed the hack after the close of trading on Wall Street on September 7.
Under questioning, Clayton agreed that publicly traded companies needed to do more to disclose the risks they faced from cyberattacks and to disclose them more quickly when they occur.
He also said the agency needed more resources for data security and to combat future attacks. The SEC did not seek any increase to its budget for next year, but Clayton said that would change when it submits its budget for its 2019 fiscal year that begins in October 2018.
"We are going to need more money for IT security and technology generally, and I intend to ask for it," he said.
The amount a single Wall Street bank spends on cybersecurity "dwarfs" the SEC's budget, he said.