SEC Chair Wants More Cyber Risk Disclosure From Public Firms

Jay Clayton Testifies Before Senate Banking Committee on SEC, Equifax Breaches

Publicly traded companies should do a better job of disclosing cyber risks they face in their filings with the Securities and Exchange Commission, SEC Chairman Jay Clayton says.

“As I look across the landscape of disclosure, companies should be providing better disclosure about their risk profile,” Clayton told the Senate Banking Committee on Tuesday. “Companies should be providing sooner disclosure about intrusions if it may affect shareholder disclosure decisions.”

The hearing occurred less than a week after the SEC disclosed that its EDGAR electronic reporting system for company data was breached and the same day another hack victim, the credit reporting bureau Equifax, announced the retirement of its CEO (see After Mega-Breach at Equifax, CEO Richard Smith Is Out).

At the hearing, Clayton said hackers appeared to have exploited “a defect in custom software in the EDGAR system.” He said the SEC notified the Department of Homeland Security’s United States Computer Emergency Readiness Team and believes that it successfully stopped the attack (see Senate Testimony: SEC Chairman Signals Cyber ‘Mea Culpa’).

Focus on Equifax Breach

But some senators focused their questioning not on the SEC breach, but rather on the way Equifax reported its breach and how some Equifax executives might have profited from the sale of stock before the credit reporting bureau publicly disclosed the hack.

Clayton declined to make direct comments on the Equifax breach, but said the SEC would go after any executive who profited from insider information, such as knowledge of a cyber incident that had not yet been made public. He would not say whether Equifax was under investigation by the SEC, but would not rule out the possibility of a probe.

If Clayton showed hesitancy on discussing Equifax by name, several committee members were not reluctant to do so.

“Equifax is a travesty. The fact that the CEO resigned by no means [is] enough,” said Sen. Mark Warner, D-Va., who characterized cybersecurity as the nation’s top vulnerability.

Source: Bank Info Security