SEC Pushes on Cybersecurity Disclosure09.26.2017 By Rob Daly Editor-at-Large
Cybersecurity was the main topic during a two-hour oversight hearing of the US Securities and Exchange Commission held by the Senate Bank, Housing and Urban Affairs Committee.
Questions by committee members to SEC Chairman Jay Clayton, the hearing’s sole witness, bounced between the breach of the SEC’s EDGAR corporate filing platform and the hack of credit reporting firm Equifax that has affected an estimated 143 million US consumers.
A popular question posed by Committee Chairman Sen. Michael Crapo (R-ID) and Ranking Member Sen. Sherrod Brown (D-OH) regarded when the SEC first detected the EDGAR breach and why regulator’s waited until September 20 to disclose the event.
“We looked at the facts that we had and wanted to make a clear disclosure and one that was not misleading,” said Clayton. “We knew enough to make the disclosure.”
He also noted that the matter is subject to an ongoing internal and external investigations.
Sen. Brown and Sen. Mark Warner (D-VA) raised the issue that far too few companies are classifying cybersecurity breaches as material issues and disclose them publicly.
“In our research of 9,000 public companies, fewer than 100 companies felt that breaches reached material for disclosure,” said Warner.
Clayton agreed, adding that companies should be making more and better disclosure of cybersecurity incidents.
When asked by Warner whether the SEC’s Regulation System Compliance and Integrity should be expanded to venus like alternative trading systems, dark liquidity pools, and other venues, Clayton agreed that the SEC should look at those trading platforms on the same basis as those venues that fall under Reg SCI.
Several times during the hearing Clayton also allay the concerns of Chairman Carpo, Sen. Mike Rounds (R-SD), Sen. David Perdue (R-GA) over the data that the Consolidated Audit Trail will collect when the platform’s first phase goes live in November.
“We do not want to take data from the CAT unless we need it and can protect it,” he said.
Clayton demurred answering Sen. Joe Donnelly (D-IN). Sen Tim Scott (R-SC), and Sen Jon Tester’s question whether the SEC will approve the acquisition of the Chicago Stock Exchange by a group of investors led by Chongqing Casin Enterprise Group.
The SEC is approaching the decision in the style of rulemaking, explained Clayton.
“There were 140 days for review, and the appropriate division approved it,” he said. “Now the committee will review the approval.”
Brokers need to bolster protection against the "account intrusion" threat.
The Crypto Assets and Cyber Unit in the Division of Enforcement will grow to 50 dedicated positions.
Participants included over 1,000 representatives from more than 20 countries.
COVID-19 pandemic and geopolitical tensions round out the top three threats in DTCC survey.
The Australian regulator concluded its investigation into the ASX equity market outage in November 2020.