SEC Chair Wants More Cyber Risk Disclosure From Public Firms
Jay Clayton Testifies Before Senate Banking Committee on SEC, Equifax Breaches
Publicly traded companies should do a better job of disclosing cyber risks they face in their filings with the Securities and Exchange Commission, SEC Chairman Jay Clayton says.
"As I look across the landscape of disclosure, companies should be providing better disclosure about their risk profile," Clayton told the Senate Banking Committee on Tuesday. "Companies should be providing sooner disclosure about intrusions if it may affect shareholder disclosure decisions."
The hearing occurred less than a week after the SEC disclosed that its EDGAR electronic reporting system for company data was breached and the same day another hack victim, the credit reporting bureau Equifax, announced the retirement of its CEO (see After Mega-Breach at Equifax, CEO Richard Smith Is Out).
At the hearing, Clayton said hackers appeared to have exploited "a defect in custom software in the EDGAR system." He said the SEC "notified the Department of Homeland Security's United States Computer Emergency Readiness Team and believes that it successfully stopped the attack" (see Senate Testimony: SEC Chairman Signals Cyber 'Mea Culpa').
Focus on Equifax Breach
But some senators focused their questioning not on the SEC breach, but rather on the way Equifax reported its breach and how some Equifax executives might have profited from the sale of stock before the credit reporting bureau publicly disclosed the hack.
Clayton declined to make direct comments on the Equifax breach, but said the SEC would go after any executive who profited from insider information, such as knowledge of a cyber incident that had not yet been made public. He would not say whether Equifax was under investigation by the SEC, but would not rule out the possibility of a probe.
If Clayton showed hesitancy on discussing Equifax by name, several committee members were not reluctant to do so.
"Equifax is a travesty. The fact that the CEO resigned by no means [is] enough," said Sen. Mark Warner, D-Va., who characterized cybersecurity as the nation's top vulnerability.
Warner pointed out that Equifax failed to fix its systems prior to the breach despite the availability of a patch and then it set up a website for consumers that proved to be insecure, suggesting the credit reporting company should face severe penalties. "I question [whether] Equifax has the right to continue providing these services with the level of sloppiness and lack of attention to cybersecurity," Warner said.
Defining a Material Breach
SEC rules require companies to report cyber risks and breaches if they pose material risks to investors. But it's up to each company to determine what constitutes a material risk.
Sen. Chris Van Hollen, D-Md., suggested that the SEC should clearly define what constitutes a material cyber breach. But Clayton would not commit to the SEC creating such a rule.
Warner pointed out that most companies that experience a breach don't consider it material. He noted that the social media company Yahoo didn't disclose in its SEC filings a breach that exposed records of some 500 million users. The Virginia Democrat cited a study he conducted of 9,000 companies that showed that fewer than 100 of them since 2000 considered a breach significant enough to reach the materiality standard to require public notification. "I find that absolutely unacceptable," Warner said.