SEC Chief Wants Investors to Better Understand Cyberrisk -- Update

The chairman of the Securities and Exchange Commission said Tuesday that regulators and Wall Street need to do more to educate investors about the serious risks that companies and the financial system face from cyberintrusions.

Jay Clayton, speaking at an event sponsored by New York University's School of Law, said investors still don't fully appreciate the threat posed by hackers. "I am not comfortable that the American investing public understands the substantial risk that we face systemically from cyber issues and I would like to see better disclosure around that," Mr. Clayton said.

Some cybersecurity experts have in the past called for the SEC to require more specific disclosures by U.S. public companies about cyberrisks, particularly following a 2013 breach at Target Corp. that compromised the credit- and debit-card information of millions of customers.

Mr. Clayton said the SEC would investigate companies that mislead investors about material cyberrisks, but said the battle against hackers is much broader and shouldn't be waged in government "silos."

"We have to have our individual responsibilities, but we also have to do our best to foster a collective approach to the issue," Mr. Clayton said.

The SEC's role in policing cybersecurity is more nuanced than that of many state regulators, which investigated Target for what they alleged was its failure to provide reasonable data security. Target agreed in May to pay $18.5 million to resolve the probe.

The SEC is more focused on whether financial companies that it directly supervises, such as brokerage firms and asset managers, are protecting themselves and their clients against hackers. The agency issued a risk alert last month that outlined policies it sees as effective for mitigating the risks and highlighted some deficiencies.

The markets regulator has occasionally taken enforcement action against financial firms whose practices left customers' data unprotected. It has also gone after individuals who hacked into brokerage accounts in order to carry out insider trading or other fraud. But it has never sued a public company over how it communicated the threat of hacking or breaches that it suffered.

Write to Dave Michaels at dave.michaels@wsj.com

(END) Dow Jones Newswires

September 05, 2017 20:22 ET (00:22 GMT)