Is SEC chief Clayton soft on cyber victims?

Jay Clayton 2

U.S. Securities and Exchange Commission Chair Jay Clayton faces the wrath of lawmakers on Tuesday, after Wall Street’s top market regulator and watchdog fell victim to a breach itself last year, disclosing the attack in a press release last week.

Although Clayton wasn’t head of the SEC at the time of the hack, which occurred in 2016, remarks he made in July at the Economic Club of New York indicate he may commiserate with businesses that have fallen victim to cyberattacks.

“Being a victim of a cyber penetration is not, in itself, an excuse,” he said. “But I think we need to be cautious about punishing responsible companies who nevertheless are victims of sophisticated cyber penetration.”

Clayton also said during the same speech that companies have an obligation to disclose material information about cyber events.

He questioned during his confirmation hearing in March whether companies were doing enough to keep their clients and investors abreast of need-to-know information.

“As I look across the landscape, discussion and understanding of cyber threats and their possible impact on companies, I question whether the disclosure is where it should be,” he said before the Senate Banking Committee.

In prepared remarks leaked on Monday, it was revealed that Clayton was made aware of the SEC hack in August. Some experts have questioned whether the SEC itself was forthcoming enough in its disclosures of the recent breach.

“There’s a method to it, to obfuscate, deny, deny, deny: ‘It’s not our fault, it’s the hacker’s fault,’” cybersecurity expert Morgan Wright said of the SEC’s response last week.

The SEC was notably short on detail regarding the hack in a press release put out on Sept. 20. The commission said hackers exploited a software vulnerability and gained access to nonpublic information. There is an ongoing investigation into whether that information was used to make illegal trades.

The particular system that was breached, the EDGAR system, stores filings from publicly traded companies. The SEC said that investors generally have access to more than 50 million pages of documents through the system that processes more than 1.7 million filings each year.

Clayton’s hearing before the Senate Banking Committee begins at 10 a.m. ET.