Jay Clayton testified before the Banking Committee about a data breach at the agency. He answered questions about the security breach at Equifax. Today, we will receive testimony from Securities and Exchange Commission Chairman Jay Clayton regarding the work and agenda of the SEC. Thank you, Mr. Chairman, for attending here today. Oversight of the SEC is a critical function of the committee. We have an important three-part mission, to protect investors, maintain fair, orderly and efficient markets. No one part of this mission is more important than the other. The SEC increases transparency and trust in the U.S. stock market, providing investors with the information they need to make informed investment decisions. It helps investors participate on a firm footing to participate in college, retirement or other life-changing events. It is critical they fulfill this mission. At the same time, the SEC must be cognizant their work may carry risks to the investors it seeks to help. I commend you for initiating the cyber risk profile, Mr. Chairman. They collect and store public and nonpublic data. If this data were subject to a cyber breach, it could have severe consequences to the markets, market participants and the American public. I was disturbed to learn they suffered a cyber breach of the system in 2016 but did not notify the public or all the commissioners until it was discovered during your recent review. It is critical that the SEC safeguards the data it collects and maintains, especially as the audit trail or CAT becomes operational. Through the CAT, the SEC has access to significant nonmarket public data and unidentifiable information including names, addresses, dates of birth and Social Security numbers. The Equifax breach we need to ensure entities only collect this type of information if and when absolutely necessary and if it is collected, that it is properly secured. I'm glad to see under your leadership, the SEC is taking cyber security seriously.
Other regulators and agencies should follow your lead and delineate the profiles. If breached, disclose events to Congress and the public. Cyber attacks and breaches are a significant risk at all entities, both regulators and companies. As a part of your work in the cyber security area, you should review current cyber risk disclosure guidance to ensure they understand the magnitude and cyber risks at public companies. Along with your attention to cyber, I appreciate your focus on the standards of conduct for broker-dealers. The fiduciary rule will limit the choice making it more expensive for Americans and ultimately hurt the ability to save for retirement. If clarification needs to be made for broker-dealers and investment advisers, they have the most expertise for all investors. I also appreciate your focus in public discussions on encouraging capital formation. They are essential to helping markets grow, facilitating and making sure Americans have investment opportunities. I'm interested in hearing your ideas to encourage them to go more public. The Senate recently passed several bipartisan bills and would be interested in additional ways to improve the laws to help all Americans. I look forward to hearing your thoughts on these issues and the future of the commission. Senator Brown. Thank you, Chairman. Welcome, Chair Clayton, to the committee. Last week, just about every adult in America was trying to comprehend the risk they or someone in their family faces because of the Equifax breach. The integrity of the system, it allowed hackers to obtain nonpublic information. We expect the companies that hold America's personal financial data will keep it secure and be up front with lawmakers than breaches. Regulatory agencies must abide by the same, or frankly a higher standard. When we learn a year after the fact that the SEC had its own breach and likely led to illegal stock trades, it raises questions about why the SEC seems to have swept this under the rug.
What else are we not told? What other information is at risk? What are the consequences to the American public? Of course this breach took place under your predecessor, we recognize that. The disclosure or lack thereof is yours. How are Main Street investors confident to hold them accountable when the SEC is not or immediately forthcoming? Equifax violated the trust twice. First, when it failed to secure the data it collects and profits from about Americans' financial lives and the second time, waited a month to admit to a breach. How can you expect companies to do the right thing when your agency has not? We have to earn the public's faith. Right now, the SEC needs to do more and make sure its companies it regulates that they do better. Doing more doesn't end with cyber security. The mandate has never been more important, making sure Main Street investors are treated fairly, companies do not abuse accounting rules and markets are efficient and transparent should be at the top of your list at the SEC as you consider offering reforms and reducing disclosure. Protecting investors and maintaining financial stability mean that the SEC needs to finish the Dodd-Frank Title VII rules, the compensation rules the rules on equity compensation. Each will help enhance investors and the public's trust in our financial system. It's been five months, almost, since your swearing in. I bet the next five months will be more demanding than the last five. Everyone will look at how you hold companies accountable. Thank you, Senator Brown. Chairman, your full, written testimony has been made part of the record. I understand you asked for an extra minute in your opening statement. You are welcome to have that. I don't want the senators to think everyone is granted an extra minute in their questioning. I encourage them to remember the time. With that, Mr. Chairman, please proceed. Thank you for your indulgence.
Chairman Crapo, Ranking Member Brown, members of the committee, thank you for the opportunity to testify before you today about the Exchange Commission. I will attempt to be concise in remarks as you and the American people have questions regarding among other things cyber risk profile and the intrusion we disclosed last week. I will start with a thank you. My fellow commissioners and people of the agency have been welcoming to me. I have benefited from each interaction. During my four months at the commission, I devoted a substantial portion of my efforts to agency operations including whether we have the people, technology and office space necessary. As discussed in more detail in my written testimony, I believe there are four areas where additional focus and resources are most needed. Cyber security, retail investment protection, market integrity, risk and resiliency and capital formation. Specifically, with regard to cyber security, I have been focused on this since my first weeks in the commission. As recent events demonstrate, this is an area we need attention to respond to market developments and meet the expectations of the American people. I will turn to the recently disclosed incident. In August 2017, in connection with an ongoing investigation by the Division of Enforcement, I was notified of a possible intrusion into the system. In response to this, I immediately commenced an internal review. Through this review and the ongoing enforcement, I was informed of the 2016 intrusion, one, provide access to the filing information and two, may have provided a basis for illicit gain for trading. We believe the intrusion was an exploitation of a defect in the software in the system. When it was originally discovered, the Office of Information Technology, OIT, took steps to fix the defect and reported it to the Department of Homeland Security. Based on the investigation, to date, OIT staff believe the effort was successful.
We also believe the intrusion did not result in unauthorized access to identifiable information and result in systemic risk. I note, our review and investigation of these matters is ongoing and may take substantial time to complete. This review has two related components. The first is focused on the 2016 intrusion itself including efforts to determine the scope and whether there were or are vulnerabilities in the system. Importantly, in conducting this review, it has been a priority and constraint to maintain the security and operational capabilities of EDGAR. A criticf our disclosure-based market system and accepts filings virtually continuously during the week. Various agency personnel, including members of Enforcement Division, the Office of General Counsel, and the Office of Inspector General, have been involved in this effort. In addition, I have formally requested that the Office of Inspector General begin a review into, one, what led to this intrusion, two, the scope of nonpublic information compromised, and three, our efforts in response. I've asked the Office of Inspector General to provide recommendations for how the SEC should remediate any related system or control deficiencies. The second component of our review consists of our investigation into trading, potentially related to the intrusion. The investigation is being conducted by our Division of Enforcement and is ongoing. There are limits on what I know and can discuss about the 2016 incident due to the status and nature of these reviews. Nevertheless, this past Wednesday I directed the issuance of a cyber risk profile statement and a press release highlighting the 2016 intrusion.
I directed this disclosure because although many questions remain, I believe that, one, once I knew enough to understand that the intrusion provided access to nonpublic EDGAR test filings and, two, that this may have resulted in misuse of nonpublic information for illicit gain, it was important to make that disclosure to the American people and Congress. The matter involving our EDGAR system concerns me deeply. I recognize that I am not the only one who is deeply concerned. Rightfully it will cause this committee and others to increase their focus on whether the commission's approach to cybersecurity appropriately addresses our cyber risk profile. This is all the more reason it was appropriate to disclose the intrusion now even though our review and investigation are ongoing. As a result of this incident, some have questioned whether we can appropriately protect the sensitive information we receive and whether we should receive additional data to further our mission. This is not the time for the SEC to pull back from our important market oversight role by limiting our access to sensitive information. Our mission is too important to millions of Main Street investors, issuers and market participants to do so. We must be vigilant and we do better. We must also recognize in both the public and private sectors, including the SEC, there will be intrusions and that key components of cyber risk management for organizations and market participants generally are resilience and recovery. Turning to policy matters, my written testimony discusses our recent regulatory efforts in detail. I will highlight only one item, the upcoming Regulatory Flexibility Act agenda. A semiannual disclosure of the commission's near-term priorities. I believe it is important that these agendas provide transparency and accountability for agency matters.
If they are to meet their intended purpose these agendas must be streamlined to inform Congress, investors and/or interested parties about what we expect to do over the coming year. We intend to provide just such an agenda. Thank you for your indulgence on the extra time. Thank you very much, Chairman. First, I've been long concerned with the data requirements by our regulators. I'm very concerned also about the massive data collection that's going on in the private sector. Information about people's lives that can and we are seeing has resulted in damage to them. My concerns have only grown given the disclosed cyber breaches at the FDIC, the IRS, the OPM, your commission and other agencies. I've mentioned many times in hearings that Consumer Financial Protection Bureau and its massive data collection that I'm very concerned about. In addition, the SEC itself has come under scrutiny in recent GAO reports for its own security controls over its key financial systems and information. The SEC and other agencies monitor, regulate and enforce the data safeguards in place at regulated entities. Given the amount of data that they collect, as well as the roles they play as the stewards of our markets, the SEC and other government agencies must be held to a higher standard when it comes to cyber readiness. A couple questions about the current cyberattack that you are dealing with. Can you give us any more information about the defect in the software that caused this attack or is this not the time to discuss that? I do not have any more information about the type of defect that led to the intrusion. There is an ongoing investigation. We've got the Office of Inspector General involved, and as relevant facts become available, we intend to work with this committee to ensure that you have the information you need in your oversight role. And you've said this already in your testimony generally, but what actions did you take as you found out about this breach?
So it's not like you find out about a breach and you know everything on day one. Right. This came to my attention in August of this year. I immediately instructed an investigation take place. Over the course of that investigation and review, it became clear to me that this was a serious matter. When it became clear to me that this was a serious matter, I made the determination to take a number of steps, including ensuring that the system was continuing to work. As I said, it is a system that is critical to the operations of our markets and the SEC. Also, disclosure. I know that that's a focus for this committee. Let me get right to it. I decided when this was serious that disclosure was necessary. Then the question is what facts do you have? We tried to gather more facts. You want to make a clear disclosure. You don't want to make disclosure that's misleading. I made the decision over the last past weekend that the time had come to make disclosure. We knew enough to make the disclosure. We weren't going to learn any more and we made the disclosure. We've taken a number of additional steps, including hiring outside consultants to do penetration testing, constant reviews of our system. One of the worries in a situation like this is when you make a public disclosure, other people try to test and probe. We are under constant attack from nefarious actors. So I can go through other things, but that's a high-level summary of the steps taken. All right. Thank you very much. I'd like to talk about the consolidated audit trail for just a moment. The consolidated audit trail or CAT is an issue that has been important to me and many members of the committee for a number of years. Once implemented, CAT will capture customer and order event information from the time of the order inception through execution. Such information will also include personally identifiable information. As I mentioned, I'm concerned by the government's collection of such information.
Do you believe that this data must be collected and if so, how can you assure that it will be adequately protected? I do believe that data of the type we're discussing in CAT is very valuable to our oversight role. If you look at insider trading or monitoring of investment managers, broker-dealers, this type of data enables us to detect insider trading that we would not have been able to detect in the past. It enables us to prioritize our examination efforts. It's important. That said, when I got to the commission and investigated the CAT system as a person responsible for it as opposed to someone from the outside, I quickly made the decision that we do not want to take sensitive data that we do not need to further our mission. And we need to examine that data. We also should not take any sensitive data unless we can protect it. And I felt that way a month ago, two months ago. I feel that way even more so today. All right. Thank you. Senator Brown. Thanks, Mr. Chairman. Equifax as we know so well waited six weeks to disclose its cyber breach, the personal identifiable of 143 million Americans were in the hands of criminal, as we know. Companies may often say if a matter does not have a material impact on its financial results they don't need to disclose