Cspan2. The chair of the securities and Exchange Commission, jay clayton, testifies about s. E. C. Priorities and the agenda including a data breach last year. Also the recent equifax data breach which affected 143 million americans. The Senate BankingCommittee Held this hearing last week. Today we will receive testimony from securities and Exchange Commission chairman jay clayton regarding the work and the agenda of the s. E. C. Thank you mr. Chairman for attending here today. Oversight of the s. E. C. Is critical function of this committee. The s. E. C. Has an important threepart mission to protect investors, maintain fair, orderly and efficient markets and facilitate capital formation. No one part of this mission is more important than the other. The s. E. C. Increases transparency and trust in the u. S. Stock market providing investors with the Material Information they need to make informed Investment Decisions. It also helps investors participate in our markets on a fair footing so that they can prepare for important milestones in their lives such as college, retirement, or other life changing events. Its critical that the s. E. C. Continue its important work to fulfill this mission. At the same time, the s. E. C. Must be cognizant that its work may carry risks to the investors it seeks to help. I commend you for niching an assessment, mr. Chairman. The commission collects and stores a huge amount of public and nonpublic data. If this data were subject to a cyber breach, it could have severe consequences to the markets, Market Participants and to the American Public. I was disturbed to learn that the s. E. C. Suffered a cyber breach of its edgar system in 2016. But did not notify the public or even all of its commissioners until it was discovered during your recent review. It is critical that the s. E. C. Safeguards the data it collects and maintains, especially as the consolidated audit trail or cat becomes operational. Through the cat the s. E. C. Will have access to significant nonpublic market data. Including individuals names, addresses, dates of birth and Social Security numbers. The recent Equifax Breach has highlighted the need to protect this sensitive and valuable information. We need to ensure that entities only collect this type of information if and when absolutely necessary and if it is collected that it is properly secured. Im glad to see under your leadership the s. E. C. Is taking Cyber Security seriously. Other regulators and agencies should follow your lead and delineate their own cyber risk profiles and if breached they too should disclose such events to congress and the public. Cyber attacks and breaches are a significant risk at all entities, both regulators and companies. As a part of your work in the Cyber Security area you should also review to ensure that investors understand the complexity of cyber risks at Public Companies. Along with your attention to cyber i appreciate your focus on the standards of conduct for Investment Advisers and broker dealers. The rule will limit investor choice making investing more experience for Many Americans and hurt the ability for people to save for retirement. If clarification needs to be made, i believe the s. E. C. Has the most expertise and is the best position to establish consistent standards for all investors. I also appreciate your focus and public discussions on the importance of encouraging capital formation. The Capital Markets are essential to helping companies grow, facilitating job growth and ensuring that americans have Investment Opportunities. Im interested in hearing your ideas of how we can encourage more companies to go public without discharging the availability of capital in the private market. The senate recently passed several bipartisan security bills and we would be interested in additional ways that congress can improve securities laws to help all americans. I look forward to hearing your thoughts on these issues and on the future of the commission. Senator brown. Thank you, chairman. Welcome, chair clayton to our committee. For one of many visits im sure youll make. Last week as just about every adult in america was trying to comprehend the risks that they or someone in their family faces because of the Equifax Cyber breach, you disclosed the s. E. S. E. C. s own breach in 26. That breach allowed hackers to obtain nonpublic information and perhaps make illegal stock trades. We expect that companies that hold americas personal and Financial Data will keep that Information Secure and be up front with the public with regulators, with lawmakers when breaches in fact occur. A regulatory agencies must abide by the same or frankly at a higher sta higher standard. When we learn a year after the fact that s. E. C. Had its own breach t raises questions about why this s. E. C. Seems to have swept this under the rug. What else are we not being told . What other information is at risk . What are the consequences to the american investing public and the American Public generally . Of course this breach took place under your predecessor. We recognize. That but the disclosure or the lack there of is all yours. How are main Street Investors supposed to have confidence that the s. E. C. Can hold Big Companies accountable when the s. E. C. Is not more immediately forthcoming. Equifax violated the Publics Trust twice. First when it fail to secure the volumes of data it collects and profits from about americas Financial Lives and then a second time when it waited over a month to admit to the breach. How can you expect companies to do the right thing when your agency has not . We all have to earn the Publics Trust every day. Right now the s. E. C. Needs to do more. It needs to make sure companies that it regulates, that those companies do better. Doing more doesnt end with Cyber Security. The s. E. C. s Investor Protection mandate has never been more important. Making sure main Street Investors are treated fairly. Companies do not abuse accounting rules and markets are efficient and transparent should be at the top of your list at the s. E. C. As you consider offering reforms and reducing disclosure. Protecting investors and maintaining Financial Stability also mean that s. E. C. Needs to finish the doddfrank title seven rules, the incentive compensation rule, the rules on claw backs and hedging equity compensation. Each chair clayton, its been five months almost since your swearing in. I expect the next five months will be more demanding than the last five. The list of your responsibility gross. Now everyone is watching how s. E. C. Responds and how you personally as chairman of the s. E. C. , how you hold companies accountable. Thank you. Thank you, senator brown. Chairman clayton, as you know, your full written testimony has been made a part of the record. I understand youve asked for an extra minute in your Opening Statement and youre welcome to have that. But i dont want the senators to think that everybodys being granted an extra minute in their question. And i encourage them to remember the time. With that, mr. Chairman, please proceed. Thank you for your indulgence. Chairman, Ranking Member brown, distinguished members of the committee, thank you for the opportunity to testify before you today about the work of the u. S. Securities and Exchange Commission. I will attempt to be concise in my remarks as i know you and the American People have many important questions regarding among other things our cyber risk profile and the intrusion we disclosed last week. I will start with a thank you. My fellow commissioners and the people of the agency have been incredibly welcoming to me. I have benefited from each interaction with these dedicated individuals. During my four months at the commission, ive devoted a substantial portion of my efforts to agency operations. Including assessing whether we have the people, technology, and office space necessary to succeed in our mission. As discussed in my written testimony i believe there are four areas where additional focus and resources are most needed. Cyber security, retail Investor Protection, market integrity, and capital formation. Specifically with regard to Cyber Security, ive been focussed on this issue internally and externally since my first weeks at the commission. As recent events demonstrate all too well, this is an area where we need to devote Significant Resource and attention to respond to market developments and meet the expectations of the American People. I will turn to the receiptly disclosed incident. In august, 2017, in connection with an Ongoing Investigation by our division of enforcement, i was notified of a possible intrusion into our edgar system. In response to this information, i immediately commenced an internal review. Through this review and the ongoing enforcement investigation, i was informed that the 2016 intrusion, one, provided access to nonpublic edgar filing information, and two, may have provided a basis for illicit gain through trading. We believe the intrusion involved the exploitation of a defect in Custom Software in our edgar system. When it was originally discovered our office of Information Technology, we refer to it as oit, took teps to remediate the defect and reported the incident to the department of homeland security. Based on the investigation to date, oit staff believe that the prior remediation effort was successful. We also believe that the intrusion did not result in unauthorized access to personally identifiable information, jeopardized the operations of the commission, or result in sis tystemic risk. I note our review and investigation of these matters is ongoing and it may take substantial time to complete. This review has two related components. The first is focused on the 2016 intrusion itself including efforts to determine its scope and whether there were or are any related vulnerabilities in our edgar system. Importantly, in conducting this review, it has been a priority and a constraint to maintain the security and operational capabilities of edgar. Edgar is a critical component of our disclosure based market system and accepts files continuously during the week. Various agency personnel, including members of the Enforcement Division, the office of general counsel, and the office of Inspector General, have been involved in this effort. In addition, i have formally requested that the office of Inspector General begin a review into, one, what led to this intrusion, two, the scope of nonpublic information compromised, and three, our efforts in response. Ive asked the office of Inspector General to provide recommendations for how the s. E. C. Should remediate any related system or controlled efficiencies. The second component consists of our investigation into trading potentially related into the intrusion. It is being conducted by our division of enforcement and is ongoing. There are limits of what i know and can discuss due to the status and nature of these reviews. Nevertheless, this past wednesday i directed the issuance of a cyber risk profile statement and a press release highlighted the 2016 intrusion. I directed this disclosure because although many questions remain, i believe that, one, once i knew enough to understand that the intrusion provided access to nonpublic edgar test filings, and two, that this may have resulted in misuse of nonpublic information for illicit gain, it was personality to make that disclosure to the American People and congress. The matter involving our edgar system concerns me deeply. I recognize that i am not the only one who is depeply concerned. It will cause this committee and others to increase the focus to whether the commissions focus addresses our cyber risk profile. This is all the more reason it was appropriate to disclose the intrusion now even though our review and investigation are ongoing. As a result of this incident, some have questions whether we can appropriately protect the Sensitive Information we receive and whether we should receive Additional Data to further our mission. S in this is not the time to pull back from our important oversight role by limiting our access. Our mission is too important to millions of main Street Investors, issuers and Market Participants to do so. We must be vigilant and we must do better. We must also recognize in both the public and private sectors, including the s. E. C. There will be intrusions and that key components of Cyber Risk Management for organizations and Market Participants generally are resilience and recovery. Turning the policy matters, my written testimony discusses a recent regulatory efforts in detail. I will highlight only one item. The upcoming regulatory flexibility act agenda. A semi annual disclosure of the near term priorities. Ible it is primportant that the provide if they are to meet their intended purpose, these agendas must be streamlined to inform congress, investors and other interested parties about what we intend to do and realistically expect to do over the coming year. We intend to provide just such an agenda. Thank you and thank you for your indulgence on the extra time. Thank you very much, chairman clayton. First ive been long concerned with the growing Data Collection requirements by our regulators. Im very concerned also about the massive Data Collection going on in the private sector, information about peoples lives that can and we are seeing has resulted in damage to them. My concerns of only grown dichb t given the disclosed Cyber Breaches, your commission and other agencies. Ive mentioned many times in hearings that Consumer Final Protection Bureau and its massive Data Collection that im very concerned about. In addition, the s. E. C. Itself has come under scrutiny urnder reports for its own security controls. The s. E. C. And other agencies, monitor, regulate and enforce data safeguards in place. Given the amount of data that they collect as well as the roles they play as the stewards of our markets, the s. E. C. And other Government Agencies must be held to Higher Standards when it comes to cyber readiness. A couple questions about the current cyber attack that you are dealing with. Can you give us any more information about the defect in the software that caused this attack or is this not the time to discuss that . I do not have any more information about the type of defect that led to the intrusion. There is an Ongoing Investigation. Weve gotten the office of Inspector General involved. As relevant facts become available, we intend to work with this committee to ensure that you have the information you need in your oversight role. Youve said this already in your testimony generally, but what actions did you take as you found out about this breach . So its not like you find out about a breach and you know everything on day one. Right. This came to my attention in august of this year. I immediately instructed that an investigation take place. Over the course of that investigation and review, it became clear to me that this was a serious matter. But it became to me that this was a serious matter. I made the determination to take a number of steps, including ensuring that the system was continuing to work. As i said, it is a system that is critical to the operations of our markets and the s. E. C. Also disclosure. I know thats a focus for this committee. Let me get right to it. I decided when this was serious that disclosure was necessary. Then the question is what facts do you have . We tried to gather more facts. You want to make clear disclosure. You dont want to make disclosure thats misleading. I made the decision over the last past weekend that the time had come to make disclosure. We knew enough to make the disclosure. We werent going to learn any more and we made the disclosure. Weve taken a number of initial steps. One of the worries is when you make a Public Disclosure, other people try to test and probe. We are under constant attack from nefarious actors. I can go through other things, but thats a high level summary of the steps taken. Thank you very. Id like to talk about the consolidated audit trail for a moment. Cat is an issue that has been important to me and many other members of the committee for a number of y