
From Securities Regulation Daily, September 26, 2017

Senate SEC oversight hearing focuses on EDGAR, Equifax breaches

By Anne Sherry, J.D.

Testifying before the Senate Banking Committee, SEC Chairman Jay Clayton fielded questions about the cybersecurity breaches at Equifax and at the SEC itself. In remarks leading off the SEC Oversight Hearing, committee chair Mike Crapo (R-Idaho) said that the upcoming consolidated audit trail makes it all the more important for the SEC to safeguard the data it collects. The ranking member, Sherrod Brown (D-Ohio), chastised the agency, and Clayton himself, for delaying disclosure of the 2016 EDGAR breach. "Of course this breach took place under your predecessor," Brown said, "but the disclosure, or lack thereof, is all yours."

EDGAR breach: timeline and next steps. Clayton described the SEC’s response to the EDGAR breach, but said he had insufficient information to answer many of the senators’ questions about the specific intrusion, such as the software vulnerability or the timeline of discovery. The chairman was notified in August 2017 and the Office of Information Technology reported the breach to Homeland Security. Clayton has asked the Office of Inspector General to investigate the cause of the intrusion and the scope of information that was accessed, as well as to offer recommendations for the SEC’s response. Clayton also said that the SEC is looking into the second major aspect of the intrusion: detecting and prosecuting any insider trading on the stolen information.

Equifax breach: insider trading. Several members of the Banking Committee pressed Clayton to describe what the SEC is doing about what looks like insider trading on the part of several Equifax executives, but the chairman declined, explaining that he cannot comment on investigations implicating third parties. Heidi Heitkamp (D-ND) said that with regard to individual accountability, the agency compares unfavorably to Nevada’s gambling regulators: "If you took straight-up gambling and used those same guidelines and benchmarks that people feel about the equity markets, Las Vegas gets an A or A- for soundness, security, and fairness, and I don’t know that you get an A or A-. You’re probably at a C." Clayton said that if Main Street investors don’t feel the SEC has their back, he wants to change that.

Later, on a question from Catherine Cortez Masto (D-Nev), Clayton indicated that the agency will continue to hold individuals accountable regardless of the fate of the Yates memo. He said that in his view, "individual accountability, particularly in a corporate context, has a bigger deterrent effect." The Enforcement Division is approaching this the right way, he added, and he expects their approach to continue.

Materiality of cyber intrusions. Several committee members expressed dismay at the six weeks it took Equifax to disclose the security breach, particularly in light of the apparent insider trades. Brown observed that companies are not required to disclose information that is not material, but asked whether this is the right standard when a company has a data breach. Mark Warner (D-Va) pointed out that Yahoo’s 2016 breach involved 500 million users, but the company did not believe that it was material enough to report. He added that fewer than 100 companies since 2010 have recognized a cyber incursion as material.

Clayton affirmed that materiality is the touchstone for the SEC’s disclosure question, but allowed that companies may not be assessing materiality correctly. Although he refused to call Equifax out specifically, Clayton said that more generally, companies should be disclosing more information, sooner. "Across our markets, there should be better disclosure as to the cyber risks we face," he said. This includes where the risks lie; what the company knows and does not know; and disclosure of a breach after it is discovered.

Brian Schatz (D-Haw) also focused on materiality, but in the context of climate risk. Schatz quoted Valero Energy’s 10-K as saying that "some scientists" have warned that greenhouse gas emissions may increase the frequency of storms and other climatic events; "if any such effects were to occur, it is uncertain if they would have an adverse effect on our financial condition and operations." The senator noted that Hurricane Harvey shuttered five Valero refineries, which produced a third of the company’s output. The system is not equipped to measure the financial risk of climate change, "so we book it at zero because it’s difficult to assess." Although Clayton said that there was SEC guidance on this issue, Schatz noted that it dates back to 2010 and asked the chairman to keep an open mind.

DOL fiduciary rule. Tim Scott (R-SC) queried the chairman on the SEC’s coordination with the Labor Department on the fiduciary rule. Clayton thanked Secretary Acosta for reaching out to the SEC and summarized the comments the agency has received from investors. He identified four main points that should be reflected in the rule: 1) choices for smaller investors; 2) clarity as to whom investors are dealing with and what obligations they owe; 3) consistency across account types (retirement and non-retirement accounts); and 4) coordination among the SEC, the DOL, and state regulators. When Jon Tester (D-Mont) asked when the harmonized rule will be out, Clayton could only say that it tops his list for that area of the Commission.

IPOs. Elizabeth Warren (D-Mass) focused her time exclusively on the decrease in initial public offerings. Criticizing Clayton for comparing the number of IPOs today with the number at the height of the dot-com boom, she said that since that bubble popped, the slight decline in public companies can be attributed to M&A transactions. Warren does not see the decline in IPOs as a problem for investors; the data show that people are investing more dollars in IPOs even though the number of offerings is down. Clayton responded that IPOs used to happen earlier in the company’s growth curve, giving public investors the benefit of more growth. The senator said the data belie this interpretation: fewer, bigger IPOs are better for investors, because companies tend to have stronger revenue and performance at the time they go public.

Warren has spoken out against the SEC’s disclosure effectiveness review, but at this hearing she did not expressly challenge the link between disclosure requirements and a decline in IPOs. Later, Tom Cotton (R-Ark) used props to make this connection. Having printed out a copy of Wal-Mart’s 26-page 1970 IPO registration statement, Cotton set down Snap Inc.’s 2016, 247-page tome next to it. "This explains one reason for fewer IPOs," he said. "You can’t attribute it just to the dot-com boom." Clayton said that in addition to the review of Regulation S-K, the agency has taken several steps to encourage IPO filings. One was extending the JOBS Act’s confidential filing provisions to companies of all sizes, and extending the time window to allow for secondary liquidity. The SEC has also reduced the need to file financial statements that will not be part of the public disclosure package. Responding to a later question from Richard Shelby (R-Ala), Clayton said he sees IPOs as the water filling the bathtub and he just wants a bigger bathtub because retail investors have few opportunities outside the public markets.

Operations and budget. Finally, the chairman discussed several aspects of the SEC’s internal operations. In response to Jack Reed (D-RI), who asked whether the SEC is making use of the $50 million cybersecurity reserve fund he included in Dodd-Frank, Clayton said that the agency wants and needs those funds, but that it is not enough. The SEC went with a flat budget for 2018, but its authorization request for fiscal year 2019 is $1.7 billion, about $100 million more than years 2016 through 2018.
