Following a breach of the public filing system at the Securities and Exchange Commission, the agency has promised lawmakers it is ramping up its cybersecurity efforts — including the hiring of a chief risk officer.
SEC Chairman Jay Clayton at an Oct. 4 meeting of the U.S. House Financial Services Committee described the steps the agency is taking to prevent another breach. One of those steps is to bring on an agency-wide chief risk officer, Clayton said. Currently, the agency employs a chief risk and strategy officer within the SEC's Office of Compliance Inspections and Examinations.
The new position would oversee cyberattacks and breaches and would properly disclose them when a system has been materially affected, he told lawmakers.
"With respect to new positions ... I think we could use a new chief risk officer," Clayton said. "Not just for cybersecurity, but for general risk. I've begun to search for a chief risk officer."
Another step is to allocate more funds to the agency's budget for next year, Clayton said, echoing statements he made a week earlier before the Senate Banking Committee.
When Clayton took the agency's helm in May, he requested a flat budget with no year-over-year change in funding. But following the breach, he said his agency's next budget request will include more funding for cybersecurity personnel, system upgrades and other tools to brace its systems.
Clayton's comments followed the breach of the agency's EDGAR system. The disclosure of that event came just weeks after the revelation that hackers stole as many as 145.5 million consumers' information in a hack of Equifax Inc.
At the same time, a rollout of the consolidated audit trail, or CAT, a trade recording system designed to help regulators analyze trading activity across equities and options markets, is on hold because of funding issues. At the Senate hearing, Clayton said emphatically that his agency would only draw information from the CAT if the SEC can demonstrate adequate protection for the information.
"From the time I got to the commission and got briefed on the CAT, the questions I have asked are: What information [are] we taking in that's sensitive, do we need it, and can we protect it," Clayton said to the House committee. "I have made clear I don't want information unless we need it for our mission."
Clayton said those questions had not been answered to his and the agency's "satisfaction," in response to a question from committee Chairman Jeb Hensarling, R-Texas.