On September 20, the SEC released a statement issued by Chairman Jay Clayton regarding the Commission’s approach to cybersecurity and its impact on market participants. Topics discussed in the statement, which is part of the SEC’s ongoing assessment of its cybersecurity risk profile, include:
- the collection and use of data by the SEC;
- the management of, and responses to, internal cybersecurity risks;
- the integration and incorporation of cybersecurity considerations into the SEC’s supervision of regulated entities;
- coordinated efforts with other regulations to identify and mitigate risk; and
- oversight and enforcement efforts related to cybersecurity activities.
The Chairman also discussed the SEC’s discovery in August that a 2016 security incident involving a software vulnerability within the Commission’s EDGAR system “may have provided the basis for illicit gain through trading” by providing access to nonpublic information. However, the SEC also stated its belief that “the intrusion did not result in the unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.” According to the SEC, the vulnerability was patched promptly after discovery, and the SEC commenced an internal investigation, which is ongoing.
Chairman Clayton is scheduled to testify before the Senate Banking Committee on September 26 at a hearing titled, “Oversight of the U.S. Securities and Exchange Commission.”