Closely on the heels of the massive Equifax data breach and its own cybersecurity incident – in which SEC Chairman Jay Clayton admitted that the agency’s hack likely provided the basis for illicit gains through trading – the SEC has announced two separate enforcement initiatives to build on its existing enforcement division.
First, the creation of an SEC cyber unit will target “cyber-related misconduct,” and second, a retail strategy task force will implement initiatives that directly affect retail investors.
The SEC’s announcement came one day before Clayton was scheduled to testify before a Senate panel, in which he told elected officials that he learned of the data breach at the agency “belatedly” and that it could still take quite a bit of time before the full extent of the intrusion is understood.
The federal agency’s newly formed cyber unit has apparently been in the planning stages for months, intended to complement the incoming chairman’s initiatives to create a “cybersecurity working group to coordinate information sharing, risk monitoring, and incident response efforts throughout the agency,” SEC officials said.
The division’s expertise has sought to keep pace with the current cyber-climate, but the co-director of the SEC’s enforcement division, Stephanie Avakian, echoed in her statement, “The cyber unit will enhance our ability to detect and investigate cyber threats through increasing expertise in an area of critical national importance.” Robert Cohen has been appointed chief of the cyber unit – reassigned from his role as co-chief of the market abuse unit.
During his Senate testimony – Clayton’s first time before the Senate Banking Committee since taking office in May 2017 – several U.S. senators pressed the chairman to abide by the same, if not higher, standards as the companies he regulates.
“When we learn a year after the fact that the SEC had its own breach and that it likely led to illegal stock trades, it raises questions about why the SEC seems to have swept this under the rug,” asked Ohio Sen. Sherrod Brown, according to The Washington Post. “What else are we not being told, what other information is at risk, and what are the consequences?”
Clayton aptly answered by asserting that reporting a vulnerability before fully understanding it can lead others to “try to test and probe it.” However, this answer may draw attention back to the fact that the Equifax intrusion came on the back of a months-old, and already patched, vulnerability.
Facing pressure from the company’s board in the wake of the massive breach, Equifax CEO Richard Smith announced his departure from the company in the form of an “early retirement” – in which he could walk away with at least $18 million in pension benefits.