After the Cyber Breach: SEC Faces Questions, Clayton Testifies, Effect on the CAT
The asset management industry, and the SEC itself, are weighing the impact of the cybersecurity breach that agency chair Jay Clayton recently disclosed to the public (ACA Insight, 9/25/17). In the wake of the disclosure, the SEC announced a new initiative, Clayton testified before a Senate committee, and industry leaders and observers speculated as to what it all might mean for future regulation and oversight, including the launch of the agency’s Consolidated Audit Trail (CAT).
"I have the sense that the breach is something of an eye-opening experience for at least some SEC staffers. They got to see firsthand that what can happen in the private sector can also happen in the public sector," said Willkie Farr partner and former SEC Division of Investment Management director Barry Barbash. "It was likely a governmental wake-up call."
There is also the issue of the agency’s credibility in regulating firms’ cybersecurity compliance when it apparently, at least in this one instance, failed to do so itself. "You can go one step further and say that, on one hand, the SEC is telling registrants to be ready for cybersecurity, but on the other hand, the agency didn’t even follow its own guidance," said Ropes & Gray counsel David Tittsworth.
Perhaps, suggested Kirkland & Ellis partner and former SEC Division of Investment Management director Norm Champ, "the agency should consider putting in place a moratorium on certain sensitive filings, such as Form PF or others outside of registration filings, until information security is straightened out."
Overall, "the industry is transfixed by this," said Shearman & Sterling partner Nathan Greene. "Everyone is talking about it."
The SEC itself refused to comment on the matter beyond Clayton’s statement, testimony and those press releases that have already been issued.
What happened, according to testimony Clayton provided September 26 before the U.S. Senate Banking, Housing and Urban Affairs Committee, which built on information he provided in his initial September 20 statement, was that this past August he was informed of a possible 2016 intrusion into the SEC’s Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system. The SEC uses EDGAR to perform automated collection, validation, indexing, acceptance, and forwarding of submissions by investment advisers, broker-dealers, companies and others required by law to file forms with the agency.
"I was informed that the 2016 intrusion into the test filing component of our EDGAR system provided access to nonpublic EDGAR filing information and may have provided a basis for illicit gain through trading," Clayton told the committee. "We believe the 2016 intrusion involved the exploitation of a defect in custom software in the EDGAR system."
When the intrusion was first discovered, he said, the agency’s Office of Information Technology "took steps to remediate the defect in custom software code" and reported the incident to the Department of Homeland Security’s United States Computer Emergency Readiness Team. "Based on the investigation to date, [Office of Information Technology] staff believes that the prior remediation effort was successful. We also believe that the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission or result in systemic risk."
But Clayton also added this proviso: "Our review and investigation of these matters, however, as well as the extent and impact of the intrusion and related illicit activity, is ongoing and may take substantial time to complete."
He also said this: "There are limits on what I know and can discuss about the 2016 incident due to the status (ongoing and incomplete) and nature (enforcement) of these reviews and investigations."
"This was totally foreseeable," said Champ, who attributed much of the problem to the "outdated" nature of EDGAR. "It was state of the art in the 1980s, but not now. EDGAR would be out of date anywhere. It wouldn’t be state of the art in North Korea. It’s a shame our markets regulator does not have a better tool."
Barbash said that when he initially read about the breach, "I thought about the data registrants have to file with the SEC on Form ADV, Form PF, and soon with the CAT. I’ve had clients ask me in the past, in the context of those requirements, whether the SEC’s data protection systems were sufficient to protect the information. Those clients are very concerned now."
"Adviser clients have asked me, in the wake of the breach, how they should go about their business, how they should handle confidential client information, why did some SEC commissioners not find out about this until August 2017, was the former SEC chair aware of this during her tenure, and more," he said.
Agency commissioner Michael Piwowar, in a separate statement issued September 20, said that he did not find out about the cybersecurity breach until recently.
The new initiative, which the agency announced September 25, is the creation of a cyber unit "that will focus on targeting cyber-related misconduct," the SEC said. The agency at the same time announced the creation of a retail strategy task force, apparently not related to cybersecurity, "that will implement initiatives that directly affect retail investors."
Under the cyber initiative, the Division of Enforcement will focus its "substantial cyber-related expertise" on targeting cyber-related misconduct, the SEC said, including:
Market manipulation schemes involving false information spread through electronic and social media,
Hacking to obtain material nonpublic information,
Violations involving distributed ledger technology and initial coin offerings,
Misconduct perpetrated using the dark web,
Intrusions into retail brokerage accounts, and
Cyber-related threats to trading platforms and other critical market infrastructure.
The agency said that the unit has been in the planning stages "for months," but one may perhaps be excused for noting the timing of the announcement just three work days after Clayton revealed the EDGAR breach. The SEC said that the new initiative complements other Clayton initiatives to implement an internal cybersecurity risk profile and create a cybersecurity working group to coordinate information sharing, risk monitoring and incident response efforts throughout the agency.
"Sometimes the best defense is a good offense," said Bell Nunnally partner Robert Long. "With the SEC taking it on the chin over the past week due to its EDGAR system being breached by hackers, the agency’s enforcement initiative is well-timed, particularly since it coincided with Clayton’s Senate testimony the next day."
Depending on one’s point of view, disclosure of the breach came out at either a bad time or a good time in relation to the CAT, part of which is expected to be in operation in November (ACA Insight 7/24/17, 12/5/16). Once in place, the CAT would capture, in a single, consolidated data source, customer and order information for orders in national market system securities, across all markets, from the time of order inception through routing, cancellations, modification or execution.
Market exchanges will be required to report all of their transactions on CAT, with broker-dealers having to do so over the subsequent two years. Nor are investment advisers immune, as they will eventually be asked questions about trades involving best execution, trade timing, and choices made on behalf of some clients and not others.
But the EDGAR breach raises the question of the security of information collected not only for the CAT, but also on other forms recently required to be completed, such as the more comprehensive disclosures on Form ADV or the private fund information on Form PF.
"It’s possible the CAT will be delayed," said Tittsworth, adding that the key is whether those contributing information to it "can believe reasonable steps are being taken to secure the information."
Barbash suggested that what will most likely happen is that "the SEC will conduct an internal evaluation to assure itself that the CAT is safe," and will move forward with it on schedule. In doing that, he said, "it will be doubling down on its ability to protect against a breach."
Clayton, in his testimony, said that he "expect[s] that the roll out of the various components of CAT data reporting, the first phase of which is scheduled to take effect on November 15, 2017 . . . , will reflect an ongoing assessment of the sensitivity of the data reported and related security concerns and protections."
Protection of sensitive CAT data, he said, "is of paramount importance to the Commission. . . . I appreciate that security issues are particularly acute with respect to a data repository that contains comprehensive information on trading activity in the securities markets, especially in light of recent events. I am therefore focused on issues of data security with respect to CAT."