Securities and Exchange Commission Chairman Jay Clayton plans to increase his budget request to fortify cybersecurity infrastructure in the wake of a breach of the agency's system.
Clayton, who was sworn in as head of the SEC in May, said in a hearing before the Senate Banking Committee on Tuesday that the Trump White House and Congress should expect a bigger budget request from him for fiscal 2019. He also said he agrees with the "purpose" of the Dodd-Frank reserve fund for the SEC that the Trump administration has proposed cutting.
"I think we need to spend more money," Clayton said in an exchange with Senator Jack Reed (D-RI) on Tuesday. "When I got to the commission, I made some assessments. We went with a flat budget for this fiscal year. I will not be asking for a flat budget in fiscal '19. We're going to need more money in the area of cybersecurity and IT generally, and I intend to ask for it."
Clayton intends to request $1.7 billion for SEC operations in fiscal year 2019. That marks a roughly $100 million increase from the $1.6 billion the SEC requested for fiscal 2018, but it is less than the $1.78 billion requested for fiscal 2017 under the Obama administration.
"I do not make a request for additional funds lightly, especially in a tight budgetary environment," he said in prepared testimony delivered ahead of the hearing. "But after an evaluation of the SEC's capabilities and needs, I believe this request is necessary for the SEC to continue the effective pursuit of our tripartite mission."
Clayton said the request will allow the hiring freeze implemented at the start of fiscal 2017 to be lifted and technologies to be enhanced and modernized. He also pointed to the disparity between private company budgeting for cybersecurity and public budgeting.
"The $234 million that the SEC plans to spend on information technology in fiscal year 2018 is quite modest, by way of comparison, to the amounts that the major Wall Street firms spend on their own information technology systems," he said. "For example, in 2016 one large financial institution alone spent more than $9.5 billion on technology firm-wide, with $3 billion of that dedicated to new initiatives. Another large financial institution spent $6.6 billion in 2016 on technology initiatives."
He did not name the specific firms.
Clayton also addressed the SEC Reserve Fund, which the Trump administration has proposed eliminating. Established under the Dodd-Frank Act, the fund is financed by SEC registration fees and is used to fund long-term capital investments in information technology. The SEC has the authority to deposit up to $50 million into the fund annually, with a balance limit of $100 million.
"We want and need the $50 million for IT," Clayton said when Reed, one of the original proponents of the reserve fund, asked if he was using it. "We are using it."
Reed also pressed him on the Trump administration's proposal to cut the fund, which the administration's budget proposal characterized as a maneuver to restore the SEC's "accountability to the American taxpayer."
Clayton demurred, stopping short of contradicting the Trump administration but acknowledging the fund's importance.
"Senator, I agree that the purpose of the fund, including to be able to make longer-term commitments than year-on-year to cybersecurity, is a very good idea," he said.
White House representatives did not immediately return a request for comment on Clayton and SEC budgeting.
The increased funding request comes in the wake of the SEC's acknowledgment last week that hackers breached its EDGAR system used to store and record public company filings. The breach took place in 2016, but Clayton, a Trump appointee, was only made aware of it in August.
"It's not like you find out about a breach and you know everything on day one," Clayton said on Tuesday when discussing the ongoing investigation into the breach. He said the breach was the result of a "defect in a custom piece of software" in the EDGAR system and that custom pieces of software are more likely to be vulnerable.
He also batted down insinuations by Senator John Kennedy (R-LA) that his predecessor, Mary Jo White, had known about the breach. "I have no belief, sitting here, that Chair White knew about this," he said.
The SEC incident wasn't the only cybersecurity breach discussed at Tuesday's Banking Committee hearing -- the cyberattack at Equifax Inc. (EFX) that compromised the personal information of 143 million Americans was a hot topic as well. Just as the hearing was starting, the company announced that its chairman and CEO Richard Smith would be stepping down.
Clayton declined to get into the specifics of Equifax's decision-making on the timing of its disclosure of the hack but said he expects companies to "constantly assess, when they have notice of a cyber breach...whether that breach is material to investors, and when they determine that is, make appropriate disclosures promptly." He also declined to comment on whether the SEC was conducting an investigation into Equifax for items such as potential insider trading.
"We do not have a whole-of-government or whole-of-society approach on cybersecurity," said Senator Mark Warner (D-VA), also mentioning Russian meddling in the 2016 election, social media platforms "manipulated" with false information and the Yahoo! data breaches reported in 2016.
Of 9000 public companies, fewer than 100 since 2010 have felt that any level of "cyber incursion" was significant enough to notify the public, Warner said. "I find that absolutely unacceptable," he said.
"Across the landscape of our markets, not just company by company or regulator by regulator but across our markets, there should be better disclosure as to the cyber risk we face," Clayton said.