Now hiring: Chief risk officer at SEC following massive data breach

Nearly two years after the Securities and Exchange Committee suffered a major data breach, the financial regulatory agency plans to hire a chief risk officer to help shore up its cyber defenses.

SEC Commissioner Michael Piwowar, speaking at a Data Coalition event on regulation technology, said the idea for the new hire came from Chairman Jay Clayton, who has been leading the SEC’s response to the cyber breach since it was discovered last September.

“We’re having discussions right now with folks in the industry in terms of what types of qualities we would like to have in someone in that particular role,” Piwowar said during the March 7 event in Washington.

Last September, the SEC discovered evidence of a data breach through a software vulnerability in its Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system, which handles more than 1.7 million electronic filings per year. The breach, which took place in 2016, may have also led to illegal trading.

Piwowar said Clayton, who took over as the head of the SEC last May, has been an “unsung hero” when it comes to shoring up the agency’s cybersecurity.

“Not only has Chairman Clayton’s continuous and intense focus on cybersecurity since his first days in office contributed greatly to improving the risk management practices across our financial markets, he’s also intent on improving the commission’s own risk management culture,” Piwowar said.

Testifying before the Senate Banking, Housing and Urban Affairs Committee last September, Clayton said the SEC needs more funding from lawmakers to help improve its cybersecurity posture.

Under President Donald Trump’s fiscal 2019 budget proposal, the SEC would receive a $1.6 billion budget, a 3.5 percent increase over enacted levels.

“Frankly, we just need more money. We’ve had flat budgets for a while. We get our appropriation levels set from Congress, and the chairman had made very effective efforts, speaking to folks on the appropriations committees and other folks, that in order for us to protect this data that the public entrusts us with, we need more money to ramp up some cybersecurity efforts,” Piwowar said.

As the SEC continues its investigation into the 2016 EDGAR breach, Piwowar said one “silver lining” has been a top-to-bottom review of the types of data the SEC has been collecting.

“Chairman Clayton was already engaged in an evaluation of just those types of things — questions regarding what information are we collecting, what information has potential material non-public information. What has potential personally identifiable information, and then asking the simple question, ‘Do we need that?’” Piwowar said.

“If we don’t need it, we shouldn’t be collecting it, because it’s just in there for people to potentially go after it,” he added.

Last year, Clayton urged lawmakers to keep an IT modernization reserve fund that President Donald Trump proposed eliminating in his fiscal 2018 budget proposal.

Created under the 2010 Dodd-Frank Act, the reserve fund allows the SEC to deposit up to $50 million every year in registration fees collected from investment companies and investment advisers, and has a $100 million cap. Since the fund was set up, the SEC has used the money on IT modernization projects.

Piwowar pointed to the agency’s EDGAR system, which has been in place since 1984, as one example of IT systems in need of an upgrade.

“I like to think of EDGAR as part of the commission’s hipster culture — quaint, retro and regtech before it was cool,” he said.

While Piwowar said emerging technology like blockchain and artificial intelligence tools could help streamline regulatory reporting, he cautioned that the right cybersecurity safeguards need to be in place before broadly adopting any of these new tech trends.

“Although I’m excited about the potential for regtech and fintech, I cannot end this discussion without admitting that they give me a certain level of trepidation. With each technological advance that occurs, the commission must confront a new opportunity for cyber threats to develop. These threats are just as pressing for the latest evolution in technology as they are for our legacy EDGAR system,” he said.