WASHINGTON – Though he avoided answering questions directly related to the recent Equifax data breach, Securities and Exchange Commission Chairman Jay Clayton told Senate lawmakers today that he supports corporate controls for when executives sell stock after material change.
Atlanta-based credit reporting agency Equifax discovered a data breach in July that may have compromised personal information for an estimated 143 million Americans. According to the company, the breach was discovered on July 29, and three senior executives sold shares of stock worth nearly $1.8 million on Aug. 1 and 2. The breach was not publicly disclosed until Sept. 7.
The company has claimed that Chief Financial Officer John Gamble, U.S. information solutions president Joseph Loughran and workforce solutions president Rodolfo Ploder were unaware of the data breach when they sold the stocks, according to Bloomberg News. CEO and Chairman Richard Smith, who is scheduled to testify before the Senate Banking Committee next week, abruptly retired today.
Clayton appeared before the committee the same day Smith retired, and though he declined to discuss specifics of a potential investigation he agreed with concepts offered by Sen. Chris Van Hollen (D-Md.), who is working on legislation in response to the data breach.
“It occurs to me that once a company decides there’s been a material change and before they disclose that to the public, there should be a rule that executives don’t trade that stock,” Van Hollen said. “Doesn’t that make sense in terms of protecting the markets?”
A material change in this case refers to a change in risk profile of a publicly traded company. Clayton said that he didn’t want to comment on a specific situation, but said that most companies have trading policies that control what Van Hollen was discussing. He called it “an important part of good corporate hygiene.”
Van Hollen said that control measures seem like a no-brainer.
“We can definitely work on it,” Clayton said.
Sen. Mark Warner (D-Va.) challenged Clayton’s reticence on the potential Equifax investigation.
“Your colleagues at the (Federal Trade Commission), who also have a process in place where they don’t normally reveal an ongoing investigation, felt that this was so serious that they acknowledged that there was an investigation going on,” Warner said.
Warner also criticized Equifax for its prior knowledge of the vulnerability and the “sloppiness” in addressing the offenses. He noted the website that the company created to respond to concerns also carried data vulnerabilities. He asked if Clayton had any further comment about how the SEC addresses these data breaches.
“Yes I do,” Clayton said. “I agree with you, generally. I don’t think there’s been enough disclosure around, as I said, the risk profile of companies with respect to cyber security.”
Sen. John Kennedy (R-La.) suggested that Clayton let the committee know if the SEC decides not to pursue an investigation against Equifax, so that lawmakers can order their own probe.
“I would say that’s a fair question,” Clayton said, without committing to the suggestion.
Clayton also avoided questions on a recent SEC data breach, saying that results from the Office of Inspector General are pending. The SEC in 2016 discovered that its EDGAR system had been the victim of a massive data breach but the issue was only disclosed last week. Clayton ordered an investigation with the OIG after learning of the breach in August, at which point it “became clear that it was a serious matter.”
“We are under constant attack from nefarious actors,” Clayton said, before adding: “We also should not take any sensitive data unless we can protect it, and I felt that way a month ago, two months ago. I feel that way even more so today.”