The Securities and Exchange Commission chairman told senators Tuesday that the agency needs to keep its long-term IT modernization fund in order to defend against future cyber breaches. However, the Trump administration has already supported eliminating that cybersecurity fund in its budget proposal for fiscal 2019.
SEC Chairman Jay Clayton told members of the Senate Banking, Housing and Urban Affairs Committee that in light of a 2016 cyber breach to its filing system, which it only disclosed last week, the agency would be requesting more money from Congress in its upcoming budget proposal.
“We went with a flat budget for the next fiscal year,” Clayton said, referring to fiscal 2018, which begins Oct. 1. “I will not be asking for a flat budget for fiscal year ’19. We are going to need more money in the area of cybersecurity and IT generally, and I intend to ask for it.”
In addition to annual congressional funding, the SEC chairman also defended the agency’s use of its “reserve fund” to fund long-term IT modernization projects, despite opposition from Republican lawmakers and, more recently, the Trump administration.
Created under the 2010 Dodd-Frank Act, the reserve fund allows the SEC to deposit up to $50 million every year in registration fees collected from investment companies and investment advisers, and has a $100 million cap. Since the fund was set up, the SEC has used the money on IT modernization projects.
“We want and need the $50 million for IT,” Clayton said. “We are using it, and it’s part of our budget going forward.”
In May, the Office of Management and Budget released a fiscal 2018 budget proposal that would eliminate the SEC’s reserve fund. In 2016, House Financial Services Committee Chairman Jeb Hensarling (R-Texas) introduced legislation that would have also eliminated the fund.
“In this cybersecurity world, it’s expensive to stay ahead with technology [and] software,” said Sen. Jack Reed (D-R.I.), who introduced the Dodd-Frank provision that set up the reserve fund. He also urged Clayton to “resist any attempts to take away this fund.”
Clayton told Reed he agreed that “the purpose of the fund, including to be able to make longer-term commitments than what’s year-on-year to cybersecurity, is a very good idea.”
Regarding the scope and nature of the breach, Clayton deferred some detailed questions to the agency’s Office of Information Technology, but in his own “layman” terms, said he was notified of the 2016 breach this August, and that the breach targeted a custom piece of software in the SEC’s EDGAR system, which companies use to file earnings reports and other sensitive information.
While the investigation remains ongoing, Clayton said he believes the intrusion did not result in unauthorized access to personally identifiable information.
Several senators compared the SEC’s response to its cyber incident with yet another high-profile financial data breach reported by Equifax, which may have compromised the personally identifiable information of more than 143 million customers. Clayton weighed in on the comparison by saying the private-sector financial industry vastly outspends the federal government to shore up its cyber risk.
“If you look at the resources that private actors in our capital markets devote to information technology and cybersecurity … single actors dwarf the amount that we have available to spend in this area. To me, that just tells me we’re a bit out of step and we need to up our game,” Clayton said.
Sen. Mike Crapo (R-Idaho), the committee’s chairman, expressed concerns over the volume of data collected by government regulators and the private sector, and cited a number of recent cyber incidents at the IRS, the Office of Personnel Management, and the Federal Deposit Insurance Corporation.