Among the fallout: revelations that insiders in the company made securities trades based on knowledge of the data breach long before shareholders or the public even knew what was happening.
That same year, Clayton ordered an internal cybersecurity audit of the SEC itself. The audit revealed that in 2016, the SEC’s own systems were compromised by hackers suspected of snooping for confidential information to facilitate illicit trades.
From the start, cybersecurity incidents were among the major issues that would punctuate Clayton’s tenure in his first year.
On December 6 at the Harmonie Club in New York, Clayton delivered the keynote speech of a SIPA-hosted panel discussion among financial-sector leaders and influencers.
The topic: Developing a Defensible Cyber Strategy.
Clayton’s remarks, which reflected his personal views on the most pressing risks to the financial sector, also further defined the core of the day’s topic by underlining cybersecurity as one of his key concerns in the year ahead.
“Cybersecurity is something that we at the agency look at from a number of perspectives,” Clayton said.
He noted that the SEC must contend with not just technical threats to financial markets, but also how cyber incidents are disclosed by companies and interpreted and understood by investors -- and whether the SEC’s policies are keeping pace with financial innovation in cyberspace.
In other words, Clayton’s concerns about cyber risk reflect policy problems as much as they do technical problems.
Such dual challenges are part of the reason why SIPA’s Tech and Policy Initiative, which co-sponsored the event, was created.
It was through the initiative, for example, that SIPA published last year’s report on Building a More Defensible Cyberspace. The report concluded that a winning cyber strategy for New York and its vast financial ecosystem, the United States, and the world — all now connected in both threat and opportunity by the cyber domain — requires a multidisciplinary policy approach that leverages the efficiency of collaboration scale.
For the panel following Clayton’s speech, the initiative assembled several influential leaders from the worlds of law and finance to discuss the most pressing issues concerning cybersecurity and financial markets.
- Phil Venables, partner and chief operational risk officer at Goldman Sachs, one of the world’s most systemically important financial firms.
- Joseph Shenker, the chairman of Sullivan & Cromwell, the law firm known for its role in shaping domestic policy and international affairs over the past century.
- Allen Parker, general counsel to Wells Fargo & Company, the world’s second largest bank by market capitalization.
- Connie Brenton, the director of legal operations for NetApp, one of the world’s largest cloud computing providers.
- Moderator Jason Healey, a senior research scholar at SIPA, former director for cyber infrastructure protection at the White House, and founder of the Atlantic Council’s Cyber Statecraft Initiative.
Among the top issues the panel brought up ranged from broad structural challenges, to small things that could help companies protect themselves and consumers.
Brenton, who also serves as the CEO of the Corporate Legal Operations Consortium, a network of corporate lawyers, said that in order for firms to work better together, they must develop a common language.
“If we could put some process in place — even among survey questions — we would gain… years in efficiency,” she said.
Another topic discussed by the panel was adjusting current levels of liability faced by companies that fall victim to cyber attacks. In other words, make disclosing a cyber incident less fraught for corporate decision makers by providing a legal safe harbor to disclose an attack.
Venables, citing his own experience managing risk, also brought up practical changes across both industry and government that could immediately help reducing the impact of data breaches — such as reducing the amount of sensitive information companies collect or share with vendors and partners.
A watchword throughout the discussion was collaboration.
“The only way we can get around this is to pool our resources,” Shenker said.
— Dominick Tao MPA ’19
Watch: SEC Chairman Jay Clayton's Remarks