[Senate Hearing 115-134]
[From the U.S. Government Publishing Office]

S. Hrg. 115-134

OVERSIGHT OF THE U.S. SECURITIES AND EXCHANGE COMMISSION

HEARING BEFORE THE COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS
UNITED STATES SENATE
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION

ON RECEIVING TESTIMONY FROM THE CHAIRMAN OF THE SECURITIES AND EXCHANGE COMMISSION REGARDING THE AGENCY'S WORK AND AGENDA

SEPTEMBER 26, 2017

Printed for the use of the Committee on Banking, Housing, and Urban Affairs

Available at: http://www.govinfo.gov/

U.S. GOVERNMENT PUBLISHING OFFICE
28-283 PDF  WASHINGTON : 2018

For sale by the Superintendent of Documents, U.S. Government Publishing Office, http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected].

COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS

MIKE CRAPO, Idaho, Chairman

RICHARD C. SHELBY, Alabama
BOB CORKER, Tennessee
PATRICK J. TOOMEY, Pennsylvania
DEAN HELLER, Nevada
TIM SCOTT, South Carolina
BEN SASSE, Nebraska
TOM COTTON, Arkansas
MIKE ROUNDS, South Dakota
DAVID PERDUE, Georgia
THOM TILLIS, North Carolina
JOHN KENNEDY, Louisiana

SHERROD BROWN, Ohio
JACK REED, Rhode Island
ROBERT MENENDEZ, New Jersey
JON TESTER, Montana
MARK R. WARNER, Virginia
ELIZABETH WARREN, Massachusetts
HEIDI HEITKAMP, North Dakota
JOE DONNELLY, Indiana
BRIAN SCHATZ, Hawaii
CHRIS VAN HOLLEN, Maryland
CATHERINE CORTEZ MASTO, Nevada

Gregg Richard, Staff Director
Mark Powden, Democratic Staff Director
Elad Roisman, Chief Counsel
Michelle Mesack, Senior Counsel
Laura Swanson, Democratic Deputy Staff Director
Elisha Tuku, Democratic Chief Counsel
Dawn Ratliff, Chief Clerk
James Guiliano, Hearing Clerk
Shelvin Simmons, IT Director
Jim Crowell, Editor

C O N T E N T S

TUESDAY, SEPTEMBER 26, 2017

Opening statement of Chairman Crapo
Opening statements, comments, or prepared statements of:
    Senator Brown

WITNESS

Jay Clayton, Chairman, Securities and Exchange Commission
    Prepared statement
    Responses to written questions of:
        Senator Scott
        Senator Menendez
        Senator Sasse
        Senator Tillis
        Senator Heitkamp
        Senator Cortez Masto

OVERSIGHT OF THE U.S. SECURITIES AND EXCHANGE COMMISSION

TUESDAY, SEPTEMBER 26, 2017

U.S. Senate,
Committee on Banking, Housing, and Urban Affairs,
Washington, DC.

The Committee met at 10:02 a.m. in room SD-538, Dirksen Senate Office Building, Hon. Mike Crapo, Chairman of the Committee, presiding.

OPENING STATEMENT OF CHAIRMAN MIKE CRAPO

Chairman Crapo. The Committee will come to order.

Today we will receive testimony from Securities and Exchange Commission Chairman Jay Clayton regarding the work and agenda of the SEC. Thank you, Mr. Chairman, for attending here today.

Oversight of the SEC is a critical function of this Committee, and the SEC has an important three-part mission: to protect investors; maintain fair, orderly, and efficient markets; and facilitate capital formation. No one part of this mission is more important than the other.

The SEC increases transparency and trust in the U.S. stock market, providing investors with the material information they need to make informed investment decisions. It also helps investors participate in our markets on a fair footing so that they can prepare for important milestones in their lives, such as college, retirement, or other life-changing events. It is critical that the SEC continue its important work to fulfill this mission.

At the same time, the SEC must be cognizant that its work may carry risks to the very markets and investors it seeks to help. I commend you for initiating an assessment of the SEC's cybersecurity risk profile, Mr. Chairman. The Commission collects and stores a huge amount of public and nonpublic data. If this data were subject to a cyber breach, it could have severe consequences to the markets, market participants, and to the American public.

I was disturbed to learn that the SEC suffered a cyber breach of its EDGAR system in 2016, but did not notify the public, or even all of its Commissioners, until it was discovered during your recent review. It is critical that the SEC safeguards the data it collects and maintains, especially as the consolidated audit trail, or CAT, becomes operational. Through the CAT, the SEC will have access to significant nonpublic market data and personally identifiable information, including individuals' names, addresses, dates of birth, and Social Security numbers. The recent Equifax breach has highlighted the need to protect this sensitive and valuable information.
We need to ensure that entities only collect this type of information if and when absolutely necessary and, if it is collected, that it is properly secured.

I am glad to see that under your leadership, Chairman Clayton, the SEC is taking cybersecurity seriously. Other regulators and agencies should follow your lead and delineate their own cyber risk profiles and, if breached, they too should disclose such events to Congress and the public. Cyber attacks and breaches are a significant risk at all entities, both regulators and companies. As part of your work in the cybersecurity area, you should also review current cyber risk disclosure guidance to ensure that investors understand the magnitude and complexity of cyber risks at public companies.

Along with your attention to cyber, I appreciate your focus on the standards of conduct for investment advisers and broker-dealers. The DOL fiduciary rule will limit investor choice, making investing more expensive for many Americans, and ultimately hurt the ability for people to save for retirement. If clarification needs to be made about the standards of conduct for broker-dealers and investment advisers, I believe the SEC has the most expertise and is the best positioned to establish consistent standards for all investors.

I also appreciate your focus and public discussions on the importance of encouraging capital formation. The capital markets are essential to helping companies grow, facilitating job growth, and ensuring that Americans have investment opportunities. I am interested in hearing your ideas of how we can encourage more companies to go public without discouraging the availability of capital in the private market. The Senate recently passed several bipartisan securities bills, and we would be interested in additional ways Congress can improve securities laws to help all Americans.

I look forward to hearing your thoughts on these issues and on the future agenda of the Commission.

Senator Brown.
STATEMENT OF SENATOR SHERROD BROWN

Senator Brown. Thank you, Chairman Crapo. Welcome, Chair Clayton, to our Committee for one of many visits I am sure you will make.

Last week, as just about every adult in America was trying to comprehend the risks that they or someone in their family face because of the Equifax cyber breach, you disclosed the SEC's own breach in 2016. In addition to raising serious concerns about the integrity of the SEC's data systems, that breach allowed hackers to obtain nonpublic information and perhaps make illegal stock trades.

We expect that companies that hold Americans' personal and financial data will keep that information secure and be upfront with the public, with regulators, and with lawmakers when breaches, in fact, occur. Our regulatory agencies must abide by the same or, frankly, a higher standard. So when we learn a year after the fact that the SEC had its own breach and that it likely led to illegal stock trades, it raises questions about why the SEC seems to have swept this under the rug. What else are we not being told? What other information is at risk? What are the consequences to the American investing public and the American public generally?

Of course, this breach took place under your predecessor, we recognize that, but the disclosure, or the lack thereof, is all yours. How are Main Street investors expected to have confidence that the SEC can hold big companies accountable when the SEC is not more immediately forthcoming?

Equifax violated the public's trust twice--first when it failed to secure the volumes of data it collects and profits from about Americans' financial lives, and then a second time when it waited over a month to admit to the breach. How can you expect companies to do the right thing when your agency has not? We all have to earn the public's trust every day. Right now, the SEC needs to do more, and it needs to make sure that the companies it regulates do better.

Doing more does not end with cybersecurity.
The SEC's investor protection mandate has never been more important. Making sure Main Street investors are treated fairly, companies do not abuse accounting rules, and markets are efficient and transparent should be at the top of your list at the SEC as you consider offering reforms and reducing disclosure.

Protecting investors and maintaining financial stability also means that the SEC needs to finish the Dodd-Frank Title VII derivatives rules, the incentive compensation rule, and the rules on clawbacks and hedging equity compensation. Each of these rulemakings will help enhance investors' and the public's trust in our markets and the financial system.

Chair Clayton, it's been almost 5 months since your swearing in. I expect the next 5 months will be more demanding than the last five. The list of your responsibilities grows. Now everyone is watching how the SEC responds and how you personally, as Chairman of the SEC, hold companies accountable.

Thank you.

Chairman Crapo. Thank you, Senator Brown.

Chairman Clayton, as you know, your full written testimony has been made a part of the record. I understand that you have asked for an extra minute for your opening statement, and you are welcome to have that. But I do not want the Senators to think that everybody is being granted an extra minute in their questioning, and I encourage them to remember the time. With that, Mr. Chairman, please proceed.

STATEMENT OF JAY CLAYTON, CHAIRMAN, SECURITIES AND EXCHANGE COMMISSION

Mr. Clayton. Thank you for your indulgence. Chairman Crapo, Ranking Member Brown, distinguished Members of the Committee, thank you for the opportunity to testify before you today about the work of the U.S. Securities and Exchange Commission. I will attempt to be concise in my remarks, as I know you and the American people have many important questions regarding, among other things, our cyber risk profile and the intrusion we disclosed last week.

I will start with a thank you.
My fellow Commissioners and the people of the agency have been incredibly welcoming to me. I have benefited from each interaction with these dedicated individuals.

During my four months at the Commission, I have devoted a substantial portion of my efforts to agency operations, including assessing whether we have the people, technology, and office space necessary to succeed in our mission. As discussed in more detail in my written testimony, I believe there are four areas where additional focus and resources are most needed: cybersecurity; retail investor protection; market integrity, including market structure, risk, and resiliency; and capital formation.

Specifically with regard to cybersecurity, I have been focused on this issue, internally and externally, since my first weeks at the Commission. As recent events demonstrate all too well, this is an area where we need to devote significant resources and attention to respond to market developments and meet the expectations of the American people.

I will turn to the recently disclosed incident. In August 2017, in connection with an ongoing investigation by our Division of Enforcement, I was notified of a possible intrusion into our EDGAR system. In response to this information, I immediately commenced an internal review. Through this review and the ongoing enforcement investigation, I was informed that the 2016 intrusion, one, provided access to nonpublic EDGAR filing information and, two, may have provided a basis for illicit gain through trading.

We believe the intrusion involved the exploitation of a defect in custom software in our EDGAR system. When it was originally discovered, our Office of Information Technology--we refer to it as "OIT"--took steps to remediate the defect and reported the incident to the Department of Homeland Security. Based on the investigation to date, OIT staff believes that the prior remediation effort was successful.
We also believe that the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.

I note our review and investigation of these matters is ongoing, and it may take substantial time to complete. This review has two related components.

The first is focused on the 2016 intrusion itself, including efforts to determine its scope and whether there were or are any related vulnerabilities in our EDGAR system. Importantly, in conducting this review, it has been a priority and a constraint to maintain the security and operational capabilities of EDGAR. EDGAR is a critical component of our disclosure-based market system and accepts filings virtually continuously during the week. Various agency personnel, including members of the Enforcement Division, the Office of General Counsel, and the Office of Inspector General, have been involved in this effort. In addition, I have formally requested that the Office of Inspector General begin a review into, one, what led to this intrusion; two, the scope of nonpublic information compromised; and, three, our efforts in response. I have asked the Office of Inspector General to provide recommendations for how the SEC should remediate any related system or control deficiencies.

The second component of our review consists of our investigation into trading potentially related to the intrusion. The investigation is being conducted by our Division of Enforcement and is ongoing.

There are limits on what I know and can discuss about the 2016 incident due to the status and nature of these reviews. Nevertheless, this past Wednesday I directed the issuance of a cyber risk profile statement and a press release highlighting the 2016 intrusion.
I directed this disclosure because, although many questions remain, I believed that, one, once I knew enough to understand that the intrusion provided access to nonpublic EDGAR test filings and, two, that this may have resulted in the misuse of nonpublic information for illicit gain, it was important to make that disclosure to the American public and Congress.

The matter involving our EDGAR system concerns me deeply. I recognize that I am not the only one who is deeply concerned. Rightfully, it will cause this Committee and others to increase their focus on whether the Commission's approach to cybersecurity appropriately addresses our cyber risk profile. This is all the more reason it was appropriate to disclose the intrusion now even though our review and investigation are ongoing.

As a result of this incident, some have questioned whether we can appropriately protect the sensitive information we receive and whether we should receive additional data to further our mission. This is not the time for the SEC to pull back from our important market oversight role by limiting our access to sensitive information. Our mission is too important to millions of Main Street investors, issuers, and market participants to do so. We must be vigilant, and we must do better. We must also recognize in both the public and private sectors, including the SEC, there will be intrusions and that key components of cyber risk management for organizations and market participants generally are resilience and recovery.

Turning to policy matters, my written testimony discusses our recent regulatory efforts in detail. I will highlight only one item: the upcoming Regulatory Flexibility Act Agenda, a semiannual disclosure of the Commission's near-term priorities. I believe it is important that these agendas provide transparency and accountability for agency matters.
If they are to meet their intended purpose, these agendas must be streamlined to inform Congress, investors, and other interested parties about what we intend to do and realistically expect to do over the coming year. We intend to provide just such an agenda.

Thank you, and thank you for your indulgence on the extra time.

Chairman Crapo. Thank you very much, Chairman Clayton.

First, I have been long concerned with the growing data collection requirements by our regulators. I am very concerned also about the massive data collection that is going on in the private sector, information about people's lives that can and, we are seeing, has resulted in damage to them. My concerns have only grown given the disclosed cyber breaches at the FDIC, the IRS, the OPM, your Commission, and at other agencies. I have mentioned many times in hearings the Consumer Financial Protection Bureau and its massive data collection that I am very concerned about.

In addition, the SEC itself has come under scrutiny in recent GAO reports for its own security controls over its key financial systems and information. The SEC and other agencies monitor, regulate, and enforce the data safeguards in place at regulated entities. Given the amount of data that they collect as well as the roles they play as the stewards of our markets, the SEC and other Government agencies must be held to a higher standard when it comes to cyber readiness.

A couple questions about the current cyber attack that you are dealing with. Can you give us any more information about the defect in the software that caused this attack? Or is this not the time to discuss that?

Mr. Clayton. I do not have any more information about the type of defect that led to the intrusion. There is an ongoing investigation. We have gotten the Office of Inspector General involved, and as relevant facts become available, we intend to work with this Committee to ensure that you have the information you need in your oversight role.

Chairman Crapo. And you have said this already in your testimony generally, but what actions did you take as you found out about this breach?

Mr. Clayton. So it is not like you find out about a breach and you know everything on day one.

Chairman Crapo. Right.

Mr. Clayton. This came to my attention in August of this year. I immediately instructed that an investigation take place. Over the course of that investigation and review, it became clear to me that this was a serious matter. When it became clear to me that this was a serious matter, I made the determination to take a number of steps, including ensuring that the system was continuing to work. As I said, it is a system that is critical to the operations of our markets and the SEC.

Also, disclosure. I know that that is a focus for this Committee. Let me get right to it. I decided when this was serious that disclosure was necessary. Then the question is: What facts do you have? We tried to gather more facts. You want to make a clear disclosure. You do not want to make disclosure that is misleading. I made the decision over the last past weekend that the time had come to make disclosure. We knew enough to make the disclosure. We were not going to learn any more at that time, and we made the disclosure.

We have taken a number of additional steps, including hiring outside consultants to do penetration testing, constant reviews of our system. One of the worries in a situation like this is when you make a public disclosure, other people try to test and probe. You know, we are under constant attack from nefarious actors. So I can go through other things, but that is a high-level summary of the steps taken.

Chairman Crapo. All right. Thank you very much.

I would like to talk about the consolidated audit trail for just a moment. The consolidated audit trail, or CAT, is an issue that has been important to me and many Members of the Committee for a number of years.
Once implemented, CAT will capture customer and order event information from the time of the order inception through execution. Such information will also include personally identifiable information. As I mentioned, I am concerned by the Government's collection of such information. Do you believe that this data must be collected? And if so, how can you assure that it will be adequately protected?

Mr. Clayton. I do believe that data of the type we are discussing in CAT is very valuable to our oversight role. If you look at insider trading or monitoring of investment managers, broker-dealers, this type of data enables us to detect insider trading that we would not have been able to detect in the past. It enables us to prioritize our examination efforts. It is important.

That said, when I got to the Commission and investigated the CAT system as a person responsible for it as opposed to someone from the outside, I quickly made the decision that we do not want to take sensitive data that we do not need to further our mission, and we need to examine that data. We also should not take any sensitive data unless we can protect it, and I felt that way a month ago, 2 months ago. I feel that way even more so today.

Chairman Crapo. All right. Thank you.

Senator Brown.

Senator Brown. Thanks, Mr. Chairman.

Equifax, as we know so well, waited 6 weeks to disclose its cyber breach. The personal identifiers of 143 million Americans were in the hands of criminals, as we know. Companies may often say if a matter does not have a material impact on its financial results, they do not need to disclose it to investors and the public. Is materiality the right disclosure standard when a company has a breach and Americans' personal information is stolen?

Mr. Clayton. Senator, I believe materiality is the core of our disclosure system. I believe it is the touchstone. Going to your question about whether companies are making the right materiality assessment, I think that is a very good question.
Senator Brown. So when it is left in the hands of the company, with the SEC, just from that response, it does not seem as engaged maybe in this question and this issue as we might like. They may continue this kind of behavior.

Mr. Clayton. Companies should be disclosing more. I am not going to talk about a specific company or a specific set of circumstances. That is inappropriate in my position. As I look across the landscape of disclosure--and I have been saying this for some time--companies should be providing better disclosure about their risk profile. Companies should be providing sooner disclosure about intrusions that may affect shareholders' investment decisions. And I also believe that across the landscape of our markets, not just company by company or regulator by regulator but across our markets, there should be better disclosure as to the cyber risks we face.

Senator Brown. So you would totally disagree with Equifax's decision to withhold that information for those several weeks, citing materiality, if they were?

Mr. Clayton. Senator, I am not going to get into a particular company's decision or nondecision.

Senator Brown. So you cannot say to this Committee that Equifax was not wrong in withholding this information? Irrespective of the executives that dumped their stock, forget that for a moment. You cannot say to this Committee they were wrong in withholding that information?

Mr. Clayton. It would be inappropriate for me to comment on that matter, that specific matter. Let me say this about making the decision on when to disclose: We expect people to constantly assess--when they have notice of a cyber breach, we expect people to constantly assess whether that breach is material to investors and, when they determine that it is, make appropriate disclosure promptly.

Senator Brown. Well, that is a pretty big concern. If a company did what they did and the Chair of the SEC is not willing to be critical of that, that is a concern to a lot of us.
Let me move to another part of Equifax. This morning, Equifax announced its CEO is retiring. Two weeks ago, the CIO and the chief security officer retired. Do you think it is appropriate, Mr. Chair, for the executives who ran the company during the massive breach, that they get to retire and keep their bonuses and stock awards?

Mr. Clayton. Again, Senator, that is a specific matter, a matter that may come before the Commission, may come before me to make decisions. It would be inappropriate for me to comment on that specific matter. Do I believe that if executives have profited from a high stock price that is the result of failure to disclose other acts that are clearly violations of our securities laws, should there be an ability to get back those gains? Yes, I do.

Senator Brown. And you think the clawback should be ordered by the SEC, not relying on the board, as Wells Fargo apparently did?

Mr. Clayton. As you know, there is a pending rulemaking in this regard, and we are looking at that.

Senator Brown. And isn't it time the SEC finished the Dodd-Frank clawback rule?

Mr. Clayton. It is one of many mandates. I intend to finish the mandate. There is a prioritization. I am going to be very open with this Committee and the American people in the Regulatory Flexibility Agenda about our priorities, and I welcome your continued input on how we prioritize those.

Senator Brown. And you understand the American public in case after case after case feels this Government let it down when executives through massive incompetence, which may have been all it was with Equifax, or fraud, if the failure to disclose contributed to the executives dumping their stock, you understand the American public's anger with the fact--forgetting anybody going to prison, I get that; but not even clawbacks for these executives, you understand the American public's outrage about that?

Mr. Clayton. Yes, I do.

Senator Brown. OK. Glad to hear it. Thank you.

Chairman Crapo. Thank you.

Senator Scott.
Senator Scott. Thank you, Mr. Chairman. And thank you to Chair Clayton for being here this morning, and thank you for your important work. I once had to answer to the SEC as a financial representative, and it was never fun to have you guys walk into the office and share your valuable time with those of us in the business.

However, I do think it is important for us to recognize the fact that the fiduciary rule has had a negative impact on many Americans. The average South Carolinian has less than 1 year's salary in their retirement accounts. Restricting access to professionals in the financial industry has a negative impact on the resources available to the average American for retirement, and the last thing we need to do at this point is to find ways to get experts out of the household, which is the unintended consequence of the fiduciary rule from my perspective.

There was a survey of 600 financial advisers. They found that 75 percent of the professionals whose clients have starting assets under $25,000 will take on fewer small accounts due to increased compliance costs and legal risk under the DOL's rule. These folks desperately need the experts to make good, sound financial decisions.

I was pleased to see the 18-month delay, so my question to you is: What more can you tell us about your coordination with the DOL on the fiduciary rule and the 18-month delay?

Mr. Clayton. Yes, thank you, Senator. I want to thank Secretary Acosta for reaching out to the SEC in this regard, reaching out to say we should work together on this. And I believe we should work together.

With respect to steps we have taken, I have issued a request for updated views from investors and from industry participants on the effects of the DOL rule and what we should do going forward in terms of standards of conduct. We are reviewing the information received.
I have made it clear that, based on what I know to date, there are a couple of things that I want to make sure are reflected in any rulemaking, including joint rulemaking, we do in this regard, including with the State regulators:

First, that investors of the type you describe have choice, that they are not pushed into a narrow set of circumstances as a result of whatever steps we take;

Second, that there is clarity, that investors know the type of person they are dealing with, and they know the obligations owed to them;

Third, that there is consistency. If you have two different types of accounts--a retirement account and a nonretirement account--but you are facing the same person, there ought to be consistency with respect to those accounts;

And, last, coordination, that we, the DOL, and the State regulators are coordinated in how we approach this.

And I am very much looking forward to working with the Department of Labor as we proceed.

Senator Scott. Thank you. It certainly is good to have the SEC and the DOL working together on such an important issue. State insurance regulators are the experts on fixed-income annuities. How will you be involving the State regulators?

Mr. Clayton. I have been in dialogue with the State regulators since I got on the job, and they will be part of this effort.

Senator Scott. Excellent. I know I am running out of time, so I do want to make two more points, one on the Chicago Stock Exchange. The fact that we are looking at Chinese investors trying to buy the Chicago Stock Exchange, and you pumping the brakes on that decision I think is good. We all would like to encourage more FDI, but we need to do it in the most responsible way possible, so thank you for your position and your perspective on that issue.

Another issue that seems to be really important these days is shareholder resubmissions. Management of public companies should be held accountable by their shareholders.
A balance between both sides ensures productivity and corporate transparency. That said, I wonder if the scales have not been tipped a little bit too far. As of now, we allow for the resubmission of shareholder proposals even if nearly 90 percent of shareholders have already voted no in the past. That increases costs and distracts from long-term thinking, all the while doing little to protect investors. How are other shareholders impacted by such a low bar for proposal of resubmission?

Mr. Clayton. Senator, I agree with you, this is an area that we should be continually examining because shareholder access to management is important. There are many times where shareholders have made proposals that have gotten traction and have led to positive change. That said, you identify an issue that you can have: Not widely held and idiosyncratic views of a few shareholders cost the other shareholders a substantial amount of time and cost management a substantial amount of time, which is valuable time you do not get back. And we need to continually look at that balance in our oversight role.

Senator Scott. Thank you. Thank you, Mr. Chairman.

Chairman Crapo. Thank you, Senator Scott.

Senator Tester.

Senator Tester. Thank you, Mr. Chairman.

On the topic that Senator Scott just brought up with the U.S. stock exchange potential purchase by a Chinese company, I hope your review would come back negative in that regard. That is just my opinion as a dirt farmer, OK?

Look, earlier this month, we learned in Montana that 360,000 people had their private information stolen when the Equifax breach happened. To put that in perspective, that is over 60 percent of the adults in our State, OK? I think if the election said anything last time--and it said many things--it said people on the ground, regular folks, are tired of folks getting away with apparent wrongdoings.
Your answer, Chairman Clayton, to the Ranking Member that it was inappropriate to comment on the 6-week delay, the 6-week delay seems a little bit bizarre to me, especially if, in fact, these folks dumped stock and tried to--why would they wait 6 weeks?

Mr. Clayton. Senator, these are good questions. They are valid questions.

Senator Tester. Yeah.

Mr. Clayton. They are questions that the American public should have. In my position as a person who may have to----

Senator Tester. That is why you do not want to comment, because it is your position--you believe firmly that these folks need to be held accountable if there is any wrongdoing, whether they still have their position or resigned from their position? You will, to the full extent of the law, enforce the law?

Mr. Clayton. That is my job.

Senator Tester. Good. I would just say that what transpired here--and I am not in your position, but 6 weeks is way, way, way too long. And I just cannot believe that, quite frankly--and, by the way, Mr. Chairman, I know Richard Smith resigned today, but I hope he still comes in front of the Committee. I hope you still can get him in front of the Committee next week, because I think it is less spending time with his family and more of not spending time with us. And I think that is really important. And let me give you an example. They spent 6 weeks announcing the breach, but his resignation was--papers were signed yesterday. It was announced today. And so they could do it quicker if they wanted to do it, and I hope that moving forward we will be watching, OK? As far as the SEC's breach, when in 2016 did that happen? What month?

Mr. Clayton. That is part of our ongoing internal investigation.

Senator Tester. You do not know for sure?

Mr. Clayton. I do not think we can say for sure.

Senator Tester. OK. One of the questions the Chairman asked you is: What type of defect caused the breach? And you said you did not know what that defect was.
And it is an honest answer, but the question is: What is stopping them from doing it again? If you do not know what the defect is and they breached your system, it looks to me like they can breach your system anytime they want if you do not know what the defect is?

Mr. Clayton. I will tell you what I do know. I am told it was a defect in a custom piece of software for our EDGAR system. I am not a computer science expert. It has been a long time since I have done programming. But my understanding of this landscape, though, is the more custom software is, the more likely it is to be vulnerable.

Senator Tester. So you were able to cut the custom portion out that was----

Mr. Clayton. Your characterization and mine are going to be laymen's. I think that is----

Senator Tester. All right. I got it.

Mr. Clayton. ----fair enough.

Senator Tester. So you did say that you were in the process of a review that would involve--that would determine the scope of the breach and the response to that scope. What is your timeline for that?

Mr. Clayton. I cannot give you a timeline. I have experience with these kinds of investigations. One of the things we are constrained by is, you know, you have got to pull a lot of data to look at this, including in terms of scope.

Senator Tester. Yeah. Just let me ask you this: Do you feel that this is an urgent matter?

Mr. Clayton. I do.

Senator Tester. So when there are not definite timelines, it has been my experience that these things go on forever. And I would hope that you as Chairman of the SEC will put the screws to these folks and make sure that they are getting this job done so we can find out what is going on. This is a big deal.

Mr. Clayton. I will, and I have already involved the Office of Inspector General.

Senator Tester. OK.

Mr. Clayton. Because they should be looking at this as well.

Senator Tester. One other thing: DOL fiduciary rule. And Senator Scott said that you were working together to harmonize those rules.
I was thinking about something else. I did not pick that up. I just want to confirm that. Are you working with the DOL to harmonize that fiduciary rule so that people do not get ping-ponged back and forth between two rules?

Mr. Clayton. Yes.

Senator Tester. OK. And do you anticipate--that harmonized rule will be out when?

Mr. Clayton. This is a priority for me. Everything cannot be a priority. This is a priority for me.

Senator Tester. Well, you have got a lot of people that work for you, so you can have more than one----

Mr. Clayton. Yeah, we are pushing this one. This is the top of my list in that area of the Commission.

Senator Tester. Thank you very much.

Chairman Crapo. Thank you, Senator. Senator Kennedy.

Senator Kennedy. Thank you, Mr. Chairman, and Mr. Chairman. You said you found out about the SEC data breach in August of this year?

Mr. Clayton. Yes, sir.

Senator Kennedy. When did the SEC find out about it?

Mr. Clayton. In 2016.

Senator Kennedy. Did Chairwoman White know about it?

Mr. Clayton. What happened in 2016 and who knew about it is going to be the subject of this review that I have asked the Office of Inspector General to--I have no belief sitting here that Chair White knew about this.

Senator Kennedy. Well, when you found out about it in August of 2016, how did you find out about it?

Mr. Clayton. Our Division of Enforcement had an ongoing investigation. Information that they gained in connection with that investigation caused them to question whether there had been a breach of our system. And that is the time I launched an investigation.

Senator Kennedy. And when did they raise that question?

Mr. Clayton. When did they raise that question?

Senator Kennedy. When did they raise the question that there might have been a data breach?

Mr. Clayton. They raised it to me in August of this year.

Senator Kennedy. Did they raise it at 10 o'clock in the morning and then call you at 11:00? Or did they know about it for a while?

Mr. Clayton.
I think they raised it promptly upon learning about it, but, you know, again, our response to this matter is something that I am concerned about and want to get to the bottom of.

Senator Kennedy. Well, this bed was on fire when you laid down in it. I am not blaming you. Did Chairwoman White tell you about this breach when she was leaving and say, ``This is something you need to worry about''?

Mr. Clayton. No, no. Like I said, I have no indication that Chair White had knowledge of this breach.

Senator Kennedy. OK. Will you at some point tell us when the SEC first learned about the breach--not when you were first notified, but when the SEC first learned about the breach?

Mr. Clayton. Yes, I have asked the Office of Inspector General to look into this matter. Those are questions I want to know the answer to, because they are going to help us do better going forward.

Senator Kennedy. OK. Is there any possibility, realistic possibility that the SEC knew about this breach in 2016 and did not disclose it?

Mr. Clayton. I do not want to go there. I want to wait until the facts come out.

Senator Kennedy. OK. That is fair. Let me ask you about the Equifax breach. After the company, Equifax, learned about the data breach, several senior executives sold stock. Was that insider trading?

Mr. Clayton. I am not going to comment on that specific matter for the reasons that I have discussed.

Senator Kennedy. Are you going to investigate it?

Mr. Clayton. We do not comment on investigations, including whether they are actually pending.

Senator Kennedy. Well, you are not going to ignore it, are you?

Mr. Clayton. I am not ignoring this. I am not ignoring this or other events like it.

Senator Kennedy. So I take it you are neither confirming nor denying that there is an investigation?

Mr. Clayton. That is correct.

Senator Kennedy. OK. Well, if you decide--and I am not suggesting----

Mr. Clayton. It has been our policy for a long time.
I want to say that, you know, the internal investigation is going on.

Senator Kennedy. Sure. I understand.

Mr. Clayton. I needed to disclose that one. I want to stick with our policy with respect to third parties.

Senator Kennedy. It is the anti-Comey rule. I understand. Well, let me put it this way: I am not suggesting you will not investigate, but if you decide not to investigate, would you let us know so we can investigate?

Mr. Clayton. I think that is a fair question.

Senator Kennedy. OK. Fair enough. And I am not accusing anybody of anything. I am really not. But there is more than just the data breach involved here. There is the sanctity of our equity markets as well. And I am not accusing anybody of anything. I think the executives are taking the position that they knew nothing, saw nothing. This was just a coincidence. And that may well be, but trust and verify. And I am glad to hear that you are investigating.

Mr. Clayton. Thank you.

Senator Kennedy. I am about out of time. You know what strikes me and I think many Americans as curious about the credit reporting agencies? I did not hire them. I did not hire them to collect information about me. I mean, they do not represent me. They represent business, which I understand. But I did not hire them to collect all this information. And now all of a sudden my information is out there somewhere on the dark web. And it seems to me at some point, Mr. Chairman and Mr. Ranking Member, that that is something we need to talk about in this Committee, is what the role the credit reporting agencies play and to whom do they have an obligation. Well, I am going on too long. Thank you, Mr. Chairman.

Mr. Clayton. Thank you.

Senator Kennedy. This is more interesting than practicing law, isn't it?

Mr. Clayton. Some days.

Senator Kennedy. Yes.

Chairman Crapo. Thank you, Senator. Senator Warner.

Senator Warner. Thank you, Mr. Chairman.
Let me, first of all, echo what Senator Kennedy has just said, the whole notion of the credit rating agencies and the public's ability to--we have no ability to opt-in to these systems. We are part of these systems, whether we like it or not.

You know, I am often asked in my job on the Intelligence Committee what I think the single greatest vulnerability our country faces is, and I believe it is cybersecurity. And I believe we do not have a whole-of-Government or whole-of-society approach on cybersecurity. In recent times we have seen Russia take unprecedented action attacking 21 of our States' voting systems. We have seen our social media platforms being manipulated with false information in the first, I think, shots of disinformation and misinformation campaigns, at least indirectly related to cyber.

I appreciate you, Mr. Chairman, coming forward with the recognition of the EDGAR system breach. I wish it would have been done quicker, although as has been pointed out, this is not in isolation. We have seen OPM and a series of other governmental breaches. I think Equifax is a travesty. I think the fact that the resignation of the CEO is by no means enough. I would say--and I understand your reluctance to acknowledge whether there is an investigation. Your colleagues at the FTC, who also have a process in place where they normally do not reveal an ongoing investigation, have felt that this was so serious that they acknowledged that there was an investigation going on. And the Equifax breach is so egregious, one, in terms of the sloppiness of their defenses; two, in terms of the fact that this was clearly a knowable vulnerability, they had known for months, and if they had simply put a patch in place, we might have precluded this. And then to add insult to injury, Equifax, when it put up the site to direct consumers after the breach, that site was not properly domain registered and was known to have vulnerabilities in its site itself.
So if we do not send a very, very strong message--now, the market has already taken I think 25 percent off its market value. But I question whether Equifax has the right to even continue providing these services with the level of sloppiness and lack of attention to cybersecurity.

I would also point out--and Senator Brown raised this question--this is not the first time. I mean, Yahoo last year, 500-million-user breach, and Yahoo did not believe that it was material enough to even report. My investigation has shown with 9,000 public companies, we have had less than 100 companies since 2010 feel that any level of cyber incursion was significant enough to meet that materiality standard to notify the public. I find that absolutely unacceptable. I know Senator Brown asked that, but, Mr. Clayton, do you want to make any other further comment about what the SEC might be looking at in terms of reviewing these materiality standards as it relates to cybersecurity?

Mr. Clayton. Yes, I do. I agree with you generally. I do not think there has been enough disclosure around, as I said, the risk profile of companies with respect to cybersecurity. Where are the risks? What are the vulnerabilities? What do we know and not know? And then if there are breaches, the disclosure of those specific breaches. I do not think that there has been adequate disclosure in that regard.

Senator Warner. Well, my hope would be that this would be something--I know I am very interested in it, and I think across both sides of the aisle, we would like to work with you on--whether we need legislative actions or whether we work with you as an entity.

Let me move to one other topic. I think back in 2014 you created something called Reg. SCI, which looks at systems. I have prodded you repeatedly with letters and other items, both during your tenure and before your tenure, let me make clear. And this goes to the technical and risk standards of some of our market structures. It also includes cybersecurity.
Currently, the SCI regs only apply to stock and option exchanges, registered clearing agencies, and certain alternative trading systems. We have, in my view, left out dark pools, alternative trading systems, Treasury markets, other trading platforms. And I feel if we had much more disclosure about what SCI--which market structures were covered, then shareholders and others could vote with their shares and move their transactions onto platforms who met these minimum standards rather than having this what I believe is kind of half coverage and half the market not coverage. I know we are out of time, but could you address the question of whether you will take a fresh look in terms of the SCI regulations about expanding to other parts of market coverage.

Mr. Clayton. I thank you for your letter, which just by happenstance I read last night, and I agree with you that we need to look at those other important venues in our equity market system to see if they should be reporting on the same basis, and also as you raised in your letter whether the public has enough information about which entities are subject to Reg. SCI.

Senator Warner. Mr. Chairman, I think that would be very important that we get that information out, because then responsible entities can vote and move to areas that have this kind of minimum protections in place. Thank you.

Senator Brown. [Presiding.] Senator Rounds.

Senator Rounds. Thank you, Mr. Chair. Good morning, sir.

Mr. Clayton. Good morning.

Senator Rounds. Some of my colleagues have already raised the issue of cyber attack against the SEC, the target of the SEC's electronic system for filing the corporate disclosures and reports. I know that this incident occurred before your nomination and confirmation, but I would like to hear your thoughts on what this incident might suggest about our Government's broader posture with regards to cybersecurity.
I know it is difficult for any one agency to adequately protect itself against these kinds of intrusions, and sometimes the level of expertise necessary would help a number of different agencies and departments. From what you currently know about the attack that took place, do you feel like you have adequate resources to protect yourself in the future? And does there need to be more of a cross-cutting or interagency effort to prevent these serious intrusions in the future?

Mr. Clayton. Senator, I do believe we need additional resources going forward. I think that this is an area and a data point I use to describe this to people. Let me take a step back. Other people in my position and in similar positions in other agencies feel the same way I do, which is that this is a risk to our agencies, it is a risk to the markets or the areas of the economy that we regulate and oversee. I believe we will need more resources going forward. If you will look at the resources that private actors in our capital markets devote to information technology and cybersecurity as part of that, single actors dwarf the amount that we have available to spend in this area. To me that just tells me we are a bit out of step and we need to up our game.

Senator Rounds. If you take a look at the--I think the EDGAR system is your current system that is going to remain in place, and, basically, as indicated in your earlier testimony, it is complex. It has been modified; it has been customized. And based upon the information you have received, that makes it probably a little bit more vulnerable than some other types of larger systems that basically have a number of the patches put together before they ever end up in the public's hands or in agencies' hands. You have also got another system coming on board, the CAT system, the comprehensive audit trail, which will be coming in. I presume the two of them will be compatible or at least operational at the same time.
When that happens, you will also have a huge amount of information that will be found at one location, including a lot of information about investors, their personal information and so forth, that you will have on the system itself. Is it time to say time out and to make darn sure that the new systems coming on board have been--naturally, we would do a vetting process anyway, but is it time to actually have those second and third opinions on this type to make sure that we have done everything we can to protect this very valuable data before we go online and then find out that there needs to be a few more patches made? What are your thoughts on this process of actually implementing the CAT system in the future?

Mr. Clayton. Two responses. One, since I got to the Commission and learned more details about the CAT, as I said before, it has been clear to me that we do not want to be taking data from the CAT unless we need it and can protect it. With respect to whether we should have a time-out, I do not think a full time-out on the CAT makes sense. There is a lot of data that already exists that we can be collecting that will further our oversight and regulatory mission. But we should be examining whether we do, indeed, need that data. We can rank that data, we can phase in the CAT, and we should be doing--it is not a zero-one on-off, no pun intended, but we should be doing the kind of critical thinking that you are asking me to do in how we bring it online and how we sequence what we do.

Senator Rounds. Do you have the resources to do that vetting process today?

Mr. Clayton. That vetting process is a prerequisite. So if I do not have them, that will be time-determinative on how it comes online.

Senator Rounds. OK. Let me turn to one other subject. I understand that certain Federal Reserve Bank capital regulations may be inadvertently causing some liquidity concerns in the listed options market that the SEC regulates.
Will the Securities and Exchange Commission commit to working with interested parties on a solution and to make this a priority?

Mr. Clayton. Liquidity in the options area----

Senator Rounds. Within the listed options market.

Mr. Clayton. It is not just important for the options market. It is important for all of our markets. So, yes, if there is a liquidity issue in the options market, it can affect the cash equities market. And it is important that we focus on it.

Senator Rounds. More than willing to work with----

Mr. Clayton. More than willing to work--it is an important issue.

Senator Rounds. I appreciate it. Thank you, sir.

Senator Brown. Senator Warren.

Senator Warren. Thank you, Mr. Chairman. And thank you for being here, Chairman Clayton. In one of your first speeches as Chairman, you noted that there has been ``a 50-percent decline in the total number of U.S.-listed public companies over the last two decades,'' and you said that this decline was ``a serious issue for our markets and the country,'' and you wanted to encourage more companies to go public so more ordinary investors or ``Mr. and Mrs. 401(k),'' as you called them, could get opportunities to invest in emerging companies. And you used this rationale for arguing that we should review and possibly reduce the disclosure burdens on public companies.

Now, I want to understand your thinking on this. You compared the number of public companies today with the number of companies in 1996 and 1997. That was your comparison point, which, as you know, was the height of the dot-com boom. And as you know, there was a sharp increase in the number of public companies leading up to the 1996 and 1997 years, and then a lot of those companies failed over the next few years, leaving Mr. and Mrs. 401(k) losing a whole lot of money. So when you picked 1996 and 1997 as your target years for comparison, were you arguing that those were the ideal market conditions for ordinary investors?

Mr. Clayton.
I am happy to pick any period over the last 20--any 5- to 7-year period over the last----

Senator Warren. Well, if you are happy to pick any period, if you pick other periods, you are not going to come up with the same conclusion you have.

Mr. Clayton. I think I would. I think that trend has been----

Senator Warren. No, I do not think so. Let us talk about the trend. But I take it what you are saying is you do not wish to re-create the bubble that wiped out billions of dollars of investor value 20 years ago?

Mr. Clayton. No, I definitely do not.

Senator Warren. OK. So let us look at the trends then since the dot-com bubble popped. There has been a slight decline in the number of public companies since then. Most of the evidence shows that that is primarily because of an increase in mergers and acquisitions. So if you want more public companies, then I hope you are soon going to give a speech supporting stronger antitrust enforcement.

But let us just look at the IPOs since that has been your focus. You said you want to get more investors involved in emerging companies, which is why you want to see more companies going public. Now, in 1996, the peak of the dot-com bubble, there were 624 IPOs with a total of $36 billion in deal volume. From 2012 to 2016, there were about half that number of IPOs, but the average annual deal volume was higher than it was in 1996. In 2014, IPOs raised $96 billion, nearly triple the total debt volume in 1996. So, in other words, in the last few years, people are investing more money in IPOs than they did even at the height of the dot-com boom. So if your primary focus is on investors, not on the bankers and the deal lawyers who make money on each of these IPOs, why do you care if there are fewer IPOs so long as IPOs overall are attracting more investor dollars?

Mr. Clayton. Because I believe that those IPOs--here [indicating] is a company's growth curve.
I believe those IPOs used to happen here [indicating], and if you invested in a portfolio of companies that were down here [indicating], as part of your overall investment strategy and as they go up the growth curve, you as a retail investor were better off than getting on up here [indicating] where the company is mature and not growing as much.

Senator Warren. Well, I appreciate that that is your point of view, but have you looked at the data on this? Because the data show that having fewer but bigger IPOs is better for investors. The IPO companies now tend to have more revenue. They tend to perform better in the long run than in the past when there were more IPOs and more failures, which looks to me like a positive outcome for Mr. and Mrs. 401(k).

Mr. Clayton. Well, it is a concern to me, Senator--and I understand different people have different perspectives on this. It is a concern to me that on the growth curve, most of that money--I should not say most of the money. A substantial portion of that money is private money, and those investors have done very well, and in many cases relatively much better than----

Senator Warren. Well, I am sorry. All I can do is look at the data, and what the data show us is that the later--the IPOs now are performing better for investors and less likely to wipe investors out.

Let me just state my concern here, Chairman Clayton. You are using the decline in IPOs to argue that there is something wrong in the market and that our rules and regulations are making it too hard for companies to go public. But the data show that investors are putting more money into IPOs now than ever before, and that those IPO companies are doing better for investors because they are more stable before they come to market.
Loosening the disclosure and the registration requirements may make life a whole lot more profitable for a handful of bankers and for corporate attorneys who just want more IPOs in the system, but there is no evidence that it will make life better for investors. And it is investors, not bankers and lawyers, who you are supposed to be watching out for at the SEC.

Mr. Clayton. I understand that.

Senator Warren. Thank you, Mr. Chairman.

Chairman Crapo. [Presiding.] Senator Schatz.

Senator Schatz. Thank you, Mr. Chairman. Commissioner, thank you for being here. You said materiality is the core of the system of disclosure. I agree. You said companies should disclose more. I agree. I want to talk a little bit about the risk of climate change and severe weather events. In the last 35 years, the average number of inflation-adjusted $1 billion severe weather events was about 5 1/2 per year. In the last 5 years, it has doubled. Now, I know in 2010 the SEC provided some guidance about climate disclosure, but not much additionally has happened. So I want you to talk about how you view climate change and its materiality, because it is becoming increasingly clear that we cannot ignore these severe weather events and the impact that they have on publicly traded companies.

Mr. Clayton. I do believe--and there are a number of industries where, if there are patterns and changes in weather events, these type of things--those developments do have impacts on companies that should be disclosed. And they have impacts in many ways, the weather events, the recurrence of them. You know, are we experiencing increased loss? This is something that--trends in increased loss, that is something investors should know about. Regulatory responses to those events. If there are regulatory responses to those events that are going to affect those companies, those companies should discuss them. I believe that.

Senator Schatz. Do you think the SEC is doing enough to require this disclosure?

Mr.
Clayton. We have issued guidance around this. We have guidance in a number of areas. I regularly--I cannot say every day, but on a fairly regular basis--discuss with the Division of Corporation Finance whether our guidance in this area, whether our guidance in the cybersecurity area, whether our guidance in other areas should be updated, emphasized, or, you know, otherwise changed.

Senator Schatz. OK. I understand you are in conversation. What is your current thinking about this?

Mr. Clayton. My current thinking is that the guidance is good. That is my current thinking, but we should continue to look at it. Senator, I agree with you that there are industries that need to pay close attention to these trends.

Senator Schatz. Let me give you a specific example, if you would not mind. Valero Energy's 10-K filing for 2016 states, `` . . . some scientists have concluded that increasing concentrations of greenhouse gas emissions in the Earth's atmosphere may produce climate changes that have significant physical effects, such as increased frequency and severity of storms, droughts and floods, and other climate events. If any such effects were to occur, it is uncertain if they would have an adverse effect on our financial condition and operations.'' At the end of August of 2017, Hurricane Harvey, one of the strongest Atlantic storms in history, shuttered over 20 percent of the U.S. oil refinery industry, including five refineries owned by Valero. These refineries usually produce 1.1 million barrels a day, which is a third of Valero's total capacity. A week after the hurricane, Valero's refineries were not back online. Does it seem like Hurricane Harvey had a material adverse effect on Valero's financial condition?

Mr. Clayton. I do not know the numbers, but it would not surprise me if an event of that type would have an adverse effect on a company's financial condition.

Senator Schatz.
Do you think that the SEC is doing enough to require disclosure from some of these companies? It seems to me that part of the problem is politics, that people do not want to--not for you, but for these companies, they do not want to weigh into something that is the subject of some controversy. And the other problem is that just institutionally the SEC measures risk that can be measured, that is customarily measured, and that this is a relatively new risk that people are, scientists are essentially stipulating to, and that the systems in the SEC and elsewhere in the financial services industry everywhere is actually not equipped to evaluate this. And so what we do is we book it at zero. We assume it does not exist because it is difficult to assess. When you assess political risk, regulatory risk, other risks that may be material, you have a way to get at that. But climate risk in the financial context is new, and so I would just ask that--2010 is actually a long time ago when it comes to our thinking about climate, and it is certainly a long time ago when it comes to the fiscal impact both on the public and the private sector when it comes to severe weather. So I do not think that 2010 guidance suffices, and I would just encourage you to maintain an open mind in this space and devote some staff time to articulating how we are going to quantify the adverse impacts of climate change on the industry.

Mr. Clayton. I will.

Senator Schatz. Thank you.

Chairman Crapo. Thank you. Senator Perdue.

Senator Perdue. Good morning, Mr. Clayton. Thank you for being here. I have got a concern, basically a reservation with the fact that SEC staff today do not have to abide by some of the same stringent security protocols that other users of the CAT database are required to abide by. The GAO has previously identified a few weaknesses related to the SEC's cybersecurity protocols.
Can you give us an update on how you are addressing those concerns that the SEC has raised at this point and also the other safeguards around the NMS plan as well?

Mr. Clayton. OK. Senator, I want to make this clear. With respect to the CAT, we are not going to take the data unless we need it and unless we can protect it. And with respect to your specific question about whether our security protocols for individuals are not as stringent as they should be, I do not have an answer to that right now, but I----

Senator Perdue. Do you agree with that conclusion? I know you are new on the job.

Mr. Clayton. But they should be.

Senator Perdue. But do you have a position yet, do you know yet whether they are, whether you agree with the GAO's conclusion on that?

Mr. Clayton. I do not have a position on that now, but I think that we should be mindful of any guidance from the GAO as----

Senator Perdue. But you are looking at it today.

Mr. Clayton. Yes.

Senator Perdue. And will you come back to this Committee on that when you get more information, when you have a conclusion?

Mr. Clayton. I am happy to.

Senator Perdue. Great. The second part is the same sort of concern. Under the JOBS Act, companies with revenues under $1 billion are permitted to confidentially file IPO and secondary offering statements that would not be released to the public until 15 days before the road shows. Recently, under your leadership this ability has been extended to companies of all sizes. In your view, can you describe the advantages of a confidential filing how to improve our increasingly more complicated IPO process?

Mr. Clayton. The confidential filing process greatly aids companies when they are transitioning to public companies, and we want companies to transition to public companies. They are better companies. When they have public company financial statements, when they go through the process of the SEC disclosure process, they do become better companies.
Letting the world see all of your financials and all of your strategies and all of your risks long before you go public causes some companies to pull back from that. I am very comfortable and, in fact, think it is a great idea that we allow companies to confidentially submit that information so that it can be reviewed, we can comment on it, we can tell them where they need to improve; and then with plenty of time for investors to assess that information, make it public before the IPO. I think it is a very smart move that in no way lessens investor protection and actually increases the number of opportunities investors have.

Senator Perdue. Thank you. I just have one last quick question. The conflict minerals rule, I know that is under review right now. Can you give us an update on how you guys are looking at that right now?

Mr. Clayton. Well, there was a court determination that part of the rule had a First Amendment issue with it. The rule is on the books. We have issued no-action guidance in how to comply with the rule in the interim. We are now reviewing the rule, the no-action guidance, in light of the court case. That is where it stands.

Senator Perdue. OK. Thank you. Thank you, Mr. Chairman.

Chairman Crapo. Thank you, Senator. Senator Van Hollen.

Senator Van Hollen. Thank you, Mr. Chairman. Thank you for your testimony. I want to pick up on some of the questions that Senator Brown asked regarding materiality. You indicated that you thought that the triggering event for disclosure would be whether there had been a material change in the circumstances of the company, right?

Mr. Clayton. Yeah, that is generally----

Senator Van Hollen. Right. And I understand you do not want to get into the Equifax situation, but you would agree--I am not talking about any company--that if, in fact, there was a material change, it would be wrong for executives of that company to then knowingly trade stock before they had made any disclosure, right?

Mr. Clayton. Yes, sir.
Senator Van Hollen. OK. So I want to get to what materiality means, because I do not believe the SEC has any definition, at least in the context of a cybersecurity breach. Is that right?

Mr. Clayton. I think the general definition of ``materiality'' does apply to the cyber context.

Senator Van Hollen. No, I do not mean that the concept does not apply, but there is no standard or definition of how to apply the concept of materiality to a cyber breach. So, for example, the SEC does not say if a cyber breach would result in the disclosure of, you know, X amount of information about customers and that could lead to a significant change in the value of a company, the SEC does not itself have that?

Mr. Clayton. That is correct. There is no prescriptive disclosure of this many people for this long--we do not have that type of----

Senator Van Hollen. So it is kind of you know it when you see it. Is that the idea?

Mr. Clayton. That is correct.

Senator Van Hollen. But does the SEC bring these kind of materiality cases for failure or violation of 8-K disclosure?

Mr. Clayton. We do.

Senator Van Hollen. OK. Well, let me ask you, if you agree that it is wrong for people to knowingly trade on information that is material but has not been disclosed, would you agree that once a company has decided something is material, that their executives should not be trading that stock, between the time they decided it is material and the time they actually file a disclosure to the public, which is now a 4-day period, potentially?

Mr. Clayton. I am going to be very careful. I think what you are asking is a control issue. Should there be a control in place to ensure that when a decision has been made at a company that there has been a material event and there is going to be a disclosure, that the company has in place a control to prevent people----

Senator Van Hollen. Yes, that is exactly what I am suggesting. Wouldn't that make sense?

Mr. Clayton.
I think it is a very good question and a fair question. Whether that is an area--whether that is an area that goes into insider trading or whether it goes into a control failure is something that we need to----

Senator Van Hollen. I understand. It seems to me there should be a presumption that once a company has decided there has been a material change and before they disclose that to the public, there should be just a rule that executives do not trade that stock. Doesn't that make sense in terms of protecting the markets?

Mr. Clayton. Having a--I am going to--I do not want to comment on any specific company, and----

Senator Van Hollen. No; I understand. I am not asking about a particular company.

Mr. Clayton. Most companies have insider trading policies. Having a thoughtful insider trading policy with controls of the type you are suggesting is an important part of good corporate hygiene.

Senator Van Hollen. Well, let me look. I am working with-- Congresswoman Maloney on the House side has a proposal. We are working on it with her. But there is a whole question about when you determine materiality. Right? We were talking about that. But it seems like a no-brainer that once a company has determined that there has been a material change and before they have notified the public, which they have 4 days to do, you would require them not to sell stock. Why isn't that just obvious?

Mr. Clayton. I like the concept. When I was in the private sector, I put the concept into insider trading policies that, for example, a general counsel would be somebody that a set of executives had to clear all trades with. Those are types of things--those are types of----

Senator Van Hollen.
Let me just say, so there was a study done back in September 2015 by Alma Cohen at Harvard Law School, Robert Jackson at Columbia Law School, Joshua Mitts, and others have done studies that showed what they called the 8-K trading gap, which is that executives have made money during this 4-day period, or whatever time elapses between a decision that some material change has been made and disclosure. Do you agree that it is wrong for executives to be making money during that period based on information they have about materiality?

Mr. Clayton. Absolutely.

Senator Van Hollen. Right. So should there not be a general rule that once the corporation has made a decision that something is material, that they not be allowed--their executives not be allowed to trade during that period?

Mr. Clayton. I like the concept. I have incorporated the----

Senator Van Hollen. OK. We will look forward to working with you on this----

Mr. Clayton. We can work on this. We can definitely work on it.

Senator Van Hollen.----because we are working on a bill. Thank you.

Chairman Crapo. Thank you. Senator Shelby.

Senator Shelby. Mr. Chairman, sorry I had to leave the hearing, but we all have some other things. Chairman Clayton, welcome. I did not have a chance to do this. Welcome to the Committee. I missed a lot of the testimony, but I hope this has not been one of the questions. During your confirmation hearing, you agreed with my longstanding belief that a cost-benefit analysis for rulemaking was appropriate at the SEC. I believe it is appropriate at all agencies. And I appreciate your leadership on this issue. What is the SEC doing or trying to do to come forth with a meaningful cost-benefit analysis rule? Because rules cost money. Sometimes they are really necessary. You know, we need them. Sometimes it is an overkill.
But we all know and you know in your other life that--I do not believe enough work has been done in the cost-benefit analysis, and we are talking about securities in your area right now. Go ahead.

Mr. Clayton. Senator, I agree with you that cost-benefit analysis is very important in rulemaking, and it is important in rulemaking not just in should we have the rule or not have the rule. If we have the rule, how should it be crafted? What are we getting for this component as opposed to the cost of that component? It is not just yes or no, but it is how we craft the rule and, importantly, you know, what people are going to do to demonstrate compliance. And are we getting the best compliance requiring them to demonstrate it that way? We want, you know, the best compliance, but we want it to be done in the most efficient way to get there, and I very much believe that.

Senator Shelby. Where are you and what are you doing--I know you have not been at the SEC too long, and we are glad to see you there. But what do you expect to do as far as setting the tone and the standards down there?

Mr. Clayton. This is an area that is of--I do not----

Senator Shelby. It is a complicated area.

Mr. Clayton. It is a--I like it because it is complicated.

Senator Shelby. It is.

Mr. Clayton. And I like sitting with our economists, and I have enjoyed sitting with them and discussing exactly these things, including around some of the pending rulemakings that we have. So this is a focus. We brought on a new chief economist. I am very happy to have him on board. So this is an area that is of interest to me, and I agree with you in this area.

Senator Shelby. I was not here earlier, but it is my understanding that the trend of fewer IPOs was mentioned, you know, which a lot of us do not like because that seems like the economy is not doing as it should. What is your thought on that without rehashing everything that has been gone over there? And what is the trend and what is the data there?
What is the information?

Mr. Clayton. People focus on IPO or no IPO. IPO is the water coming into the bathtub. There are going to be reasons things are going out of the bathtub. But I want a bigger bathtub. I want a bigger bathtub because I want people to have more choice. And I do not want--it is very difficult for retail investors, either directly by buying stock or indirectly through mutual funds, to have access to investment opportunities outside of the public capital markets. So on balance, I would like a larger public capital market because I would like retail investors to have more access to those choices.

Senator Shelby. We have in this country, some people believe, $4 to $5 trillion in capital, I will just use the term, ``lying around,'' looking for a better investment. Look at the savings accounts. You know, people are not getting much there. The dividends, the money markets, you know, you name it. How can we put a lot of that money to work for the economy? I know this is not your total--you are not Secretary of the Treasury, but what you do and what your colleagues do at the SEC does feed right into our economic growth.

Mr. Clayton. My aim is more and better investment opportunities, but I want to also be clear. A focus for me has been retail investor fraud, because while I want to get more and better investment opportunities, tamping out those repeat actors who prey on----

Senator Shelby. Get rid of them, absolutely.

Mr. Clayton. And that is as important, if not more important, than increasing the number of opportunities. And so we have got to do both.

Senator Shelby. Bring some confidence back to the retail-- the little person, right?

Mr. Clayton. Yes, absolutely.

Senator Shelby. Thank you. And we like what you are doing at the SEC. Thank you.

Mr. Clayton. Thank you, Senator.

Chairman Crapo. Thank you. Senator Heitkamp.

Senator Heitkamp. Thank you, Mr. Chairman, and thank you, Mr. Clayton.
Before I start with questions, I think you and I had a long conversation about a bill that Senator Heller and I had that would create a full-time small business advocate within the SEC. You have moved expeditiously to do that, and so I want to acknowledge that help and to tell you how critically important it is that we have that outreach, because what you are trying to do, in your exchange with Senator Warren, is really build that opportunity and see that next new startup that could, in fact, result in General Motors or Microsoft or whatever comes along. With that said--and I think they all started in a garage or they all started with a great idea. I want to just kind of walk through some of the thinking that people in my State have. You know, they think about gambling, and they think about Las Vegas, and a lot of them think that what you do is about gambling. And they think that if they go to Las Vegas, there is a whole regulatory body that, if someone cheats, they are going to get caught and the game is fair. And if they cheat--or if somebody is rigging the system, they have some level of confidence that they are going to go to jail. I think if you took, you know, gambling, straight up gambling--right?--and you used those same kind of guidelines or at least benchmarks that people feel about the equity markets, I think Las Vegas gets, you know, probably an A, A-minus for soundness and security and fairness. And I do not know you get an A or an A-minus. I think the equity markets, as best you could do, you are probably at a C. And if we do not respond to this and if we do not respond to the issues that have been raised across the table here on what happens when the public out there sees executives trading after a material event--and they would not use that language. They would say, ``Here it is again.'' You know, ``They make money and we lose money. We would have had shares. Had we known it, we would have sold our shares.
But now we are worth 25 percent less in our 401(k) if we held that share.'' Tell me what we are going to do to convince my retail purchaser, which you just talked about, that what you are going to do is unrig this system and get it back to a level of confidence that the equity markets are fair.

Mr. Clayton. I can tell you that I know the people at the Commission and I look at those people when we make decisions. You know, people make fun of it or do not make fun of it, Mr. and Mrs. 401(k). That is how I look at what I am doing. And that is in the markets, I mean, I know that what they want to know is that we are--we have their back, that we are policing the large public companies, that we are looking at what the executive is doing, that if they are taking unfair advantage of information in that 4-day window that Senator Heller mentioned, that that is not appropriate and we are going to do something about it. As far as retail folks go, I am also really worried about the amount of retail fraud. I will tell you that the amount of retail fraud I see every day in terms of the enforcement actions that we see disgusts me, and we just--you know, it has been in the works for some time. We just implemented a new retail fraud unit because, like you, I believe that if the Main Street investor does not think we have their back, we are not doing our job.

Senator Heitkamp. Well, I think----

Mr. Clayton. That is how I feel.

Senator Heitkamp. It is not if the Main Street investor thinks that you do not have--they do not really believe you have their back.

Mr. Clayton. Well, I want to----

Senator Heitkamp. There has just been too much history here. And to act boldly and to act directly is absolutely what is essential to bring back that confidence. And if it is all behind the curtain, pay no attention, we are studying it, we are studying it, people go, yeah, they will study it until the next time it happens. Then they will study it again.
And we are never protected because we do not have access to that information, and we lose money, because when that becomes--when the public knows, guess what happens? That stock tanks, and I take the loss while the executives walk away with the big payoff. It just is not a formula for success, and I honestly believe people trust the regulators at Las Vegas to make sure that that slot machine is fair more than they trust you to make sure that when they buy an equity on your markets that they are treated appropriately.

Mr. Clayton. If that is the case, I want to change it.

Senator Heitkamp. Well, I think you need to really focus, because I believe it is the case.

Mr. Clayton. OK.

Chairman Crapo. Thank you. Senator Cotton.

Senator Cotton. Thank you, Mr. Chairman. And, Mr. Chairman, welcome to the Committee.

Mr. Clayton. Thank you.

Senator Cotton. I want to focus on some of the challenges that overregulation is putting on smaller businesses and smaller investors. You may be aware of a small business in Arkansas that we call Walmart, somewhat large now. There was a time, though, when it was kind of small. It continues to provide lots of great jobs for Arkansans, to provide their groceries and their kids' toys and their clothes and everything else under the sun. I have in my hand from 1970 a Walmart IPO document. Pretty thin, huh? Twenty-six pages--20 if you exclude the financials. It is Walmart's IPO from 1970. I have in my hand the Snap IPO document from just last year--247 pages, 10 times the size of Walmart's IPO. I think this explains one of the reasons why we have so many fewer IPOs than we once did, especially for smaller firms. I do not think you can attribute it simply to the dot-com boom from 20 years ago. After all, other developed countries have seen a 50-percent increase in listed companies over the same time period, and the types of those IPOs have changed as well. Many small-cap IPOs have declined significantly here or gone overseas.
That means ultimately that small investors, the kind of people that invested in Walmart based on this--a document that any high school-educated person with a bit of business sense could understand and became pretty wealthy on it over the years. As Walmart grew and their stock split and they grew and their stock split--no longer have access to these kind of small-cap growth companies. They go increasingly into the private market. They benefit only the most affluent Americans. So without saying that private markets are bad, could you please give us a list of the steps that you are taking or you intend to take that are going to encourage more initial public offerings in this country?

Mr. Clayton. So we have already taken a couple of steps. One is to allow more confidential filings, which under the JOBS Act has proven to be an encouragement for people to consider the public offering process. We have reduced the need to file financial statements that will not end up being part of the public disclosure package to reduce the burden on companies seeking to go public or otherwise using the public markets. The confidential filing process does extend for a period of time, which allows companies to get secondary liquidity, which also encourages them to go public. That is another aspect of it. On the agenda is our review of S-K, the broad disclosure package, to try and modernize and enhance it. I want the disclosure package to be just as good and provide just as much investor protection, but I want it to be more accessible. It needs to be more accessible. We cannot have documents that can only be read by lawyers.

Senator Cotton. Do you think anybody reads a document that long and makes an investment decision on it besides a lawyer?

Mr. Clayton. Very few.

Senator Cotton. Do you think lawyers even read it?

[Laughter.]

Mr. Clayton. Lawyers do crazy things.

Senator Cotton.
I know lots of small mom-and-pop investors in Arkansas since 1970 have read this document, and they made a lot of money off of it, and they provide a lot of jobs and a lot of affordable price/quality goods, so I am glad to hear you are taking those steps. A related story I want to tell and get your response to, the president of a small broker-dealer in central Arkansas, really not much more than just a family-owned firm, they have got six people, said that he would not start that firm today given the regulatory burden he faces. One example he gives is that Dodd-Frank expanded the Public Company Accounting Oversight Board oversight to include annual audits for all broker-dealers registered with the SEC, so that means that his six-person firm now is held to the exact same auditing standards as a company the size of Walmart or Apple or Google or anything else. That means his costs have skyrocketed, and he does not think the quality of those audits is any better. This is just one more example, although in a different space, of the cost of overregulation. Do you think it would be appropriate to have some kind of threshold to exempt these smallest firms from that kind of regulation, much as we have different standards for community banks? If so, what kind of threshold might you consider?

Mr. Clayton. Senator, I had a view, and it has been affirmed by my time at the Commission, that one-size-fits-all does not work in a lot of areas. It probably does not work in that area. Now, I also do not think that it should be you are either in or you are out; you know, you are either in regulation or you are out. Once you decide that one size does not fit all, the real question becomes: How do we scale it? Where do we put those steps? That is how I intend to approach regulation in some of these areas. Said another way, if we have one-size-fits-all in some of these areas, we are only going to get one size.

Senator Cotton. I agree, and I appreciate that.
This looks at another area in which I think that just because Walmart needs to use a giant accounting firm under existing law out of New York or Dallas or Chicago does not mean a six-person broker-dealer firm in central Arkansas cannot use a very competent, qualified auditing firm from Conway or Searcy or Bryant or what have you. Thank you.

Mr. Clayton. Thank you.

Chairman Crapo. Thank you. Senator Donnelly.

Senator Donnelly. Thank you, Mr. Chairman. Thank you, Mr. Chairman. I understand the SEC is currently reviewing the proposed acquisition of the Chicago Stock Exchange by a Chinese company. I do not expect you to comment on the specific transaction, but can you please generally describe the review process within the SEC?

Mr. Clayton. Yes, sir. The review process within the SEC is actually styled as a rulemaking, and there was 240 days for a division of the Commission, subject to delegated authority from the Commission, to review the application. That was approved. An approval like that provides the Commission with an opportunity to review the approval. The Commission took that opportunity, and we are reviewing the decision.

Senator Donnelly. In light of recent high-profile cyber breaches, including at Equifax and the SEC, are you at all concerned that the ownership and control of an American exchange by a foreign entity could expose our markets to new risks and vulnerabilities?

Mr. Clayton. I am not going to comment on the specific matter before the Commission at this time. It is a matter that I am going to be deciding on, so it would be inappropriate. But I am aware of the various issues raised by commentators.

Senator Donnelly. So I am not asking you specifically in regards to this company. I am asking you as an overall policy. Does that concern you at all about a foreign entity that could possibly expose our markets to new risks and vulnerabilities?

Mr. Clayton. Senator, absolutely.
Not just a foreign owner, but state actor intrusions and state actor monitoring of our financial markets is an issue that troubles me.

Senator Donnelly. As the SEC continues reviewing financial disclosure requirements under Regulation S-K, I hope you will consider whether corporations should disclose country-by-country employment data. It helps investors determine when companies employ American workers and better understand where outsourcing and offshoring has occurred. Are you willing to consider a country-by-country employment disclosure as part of the SEC's broader review?

Mr. Clayton. I am willing to consider the S-K guidance on-- and the rest of S-K in terms of providing a more accessible disclosure package for investors, including in areas of employment.

Senator Donnelly. I want to go back to an area you and I have talked about before, actually this spring, and that is, stock buybacks. At your confirmation hearing, we discussed my concerns with the flurry of stock buybacks at large corporations, often conducted mainly with the goal of increasing stock prices to impress Wall Street investors. I think that short-term thinking has come at the expense of long-term investments and innovation that would have benefited our country. And we have seen it again in recent times where a company chose to use some of the funds that were going to be used for stock buybacks to actually make an acquisition. And their stock was immediately hammered in large measure because it was not going to be the buyback. It was actually just trying to add to the business. And if you look long term, that does not make sense. But former Chair White publicly stated last year the SEC was looking into when and how often companies should tell investors about share repurchase programs. She was presumably referring to the SEC's concept release to solicit the public's views on financial disclosure requirements and Regulation S-K. Currently, stock repurchases are reported quarterly.
Do you think companies should be required to disclose stock buybacks more frequently than once every quarter?

Mr. Clayton. I am not going to comment specifically on something that, you know, we are reviewing. I am concerned, as you and I have discussed, I am concerned about this issue and any abuse of stock buybacks. I recognize they have a lot of value in certain circumstances. They are a way to return capital--many well-functioning companies see it as an efficient way to return capital to shareholders. Many investors engage with companies and, you know, we want investor engagement with companies, engage with companies and push for stock buybacks. Now, you know, we can determine whether their motives are-- we cannot determine in the abstract whether their motives are pure or long term or short term, but there are a lot of considerations that go into this. But as you and I have discussed, one thing that does trouble me is if these stock buybacks are motivated not by the long-term interest of the company but some short-term interest. And I am looking at disclosure in this area in that light.

Senator Donnelly. And I will finish by saying if you take a look at what is going on with hedge funds and others, I think you will find that much of their efforts regarding stock buybacks have nothing to do with company development or strengthening but simply taking as much out as quickly as possible. Thank you, Mr. Chairman.

Chairman Crapo. Thank you. Senator Reed.

Senator Reed. Thank you very much, Mr. Chairman. And thank you, Chairman Clayton, for joining us today. In general, do you think investors understand the cybersecurity risk that the companies face that they invest in? And put another way, can companies do a better job, should they do a better job disclosing the risk in their disclosure documents?

Mr. Clayton. No, I do not think the general level of understanding in the market is where I would like it to be, and I do not think the disclosure is where it should be.
Senator Reed. And through your regulatory authority at the SEC, you could shape that disclosure. Are you working on that?

Mr. Clayton. I am.

Senator Reed. Thank you. There is also a kind of theory I have that, having watched the agency over several decades in this cybersecurity world it is expensive to stay ahead with technology software, and as a result, when Dodd-Frank was being written, I put in language that allows the SEC to deposit up to $50 million a year in a reserve fund for cybersecurity and other tools. First, are you funding this? Are you accessing this source from registration fees?

Mr. Clayton. The $50 million? We want and need the $50 million for IT.

Senator Reed. And you physically are taking it and depositing it?

Mr. Clayton. We are using it.

Senator Reed. OK.

Mr. Clayton. It is part of our budget going forward.

Senator Reed. And there was in our legislative process a $100 million limit put on the fund. So you are prepared to go up to $100 million?

Mr. Clayton. Let me say this, Senator: I think we need to spend more money. When I got to the Commission, I made some assessments. We went with a flat budget for the next fiscal year. I will not be asking for a flat budget for fiscal year 2019. We are going to need more money in the area of cybersecurity and IT generally, and I intend to ask for it.

Senator Reed. Well, I appreciate that because, again, money is not the solution to every problem, but it is usually part of every solution. So you have got to have it. You have a mechanism with this reserve fund to take it right from the registration fees. It does not have to go through OMB or anyplace else. And there is a $100 million limit. At that point you cannot take any more. So I would urge you to aggressively do that. The other thing I would urge you to do is to resist any attempts to take away this fund because the Administration has proposed in 2018 that the fund be eliminated, that your ability to access these monies be gone.
I think given the current situation with cybersecurity, you have to have the money, and I hope you agree.

Mr. Clayton. Senator, I agree that the purpose of the fund including to be able to make longer-term commitments than year on year to cybersecurity is a very good idea.

Senator Reed. Thank you. Let me just quickly go back to the point that Senator Donnelly was making about stock repurchases. You make a very thoughtful point about stepping back and looking at it in terms of the long run benefits to shareholders and to the investing public, not the quick in and out. And, you know, you went back and forth about using money for a stock buyback rather than purchases. I have heard of instances where companies were actually conducting stock repurchases while their pension plans were underfunded. Are you aware of any situations?

Mr. Clayton. I am not aware of any specific situation.

Senator Reed. Would that be something that you would want to look at in terms of the propriety of doing a stock repurchase when, you know, a commitment that has been made to employees is not fulfilled?

Mr. Clayton. It is a very interesting question. I want to be responsive. I have not thought about that particular question. I would say, though, if what you were doing--what somebody is doing from a governance perspective--this may be a broader issue, but if what somebody is doing from a governance perspective is putting a funding obligation at jeopardy by buying back equity, you know, that is a serious consideration for a board of directors.

Senator Reed. Would you have authority to stop the practice, either by rule or----

Mr. Clayton. I am not sure, Senator. I would need to look into that.

Senator Reed. You know, Mr. Chairman, I think these are issues that deserve close review and study. I do not think there is--at this point jumping to a conclusion is not the way to approach it.
But I think these are the types of issues that you should be considering because, again, I think we are both committed to the long-term profitability and effectiveness of these companies, not the short-run in and out. So thank you, Mr. Chairman.

Mr. Clayton. Thank you.

Chairman Crapo. Senator Cortez Masto.

Senator Cortez Masto. Thank you, Mr. Chair. Chairman Clayton, good to see you again.

Mr. Clayton. Good to see you.

Senator Cortez Masto. Excuse me, I did not get to hear your opening. I am juggling two committees at the same time. But with your indulgence, I want to kind of follow up on the previous hearing that we had and your confirmation hearing and just follow up on some of the questions we had and just see where you are today with those. Beginning in 2009, as we were dealing with the peak of the foreclosure crisis, the SEC Chair at the time expanded the authority to issue investigative subpoenas to about a dozen or so senior officials in your Enforcement Division. Before that time, Commissioners themselves had to vote on each and every subpoena, and it slowed the enforcement down to a crawl. Before your tenure, Acting Chairman Piwowar initiated a review of whether the SEC should revert to the prior burdensome process for issuing subpoenas. When I asked you about this at your confirmation hearing, you said you needed to discuss this with other Commissioners and SEC staff before commenting. Now that you have been there 4 months, have you made a decision?

Mr. Clayton. I have. I have.

Senator Cortez Masto. And what is the decision?

Mr. Clayton. There was a time, as you noted, that formal order authority rested with the Commissioners and the Commissioners had to vote on it. That was transitioned to the Director of the Division of Enforcement for efficiency reasons, as you cite. Later on, it was put out to the regional offices, and they had the ability to have formal order authority to open an investigation.
It was pulled back to now the co-Directors of the Division of Enforcement, Stephanie Avakian and Steve Peikin. I have sat with them and discussed this with them, with an eye toward whether there was any kind of slowing down in the ability to open matters. They are totally comfortable that there is not. One or both of them are available. I have probed on this, whether there was any urgency, whether funds would be leaving the country or other reasons for having formal order authority out at the regional offices. I am comfortable that there is not one, and I am comfortable that there is a benefit having that authority resting with the two of them. Senator Cortez Masto. And their staff. Mr. Clayton. Well, their staff supports them, but---- Senator Cortez Masto. Right. Mr. Clayton. They, of course, get the information. Having it with them enables them to more efficiently manage the Enforcement Division across the offices and makes sure that we do not have, for example, somebody in San Francisco opening a case in Miami. Senator Cortez Masto. So it has reverted back. So you have pulled it back essentially. Mr. Clayton. No, we are not fully back. We are not back at the Commission. We are at the Division of Enforcement level, and I am very comfortable that that is where it belongs. Senator Cortez Masto. Right, and so that is essentially staff that has that authority. Mr. Clayton. Staff has the authority. Senator Cortez Masto. Right, so it is still--you pulled it back a little bit, but still gave the staff the authority, so it is not back at Commission level. Mr. Clayton. Correct, and I am very comfortable that they are doing a good job. Senator Cortez Masto. OK. I appreciate that. 
And then in our private meeting in the office and at your confirmation hearing, you stated your belief that individual accountability has a greater deterrent effect across the market and one tool to hold individuals accountable is the so-called Yates memo that was put out by the previous Administration, that my understanding current Attorney General Sessions and Deputy Attorney General Rosenstein are looking at right now. They are looking at rescinding it or weakening its directives to prosecutors. In your view, is this memo consistent with what you have told me in this Committee and you have emphasized in your speeches about the need to hold individual corporate executives responsible for corporate misconduct? Mr. Clayton. Senator, that is my view, that individual accountability, particularly in a corporate context, has a greater deterrent effect than simply corporate accountability. Senator Cortez Masto. And so have you thought about what you would do if DOJ, who is your partner in prosecution, rescinds the Yates memo? How would you handle that? Mr. Clayton. We coordinate with DOJ in these matters, but I do not think that--let me--I am comfortable that the way our Division of Enforcement is now approaching these matters and looking at individual accountability is correct, and that that is going to continue. Senator Cortez Masto. OK. So that is still your emphasis and concern? Mr. Clayton. Yes. Senator Cortez Masto. OK. Thank you. As a lawyer in private practice, you criticized aggressive enforcement of the Foreign Corrupt Practices Act for placing significant costs on U.S. companies, and President Trump himself criticized the FCPA when he was a businessman, basically saying it created competitive disadvantage for U.S. companies when they are not able to bribe foreign governments. Mr. Clayton. That is actually not what I said. Senator Cortez Masto. That is what President Trump said. Mr. Clayton. OK. Senator Cortez Masto. When he was a businessman. 
This world view now appears to be permeating law enforcement. One analysis found that as of September 1st, the Trump administration has brought only three of these enforcement actions, and the two from the SEC, each had roots in Obama administration investigations. And what is curious is at this point in time during the same time during the Obama administration, 25 cases had been filed, and 17 by the Bush administration. Can you tell me, is the SEC slowing down Foreign Corrupt Practices Act investigations and prosecutions? Or can you explain these numbers to me, why they are so low? Mr. Clayton. No, we are not slowing them down. And I want to go back to the 2011 article that I participated in writing. What I was saying was we need to think about whether we are doing this alone around the world and getting our partners in other countries on board, and our partners in other countries have come on board, and--not everywhere, but in some places, and that actually makes it easier to pursue this type of behavior and actually have an effect in doing so. Senator Cortez Masto. So what you are saying is our partners in other countries now have had an epiphany and they are all cooperating and following the law? Mr. Clayton. Not in every country, but the prosecutors in similar securities authorities in other countries have upped their game substantially. Senator Cortez Masto. OK. I notice my time is up. Thank you very much. Senator Shelby. [Presiding.] Senator Sasse. Senator Sasse. Chair Clayton, thank you for being here. I would like to discuss the history of cybersecurity breaches at the SEC. Can you tell me how many cybersecurity breaches there have been historically at the Commission? Mr. Clayton. I do not have that data with me today, Senator. Senator Sasse. And who---- Mr. Clayton. And defining what a breach is is---- Senator Sasse. Who would know? Who in your organization reports to you that has responsibility for this? Mr. Clayton. 
The Office of Information Technology is the office within the SEC that has overall responsibility. Since getting to the Commission, I have been reviewing how we handle these matters from an oversight perspective, including establishing a cybersecurity working group to get at these issues, including how we share information about breaches, attempted intrusions, risks across the Commission. As I testified earlier, these are areas that we need to bring focus to. Senator Sasse. And who heads that office? And how senior are they? Are they a direct report to you, or who do they report through? Mr. Clayton. The head of the Office of Information Technology is Pam Dyson, and she is a direct report to me and also to our Office of the Chief Operating Officer. Senator Sasse. And how many direct reports do you have? Mr. Clayton. Precise number? It is between 20 and 25. Senator Sasse. Got you. Is this the first breach at the SEC that you think could have facilitated the trading of inside information? Mr. Clayton. Senator, I cannot tell you with 100 percent certainty that this is the only breach that we have had. I am not in a position to tell you that. Senator Sasse. OK. The SEC statement has argued that, ``The intrusion did not result in the unauthorized access to personally identifiable information, did not jeopardize the operations of the Commission, or result in systemic risk.'' Do you think there has been any breach at the SEC that compromised personally identifiable information in the past? Mr. Clayton. So based on what we know now about the breach, the 2016 breach that I disclosed, we do not think there was personally identifiable information given the file type or where it houses, you know, a systemic risk. So I want to make that clear. That is based on what we know today. An investigation is ongoing. In terms of whether there has been a breach at the SEC where personally identifiable information was accessed, to my knowledge today, I do not know of any. 
But I cannot--in this area, I cannot give you a 100 percent certainty that that has not happened. Senator Sasse. OK. I want to ask a parallel question. So in this case, we do not think there was personally identifiable information, and you do not think that there ever has been historically. In this case, the SEC has a statement that says it did not jeopardize operations of the Commission. Historically, do we know of any breaches that have ever jeopardized operations at the SEC? Mr. Clayton. I know of no historic breaches that have jeopardized operations, but it is an area that is of concern to me. We do provide services that are essential to the functioning of the marketplace. Senator Sasse. Agreed. Mr. Clayton. And a denial-of-service attack at the SEC in one of those areas would have material effects across our market system. Senator Sasse. I share your concern, and I believe you to be greatly concerned about this. I was presiding over the Senate the last hour and a bit, so I did not get to hear the beginning of your testimony, and I know you have covered some of this information. Instead of trying to have you sort of repeat parts of it and pieces of it that may need to consult with Ms. Dyson and whatever other consultants you have on the project, I will send you an extensive list of QFRs, if that is OK. And so instead of staying here--but could I get your commitment that we will get a quick response to that list? And I want to acknowledge in advance that a lot of it is technical and long, but we would love--I think this Committee and the Senate would love to partner with you in trying to upgrade our cybersecurity. You do oversee critical functions of the Government and public trust in financial markets, and I think that we probably need more urgency on this, and I think this branch would love to partner with your branch. But we will send you a long list, but I would like your commitment that we will get a quick response, please. Mr. Clayton. 
I think it is entirely appropriate, and you have my commitment. Senator Sasse. Thank you, sir. Senator Sasse. Thank you, Chairman. Senator Shelby. Senator Brown. Senator Brown. Thank you, Mr. Chairman. I am not asking for a second round, just one question to wrap up, and thank you for your indulgence. In a recent speech, SEC Commissioner Piwowar suggested that companies that go public should be permitted to require that shareholders resolve claims in arbitration and not in the courts. That would be what we call ``forced arbitration.'' As you know, Mr. Chairman, this is contrary to corporate governance best practice and contrary to the SEC's stated views on this issue. My question is: Will you continue to support SEC practice that preserves shareholders' rights to go to court and to reject mandatory arbitration requirements for companies going public? Mr. Clayton. Senator, I am not going to prejudge that issue, but I do understand that this is also a State law issue, and in many States you are not permitted to have mandatory arbitration. But I am not going to categorically say that, you know, you would never have a situation where something other than accessing State law remedies for a particular or several particular items is off the table. But I am very cognizant--I am very cognizant--that the ability to go to court is something that is of great value to shareholders. Senator Brown. And it is the SEC's view on this issue today, as you know. Mr. Clayton. I do not think the SEC has articulated a definitive view on this issue. Senator Brown, we have done so in the context of particular requests in the past. There have been requests in the past, and there is a long history there that I am happy to discuss with your staff, but I do not think the SEC has articulated a firm view on this issue in the past. Senator Shelby. Mr. Chairman, I was told by the staff that the questions for the record that will be propounded to you are due next Tuesday. 
I know that is not long, but you are a pretty diligent man. You will get it in. Thank you for your appearance before the Committee today, and we wish you well in your job. Thank you. Mr. Clayton. Thank you, Senator Shelby. Senator Shelby. The hearing is adjourned. [Whereupon, at 11:55 a.m., the hearing was adjourned.] [Prepared statements, responses to written questions, and additional material supplied for the record follow:] PREPARED STATEMENT OF JAY CLAYTON Chairman, Securities and Exchange Commission September 26, 2017 Chairman Crapo, Ranking Member Brown, distinguished senators of the Committee, thank you for the opportunity to testify before you today about the work of the U.S. Securities and Exchange Commission (SEC or Commission).\1\ --------------------------------------------------------------------------- \1\ The views expressed in this testimony are those of the Chairman of the Securities and Exchange Commission and do not necessarily represent the views of the President, the full Commission, or any Commissioner. --------------------------------------------------------------------------- It is an honor to testify before this Committee for the first time since my confirmation. Since joining the SEC, my experience has strongly reinforced my view that our talented and committed staff is fundamental to the agency's effectiveness. The SEC's mission to protect investors, maintain fair, orderly and efficient markets and facilitate capital formation is deeply engrained throughout our offices and divisions. I also want to thank Commissioners Stein and Piwowar for their valuable counsel and guidance to me as well as for their unwavering commitment to the Commission. With a workforce of about 4,600 staff in Washington and across our 11 regional offices, the SEC oversees, among other things (1) approximately $72 trillion in securities trading annually on U.S. 
equity markets; (2) the disclosures of over 8,100 public companies, of which 4,300 are exchange listed; and (3) the activities of over 26,000 registered entities, including investment advisers, broker-dealers, transfer agents, securities exchanges, clearing agencies, mutual funds, exchange traded funds, the Financial Industry Regulatory Authority (FINRA) and the Municipal Securities Rulemaking Board (MSRB), among others. We also engage and interact with the investing public on a daily basis through a number of activities ranging from our investor education programs to alerts on our SEC.gov portal. Additionally, on a typical day, investors and other market participants view disclosure documents filed on our EDGAR system more than 50 million times. In a July speech, I outlined the principles that should chart the course for the SEC moving forward. The principles reflect my interactions with the men and women of the Commission staff. These guiding principles are as follows: 1) The SEC's tripartite mission is its touchstone; 2) Our analysis starts and ends with the long-term interests of the Main Street investor; 3) The SEC's historic approach to regulation is sound; 4) Regulatory actions drive change, and change can have lasting effects; 5) As markets evolve, so must the SEC; 6) Effective rulemaking does not end with rule adoption; 7) The costs of a rule now often include the cost of demonstrating compliance; and 8) Coordination is key.\2\ --------------------------------------------------------------------------- \2\ Remarks at the Economic Club of New York (July 12, 2017), available at https://www.sec.gov/news/speech/remarks-economic-club-new- york. While I will not go into great detail on all of the principles here, I would like to highlight the second principle, which is particularly important to me--that our analysis starts and ends with the long-term interests of the Main Street investor; or as I call them, ``Mr. and Ms. 
401(k).'' At a time when greater responsibility is shifting to Main Street investors to save for their own retirement, I am confident that this is the correct metric for our analysis of success in meeting our tripartite mission. If Mr. and Ms. 401(k) are able to invest in a better future, then the SEC is serving them and our markets well. Cybersecurity Cybersecurity is an area that is vitally important to the SEC, our markets and me personally. The prominence of this issue and the heightened focus the agency has on it is the result of various factors, including (1) the increased use of and dependence on data and electronic communications, (2) the greater complexity of technologies present in the financial marketplace and (3) the continually evolving threats from a variety of sources. Cybersecurity touches the daily lives of virtually all Americans, whether it is our accounts with financial services firms, the companies we invest in or the markets through which we trade. Last week, I issued a press release and statement that discussed (1) the Commission's cyber risk profile, (2) reviewed our approach to oversight and enforcement and (3) disclosed a 2016 intrusion that I recently discovered may have led to illicit trading.\3\ The statement was part of an ongoing assessment of the SEC's cybersecurity risk profile and preparedness that I initiated upon joining the Commission in May. The initiative has various components, including the formation of a senior-level cybersecurity working group to coordinate information sharing, risk and threat monitoring, incident response and other cross- divisional and interagency efforts and an assessment of reporting and escalation procedures. --------------------------------------------------------------------------- \3\ Statement on Cybersecurity (Sept. 20, 2017), available at https://www.sec.gov/news/public-statement/statement-clayton-2017-09-20. 
--------------------------------------------------------------------------- I will now discuss the 2016 intrusion. In August 2017, in connection with an ongoing investigation by our Division of Enforcement, I was notified of a possible intrusion into our EDGAR system. In response to this information, I immediately commenced an internal review. Through this review and the ongoing enforcement investigation, I was informed that the 2016 intrusion into the test filing component of our EDGAR system provided access to nonpublic EDGAR filing information and may have provided a basis for illicit gain through trading. We believe the 2016 intrusion involved the exploitation of a defect in custom software in the EDGAR system. When it was originally discovered, the SEC Office of Information Technology (OIT) staff took steps to remediate the defect in custom software code and reported the incident to the Department of Homeland Security's United States Computer Emergency Readiness Team (US-CERT). Based on the investigation to date, OIT staff believes that the prior remediation effort was successful. We also believe that the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission or result in systemic risk. Our review and investigation of these matters, however, as well as the extent and impact of the intrusion and related illicit activity, is ongoing and may take substantial time to complete. Our review and investigation of this matter consists of two related components. The first component has been focused on the 2016 intrusion itself, including efforts to determine its scope and whether there were or are any related vulnerabilities in our EDGAR system. 
Importantly, in conducting this review and related forensic analysis, it has been a priority and a constraint to maintain the security and operational capabilities of EDGAR, which is a critical component of our disclosure- based market system and accepts filings virtually continuously during the week. Various agency personnel, including members of the Enforcement Division, the Office of General Counsel and the Office of the Inspector General (OIG) have been involved in this effort. In addition, I have formally requested that the OIG begin a review into what led to the intrusion, the scope of nonpublic information compromised and our efforts in response. I have also asked the OIG to provide recommendations for how the SEC should remediate any related system or control deficiencies. We also are pursuing and considering other measures that may enhance our investigative, remediation and prevention efforts. The second component of our review and investigation consists of our investigation into trading potentially related to the intrusion. This investigation is being conducted by our Division of Enforcement and is ongoing. There are limits on what I know and can discuss about the 2016 incident due to the status (ongoing and incomplete) and nature (enforcement) of these reviews and investigations. Nevertheless, I directed the issuance of the press release and statement this past Wednesday. 
I made this disclosure because I believed that, once I knew enough to understand that the 2016 intrusion provided access to nonpublic EDGAR test filings and that this may have resulted in the misuse of nonpublic information for illicit gain, it was important to disclose the incident and our cyber risk profile more generally to the American public and Congress.\4\ --------------------------------------------------------------------------- \4\ Press Release 2017-170, SEC Chairman Clayton Issues Statement on Cybersecurity: Discloses the Commission's Cyber Risk Profile, Discusses Intrusions at the Commission, and Reviews the Commission's Approach to Oversight and Enforcement (Sept. 20, 2017), available at https://www.sec.gov/news/press-release/2017-170. --------------------------------------------------------------------------- Looking forward, I have authorized the immediate hiring of additional staff to aid in our efforts to protect the security of the agency's network, systems and data. I also directed the staff to enhance our escalation protocols for cybersecurity incidents in order to enable greater agency-wide visibility and understanding of potential cyber vulnerabilities and attacks. This matter involving our EDGAR system concerns me deeply. I recognize that I am not the only one who is deeply concerned. Rightfully, it will cause this Committee and others to increase their focus on whether the Commission's approach to cybersecurity appropriately addresses our cyber risk profile. This is all the more reason it was appropriate to disclose the 2016 intrusion now even though our review and investigation are ongoing. We must remain on top of evolving threats when it comes to securing our own networks and systems against intrusion. This is especially true when protecting systems dealing with sensitive market and other data involving personally identifiable information. 
This means regularly evaluating progress, pursuing improvements and making it a priority to invest sufficient resources so our systems keep up with the fast-changing threat environment. Other initiatives resulting from the general cybersecurity review we initiated in May are ongoing or will commence shortly. These include internal and inter-agency incident response exercises and continued interaction on cybersecurity efforts with other Government agencies and committees, including the Department of Homeland Security, the Government Accountability Office and the Financial and Banking Information Infrastructure Committee. Despite the attention given to widely publicized cyber-related incidents experienced by the Commission and others, I still am not confident that the Main Street investor has received a sufficient package of information from issuers, intermediaries and other market participants to understand the substantial risks resulting from cybersecurity and related issues. As a general matter, it is critical that investors be informed about the threats that issuers and other market participants face. To be sure, we are continuing to examine whether public companies are taking appropriate action to inform investors, including after a breach has occurred, and we will investigate issuers that mislead investors about material cybersecurity risks or data breaches. As is noted in my July speech and on various other occasions, I would like to see more and better disclosure in this area. Cybersecurity must be more than a firm-by-firm or agency-by-agency effort. Active and open communication between and among regulators and the private sector also is critical to ensuring the Nation's financial system is robust and effectively protected. Information sharing and coordination are essential for regulators to anticipate potential cyber threats and respond to a major cyberattack, should one arise. 
The SEC is therefore working closely with fellow financial regulators to improve our ability to receive critical information and alerts, react to cyber threats and harmonize regulatory approaches. Overall, by promoting effective cybersecurity practices in connection with both the Commission's internal operations and its external regulatory oversight efforts, it is our objective to contribute substantively to a financial market system that recognizes and addresses cybersecurity risks and, in circumstances in which these risks materialize, exhibits strong mitigation and resiliency. Regulatory Agenda We have been hard at work developing our regulatory agenda, consistent with the eight principles outlined above. As you know, we have a number of statutorily mandated items that we need to address, and we are considering how to advance those while also pursuing other initiatives that are central to the fulfillment of our statutory mission. Mandated rulemakings include those required by both the Fixing America's Surface Transportation (FAST) Act and the Dodd-Frank Wall- Street Reform and Consumer Protection Act. In the coming weeks and months, I expect the SEC's near-term rulemaking objectives to be fully reflected in our upcoming Regulatory Flexibility Act Agenda. As a general matter, I believe it is important that these publicly available agendas provide the necessary transparency and accountability for agency matters. If these plans are to meet their intended purpose, they must be streamlined to inform Congress, investors, issuers and other interested parties about what the SEC actually intends--and realistically expects--to accomplish over the coming year. Putting together a rulemaking agenda has not slowed work to fulfill the SEC's mission. As you know, Commissioners Michael Piwowar and Kara Stein advanced a number of important matters before I came on board, including moving to a two-business-day standard settlement cycle--or T+2. 
I would like to now highlight several of the SEC's accomplishments since I joined my fellow Commissioners and the women and men of the SEC in May. Facilitating Capital Formation The U.S. capital markets have long been the deepest, most dynamic and most liquid in the world. They provide businesses with the opportunity to grow, create jobs and furnish diverse investment opportunities for investors, including retail investors, pension funds and other retirement accounts. Our markets also have long provided the United States economy with a competitive advantage and American Main Street investors with better investment opportunities than comparable investors in other jurisdictions. We should be striving to maintain and enhance these complementary positions, including being mindful of emerging trends and related risks. In this regard, I continue to be troubled by the negative trend in the number of public companies--fewer companies are choosing to go public in their growth phase or at all and, consequently and significantly, there are fewer investment opportunities for Main Street investors. It is clear to me that our public capital markets are relatively less attractive to growing businesses than in the past. Based on my review and discussions with Commission staff and others, the reporting, compliance and oversight dynamic between private and public markets appears out of sync. Costs--ranging from direct compliance costs to the consumption of management and employee bandwidth--for public companies, particularly smaller and medium-sized companies, far outstrip those of comparable private companies. Thus, many companies with the choice of going public may be incentivized to stay private or stay private longer. I view Mr. and Ms. 401(k) as bearing a potentially significant cost as a result of the shrinking number of public companies. 
I expect this dynamic, if not addressed, will lead to fewer opportunities for Main Street investors to invest directly in high quality companies. To be clear, it is not fewer opportunities to invest in IPOs themselves that troubles me. But without IPOs of growing companies, we have a shrinking and generally more mature portfolio of public companies. This is a significant concern. A shrinking proportion of public companies, particularly smaller and medium-sized companies, has costs beyond investment choices, including that there will be less publicly available information about the operations and performance of companies that are important to our economy. I believe a key to restoring vibrancy in our public markets is a recognition that a one size regulatory structure does not fit all. Fortunately, this is not just a theory--through Congress's enactment of, and the SEC's work on, the Jumpstart Our Business Startups (JOBS) Act, there is an ecosystem displaying that a scaled disclosure and regulatory system provides incentives for companies to conduct public offerings while maintaining the world's most robust investor protections. To be clear, this does not mean that we would sacrifice or limit the core principles of our public disclosure regime and other essential investor protections for the sake of accelerating public issuances. It is clear to me that companies that go through the U.S. IPO process emerge as better companies, with better disclosure. We want to encourage and preserve that dynamic. Overall, the SEC will strive for efficiency in our processes to encourage more companies to consider going public, which will result in more choices for investors, job creation and a stronger U.S. economy. To this end, the SEC, through the Division of Corporation Finance (Corporation Finance), is undertaking efforts to promote capital formation, especially in our public markets. 
Corporation Finance recently announced that it would accept voluntary draft registration statement submissions for certain securities offerings, including for initial public offerings and offerings within 1 year of an IPO, for review by the staff on a nonpublic basis.\5\ This expanded policy builds on the confidential submission process established in response to the JOBS Act. We believe this approach provides a meaningful benefit to companies and investors, and a number of companies have already pursued this path. --------------------------------------------------------------------------- \5\ Draft Registration Statement Processing Procedures Expanded, Division of Corporation Finance Announcement (June 29, 2017) [Supplemented August 17, 2017], available at https://www.sec.gov/ corpfin/announcement/draft-registration-statement-processing- procedures-expanded. --------------------------------------------------------------------------- Corporation Finance also issued guidance clarifying that companies may omit from draft registration statements interim financial information that otherwise will not be required when a company files its registration statement.\6\ This guidance should enable a company to reduce costs associated with preparing financial information that ultimately would not be included in its filing. To be clear, this guidance saves costs, but investors continue to benefit from the full array of financial information required when a company publicly files its registration statement. --------------------------------------------------------------------------- \6\ See Securities Act Forms Compliance and Disclosure Interpretation 101.04 and 101.05, available at https://www.sec.gov/ divisions/corpfin/guidance/safinterp.htm. 
--------------------------------------------------------------------------- Corporation Finance is also considering whether there are other areas in which interpretive guidance could assist companies without reducing investor protections, and whether enhancements can be made to staff processes to further benefit companies and investors. Additionally, we are taking steps to fill the position of Advocate for Small Business Capital Formation (Advocate) and form the Office of the Advocate for Small Business Capital Formation (Office) and the Advisory Committee on Small Business Capital Formation (Advisory Committee), as required by Congress in the SEC Small Business Advocate Act of 2016. Among other statutorily mandated functions, the Advocate will identify areas in which small businesses and small business investors would benefit from changes in Commission regulations or self-regulatory organization (SRO) rules. The Advocate also will work to identify problems that small businesses have securing access to capital, including any unique challenges to minority- and women-owned businesses. We recently announced the application process for selecting the Advocate, which will cast a wide net that will encourage people with expertise and interest in facilitating capital formation throughout the country to apply. I anticipate that the Commission will select the Advocate in the coming months which will allow him or her to continue the agency's work through the Office and the Advisory Committee to facilitate capital formation for small businesses across the country. Much work remains to be done in this area, but I am pleased with the staff's efforts to provide additional opportunities for issuers and investors alike. Disclosure Effectiveness I expect that the Commission will move forward in the near term on a number of additional initiatives aimed at promoting capital formation. 
For example, the Commission will soon consider a rule proposal required by the FAST Act to modernize and simplify the disclosure requirements in Regulation S-K in a manner that reduces costs and burdens on companies while still providing for the disclosure of all required material information. The staff is also developing recommendations to finalize rule amendments that would eliminate redundant, overlapping, outdated or superseded disclosure requirements. In addition, the staff is developing recommendations for the Commission on final rule amendments to the ``smaller reporting company'' definition, which would expand the number of issuers eligible to provide scaled disclosures.

Further, the agency is continuing our initiative to modernize and simplify our disclosure requirements generally. We have a number of projects underway related to that effort, including, among others:

(1) Considering changes to the rules in Regulation S-X related to requirements for financial statements for entities other than the issuer; and

(2) Updating industry-specific disclosure requirements, such as the property disclosure requirements for mining companies and preparing recommendations for proposed rules to modernize bank holding company disclosures.

CEO Pay Ratio Disclosure

Corporation Finance also is examining existing disclosure rules, with an eye toward easing compliance burdens while maintaining the mandated disclosure. To be clear, the SEC is required to implement rulemakings mandated by statute in accordance with applicable law, including the pay ratio disclosure rule adopted pursuant to Section 953(b) of the Dodd-Frank Act. This rule was adopted on August 5, 2015, and will continue to be implemented on schedule.

In response to questions about the pay ratio rule, the Commission recently approved interpretative guidance to assist companies in their compliance efforts.\7\ Specifically, the interpretative guidance clarifies the disclosure rules mandated by Congress in a way that is true to the mandate and, to the extent practicable, allows companies to use operational data and otherwise readily available information to produce the disclosures. Additionally, the staff issued guidance which includes examples illustrating how reasonable estimates and statistical methodologies may be used. The staff will continue to monitor the rollout of the rule, in particular for whether unanticipated costs or difficulties have arisen.

---------------------------------------------------------------------------
\7\ Press Release 2017-172, SEC Adopts Interpretative Guidance on Pay Ratio Rule (Sept. 21, 2017), available at https://www.sec.gov/news/press-release/2017-172.
---------------------------------------------------------------------------

Standards of Conduct for Investment Advisers and Broker-Dealers

I have made clear in public statements that I am focused on the standards of conduct that investment professionals must follow in providing advice to Main Street investors. The extensive study of the subject to date illustrates the complexity of the issue and the fast-changing nature of our markets, including the evolving manner in which personalized investment advice is provided. Main Street investors should have access to high-quality, affordable investment advice and a diverse range of investment products without sacrificing the protections of the securities laws. Since my confirmation, the Department of Labor's (DOL's) fiduciary rule has partially taken effect.
Staff conversations with investors and firms, prior to the DOL's proposed extension, as well as various press reports, indicate that broker-dealers are considering, and some have started taking, a variety of actions to comply with the DOL Rule, including:

(1) increasing compliance resources and efforts (e.g., disclosure, documentation and training, in particular, with respect to costs and rollover recommendations);

(2) increasing the use of robo-advice; and

(3) reevaluating and changing the types of products and accounts (and related fees) offered to retirement investors, focusing particularly on products or accounts that would address the compliance requirements driven by the Best Interest Contract Exemption (e.g., shifting some or all of their retirement accounts to level-fee advisory accounts).

Further, staff understands mutual fund complexes are considering various approaches to accommodate broker-dealers' efforts to level compensation across similar types of products in response to the DOL Rule. These approaches include, for example:

(1) issuing ``clean shares'' that do not have any sales loads, charges or other asset-based fees for sales or distribution (thus allowing brokers to set their own commissions that would be paid directly by investors);\8\ and

(2) issuing ``T-shares''--or ``transaction shares''--that have uniform sales charges across all fund categories.

---------------------------------------------------------------------------
\8\ Related to this effort, on January 11, 2017, the Division of Investment Management issued interpretive guidance to Capital Group clarifying that Section 22(d) of the Investment Company Act of 1940 does not prevent a broker acting in an agency capacity from charging its customers a commission for transacting in ``clean shares'' of a registered investment company. Capital Group used the term ``clean shares'' to refer to a class of fund shares without any front-end load, deferred sales charge or other asset-based fee for sales or distribution. Capital Group, SEC Staff Letter (Jan. 11, 2017), available at https://www.sec.gov/divisions/investment/noaction/2017/capital-group-011117-22d.htm.
---------------------------------------------------------------------------

While the SEC and the DOL have different statutory mandates, rulemaking processes and jurisdictions, actions taken by one regarding standards of conduct are going to have a significant effect on the other's regulated entities and the marketplace. In other words, effects of the DOL rule extend well beyond the DOL's jurisdiction, and vice versa. It is important that we understand these effects and work closely and constructively with DOL to implement appropriate standards of conduct for financial professionals who provide advice to retail investors. We are engaging expeditiously and constructively with our colleagues at the DOL to best serve the interests of investors.

As for Commission action related to standards of conduct, the SEC has been reviewing this area for some time. In recognition of the vast changes in the marketplace since the SEC last solicited information 4 years ago, on June 1, 2017, I issued a statement seeking public input on standards of conduct for investment advisers and broker-dealers.\9\ In it, I articulated some key principles--clarity, consistency and coordination--that I expect to guide our approach. Specifically, our standards should be clear and comprehensible to the average investor, consistent across retirement and nonretirement assets and coordinated with other regulatory entities, including the DOL and State insurance regulators.
---------------------------------------------------------------------------
\9\ Public Comments from Retail Investors and Other Interested Parties on Standards of Conduct for Investment Advisers and Broker-Dealers (June 1, 2017), available at https://www.sec.gov/news/public-statement/statement-chairman-clayton-2017-05-31.
---------------------------------------------------------------------------

I also hope that my June 2017 statement will shape constructively the conversation on this important matter, so that we can properly tailor an approach or package of approaches that we believe will best address the issues identified. To date, we have received over 150 comments from investors and the industry, expressing a range of views. I also have personally met with various Main Street investor and industry groups and have found those conversations beneficial. The Commission and its staff have extensive experience regulating broker-dealers and investment advisers, and we are reviewing the information interested parties have submitted. I look forward to continuing to work with my fellow Commissioners and the SEC staff as we evaluate our next steps on this important topic.

Equity, Fixed Income and Security-Based Swap Markets

The SEC has a responsibility to ensure that our securities markets provide vibrant, efficient and fair mechanisms for facilitating the transfer of capital. In the decade plus since the adoption of Regulation NMS, technological advancements and innovations and commercial developments have led to significant changes in the way our trading markets operate. Generally speaking, our securities markets continue to be highly efficient and resilient. That said, it is imperative that we continuously examine and reassess our regulatory market structure. There are a few specific market structure issues and initiatives that I would like to now highlight.

Several recent Commission rulemaking proposals have been aimed at enhancing transparency in the market structure space. In July of last year, the Commission proposed amendments to Rule 606 of Regulation NMS that would require broker-dealers to disclose standardized information on their handling of large orders, both in response to customer requests and on a quarterly, aggregated basis. This proposal would also enhance existing broker-dealer order routing disclosure requirements for smaller orders. In November 2015, the Commission proposed amendments to Regulation ATS to impose new transparency requirements on alternative trading systems (ATSs) that facilitate transactions in NMS stocks. That proposal would also greatly increase the Commission's active oversight over the design and operation of such ATSs. Both of these transparency-focused rulemaking proposals, which the Commission released prior to my Chairmanship, have received broad support from commenters. I support both initiatives, and I have asked the Commission staff to prepare final rulemaking recommendations for the Commission's consideration.

Just as investors look for material information upon which to base their investment decisions, the Commission uses data to support and enhance our oversight function, including in our analysis of market structure, as well as for investigations, examinations and market analyses and reconstructions. The SROs also use data in carrying out their regulatory responsibilities. Currently, trading activity in stocks is tracked through a number of systems. No single system tracks the orders that are routed and executed across multiple trading venues. As the Committee is aware, pursuant to Commission rule and the CAT National Market System (NMS) Plan, a Consolidated Audit Trail, or CAT, is currently being developed by a CAT plan processor (Thesys) and the securities exchanges and FINRA.
The CAT is intended to provide these SROs and the Commission with consolidated cross-market data that is more complete, accurate, accessible and timely than the data currently available to regulators.

Of paramount concern to the Commission is the protection of sensitive CAT data. I appreciate that security issues are particularly acute with respect to a data repository that contains comprehensive information on trading activity in the securities markets, especially in light of recent events. I am therefore focused on issues of data security with respect to CAT. I have made this point clear to both Thesys and the SROs, and will continue to do so. I expect that the roll-out of the various components of CAT data reporting, the first phase of which is scheduled to take effect on November 15, 2017 (wherein the SROs will report data to the central repository), will reflect an ongoing assessment of the sensitivity of the data reported and related security concerns and protections.

Among the defenses built into the CAT NMS Plan are requirements for the plan processor to develop a comprehensive information security program that addresses the security and confidentiality of all information within the CAT data repository and associated operational risks. And the SROs, which have direct oversight of the plan processor, are obligated to monitor the information security program to ensure that it is consistent with the highest industry standards for the protection of data. For the subset of data that may be extracted from the CAT data repository, the SROs and the SEC have independent obligations to protect any such data. With respect to the SEC specifically, we have committed to review periodically the effectiveness of our confidentiality and data use procedures in connection with our access to the CAT.

Other components of the Commission's analysis of market structure are two pilot programs--one currently in force, and the other being developed by Commission staff. The Tick Size Pilot, which began in October 2016, is testing the impact of wider tick sizes on the trading of stocks of certain smaller capitalization companies. Preliminary analyses of the pilot data indicate that the impact of the wider tick sizes on market quality has been mixed. For many covered securities, quoted spreads and depth of book have increased, and volatility has decreased. At the end of this month, trading center data will become publicly available and enable more robust analysis of the pilot data.

I have also asked the Commission staff to develop a proposal for a pilot program that would test how adjustments to the access fee cap under Rule 610 of Regulation NMS would affect equities trading. The Equity Market Structure Advisory Committee (EMSAC) recommended a pilot program of this type. I am supportive of this type of pilot program because it should provide the Commission, as well as market participants and the public, with more data to assess how transaction-based fees and rebates affect order routing behavior, execution quality and market quality. I expect that the Commission will consider a transaction fee pilot proposal of this nature in the near future.

More generally, I believe that a thoughtful and methodical, data driven approach to market structure will help us fulfill our mission to protect investors, maintain fair, orderly and efficient markets and facilitate capital formation. Pilot programs such as the ones I just described allow us to evaluate whether adjustments to our market structure are necessary or appropriate, and if so, how to appropriately tailor them. At the same time, I also recognize that pilot programs--whether in the form of Commission or SRO initiatives--cannot simply live on in perpetuity. Once pilots have achieved their purpose in terms of providing the Commission and SROs with adequate data for reasoned decisionmaking, they should either be wound down or, when appropriate, made permanent.
Overall, as the Commission has evaluated equity market structure, the EMSAC has been a valuable and helpful resource to the Commission in providing expert advice and recommendations. Specifically, in addition to an access fee pilot recommendation, the EMSAC has provided the Commission with six thoughtful recommendations relating to NMS plan governance, SROs' proposals requiring technology changes, limit-up/limit-down mechanisms, market wide circuit breakers, the market opening and Regulation NMS Rules 605 and 606. The Commission recently extended the term for the EMSAC until early 2018, which will enable the EMSAC to continue to provide us with input as we consider market structure initiatives, including the contemplated transaction fee pilot proposal.

Separately, as I have stated previously, I believe that the time is right for the Commission to broaden its review of market structure to include our fixed income markets. The fixed income markets are critical to our economy and, increasingly, Main Street investors, yet less attention has been paid to their efficiency, transparency and effectiveness relative to the equity markets. We are in the process of establishing the Fixed Income Market Structure Advisory Committee (FIMSAC). We hope to have the first FIMSAC meeting as soon as December of this year.

Finally, with respect to the regulatory regime for swaps and security-based swaps, Commodity Futures Trading Commission (CFTC) Chairman Christopher Giancarlo and I started talking soon after I joined the Commission. At our very first meeting, we discussed ways in which we could harmonize our respective rules and regulations. SEC and CFTC staff have been meeting to identify initial areas of focus, and it is my hope that the continued coordination will result in real regulatory efficiencies.

Enforcement

I am committed to the responsibility of safeguarding our capital markets and American investors with energy and purpose and ensuring that there is no room for bad actors therein. Through the dedication and expertise of our Division of Enforcement (Enforcement) staff and its leadership, we are able to root out fraud and shady practices effectively and with unwavering purpose. Enforcement is focused on protecting all investors--without favor for account size, geography or other measures of priority--and that is clear from recent enforcement actions targeting pump and dump schemes, insider trading and a boiler room on Long Island ripping off seniors' hard earned retirement savings. Successful enforcement actions impose meaningful sanctions on securities law violators, result in penalties and disgorgement of ill-gotten gains that can be returned to harmed investors and deter wrongdoing.

While a vigorous enforcement program is at the heart of the Commission's work to protect investors and maintain the integrity of the securities markets, the SEC's enforcement program also plays an important part in ensuring that investors and other market participants have access to material information to make informed investment decisions. The SEC has brought significant enforcement actions against issuers that committed reporting and disclosure violations. Comprehensive, accurate and timely financial reporting is the bedrock upon which our markets are based and Enforcement remains focused on pursuing violations in this area.

Our actions against parties who engage in insider trading also help promote investor confidence. Trading on material, nonpublic information undermines the fairness and integrity of the securities markets and creates an unlevel playing field.
The SEC is committed to taking action against those who breach their duties--and subvert our markets--in pursuit of personal gain, having charged more than 700 defendants in civil insider trading cases since fiscal year 2010.

Through these efforts to root out financial fraud, insider trading and other misconduct in the securities industry, Enforcement serves a critical role in helping the Commission fulfill its tripartite mission. Moving forward, the SEC will continue to focus resources--including data collection and analysis, which has greatly enhanced our ability to detect unlawful behavior--on key areas where misconduct harms investors and impairs market integrity. In particular, I have asked the Division of Enforcement to evaluate regularly whether we are focusing appropriately on retail investor fraud and investment professional misconduct, insider trading, market manipulation, accounting fraud and cyber matters. I believe our Main Street investors would want us to focus on these areas.

Examinations

Another critical tool for the SEC to meet its mission is our national examination program, led by our Office of Compliance Inspections and Examinations (OCIE). Commission staff conduct risk-based examinations of registered entities, including broker-dealers, investment advisers, investment companies, municipal advisors, national securities exchanges, clearing agencies, transfer agents and FINRA, among others. Our examination staff work closely with staff members in our regulatory divisions to provide input on policy and regulatory issues and initiatives and also are in regular communication with Enforcement staff to discuss trends and observations and provide referrals.

Our examination program is one of many areas where we have doubled down on our focus on doing more with our limited resources. In this regard, I note that registered investment advisers now manage more than $70 trillion in assets, which is more than triple 2001 levels. In light of this trend, in 2016, the SEC reassigned approximately 100 OCIE staff to the investment adviser examination unit. As a result of this shift and the introduction of various enhancements to OCIE processes, advancements in OCIE's use of technology and other efficiencies, the SEC is on track to deliver a 30 percent increase in the number of investment adviser examinations this fiscal year--to approximately 15 percent of all investment advisers.\10\

---------------------------------------------------------------------------
\10\ In fiscal year 2016, OCIE completed nearly 1,450 investment adviser exams, more than it had completed in any of the prior seven fiscal years and 20 percent more investment adviser exams than it completed in fiscal year 2015. In fiscal year 2017, OCIE completed more than 2,000 investment adviser exams, a significant increase over fiscal year 2016.
---------------------------------------------------------------------------

While this has been a very positive step, more needs to be done to continue to increase investment adviser examination coverage levels, while at the same time being careful to avoid decreasing examination quality. To that end, the SEC will continue to explore additional efficiencies and improvements to our risk-based examination program. One way to achieve this is through the continued leveraging of data analysis. We have developed tools that scan an array of data fields to help us analyze and identify potentially problematic activities and firms. This allows us to make better decisions concerning which firms to examine and appropriately scope those examinations, among other things. I expect that for at least the next several years we will need to do more to increase the agency's examination coverage of investment advisers in light of continuing changes in the markets.
In the coming fiscal year, OCIE also plans to increase the number of inspections to assess compliance with Commission rules, such as Regulation Systems Compliance and Integrity (Regulation SCI), to ensure that the cybersecurity infrastructure that is critical to the U.S. securities markets is effective.

Agency Operations

I have devoted a significant portion of my first 4 months as Chairman to developing a deeper understanding of the agency's internal operations and management. I have come to appreciate more directly what I had witnessed from my years in private practice--the knowledge, expertise and professionalism of the SEC staff. It has been a top priority for me to engage with, and understand the perspectives of, the SEC's workforce.

I am particularly excited to report that the SEC staff's engagement and morale are high, thanks in significant part to the leadership and efforts of division and office directors, supervisors and staff. Setting a new record for the agency this year, nearly 80 percent of the eligible workforce shared their views by completing the Office of Personnel Management's Federal Employee Viewpoint Survey in May and June of 2017. This year's survey results showed notable increases in employee engagement, overall satisfaction and leader effectiveness indices. These are critical indicators for our organization because our diverse workforce is our most valuable asset. It is only through the hard work of our employees that we are able to accomplish our mission.

Since 2012, the SEC's rating on the Partnership for Public Service ``Best Places to Work'' has improved by 20 percentage points, from 56 percent to 76 percent and last year we were ranked 6th among 27 mid-sized agencies. In fact, this success has earned us distinction as a role model for other Federal agencies. In April 2017, the House Oversight and Government Reform Committee invited the SEC's Chief Human Capital Officer to testify on the agency's survey results as the ``most improved'' mid-sized Federal agency.\11\ We aim to continue building upon these 2017 results in the years to come.

---------------------------------------------------------------------------
\11\ April 6, 2017, testimony on ``The Best and Worst Places to Work in the Federal Government'' by Chief Human Capital Officer Lacey Dingman before the U.S. House of Representatives Subcommittee on Government Operations can be found at https://oversight.house.gov/wp-content/uploads/2017/04/Dingman_SEC_Testimony.pdf.
---------------------------------------------------------------------------

Efficiencies and Resource Needs

I take very seriously the SEC's responsibility to ensure that the SEC is a good steward of the funds Congress entrusts to our use, and maximizes the value of those funds to the American investor. We are engaged in ongoing efforts to find efficiencies in internal operations, including through automation, streamlined internal processes and better use of data. We will continue to develop and leverage our capabilities for risk analysis to inform our decisionmaking, including how most efficiently to use staff resources. Given the pace of change in today's capital markets, it is more important than ever that agency operations be nimble so we can direct resources where they are needed most.

For example, with congressional approval, the SEC in June 2017 combined the agency's various EDGAR filer support functions into one EDGAR Program Office. As this Committee knows and as discussed above, the EDGAR system is central to the agency's mission and critical to the functioning of the capital markets. On a typical day, investors and other market participants view or download more than 50 million disclosure documents filed on EDGAR.
This new office also will coordinate and rationalize the agency's enhancements and investments related to EDGAR, including modifications to conform with changes to Commission rules, and will help consolidate the agency's filer support functions. Other internal improvement initiatives include combining the agency's various communications-related functions, crafting proposals for Commission consideration to convert paper filings into electronic formats and exploring ways to better apply and schedule examination staff resources toward significant risks to investors. We will continue to explore opportunities for efficiencies and cost savings in the months to come.

The agency's efforts to streamline operations are reflected in the SEC's budget requests over the next 2 years. The President's request for fiscal year 2018 is for $1.602 billion for SEC operations, which holds the SEC budget at essentially the same level it has been in fiscal years 2016 and 2017. This request reflects savings and efficiencies in progress throughout the SEC, sufficient to offset required cost increases, and continues investments in technology, as described further below.

It is important to note that the SEC collects transaction fees that offset the annual appropriation to the Commission. Whatever amount Congress appropriates to the agency will, by law, be fully offset by transaction fees, and will not impact the deficit or the funding available for other agencies. The current transaction fee rate is just over two cents ($0.02) for every $1,000.00 in covered securities sales.

Fiscal Year 2019 Authorization Request

For fiscal year 2019, the SEC's authorization request totals approximately $1.7 billion for SEC operations. I do not make a request for additional funds lightly, especially in a tight budgetary environment. But after an evaluation of the SEC's capabilities and needs, I believe this request is necessary for the SEC to continue the effective pursuit of our tripartite mission. This request would allow the agency to lift the hiring freeze implemented at the start of fiscal year 2017 and recruit professionals with key skills and market expertise such as electronic trading, cybersecurity, retail investor fraud, investment adviser oversight and market analysis. The agency anticipates a need to hire such individuals in key positions to effectively carry out our core mission.

The request seeks additional funds for development, modernization and enhancement of information technology systems, including additional investments in protecting the security of the SEC's network and systems. These funds, coupled with those from the SEC Reserve Fund, would allow the continued implementation of a number of key multi-year technology initiatives, discussed further below, which will enhance the SEC's ability to collect, analyze and act on large amounts of data.

Leveraging Technology

Advances in technology have driven significant changes in securities markets. Today, companies support human decisionmaking with automated algorithms, which ingest massive amounts of unstructured data to make trading decisions. Investors are using innovative platforms to conduct transactions and research investments. Firms solicit investors through sophisticated, multichannel communications. In recent years we have seen an extraordinary increase in the volume and velocity of data available to the securities industry, investors and the SEC. The ever-increasing volume of data demands advanced analytics tools and best-in-class infrastructure that is dynamic, scalable and secure.

Similarly, demand from the public for SEC information has never been higher. Last year, SEC.gov received 10.4 billion page views--double from just 2 years ago--and the public downloaded more than 2.6 petabytes of data. The information the SEC provides is driving the marketplace, and helping companies attract funding, grow and create jobs.
All of these shifts require the SEC to expand our own technology capabilities and increase our efficiency. The SEC's budget requests seek the resources needed to stay on top of these critical developments and promote our mission in an evolving landscape. The Commission has made progress in modernizing our technology systems, with the benefits of increasing our use of data analytics, increasing program effectiveness and streamlining operations. The $234 million that the SEC plans to spend on information technology in fiscal year 2018 is quite modest, by way of comparison, to the amounts that the major Wall Street firms spend on their own information technology systems. For example, in 2016 one large financial institution alone spent more than $9.5 billion on technology firm-wide, with $3 billion of that dedicated to new initiatives. Another large financial institution spent $6.6 billion in 2016 on technology initiatives.

The fiscal year 2018 and fiscal year 2019 budget proposals would support a number of key information technology initiatives, such as:

(1) Increasing investments in information security to address, as a top priority, the ability to monitor and avoid advanced persistent threats, and to improve risk management and monitoring;

(2) Expanding data analytics tools to integrate and analyze the large and ever-increasing volume of financial data we receive, enabling us to detect potential fraud or suspicious behavior earlier and allocate resources more effectively;

(3) Improving our examination program through advanced risk assessment and surveillance tools that help identify high-risk areas for further examination;

(4) Enhancing additional systems that support our enforcement program, including applying sophisticated algorithms that foster the detection of potential insider trading and manipulation;

(5) Streamlining public access to our EDGAR electronic filing system; and

(6) Investing further in business processes automation and enhancements, including the retirement of legacy systems, which will drive cost efficiencies and improve security across the agency.

Leasing

An important component of the SEC's funding needs over the next 2 years is to support the leasing of office space. The current leases for the SEC's headquarters buildings (Station Place I, II and III) will expire in fiscal years 2019, 2020 and 2021, respectively. In addition to the funds requested to support our operations, the SEC is requesting funds in fiscal year 2018 necessary to participate in the General Services Administration's (GSA's) competitive procurement process for a successor lease for the SEC's headquarters. In accordance with its standard process, GSA has requested that the agency set aside the funds that might become necessary to cover construction and related costs should the SEC need to move from its current building.\12\ None of these funds would be used for the operations of the SEC, and the agency has proposed appropriation language that provides a mechanism whereby any unused portion of these funds would be refunded to fee payers.

---------------------------------------------------------------------------
\12\ According to GSA's schedule, a new lease would be awarded in fiscal year 2018.
---------------------------------------------------------------------------

Similarly, in fiscal year 2019, funds will be required for the GSA procurement of a new lease for the SEC's New York Regional Office, for which the current lease is set to expire in 2021. As with the SEC's headquarters lease procurement, GSA requires that the SEC set aside funds for potential construction and related costs in the event that the competitive acquisition process might result in the SEC needing to move to a new building. None of these funds would be used for the operation of the SEC, and any unused portion would be refunded to fee payers.
Conclusion

My aim for today's testimony is to provide a window into the scope of the SEC's daily work to advance our mission of protecting investors, maintaining fair, orderly and efficient markets and facilitating capital formation.

In closing, I want each of you--and all of your constituents, including, in particular, Main Street investors--to know that the SEC is open for business. We want to serve you and hear from you. Whether it be through providing educational resources and investor alerts on investor.gov, supporting small businesses and other issuers seeking to raise capital or vigorously enforcing the securities laws, SEC staff and division and office leadership stand ready and willing to engage with any and all who we can assist, and who can inform us, on issues consistent with our tripartite mission.

I thank this Committee and its Members, especially the Chairman and Ranking Member, for their continued support of the SEC and its staff, and I look forward to answering any questions you may have.

RESPONSE TO WRITTEN QUESTIONS OF SENATOR SCOTT FROM JAY CLAYTON

Q.1. I think it's important for us to recognize the fact that the Department of Labor's (DOL) fiduciary rule has had a negative impact on many Americans. The average South Carolinian has less than 1 year's salary in their retirement accounts. Restricting access to professionals in the financial industry has a negative impact on the resources available to the average American for retirement. The last thing we need to do at this point is to find ways to get financial advisory experts out of the household, which is the unintended consequence of the fiduciary rule in my perspective. A July 2017 Harper Polling survey of 600 financial advisers found that 75 percent of the professionals whose clients have starting assets under $25,000 will take on fewer small accounts due to increased compliance costs and legal risks under the DOL's rule.
These folks desperately need financial experts to make good, sound financial decisions. I was pleased to see the DOL's 18-month delay in the rule's full implementation. What more can you tell me about your coordination with the DOL on the fiduciary rule?

A.1. Secretary Acosta and his staff at the DOL have already been engaged in a productive dialogue with me and my staff on this issue. I anticipate that our interactions will continue or increase and become more substantive as the SEC moves forward with its rulemaking process. Our goal here is to get the rules right for Mr. & Ms. 401(k), the types of people cited in your question, and I believe a focus on four key attributes--clarity, consistency, coordination and choice--will best position us to do so. It will be difficult to achieve these objectives in our rulemaking without meaningful cooperation with the DOL.

Q.2. If the second part of the DOL's fiduciary rule takes effect on July 1, 2019, as proposed, will the Commission have enough time to have its own rule in effect by then? If not, what steps will you take to accelerate your own process or work with DOL on a joint schedule, so the two rules do not take effect at different times?

A.2. We are working on a rule proposal, and we plan to engage expeditiously and constructively with our colleagues at the DOL. In response to my June 1 statement and request for comment regarding standards of conduct for investment advisers and broker-dealers (the June Statement), we have received over 150 comments from investors and the industry. This is a complex issue and commenters discussed a range of topics including disclosure, the standard of conduct for broker-dealers, and the impact of the DOL rule. Assessing these comments will assist us in evaluating the range of potential actions.
While I have made it clear to staff that this is one of my top priorities, and staff are moving forward accordingly, the complexity of the issue and the potential for significant impacts on investors and market participants means that we need to engage in a thorough process, with full consideration of the potential economic effects of our actions.

Q.3. State insurance regulators are the experts on fixed income annuities. How will you be involving State regulators in your work on the fiduciary rule?

A.3. I appreciate the role of State insurance regulators and their expertise with respect to fixed income annuities. The National Association of Insurance Commissioners (NAIC) submitted a letter in response to my June Statement. That letter, among other things, discussed NAIC model regulations and noted that the NAIC is considering potential changes to its model suitability rules to potentially include a best interest standard of care. The staff and I will keep that letter and the NAIC's views in mind as we consider issues surrounding standards of conduct for investment advisers and broker-dealers, and will be in contact with NAIC personnel as well as State insurance regulators as we move forward.

Q.4. Many States have moved forward with their own fiduciary standards, creating a patchwork of rules and regulations for investors and financial advisors. What can the SEC do to find a solution to this growing concern?

A.4. Our markets are diverse and expansive and many financial advisors and other participants operate across State lines. I believe that consistency in the standards of conduct for investment professionals nationwide is important for the proper functioning of our markets, and that the best way to achieve that is for the Commission to move forward expeditiously with its rulemaking process in cooperation with the Department of Labor.

Q.5.
The fact that we're looking at Chinese investors trying to buy the Chicago Stock Exchange and you pumping the brakes on that decision--I think it's good. We all would like to encourage more FDI, but we need to do it in the most responsible way possible. Thank you for your position and perspective on that issue. Can you describe the actions that led to a Commission review of this transaction?

A.5. On August 9, 2017, the Commission's Division of Trading and Markets (the Division) approved the proposed rule change filed by the Chicago Stock Exchange regarding the acquisition. The Division issued this approval order pursuant to delegated authority, and the Division's approval order was subsequently stayed pursuant to Exchange Act Section 4A and Rule 431 of the Commission's Rules of Practice, which provide for Commission review of actions made pursuant to delegated authority. At this time, the Commission continues to review the delegated action, and the Division's approval order remains stayed. Since August 9, the Commission has received 43 comments on the proposed rule change. Because this remains an open matter that is actively under consideration by the Commission, I am not in a position to comment further on what future action the Commission might take.

Q.6. What criteria do Commissioners or Commission staff evaluate when reviewing transactions like this one?

A.6. In evaluating a proposed rule change filed by a national securities exchange, the Commission carefully evaluates whether the proposed rule change is consistent with the requirements of the Exchange Act and the applicable rules thereunder.
The Exchange Act contains a number of relevant provisions, including the requirement under Exchange Act Section 6(b)(5) that the rules of a national securities exchange be designed to promote just and equitable principles of trade, to remove impediments to and perfect the mechanism of a free and open market and a national market system, and, in general, to protect investors and the public interest.

Q.7. Management at public companies should be held accountable by their shareholders. A balance between both sides ensures productivity and corporate transparency. That said, I wonder if the scales have not been tipped a little bit too far. As of now, we allow for the resubmission of shareholder proposals even if nearly 90 percent of shareholders have voted no in the past. That creates costs and distracts from long-term thinking, all the while doing little to protect investors. How are other shareholders impacted by such a low bar for proposal resubmissions?

A.7. Shareholder proposals play an important role in corporate governance, but they are not without cost. The evaluation of and submission to shareholders of these proposals, including the discussion and recommendation in the proxy statement, requires board and management time, which imposes a cost to shareholders in addition to the out-of-pocket costs related to the proxy process. You are correct: when shareholder proposals with little chance of garnering meaningful shareholder support are resubmitted, these costs are borne by all shareholders, not just the shareholders who submit them or voted in favor of them.

Q.8. Will the SEC revisit its past recommendation to raise such thresholds?

A.8. I am mindful of concerns that have been raised about the shareholder proposal rule, including resubmission thresholds, and this area will be closely monitored during the upcoming proxy season.
We have issued a Staff Legal Bulletin providing staff guidance on shareholder proposals, and I expect that we will be doing so again shortly. In thinking about any potential revisions in this area, the Commission would need to carefully balance shareholders' ability to submit proposals with the time and costs borne by companies and other shareholders to respond to those proposals.

Q.9. Do you believe the shareholder proposal system today is working as it was originally intended to, or can it be reformed for the benefit of all investors?

A.9. Shareholder proposals serve as an important accountability function and can lead to positive change. Nevertheless, I expect there may be ways to minimize unnecessary costs borne by shareholders in the ``quiet'' majority without compromising the important role of shareholder proposals. The resubmission thresholds may be one area in which these costs could be reduced without unnecessarily limiting shareholders' ability to submit proposals.

Q.10. What is your view on making public company disclosures more comprehensible and useful for layman investors?

A.10. Investors must have access to information about potential investments that is easily accessible and meaningful. In that regard, I believe there are ways we can update our disclosure requirements to make disclosures more useful for investors and to reduce burdens on companies. We took a step in that direction on October 11, 2017, when the Commission proposed amendments to Regulation S-K that are intended to modernize and simplify certain disclosure requirements in Regulation S-K and related rules and forms in a manner that reduces the costs and burdens on registrants while continuing to provide all material information to investors. The amendments are also intended to improve the readability and navigability of the Commission's disclosure documents and discourage repetition and disclosure of immaterial information.
We also focused on the presentation and delivery of disclosure in the Regulation S-K concept release the Commission issued in April 2016. The concept release recognized that the presentation and delivery of information may play a significant role in investors' ability to access and use important disclosure. It also sought input on how our rules can facilitate the readability and navigability of disclosure documents.

Q.11. Do you believe that proxy advisory firms are doing an adequate job of disclosing to their clients material conflicts of interest in light of the 2014 SEC guidance on the subject?

A.11. The staff issued a Staff Legal Bulletin in 2014 to provide guidance to investment advisers about their responsibilities in voting client proxies and retaining proxy advisory firms. The bulletin also provided guidance on the availability and requirements of two exemptions to the proxy rules often relied upon by proxy advisory firms. The staff continues to monitor developments in this area.

Q.12. Companies often identify conflicts of interest or significant errors that proxy advisory firms have made in their recommendations--do you believe that the SEC would benefit if issuers or other market participants brought these concerns to the attention of the Commission?

A.12. The Commission is interested in the effective and efficient operation of the U.S. proxy system and welcomes outreach from issuers or other market participants. To this end, the staff actively seeks input in this area and regularly meets with, among others, industry groups, including several representing corporate issuers, and will continue to monitor developments and consider further action if needed.
------

RESPONSE TO WRITTEN QUESTIONS OF SENATOR MENENDEZ FROM JAY CLAYTON

Q.1. In your testimony before the Committee last week, you emphasized your commitment to enforcement actions and a strong enforcement division.
As I mentioned during your confirmation hearing, I was alarmed to learn of Commissioner Piwowar's steps earlier this year to rein in the enforcement division by revoking subpoena authority from 20 enforcement officials and limiting it to the division director. As you know, this was a significant reversal from post-crisis policy which empowered senior enforcement attorneys to quickly escalate informal inquiries to formal investigations. Can you please describe in detail the enforcement division's current procedures regarding subpoena authority?

A.1. The Federal securities laws authorize the Commission, or any officer designated by the Commission, to issue subpoenas requiring a witness to provide documents and testimony under oath. The Commission itself has the power to designate members of the staff to act as officers of the Commission in an investigation by issuing a Formal Order of Investigation (formal order). The formal order serves two important functions. First, it directs that a nonpublic investigation be conducted, and second, it designates specific staff members to act as officers for purposes of the investigation and empowers them to administer oaths and affirmations, subpoena witnesses, compel their attendance, take evidence and require the production of documents and other materials.

Although Commission staff in the Enforcement Division may in some circumstances obtain information without the need for a subpoena, performing a complete investigation will often require a formal order. For example, banks will not produce the account records typically needed in a Ponzi scheme investigation without a subpoena. In an insider trading investigation, subpoenas will be needed to obtain any relevant phone call records from telephone companies. Witnesses may refuse to testify unless they are subpoenaed.
Enforcement Division staff may seek to have a formal order issued through one of two methods: pursuant to authority delegated by the Commission to the Division Co-Directors, or by recommending that the Commission issue the formal order. Commission staff seeking a formal order through the delegated authority process prepares a memorandum to the Co-Directors that provides information concerning the matter and addresses the need for a formal order. To obtain a formal order directly from the Commission, Enforcement staff prepares a memorandum to the Commission to recommend that the Commission issue a formal order. The memorandum includes the same types of information that are provided to the Co-Directors through the delegated authority method.

I have discussed the delegation of formal order authority with the Co-Directors of the Enforcement Division, and I am comfortable that there are benefits to having that authority resting with the two of them, including that it enables them to more efficiently and effectively manage the nationwide Enforcement program. I do not believe that limiting the authority to the Enforcement Division Co-Directors has negatively affected the Commission's ability to protect investors and deter misconduct. Rather, my initial sense is that the current scope of delegation enhances investor protection as it provides for a more effective allocation of limited resources by the leadership of the Enforcement Division. I will continue to consult with the Enforcement Division Co-Directors to ensure that the procedures surrounding delegated subpoena power do not adversely impact the Enforcement Division's ability to fulfill its mission, including protecting investors.

Q.2. On September 21, 2017, the SEC issued interpretive guidance to companies regarding compliance with the pay ratio disclosure requirement mandated by Section 953(b) of Dodd-Frank.
In the guidance, the SEC provides companies considerable flexibility in determining the median employee and calculating employee compensation. Please explain the specific rationale the SEC relied on to justify these flexibilities.

A.2. The pay ratio rule, as adopted, affords significant flexibility to registrants in determining the appropriate methodologies to identify the median employee and in calculating the median employee's annual total compensation. The guidance is intended to clarify the ways that registrants may use the flexibility that is already part of the rule. Specifically, the interpretative guidance clarifies the disclosure rules mandated by Congress in a way that is true to the mandate and, to the extent practicable, allows companies to use operational data and otherwise readily available information to produce the disclosures. Additionally, the staff issued guidance which includes examples illustrating how reasonable estimates and statistical methodologies may be used.

Q.3. In light of the sweeping good faith efforts flexibility provided to companies by the guidance, what assurances can you provide that the SEC will take enforcement actions against companies that fail to provide disclosures in compliance with the requirements of the pay ratio disclosure rule?

A.3. As with all new rules adopted by the Commission, we will closely monitor implementation of the pay ratio rule. Specifically, I expect that a review of the pay ratio disclosures will be part of the selective filing review process conducted by the Division of Corporation Finance.

Q.4. At a forum in September, you stated that you do not think it is necessary for Congress to codify insider trading law. Please explain the rationale for this conclusion.

A.4. The Commission's record of holding persons accountable for insider trading remains as strong as ever.
We have charged more than 450 individuals with insider trading in the past 5 years, including more than 140 individuals in the past 18 months alone. In my view, the Commission is well positioned to punish insider trading and does not need further legislation defining insider trading.

Proponents of a law defining insider trading cite clarity as an objective and a benefit. While such an approach likely would provide greater clarity in some circumstances, I am concerned that legislation would generate ancillary litigation over its meaning and application in other circumstances and that aspects of the body of law that has been built up over time would be reinterpreted. In addition, I am concerned that clarity may provide nefarious actors with the substantive equivalent of a legislative safe harbor for what turns out to be clearly abusive conduct. My views in this regard are informed by many factors including my discussions with the staff and my experience with statutory regimes outside the United States.

Please do not take this answer as an indication that I do not believe we should be focused on or look to do more in this space. I have been very impressed with the knowledge and dedication of our staff in this area, including the market abuse unit in the Division of Enforcement. My interactions with them have led me to believe that additional efforts and resources, including possible legislative efforts, should be applied to detection and deterrence in this area. Further, I believe those efforts and resources should reflect the fact that insider trading and other market abuses have become increasingly international and cyber-based.

Q.5. As you know, the New York Stock Exchange, among other international exchanges, requires listed companies to have an internal audit function within the first year of joining the NYSE. Public companies, however, do not typically disclose to investors whether they have an independent internal audit function.
What is the SEC's current position on whether public companies should be required to disclose to shareholders whether they have an independent internal audit function?

A.5. In 2013, the Commission expressed its belief that an internal audit function can assist companies in meeting their Exchange Act obligations to devise and maintain a system of internal accounting controls. In 2015, the Commission issued a concept release that sought public comment on audit committee reporting requirements. In that release, the Commission expressed an interest in understanding whether changes should be made to required disclosures about audit committees regarding oversight of the audit and the auditor relationship. The Commission specifically asked whether audit committees should provide disclosure about their oversight of the internal audit function. The Commission also asked whether to require disclosures about meetings the audit committee has had with the internal auditor. The staff is considering the extensive feedback we received in response to the request for comment.

Q.6. I remain concerned that the current lack of transparency around short selling enables manipulative trading behaviors that harm growing companies and discourages long-term investment. I raised this concern to former SEC Chair Mary Jo White in a letter in January 2017. In my view, the current lack of transparency of short positions has a trifold impact on the securities market--it deprives investors of information critical to making meaningful investment decisions; it denies issuers of insights into trading activity and inhibits their ability to interface with investors; and it withholds crucial information from the market, ultimately impeding efficiencies and diluting transparency. There are currently two petitions for rulemaking pending before the SEC requesting that it promulgate rules to require disclosure of short positions in parity with the existing required disclosure of long positions (File No. 4-689 and File No. 4-691). Does the SEC plan to act on these pending rulemaking petitions, or consider any alternative options, in order to ensure fair disclosure of short positions? In your opinion, should the SEC implement a disclosure regime for short positions that would make this behavior more transparent and ultimately mitigate the effects of manipulative trading strategies?

A.6. The Commission has considered the question of disclosure of short positions for a number of years.\1\
---------------------------------------------------------------------------
\1\ For instance, in 2014 the Commission's Division of Economic and Risk Analysis conducted a comprehensive study analyzing the feasibility, costs, and benefits of real-time short position reporting. See ``Short Sale Position and Transaction Reporting,'' June 5, 2014, DERA study as required by Section 417 of the Dodd-Frank Wall Street Reform and Consumer Protection Act.
---------------------------------------------------------------------------
Currently, each self-regulatory organization (SRO) publishes on its website aggregate daily short selling volume in each individual equity security listed on its exchange. The SROs also publish on their websites information regarding individual short sale transactions in all exchange-listed equity securities on a 1-month delayed basis. Additionally, the SROs publish statistics on short interest in securities that trade on their markets twice a month. Moreover, the Commission publishes on its website fails-to-deliver information for all equity securities twice a month (available at: https://www.sec.gov/answers/shortsalevolume.htm).

I also note that our Division of Enforcement is focused on identifying and pursuing cases that involve inappropriate short selling.
Recently, the Commission has brought enforcement cases against market participants when they prompted the issuance of American Depositary Receipts (ADRs) without possessing the underlying foreign shares, thus creating opportunities for potential market abuse, including short selling.\2\ And, the Commission has charged financial institutions with violating the SEC's Regulation SHO by improperly providing locates--a representation that the firm has borrowed, arranged to borrow or reasonably believes it could borrow securities to settle a short sale--to customers where the firm had not performed an adequate review of the securities to be located or had systems improperly programmed to rely on stale locate information.\3\
---------------------------------------------------------------------------
\2\ Press Release 2017-144, Banca IMI to Pay $35 Million for Improper Handling of ADRs in Continuing SEC Crackdown (Aug. 18, 2017), available at https://www.sec.gov/news/press-release/2017-144; Press Release 2017-6, ITG Paying $24 Million for Improper Handling of ADRs (Jan. 12, 2017), available at https://www.sec.gov/news/pressrelease/2017-6.html.
\3\ See, e.g., Press Release 2016-9, SEC Charges Goldman Sachs with Improper Securities Lending Practices (Jan. 14, 2016), available at https://www.sec.gov/news/pressrelease/2016-9.html; Press Release 2015-105, Merrill Lynch Admits Using Inaccurate Data for Short Sale Orders, Agrees to $11 Million Settlement (June 1, 2015), available at https://www.sec.gov/news/pressrelease/2015-105.html.
---------------------------------------------------------------------------
The Commission continues to consider whether the current approach to transparency and reporting is appropriate and whether additional reporting of short sale transactions may be warranted. I have engaged with the staff, including the staff of the Division of Enforcement, on this and they are monitoring the issues.
That said, I recognize that markets evolve and staff should be regularly asking whether our reporting regime for short selling appropriately reflects the potential for illicit practices. In that context, the Commission also takes into account feedback from all market participants, including the petitions from Nasdaq, Inc., and NYSE Group Inc., as well as comments from the public concerning these petitions.

Q.7. Recently, certain hedge funds have challenged the legitimacy of a drug patent while simultaneously shorting a biopharmaceutical company's stock. In so doing, they increase the value of their short position by publicizing numerous patent challenges and provoking fear in the marketplace, ultimately driving down the stock prices of these smaller companies. Does the SEC plan to investigate potential abuses of securities laws whereby market participants target patents held by biopharmaceutical companies and short their stock?

A.7. The use of the patent challenge process (the ``inter partes review'' or ``IPR'') as an investment strategy is a recent development and its impact on the capital markets remains to be seen. We understand that the process, which allows the filer to challenge the legitimacy of a patent, includes a series of procedural requirements that may serve as deterrents for abusive challenges. For example, the claimant typically must publicly specify the grounds for unpatentability and explain the relevance of evidence relied upon. Further, a petitioning party can be sanctioned by the U.S. Patent and Trademark Office for abuse of any improper use of the IPR process. In addition, we understand that there are several fees associated with an IPR, including a $9,000 fee simply for requesting a review.
Because the use of the IPR is such a recent phenomenon, Commission staff continues to study the space and assess whether additional action, such as heightened disclosure requirements, may be useful or appropriate to expose potentially fraudulent or manipulative trading behavior.

But, the Commission has the authority to address potential misconduct related to market manipulation, which includes fraudulent conduct designed to deceive investors by artificially affecting the market for a security. Manipulation can involve a range of misconduct, including: spreading false or misleading information about a company or rigging quotes, prices or trades to create a false or deceptive picture of the demand for a security. The Federal securities laws also contain requirements that apply to the short sale of securities.\4\ Where the Commission's Enforcement Division becomes aware of facts that suggest a possible violation of the Federal securities laws, it may investigate the conduct and, in appropriate cases where there is sufficient evidence of a violation, the Commission may bring enforcement actions against the wrongdoers. The Commission takes the possibility of manipulation, including potentially manipulative short selling, in our markets seriously. While short selling can provide the market with important benefits such as market liquidity and pricing efficiency, the Commission has brought cases against persons that violate the Commission's short sales rules or otherwise engage in abusive short selling.
---------------------------------------------------------------------------
\4\ For example, under Exchange Act Rule 10b-21 it is a violation for a party to submit an order for a short sale of a security if the party deceives a broker dealer, a registered clearing agency or a purchaser about the party's intention or ability to deliver the security by the settlement date and the party fails to deliver the security on or before the settlement date.
---------------------------------------------------------------------------
------

RESPONSE TO WRITTEN QUESTIONS OF SENATOR SASSE FROM JAY CLAYTON

Q.1. Understanding that this investigation is ongoing, I'd like to discuss the details of the breach of the SEC's EDGAR system.
- On what specific date did the EDGAR breach occur?
- When did the SEC first identify the breach and how long were the hackers in the SEC's system?
- When did the SEC first ascertain that this breach could have allowed the hackers to trade on nonpublic information?
- Why did it take so long for the SEC to determine that this breach could have allowed for the trading on nonpublic information?
- Who was informed of this breach inside the SEC and outside of the organization in 2016? For example, were the Commissioners or then-SEC Chair White informed? What about the SEC's then-Chief Operating Officer? Why or why not?
- Does the SEC have any indication that the identity of the hackers could be nation-state hackers?
- It has been reported that the DHS in January found key vulnerabilities in the SEC's cybersecurity protections. Has the SEC fully addressed these vulnerabilities or does the SEC intend to do so? If the SEC already addressed these vulnerabilities, when did it do so? If not, when will the SEC address these vulnerabilities?
- Has the DHS found any further vulnerabilities after that January report?
- In July, the GAO released a report that highlighted areas where the SEC could improve its treatment of cybersecurity issues. Does the SEC intend to fully comply with the GAO report's recommendations? If so, on what timeline?
- What, if any, other law enforcement agencies is the SEC working with on this breach?
- I'd like to discuss the history of cybersecurity breaches at the SEC.
- How many material cybersecurity breaches have there been at the SEC?
- Is this the first breach at the SEC that could have facilitated the trading of inside information?
- The SEC's statement announcing the EDGAR breach said that ``the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in system risk.'' Has there been a breach at the SEC that compromised personally identifiable information?
- Has there been a breach at the SEC that jeopardized the SEC's operations?
- Are you concerned that a breach at the SEC could jeopardize the SEC's operations? If so, please describe the consequences of such a breach.
- Has there been a breach at the SEC that resulted in systemic risk?
- Are you concerned that hackers could pose a national security or systemic risk by accessing the live markets and shutting down trading, deleting trade information, or otherwise sparking a major crisis? If so, please describe the consequences of such a breach.
- Please provide an overview of the steps that the SEC has taken to avoid a breach that would endanger national security, cause systemic risk, or jeopardize the SEC's operations.

A.1. In my September 20th press release and statement on cybersecurity, which was part of an ongoing assessment of the Commission's cybersecurity risk profile and preparedness that I initiated upon joining the Commission in May, and in my recent testimony before this Committee and before the House Committee on Financial Services, I noted that I was notified in August 2017 of a possible 2016 intrusion into our EDGAR system. In response to this information, which I learned in connection with an ongoing investigation by our Division of Enforcement, I immediately commenced an internal review of the 2016 intrusion. Through this review and the ongoing enforcement investigation, I was informed that the 2016 intrusion into the test filing component of our EDGAR system provided access to nonpublic EDGAR filing information and may have provided a basis for illicit gain through trading.
After the initial disclosure of the intrusion on September 20th and my testimony before the Committee, I was informed that the ongoing staff investigation determined that an EDGAR test filing accessed by third parties as a result of the 2016 intrusion contained the names, dates of birth and social security numbers of two individuals. This determination was based on forensic data analysis conducted since my September 20th disclosure of the intrusion, which relied on the latest information available at that time.\1\
---------------------------------------------------------------------------
\1\ See Press Release 2017-170, SEC Chairman Clayton Issues Statement on Cybersecurity: Discloses the Commission's Cyber Risk Profile, Discusses Intrusions at the Commission, and Reviews the Commission's Approach to Oversight and Enforcement (Sept. 20, 2017), available at https://www.sec.gov/news/press-release/2017-170; see also Statement on Cybersecurity (Sept. 20, 2017), available at https://www.sec.gov/news/public-statement/statement-clayton-2017-09-20; see also Press Release 2017-186, SEC Chairman Clayton Provides Update on Review of 2016 Cyber Intrusion Involving the EDGAR System (Oct. 2, 2017), available at https://www.sec.gov/news/press-release/2017-186.
---------------------------------------------------------------------------
Based on what we know to date, we believe the 2016 intrusion involved the exploitation of a defect in custom software in the EDGAR system. When it was originally discovered, the SEC's Office of Information Technology (OIT) staff took steps to remediate the defect in custom software code and reported the incident to the Department of Homeland Security's (DHS's) U.S. Computer Emergency Readiness Team (US-CERT). Based on the investigation to date, OIT staff believes that the prior remediation effort was successful.
In my October 4, 2017 testimony before the House Committee on Financial Services, I noted that we have multiple ongoing work streams concerning the 2016 incident and our steps to improve the cybersecurity risk profile of our EDGAR system and of the agency's systems more broadly.\2\ These work streams include:
---------------------------------------------------------------------------
\2\ See Testimony on Examining the SEC's Agenda, Operation, and Budget, House Comm. on Fin. Serv. (Oct. 4, 2017), available at https://www.sec.gov/news/testimony/testimony-examining-secs-agenda-operation-and-budget.
---------------------------------------------------------------------------
1. The review of the 2016 EDGAR intrusion by the Office of Inspector General. Staff have been instructed to provide their full cooperation with this effort;
2. The investigation by the Division of Enforcement into the potential illicit trading resulting from the 2016 EDGAR intrusion;
3. A focused review of and, as necessary or appropriate, uplift of the EDGAR system. The EDGAR system has been undergoing modernization efforts. The agency has added, and expects to continue to add, additional resources to these efforts, which are expected to include outside consultants, and will increase the focus on cybersecurity matters;
4. The more general assessment and uplift of the agency's cybersecurity risk profile and efforts that were initiated shortly after my arrival at the Commission this past May, including, without limitation, the identification and review of all systems, current and planned (e.g., the Consolidated Audit Trail or CAT), that hold market sensitive data or personally identifiable information; and
5. The agency's internal review of the 2016 EDGAR intrusion to determine, among other things, the procedures followed in response to the intrusion.
This review is being overseen by the Office of the General Counsel and has an interdisciplinary investigative team that includes personnel from regional offices and will involve outside technology consultants. There are limits on what I know and can discuss about the 2016 incident due to the status (ongoing and incomplete) and nature (enforcement) of our reviews and investigations. Each of these efforts is moving forward and, as is the nature of matters of this type, will require substantial time and effort to complete. Nevertheless, I directed the issuance of my September 20th press release and statement on cybersecurity because I believed that, once I knew enough to understand that the 2016 intrusion provided access to nonpublic EDGAR test filings and that this may have resulted in the misuse of nonpublic information for illicit gain, it was important to disclose the incident and our cybersecurity risk profile more generally to the American public and Congress. I will make sure to keep the Committee informed of the ultimate findings and conclusions of our internal review into the 2016 intrusion. Cybersecurity must be more than a firm-by-firm or agency-by-agency effort. Active and open communication between and among regulators and the private sector also is critical to ensuring the Nation's financial system is robust and effectively protected. Information sharing and coordination are essential for regulators to anticipate potential cyber threats and respond to a major cyberattack, should one arise. The SEC is therefore working closely with fellow financial regulators to improve our ability to receive critical information and alerts, react to cyber threats and harmonize regulatory approaches. We view our interaction with other Government agencies and committees, including DHS, Government Accountability Office (GAO) and the Financial and Banking Information Infrastructure Committee, as an important part of our cybersecurity efforts.
For example, we work closely with GAO to address vulnerabilities in our IT and critical system infrastructure. Our most recent GAO audit report was issued on July 27, 2017. To date, SEC staff have worked to implement all eleven IT security recommendations that were open as of the start of fiscal year 2017 and have either completed or are working to address all of the recommendations issued as part of the GAO's most recent report. We have prioritized these recommendations and will continue to track them until GAO is satisfied with our implementation of the recommendations. Likewise, with regard to DHS, our Security Operations Center is required to report incidents to DHS as they occur pursuant to Federal directives and did so report the 2016 EDGAR intrusion. I am deeply concerned by the risks posed by cyber threat actors across the financial sector. Of paramount concern to the Commission with respect to its internal systems is the protection of nonpublic information, including personally identifiable information and information that is market sensitive; these issues are important to other regulatory agencies and market participants as well. Denial of service is another significant risk faced by regulatory agencies and market participants. As explained in my testimony before the House Committee on Financial Services, it is for these reasons that I have instituted a wide-scale review of both EDGAR and the overall cybersecurity risk profile of agency systems, and that we have continued to make cybersecurity considerations a priority in our outward-facing regulatory efforts. 
In my recent testimony before the Committee, I stated that, despite the attention given to widely publicized cyber-related incidents experienced by the Commission and others, I still am not confident that the Main Street investor has received a sufficient package of information from issuers, intermediaries and other market participants to understand the substantial risks resulting from cybersecurity and related issues. As a general matter, it is critical that investors be informed about the threats that issuers and other market participants face. The SEC will continue to examine whether public companies are taking appropriate action to inform investors, including after a breach has occurred, and we will investigate issuers that mislead investors about material cybersecurity risks or data breaches. As I have noted previously on various occasions, I would like to see more and better disclosure in this area.\3\
---------------------------------------------------------------------------
\3\ See Remarks at the Economic Club of New York (July 12, 2017), available at https://www.sec.gov/news/speech/remarks-economic-club-new-york.
---------------------------------------------------------------------------
Overall, by promoting effective cybersecurity practices in connection with both the Commission's internal operations and its external regulatory oversight efforts, it is our objective to contribute substantively to a financial market system that recognizes and addresses cybersecurity risks and, in circumstances in which these risks materialize, exhibits strong mitigation and resiliency.

Q.2. I'd like to discuss how the SEC's structure impacts your ability to manage the agency. How many direct reports does the SEC Chairman have?

A.2. The SEC has 22 division and office heads who report to me as Chairman. In addition, the Commission is hiring a Director for a new Office of the Advocate for Small Business Capital Formation, which is being established pursuant to statute.
Q.3. During your hearing last week, you said that the Office of Information Technology headed by Pam Dyson ``is the office within the SEC that has overall responsibility'' for cybersecurity. You also said that Pam Dyson ``is a direct report to me and also to our Office of the Operating Officer.'' Can you please elaborate on the cybersecurity duties of the Office of Information Technology and how that dual reporting structure works?

A.3. Pamela Dyson serves as the Chief Information Officer and the Director of the Office of Information Technology. As the Chief Information Officer, Ms. Dyson's role is compliant with the mandate within the Clinger-Cohen Act of 1996 that requires the Chief Information Officer to report directly to the head of the Agency. In this capacity, Ms. Dyson serves as senior technology advisor to the Office of the Chairman. Ms. Dyson also receives day-to-day direction from the Chief Operating Officer. As the Director of the Office of Information Technology, Ms. Dyson oversees and supports the Commission and staff in all aspects of the Commission's information technology program. This includes application development, data management operations, infrastructure operations and engineering, user support, IT program management, capital planning, and enterprise architecture. The Office of Information Technology also includes the agency's information security staff, which is headed by the Chief Information Security Officer.

Q.4. In March 2011, a Boston Consulting Group study \4\ authorized by the SEC argued that the ``large number of direct reports generally creates a management challenge for the Chairman.'' Do you agree?
---------------------------------------------------------------------------
\4\ https://www.sec.gov/news/studies/2011/967study.pdf.
---------------------------------------------------------------------------
A.4. I recognize that the management reporting structure of the Commission has more direct reports to the Chairman than would be expected in a commercial organization of similar size.
Based on my time as Chairman thus far, I have not viewed the reporting structure as a material impediment to effective management of the agency. I am mindful of the substantial scale, diversity and importance of market and operational activity that the Commission is charged with overseeing on a continuous basis and, in response, establishing an effective day-to-day management and reporting environment. To provide more specific context, I meet on a weekly basis with all the division and office heads as a group, as well as one-on-one meetings on a regular basis. These one-on-one meetings generally occur more frequently with Division heads and in cases where an Office or Division is addressing a time sensitive or significant issue, and I have encouraged Office and Division heads to contact me promptly if any such issues arise. It is important to note that the staff in my immediate office, including the Chief of Staff, Deputy Chief of Staff, Chief Counsel and Managing Executive, play an important role in assisting me with overseeing the activities of the various Divisions and Offices. I also meet with my fellow Commissioners on a regular basis and, in those meetings, seek their input on organizational structure as well as staff reporting and performance. That said, I believe it is important that we continually reevaluate the SEC's operations and organizational structure to look for opportunities to improve efficiency, identify cost savings or streamline or consolidate operations where warranted, including in response to changes in the markets and activities we oversee. We also should be evaluating how to more effectively share information across our Divisions and Offices, including risk information. I am committed to these areas of self-assessment. 
One example where this self-assessment has resulted in a specific initiative is the formation of the EDGAR Program Office in June 2017 to better coordinate the agency's efforts to enhance this important system and support filers. A more recent example is the announcement of a new position, the Chief Risk Officer, whose responsibilities will include identifying, monitoring and mitigating risks across our Divisions and Offices. We will continue to explore and pursue such opportunities as they emerge.

Q.5. Has the SEC Chairman's large number of direct reports hindered your ability to focus on cybersecurity while still focusing enough on the other responsibilities within your purview?

A.5. I do not believe the number of Divisions and Offices reporting to me has hindered my ability to focus on this critical issue. As I mentioned in my testimony, in May 2017, I initiated a general assessment of our internal cybersecurity risk profile and the SEC's approach to cybersecurity from a regulatory and oversight perspective. Components of this initiative build on prior agency efforts in this area and include establishing a senior-level cybersecurity working group to coordinate information sharing, risk monitoring and incident response efforts throughout the agency. We also have a number of efforts underway to review and, as necessary, uplift our EDGAR system as well as systems that hold market sensitive data or personally identifiable information. I believe these efforts, which in certain cases are expected to involve outside consultants, are important steps in improving our cybersecurity risk profile.

Q.6. What would be the ideal number of direct reports for your position considering the management challenges that stem from having a large number of direct reports? Please set aside whether altering the number of direct reports would require legislative authorization.
What are ways that your office can streamline the SEC's reporting structure to eliminate duplicative reporting and unnecessary strain on your resources? For example, does the BCG study contain any praiseworthy recommendations that the SEC has not yet acted upon? Do any of these changes require legislative authorization? A.6. The SEC's statutory mandate is very broad in scope and diversity of activity. It includes oversight of approximately $72 trillion in securities trading annually on U.S. equity markets; the disclosures of over 8,100 public companies, of which 4,300 are exchange listed; and the activities of over 26,000 registered entities, including investment advisers, broker-dealers, transfer agents, securities exchanges, clearing agencies, mutual funds, exchange traded funds, the Financial Industry Regulatory Authority (FINRA) and the Municipal Securities Rulemaking Board (MSRB), among others. We also engage and interact with the investing public on a daily basis through a number of activities ranging from our investor education programs to alerts on our SEC.gov portal. The SEC's organizational structure, and the number of divisions and offices reporting to the Chairman, has been developed over time to reflect the many different aspects of this broad mission. At this point, I do not have any specific plans to materially adjust the number of divisions and offices or their specific responsibilities. As discussed above, together with the staff in my immediate office and with the advice of my fellow Commissioners, I have implemented a senior management reporting structure that reflects the anticipated day-to-day realities of the Commission's operations. However, I do believe it is imperative that the agency continue to seek out any opportunities to improve the agency's efficiency and effectiveness, including through organizational reforms and in response to changes in the marketplace, and I am committed to do so. 
With respect to the 2011 BCG Study, I agree that it contained a number of very helpful recommendations for improving the agency's operations. The SEC in August 2017 provided a report to Congress, highlighting the various actions that the agency has taken in response. To date, the agency has taken action to address all but one of the recommendations, which is still in progress. The SEC's August 2017 status report also notes one recommendation that was completed but is subject to congressional action. This recommendation was for the SEC to seek flexibility from Congress on the structure of the four offices mandated by the Dodd-Frank Act (the Office of Municipal Securities, Office of Credit Ratings, Office of the Investor Advocate and Office of Minority and Women Inclusion) to report to the Chairman. The BCG Report concluded that the SEC should seek a revision to the Dodd-Frank Act to give the agency flexibility to determine the reporting lines for these offices. In 2011, the SEC put forth this legislative recommendation to the Congress, and then-Chairman Mary Schapiro also called attention to this recommendation in September 2011 testimony before the House Committee on Financial Services.

Q.7. I'd like to discuss the cybersecurity risks associated with the Consolidated Audit Trail (CAT) which has been called the ``Fort Knox of Wall Street.''\5\
---------------------------------------------------------------------------
\5\ See https://www.cnbc.com/2017/09/21/heres-what-really-terrifies-wall-street-about-the-sec-hack.html?view=story&%24DEVICE%24=native-android-mobile.
---------------------------------------------------------------------------
What value do you see in fully implementing the CAT?

A.7. The U.S. securities markets have become substantially more automated, dispersed and complex in recent years.
Trading activity in stocks and options is tracked through a number of systems, and no single system tracks the orders that are routed and executed across multiple trading venues. This patchwork approach can hinder the ability of regulators to look across our markets in pursuit of their mission. In short, to address more efficiently and effectively specific issues that span multiple markets and trading venues (e.g., the actions of a sophisticated market manipulation scheme) and system wide events (e.g., a ``flash crash'' or similar market event), we need access to consolidated information. The CAT is intended to provide the self-regulatory organizations (SROs) and the Commission with consolidated cross-market data that is more complete, accurate, accessible and timely than the data currently available. When fully implemented, the CAT should provide regulators with access to comprehensive information about all orders and trades in exchange-listed securities across the U.S. markets. The CAT is expected to track the life of an order, from origination with a particular customer, through routing, modification, cancellation or execution. As a result, the CAT should provide a much more efficient and effective means to identify, investigate and pursue market misconduct, perform timely market analyses and event reconstructions, and develop well-informed policy initiatives.

Q.8. Would a breach of the CAT jeopardize the operations of the Commission? If so, how?
Would a breach of the CAT result in a systemic risk to our economy? If so, how?
Are you worried that a breach of the CAT could compromise the confidential investment strategies of trading firms, particularly if the trade information could be reverse engineered?
Are you worried that a breach of the CAT would cause some broker-dealers to reduce trading to protect their confidential trading strategies?

A.8.
The CAT repository is expected to contain comprehensive information on trading activity in the securities markets, and the Commission understands that this information is highly sensitive and that security issues with respect to such a system are particularly acute. Making sure there are appropriate mechanisms in place to protect the security and confidentiality of CAT data is of paramount concern both to the Commission and the SROs. The CAT national market system plan (CAT NMS Plan) calls for the CAT repository to store extensive information on all orders in exchange-listed securities, including customer identification information (which is expected to include personally identifiable information (PII)). This information will provide regulators with prompt access to the trading activity of individual market participants. While this information should greatly enhance the ability of regulators to effectively oversee the modern securities markets, its unauthorized access and use could cause substantial harm. For example, a breach of CAT security could compromise the confidential investment strategies of trading firms and, if sufficiently large, could undermine regulatory operations or have a systemic impact. Therefore, it is important that the design, roll-out and ongoing operation of the various components of CAT data reporting reflect an ongoing assessment of the sensitivity of the data reported and related security concerns and protections. Due to the importance of maintaining the security of CAT data, the CAT NMS Plan approved by the Commission requires the SROs to ensure that the CAT repository meets rigorous data security requirements, including those regarding connectivity and data transfer, encryption, storage, access and PII. 
The Plan Processor, as defined by the CAT NMS Plan, must develop a comprehensive information security program that addresses the security and confidentiality of all information within the CAT data repository and associated operational risks, and that includes all relevant standards from the NIST Cybersecurity Framework. The CAT NMS Plan also requires regular security audits performed by a qualified third-party auditor. The SROs, which have direct oversight of the Plan Processor, are obligated to monitor the information security program to ensure that it is consistent with the highest industry standards for the protection of data, and are required to implement comparable information security policies and procedures with respect to their handling of CAT data. Moreover, the Commission, in approving the CAT NMS Plan, committed to implementing policies and procedures relating to the Commission's handling of CAT data that are comparable to the standards applicable to the SROs, which are required to be comparable to the standards applicable to the CAT repository, and the Commission will periodically review the effectiveness of these policies and procedures. Q.9. In the event of a full breach of the CAT, how many Americans would have their information exposed under the SEC's current plans for the CAT? If you do not have a precise number, please provide the agency's best estimate. A.9. It is difficult to ascertain with certainty how many Americans would have their information exposed if there was a full breach of the CAT, but, assuming all orders result in the reporting of PII to the CAT, it would be a very large number, certainly in the millions. Approximately 43.3 million households have either a brokerage account or an IRA. 
Accordingly, as discussed above, the Commission required that the CAT NMS Plan--which sets forth the minimum requirements the SROs must follow as they build the CAT--be designed to minimize the risk of a breach that could result in access to customer PII.

Q.10. Does the SEC intend to collect the PII of all retail investors, including those that engage in only limited trading?
What percentage of the PII stored in the CAT does the SEC expect will be operationally useful to the CAT's purpose, instead of being dormant in the CAT and never accessed?
Has the SEC explored alternatives to maintaining PII in the CAT? For example, would the SEC be able to fulfill its policy aims by requesting PII from individuals only when it is necessary for the SEC to fulfill its oversight duties?
Has or will the SEC determine what CAT-related information it can review without storing it in the CAT? For example, could the SEC merely require registrants to maintain and provide certain information to the SEC upon request, as opposed to keeping it in the CAT? Will you commit to ensuring that such information is omitted from the CAT?

A.10. I expect that the Commission will only retrieve sensitive data stored in the CAT repository to the extent necessary to address a specific regulatory purpose. It is not my objective to regularly retrieve from the CAT repository PII of retail investors that engage in normal trading practices. Further, I expect that the Commission will implement and follow data security procedures that appropriately address the sensitive nature of the information. In approving the CAT NMS Plan, the Commission committed that its policies and procedures would impose security obligations on the Commission and its personnel that are comparable to the standards applicable to the SROs, and in turn the CAT repository. In addition, the Commission employs an agency-wide cybersecurity detection, protection and prevention program for the protection of agency operations and assets.
This program includes cybersecurity protocols and controls, network protections, system monitoring and detection processes, vendor risk management processes, and regular cybersecurity and privacy training for employees. However, the CAT NMS Plan calls for the CAT repository itself to collect PII of all retail investors with brokerage accounts. This PII is already stored on the systems of other market participants, including retail investors' broker-dealers. The SROs and the Plan Processor have informed us that consistent with the CAT NMS Plan, this information will be subject to heightened security protocols and standards; for example, PII must be stored in a database that is physically separate from the transactional database, access to PII must follow a role-based access model and any login system that is able to access PII must be further secured via multi-factor authentication. The CAT NMS Plan also requires the Plan Processor to adhere to the NIST Risk Management framework and to implement baseline security controls identified in NIST. It has been 5 years since the Commission adopted the CAT rule--Rule 613 of Regulation NMS. Our markets have evolved since then, and will continue to do so. The Commission should continue to evaluate the use of the CAT--including with respect to the types of data maintained in the CAT and the types of data accessed by the Commission--in light of current market realities and the important regulatory objectives served by the CAT. I also believe it is important that the SROs and the Plan Processor continuously evaluate the approach to the collection, retention, and protection of PII and other sensitive data in light of developments in the various areas including cybersecurity, market structure and regulatory needs; and in that regard, I note that the CAT NMS Plan requires the Chief Compliance Officer of the CAT to regularly review the CAT's information security program.
I have asked the staff of the Commission to conduct such an evaluation with regards to the need for PII and expect that the SROs and the Plan Processor engage in a similar exercise.

Q.11. In light of the EDGAR breach and the reasonable presumption that the CAT will be a target of a cyberattack, would it be prudent to extensively improve the security of the CAT before partially rolling out the CAT? My understanding is that the CAT will only be partially rolled out on November 15, 2017. Which elements of the CAT will the SEC implement and which elements of the CAT will the SEC delay implementing? How long will it take for the SEC to complete this review of the data inside the CAT? If the SEC cannot complete this review by November 15, 2017, do you commit to delaying the first phase of the CAT implementation?

A.11. Protecting the information in the CAT repository is of paramount concern. I expect that the CAT will be a target for cyberattacks by sophisticated actors. As discussed above, the CAT NMS Plan imposes security requirements on the CAT repository and the SROs. The 2016 intrusion into the Commission's EDGAR system is currently under investigation, as I noted in my earlier public statements, and I have taken a number of steps designed to strengthen the Commission's cybersecurity risk profile and evaluate our cybersecurity risk governance structure, including initiating the identification and review of systems that hold market sensitive data or PII and the enhancement of escalation protocols for cybersecurity incidents in order to enable greater agency-wide visibility and understanding of potential cyber vulnerabilities and attacks. The Commission also now has a senior-level cybersecurity working group, we are in the process of hiring additional staff, including a Chief Risk Officer, and outside technology consultants, and we have a number of additional cybersecurity initiatives underway.
The first phase of CAT implementation (i.e., reporting by SROs) will only include transaction data and not the submission of customer information or PII to the CAT repository. Both the Commission and the SROs must be confident the appropriate security measures are in place before CAT becomes operational. Regarding the Commission's use of the CAT, as discussed above, I expect that the Commission will only retrieve sensitive data stored in the CAT repository to the extent necessary to address a specific regulatory purpose. It is not my objective to regularly retrieve from the CAT repository PII of retail investors that engage in normal trading practices. Further, I expect that the Commission will implement and follow data security procedures that appropriately address the sensitive nature of the information. Q.12. In your Senate Banking testimony last week you said ``we don't want to be taking data [for] the CAT unless we need it and can protect it.'' What standards will the SEC follow to determine if a particular data set is absolutely needed for the CAT? What standards will the SEC follow to determine if the SEC can protect the information inside the CAT? A.12. I take very seriously the obligation to maintain the security and confidentiality of CAT data. As discussed above, I expect that the Commission will only retrieve sensitive data stored in the CAT repository to the extent necessary to address a specific regulatory purpose. Further, before retrieving such data, I expect the Commission will implement and follow data security procedures that appropriately address the sensitive nature of the information and, as a result, I expect that the Commission would not be regularly retrieving PII of retail investors that engage in normal trading practices. 
With regard to specific standards, in approving the CAT NMS Plan, the Commission committed that its policies and procedures would impose security obligations on the Commission and its personnel that are comparable to the standards applicable to the SROs and in turn the CAT repository. In addition, the Commission is subject to information security policies and procedures developed in accordance with Federal directives and NIST standards that prohibit the unauthorized disclosure or inappropriate use of confidential data.

Q.13. My understanding is that Thesys will be the CAT's plan processor. Will it be subject to Regulation SCI? Why or why not? If not, what cybersecurity standards or principles will Thesys be subject to and how will Thesys be held accountable in the event of lax cybersecurity processes?

A.13. The CAT repository, which collects and maintains the CAT data, is a facility of each SRO. The SROs are ``SCI Entities,'' and the CAT system is an SCI system. As a result, the CAT repository is subject to the requirements of Regulation SCI. The CAT NMS Plan states that data security standards of the CAT System shall, at a minimum, satisfy all applicable regulations regarding database security, including provisions of Regulation SCI. The SROs are responsible for ensuring that the CAT repository as operated by Thesys complies with Regulation SCI, including the establishment, maintenance and enforcement of written policies and procedures reasonably designed to ensure that the CAT system has levels of capacity, integrity, resiliency, availability, and security adequate to maintain its operational capability.

Q.14. How many people will be able to access the CAT? Will a background check be conducted on everyone who can access the CAT?

A.14. As noted above, the CAT NMS Plan requires the SROs and Plan Processor to have policies and procedures to ensure that only authorized regulatory personnel are able to access the CAT data for regulatory purposes, and the Commission committed to applying comparable standards to its own use of CAT data. The CAT NMS Plan requires the Plan Processor to conduct background checks (e.g., fingerprint-based) for all of its employees and contractors. Each SRO will also conduct background checks (including fingerprinting) of its employees and contractors that will use the CAT system. All Commission employees must have undergone a background check and fingerprinting prior to their joining the Commission. However, not all Commission employees will have access to the CAT. In fact, a cross-divisional steering committee of senior staff has been tasked with designing policies and procedures regarding Commission access to, use of, and protection of CAT data, and the major focus of these internal policies and procedures addresses which Commission staff will be authorized to access CAT data and under what circumstances.

Q.15. What, if any, steps is the SEC taking to ensure that information in the CAT is compartmentalized, so that a breach will not provide a hacker complete access to information sets? For example, will a hacker be able to gain access to an individual's full name and social security number or a firm's complete trading activity within a dataset? What, if any, other steps is the SEC taking to prevent a hacker from being able to reverse engineer a trading firm's proprietary trading strategies using the information contained in the CAT?

A.15. PII requires a heightened level of protection. As such, the CAT NMS Plan requires that PII be stored in a database that is physically separate from the transactional database. I believe appropriate compartmentalization, or separation of a customer's PII from the same customer's transactional data, can enhance security.
The SEC will continue to encourage the SROs and the Plan Processor to explore compartmentalization strategies that will support critical regulatory uses of CAT and also minimize the risk that an unauthorized person could access an individual's PII or trading strategies. In addition, as noted above, I have asked the staff of the Commission to conduct such an evaluation with regards to the need for PII and expect that the SROs and the Plan Processor engage in a similar exercise.

Q.16. I'd like to inquire more about Regulation SCI. In response to questions for the record from Senator Tillis during your confirmation process you stated that `` . . . we should be mindful that cybersecurity risks are continuously evolving, and regulation in this area should take into account its dynamic nature, including that, in such circumstances, specific requirements may be appropriate but also have the risk of becoming outdated.'' To that end, could Regulation SCI create some cybersecurity risk by introducing an incentive for companies to focus more on complying with the regulation, instead of leveraging private sector resources to implement innovative cybersecurity techniques? If so, what steps is the SEC taking to mitigate this risk?

A.16. The heart of Regulation SCI is its requirement that SCI entities have reasonably designed policies and procedures to ensure that their core systems will function effectively in times of stress and be resistant to threats, including cybersecurity threats. Under Regulation SCI, the Commission does not mandate a specific set of standards with which an SCI entity must comply. In adopting Regulation SCI, the Commission understood that information technology and cybersecurity threats continue to evolve, and thus did not seek to hardcode a set of specific standards into the rule that could become outdated.
Rather, the rule takes a risk-based approach and requires the SCI entities themselves to assess the relative riskiness and criticality of each of their systems and requires each SCI entity to develop appropriately tailored policies and procedures. Thus, an SCI entity can select the industry standards it believes to be appropriate for its policies and procedures and is also able to customize these policies and procedures for its own particular systems, so long as its policies and procedures remain reasonably designed in light of the importance of a given system. In addition, the rule requires SCI entities to periodically review their policies and procedures to ensure that they continue to be appropriate as technology and threats change.

Q.17. Are you considering the possibility of requiring that more entities comply with Regulation SCI? If so, what policy considerations will you take into account when evaluating this question?

A.17. In its adoption of Regulation SCI in 2014, the Commission applied the requirements of the rule to those entities it determined could, at that time because of their role in the U.S. securities markets and/or their level of trading activity, have the potential to pose the most significant risk in the event of a systems issue. Thus, Regulation SCI applies today to, among others, the stock and options exchanges, alternative trading systems (ATSs) that trade NMS and non-NMS stocks exceeding specified volume thresholds, FINRA, the MSRB and registered clearing agencies. When it adopted Regulation SCI, the Commission noted that a measured approach was appropriate for imposing the mandatory requirements of Regulation SCI given the potential costs of compliance. I believe that we should continue to evaluate what entities, because of their importance to the securities markets or investors, should be subject to Regulation SCI and have discussed this matter with the staff.
The staff believes that extensions of Regulation SCI would need to be appropriately calibrated to reflect the business models and risks of additional entities, as well as their existing regulatory regimes. They believe certain aspects of the current rule may be inapplicable to other types of market participants, and there may also be different types of concerns that are not applicable to the current group of ``SCI entities'' and thus are not addressed in Regulation SCI today. Whether or not Regulation SCI or a Regulation SCI-type regulatory framework is appropriate for other types of market participants, it is clear that information technology and cybersecurity threats are of increasing importance in our securities markets today, and I have instructed the staff that they should continue to evaluate whether the current SCI framework is appropriate.

Q.18. Is there sufficient transparency over if a market center is complying with Regulation SCI or is required to comply with Regulation SCI? What policy considerations will you take into account when evaluating this question?

A.18. Regulation SCI applies to ``SCI entities,'' which include self-regulatory organizations (including national securities exchanges, registered clearing agencies, registered securities associations, and the MSRB) and ATSs that trade NMS and non-NMS stocks exceeding specified volume thresholds. There is no publicly available list of all entities subject to Regulation SCI, as discussed below. I have asked staff to examine this issue, including considering whether the Commission should publish a list of entities that file Form SCI with the Commission on a periodic basis or, alternatively, whether entities subject to Regulation SCI (e.g., certain ATSs) should be required to disclose that status on a periodic basis. That said, it is possible for market participants and the public to identify the entities that fall into nearly all of these categories through publicly available information.
For example, a list of national securities exchanges and registered clearing agencies was included in the Regulation SCI adopting release, and a current list of self-regulatory organizations can be found on the Commission's website (https://www.sec.gov/rules/sro.shtml). In addition, in the Regulation SCI adopting release, the Commission stated that FINRA is the only registered national securities association, and it identified SIAC and Nasdaq as the plan processors subject to Regulation SCI. Further, the Commission noted then that only one entity met the definition of exempt clearing agency (Omgeo Matching Services-US, LLC); subsequently, two additional entities have become exempt clearing agencies subject to Regulation SCI (Bloomberg STP and SS&C Technologies). Unlike the entities discussed above, which are subject to Regulation SCI because of their regulatory status, the determination of whether an ATS is subject to Regulation SCI is based on the ATS exceeding certain volume thresholds over a prescribed period. Accordingly, a determination regarding which ATSs are SCI ATSs is not static, as volume levels often change over time. While there is no publicly available list of ATSs that are subject to Regulation SCI, nothing prevents an SCI ATS from publicizing its status as an SCI entity.

Q.19. How will the SEC ensure that any cybersecurity disclosure guidelines for public companies require only timely and material disclosure instead of that which is extraneous and untimely?

A.19. The Commission's disclosure rules and regulations are a combination of prescriptive and principles-based requirements. Disclosure Guidance: Topic No. 2--Cybersecurity, issued by the Division of Corporation Finance in 2011, advised public companies that, although there were no specific line item requirements for cybersecurity and related issues, the existing rules and regulations do apply to these issues if they represent a material risk to a company's risk profile, business or financial statements. As such, companies are expected to provide timely and material disclosure about their cybersecurity to investors. The guidance reminded companies that the decisions to disclose should be based on their own facts and circumstances and that disclosure should not be generic or boilerplate. The guidance also reiterated principles of materiality in U.S. Supreme Court case precedent that information is considered material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision, or if the information would significantly alter the total mix of information made available. I have asked the Division of Corporation Finance to review the 2011 staff guidance and consider whether, and if so, how, it might be updated to provide companies with more guidance on their disclosure obligations.

Q.20. What standard will the SEC follow in the future to determine if and when to disclose a cybersecurity event at the SEC? Will that standard be comparable to the standards that companies must follow to disclose their cybersecurity events?

A.20. The scope and timing of disclosures of this type depend on facts and circumstances that vary from event to event and it is important to note that the considerations that apply to the Commission may be substantially different from those that apply to a public company. For example, unlike a public company, the Commission may be charged with investigating and ultimately filing an enforcement action against the individuals that attack its systems.
That said, with regard to the recently disclosed 2016 EDGAR intrusion, which first came to my attention in August 2017, I specifically directed the public disclosure of the intrusion, as well as our ongoing efforts in response, once I knew enough to understand that nonpublic information may have been used for illicit gain and that competing considerations, including disclosing the existence of the ongoing Division of Enforcement investigation, were not of sufficient importance to necessitate a delay in the public disclosure. Should the Commission be subject to significant cybersecurity events in the future, I expect that we would conduct a similar analysis regarding public disclosure in light of our mission. I also note that the SEC will continue to report certain cybersecurity incidents to the Department of Homeland Security pursuant to the Federal Information Security Modernization Act of 2014 (FISMA) and the US-CERT Federal Incident Notification Guidelines.

Q.21. In response to my questions for the record during your confirmation hearing, you stated that disclosures should achieve ``their important investor protection objectives in an effective and efficient manner'' and promised to engage with the SEC Commissioners and SEC staff on the Disclosure Effectiveness Initiative. Please provide an update on your efforts to this end.

A.21. The Commission and the staff continue to move forward with the Disclosure Effectiveness Initiative and to date the Commission has issued six releases as part of the initiative.
These releases include (1) a request for comment on financial disclosure requirements in Regulation S-X for entities other than the registrant, (2) a concept release on the business and financial disclosure requirements in Regulation S-K, (3) a proposal to revise property disclosure requirements and related guidance for mining registrants, (4) a proposal to eliminate redundant, overlapping, outdated or superseded disclosure requirements, (5) a request for comment on Regulation S-K disclosure requirements related to management, security holders and corporate governance matters and (6) a request for comment on bank holding company disclosures. The staff is currently developing recommendations to finalize rule amendments that would eliminate redundant, overlapping, outdated or superseded disclosure requirements and proposals to revise Regulation S-X rules related to financial statements for entities other than the issuer. The staff is also developing recommendations to update and modernize industry-specific disclosure requirements, such as the property disclosure requirements for mining companies and bank holding company disclosures. In addition, on October 11, 2017, the Commission proposed amendments to Regulation S-K to modernize and simplify disclosure requirements for public companies, investment advisers and investment companies. The proposal was mandated by the Fixing America's Surface Transportation (FAST) Act and would make adjustments to update, streamline or otherwise improve the Commission's disclosure framework.

Q.22. During your confirmation process, I asked you the following question for the record: In light of the SEC's mission to `protect investors, maintain fair, orderly, and efficient markets, and facilitate capital formation,' I'd like to ask you about the SEC's rulemaking schedule. What factors should dictate the SEC's rulemaking schedule? Does the SEC's rulemaking schedule reflect the right balance between focusing on these three missions?
If not, how would you change it? In response you stated that it would be premature to assess this question because you have not had a chance to discuss this issue inside the SEC. Now that you have been confirmed as Chair, how would you answer this question?

A.22. The Commission recently approved publication of an agenda of rulemaking actions pursuant to the Regulatory Flexibility Act that reflects my priorities. That agenda will be published as part of the Unified Agenda of Regulatory and Deregulatory Actions. As a general matter, I believe it is important that these publicly available agendas provide the necessary transparency and accountability for agency matters. If these plans are to meet their intended purpose, they must be written in a way that informs Congress, investors, issuers and other interested parties about what the SEC actually intends--and realistically expects--to accomplish over the coming year. I developed the current regulatory agenda consistent with the eight principles that I outlined in a speech before the Economic Club of New York on July 12, 2017, and reiterated in my testimony before the Committee. Among other things, the agenda reflects my belief that our mission must focus on the long-term interests of the Main Street investor, and that investors must have access to information about potential investments that is easily accessible and meaningful. At the same time, I believe that the Commission must recognize the practical costs of demonstrating compliance with its rules, and that rules must be designed to ensure that Main Street investors have access to a range of investment choices. In addition, we have a number of statutorily mandated items that we need to address, and we are considering how to advance those while also pursuing other initiatives that are central to the pursuit of our statutory mission.

Q.23. During your confirmation process, I asked you the following question for the record: Many argue that despite the JOBS Act, Reg. A+ is still prohibitively costly for smaller firms. Only around 44 firms qualified for Reg. A+ during its first year,\6\ compared to 33,429 who used Reg. D in 2014.\7\ I've been told that few if any investors in my State find it worthwhile to use Reg. A+. Is Reg. A+ currently workable for most smaller firms? As SEC Chair, will you examine how the SEC can make Reg. A+ easier to use for smaller firms, and advocate for such changes? In response you said that you ``have not yet had the opportunity to engage with the Commissioners and the SEC staff regarding Regulation A+'' but would study ``this issue, including the potential impacts of any potential reform options.'' Now that you have been confirmed as Chair, how would you answer this question?

---------------------------------------------------------------------------
\6\ https://www.crowdfundinsider.com/2016/07/87745-looking-regulation-one-year-later/ (cited by https://www.mercatus.org/system/files/peirce_reframing_ch11.pdf, p. 278).
\7\ https://www.mercatus.org/system/files/peirce_reframing_ch11.pdf, p. 278. See also https://www.nextgencrowdfunding.com/static/uploads/2016/10/03/NextGenCrowdfundingReg A+WhitePaper_October62016.pdf.
---------------------------------------------------------------------------

A.23. Prior to the adoption of the JOBS Act amendments to Regulation A, offerings made pursuant to that exemption were rare in comparison to offerings conducted pursuant to other Securities Act exemptions or on a registered basis. The release proposing amendments to Regulation A noted that there were 19 Regulation A offerings filed, and one Regulation A offering qualified, in 2011. Since effectiveness of the amendments to Regulation A, in the period from June 2015 through September 2017, companies have sought to raise approximately $5 billion in nearly 250 offerings pursuant to Regulation A, including up to $3.5 billion in over 150 offerings qualified by the Commission.
As of the end of September 2017, 69 companies have reported raising approximately $611 million pursuant to Regulation A, as amended. While the data suggests that the amendments to Regulation A have increased the utility of the exemption, we plan to assess the rule on an ongoing basis. For example, Commission staff will study and submit a report to the Commission no later than 5 years following adoption of the Regulation A amendments on the impact of the amended rules on capital formation and investor protection. Additionally, Section 3(b)(5) of the Securities Act requires the Commission to review the $50 million offering limit every 2 years. The next review is required to take place not later than April 2018.

Q.24. During your confirmation process, I asked you if anything needed ``to be done to improve the use of cost-benefit analysis at the SEC?'' In response you said `` . . . I believe retrospective review can be appropriate and important, and certain rules may merit re-evaluation over time,'' including ``the prior analysis itself . . . '' You promised to ``discuss[] this issue--what has been learned from past economic assessment exercises that can inform future efforts--with the staff and my fellow Commissioners.'' Do you intend to implement a process for regulatory retrospective review? If so, please detail how the regulatory review process will occur. If not, please explain why.

A.24. In my testimony before the Committee, I outlined eight guiding principles that I believe should chart the course for the SEC moving forward. Several of these principles focus specifically on our rulemaking process. For example, I emphasized that effective rulemaking does not end with rule adoption and that the costs of a rule now often include the cost of demonstrating compliance.
These principles of effective rulemaking should, in my view, include retrospective reviews of Commission rules based on input from investors and other market participants about where the rules are, or are not, functioning as intended. As with economic analysis in the course of rulemaking, a focused post-implementation review of rules improves the regulatory process and helps us assess whether our rules are accomplishing their intended goals. The Commission has, in a number of recent adopting releases, directed staff to conduct post-implementation reviews of the impacts of new rules. For example, in adopting recent amendments to the securities transaction settlement cycle, the Commission directed staff to examine the impact of shortening the settlement cycle to T+2 as well as factors that could facilitate a move to a shorter settlement cycle in the future. The Commission directed staff to conduct similar reviews in the adopting releases for Regulation Crowdfunding and recent amendments to Regulation A. As we move forward with developing new policy recommendations, I have instructed staff to consider whether, as a part of adopting new rules, the Commission should require additional studies. In addition to these targeted areas, the Commission and its staff have formal and informal processes for identifying existing rules for review and for conducting those reviews to assess the rules' continued utility and effectiveness in light of continuing evolution in the securities markets and changes in the securities laws. For example, in accordance with current statutory requirements, we conduct 10-year retrospective rule reviews under the Regulatory Flexibility Act (RFA) on an annual basis. Along with formal processes, the Commission and its staff frequently receive and consider suggestions to review existing rules through various types of communications from a wide variety of constituencies. 
Likewise, the Commission and staff frequently discuss the need to revisit existing rules through public engagement, including advisory committees, roundtables, town hall meetings, speeches, conferences, and other meetings.

Q.25. During your confirmation process I asked you if ``policymakers [should] be concerned about the public SIP as a single point of failure.'' In response you said ``I am not in a position to comment meaningfully on specific aspects of the SIP, including the types and severity of risks.'' Now that you have been confirmed as Chair, how would you answer this question?

A.25. The consolidated market data provided by the SIPs is extremely important to the securities markets. Because of this, the SIPs are considered ``critical SCI systems'' under Regulation SCI. As a result, these systems are subject to heightened standards under Regulation SCI designed to ensure the capacity, integrity, resiliency, availability and security of those systems. Our staff has worked with the SIPs on their efforts to improve their systems resiliency. For example, in response to the Nasdaq SIP outage in 2013, the SIPs subsequently enhanced their disaster recovery sites and systems to establish a hot/warm backup process. This backup process provides for a failover from the primary to the fully redundant backup SIP sites with a 10-minute or less recovery time. In addition, at their primary sites, the SIPs have secondary backup servers running in parallel to the primary servers, allowing exchanges immediate re-connectivity in the event of a disruption to the primary server that does not require failover to the disaster recovery site. The SIPs also established more rigorous review processes around technology change procedures to minimize technological malfunctions and errors.
In addition, the SIPs implemented improvements to system capacity (the SIPs have system availability requirements of at least 99.98 percent) and controls around critical systems, such as managing inbound and outbound message traffic.

Q.26. During your confirmation process in March, I sent you a letter requesting that during your tenure as SEC Chairman, you pay attention to how to ``promote the creation and sustaining of new firms, including by facilitating access to forms of equity for smaller firms.'' This is in addition to your important efforts to increase the number of IPOs and improve the public markets. This task has become even more important in light of findings from the Economic Innovation Group \8\ that economic growth is largely clustered in the most prosperous areas, instead of evenly distributed across areas like the Great Plains and the Midwest. What's more, our economy is more generally facing declining startup rates.\9\

  - Are you concerned about the uneven geographic distribution of growth, particularly relating to new firms? Why or why not?
  - Would increasing access to equity and crowdfunded debt improve the geographic distribution of new firms?
  - Would increasing access to equity and crowdfunded debt promote the creation and sustainability of new firms? If so, what kind of firms would this help the most?
  - In what instances does data show that new and smaller firms tend to rely upon access to equity or crowdfunded debt instead of a generic bank loan? For example, would a particular type of firm have difficulty securing a traditional loan or do all firms have difficulty securing loans within a particular size bracket?
  - What are the biggest hurdles new and smaller firms have--regulatory or otherwise--in accessing equity and crowdfunded debt?
  - Is the SEC comprehensively reviewing how to address these problems, including but not limited to potential ways to improve Regulation A+, Regulation D, and crowdfunding, along with any helpful new means of accessing capital, such as a safe harbor for smaller equity raises?

---------------------------------------------------------------------------
\8\ See https://www.axios.com/americas-fractured-economic-well-being-2488460340.html and http://eig.org/dci.
\9\ See https://www.axios.com/declining-startup-rates-2453945620.html and http://eig.org/dynamism.
---------------------------------------------------------------------------

A.26. I am committed to each tenet of the SEC's three-part mission, including facilitating capital formation for all businesses across our country. I want American businesses to be able to raise the money they need to grow and create jobs, and I believe that we need to enhance the ability of every American to participate in investment opportunities. In the exempt market, we have seen that businesses are taking advantage of the new capital raising avenues available as a result of the JOBS Act. Early signs indicate that Regulation A may offer a potentially viable public offering on-ramp for smaller issuers as an alternative to a traditional registered IPO and offer either an alternative or a complement to other exempt offerings. The initial evidence shows that the Regulation Crowdfunding exemption, effective as of May 16, 2016, is being used primarily by small pre-revenue growth businesses as an initial foray into capital raising through a securities offering. Although the JOBS Act rules have been implemented, our work is far from done. Data shows that the geographic distribution of issuers using these exemptions is uneven, with some States accounting for a more significant presence than others. For example, many Regulation A offerings were made by issuers with a business location in California, Washington, DC, Virginia, Florida, or Texas.
A significant number of issuers conducting offerings in reliance on Regulation Crowdfunding similarly were located in California, Texas or New York. As we continue to evaluate capital formation options, we are seeking to engage with businesses across the country, including those within the Great Plains and the Midwest. It is important for us to hear directly from businesses to understand what they see as the biggest hurdles and impediments to financing within their industry and geographic region. To advance this objective, we plan to hold the annual Government-Small Business Forum in Austin, Texas in November 2017 rather than Washington, DC, the traditional forum location, in order to get input from a different region of the country. As an example of outreach in geographic areas where some of the newer exemptions have not been used as frequently, the Director of the Division of Corporation Finance and I recently participated on a panel at the Montana High Jobs Summit. The purpose of our participation was to explain the use of the various approaches to small business capital formation and to get feedback from market participants.

As the exempt market continues to grow and evolve, the Commission and its staff continue to monitor developments, gather and examine data and assess the effectiveness of these new exemptions, taking into account feedback provided by businesses and investors across the country. To this end, the staff will be conducting a look-back review of the impact of Regulation Crowdfunding on capital formation and investor protection no later than 3 years after effectiveness of the rules. In addition, the Commission will review the offering threshold limitations in Regulation A in 2018, as mandated by the JOBS Act. We are also taking a step back and looking at the entire framework of exemptions.
A concern that we frequently hear--and one that resonates with me based on my experience--is that there are too many exemptions and that each exemption has a framework that is complex and difficult to navigate without an experienced securities law attorney. We understand these concerns and are thinking about ways to rationalize the framework of exemptions so that there is a harmonized and simplified approach that makes it easier for small businesses to raise capital while still providing appropriate investor protections. In rationalizing the framework of exemptions, we need to think about avoiding both gaps and duplication among the different types of exemptions.

------

RESPONSE TO WRITTEN QUESTIONS OF SENATOR TILLIS FROM JAY CLAYTON

Q.1. Last time you were before the Banking Committee, we discussed how the SEC and our regulatory regime have made it less attractive for medium-sized companies, companies that are in their growth phase, to enter the public markets. Now that you have had an opportunity to view this issue from a different lens, can you give me specific ideas of how I can help you in our joint capital formation endeavors? Whether it is legislative suggestions or otherwise?

A.1. Capital formation is a priority for me. I am focused on ways to do that not only through rulemaking, but through identifying ways that the process can be made more efficient for an issuer, not only to become a public company but to remain a public company. Any effort that we undertake should take care not to reduce the amount of material information that investors receive. To this end, the Division of Corporation Finance began accepting certain draft registration statements for review by staff on a nonpublic basis. The Division also issued guidance to clarify that companies may omit from draft registration statements interim financial information that otherwise will not be required when a company files its registration statement.
As for rulemaking, the Commission recently voted to propose rules to implement a mandate under the FAST Act. Collectively, the FAST Act proposals can reduce costs for issuers and make the process of becoming a public company more efficient. We are continuing our review of the disclosure system, including recommendations to finalize rule amendments that would eliminate redundant, overlapping, outdated or superseded disclosure requirements. In addition, the staff is developing recommendations for the Commission on final rule amendments to the ``smaller reporting company'' definition, which would expand the number of issuers eligible to provide scaled disclosures. As we continue to review, and identify changes that should be made, we will consider the resources required and will reach out if we need legislative assistance.

Q.2. I have asked you previously about the notion of having the SEC conduct a retrospective review of its existing rules and regulations. Can you provide me with your updated thoughts on formalizing a process to do this? We have a process for other regulators, can you provide me with your thoughts on putting a process in place for the SEC via a statutory requirement?

A.2. In my testimony before the Committee, I outlined eight principles that will guide my SEC Chairmanship. Several of these principles focus specifically on our rulemaking process. For example, I emphasized that effective rulemaking does not end with rule adoption and that the costs of a rule now often include the cost of demonstrating compliance. These principles of effective rulemaking should, in my view, include retrospective reviews of Commission rules based on input from investors and other market participants about where the rules are, or are not, functioning as intended. As with economic analysis in the course of rulemaking, a focused post-implementation review of rules improves the regulatory process and helps us assess whether our rules are accomplishing their intended goals.
The Commission has, in a number of recent adopting releases, directed staff to conduct post-implementation reviews of the impacts of new rules. For example, in adopting recent amendments to the securities transaction settlement cycle, the Commission directed staff to examine the impact of shortening the settlement cycle to T+2 as well as factors that could facilitate a move to a shorter settlement cycle in the future. The Commission directed staff to conduct similar reviews in the adopting releases for Regulation Crowdfunding and recent amendments to Regulation A. As we move forward with developing new policy recommendations, I have instructed staff to consider whether, as a part of adopting new rules, the Commission should require additional studies. In this regard, the Commission and its staff currently have formal and informal processes for identifying existing rules for review and for conducting those reviews to assess the rules' continued utility and effectiveness in light of continuing evolution in the securities markets and changes in the securities laws and regulatory priorities. For example, in accordance with current statutory requirements, we conduct 10-year retrospective rule reviews. Specifically, the Regulatory Flexibility Act (RFA) requires the Commission to review within 10 years of publication each final rule that has a significant economic impact upon a substantial number of small entities. Since 1981, the Commission has reviewed not only rules that had a significant impact on a substantial number of small entities when adopted, but included other final rules that it published for notice and comment. The Commission's RFA reviews, therefore, cover a broader scope of rules than that required under the RFA. 
The RFA directs that the review of each rule cover: (1) the continued need for the rule; (2) the nature of complaints or comments received concerning the rule from the public; (3) the complexity of the rule; (4) the extent to which the rule overlaps, duplicates or conflicts with other Federal rules, and, to the extent feasible, with State and local governmental rules; and (5) the length of time since the rule has been evaluated or the degree to which technology, economic conditions or other factors have changed in the area affected by the rule. Along with formal processes, the Commission and its staff frequently receive and consider suggestions to review existing rules through various types of communications from a wide variety of constituencies. Likewise, the Commission and staff frequently discuss the current impacts of past regulation and consider the need to revisit existing rules through public engagement, including advisory committees, roundtables, town hall meetings, speeches, conferences and other meetings. Q.3. We have had some dialogue regarding the European Union's Markets in Financial Instruments Directive II (MiFID II), and I appreciate your response from September 14th on this issue. There are increased concerns that exchanges are now concerned about a dark trading workaround and that equities underdogs will need to utilize a ``Plan B'' option to grow their market share post-MiFID II. This coupled with the Edgar system hack--to me--are issues that squeeze medium-sized companies that are making the decision to not enter the public markets. Can you provide me with your thoughts on this? A.3. The ``dark trading workaround'' refers to a concern raised by some EU exchanges (or U.S. 
corporations that own EU exchanges) that MiFID II may create an uneven playing field between EU exchanges and other EU multilateral trading venues, on the one hand, and EU systematic internalisers (SIs) (a category of EU investment firms created under MiFID I and modified under MiFID II), on the other hand. Some EU trading venues have argued that MiFID II may provide SIs with several advantages, including not counting SI transactions toward the EU MiFIR dark trading limits, not requiring SIs to publish the size associated with their quotations and the ability to quote in smaller tick sizes than other EU trading venues. Some EU trading venues argue that each of these could provide incentives to trade with SIs. Q.4. If I am a company concerned about analyst coverage and price volatility, it seems like a simple decision to not enter the public markets. As coverage falls, liquidity falls, volatility goes up, and valuation ratios go down. A McKinsey study said that banks would spend $1.2 BB less on mass-producing research and tailor more of it to specific audiences. During the recent response that I received from you on MiFID II, you suggested that you share my goal of reaching a resolution on this issue to minimize disruptions and that you are prioritizing cooperation with our European counterparts to reach a solution that avoids a disorderly transition. Do you plan to waive the rules to allow brokers to receive direct payments for research from investors who are subject to MiFID II? If so, do you view this as a short-term or long-term solution? Can you elaborate on what efforts are underway at the SEC to address this issue? Do you have a timeframe for making a decision? A.4.
On October 26, 2017, staff in the Division of Investment Management issued a letter stating that they would not recommend enforcement action under the Investment Advisers Act of 1940 against a broker-dealer that provides investment advisory research services to an investment manager that is required under MiFID II to pay separately for such research services. In the letter, the staff indicated that this relief would last for 30 months from the implementation of MiFID II. This temporary period is intended to provide the staff with sufficient time to better understand the evolution of business practices after the implementation of MiFID II and take appropriate action, if necessary, in the future. Q.5. What are the economic consequences of U.S. brokers following EU standards? How do MiFID II and the potential importation of EU rules mesh with the broader administrative policy of not importing foreign standards? I understand this is a delicate issue, but it seems to me that we should be focused on impressing upon the EU regulators the potential negative consequences of this rule on the United States; moreover, I think that we should be concerned with how this rule may impact the ability of smaller issuers to attract research and how this may impact their ability to grow and succeed in the public markets. I understand that the SEC is engaged with the relevant EU regulators regarding the unintended consequences of the MiFID II directive, but can you elaborate on these conversations and whether there will be joint relief, relief from the United States, relief from the European Union, or otherwise? A.5. SEC staff has been actively engaged in various forms of outreach with key stakeholders, including industry groups and individual market participants, to better understand the potential economic impacts of MiFID II on current U.S. business models. I share your views on the importance of U.S. issuers' ability to attract research, especially smaller and mid-cap companies.
MiFID II presents unique challenges to U.S. broker-dealers. SEC staff no-action relief addresses potential issues raised by the industry regarding the negative impact that MiFID II could have on these market participants, among others. SEC staff has discussed with our European counterparts the impact of MiFID II's research provisions on the U.S.-EU cross-border research market, the U.S. regulatory framework for research payments and affected U.S. market participants' ability to comply with the U.S. securities laws. The EC has issued FAQs related to the application of MiFID II's research provisions to non-EU firms, which are an important adjunct to the Commission's efforts to provide effective relief. SEC staff will continue to engage with industry stakeholders and our European counterparts as MiFID II comes into effect and its impacts may be better understood. Q.6. MiFID II is another example of the conflicts we see with many rules that either have joint regulators or when an international regulator issues a directive without studying the unintended consequences of its impact to other jurisdictions. Is this something you will be working on at the SEC to help harmonize rulemakings where you hold jurisdiction? A.6. The SEC staff regularly communicates with foreign counterparts, including those in the European Union, regarding developments that could potentially impact U.S. issuers, market intermediaries and other market participants. SEC staff has ongoing bilateral dialogues with key regulatory counterparts that can serve as mechanisms for identifying and discussing common issues of regulatory concern, as well as current regulatory reform efforts and their impact. With respect to the European Union, the SEC's partners in these bilateral dialogues include the EC and ESMA. In addition, SEC staff communicates frequently with the FCA and markets regulators in Europe and elsewhere.
For example, the SEC participates in the Joint U.S.-EU Financial Regulatory Forum led by the U.S. Treasury. This forum seeks to enable regulatory cooperation as early as practicable in our respective lawmaking and rulemaking processes, with the general operational objective to improve transparency, reduce uncertainty, identify potential cross-border implementation issues, work toward avoiding regulatory arbitrage and toward compatibility, as appropriate, of each other's standards and, when relevant, promote domestic implementation consistent with international standards. Q.7. It appears as if the larger European asset managers will be paying for research out of P&L, and others may follow suit for competitive reasons. This could overflow to the United States. As such, whatever action the SEC takes will need to account for paying for research out of P&L. How is the SEC prepared to address this and how is the SEC prepared to deal with the notion that U.S. asset managers may feel as if they need to emulate the European Union asset managers for competitiveness reasons? A.7. In the letter mentioned above, staff in the Division of Investment Management provided relief where an investment manager subject to MiFID II is required to make separate payments for investment advisory research services. This relief would apply where an investment manager subject to MiFID II pays for such research out of its own money, a separate research payment account or some combination of the two. As the staff stated in the letter, their intent was to address concerns that have arisen in light of the adoption of MiFID II while preserving choice in maintaining the Commission's long-standing approach to access to research. At the same time, in considering approaches to address these various concerns, the staff was mindful of the possibility that inaction could lead to a disruption in the availability of important research. The staff therefore sought to preserve the status quo in the U.S.
market while any market changes resulting from MiFID II take shape. That said, I am also aware that certain U.S. investment managers are dissatisfied with the status quo, in that some broker-dealers may refuse to accept hard dollar payments from investment managers in exchange for research despite the fact that the U.S. investment manager might prefer to make a hard dollar payment rather than using order flow. Because this is an important, complex and evolving issue, in the press release accompanying the letter, the staff requested comment to assist in better understanding the evolution of business practices after the implementation of MiFID II in order to take appropriate action, if necessary, in the future. Q.8. You have previously suggested that we need to look for ways to regulate a dynamic and evolving set of risks when it comes to cybersecurity. What options are you now considering with your staff and fellow Commissioners? What is the SEC doing now to promote IT modernization? What new regulations do you foresee promulgating? A.8. Over the past several fiscal years, the Office of Information Technology has been leading an effort to modernize the SEC's technological infrastructure. Among other things, the SEC is developing a comprehensive IT Modernization Plan to: 1) prioritize the modernization of high-risk, high-value assets with an emphasis on the enhancement of security and privacy controls; 2) expedite the retirement of legacy systems; 3) seek to leverage enterprise-wide acquisition vehicles to gain cost efficiency and effectiveness; and 4) improve user experience and increase user interface capabilities. The Commission's IT modernization efforts closely adhere to several OMB mandates and Federal frameworks, including OMB Circular A-130, Managing Information as a Strategic Resource, the Federal Information Security Management Act of 2002 and the Federal IT Acquisition Reform Act.
The Commission's efforts also leverage the guidance and recommendations outlined in the 2017 Draft Report to the President on Federal IT Modernization. Promoting effective cybersecurity practices by market participants is critical to all three elements of the SEC's mission. The Commission incorporates cybersecurity considerations in its disclosure and supervisory programs, including in the context of the Commission's review of public company disclosures, its oversight of critical market technology infrastructure and its oversight of other regulated entities, including broker-dealers, investment advisers and investment companies. Despite the attention given to widely publicized cyber-related incidents experienced by the Commission and others, I still am not confident that the Main Street investor has received a sufficient package of information from issuers, intermediaries and other market participants to understand the substantial risks resulting from cybersecurity and related issues. As a general matter, it is critical that investors be informed about the threats that issuers and other market participants face. To be sure, we are continuing to examine whether public companies are taking appropriate action to inform investors, including after a breach has occurred, and we will investigate issuers that mislead investors about material cybersecurity risks or data breaches. As is noted in my July speech and on various other occasions, I would like to see more and better disclosure in this area. Cybersecurity must be more than a firm-by-firm or agency-by-agency effort. Active and open communication between and among regulators and the private sector also is critical to ensuring the Nation's financial system is robust and effectively protected. Information sharing and coordination are essential for regulators to anticipate potential cyber threats and respond to a major cyberattack, should one arise.
The SEC is therefore working closely with fellow financial regulators to improve our ability to receive critical information and alerts, react to cyber threats and harmonize regulatory approaches. Q.9. Can you talk a little about the cyber risks and threats within the context of equity market structure? What are we missing with regard to the current structure of Reg. NMS? Just a few years ago, there was a trading outage at an exchange and there were subsequent reforms that were announced, and I know that Regulation SCI is on the books. I suppose the question today is, what are you doing to ensure that Regulation NMS accounts for the dynamic risks that are posed today, and what do we need to do better from an infrastructure and resiliency standpoint to ensure that our public markets are as secure as possible and are the least vulnerable as possible to a cyber-attack? Also, from a market data perspective, as you know there are public and private market data feeds--do you view one of those as being more vulnerable than the other from a cyber-attack perspective? A.9. The infrastructure underpinning the securities markets has become increasingly reliant on technology and subject to ever-changing operational risks and cyber threats. To help address this, the SEC adopted Regulation SCI in 2014 to strengthen the technology infrastructure of the U.S. securities markets by imposing requirements on key market participants intended to reduce the occurrence of systems issues, improve resiliency when systems problems do occur, and enhance the SEC's oversight and enforcement in these areas. Regulation SCI applies to ``SCI entities,'' which include stock and options exchanges, FINRA, the MSRB, significant alternative trading systems, the clearing agencies, and the systems that generate consolidated market data. Regulation SCI addresses information technology operational risks broadly, and includes a focus on the cybersecurity risks of SCI entities.
Among other things, Regulation SCI requires SCI entities to establish, maintain and enforce policies and procedures reasonably designed to ensure that their core systems are sufficiently secure to maintain operational capability. If the SCI entity maintains any other systems that, if breached, would be reasonably likely to pose a security threat to its SCI systems, then those other systems are subject to the same security standards as SCI systems. Although Regulation SCI does not mandate that specific security standards be followed, the industry standards referenced in staff guidance, such as those issued by NIST, cover many areas, including cyber risk governance and risk management. Regulation SCI also requires SCI entities to immediately notify the Commission, and provide specified updates, upon any responsible SCI personnel having a reasonable basis to conclude that a systems intrusion has occurred. Affected market participants generally are to be notified as well. In addition, SCI entities must (1) have policies and procedures for regular reviews and testing of core systems to identify, among other things, vulnerabilities posed by internal or external threats, (2) periodically review the effectiveness of the policies and procedures and take prompt action to remedy any deficiencies, (3) conduct annual objective reviews for compliance with Regulation SCI and (4) conduct penetration testing at least every 3 years. In adopting Regulation SCI, the Commission focused on the most critical market infrastructure in the securities markets. However, the Commission and its staff continue to evaluate the risks posed by the technology of other market participants and how the markets may be made even more resilient against IT and cybersecurity risks. With respect to market data, because of its importance to the securities markets, market data systems of SCI entities are subject to Regulation SCI's requirements. 
This includes both the consolidated market data feeds, as well as proprietary market data feeds provided by exchanges. Given the critical nature of the consolidated market data feeds, those systems are included in the definition of ``critical SCI systems'' and are held to the highest standards. Q.10. Is the SEC looking to leverage artificial intelligence technology to help fight financial fraud? A.10. Machine Learning methods are being applied by the Commission in various areas. Topic modeling and cluster analysis techniques are producing groups of ``like'' documents and disclosures that identify both common and outlier behaviors among market participants. These analyses are able to more quickly identify latent trends in large amounts of unstructured financial information that may warrant further scrutiny by Enforcement staff. Quantitative staff in the SEC's Division of Economic and Risk Analysis leverage knowledge from these collaborations to train ``supervised'' Machine Learning algorithms. From a fraud detection perspective, these successive algorithms can be applied to new data as it is generated, for example from new SEC filings. When new data arrives, the trained ``machine'' will predict the current likelihood of possible fraud based on what it learned constituted possible fraud from past data. The SEC's Enforcement Division also utilizes analytical tools and data to proactively identify potential misconduct and streamline investigations. For example, the Enforcement Division's Market Abuse Unit has an Analysis & Detection Center (A&D Center), which is staffed by 10 specialists who have industry experience in areas such as manual and algorithmic trading, trading operations, data analytics and market structure. A key tool for the A&D Center is a database of historical trading data, so-called ``Bluesheet'' data, which is trading data that SEC staff request from broker-dealers during their investigations.
The A&D Center uses a system called Advanced Relational Trading Enforcement Metric Investigation System, or ``ARTEMIS,'' to analyze this trade data. ARTEMIS combines the historical bluesheet data with other data sources, such as historical prices and information about different types of market moving events. Based on conduct identified through ARTEMIS, the Commission has been able to pursue complex insider trading and market manipulation schemes; since September 2014, the Commission has brought 17 cases using these types of tools. The SEC's National Examination Program also has been developing and deploying a variety of analytics over the last several years, including those that use artificial intelligence technology. Many of these projects are still in their initial phases, but they complement the ongoing analytical work in the examination program. Specifically, staff has evaluated and created various risk models based on Machine Learning and predictive analytics. The analytical tools being developed and deployed enhance the identification of registrants and areas of focus for risk-based examinations by maximizing the use of data and information available to the Commission. In addition, staff has developed a trade data analytic tool called the National Exam Analytics Tool, which allows examiners to leverage statistical analytics to identify outlier and anomalous trading events. Staff has also created applications that leverage dashboard technology sitting atop various risk models, including predictive models, to help staff analyze and select examination targets. Q.11. How has the SEC been monitoring the early stage use of block chain or distributed ledger technology in capital markets? Does the SEC feel that this technology represents the future of capital markets infrastructure and if so, how will the SEC be updating its policies?
For example, in a block chain environment, entities in foreign jurisdictions may maintain copies of the ledger and may verify transactions occurring between U.S. counterparties--how will the SEC maintain regulatory oversight in these types of scenarios? A.11. The Commission's staff has been monitoring the use of blockchain or distributed ledger technology (DLT) in the capital markets in a number of ways: 1) Distributed Ledger Technology Working Group: In late 2013, the Commission established the DLT Working Group, which is tasked with building expertise in DLT, identifying emerging risk areas and coordinating efforts among the SEC's divisions and offices. DLT Working Group members from all areas of the Commission also assist in coordinating with Federal, State, local and international law enforcement and regulatory partners and liaising with industry participants. 2) SEC FinTech Forum: The SEC hosted a forum to discuss innovation in the financial services industry in November 2016, at SEC headquarters in Washington, DC. Forum panels discussed issues such as blockchain technology, automated investment advice or robo-advisers, online marketplace lending and crowdfunding and how they may impact investors. 3) Investor Advisory Committee: On October 12, 2017, the Commission's Investor Advisory Committee met to discuss, among other things, blockchain and other distributed ledger technology and implications for securities markets. 4) SEC Staff Participation in Third-Party Forums: Members of the DLT Working Group regularly participate in various forums hosted and attended by entrepreneurs, attorneys, academics, other professionals and interested parties. 5) Dedicated Email Address for Related Inquiries: In connection with our July 2017 Report relating to The DAO, we established a new email address, [email protected], and directed interested parties to send their questions concerning the use of DLT and other FinTech developments in the securities industry to that address.
SEC staff members have been dedicated to monitoring that email box and responding to inquiries. 6) Recent Creation of Cyber Unit in the Division of Enforcement: In September 2017, we created a Cyber Unit within the Division of Enforcement that will focus Enforcement's substantial cyber-related expertise on targeting cyber-related misconduct, including violations involving distributed ledger technology and initial coin offerings. 7) Tips, Complaints, and Referrals: The Commission welcomes the public to raise concerns about any aspect of the capital markets through our Tips, Complaints, and Referrals Portal, available through SEC.gov and Investor.gov. Technological innovations in the financial industry have the potential to transform how the securities industry operates--promising new ways to place, clear and settle trades and novel means to issue securities, raise capital and advise investor clients. It is too early to assess the impact recent technological advancements, such as DLT, will have on our capital markets, but we have observed that existing players are embracing the technology to deliver services to investors and the markets. For example, the Division of Corporation Finance declared effective a shelf registration statement covering the issuance of equity and debt that may be offered as traditional securities, digital securities or both. In December 2016, the company sold both traditional and digital securities through a rights offering to existing security holders. The following characteristics distinguished the digital securities from the traditional securities included in the offering: 1) The digital securities are traded on an ATS. 2) The digital securities have a shorter settlement period than traditional securities.
3) The digital securities will be held directly by security holders as record holder in a digital wallet held at a broker-dealer authorized to provide investors with access to the digital securities, while traditional securities are typically held in ``street name.'' Right now, our policy has not changed. As in the past, we will apply existing laws to the use of new technologies in the securities industry. We believe we have the authority, flexibility and resources to do so in a manner that strikes the appropriate balance between encouraging innovation and protecting investors. For example, in our July 2017 report on The DAO, we explained that existing laws govern the offer and sale of securities regardless of their form. The test for what is a ``security'' is flexible and will depend on the facts and circumstances, including the economic realities of the transaction. The DAO Report demonstrates that even an instrument that operates on distributed ledger technology can meet the definition of security. Where purchasers invest money in a common enterprise with a reasonable expectation of profits to be derived from the entrepreneurial or managerial efforts of others, then our jurisdiction is invoked. Where appropriate, we will file enforcement actions against those who violate the Federal securities laws. Our message in the Report was clear: those that offer and sell securities in the United States and those who facilitate their resale will be subject to the Federal securities laws. Of course, where policy changes or revision of rules are appropriate and necessary to fulfill our mission, we will take that course of action. In the case of investigating and prosecuting violations involving conduct or persons outside the United States, we regularly seek the cooperation of foreign jurisdictions with whom we have Memoranda of Understanding and other agreements, overseen by our Office of International Affairs.
------ RESPONSE TO WRITTEN QUESTIONS OF SENATOR HEITKAMP FROM JAY CLAYTON Q.1. The Financial Accounting Standards Board (FASB) issued the final current expected credit loss (CECL) standard in June 2016. The FASB's new credit loss model comes in response to the financial crisis and was intended to protect banks, their customers and investors against a future downturn. The CECL model makes fundamental changes to accounting standards and its adoption could have a variety of impacts on financial institutions. Given the substantial change to long-standing accounting rules and the potential consequential impact that the accounting standards will have on how banks make credit decisions--from the duration of loans, to the pro-cyclical effects on banks during a downturn, to the cost of credit to borrowers--should the SEC engage in its own review of this FASB rule? A.1. The FASB is an independent standard setter focused on developing accounting standards for financial reporting that provides investors with the information they need to make informed investment decisions. When setting standards, the FASB states that it weighs whether the expected improvement in the quality of the information provided to users justifies the cost of preparing and providing that information. Better information in turn could change what capital allocation decisions should be made or what actions should be taken by management, but the FASB does not seek to influence the outcome of those decisions. I believe that it is entirely appropriate for the FASB to focus on the quality of the information provided to investors to ensure continued investor confidence in the accuracy and quality of reported information, which is critical to capital formation. 
The FASB's project that led to the issuance of CECL has its origins in the financial crisis, where some market participants believed the existing ``incurred loss'' model resulted in the untimely and delayed recognition of credit losses, and ultimately, lower levels of loan loss reserves than otherwise may have been anticipated. Accordingly, the FASB's stated objective for issuing CECL was to provide users of financial statements with ``more decision-useful information about the credit risk inherent in financial assets and the change in expected credit losses occurring during the period.'' As opposed to the ``incurred loss'' model, the CECL approach is intended to more closely align an entity's financial reporting with management's estimate of expected credit losses which, even today, are informed by and incorporated into the entity's underwriting, servicing and collateral management practices. In other words, it is intended to provide investors with reporting that is more closely aligned with managements' assessment of the issuer's financial condition. Achieving consensus on the financial reporting standard for credit losses was a substantial undertaking. The FASB's extensive outreach activities prior to finalizing the standard included meeting with over 200 users of financial statements and holding more than 85 meetings and workshops with preparers, including field work at 25 company locations to get direct input. Feedback provided to the FASB during the standard setting process included, among other things, concerns with how the new standard will impact loan duration, cost of credit to borrowers and the potential pro-cyclical effects on banks. It is my understanding that the FASB considered all feedback received and included amendments in the final standard to address many of the concerns raised by stakeholders. 
The Commission staff has actively monitored the standard setting process and continues to monitor implementation activities undertaken by stakeholders and the FASB. In particular, staff has actively monitored the FASB's Transition Resource Group for Credit Losses (TRG), whose members include financial statement preparers (including community banks and credit unions), auditors, users and financial services regulators, and has encouraged banks to bring questions about the accounting standard before the TRG for discussion. In short, the staff has been and will continue to assess whether CECL is having its intended effect of aligning reporting with management's analysis and whether there are any unintended negative consequences, including those discussed in the next question. Q.2. Has the SEC engaged in discussions with the Federal Reserve about the potential impacts that the new CECL standards will have on the Comprehensive Capital and Review (CCAR) process? A.2. While the FASB establishes accounting standards for the benefit of investors, prudential regulators also use the information generated by financial reporting for their own regulatory purposes, including in setting capital standards for financial institutions. There is a long history of engagement between the SEC and the prudential regulators on accounting issues, particularly in areas where the needs of investors and the supervisory needs of the prudential regulators have diverged to some extent. The SEC staff has been engaged in ongoing discussions with the banking regulators regarding the potential effects of the new CECL standard. We are aware that the regulatory capital requirements are currently being analyzed by the appropriate banking regulators and other supervisory bodies in connection with the changing accounting standards. 
For example, the Basel Committee on Banking Supervision, which provides a forum for regulator cooperation on banking supervisory matters, recently issued transition guidance with respect to the impact of accounting changes on regulatory capital. The Basel Committee has indicated that it will monitor the effect of the new standard's impact on capital, including a quantitative impact assessment. Additionally, the U.S. Treasury has recommended that the potential impact of the new standard on banks' capital levels be carefully reviewed by U.S. prudential regulators with a view toward harmonizing the application of the standard with regulators' supervisory efforts.\1\ Finally, the Commission's Chief Accountant has expressed his encouragement and support for this review to ensure regulatory requirements are updated, if necessary, to account for the impact of any change resulting from the new standard.\2\
---------------------------------------------------------------------------
\1\ See U.S. Department of Treasury, A Financial System that Creates Economic Opportunities--Banking and Credit Unions (June 2017), available at https://www.treasury.gov/press-center/press-releases/Documents/A%20Financial%20System.pdf.
\2\ Wesley R. Bricker, Chief Accountant, U.S. Securities and Exchange Commission, Remarks Before the AICPA National Conference on Banks & Savings Institutions: Advancing High-Quality Financial Reporting in Our Financial and Capital Markets (Sept. 11, 2017), available at https://www.sec.gov/news/speech/speech-bricker-2017-09-011.
---------------------------------------------------------------------------
I believe that these reviews are entirely appropriate and necessary--when an accounting standard is changed in a way that provides investors with better information, but that gives rise to unwarranted results under bank capital rules, it may be necessary to modify other rules (e.g., the bank capital rules) to eliminate that unwarranted result.
SEC staff will continue to engage with the prudential regulators on this issue and provide any assistance they require as they undertake their process for reviewing their standards.

Q.3. Are you concerned that the CECL standards could create incentives to keep banks from lending in an economic downturn (an impact that could be amplified by stress testing requirements) and slow a recovery?

A.3. While financial institutions are still evaluating the effect of the new standard, some have indicated that the new requirement to immediately recognize expected losses, instead of deferring losses until ``incurred'' (as under the existing standard), could adversely impact an entity's ability to lend in an economic downturn or slow an economic recovery. I am concerned by these issues. But I would also be concerned if financial reporting standards were not providing investors with relevant, reliable and timely information about a financial institution's credit risk and its change in expected credit losses. Many of the concerns expressed by banks appear to me to be the result of the interaction of the new CECL standard with existing regulatory capital requirements. I support the ongoing efforts by the appropriate banking regulators and other supervisory bodies to analyze the regulatory capital requirements in connection with the changing accounting standards.
------
RESPONSE TO WRITTEN QUESTIONS OF SENATOR CORTEZ MASTO FROM JAY CLAYTON

Q.1. Can you elaborate on the changes made to the Securities and Exchange Commission's (SEC) delegated subpoena power that you described during the question and answer period of your testimony?

A.1. The Federal securities laws authorize the Commission, or any officer designated by the Commission, to issue subpoenas requiring a witness to provide documents and testimony under oath.
The Commission itself has the power to designate members of the staff to act as officers of the Commission in an investigation by issuing a Formal Order of Investigation (formal order). The formal order serves two important functions. First, it directs that a nonpublic investigation be conducted, and second, it designates specific staff members to act as officers for purposes of the investigation and empowers them to administer oaths and affirmations, subpoena witnesses, compel their attendance, take evidence and require the production of documents and other materials. Once a formal order issues, staff in the Enforcement Division who are named as officers in the formal order can issue subpoenas for documents and testimony.

In the wake of the financial crisis, the Commission, by rule, delegated the authority to issue formal orders to the Director of the Enforcement Division. This authority was then sub-delegated by the Chairman of the Commission to additional senior officers in the Enforcement Division. This sub-delegation to the Division's senior officers was removed before I joined the Commission, but the Commission's rule delegating authority to the Enforcement Division's Co-Directors remains in place.

I have discussed the delegation of formal order authority with the Co-Directors of the Enforcement Division, and I am comfortable that there are benefits to having that authority resting with the two of them, including that it enables them to more efficiently and effectively manage the nationwide Enforcement program. I do not believe that limiting the authority to the Enforcement Division Co-Directors has negatively affected the Commission's ability to protect investors and deter misconduct. Rather, following consultation with the Co-Directors, I believe at this time that the current scope of delegation enhances investor protection as it provides for a more effective allocation of limited resources by the leadership of the Enforcement Division.

Q.2. Please describe what specific steps you have taken during your tenure, or that you intend to take, to increase individual accountability for wrongdoers at offending firms subject to enforcement actions from the SEC.

A.2. As I stated at my confirmation hearing, I strongly believe in the deterrent effect of enforcement proceedings that include individual accountability. I firmly believe that individual accountability drives behavior more than corporate accountability. Bad actors undermine the hard-earned confidence that is essential to the efficient operation of our capital markets and there is zero room for them in our capital markets. The Commission considers individual liability in every case; it is a core principle of our enforcement program and holding individuals accountable for wrongdoing is a priority for me. To date, the Commission's publicly announced enforcement actions and investigations have borne out the premium I place on individual accountability. As Chairman, I will continue to support the Enforcement Division's efforts to hold individuals accountable when it is appropriate to do so under the facts and the law. In this regard, it is important to note that, while no two matters involving individuals and corporations are the same, on balance and across a large sample of matters, pursuing a greater number of individuals may require more resources (including time) and may lead to lower aggregate fines and collections as individuals generally have fewer resources than corporations. However, I believe the beneficial effects--most significantly deterrence and removal of bad actors--weigh in favor of pursuing individual accountability where the facts warrant.

Q.3. I am deeply concerned about the cyber breach of the SEC's EDGAR system, and the hacking of sensitive, nonpublic and market-moving corporate information. But in addition to the EDGAR breach, I'm concerned about potential other vulnerabilities at the SEC.
For example, the SEC has a ``Tips, Complaints and Referrals'' public-facing portal, where potential whistleblowers may go to report illegal behavior. If this data was compromised, it could serve as a roadmap of potential sensitive investigations of SEC-regulated entities, and could expose confidential whistleblowers to serious harm and retaliation. How confident are you that the SEC's whistleblower portal is secure? And do you need further resources from Congress or support from the Administration to ensure that this repository of sensitive information is protected?

A.3. The Tips, Complaints and Referrals (TCR) system is an integral element of the SEC's whistleblower program. The whistleblower program alerts the SEC to possible fraud and other violations earlier than might otherwise be possible and helps to minimize harm to investors. To better protect whistleblower data, several security improvements were applied to the TCR system in fiscal year 2017, and the staff continues to evaluate the safety and soundness of the security protocols surrounding the system. The staff believes the improvements made in fiscal year 2017, together with other improvements that the SEC expects to implement, will augment and improve the security of the TCR system. As I said in my confirmation hearing and in my written testimony before the Committee and the House Financial Services Committee, cybersecurity is an area that is vitally important to the SEC, our markets and me personally, and I commit to studying and evaluating whether additional support or resources are needed from Congress or the Administration.

Q.4. In the statement you released on September 20th regarding cybersecurity, you noted that the SEC was, ``in the process of implementing the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity.''\1\ These standards are meant to provide ``best practices'' for the roles and responsibilities of agency officials in carrying out the SEC's information security objectives, including training efforts. Please describe why the Commission is still ``in the process'' of implementing the NIST Framework. This is particularly pressing since this framework was first proposed in February 2014, meaning the SEC has had three and a half years to implement it. When is your timeline for completing implementation? Can you speak to whether, if the SEC had fully implemented this framework by 2016, could the EDGAR hack have been prevented?
---------------------------------------------------------------------------
\1\ https://www.sec.gov/news/public-statement/statement-clayton-2017-09-20.
---------------------------------------------------------------------------
A.4. All Federal agencies, including the SEC, have been required to follow the NIST Risk Management Framework (RMF), a framework to improve information security and strengthen risk management processes.\2\ The NIST Cybersecurity Framework (CSF) was created in 2014 as a voluntary framework of industry standards and best practices to help private sector organizations manage cybersecurity risk.
On May 11, 2017, the President issued Executive Order 13800 (Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure) that, for the first time, required implementation of the CSF for all Executive departments and agencies.\3\ Because the CSF introduces entirely new cybersecurity nomenclatures, outcomes and metrics for organizations, successful implementation is a significant undertaking that entails top-to-bottom review and redesign of all aspects of an agency's cybersecurity program and significant staff training to educate staff on the new framework. Implementation also necessitates that agencies first understand how best to leverage the RMF alongside the newer CSF, which has key differences.
---------------------------------------------------------------------------
\2\ https://csrc.nist.gov/projects/risk-management/risk-management-framework-(rmf)-overview.
\3\ https://www.whitehouse.gov/the-press-office/2017/05/11/Presidential-executive-order-strengthening-cybersecurity-federal.
---------------------------------------------------------------------------
The SEC began work to implement the CSF shortly after the May 2017 Executive Order. We have submitted an implementation plan to the Department of Homeland Security, and its successful implementation is a priority. I support adoption of the CSF because I believe that it will provide both technical and nontechnical personnel with a heightened understanding of the risk and vulnerabilities associated with agency systems, which is vital to ensure security protections are implemented commensurate with risk. It is important to note that I have also initiated a general assessment and uplift of our cybersecurity risk profile, including the identification and review of all systems that hold market sensitive data or personally identifiable information. It is my aim and expectation that this exercise will provide valuable context in the SEC's continued efforts to implement the CSF.

Q.5. Chair Clayton, at your confirmation hearing, I asked you for your thoughts on financial companies' use of mandatory pre-dispute arbitration clauses--or what's commonly known as ``forced arbitration clauses,'' which prohibit consumers and investors from banding together in court and force them to ``go it alone'' in a system tilted to the benefit of large corporations. Your response to my question at your confirmation hearing, and to my questions for the record, indicated that you needed to learn more about this issue and consult with SEC staff before offering an opinion. Now that you've had 4 months on the job, are you willing to commit to have the SEC staff study the use of forced arbitration clauses by companies within the SEC's jurisdiction?

A.5. The prospect of prohibiting, limiting, or conditioning the use of mandatory pre-dispute arbitration agreements raises a number of complex issues, including potential effects on: (1) retail investor choice; (2) forum access; (3) finality and appellate rights; (4) development of legal precedent; (5) time to resolution and cost of resolution; and (6) identification and removal of wrongdoers. To help better understand the concerns surrounding mandatory pre-dispute arbitration agreements, the Commission has solicited public comment about the ability of retail customers to bring claims against their financial professionals \4\ and has received letters reflecting, among other things, deeply held but disparate opinions on this issue.
---------------------------------------------------------------------------
\4\ See Duties of Brokers, Dealers, and Investment Advisers, Exchange Act Release No. 69013 (Mar. 1, 2013), 78 FR 14848, 14853 (Mar. 7, 2013). The Commission also made available email boxes with respect to various provisions of the Dodd-Frank Act, including Section 921 (Authority to Restrict Mandatory Pre-Dispute Arbitration). See Public Comments on SEC Regulatory Initiatives Under the Dodd-Frank Act, available at http://www.sec.gov/spotlight/regreformcomments.shtml. Additionally, on June 1 of this year, I issued a statement requesting public comments on standards of conduct for investment advisers and broker-dealers. See Public Statement by Chairman Jay Clayton, ``Public Comments from Retail Investors and Other Interested Parties on Standards of Conduct for Investment Advisers and Broker-Dealers'' (June 1, 2017) available at https://www.sec.gov/news/public-statement/statement-chairman-clayton-2017-05-31.
---------------------------------------------------------------------------
Because of the potential impact of any changes to current practice, as well as the strong views on both sides of this debate, I believe further information, data, and analysis would be beneficial to assist in determining whether and if so, how, to address the use of mandatory pre-dispute arbitration agreements. To that end, I have asked the staff to undertake additional information gathering on this issue. I have asked the staff to then brief me in the coming months.