Jay clayton testified before the Banking Committee about a data breach at the agency. He answered questions about the Security Breach at equifax. Today, we will receive testimony from securities and Exchange Commission chairman, jay clayton, regarding the work and agenda of the fcc. Thank you, mr. Chairman, for attending here today. Oversight of the fcc is a critical function of the committee. We have an important threepart mission, to protect investors, maintain fair, orderly and efficient markets. No one part of this mission is more important than the other. The scc increases transparency and trust in the u. S. Stock market providing investors with the information they need to make informed Investment Decisions. It helps investors artis pate on a firm footing to participate in college, retirement or other lifechanging events. It is critical they fulfill this mission. At the same time, scc must be cognizant their work may carry risks to the investors it seeks to help. I commend you for initiating the cyber risk profile, mr. Chairman. They collect and store public and nonpublic data. If this data were subject to a cyber breach, it could have severe consequences to the markets, Market Participants and the American Public. I was disturbed to learn they suffered a cyber breach of the system in 2016 but did not notify the public or all the commissioners until it was discovered during your recent review. It is critical that the scc safeguards the data it collects and maintains especially as the audit trail or c. A. T. Becomes operational. Through the c. A. T. , the scc has access to significant nonmarket public data and unidentifiable information including names, addresses, dates of birth and Social Security numbers. The Equifax Breach we need to ensure entities only collect this type of information if and when absolutely necessary and if it is collected, that is it problemerly secured. Im glad to see under your leadership, the scc is taking Cyber Security seriously. Other regulators and agencies should follow your lead and delineate the profiles. If breached, disclose events to congress and the public. Cyber attacks and breaches are a significant risk at all entities, both regulators and companies. As a part of your work in the Cyber Security area, you should review current cyber risk disclosure guidance to ensure they understand the magnitude and cyber risks at Public Companies. Along with your attention to cyber, i appreciate your focus on the standards of comment for broker dpeelers. The few dishary rule will limit the choice making it more expensive for americans and ultimately hurt the ability to save for retirement. If clarification needs to be made for broker dealers and investment advisers, they have the most expertise for all investors. I also appreciate your focus in public discussions on encouraging capital formation. They are essential to helping markets grow, facilitating and making sure americans have Investment Opportunities. Im interested in hearing your ideas to encourage them to go more public. The senate recently passed several bipartisan bills and would be interested in additional ways to improve the laws to help all americans. I look forward to hearing your thoughts on these issues and the future of the commission. Senator brown . Thank you, chairman. Welcome chair clayton to the committee. Last week, just about every adult in america was trying to comprehend the risk they or someone in their family faces because of the Equifax Breach. The integrity of the system, it allowed hackers to obtain nonpublic information. We expect the companies that hold americas personal Financial Data will keep it secure and be up front with lawmakers than breaches. Regulatory agencies must bide by the same, for frankly a higher standard. When we learn a year after the fact that scc had its own breach and likely led to illegal stock trades, it raises questions about why the scc seems to have swept this under the rug. What else are we not tolt . What other information is at risk . What are the consequences to the American Public . Of course this breach took place under your predecessor, we recognize that. The disclosure or lack thereof is yours. How are main Street Investors confident to hold them accountable when the scc is not or immediately forthcoming. Equifax violated the trust twice. First, when it failed to secure the data it collects and profits from about americans Financial Lives and the second time, waited a month to admit to a breach. How can you expect companies to do the right thing when your agency has not. We have to earn the publics faith. Right now, scc needs to do more and make sure its companies it regulates that they do better. Doing more doesnt end with Cyber Security. The mandate has never been more important, making sure main Street Investors are treated fairly, companies do not abuse accounting rules and markets are efficient and transparent should be at the top of your list at the scc as you consider offering reforms and reducing disclosure. Protecting investors and maintaining Financial Stability mean that scc needs to finish the doddfrank title vii rules, the compensation rules the rules on equity compensation. Each will help enhance investors and the Publics Trust in our financial system. Its been five months, almost, since your swearing in. I bet the next five months will be the most demanding than the last five. Everyone will look at how you hold companies accountable. Thank you, senator brown. Chairman, your full, written testimony handmade part of the record. I understand you asked for an extra minute in your opening statement. You are welcome to have that. I dont want the senators to think everyone is granted an extra minute in their questioning. I encourage them to remember the time. With that, mr. Chairman, please proceed. Thank you for your endull jens. Chairman crapo, Ranking Member brown, members of the committee, thank you for the opportunity to testify before you today about the Exchange Commission. I will attempt to be concise in remarks as you and the American People have questions regarding among other things cyber risk profile and the intrusion we disclosed last week. I will start with a thank you. My fellow commissioners and people of the agency have been welcoming to me. I have benefited from each interaction. During my four months at the commission, i devoted a substantial portion of my efforts to Agency Operations including whether we have the people, technology and office space necessary. As discussed in more detail in my written testimony, i believe there are four areas where additional focus and resources are most needed. Cyber security, Retail Investment protection, market integrity, risk and resiliency and capital formation. Specifically, with regard to Cyber Security, i have been focused on this since my first weeks in the commission. As recent events demonstrate, this is an area we need attention to respond to market developments and meet the expectations of the American People. I will turn to the recently disclosed incident. In august, 2017, in connection with an Ongoing Investigation by the division of enforcement, i was notified of a possible intrusion into the system. In response to this, i immediately commenced an internal review. Through this review and the ongoing enforcement, i was informed of the 2016 intrusion, one, provide access to the filing information and two, may have provided a basis for illicit gain for trading. We believe the intrusion was an exploitation in a defect in the software in the system. When it was originally discovered, the office of Information Technology, oit, took steps to fix the defect and reported it to the department of homeland security. Based on the investigation, to date, oit staff believe the effort was successful. We also believe the intrusion did not result in unauthorized access to identifiable information and result in Systemic Risk. I note, our review and investigation of these matters is ongoing and may take substantial time to complete. This review has two related components. The first is focused on the 2016 intrusion itself including efforts to determine the scope and whether there were or are vulnerabilities in the system. Importantly, in conducting this review, it has been a priority and constraint to maintain the security and operational capabilities of edgar. A criticf our disclosure based market system and accepts filings virtually continuously during the week. Various agency personnel, including members of Enforcement Division, the office of general counsel, and the office of Inspector General, have been involved in this effort. In addition, i have formally requested that the office of Inspector General begin a review into, one, what led to this intrusion, two, the scope of nonpublic information kproe compromised, and three, our efforts in response. Ive asked the office of Inspector General to provide recommendations for how the sec should remediate any related system or control deficiencies. The second component of our review consists of our investigation into trading, potentially related to the intrusion. The investigation is being kukd by our division of enforcement and is ongoing. There are limits on what i know and can discuss about the 2016 incident due to the status and nature of these reviews. Nevertheless, this past wednesday i directed the issuance of a cyber risk profile statement and a press release highlighting the 2016 intrusion. I directed this disclosure because although many questions remain, i believe that, one, once i knew enough to understand that the intrusion provided access to nonpublic edgar test filings and, two, that this may have resulted in misuse of nonpublic information for illicit gain, it was important to make that disclosure to the American People and congress. The matter involving our edgar system concerns me deeply. I recognize that i am not the only one who is deeply concerned. Rightfully it will cause this committee and others to increase their focus on whether the commissions approach to cybersecurity appropriately addresses our cyber risk profile. This is all the more reason it was appropriate to disclose the intrusion now even though our review and investigation are ongoing. As a result of this incident, some have questioned whether we can appropriately protect the Sensitive Information we receive and whether we should receive Additional Data to further our mission. This is not the time for the sec to pull back from our important market oversight role by limiting our access to Sensitive Information. Our mission is too important to millions of main street investigators,ish wers and Market Participants to do so. We must be vigilant and we do better. We must also recognize in both the public and private sectors, including the sec, there will be intrusions and that key components of Cyber Risk Management for organizations and Market Participants generally are resilience and recovery. Turning to policy matters, my written testimony discusses our recent regulatory efforts in detail. I will highlight only one item, the upcoming regulatory flexibility act agenda. A semi annual disclosure of the commissions near term priorities. Ible it is important that these agendas provide transparency and accountability for agency matters. If they are to meet their intended purpose these agsds must be streamlined to inform congress, investigators and or interested parties about what we expect to do over the coming kwleer. We intend to provide just such an agenda. Thank you for your indull ens on the extra time. Thank you very much chairman. First ive been long concerned with the data requirements by our regulators. Im very concerned also about the massive Data Collection thats going on in the private sector. Information about peoples lives that can and we are seeing has resulted in damage to them. My concerns have only grown given the disclosed Cyber Breaches at the fdic, the irs, the opm, your commission and other agencies. Ive mentioned many times in hearings that Consumer FinancialProtection Bureau and its massive Data Collection that im very concerned about. In addition, the sec itself has come under scrutiny in recent gao reports for its own security controls over its key Financial Systems and information. The sec and other agencies monitor, regulate and enforce the data safeguards in place at regulated entities. Given the amount of data that they collect, as well as the roles they play as the stewards of our markets, the sec and other Government Agencies must be held to a higher standard when it comes to cyber readiness. A couple questions about the current cyberattack that you are dealing with. Can you give us any more information about the defect in the software that caused this attack or is this not the time to discuss that . I do not have any more information about the type of defect that led to the intrusion. There is an Ongoing Investigation. Weve got the office of Inspector General involved, and as relevant facts become available, we intend to work with this committee to ensure that you have the information you need in your oversight role. And youve said this already in your testimony generally, but what actions did you take as you found out about this breach . So its not like you find out about a breach and you know everything on day one. Right. This came to my attention in august of this year. I immediately instructed an investigation take place. Over the course of that investigation and review, it became clear to me that this was a serious matter. When it became clear to me that this was a serious matter, i made the determination to take a number of steps, including eninsuring that the system was continuing to work. As i said, it is a system that is critical to the operations of our markets and the sec. Also, disclosure. I know that thats a focus for this committee. Let me get right to it. I decided when this was serious that disclosure was necessary. Then the question is what facts do you have . We tried to gather more facts. You want to make a clear disclosure. You dont want to make disclosure thats misleading. I made the decision over the last past weekend that the time had come to make disclosure. We knew enough to make the disclosure. We werent going to learn any more and we made the disclosure. Weve taken a number of additional steps, including hiring outside consultants to do penetration testing, constant reviews of our system. One of the worries in a situation like this is when you make a Public Disclosure, other people try to test and probe. We are under constant attack from nefarious actors. So i can go through other things, but thats a high level summary of the steps taken. All right. Thank you very much. Id like to talk about the consolidated audit trail for just a moment. The consolidated audit trail or cat is an issue that has been important to me and many members of the committee for a number of years. Once implemented cat will capture customer and order event information from the time of the order inception through execution. Such information will also include personally identifiable information. As i mentioned, im concerned by the governments collection of such information. Do you believe that this data must be collected and if so, how can you assure that it will be adequately protected . I do believe that data of the type were discussing in cat is very valuable to our oversight role. If you look at Insider Trading or monitoring of investment managers, broker dealers, this type of data enables us to detect Insider Trading that we would not have been able to detect in the past. It enables us to prioritize our examination efforts. Its important. That said, when i got to the commission and investigated the cat system as a person responsible for it as opposed to someone from the outside, i quickly made the decision that we do not want to take Sensitive Data that we do not need to further our mission. And we need to examine that data. We also should not take any Sensitive Data unless we can protect it. And i felt that way a month ago, two months ago. I feel that way even more so today. All right. Thank you. Senator brown. Thanks, mr. Chairman. Equifax as we know so well waited six weeks to disclose its cyber breach, the personal identifiable of 143 million americans were in the hands of criminal, as we know. Companies may often say if a matter does not have a Material Impact on its Financial Results they dont need to disclose it to investors and the public. Is material although the right disclosure standards when a company has a breach and americans personal information is stolen . Senator, i believe material although is the core of our disclosure system. I believe its the touchstone. Going to your question about whether companies are making the right material although assessment, i think thats a very good question. So when its left in the hands of the company with the sec, from your just that response, doesnt seem its engaged maybe in this question, in this issue as we might like. They may continue this kind of behavior. Companies should be disclosing more. Im want going to talk about a specific company or a specific set of circumstances. Thats inappropriate in my position. As i look across the landscape of disclosure, and i have been saying this for some time, companies should be providing better disclosure about their risk profile. Companies should be providing sooner disclosure about intrusions that may affect shareholders Investment Decisions. And i also believe that across the landscape of our markets, not just company by company or regulator by regulator, but across our markets, there should be better disclosure as to the cyber risks we face. So you would totally disagree with equifaxs decision to withhold that information for those several weeks . Im not citing material although if they were . Senator, im not going to get into a particular companys decision or nondecision. So you cant say to this committee that equifax wasnt wrong in withholding this information . It would be from your perspective of the executives that dump their stock, forget that for a moment. You cant say to this committee they were wrong in withholding that information . It would be inappropriate for me to comment to that matter, that specific matter. Let me say this about making the decision on when to disclose. We expect people to constantly assess. When they have notice of a cyber breach, we expect people to constantly assess whether that breach is material to investors and when they determine that it is, make appropriate disclosure promptly. Well, thats a pretty big concern. If a company did what they did and the chair of the sec is not willing to be critical of that, thats a concern to a lot of us. Let me move to another part of equifax. This morning equifax announced its ceo is retiring. Two weeks the ci o and chief Security Officer retire. Do you think its appropriate, mr. Chair, for the chefs who ran the company during the massive breach that they get to retire and keep their bonuses and stock awards . Again, senator, that is a specific matter, a matter that may come before the commission, may come before me to make decisions. It would be inappropriate for me to comment on that specific matter. Do i believe that if executives have profited from a high stock price thats a result of failure to disclose, other acts that are clearly violations of our securities laws, should there be an ability to get back those gains . Yes, i do. And you think the claw back should be ordered by the sec, not relying on the board as wells fargo apparently did . As you know, there is a pending rule making in this regard and were looking at that. And isnt it time the sec finished the to do frank claw back rule . It is one of many mandates i intend to finish the mandate. There is a priorityization. I am going to be very open with this committee and the American People and the regulatory flexibility agenda about our priorities and i welcome your continued input on how weve prioritized those. And you understand the American Public in case after case after case feels this government let it down when executives through massive incompetent which may have been all it was with equifax or fraud if the failure to disclose contributed to the executives dumping their stock, you understand the American Publics anger with fact forgetting anybody going to prison. I get that. But not even claw backs for these executives. You understand the American Publics outrage about that . Yes, i do. Okay. Glad to hear it. Thank you. Thank you. Senator scott. Thank you, mr. Chairman. Thank you to chair. Thank you for being here this morning and thank you for your important work. I have once had to answer to the sec as a financial representative, and that was never fun to have you guys walk into the office and share your valuable time with those of us in the business. However, i do think its important for us to recognize the fact that the fiduciary rule has had a negative impact on Many Americans. The average south carolinian has less than one years salary in their retirement accounts. Restricting access to professionals in the financial industry has a negative impact on the Resources Available to the average american for retirement. And the last thing we need to do at this point is to find ways to get experts out of the household, which is the unintended consequence of the fiduciary rule from my perspective. There was a survey of 600 financial advisers. They found that 75 of the professional whose clients have starting assets under 25,000 will take on fewer small accounts due to increased Compliance Costs and legal risks under the dols rule. These folks desperately need the experts to make good sound financial decisions. I was pleased to see the 18month delay, so my question to you is what more can you tell us about your coordination with the dol on the fiduciary rule and the 18month delay . Yeah. Thank you, senator. I want to thank secretary acosta for reaching out to the sec in this regard. Reaching out to say we should Work Together on this. And i believe we should Work Together. Steps we have taken, ive issued a request for updated views from investors and from industry participants on the effects of the dol rule and what we should do Going Forward in terms of standards of conduct. Were reviewing the information received. Ive made it clear that based on what i know to date, there are a couple of things that i want to make sure are reflected in any rule making joint rule making we do in this regard, including with the state regulators. First that investors of the type you describe have choice, that theyre not pushed into a narrow set of circumstances as a result of whatever steps we take. Second, that theres clarity. That investors know the type of person theyre dealing with and they know the obligations owed to them. Third, that there is consistency. If you have two different types of accounts but youre facing the same person, a retirement account and a nonretirement account, there ought to be consistency with respect to to those accounts. And last coordination, that we, the dol and state regulators are coordinated in how we approach this. And im very much looking forward to working with the department of labor as we proceed. Thank you. It certainly is good to have the sec and dol working together on such an importantish on. State insurance regulators are the experts on fixed income annuities. How will you be volg the state regulators . I been in dialogue with the state regular lartsz since i got on the job they will be part of this effort. Excellent. I know im running out of time so i do want to make two more points. One on the Chicago Stock Exchange. The fact that we are looking at chinese investors trying to buy the Chicago Stock Exchange, and you pumping the breaakes on tha decision. I think its good. We all would like to encourage more fdi, but we need to do it in a more responsible way. Another issue that seems to be really important these days is shareholder resubmissions. Management of Public Companies should be held accountable by their shared every shareholders. A balance between both sides ensures productivity and corporate transparency. That said i wonder if the scales have not been tipped a little bit too far. As of now we allow for the resubmission of shareholder proposals even if nearly 90 of shareholders have already voted no in the past. That creates cost and distracts from longterm thinking. All the while doing little to protect investors. How are other shareholders impacted by such a low bar for proposal of resubmission . Senator, i agree with you. This is an area that we should be continuingly examining because shareholder access to management is important. There are many times where shareholders have made proposals that have gotten traction and have led to positive change. That said, you identify an issue that you can have not widely held i had sin accurateic vuds of a few shareholders cost the other shareholders a substantial amount of time and Cost Management a substantial amount of time which is valuable time you dont get back. And we need to continually look at that balance in our oversight role. Thank you. Thank you, mr. Chairman. Thank you, sthor scott. On a topic that senator scott just brought up with the u. S. Stock exchange potential purchase by a chinese company. I hope your review would come back negative in that. Thats just my opinion as a dirt farmer. Earlier this month we learned that 360,000 people had their private information stolen when the Equifax Breach happened. To put that in perspective thats over 60 of the adults in our state. I think if the election said anything last time, and it said many things, its that people on the ground, regular folks are tired of getting away with apparent wrong doings. Your answer, chairman clayton, to the Ranking Member on it was inappropriate to comment on the sixweek delay. The sixdelay seems a little bit bizarre to me, especially if in fact these folks dump stock and tried to why would they wait six weeks . Senator, these are good questions. Theyre valid questions. Yeah. They are questions that the American Public should have. In my position as a person who may have to thats why you dont want to comment because its your position you believe firmly that these folks need to be held accountable and if theres any wrongdoing, whether they still have their position or resign from their position, you will to the full extent of the law enforce the law . Thats my job. Good. I would just say that what transpired here,and im not in your position, but six weeks is way, way, way too long. And i just cannot fwlooef that, quite frankly and by the way, mr. Chairman, i know Richard Smith resigned today, but i hope he still comes in front of the committee. I hope you can still get him in front of the committee next week because i think its less of spending time with his family and more of not spending time with us. And i think thats really important. And let me dpif you an example. They spent six weeks announcing the breach, but his resignation was parpgs were signed yesterday. It was announced today. And so they could do it quicker if they wanted to do it. And i hope that moving forward well be watching. Okay . As far as your the secs breach, when in 2016 did that happen . What month . Thats part of our ongoing internal investigation. You dont know for sure . I dont think we can say for sure. Okay. One of the questions the chairman asked you is what type of defect caused the breach, and you said you didnt know what that defect was. And its an honest answer, but the question is is whats stopping them from doing it again . If you dont know what the dwelkt is and tremendous breached your system, it looks to me like they can breach your system anytime they want if you dont know what the defect is gloo ill tell you what i do know. Im told it was a defect in a custom piece of software for our edgar system. I dont want im want a Computer Science expert. Its been a long time since ive done programming. My understanding of this landscape, though, is the more Custom Software is, the more likely it is to be vulnerable. So you were able to cut the kmuchl portion out that was your characterization and mine are going to be lay mens. I think thats fair enough. I got it. So you did say that you were in process of review that would determine the scope of the breach and the response to that scope. Whats your timeline for that . I cant dpi you a timeline. I have experience with these kinds of investigations. One of the things were constrained by is, you know, youve got to pull a lot of data to look at this. Yeah. Including in terms of scope. Yep. Just let me ask you this. Do you feel that this is an urgent matter . I do. So when there isnt definite time lines, its been my experience that these things go on forever. And i would hope that you as chairman of the sec will put the screws to these folks and make sure thoo theyre getting this job done so we can find out whats going on. This is a big deal. I will and ive already involved the office of Inspector General, because they should be looking at this as well. One other thing. Dol, fiduciary rule. And senator scott said that you were working together to harmonize those rules. I was thinking about something else. I didnt pick that up. I just want to confirm that. Are you, woing with the dol to harmonize that fiduciary rule so people dont get ping pongd back and forth between two rules . Yes. And do you anticipate that that harmon iced rule will be out when . This is a priority for me. Everything cant be a priority. This is a priority for me. Youve got a lot of people that work for you so you can have were pushing this one. This is the top of my list in that area of the commission. Thank you very much. Thank you, senator. Senator kennedy. Thank you, mr. Chairman and mr. Chairman. You said you found out about the sec data breach in august of this year . Yes, sir. When did the sec find out about it . In 2016. Did chairman woman polite know about it . What happened in 2016 and who knew about it is going to be the subject of this review that ive asked the office of Inspector General. I have no belief sitting here that chair white knew about this. When you found out about it in august of 2016, how did you find out about it . Our division of enforcement had an Ongoing Investigation. Informs that they gained in connection with that investigation caused them to question whether there had been a breach of our system. And thats the time i launched an investigation. And when did they raise that question . When did they raise that question . When did they raise the question that there might have been a data breach . They raised it to me in august of this year. Did they like raise it at 10 00 in the morning and call you at 11 or did they know about it for a while . I think they raised it promptly upon learning about it. But, you know, again, our response to this matter is something that im concerned about and wanted to get to the bottom of. Well, this bed was on fire when you lay down in it. Im not blaming you. Did chairwoman white tell you about this breach when she was leaving and say this is something you need to worry about . No, no. Like i said, i have no indication that chair white had knowledge of this breach. Okay. Can you will you at some point tell us when the sec first learned about the breach, not when you were first notified but when the sec first learned about the breach . Yes. Ive asked the office of Inspector General to look into this matter. Those are questions i want to know the answer to. Because theyre going to help us do better Going Forward. Okay. Is there any possibility, realistic possibility that the sec knew about this breach in 2016 and didnt disclose it . I dont want to go there. I want to wait until the facts come out. Okay. Thats fair. Let me ask you about the Equifax Breach. After the company, equifax, learned about the data breach, several Senior Executives sold stock. Was that Insider Trading . I am not going to im not going to comment on that specific matter for the reasons that i have discussed. Are you going to investigate it . We dont comment on pending or investigation, including whether they are actually pending. Well, youre not going to ignore it, are you . Im not ignoring this. Im not ignoring this or other events like it. So i take it youre never confirming nor denying that theres an investigation. Thats correct. Well, if you decide and im not suggesting its been our policy for a long time. I want to say that the investigation is going on sure. I understand. I needed to disclose that one. I understand. Im going to stick to our policy with respect to third parties. Its the anticomey rule. I understand. Let me put it this way. Im not suggesting you wont investigate. But if you decide not to investigate, would you let us know so we can investigate . I think thats a fair question. Okay. Fair enough. And im not accusing anybody of anything. Im really not. But theres more than just the data breach involved here. Theres the sanktyty of our he can quit markets as well. And im not accusing anybody of anything. I think the executives are taking the position that they knew nothing, saw nothing. This was just a coincidence, and that may well be. But trust but verify. And im glad to hear that youre investigating. Thank you. Thank you. One of the im about out of time. Up what strikes me, and i think Many Americans is curious about the credit reporting agencies. I didnt hire them. I didnt hire them to collect information about me. I mean, they dont represent me. They represent business, which i understand, but i didnt hire them to collect all this information. And now all of a sudden my information is out there somewhere on the dark web. And it seems to me at some point, mr. Chairman, and mr. Ranking member, that thats something we need to talk about in this committee, about what the role that the credit reporting agencies play and to whom do they have an obligation. Well, im going on too long. Thank you, mr. Chairman. Thank you. This is more interesting than practicing law, isnt it . Some days. Yes, sir. Thank you, senator. Senator warner. Thank you, mr. Chairman. Let me, first of all, echo what senator kennedy has just said. The whole notion of the Credit Rating agencies and the publics ability to we have no ability to opt into these systems. We are part of these systems, whether we like it or not. You know, im often asked in my job on the Intelligence Committee what i think the single greatest vulnerability our country faces is and i believe its cybersecurity. And i believe we do not have a whole of government or a whole of Society Approach on cybersecurity. In recent times we have seen russia take unprecedented action attacking 21 of our states voting systems. Weve seen our social media platforms being manipulated with false information in the first, i think, shots of disinformation and misinformation campaigns, at least indirectly related to cyber. I appreciate you, mr. Chairman, coming forward with the recognition of the edgar system breach. I wish it would have been done quicker, although as has been point out, this is not in isolation. Weve seen opm and a series of other governmental breaches. I think equifax is a travesty. I think the fact that the resignation of the ceo is by no means enough. I would say and i understand your reluctance to acknowledge whether there is an investigation, your colleagues at the ftc who also have a process in place where they normally dont reveal an Ongoing Investigation have felt that this was so serious that they acknowledged that there was an investigation going on. And the Equifax Breach is so egregious, one in terms of the sloppiness of their defenses, two in terms of the fact that this was clearly a knowable vul veshlt. They had known for months and if they had simply put a patch in place we might have precluded this. And then to add fult to injury equifax when it put up the site to direct consumers after the breach, that site was not properly domain registered and was known to have vulnerabilities in its site itself. So if we dont send a very, very strong message now, the market has already taken, i think, 25 off its market value, but i question whether equifax has the right to even continue providing these services with the level of sloppiness and lack of attention to suber suitor. Id also point out and nor brown raised this question. This is not the fist time. I mean, yahoo last year, 500 million user breach and yahoo did not believe that it was material to even report. My investigation has shown with 9,000 Public Companies we have had less than a hundred Companies Since 2010 feel that any level of cyber inkurgs was significant enough to meet that material although standard to notify the public. I find that absolutely unacceptable. And i know senator brown asked that, but mr. Clayton, could you do you want to make any other further comment about what the sec might be looking at in terms of reviewing these material although standards as it relates to cybersecurity . Yes. I do. I agree with you generally. I dont think theres been enough disclosure around, as i said, the risk profile of companies with respect to cybersecurity. Where are the risks, what are the vulnerabilities. What do we know and not know. And then if there are breaches, the disclosure of those specific breaches. I dont think that there has been adequate disclosure in that regard. Well, my hope would be that this would be something i know im very interested in and i think across both sides of the aisle wed like to work with you on whether we need legislative actions or whether we work with you as an entity. Let me move to one other topic. I think back in 2014 you created called s ci, which looks at systems. Ive prodded you repeatedly with letters and other items, both during your tenure and before your tenure, let me make clear. And this goes to the technical and risk standards of some of our market structures that also includes cybersecurity. Currently the s ci regs only auto ply to stock and option changes, registered clearing agencies and certain alternative trading systems. Weve in my view left out dark pools, alternative trading systems, treasury markets, other trading platforms. And i feel if we had much more disclosure about what s ci, which market structures were covered, then people then shareholders and others could vote with their shares and move their transactions on to platforms who met these minimum standards rather than having this what i believe is kind of half coverage and half the market not coverage. I know were out of time. But could you address the question of whether you will take a fresh look in terms of the s ci regulations about expanding to other parts of market coverage. I thank you for your letter, which just by happenstance i read last night. And i agree with you that we need to look at those other important venues in our equity market system to see if they should be reporting on the same basis and also, as you raised in your letter, whether the public has enough information about which entities are subject to mr. Chairman, i think it would be very important that we get that information out because then responsible entities can vote and move to areas that have this kind of minimum protections in place. Thank you. Senator rounds. Thank you, mr. Chair. Good morning, sir. Good morning. Some of my colleagues have already raised the issue of cyberattack against the sec that targeted the secs Electronic System for filing the corporate disclosures and reports. I know that this incident occurred before your nomination and confirmation, but id like to hear your thoughts on what this incident might suggest about our governments broader posture with regards to cybersecurity. I know its difficult for any one agency to adequately protect itself against these kinds of intrusions and sometimes the level of expertise necessary would help a number of different agencies and departments. From what you currently know about the attack that took place, do you feel like you have adequate resources to protect yourself in the future and does there need to be more of a cross cutting or an enter Agency Effort to prevent these serious intrusions in the future . Senator, i do believe we need Additional ResourcesGoing Forward. I think that this is an area and data point i use to describe this to people. Let me take a step back. Other people in my position and in similar positions in other agencies feel the same way i do, which is this is a risk to our agencies. Its a risk to the markets or the areas of the economy that we regulate and oversee. I believe well need more resources Going Forward. If you look at the resources that private actors in our Capital Markets devote to Information Technology and cybersecurity as part of that, single actors dwarf the amount that we have available to spend in this area. To me that just tells me were a bit out of step and we need to up our game. If you take a look at i think the edgar system is the Current System thats going to remain in place and it basically, as indicated in your earlier today, its complex. Its been modified. Its been customized. And based upon the information you have received, that makes it probably a little bit more vulnerable than some other types of larger systems that are that basically have a number of the patches put together before they ever end up in the publics hands or in an agencys hands. Youve also got another system coming on board, the cat system and the comprehensive audit trail which will be coming in. I presume the two of them will be compatible or at least operational at the same time. When that happens youll also have a huge amount of information that will be found at one location, including a lot of information about investors, their personal information and so forth that youll have on the system itself. Is it time to say time out and to make darn sure that the new systems coming on board have been, and naturally wed do a vetting process anyway, but is it time to have those second and third opinions on this type to make sure that weve done everything we can to protect this very valuable data before we go online and then find out that there needs to be a few more patches made . Whats your thoughts on this process of actually implementing the cat system in the future . Two responses. One, since i got to the commission and learned more details about the cat, as i said before, its been clear to me that we dont want to be taking data from the cat unless we need it and can protect it. With respect to whether we should have a time out, i dont think a full time out on the cat makes sense. There is a lot of data that already exists that we can be collecting that will further our oversight and regulatory mission. But we should be examining whether we do indeed need that data. We can rank that data. We can phase in the cat. And we should be doing its not a zero one onoff. No pun intended. But we should be doing the kind of Critical Thinking that youre asking me to do in how we bring it online and how we sequence what we do. Do you have the resources to do that vetting process today . That vetting process is a prerequisite. So if i dont have them, that will be time determinative on how it comes online. Okay. Let me turn to one other subject. I understand that a certain Federal Reserve bank capital regulations may be inadvertently causing some liquidity concerns in theisted Options Market that the sec regulates. Will the securities and Exchange Commission commit to working with interested parties on a solution and to make this a priority . Liquidity in the options area . Within the listed Options Market. Its not just important for the Options Market. Its important for all of our markets. And so, yes, if theres a liquidity issue in the Options Market gs, it can affect the cash equities market and its important that we focus on it. More than willing to work with more than willing to work, yeah. Its an important issue. Appreciate it. Thanks. Thank you, sir. Senator war reign. Thank you, mr. Chairman and thank you for being here, chairman clayton. In one of your first speeches as chairman you noted that there has been, quote, a 50 decline in the total number of u. S. Listed Public Companies over the last two decades. And you said that this decline was, quote, a serious issue for our markets and the country. And you wanted to encourage more companies to go public so more ordinary investors or mr. And mrs. 401 k as you called them could get opportunities to invest in emerging companies. And you used this rationale for arguing that we should review and possibly reduce the disclosure burdens on Public Companies. Now, i want to understand your thinking on this. You compared the number of Public Companies today with the number of companies in 1996 and 1997. That was your comparison point, which as you know was the height of the. Com boom. And as you know, there was a sharp increase in the number of Public Companies leading up to the 1996 and 1997 years. And then a lot of those companies failed over the next few years, leaving mr. And mrs. 401 k losing a whole lot of money. So when you pick 1996 and 1997 as your target years for comparison, were you arguing that those were the ideal Market Conditions for ordinary investors . Im happy to pick any period over the last 20 any five to seven year period over the last well, if youre happy to pick any period, if you pick other periods, youre not going to come up with the same conclusion you have. I think i would. I think the trend no, i dont think so. Lets talk about the trend. I take it is what youre saying is you do not wish to recreate the bubble that wiped out billions of dollars of investor value 20 years ago . No, i definitely do not. Okay. So lets look at the trends, then. Since the dot come bubble popped, theres been a slight decline in the number of Public Companies since then. Most of the evidence shows that that is primarily because of an increase in memoriers and acquisitions. So if you want more Public Companies, then i hope you are soon going to give a speech supporting stronger antitrust enforcement. But lets just look at the ipos, since that has been your focus. You said you want to get more investors involved in emerging companies, which is why you want to see more Companies Going public. Now, in 1996 the peak of the dot come bubble there were 624 ipos with a total of 36 billion in deal volume. From 2012 to 2016 there were about half that number of ipos, but the average annual deal volume was higher than it was in 1996. In 2014 ipos raised 96 billion, nearly triple the total debt volume in 1996. So in other words, in the last few years people are investing more money in ipos than they did even at the height of the dot come boom. So if your primary focus is on investors, not on the bankers and the deal lawyers who make money on each of these ipos, why do you care if there are fewer ipos as long as ipos overall are attracting more investor dollars . Because i believe that those ipos here is a companys growth curve. I believe those ipos used to happen here, and if you invested in a portfolio of companies that were down here as part of your Overall Investment strategy and as they go up the growth curve, you as a retailer investor were better off than getting on up here where the company is mature and not growing as much. Well, i appreciate that thats your point of view, but have you looked at the data on this . Because the data show that having fewer but bigger ipos is better for investors. The Ipo Companies now tend tow more revenue. They tend to perform better in the long run than in the past when there were more ipos and more failures. Which looks to me like a positive outcome for mr. And mrs. 401 k. Well, its a concern to me, senator, and i understand different people have different perspectives on this. Its a concern to me that on that growth curve most of that i shouldnt say most of the money. Substantial portion of that money is private money. And those investors have done very well and in many cases relatively much better than so well, im sorry. All i can do is look at the data. What the data show us is that the later that the ipos now are performing period of time for investors and less likely to wipe investors out. Let me just state my concern here, chairman clayton. Youre using the decline in ipos to argue that theres something wrong in the market and that our rules and regulations are making it too hard for companies to go public. But the data show that investors are putting more money into ipos now than ever before and that those Ipo Companies are doing better for investors because theyre more stable before they come to market. Loosening the closure and the Registration Requirements may make life a whole lot more profitable for a handful of bankers and for corporate attorneys who just want more ipos in the system, but there is no evidence that it will make life better for investors. And it is investors, not bankers and lawyers, who youre supposed to be watching out for at the sec. I understand that. Thank you, mr. Chairman. Senator shots. Thank you, mr. Chairman. Commissioner, thank you for being here. You said material although is the core of the system of disclosure. I agree. You said companies should disclose more. I agree. I want to talk a little bit about the risk of Climate Change and Severe Weather events. In the last 35 years the average number of inflation adjusted one billion Severe Weather events was about five and a half per year. In the last five years it has doubled. Now, i know in 2010 the sec provided some guidance about climate disclosure, but not much additionally has happened. So i want you to talk about how you view Climate Change and its material although, because its becoming increasingly clear that we cannot ignore these Severe Weather events and the impact that they have on publicly traded companies. I do believe and there are a number of industries where if there are patterns and changes in weather events and this type of things, those developments do have impacts on companies that should be disclosed. And they have impacts in many ways. The weather eepts, the recurrence of them,up, are we experiencing increased loss. This is something that trends in increased loss. Thats something investigators should know about. Regulatory responses to those events. If there are regulatory spontsds to those events that are going to affect the companies, those companies should discuss them. I believe that. Do you think the sec is doing enough to require this disclosure . We have issued guidance around this. We have guidance in a number of areas. I regularly, cant say every day, but on a fairly regular basis discuss with the division of Corporation Finance whether our guidance in this area, whether our guidance in the cybersecurity area, whether our dpied answer in other areas should be updated, emphasized or, you know, or otherwise changed. Okay. I understand youre in conversation. What is your current thinking about this . My current thinking is that the guidance is good. Thats fine. But we should continue to look at it. I senator, i agree with you that there are industries that need to pay close attention to these trends. Let me give you a specific example, if you wouldnt mind. Va her row industries ten k filing for 2016 states some scientists have concluded that the increasing concentrations of Greenhouse Gas emissions in the earths atmosphere may produce Climate Changes that have significant physical effects such as increased frequency of storms drauts and floods and other climate events. If any such effects were to occur, it is uncertain if they would have an adverse effect on our Financial Condition and operations. At the end of august of 2017 Hurricane Harvey, one of the strongest atlantic storms in history, shuttered over 20 of the u. S. Oil refinery industry, including five refineries owned by va her row. These refineries usually produce is. 1 Million Barrels a day which is a third of its total capacity. A week after the hurricane va her rows refineries were not back online. Does it seem like Hurricane Harvey had a material, adverse effect on va her ohs Financial Condition . I dont know the numbers, but it would not surprise me if an event of that type would have an adverse effect on a companys Financial Condition. Do you think that the sec is doing enough to require disclosure from some of these companies . It seems to me that part of the problem is that is politics. That people dont want to not for you, but for these companies. They dont want to weigh into something that is the summing of some controversy. And the other problem is that Just Institution alley the sec measures risk that can be measured, that is customarily measured and that this is a relatively new risk that people are scientists are essentially stipulating to and that the systems in the sec and elsewhere in the Financial Services industry everywhere is actually not equipped to evaluate this. And so what we do is we book it at zero. We assume it doesnt exist. Because it is difficult to assess. When you assess political risk, regulatory risk, other risks that may be material, you have a way to get at that. But climate risk in the financial context is new. And so i would just ask that 2010 is actually a long time ago when it comes to our thinking about climate and its certainly a long time ago when it comes to the fiscal impact both on the public and the private sector when it comes to Severe Weather. So i dont think that 2010 guidance suffices and i would just encourage you to maintain an open mind in this space and devote some staff time to articulating how were going to quantify the adverse impacts of Climate Change on the industry. I will. Thank you. Thank you. Senator purdue. Good morning, mr. Clayton. Thank you for being here. Ive got a concern, basically a reservation with the fact that sec staff today do not have to abide by some of the same stringent security protocols that other users of the cat database are required to abide by. The geo has previously identified a few weaknesses related to the secs cybersecurity protocols. Can you give us an update on how you are addressing those concerns that the sec has raised at this point . And also the other safeguards around the that the nms plan as well. Okay. Senator, i want to make this clear. With respect to the cat, were not going to take the data unless we need it and unless we can protect it. And with respect to your specific question about whether our security protocols for individuals are not as stringent as they should be, i dont have an answer to that right now. Do you agree with that conclusion . I know youre new on the job, so but they should be. But do you have a position yet . Do you know yet whether they are, whether you agree with the gaos conclusion on that . I dont have a position on that now, but i think that we should be mindful of any guidance from the gao. But youre looking at it today. Yes. And will you come back to that committee on that when you get more information when you come to a conclusion . Id be happy to. Brat. The second part is the same sort of concern. Under the jobs act companies under a billion dollars were permitted to file ipo and secondary offering statements that would be released to the public until 15 days before recently under your leadership this ability has been extended to companies of all sizes. In your view can you describe the advantages of a confidential filing, how it will improve our increasingly more complicated ipo process . The confidential filing process greatly aides companies when they are transitioning to Public Companies. And we Want Companies to transition to Public Companies. Theyre Better Companies the when they have Public CompanyFinancial Statements, when they go through the process of the sec discloses youre process, they do become Better Companies. Letting the world see all of your financials and all of your strategies and all of your risks before long before you go public causes some companies to pull back from that. I am very comfortable and in fact think its a great idea that we allow companies to confidentially submit that information so that it can be reviewed. We can comment on it. We can tell them where they need to broouf. And then with plenty of time for investors to assess that information make it public prosecute the ipo. I think its a very smart move that in no way lessons Investor Protection and actually increases the number of opportunities investors have. Thank you. I just have one last quick question. The conflict minerals rule. I know thats under review right now. Can you give us an update on how you guys are looking at that right now . Well, there was a Court Determination that part of the rule was had a First Amendment issue with it. The rule is on the books. Weve issued no action guidance on on you to comply with the rule in the interim. Were now reviewing the rule, the no action guidance in light of the court case. And thats where it stands. Okay. Thank you. Thank you, mr. Chairman. Thank you, senator. Senator van hall lond. Thank you, mr. Chairman. Thank you for your testimony. I wanted to pick up on some of the questions that senator brown asked regarding material although. You indicated that you thought that the triggering event for disclosure would be whether there had been a Material Change in the circumstance of the company, right . Yeah. Thats generally right. And i understand you dont want to get into the equifax situation, but you would agree that, not talking about any company, that if in fact there was a Material Change, it would be wrong for executives of that company to then knowingly trade stock before they made any disclosure, right . Yes, sir. Okay. So i want to get to what material although means, because i dont believe the sec has any definition, at least in the context of a cyberSecurity Breach. Is that right . I think the general definition of materiality does apply to the cyber context. I dont mean that the concept doesnt apply, but theres no standard or definition of how to apply the concept of materiality to a cyber breach. So, for example, the sec doesnt say if a cyber breach would result in the disclosure of, you know, x amount of information about customers and that could lead to a significant change in the value of a company of the the sec doesnt itself have that thats correct. Theres no precrypt active disclosure of this many for this long we dont have that type of so its kind of you know it when you see it. Is that the idea . Thats correct. But does the sec bring these kind of materiality cases for failure of violation of ak, disclosure . We do. Let me ask you, if you agree that it is wrong for people to knowingly trade on information thats material but has not been disclosed, would you agree that once a company has decided something is material, that their executives should not be trading that stock . Between the time they decide its material and the time they actually file a disclosure to the public, which is now a fourday period, potentially. Im going to be very yeah. I think what youre asking is a control issue is should there be a control in place to ensure that when a decision has been made at a company that there has been a material event and theres going to be a disclosure, that the company has in place a control to prevent yes. That is exactly what im suggesting. Would that make sense . And i think its a very good question and a fair question. Well whether thats an area whether thats an area over that goes into Insider Trading or whether it goes into a control failure is something that we i understand. It seems to me there should be a presumption that once a company has decided there has been a Material Change and before they disclose that to the public there should be just a rule that executives dont trade that stock. Doesnt that make sense in terms of protecting the protecting th markets . Having i do not want to comment on any specific company and i understand that. Im not asking about a particular company. Most companies have Insider Trading policies. Having a thoughtful Insider Trading policy with controls of the type youre suggesting is an important part of good corporate hygiene. Well, look, im working with congressman maloney on the house side has a proposal, were working on it with her but there is a whole question about when you determine materiality. Were talking about that. But it seems like a nobrainer that once a company has determine there hads been a Material Change and before theyve notified the public, which they have four days to do, you would require them not to sell stock. Why isnt that just obvious . I i like the concept. When i was in the private sector i put the concept into Insider Trading policies, for example a general counsel would be somebody that a set of executives had to clear all trades with. Let me just say, so there was a study done back in september, 2015, by ama cohen at harvard law school, Robert Jackson at Columbia Law School and others have done studied that showed what they call the 8k trading gaps which that executives have made money. During this fourday period or whatever time elapses between a decision that some Material Change has been made and disclosure. Do you agree its wrong for executives to be making money during that period based on information they have about materiality . Absolutely. So shouldnt there be a rule that once the corporation has made a decision that something is material that they not be allowed their executives not be allowed to trade during the period . I like the concept. We look forward to working with you on this. We can adopt it. That you can. Senator shelby. Mr. Chairman, im sorried had to leave the hearing but we all have some other things, chairman clayton, welcome. I didnt have a chance to do this, welcome to the committee. I miss a lot of the testimony but i hope this has not been one of the questions. During your confirmation hearing you agreed with my longstanding belief that a cost benefit analysis for rule making was appropriate at the s. E. C. I believe its a appropriate, all agencies and appreciate your leadership on this issue. Whats the s. E. C. Doing or trying to do to come forth with a meaningful cost benefit analysis rule . Because rules cost money. Sometimes theyre really necessary. We need them. Sometimes its an overkill but we all know and you know in your other life that i dont believe anoth enough work has been done in the cost benefit analysis. Were talking about securities in your area right now. Go ahead. Senator, i agree with you that cost benefit analysis is very important in rule making and its important in rule making not just in a should we have the rule or not have the rule, if we have the rule how should it be crafted . What are we getting for this component as opposed to the cost of that component . Its not just yes or no but its how we craft the rule and, importantly what people are going to do to demonstrate compliance and are we getting the best compliance requiring them to demonstrate in that way . We want the best compliance but we want it to be done in the most efficient way to get there and i very much believe that. What are you where are you in and what have you been doing . I know you havent been at the s. E. C. Too long. Were glad to see you there but what do you expect to do as far as setting the tobe and the standards down there . This is an area thats of its a complicated area. I like it because it is complicated and i like sitting with our economists and ive enjoyed discussing exactly these things including around some of the pending rule makings that we have. This is a focus group. We brought on a new chief economist, im very happy to have him on board so this is an area that is of interest to me and i agree with you in this area. I was not here earlier but it was my understanding that the trend of fewer ipos was mentioned. You know, which a lot of us dont like because that seems like the economy is not doing as it should. Whats your thought on that without rehashing everything thats been gone over there and whats the trend and whats the data there . Whats the information . People focus on ipo or no ipo. Iepy is the its the water coming into the bathtub. There are going to be reasons things are going out but i want a bigger bathtub because i want people to have more choice and i dont want its very difficult for Retail Investors either directly by buying stock or indirectly through mutual funds to have access to Investment Opportunities outside of the public Capital Markets. So i on balance id like a larger public cap pal market because id like Retail Investors to have more access to those choices. We have in this country some people believe 4 trillion to 5 trillion in capital. Ill just use the term lying around. Looking for a better investment. Look at the savings accounts. People arent getting much there. The dividends, the money markets, you name it. How can we put a lot of that money to work for the economy . I know youre not secretary of the treasury, but what you do and what your colleagues do at the s. E. C. Does feed right into our economic growth. My aim is more and better Investment Opportunities but i want to be clear, a focus for me has been Retail Investor fraud because while i want to get more and better, tamping out those bad actors who prey on get rid of them, absolutely. That is as important if not more important than increasing the number of opportunities and so we have to do both. Bring confidence back to the little person, right . Yes. Absolutely. Thank you. We like what youre doing at the s. E. C. Thank you. Thank you, senator. Senator heitkamp . Thank you, mr. Chairman, and thank you, mr. Clayton. Before i start with questions i think you and i had a long conversation about a bill that senator heller and i had that would create a full time Small Business advocate within the s. E. C. Youve moved expeditiously to do that so i want to acknowledge that help and to tell you how critically important it is that we have that outreach because what youre trying to do is in your exchange with senator warren was is really build that opportunity and see that next new startup that could, in fact, result in General Motors or microsoft or whatever comes along. With that said and i think they all started in a garage or they all started with a great idea. I want to just kind of walk through some of the thinking that people in my state have. You know, they think about gambling and they think about las vegas and a lot of them think what you do is about gambling. And they think that if they go to las vegas theres a whole regulatory body that if someone cheats theyre going get caught and the game is fair and if they cheat if somebody is rigging the system, they have some level of confidence that theyre going to go to jail. I think if you took you know, you took gambling, straight up gambling, right, and you used those same kind of guidelines or at least benchmarks that people feel about the equity markets, i think las vegas gets probably an a, aminus for soundness and security and fairness and i dont know if you get an a or an aminus. I think the equity markets as best you could do youre probably at a c. And if we dont respond to this and if we dont respond to the issues that have been raised across the table here on what happens when the public out there sees executives trading after a material event and they wouldnt use those languages, they would say heres here it is again. They make money and we lose money, we would have had shares had we known it we would have sold our shares but now were worth 25 less in our 401 k if we held that share. Tell me what were going to do to convince my retail purchaser which you just talked about that what youre going to do is unrig this system and get it back to a level of confidence that the equity markets are fair. I can tell you that i know the people at the commission and i look at those people when we make decisions. That is what i you know, people make fun of it or not make fun of it, mr. And ms. 401 k , that is how i look at what im doing. And that is in the markets. I mean, i know that what they want to know is that we have their back. That we are policing the large Public Companies, that were looking at what the executives are doing. That if theyre taking unfair advantage of that fourday window that senator heller mentioned that thats not appropriate and were going to do something about it. As far as retail folks go, im also really worried about the amount of retail fraud. I will tell you the amount of retail fraud i see everyday in terms of the Enforcement Actions that we see disgusts me and we just its been in the works for some time, we just implemented a new retail fraud unit because, like you, i believe that if the main street investor doesnt think we have their back, were not doing our job. Well i think thats how i feel. I think its not if the main street investor thinks they dont really believe you have their back. Theres just been too much history here and to act boldly and directly is absolutely whats essential to bring back that confidence and if its all behind the curtain, pay no attention, were studying it, people go, yeah, that ill study it until the next time it happens then theyll study it again and were never protected because we dont have access to that information and we lose money because when that becomes knowledge when the public knows, guess what happens . That stock tanks and i take the loss while the executives walk away with the big payoff. It just is not a formula for success and i honestly believe people trust the regulators at las vegas to make sure that slot machine is fair more than they trust you to make sure that when they buy an equity on your markets that theyre treated appropriately. If thats the case, i want to change it. Well, i think you need to really focus because i believe it is the case. Thank you, senator cotton . Thank you, mr. Chairman, and mr. Chairman welcome to the committee. I want to focus on the challenges that overregulation is putting on smaller businesses and smaller investors. You may be aware of a Small Business in arkansas that we call walmart. Somewhat large now. There was a time, though, when it was kind of small, it continues to provide lots of great jobs for arkansans to provide their groceries and kids toys and Everything Else under the sun. I have many my hand from 1970 the walmart ipo document. Pretty thin, huh . 26 pages. 20 if you exclude the financials. Thats walmarts ipo from 1970. I have in my hand the snap ipo document from just last year. 247 pages. Ten times the size of walmarts ipo. I think this explains one of the reasons why we have so many fewer ipos than we once did, especially for smaller firms. I dont think you can attribute it simply to the dotcom boom from 50 years ago and the types of those ipos have changed as well. Many small cap ipos have declined significantly. That means small investors, the kind of people that invested in walmart based on this, a document that any high school educated person with a bit of business sense could understand and became pretty well think on it over the years as walmart grew and their stock split and they grew and their stock split no longer has access to these small cap growth companies. They go increasingly into the private market and benefit only the most affluence americans so without saying that private markets are bad, could you please give us a list of the steps that youre taking or intend to take that will encourage more initial Public Offerings in this country . So weve already taken a couple of steps. One is to allow more confidential filings which under the jobs act has proven to be an encouragement for people to consider the Public Offering process. We have reduced the need to file Financial Statements that will not end up being part of the Public Disclosure package to reduce the burden on Companies Seeking to go public or otherwise using the public markets. The confidential filing process does extend for a period of time which allows companies to get secondary liquidity which also encourages them to go public. Thats another aspect of it. On the agenda is our review of sk the broad disclosure package to try and modernize and enhance it. I want the disclosure package to be just as good and provide just as much Investor Protection but i want it to be more accessible. It needs to be more accessible. We cant have documents that can only be read by lawyers. Do you think anybody reads a document that long and makes an Investment Decision on it besides a lawyer . Very few. Do you think lawyers even read it . I lawyers do crazy things. I know lots of small momandpop investors in arkansas since 1970 read this document and they made a lot of money off of it and they provide a lot of jobs and a lot of affordable pricequality goods so im glad to hear youre taking those steps. A related story i want to tell and get your response to, the president of a small broker dealer in Central Arkansas, not much more than just a family owned official, six people said he wouldnt start that official today given the Regulatory Burden he faces. One example he gives is that dodd frank expanded the Public Company accounting Oversight Board to include annual audits for all broker dealers registered with the s. E. C. So that means his sixperson firm is held to exact same auditing standards as a company the size of walmart or apple or google or anything else. That means his costs have skyrocketed and he doesnt think the quality of those audits are any better. This is just one more example although in a different space of the cost of overregulation. Do you think it would be appropriate to have some kind of threshold to exempt these smallest firms from that kind of regulation much as we have different standards for Community Banks . If so, what kind of threshold might you consider . Senator, i had a view and its been affirmed by my time at the commission that one size fits all doesnt work in a lot of areas, probably doesnt work in that area, now i also dont think it should be youre either in or youre out, youre either in regulation or youre out. Once you decide one size doesnt fit all becomes the real question which is how do we scale it, where do we put those steps . Thats how i intend to approach regulation in some of these areas. Said another way, if we have one size fits all, were only going to get one size. I agree and appreciate that. Like i said, another area in which i think that just because walmart needs to use a giant Accounting Firm under existing law out of new york or dallas or chicago doesnt mean a sixperson broker dealer firm in Central Arkansas cant use a competent qualified Auditing Firm from conway or circe or bryant. Thank you, mr. Chairman. I understand the s. E. C. Is reviewing the proposed acquisition of the Chicago Stock Exchange by a chinese company. I dont expect you to comment on the specific transaction but can you please generally describe the review process within the senator kerry. Yes, sir. The review process within the s. E. C. Is actually styled as a rulemakin rulemaking. And there was 240 days for a division of the commission subject to delegated authority from the commission to review the application. That was approved. An approval like that provides the commission with an opportunity to review the approval, the commission took that opportunity and were reviewing the decision. In light of recent highprofile Cyber Breaches, including equifax and the s. E. C. Are you at all concerned the ownership and control of an American Exchange by a foreign entity could expose our markets to new risks and vulnerabilities . Im not going to comment on the specific matter before the commission at this time. Its a matter im going to be deciding on so it would be inappropriate but i am aware of the various issues raised by commentators. Im not asking you specifically in regards to this company. Im asking you as overall policy. Does that concern you at all about a foreign entity that could possibly expose our markets to new risks and vulnerabilities . Senator, absolutely. Not just a foreign owner but state actor intrusions and state act ormon or thing of our Financial Markets is an issue that troubles me. As the s. E. C. Continues reviewing Financial Disclosure requirements under regulation sk, i hope youll consider whether corporations should disclose country by country employment data. It helps investors determine and better understand where outsourcing and offshoring has occurred. Are you willing to consider a countrybycountry exposure as part of the s. E. C. s broader review . I am willing to consider the sk guidance on and the rest of sk in terms of providing a more accessible disclosure package for investors, including in areas of employment. I want to go back to an area you and i have talked about before actually this spring and thats stock buybacks. At your confirmation hearing we discussed with the stock buybacks at large corporations often conducted mainly with the goal of increasing stock prices to impress wall Street Investors. I think that shortterm thinking as come at the expense of longterm investments in innovation that would have benefitted our country. And weve seen it again in recent times where a company chose to use some of the funds that were going to be used for stock buybacks to actually make an acquisition and their stock was immediately hammered in large measure because it wasnt going to be the byeback it was just trying to add to the business and if you look long term that doesnt make sense but former chair white stated the s. E. C. Was looking into when and how often companies should tell investors about Share Repurchase programs. She was presumably referring to the s. E. C. s concept release to solicit the publics views on Financial Disclosure requirements in regulation sk. Currently stock rewhich you are which is as are reported quarterly. Do you think companies should be required to disclose stock buy backs frequently than once ever quarter . Im not going to comment specifically on something that we are reviewing. I am cant as you and i have discussed, i am concerned about this issue and any abuse of stock buybacks. I recognize they have a lot of value in certain circumstances. Many wellfunctioning companies see it as an efficient way to return capital to shareholders. Many investors engage with companies and we want investor engagement with companies, engage with companies and push for stock buybacks. Now we can determine whether their motives are we cant determine in the abstract whether their motives are pure or longterm or shortterm but there are a lot of considerations that go into this. But as you and i have discussed, one thing that does trouble me is if these stock buybacks are motivated not by the longterm interest of the company but some but shortterm interests and im looking at the disclosure in this area in that light. I will finish by saying if you take a look at what the going on with hedge funds and others i think you will find that much of their efforts regarding stock byebauybacks ha nothing to do with Company Development or strengthening but taking as much out as quickly as possible. Thank you, mr. Chairman. Thank you. Senator reid . Thank you very much, mr. Chairman. Thank you for joining us today. In general do you think investors understand the Cyber Security risks that the Companies Face that they invest in . Put another way, can companies do a better job disclosing the risk in their disclosure documents . No, i dont think the general level of understanding in the market is where id like it to be and i dont think the disclosure is where it should be. And through the your Regulatory Authority at the s. E. C. You could shape that disclosure. Are you working on that . I am. Thank you. There is also a kind of theory i have is that having watched the agency over several decades in this Cyber Security world its expensive to stay ahead with technology, software and as a result when dodd frank was being written i put in language that allows the s. E. C. To put 50 million in a year in a reserve fund for Cyber Security and other tools. First, are you funding this . Are you accessing this source from registration fees . The 50 million . We want and need the 50 million for i. T. And you physically are taking it and depositing it . We are using it. Okay. Its part of our budget Going Forward. And there was in our legislative process a 100 million limit put on the fund. So youre prepared to go up to 100 million . I would let me say this, senator, i think we need to spend more money. When i got to the commission i made some assessments, we went with a flat budget for the next fiscal year. I will not be asking for a flat budget for fiscal year 19. Were going to need more money in the area of Cyber Security and i. T. Generally and i intend to ask for. It appreciate that because, again, money is not the solution to every problem but its usually part of every solution so you have to have it. You have a mechanism with this reserve fund to take it right from registration fees, it doesnt have to go through omb or any place else and theres a 100 million limit, at that point you cant take anymore so i would urge you to aggressively do that. The other thing i would urge you to do is resist any attempts to take away this fund because the administration is proposed in 2019 that the fund be eliminated. That your ability to access these monies be gone. I think given the Current Situation with Cyber Security you have to have the money. I hope you agree. Senator, i agree that the purpose of the fund, including to be able to make longer term commitments than year on year to Cyber Security is a very good idea. Thank you. Let me quickly go back to the point senator donnelly was making about stock repurchases and you might a thoughtful point about tenning back and looking at it in terms of the long run benefits to shareholders and the investing public, not the quick inandout. And you went back and forth about using money for stock buyback rather than purchases. I have heard of instances where companies were conducting stock repurchases while their Pension Plans were underfunded. Are you aware of any situations . Im not aware of any specific situations. Would that be something youd want to look at in terms of the propriety of doing a stock repurchase when a commitment that has been made to employees is not fulfilled . Its a very interesting question. I want to be responsive. I havent thought about that particular question. I would say if somewhat is somebody doing from a governance perspective. This may be a broader issue be what somebodys doing from a governance perspective is putting a funding obligation in jeopardy by buying back equity, thats a serious consideration for a board of directors. Would you have authority to stop that practice either by rule or im not sure senator i would need to look into that. Mr. Chairman, i think these are issues that are deserve close review and study. I dont think theres a at this point jumping to a conclusion is not the way to approach it but i think these are the types of issues that you should be considering because were both committed to the long term profitability and effectiveness of these companies not the short run in and out, how long the, mr. Chairman. Thank you. Senator. Thank you, mr. Chairman. Chairman clayton, good to see you again. Good to see you. Excuse me i didnt get to hear your opening, im juggling two committees at the same time. But with your indulgence, i want to kind of follow up on the previous hearing we had and your confirmation hearing and follow up on the questions and see where you are today with those. Beginning in 2009 as we were dealing with the peak of the foreclosure crisis, the s. E. C. Chair at the time expanded the authority to issue investigative subpoenas to about a dozen or so senior officials in your Enforcement Division. Before that time, commissioners themselves had to vote on each and every subpoena and it slowed the enforcement down to a crawl. Acting before your tenure, acting chairman, people initiated a review of whether the s. E. C. Should revert to the prior burdensome process for issuing subpoenas. When i asked you about this at your confirmation hearing you said you needed to discuss this with other commissioners and s. E. C. Staff before commenting. Now that youve been there for four months, have you made a decision . I have. And what is the decision . There was a time as you noted that formal Order Authority rested with the commissioners and the commissioners had to vote on it. That was transitioned to the directors of the division, the director of the division of enforcement for efficiency reasons as you sicite. Later it was put to regional offices and hay had the ability to have formal Order Authority, it was pulled back to the codirectors of the division of enforcement. I have sat with stephanie and steve and discussed this with them with an eye toward whether there was any slowing down in the ability to open matters. Theres totally comfortable theres not, one or both of them are available. Ive probed on this whether there was any urgency whether funds would be leaving the country or other reasons for having formal Order Authority at the regional offices. Im comfortable there isnt one and im comfortable theres a benefit. Having that that short wresting with the two of them and their staff. Well, their staff supports them but they of course get the information, but having it with them enables them to more efficiently manage the Enforcement Division across the offices and make sure we dont have, for example, somebody in San Francisco opening in a case in miami. So its reverted back, so youve pulled it back essentially. No, were not back at the commission level. Were at the division of enforcement level and im very comfortable thats where its belong. So its staff that has the authority. Staff has the authority. You pulled it back a little bit but gave staff the authority so its not back at commission level. Correct. And im very comfortable theyre doing a good job. Okay, appreciate that. In a private meeting in the office and at your confirmation hearing you stated your belief that individual accountability has a greater deterrent effect across the market and one tool to hold individuals accountable is the socalled yates memo that was put out by the Previous Administration that my understanding the current attorney general sessions and Deputy Attorney general rosenstein are looking at right now. Theyre looking at rescinding it or weakening its directives to prosecuto prosecutors. In your view, is this memo consistent about what youve emphasized in your speeches about the need to hold individual corporate speckive thes responsible for corporate misconduct . Senator, that is my view that individual accountability, particularly in a corporate context has a greater deterrent effect than simply corporate accountability. Have you thought about what you would do if doj, whos your partner in profession, rescinds the yates memo . How would you handle that . We coordinate with doj in these matters but i dont think that that let me im comfortable the way our division of enforcement is approaching these matters and looking at individual accountability is correct and that thats going to continue. Okay, so that is still your emphasis . Yes. Okay, thank you. As a lawyer in private practice you chris sized aggressive enforcement of the foreign corrupt practices act, replacing significant costs on u. S. Companies and President Trump himself criticized ifcpa when he was a businessman saying it created competitive disadvantage for u. S. Companies when they arent able to bribe foreign governments. Thats not what i yesterday . Thats what President Trump said when he was a businessman. This world view now appears to be permeating law enforcement. One analysis found that as of september 1, the Trump Administration has had only has brought only three of these Enforcement Actions and the two from the s. E. C. Each had roots in Obama Administration investigations. And whats curious is at this point in time during the sometime time during the Obama Administration 25 cases had been filed and 17 by the bush administration. Can you tell me, is the s. E. C. Slowing down foreign corrupt practices act investigations and prosecutions or can you explain these numbers . Why theyre so low . No, were not slowing them down and i want to go back to the 2011 article that i participated in writing. What i was saying was we need to think about whether were doing this alone around the world and getting our partners in other countries on board and our partners in other countries have come on board and not everywhere but in some places and that actually makes it easier to pursue this type of behavior and actually have an effect in doing so. So what youre saying is our partners in other countries have had an epiphany and theyre all cooperating and following the law . Not in every country but the prosecutors in similar securities authorities in other countries have upped their game substantially. Okay. I notice my time is up. Thank you very much. Thank you. Senator sasse. Thank you for being here. Id like to discuss the history of cyber Security Breaches at the s. E. C. Can you tell me how many cyber Security Breach there is have been historically. I dont have that data with me today, senator. And defining what a breach is is who would know . Who in your organization reports to you that has responsibility for this . The office of Information Technology is the office within the s. E. C. That has overall responsibility. Since getting to the commission i have been reviewing how we handle these matters from an oversight perspective including establishing a Cyber Security working group. To get at these issues, including how we share information about breaches, attempted intrusions, risks across the commission as i testified earlier, these are areas we need to bring focus to who heads that office and how senior are they . Are they a direct report to you or who do they report to . The head of the office of Information Technology is pam dyson and she is a direct report to me and also to our office of the operating officer. Thanks, how many direct reports do you have . Precise number, between 20 and 25. Gotcha. Is this the first breach at the s. E. C. That you think could have facilitated the trading of inside information . Senator, i cannot tell you with 100 certainty that this is the only breach that we have had. I am not in a position to tell you that. The s. E. C. Statement argued that the intrusion did not result in the unauthorized access to personally identifiable information, did not jeopardize the operations of the commission or result in Systemic Risk. Do you think there has been any breach at the s. E. C. That compromised personally identifiable information the past . Based on what we know now about the 2016 breach that i disclosed, we dont think there was personally identifiable information given the file type or where it housed a Systemic Risk so i want to make that clear, thats based on what we know today. The investigation is on going. In terms of whether there has been a breach at the s. E. C. Where personally identifiable information was accessed, to my knowledge today i dont know of any. But i cannot in this area i cannot give you a 100 certainty that that hasnt happened. Okay. So i want to ask a parallel question. In this case we dont think there was personally identifiable information and you dont think there has been historically. In this case the s. E. C. Has a statement that says it didnt jeopardize operations of the commission. Historically do we know of breaches that have ever jeopardized operations at the s. E. C. . I know of know historic breaches that have jeopardized operations but it is an area that is of concern to me. We do provide services that are essential to the functioning of the marketplace. Agreed. And a denial of Service Attack at the s. E. C. In one of those areas would have material effects across our market system. I share your concern and i believe you to be greatly concerned about this. I was presiding over the senate the last hour and a bit so i didnt get to hear the beginning of your testimony and i know you covered some of this information. Instead of trying to have you repiece pieces of it that with ms. Die son and whatever con tonights you have, ill send you a list of qfrs. But can i get your commitment well get a Quick Response and i want to acknowledge that a lot of it is technical and long but we would love i think this committee and the senate would love to partner with you in trying to upgrade Cyber Security. You oversee critical functions of the government and public trust in Financial Markets and i think we probably need more urgency on this and i think this branch would love to partner with your branch but well send you a long list. Id like your commitment well get a Quick Response please. I think its entirely appropriate and you have my commitment. Thank you, sir. Senator brown . Thank you, mr. Chairman, im not asking for a second round, just one question to wrap up and thank you for your indulgence. In a recent speech, the s. E. C. Commissioner suggested companies that go public should be permitted to require that shareholders resolve claims in arbitration and not the courts. That would be what we call forced arbitration this is, as you know, mr. Chairman, this contrary to Corporate Governance best practice and contrary to the s. E. C. s stated views on this issue. Will you my question is will you continue to support s. E. C. Practice that preserves shareholders rights to go to court and reject mandatory arbitration requirements for Companies Going public . Senator, im not going to prejudge that issue but i understand this is also a state law issue and in many states youre not permitted to have mandatory arbitration. But i am not going to categorially say that you would never have a situation where something other than accessing state law remedies for a particular or several particular items is off the table but i am very cognizant that this that the ability to go to court is something that is of great value to shareholders. And it is the s. E. C. s view on this issue today as you know . I dont think the s. E. C. Has articulated a definitive view on this issue. Is that right . Senator brown, we have done so in the context of particular requests in the past. There have been requests in the past and theres a long history there im happy to discuss with your staff but i dont think the s. E. C. Has articulated a firm view on this issue in the past. Mr. Chairman, i was told by staff that questions for the record that will be propounded to you are due next tuesday. I know thats not long but you r youre a pretty diligent manage. Thank you for your appearance before the committee and we wish you well in your job thank you, senator shelby. The meeting is adjourned. [ indistinct audio ] [ i distinct audio ] [ indistinct audio ] [ indistinct audio ] [ indistinct audio ] [ indistinct audio ] [ indistinct audio ] [ indistinct audio ] this weekend on American History tv on cspan 3, saturday at 8 00 p. M. Eastern on lectures in history, university of virginia professor Gary Gallagher on the legacy of the civil war. The loyal white citizenry and africanamericans and former confederates had very different takes on the war as they went forward after appomattox. They embraced versions of the war that suited their purposes. And sunday at 10 00 a. M. , president bill clinton marking the 60th anniversary of the integration of little rock central high school. I wanted to say you did 60 years, take a victory lap, put on your dancing shoes, have a good time. But instead i have to say youve got to put on your marching bootboot s and lead us again. At 7 00 p. M. Eastern on oral histori histories, we continue our series on photojournalists with an interview with darrell heikess. You always tried to be in any place where we were working, especially the white house, to have the optimum lens in your hand and the maximum amount of film whenever something happens because somebody in a split second it could be there and youve got it and the person standing next to you does or doesnt have it. At 9 00 p. M. Eastern, hamilton play write and actor Lin Manuel Miranda accepts the u. S. Historical societys 2017 theater award. When youre a theater kid you make friends from different grades and social groups. You learn to work hard to create something greater than the sum of your parts and for the sake of making something great you learn to trust your passion and let it lead the way. Without humanities and arts programs i wouldnt be standing here and without Alexander Hamilton and the countless other immigrants who built this country its very probable that very few of us would be here, either. American history tv all weekend every weekend only on cspan 3. So this is what churchill faced when hi came to power in those awful days in may, 1940. Practically from his first day in office he begged Franklin Roosevelt for help to stave off hitler but the president was very aware of the isolationist mood of the country and even though he really wanted to help save britain, he was very cautious. He didnt want to get involved in this war if he could help it. Besides, most people in washington, including him were pretty much convinced that britain would be easily defeated. How could it possibly survive when no other european country had . Former u. S. Secretary of state Madeleine Albright called her our eras foremost chronicler of world war ii politics and diplomacy. And on sunday on indepth, author lynne olson will be our guests. Her books include freedoms daughters, those angry days and her most recent last hope island, britain, occupied europe and the brotherhood that helped turn the tide of war. During our live threehour conversation, well take your calls, tweets and facebook questions. Watch indepth with lynne olson sunday live from noon to 3 00 p. M. Eastern on book tv on cspan 2. Next week on cspan 3, former equifax ceo Richard Smith testifying before the House Energy Commerce committee about the data breach at the Credit Reporting Agency he used to lead. The hearing is tuesday at 10 00 a. M. Eastern and you can see it live on cspan 3 online at cspan. Org or on the cspan