[Senate Hearing 115-134]
[From the U.S. Government Publishing Office]


                                                        S. Hrg. 115-134


        OVERSIGHT OF THE U.S. SECURITIES AND EXCHANGE COMMISSION

=======================================================================

                                HEARING

                               BEFORE THE

                              COMMITTEE ON
                   BANKING, HOUSING, AND URBAN AFFAIRS
                          UNITED STATES SENATE

                     ONE HUNDRED FIFTEENTH CONGRESS

                             FIRST SESSION

                                   ON

 RECEIVING TESTIMONY FROM THE CHAIRMAN OF THE SECURITIES AND EXCHANGE 
           COMMISSION REGARDING THE AGENCY'S WORK AND AGENDA

                               __________

                           SEPTEMBER 26, 2017

                               __________

  Printed for the use of the Committee on Banking, Housing, and Urban
                                    Affairs
                                    
                                    

                Available at: http://www.govinfo.gov/


                               __________
                               

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
28-283 PDF                  WASHINGTON : 2018                     
          
----------------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, 
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). 
E-mail, [email protected]. 


            COMMITTEE ON BANKING, HOUSING, AND URBAN AFFAIRS

                      MIKE CRAPO, Idaho, Chairman

RICHARD C. SHELBY, Alabama           SHERROD BROWN, Ohio
BOB CORKER, Tennessee                JACK REED, Rhode Island
PATRICK J. TOOMEY, Pennsylvania      ROBERT MENENDEZ, New Jersey
DEAN HELLER, Nevada                  JON TESTER, Montana
TIM SCOTT, South Carolina            MARK R. WARNER, Virginia
BEN SASSE, Nebraska                  ELIZABETH WARREN, Massachusetts
TOM COTTON, Arkansas                 HEIDI HEITKAMP, North Dakota
MIKE ROUNDS, South Dakota            JOE DONNELLY, Indiana
DAVID PERDUE, Georgia                BRIAN SCHATZ, Hawaii
THOM TILLIS, North Carolina          CHRIS VAN HOLLEN, Maryland
JOHN KENNEDY, Louisiana              CATHERINE CORTEZ MASTO, Nevada

                     Gregg Richard, Staff Director

                 Mark Powden, Democratic Staff Director

                      Elad Roisman, Chief Counsel

                    Michelle Mesack, Senior Counsel

            Laura Swanson, Democratic Deputy Staff Director

                 Elisha Tuku, Democratic Chief Counsel

                       Dawn Ratliff, Chief Clerk

                     James Guiliano, Hearing Clerk

                      Shelvin Simmons, IT Director

                          Jim Crowell, Editor



                            C O N T E N T S

                              ----------                              

                      TUESDAY, SEPTEMBER 26, 2017

Opening statement of Chairman Crapo

Opening statements, comments, or prepared statements of:
    Senator Brown

                                WITNESS

Jay Clayton, Chairman, Securities and Exchange Commission
    Prepared statement
    Responses to written questions of:
        Senator Scott
        Senator Menendez
        Senator Sasse
        Senator Tillis
        Senator Heitkamp
        Senator Cortez Masto


 
        OVERSIGHT OF THE U.S. SECURITIES AND EXCHANGE COMMISSION

                              ----------                              


                      TUESDAY, SEPTEMBER 26, 2017

                                       U.S. Senate,
          Committee on Banking, Housing, and Urban Affairs,
                                                    Washington, DC.
    The Committee met at 10:02 a.m. in room SD-538, Dirksen 
Senate Office Building, Hon. Mike Crapo, Chairman of the 
Committee, presiding.

            OPENING STATEMENT OF CHAIRMAN MIKE CRAPO

    Chairman Crapo. The Committee will come to order.
    Today we will receive testimony from Securities and 
Exchange Commission Chairman Jay Clayton regarding the work and 
agenda of the SEC.
    Thank you, Mr. Chairman, for attending here today.
    Oversight of the SEC is a critical function of this 
Committee, and the SEC has an important three-part mission: to 
protect investors; maintain fair, orderly, and efficient 
markets; and facilitate capital formation. No one part of this 
mission is more important than the other.
    The SEC increases transparency and trust in the U.S. stock 
market, providing investors with the material information they 
need to make informed investment decisions. It also helps 
investors participate in our markets on a fair footing so that 
they can prepare for important milestones in their lives, such 
as college, retirement, or other life-changing events. It is 
critical that the SEC continue its important work to fulfill 
this mission.
    At the same time, the SEC must be cognizant that its work 
may carry risks to the very markets and investors it seeks to 
help. I commend you for initiating an assessment of the SEC's 
cybersecurity risk profile, Mr. Chairman.
    The Commission collects and stores a huge amount of public 
and nonpublic data. If this data were subject to a cyber 
breach, it could have severe consequences to the markets, 
market participants, and to the American public.
    I was disturbed to learn that the SEC suffered a cyber 
breach of its EDGAR system in 2016, but did not notify the 
public, or even all of its Commissioners, until it was 
discovered during your recent review.
    It is critical that the SEC safeguards the data it collects 
and maintains, especially as the consolidated audit trail, or 
CAT, becomes operational.
    Through the CAT, the SEC will have access to significant 
nonpublic market data and personally identifiable information, 
including individuals' names, addresses, dates of birth, and 
Social Security numbers. The recent Equifax breach has highlighted the 
need to protect this sensitive and valuable information. We 
need to ensure that entities only collect this type of 
information if and when absolutely necessary and, if it is 
collected, that it is properly secured.
    I am glad to see that under your leadership, Chairman 
Clayton, the SEC is taking cybersecurity seriously. Other 
regulators and agencies should follow your lead and delineate 
their own cyber risk profiles and, if breached, they too should 
disclose such events to Congress and the public.
    Cyber attacks and breaches are a significant risk at all 
entities, both regulators and companies. As part of your work 
in the cybersecurity area, you should also review current cyber 
risk disclosure guidance to ensure that investors understand 
the magnitude and complexity of cyber risks at public 
companies.
    Along with your attention to cyber, I appreciate your focus 
on the standards of conduct for investment advisers and 
broker-dealers. The DOL fiduciary rule will limit investor choice, 
making investing more expensive for many Americans, and 
ultimately hurt the ability for people to save for retirement.
    If clarification needs to be made about the standards of 
conduct for broker-dealers and investment advisers, I believe 
the SEC has the most expertise and is the best positioned to 
establish consistent standards for all investors.
    I also appreciate your focus and public discussions on the 
importance of encouraging capital formation. The capital 
markets are essential to helping companies grow, facilitating job growth, 
and ensuring that Americans have investment opportunities.
    I am interested in hearing your ideas of how we can 
encourage more companies to go public without discouraging the 
availability of capital in the private market.
    The Senate recently passed several bipartisan securities 
bills, and we would be interested in additional ways Congress 
can improve securities laws to help all Americans.
    I look forward to hearing your thoughts on these issues and 
on the future agenda of the Commission.
    Senator Brown.

               STATEMENT OF SENATOR SHERROD BROWN

    Senator Brown. Thank you, Chairman Crapo. Welcome, Chair 
Clayton, to our Committee for one of many visits I am sure you 
will make.
    Last week, as just about every adult in America was trying 
to comprehend the risks that they or someone in their family 
face because of the Equifax cyber breach, you disclosed the 
SEC's own breach in 2016. In addition to raising serious 
concerns about the integrity of the SEC's data systems, that 
breach allowed hackers to obtain nonpublic information and 
perhaps make illegal stock trades.
    We expect that companies that hold Americans' personal and 
financial data will keep that information secure and be upfront 
with the public, with regulators, and with lawmakers when 
breaches, in fact, occur.
    Our regulatory agencies must abide by the same or, frankly, 
a higher standard. So when we learn a year after the fact that 
the SEC had its own breach and that it likely led to illegal 
stock trades, it raises questions about why the SEC seems to 
have swept this under the rug. What else are we not being told? 
What other information is at risk? What are the consequences to 
the American investing public and the American public 
generally?
    Of course, this breach took place under your predecessor, 
we recognize that, but the disclosure, or the lack thereof, is 
all yours. How are Main Street investors expected to have 
confidence that the SEC can hold big companies accountable when 
the SEC is not more immediately forthcoming?
    Equifax violated the public's trust twice--first when it 
failed to secure the volumes of data it collects and profits 
from about Americans' financial lives, and then a second time 
when it waited over a month to admit to the breach. How can you 
expect companies to do the right thing when your agency has 
not?
    We all have to earn the public's trust every day. Right 
now, the SEC needs to do more, and it needs to make sure that 
the companies it regulates do better.
    Doing more does not end with cybersecurity. The SEC's 
investor protection mandate has never been more important. 
Making sure Main Street investors are treated fairly, companies 
do not abuse accounting rules, and markets are efficient and 
transparent should be at the top of your list at the SEC as you 
consider offering reforms and reducing disclosure.
    Protecting investors and maintaining financial stability 
also means that the SEC needs to finish the Dodd-Frank Title 
VII derivatives rules, the incentive compensation rule, and the 
rules on clawbacks and hedging equity compensation. Each of 
these rulemakings will help enhance investors' and the public's 
trust in our markets and the financial system.
    Chair Clayton, it's been almost 5 months since your 
swearing in. I expect the next 5 months will be more demanding 
than the last five.
    The list of your responsibilities grows. Now everyone is 
watching how the SEC responds and how you personally, as 
Chairman of the SEC, hold companies accountable.
    Thank you.
    Chairman Crapo. Thank you, Senator Brown.
    Chairman Clayton, as you know, your full written testimony 
has been made a part of the record. I understand that you have 
asked for an extra minute for your opening statement, and you 
are welcome to have that. But I do not want the Senators to 
think that everybody is being granted an extra minute in their 
questioning, and I encourage them to remember the time.
    With that, Mr. Chairman, please proceed.

  STATEMENT OF JAY CLAYTON, CHAIRMAN, SECURITIES AND EXCHANGE 
                           COMMISSION

    Mr. Clayton. Thank you for your indulgence.
    Chairman Crapo, Ranking Member Brown, distinguished Members 
of the Committee, thank you for the opportunity to testify 
before you today about the work of the U.S. Securities and 
Exchange Commission. I will attempt to be concise in my 
remarks, as I know you and the American people have many 
important questions regarding, among other things, our cyber 
risk profile and the intrusion we disclosed last week.
    I will start with a thank you. My fellow Commissioners and 
the people of the agency have been incredibly welcoming to me. 
I have benefited from each interaction with these dedicated 
individuals.
    During my four months at the Commission, I have devoted a 
substantial portion of my efforts to agency operations, 
including assessing whether we have the people, technology, and 
office space necessary to succeed in our mission.
    As discussed in more detail in my written testimony, I 
believe there are four areas where additional focus and 
resources are most needed: cybersecurity; retail investor 
protection; market integrity, including market structure, risk, 
and resiliency; and capital formation.
    Specifically with regard to cybersecurity, I have been 
focused on this issue, internally and externally, since my 
first weeks at the Commission. As recent events demonstrate all 
too well, this is an area where we need to devote significant 
resources and attention to respond to market developments and 
meet the expectations of the American people.
    I will turn to the recently disclosed incident. In August 
2017, in connection with an ongoing investigation by our 
Division of Enforcement, I was notified of a possible intrusion 
into our EDGAR system. In response to this information, I 
immediately commenced an internal review.
    Through this review and the ongoing enforcement 
investigation, I was informed that the 2016 intrusion, one, 
provided access to nonpublic EDGAR filing information and, two, 
may have provided a basis for illicit gain through trading.
    We believe the intrusion involved the exploitation of a 
defect in custom software in our EDGAR system. When it was 
originally discovered, our Office of Information Technology--we 
refer to it as ``OIT''--took steps to remediate the defect and 
reported the incident to the Department of Homeland Security. 
Based on the investigation to date, OIT staff believes that the 
prior remediation effort was successful. We also believe that 
the intrusion did not result in unauthorized access to 
personally identifiable information, jeopardize the operations 
of the Commission, or result in systemic risk. I note our 
review and investigation of these matters is ongoing, and it 
may take substantial time to complete.
    This review has two related components. The first is 
focused on the 2016 intrusion itself, including efforts to 
determine its scope and whether there were or are any related 
vulnerabilities in our EDGAR system. Importantly, in conducting 
this review, it has been a priority and a constraint to 
maintain the security and operational capabilities of EDGAR. 
EDGAR is a critical component of our disclosure-based market 
system and accepts filings virtually continuously during the 
week.
    Various agency personnel, including members of the 
Enforcement Division, the Office of General Counsel, and the 
Office of Inspector General, have been involved in this effort. 
In addition, I have formally requested that the Office of 
Inspector General begin a review into, one, what led to this 
intrusion; two, the scope of nonpublic information compromised; 
and, three, our efforts in response. I have asked the Office of 
Inspector General to provide recommendations for how the SEC 
should remediate any related system or control deficiencies.
    The second component of our review consists of our 
investigation into trading potentially related to the 
intrusion. The investigation is being conducted by our Division 
of Enforcement and is ongoing.
    There are limits on what I know and can discuss about the 
2016 incident due to the status and nature of these reviews. 
Nevertheless, this past Wednesday I directed the issuance of a 
cyber risk profile statement and a press release highlighting 
the 2016 intrusion. I directed this disclosure because, 
although many questions remain, I believed that, one, once I 
knew enough to understand that the intrusion provided access to 
nonpublic EDGAR test filings and, two, that this may have 
resulted in the misuse of nonpublic information for illicit 
gain, it was important to make that disclosure to the American 
public and Congress.
    The matter involving our EDGAR system concerns me deeply. I 
recognize that I am not the only one who is deeply concerned. 
Rightfully, it will cause this Committee and others to increase 
their focus on whether the Commission's approach to 
cybersecurity appropriately addresses our cyber risk profile. 
This is all the more reason it was appropriate to disclose the 
intrusion now even though our review and investigation are 
ongoing.
    As a result of this incident, some have questioned whether 
we can appropriately protect the sensitive information we 
receive and whether we should receive additional data to 
further our mission. This is not the time for the SEC to pull 
back from our important market oversight role by limiting our 
access to sensitive information. Our mission is too important 
to millions of Main Street investors, issuers, and market 
participants to do so. We must be vigilant, and we must do 
better.
    We must also recognize in both the public and private 
sectors, including the SEC, there will be intrusions and that 
key components of cyber risk management for organizations and 
market participants generally are resilience and recovery.
    Turning to policy matters, my written testimony discusses 
our recent regulatory efforts in detail. I will highlight only 
one item: the upcoming Regulatory Flexibility Act Agenda, a 
semiannual disclosure of the Commission's near-term priorities. 
I believe it is important that these agendas provide 
transparency and accountability for agency matters. If they are 
to meet their intended purpose, these agendas must be 
streamlined to inform Congress, investors, and other interested 
parties about what we intend to do and realistically expect to 
do over the coming year. We intend to provide just such an 
agenda.
    Thank you, and thank you for your indulgence on the extra 
time.
    Chairman Crapo. Thank you very much, Chairman Clayton.
    First, I have been long concerned with the growing data 
collection requirements by our regulators. I am very concerned 
also about the massive data collection that is going on in the 
private sector, information about people's lives that can and, 
we are seeing, has resulted in damage to them. My concerns have 
only grown given the disclosed cyber breaches at the FDIC, the 
IRS, the OPM, your Commission, and at other agencies. I have 
mentioned many times in hearings the Consumer Financial 
Protection Bureau and its massive data collection that I am 
very concerned about.
    In addition, the SEC itself has come under scrutiny in 
recent GAO reports for its own security controls over its key 
financial systems and information. The SEC and other agencies 
monitor, regulate, and enforce the data safeguards in place at 
regulated entities.
    Given the amount of data that they collect as well as the 
roles they play as the stewards of our markets, the SEC and 
other Government agencies must be held to a higher standard 
when it comes to cyber readiness.
    A couple questions about the current cyber attack that you 
are dealing with. Can you give us any more information about 
the defect in the software that caused this attack? Or is this 
not the time to discuss that?
    Mr. Clayton. I do not have any more information about the 
type of defect that led to the intrusion. There is an ongoing 
investigation. We have gotten the Office of Inspector General 
involved, and as relevant facts become available, we intend to 
work with this Committee to ensure that you have the 
information you need in your oversight role.
    Chairman Crapo. And you have said this already in your 
testimony generally, but what actions did you take as you found 
out about this breach?
    Mr. Clayton. So it is not like you find out about a breach 
and you know everything on day one.
    Chairman Crapo. Right.
    Mr. Clayton. This came to my attention in August of this 
year. I immediately instructed that an investigation take 
place. Over the course of that investigation and review, it 
became clear to me that this was a serious matter. When it 
became clear to me that this was a serious matter, I made the 
determination to take a number of steps, including ensuring 
that the system was continuing to work. As I said, it is a 
system that is critical to the operations of our markets and 
the SEC.
    Also, disclosure. I know that that is a focus for this 
Committee. Let me get right to it. I decided when this was 
serious that disclosure was necessary. Then the question is: 
What facts do you have? We tried to gather more facts. You want 
to make a clear disclosure. You do not want to make disclosure 
that is misleading. I made the decision over the last past 
weekend that the time had come to make disclosure. We knew 
enough to make the disclosure. We were not going to learn any 
more at that time, and we made the disclosure.
    We have taken a number of additional steps, including 
hiring outside consultants to do penetration testing, constant 
reviews of our system. One of the worries in a situation like 
this is when you make a public disclosure, other people try to 
test and probe. You know, we are under constant attack from 
nefarious actors.
    So I can go through other things, but that is a high-level 
summary of the steps taken.
    Chairman Crapo. All right. Thank you very much.
    I would like to talk about the consolidated audit trail for 
just a moment. The consolidated audit trail, or CAT, is an 
issue that has been important to me and many Members of the 
Committee for a number of years. Once implemented, CAT will 
capture customer and order event information from the time of 
the order inception through execution. Such information will 
also include personally identifiable information. As I 
mentioned, I am concerned by the Government's collection of 
such information.
    Do you believe that this data must be collected? And if so, 
how can you assure that it will be adequately protected?
    Mr. Clayton. I do believe that data of the type we are 
discussing in CAT is very valuable to our oversight role. If 
you look at insider trading or monitoring of investment 
managers, broker-dealers, this type of data enables us to 
detect insider trading that we would not have been able to 
detect in the past. It enables us to prioritize our examination 
efforts. It is important.
    That said, when I got to the Commission and investigated 
the CAT system as a person responsible for it as opposed to 
someone from the outside, I quickly made the decision that we 
do not want to take sensitive data that we do not need to 
further our mission, and we need to examine that data. We also 
should not take any sensitive data unless we can protect it, 
and I felt that way a month ago, 2 months ago. I feel that way 
even more so today.
    Chairman Crapo. All right. Thank you.
    Senator Brown.
    Senator Brown. Thanks, Mr. Chairman.
    Equifax, as we know so well, waited 6 weeks to disclose its 
cyber breach. The personal identifiers of 143 million Americans 
were in the hands of criminals, as we know. Companies may often 
say if a matter does not have a material impact on its 
financial results, they do not need to disclose it to investors 
and the public. Is materiality the right disclosure standard 
when a company has a breach and Americans' personal information 
is stolen?
    Mr. Clayton. Senator, I believe materiality is the core of 
our disclosure system. I believe it is the touchstone. Going to 
your question about whether companies are making the right 
materiality assessment, I think that is a very good question.
    Senator Brown. So when it is left in the hands of the 
company, with the SEC, just from that response, it does not 
seem as engaged maybe in this question and this issue as we 
might like. They may continue this kind of behavior.
    Mr. Clayton. Companies should be disclosing more. I am not 
going to talk about a specific company or a specific set of 
circumstances. That is inappropriate in my position. As I look 
across the landscape of disclosure--and I have been saying this 
for some time--companies should be providing better disclosure 
about their risk profile. Companies should be providing sooner 
disclosure about intrusions that may affect shareholders' 
investment decisions. And I also believe that across the 
landscape of our markets, not just company by company or 
regulator by regulator but across our markets, there should be 
better disclosure as to the cyber risks we face.
    Senator Brown. So you would totally disagree with Equifax's 
decision to withhold that information for those several weeks, 
citing materiality, if they were?
    Mr. Clayton. Senator, I am not going to get into a 
particular company's decision or nondecision.
    Senator Brown. So you cannot say to this Committee that 
Equifax was not wrong in withholding this information? 
Irrespective of the executives that dumped their stock, forget 
that for a moment. You cannot say to this Committee they were 
wrong in withholding that information?
    Mr. Clayton. It would be inappropriate for me to comment on 
that matter, that specific matter. Let me say this about making 
the decision on when to disclose: We expect people to 
constantly assess--when they have notice of a cyber breach, we 
expect people to constantly assess whether that breach is 
material to investors and, when they determine that it is, make 
appropriate disclosure promptly.
    Senator Brown. Well, that is a pretty big concern. If a 
company did what they did and the Chair of the SEC is not 
willing to be critical of that, that is a concern to a lot of 
us.
    Let me move to another part of Equifax. This morning, 
Equifax announced its CEO is retiring. Two weeks ago, the CIO 
and the chief security officer retired. Do you think it is 
appropriate, Mr. Chair, for the executives who ran the company 
during the massive breach, that they get to retire and keep 
their bonuses and stock awards?
    Mr. Clayton. Again, Senator, that is a specific matter, a 
matter that may come before the Commission, may come before me 
to make decisions. It would be inappropriate for me to comment 
on that specific matter.
    Do I believe that if executives have profited from a high 
stock price that is the result of failure to disclose other 
acts that are clearly violations of our securities laws, should 
there be an ability to get back those gains? Yes, I do.
    Senator Brown. And you think the clawback should be ordered 
by the SEC, not relying on the board, as Wells Fargo apparently 
did?
    Mr. Clayton. As you know, there is a pending rulemaking in 
this regard, and we are looking at that.
    Senator Brown. And isn't it time the SEC finished the 
Dodd-Frank clawback rule?
    Mr. Clayton. It is one of many mandates. I intend to finish 
the mandate. There is a prioritization. I am going to be very 
open with this Committee and the American people in the 
Regulatory Flexibility Agenda about our priorities, and I 
welcome your continued input on how we prioritize those.
    Senator Brown. And you understand the American public in 
case after case after case feels this Government let it down 
when executives through massive incompetence, which may have 
been all it was with Equifax, or fraud, if the failure to 
disclose contributed to the executives dumping their stock, you 
understand the American public's anger with the fact--forgetting 
anybody going to prison, I get that; but not even clawbacks for these 
executives, you understand the American public's outrage about 
that?
    Mr. Clayton. Yes, I do.
    Senator Brown. OK. Glad to hear it. Thank you.
    Chairman Crapo. Thank you.
    Senator Scott.
    Senator Scott. Thank you, Mr. Chairman. And thank you to 
Chair Clayton for being here this morning, and thank you for 
your important work.
    I once had to answer to the SEC as a financial 
representative, and it was never fun to have you guys walk into 
the office and share your valuable time with those of us in the 
business. However, I do think it is important for us to 
recognize the fact that the fiduciary rule has had a negative 
impact on many Americans. The average South Carolinian has less 
than 1 year's salary in their retirement accounts. Restricting 
access to professionals in the financial industry has a 
negative impact on the resources available to the average 
American for retirement, and the last thing we need to do at 
this point is to find ways to get experts out of the household, 
which is the unintended consequence of the fiduciary rule from 
my perspective.
    There was a survey of 600 financial advisers. They found 
that 75 percent of the professionals whose clients have 
starting assets under $25,000 will take on fewer small accounts 
due to increased compliance costs and legal risk under the 
DOL's rule. These folks desperately need the experts to make 
good, sound financial decisions.
    I was pleased to see the 18-month delay, so my question to 
you is: What more can you tell us about your coordination with 
the DOL on the fiduciary rule and the 18-month delay?
    Mr. Clayton. Yes, thank you, Senator. I want to thank 
Secretary Acosta for reaching out to the SEC in this regard, 
reaching out to say we should work together on this. And I 
believe we should work together.
    With respect to steps we have taken, I have issued a 
request for updated views from investors and from industry 
participants on the effects of the DOL rule and what we should 
do going forward in terms of standards of conduct. We are 
reviewing the information received. I have made it clear that, 
based on what I know to date, there are a couple of things that 
I want to make sure are reflected in any rulemaking, including 
joint rulemaking, we do in this regard, including with the 
State regulators:
    First, that investors of the type you describe have choice, 
that they are not pushed into a narrow set of circumstances as 
a result of whatever steps we take;
    Second, that there is clarity, that investors know the type 
of person they are dealing with, and they know the obligations 
owed to them;
    Third, that there is consistency. If you have two different 
types of accounts--a retirement account and a nonretirement 
account--but you are facing the same person, there ought to be 
consistency with respect to those accounts;
    And, last, coordination, that we, the DOL, and the State 
regulators are coordinated in how we approach this.
    And I am very much looking forward to working with the 
Department of Labor as we proceed.
    Senator Scott. Thank you. It certainly is good to have the 
SEC and the DOL working together on such an important issue.
    State insurance regulators are the experts on fixed-income 
annuities. How will you be involving the State regulators?
    Mr. Clayton. I have been in dialogue with the State 
regulators since I got on the job, and they will be part of 
this effort.
    Senator Scott. Excellent. I know I am running out of time, 
so I do want to make two more points, one on the Chicago Stock 
Exchange. The fact that we are looking at Chinese investors 
trying to buy the Chicago Stock Exchange, and you pumping the 
brakes on that decision I think is good. We all would like to 
encourage more FDI, but we need to do it in the most 
responsible way possible, so thank you for your position and 
your perspective on that issue.
    Another issue that seems to be really important these days 
is shareholder resubmissions. Management of public companies 
should be held accountable by their shareholders. A balance 
between both sides ensures productivity and corporate 
transparency.
    That said, I wonder if the scales have not been tipped a 
little bit too far. As of now, we allow for the resubmission of 
shareholder proposals even if nearly 90 percent of shareholders 
have already voted no in the past. That increases costs and 
distracts from long-term thinking, all the while doing little 
to protect investors.
    How are other shareholders impacted by such a low bar for 
proposal of resubmission?
    Mr. Clayton. Senator, I agree with you, this is an area 
that we should be continually examining because shareholder 
access to management is important. There are many times where 
shareholders have made proposals that have gotten traction and 
have led to positive change.
    That said, you identify an issue that you can have: Not 
widely held and idiosyncratic views of a few shareholders cost 
the other shareholders a substantial amount of time and cost 
management a substantial amount of time, which is valuable time 
you do not get back. And we need to continually look at that 
balance in our oversight role.
    Senator Scott. Thank you.
    Thank you, Mr. Chairman.
    Chairman Crapo. Thank you, Senator Scott.
    Senator Tester.
    Senator Tester. Thank you, Mr. Chairman.
    On the topic that Senator Scott just brought up with the 
U.S. stock exchange potential purchase by a Chinese company, I 
hope your review would come back negative in that regard. That 
is just my opinion as a dirt farmer, OK?
    Look, earlier this month, we learned in Montana that 
360,000 people had their private information stolen when the 
Equifax breach happened. To put that in perspective, that is 
over 60 percent of the adults in our State, OK?
    I think if the election said anything last time--and it 
said many things--it said people on the ground, regular folks, 
are tired of folks getting away with apparent wrongdoings. Your 
answer, Chairman Clayton, to the Ranking Member that it was
inappropriate to comment on the 6-week delay, the 6-week delay 
seems a little bit bizarre to me, especially if, in fact, these 
folks dumped stock and tried to--why would they wait 6 weeks?
    Mr. Clayton. Senator, these are good questions. They are 
valid questions.
    Senator Tester. Yeah.
    Mr. Clayton. They are questions that the American public 
should have. In my position as a person who may have to----
    Senator Tester. That is why you do not want to comment, 
because it is your position--you believe firmly that these 
folks need to be held accountable if there is any wrongdoing, 
whether they still have their position or resigned from their 
position? You will, to the full extent of the law, enforce the 
law?
    Mr. Clayton. That is my job.
    Senator Tester. Good. I would just say that what transpired 
here--and I am not in your position, but 6 weeks is way, way, 
way too long. And I just cannot believe that, quite frankly--
and, by the way, Mr. Chairman, I know Richard Smith resigned 
today, but I hope he still comes in front of the Committee. I 
hope you still can get him in front of the Committee next week, 
because I think it is less spending time with his family and 
more of not spending time with us. And I think that is really 
important. And let me give you an example. They spent 6 weeks 
announcing the breach, but his resignation was--papers were 
signed yesterday. It was announced today. And so they could do 
it quicker if they wanted to do it, and I hope that moving 
forward we will be watching, OK?
    As far as the SEC's breach, when in 2016 did that happen? 
What month?
    Mr. Clayton. That is part of our ongoing internal 
investigation.
    Senator Tester. You do not know for sure?
    Mr. Clayton. I do not think we can say for sure.
    Senator Tester. OK. One of the questions the Chairman asked 
you is: What type of defect caused the breach? And you said you 
did not know what that defect was. And it is an honest answer, 
but the question is: What is stopping them from doing it again? 
If you do not know what the defect is and they breached your 
system, it looks to me like they can breach your system anytime 
they want if you do not know what the defect is?
    Mr. Clayton. I will tell you what I do know. I am told it 
was a defect in a custom piece of software for our EDGAR 
system. I am not a computer science expert. It has been a long 
time since I have done programming. But my understanding of 
this landscape, though, is the more custom software is, the 
more likely it is to be vulnerable.
    Senator Tester. So you were able to cut the custom portion 
out that was----
    Mr. Clayton. Your characterization and mine are going to be 
laymen's. I think that is----
    Senator Tester. All right. I got it.
    Mr. Clayton.----fair enough.
    Senator Tester. So you did say that you were in the process 
of a review that would involve--that would determine the scope 
of the breach and the response to that scope. What is your 
timeline for that?
    Mr. Clayton. I cannot give you a timeline. I have 
experience with these kinds of investigations. One of the 
things we are constrained by is, you know, you have got to pull 
a lot of data to look at this, including in terms of scope.
    Senator Tester. Yeah. Just let me ask you this: Do you feel 
that this is an urgent matter?
    Mr. Clayton. I do.
    Senator Tester. So when there are not definite timelines, 
it has been my experience that these things go on forever. And 
I would hope that you as Chairman of the SEC will put the 
screws to these folks and make sure that they are getting this 
job done so we can find out what is going on. This is a big 
deal.
    Mr. Clayton. I will, and I have already involved the Office 
of Inspector General.
    Senator Tester. OK.
    Mr. Clayton. Because they should be looking at this as 
well.
    Senator Tester. One other thing: DOL fiduciary rule. And 
Senator Scott said that you were working together to harmonize 
those rules. I was thinking about something else. I did not 
pick that up. I just want to confirm that. Are you working with 
the DOL to harmonize that fiduciary rule so that people do not 
get ping-ponged back and forth between two rules?
    Mr. Clayton. Yes.
    Senator Tester. OK. And do you anticipate--that harmonized 
rule will be out when?
    Mr. Clayton. This is a priority for me. Everything cannot 
be a priority. This is a priority for me.
    Senator Tester. Well, you have got a lot of people that 
work for you, so you can have more than one----
    Mr. Clayton. Yeah, we are pushing this one. This is the top 
of my list in that area of the Commission.
    Senator Tester. Thank you very much.
    Chairman Crapo. Thank you, Senator.
    Senator Kennedy.
    Senator Kennedy. Thank you, Mr. Chairman, and Mr. Chairman.
    You said you found out about the SEC data breach in August 
of this year?
    Mr. Clayton. Yes, sir.
    Senator Kennedy. When did the SEC find out about it?
    Mr. Clayton. In 2016.
    Senator Kennedy. Did Chairwoman White know about it?
    Mr. Clayton. What happened in 2016 and who knew about it is 
going to be the subject of this review that I have asked the 
Office of Inspector General to--I have no belief sitting here 
that Chair White knew about this.
    Senator Kennedy. Well, when you found out about it in 
August of 2016, how did you find out about it?
    Mr. Clayton. Our Division of Enforcement had an ongoing 
investigation. Information that they gained in connection with 
that investigation caused them to question whether there had 
been a breach of our system. And that is the time I launched an 
investigation.
    Senator Kennedy. And when did they raise that question?
    Mr. Clayton. When did they raise that question?
    Senator Kennedy. When did they raise the question that 
there might have been a data breach?
    Mr. Clayton. They raised it to me in August of this year.
    Senator Kennedy. Did they raise it at 10 o'clock in the 
morning and then call you at 11:00? Or did they know about it 
for a while?
    Mr. Clayton. I think they raised it promptly upon learning 
about it, but, you know, again, our response to this matter is 
something that I am concerned about and want to get to the 
bottom of.
    Senator Kennedy. Well, this bed was on fire when you laid 
down in it. I am not blaming you. Did Chairwoman White tell you 
about this breach when she was leaving and say, ``This is 
something you need to worry about''?
    Mr. Clayton. No, no. Like I said, I have no indication that 
Chair White had knowledge of this breach.
    Senator Kennedy. OK. Will you at some point tell us when 
the SEC first learned about the breach--not when you were first 
notified, but when the SEC first learned about the breach?
    Mr. Clayton. Yes, I have asked the Office of Inspector 
General to look into this matter. Those are questions I want to 
know the answer to, because they are going to help us do better 
going forward.
    Senator Kennedy. OK. Is there any possibility, realistic 
possibility that the SEC knew about this breach in 2016 and did 
not disclose it?
    Mr. Clayton. I do not want to go there. I want to wait 
until the facts come out.
    Senator Kennedy. OK. That is fair.
    Let me ask you about the Equifax breach. After the company, 
Equifax, learned about the data breach, several senior 
executives sold stock. Was that insider trading?
    Mr. Clayton. I am not going to comment on that specific 
matter for the reasons that I have discussed.
    Senator Kennedy. Are you going to investigate it?
    Mr. Clayton. We do not comment on investigations, including 
whether they are actually pending.
    Senator Kennedy. Well, you are not going to ignore it, are 
you?
    Mr. Clayton. I am not ignoring this. I am not ignoring this 
or other events like it.
    Senator Kennedy. So I take it you are neither confirming 
nor denying that there is an investigation?
    Mr. Clayton. That is correct.
    Senator Kennedy. OK. Well, if you decide--and I am not 
suggesting----
    Mr. Clayton. It has been our policy for a long time. I want 
to say that, you know, the internal investigation is going on.
    Senator Kennedy. Sure. I understand.
    Mr. Clayton. I needed to disclose that one. I want to stick 
with our policy with respect to third parties.
    Senator Kennedy. It is the anti-Comey rule. I understand.
    Well, let me put it this way: I am not suggesting you will 
not investigate, but if you decide not to investigate, would 
you let us know so we can investigate?
    Mr. Clayton. I think that is a fair question.
    Senator Kennedy. OK. Fair enough. And I am not accusing 
anybody of anything. I am really not. But there is more than 
just the data breach involved here. There is the sanctity of 
our equity markets as well. And I am not accusing anybody of 
anything. I think the executives are taking the position that 
they knew nothing, saw nothing. This was just a coincidence. 
And that may well be, but trust and verify. And I am glad to 
hear that you are investigating.
    Mr. Clayton. Thank you.
    Senator Kennedy. I am about out of time. You know what 
strikes me and I think many Americans as curious about the 
credit reporting agencies? I did not hire them. I did not hire 
them to collect information about me. I mean, they do not 
represent me. They represent business, which I understand. But 
I did not hire them to collect all this information. And now 
all of a sudden my information is out there somewhere on the 
dark web. And it seems to me at some point, Mr. Chairman and 
Mr. Ranking Member, that that is something we need to talk 
about in this Committee, is what the role the credit reporting 
agencies play and to whom do they have an obligation.
    Well, I am going on too long. Thank you, Mr. Chairman.
    Mr. Clayton. Thank you.
    Senator Kennedy. This is more interesting than practicing 
law, isn't it?
    Mr. Clayton. Some days.
    Senator Kennedy. Yes.
    Chairman Crapo. Thank you, Senator.
    Senator Warner.
    Senator Warner. Thank you, Mr. Chairman.
    Let me, first of all, echo what Senator Kennedy has just 
said, the whole notion of the credit rating agencies and the 
public's ability to--we have no ability to opt-in to these 
systems. We are part of these systems, whether we like it or 
not. You know, I am often asked in my job on the Intelligence 
Committee what I think the single greatest vulnerability our 
country faces is, and I believe it is cybersecurity. And I 
believe we do not have a whole-of-Government or whole-of-
society approach on cybersecurity.
    In recent times we have seen Russia take unprecedented 
action attacking 21 of our States' voting systems. We have seen 
our social media platforms being manipulated with false 
information in the first, I think, shots of disinformation and 
misinformation campaigns, at least indirectly related to cyber.
    I appreciate you, Mr. Chairman, coming forward with the 
recognition of the EDGAR system breach. I wish it would have 
been done quicker, although as has been pointed out, this is 
not in isolation. We have seen OPM and a series of other 
governmental breaches.
    I think Equifax is a travesty. I think the fact that the 
resignation of the CEO is by no means enough. I would say--and 
I understand your reluctance to acknowledge whether there is an 
investigation. Your colleagues at the FTC, who also have a 
process in place where they normally do not reveal an ongoing 
investigation, have felt that this was so serious that they 
acknowledged that there was an investigation going on. And the 
Equifax breach is so egregious, one, in terms of the sloppiness 
of their defenses; two, in terms of the fact that this was 
clearly a knowable vulnerability, they had known for months, 
and if they had simply put a patch in place, we might have 
precluded this. And then to add insult to injury, Equifax, when 
it put up the site to direct consumers after the breach, that 
site was not properly domain registered and was known to have 
vulnerabilities in its site itself.
    So if we do not send a very, very strong message--now, the 
market has already taken I think 25 percent off its market 
value. But I question whether Equifax has the right to even 
continue providing these services with the level of sloppiness 
and lack of attention to cybersecurity.
    I would also point out--and Senator Brown raised this 
question--this is not the first time. I mean, Yahoo last year, 
500-million-user breach, and Yahoo did not believe that it was 
material enough to even report. My investigation has shown with 
9,000 public companies, we have had less than 100 companies 
since 2010 feel that any level of cyber incursion was 
significant enough to meet that materiality standard to notify 
the public. I find that absolutely unacceptable.
    I know Senator Brown asked that, but, Mr. Clayton, do you 
want to make any other further comment about what the SEC might 
be looking at in terms of reviewing these materiality standards 
as it relates to cybersecurity?
    Mr. Clayton. Yes, I do. I agree with you generally. I do 
not think there has been enough disclosure around, as I said, 
the risk profile of companies with respect to cybersecurity. 
Where are the risks? What are the vulnerabilities? What do we 
know and not know? And then if there are breaches, the 
disclosure of those specific breaches. I do not think that 
there has been adequate disclosure in that regard.
    Senator Warner. Well, my hope would be that this would be 
something--I know I am very interested in it, and I think 
across both sides of the aisle, we would like to work with you 
on--whether we need legislative actions or whether we work with 
you as an entity.
    Let me move to one other topic. I think back in 2014 you 
created something called Reg. SCI, which looks at systems. I 
have prodded you repeatedly with letters and other items, both 
during your tenure and before your tenure, let me make clear. 
And this goes to the technical and risk standards of some of 
our market structures. It also includes cybersecurity.
    Currently, the SCI regs only apply to stock and option 
exchanges, registered clearing agencies, and certain 
alternative trading systems. We have, in my view, left out dark 
pools, alternative trading systems, Treasury markets, other 
trading platforms. And I feel if we had much more disclosure 
about what SCI--which market structures were covered, then 
shareholders and others could vote with their shares and move 
their transactions onto platforms who met these minimum 
standards rather than having this what I believe is kind of 
half coverage and half the market not coverage.
    I know we are out of time, but could you address the 
question of whether you will take a fresh look in terms of the 
SCI regulations about expanding to other parts of market 
coverage.
    Mr. Clayton. I thank you for your letter, which just by 
happenstance I read last night, and I agree with you that we 
need to look at those other important venues in our equity 
market system to see if they should be reporting on the same 
basis, and also as you raised in your letter whether the public 
has enough information about which entities are subject to Reg. 
SCI.
    Senator Warner. Mr. Chairman, I think that would be very 
important that we get that information out, because then 
responsible entities can vote and move to areas that have this 
kind of minimum protections in place.
    Thank you.
    Senator Brown. [Presiding.] Senator Rounds.
    Senator Rounds. Thank you, Mr. Chair.
    Good morning, sir.
    Mr. Clayton. Good morning.
    Senator Rounds. Some of my colleagues have already raised 
the issue of cyber attack against the SEC, the target of the 
SEC's electronic system for filing the corporate disclosures 
and reports. I know that this incident occurred before your 
nomination and confirmation, but I would like to hear your 
thoughts on what this incident might suggest about our 
Government's broader posture with regards to cybersecurity.
    I know it is difficult for any one agency to adequately 
protect itself against these kinds of intrusions, and sometimes 
the level of expertise necessary would help a number of 
different agencies and departments. From what you currently 
know about the attack that took place, do you feel like you 
have adequate resources to protect yourself in the future? And 
does there need to be more of a cross-cutting or interagency 
effort to prevent these serious intrusions in the future?
    Mr. Clayton. Senator, I do believe we need additional 
resources going forward. I think that this is an area and a 
data point I use to describe this to people. Let me take a step 
back.
    Other people in my position and in similar positions in 
other agencies feel the same way I do, which is that this is a 
risk to our agencies, it is a risk to the markets or the areas 
of the economy that we regulate and oversee. I believe we will 
need more resources going forward. If you will look at the 
resources that private actors in our capital markets devote to 
information technology and cybersecurity as part of that, 
single actors dwarf the amount that we have available to spend 
in this area. To me that just tells me we are a bit out of step 
and we need to up our game.
    Senator Rounds. If you take a look at the--I think the 
EDGAR system is your current system that is going to remain in 
place, and, basically, as indicated in your earlier testimony, 
it is complex. It has been modified; it has been customized. 
And based upon the information you have received, that makes it 
probably a little bit more vulnerable than some other types of 
larger systems that basically have a number of the patches put 
together before they ever end up in the public's hands or in 
agencies' hands.
    You have also got another system coming on board, the CAT 
system, the comprehensive audit trail, which will be coming in. 
I presume the two of them will be compatible or at least 
operational at the same time. When that happens, you will also 
have a huge amount of information that will be found at one 
location, including a lot of information about investors, their 
personal information and so forth, that you will have on the 
system itself.
    Is it time to say time out and to make darn sure that the 
new systems coming on board have been--naturally, we would do a 
vetting process anyway, but is it time to actually have those 
second and third opinions on this type to make sure that we 
have done everything we can to protect this very valuable data 
before we go online and then find out that there needs to be a 
few more patches made? What are your thoughts on this process 
of actually implementing the CAT system in the future?
    Mr. Clayton. Two responses. One, since I got to the 
Commission and learned more details about the CAT, as I said 
before, it has been clear to me that we do not want to be 
taking data from the CAT unless we need it and can protect it.
    With respect to whether we should have a time-out, I do not 
think a full time-out on the CAT makes sense. There is a lot of 
data that already exists that we can be collecting that will 
further our oversight and regulatory mission. But we should be 
examining whether we do, indeed, need that data. We can rank 
that data, we can phase in the CAT, and we should be doing--it 
is not a zero-one on-off, no pun intended, but we should be 
doing the kind of critical thinking that you are asking me to 
do in how we bring it online and how we sequence what we do.
    Senator Rounds. Do you have the resources to do that 
vetting process today?
    Mr. Clayton. That vetting process is a prerequisite. So if 
I do not have them, that will be time-determinative on how it 
comes online.
    Senator Rounds. OK. Let me turn to one other subject. I 
understand that certain Federal Reserve Bank capital 
regulations may be inadvertently causing some liquidity 
concerns in the listed options market that the SEC regulates. 
Will the Securities and Exchange Commission commit to working 
with interested parties on a solution and to make this a 
priority?
    Mr. Clayton. Liquidity in the options area----
    Senator Rounds. Within the listed options market.
    Mr. Clayton. It is not just important for the options 
market. It is important for all of our markets. So, yes, if 
there is a liquidity issue in the options market, it can affect 
the cash equities market. And it is important that we focus on 
it.
    Senator Rounds. More than willing to work with----
    Mr. Clayton. More than willing to work--it is an important 
issue.
    Senator Rounds. I appreciate it. Thank you, sir.
    Senator Brown. Senator Warren.
    Senator Warren. Thank you, Mr. Chairman. And thank you for 
being here, Chairman Clayton.
    In one of your first speeches as Chairman, you noted that 
there has been ``a 50-percent decline in the total number of 
U.S.-listed public companies over the last two decades,'' and 
you said that this decline was ``a serious issue for our 
markets and the country,'' and you wanted to encourage more 
companies to go public so more ordinary investors or ``Mr. and 
Mrs. 401(k),'' as you called them, could get opportunities to 
invest in emerging companies. And you used this rationale for 
arguing that we should review and possibly reduce the 
disclosure burdens on public companies.
    Now, I want to understand your thinking on this. You 
compared the number of public companies today with the number 
of companies in 1996 and 1997. That was your comparison point, 
which, as you know, was the height of the dot-com boom. And as 
you know, there was a sharp increase in the number of public 
companies leading up to the 1996 and 1997 years, and then a lot 
of those companies failed over the next few years, leaving Mr. 
and Mrs. 401(k) losing a whole lot of money.
    So when you picked 1996 and 1997 as your target years for 
comparison, were you arguing that those were the ideal market 
conditions for ordinary investors?
    Mr. Clayton. I am happy to pick any period over the last 
20--any 5- to 7-year period over the last----
    Senator Warren. Well, if you are happy to pick any period, 
if you pick other periods, you are not going to come up with 
the same conclusion you have.
    Mr. Clayton. I think I would. I think that trend has been----
    Senator Warren. No, I do not think so. Let us talk about 
the trend. But I take it what you are saying is you do not wish 
to re-create the bubble that wiped out billions of dollars of 
investor value 20 years ago?
    Mr. Clayton. No, I definitely do not.
    Senator Warren. OK. So let us look at the trends then since 
the dot-com bubble popped. There has been a slight decline in 
the number of public companies since then. Most of the evidence 
shows that that is primarily because of an increase in mergers 
and acquisitions. So if you want more public companies, then I 
hope you are soon going to give a speech supporting stronger 
antitrust enforcement. But let us just look at the IPOs since 
that has been your focus.
    You said you want to get more investors involved in 
emerging companies, which is why you want to see more companies 
going public. Now, in 1996, the peak of the dot-com bubble, 
there were 624 IPOs with a total of $36 billion in deal volume. 
From 2012 to 2016, there were about half that number of IPOs, 
but the average annual deal volume was higher than it was in 
1996.
    In 2014, IPOs raised $96 billion, nearly triple the total 
debt volume in 1996. So, in other words, in the last few years, 
people are investing more money in IPOs than they did even at 
the height of the dot-com boom. So if your primary focus is on 
investors, not on the bankers and the deal lawyers who make 
money on each of these IPOs, why do you care if there are fewer 
IPOs so long as IPOs overall are attracting more investor 
dollars?
    Mr. Clayton. Because I believe that those IPOs--here 
[indicating] is a company's growth curve. I believe those IPOs 
used to happen here [indicating], and if you invested in a 
portfolio of companies that were down here [indicating], as 
part of your overall investment strategy and as they go up the 
growth curve, you as a retail investor were better off than 
getting on up here [indicating] where the company is mature and 
not growing as much.
    Senator Warren. Well, I appreciate that that is your point 
of view, but have you looked at the data on this? Because the 
data show that having fewer but bigger IPOs is better for 
investors. The IPO companies now tend to have more revenue. 
They tend to perform better in the long run than in the past 
when there were more IPOs and more failures, which looks to me 
like a positive outcome for Mr. and Mrs. 401(k).
    Mr. Clayton. Well, it is a concern to me, Senator--and I 
understand different people have different perspectives on 
this. It is a concern to me that on the growth curve, most of 
that money--I should not say most of the money. A substantial 
portion of that money is private money, and those investors 
have done very well, and in many cases relatively much better 
than----
    Senator Warren. Well, I am sorry. All I can do is look at 
the data, and what the data show us is that the later--the IPOs 
now are performing better for investors and less likely to wipe 
investors out.
    Let me just state my concern here, Chairman Clayton. You 
are using the decline in IPOs to argue that there is something 
wrong in the market and that our rules and regulations are 
making it too hard for companies to go public. But the data 
show that investors are putting more money into IPOs now than 
ever before, and that those IPO companies are doing better for 
investors because they are more stable before they come to 
market.
    Loosening the disclosure and the registration requirements 
may make life a whole lot more profitable for a handful of 
bankers and for corporate attorneys who just want more IPOs in 
the system, but there is no evidence that it will make life 
better for investors. And it is investors, not bankers and 
lawyers, who you are supposed to be watching out for at the 
SEC.
    Mr. Clayton. I understand that.
    Senator Warren. Thank you, Mr. Chairman.
    Chairman Crapo. [Presiding.] Senator Schatz.
    Senator Schatz. Thank you, Mr. Chairman.
    Commissioner, thank you for being here. You said 
materiality is the core of the system of disclosure. I agree. 
You said companies should disclose more. I agree. I want to 
talk a little bit about the risk of climate change and severe 
weather events.
    In the last 35 years, the average number of inflation-
adjusted $1 billion severe weather events was about 5 1/2 per 
year. In the last 5 years, it has doubled. Now, I know in 2010 
the SEC provided some guidance about climate disclosure, but 
not much additionally has happened. So I want you to talk about 
how you view climate change and its materiality, because it is 
becoming increasingly clear that we cannot ignore these severe 
weather events and the impact that they have on publicly traded 
companies.
    Mr. Clayton. I do believe--and there are a number of 
industries where, if there are patterns and changes in weather 
events, these type of things--those developments do have 
impacts on companies that should be disclosed. And they have 
impacts in many ways, the weather events, the recurrence of 
them. You know, are we experiencing increased loss? This is 
something that--trends in increased loss, that is something 
investors should know about.
    Regulatory responses to those events. If there are 
regulatory responses to those events that are going to affect 
those companies, those companies should discuss them. I believe 
that.
    Senator Schatz. Do you think the SEC is doing enough to 
require this disclosure?
    Mr. Clayton. We have issued guidance around this. We have 
guidance in a number of areas. I regularly--I cannot say every 
day, but on a fairly regular basis--discuss with the Division 
of Corporation Finance whether our guidance in this area, 
whether our guidance in the cybersecurity area, whether our 
guidance in other areas should be updated, emphasized, or, you 
know, otherwise changed.
    Senator Schatz. OK. I understand you are in conversation. 
What is your current thinking about this?
    Mr. Clayton. My current thinking is that the guidance is 
good. That is my current thinking, but we should continue to 
look at it. Senator, I agree with you that there are industries 
that need to pay close attention to these trends.
    Senator Schatz. Let me give you a specific example, if you 
would not mind. Valero Energy's 10-K filing for 2016 states, 
``. . . some scientists have concluded that increasing 
concentrations of greenhouse gas emissions in the Earth's 
atmosphere may produce climate changes that have significant 
physical effects, such as increased frequency and severity of 
storms, droughts and floods, and other climate events. If any 
such effects were to occur, it is uncertain if they would have 
an adverse effect on our financial condition and operations.''
    At the end of August of 2017, Hurricane Harvey, one of the 
strongest Atlantic storms in history, shuttered over 20 percent 
of the U.S. oil refinery industry, including five refineries 
owned by Valero. These refineries usually produce 1.1 million 
barrels a day, which is a third of Valero's total capacity. A 
week after the hurricane, Valero's refineries were not back 
online.
    Does it seem like Hurricane Harvey had a material adverse 
effect on Valero's financial condition?
    Mr. Clayton. I do not know the numbers, but it would not 
surprise me if an event of that type would have an adverse 
effect on a company's financial condition.
    Senator Schatz. Do you think that the SEC is doing enough 
to require disclosure from some of these companies? It seems to 
me that part of the problem is politics, that people do not 
want to--not for you, but for these companies, they do not want 
to weigh into something that is the subject of some 
controversy. And the other problem is that just institutionally 
the SEC measures risk that can be measured, that is customarily 
measured, and that this is a relatively new risk that people 
are, scientists are essentially stipulating to, and that the 
systems in the SEC and elsewhere in the financial services 
industry everywhere is actually not equipped to evaluate this. 
And so what we do is we book it at zero. We assume it does not 
exist because it is difficult to assess. When you assess 
political risk, regulatory risk, other risks that may be 
material, you have a way to get at that. But climate risk in 
the financial context is new, and so I would just ask that--
2010 is actually a long time ago when it comes to our thinking 
about climate, and it is certainly a long time ago when it 
comes to the fiscal impact both on the public and the private 
sector when it comes to severe weather.
    So I do not think that 2010 guidance suffices, and I would 
just encourage you to maintain an open mind in this space and 
devote some staff time to articulating how we are going to 
quantify the adverse impacts of climate change on the industry.
    Mr. Clayton. I will.
    Senator Schatz. Thank you.
    Chairman Crapo. Thank you.
    Senator Perdue.
    Senator Perdue. Good morning, Mr. Clayton. Thank you for 
being here.
    I have got a concern, basically a reservation with the fact 
that SEC staff today do not have to abide by some of the same 
stringent security protocols that other users of the CAT 
database are required to abide by. The GAO has previously 
identified a few weaknesses related to the SEC's cybersecurity 
protocols. Can you give us an update on how you are addressing 
those concerns that the SEC has raised at this point and also 
the other safeguards around the NMS plan as well?
    Mr. Clayton. OK. Senator, I want to make this clear. With 
respect to the CAT, we are not going to take the data unless we 
need it and unless we can protect it. And with respect to your 
specific question about whether our security protocols for 
individuals are not as stringent as they should be, I do not 
have an answer to that right now, but I----
    Senator Perdue. Do you agree with that conclusion? I know 
you are new on the job.
    Mr. Clayton. But they should be.
    Senator Perdue. But do you have a position yet, do you know 
yet whether they are, whether you agree with the GAO's 
conclusion on that?
    Mr. Clayton. I do not have a position on that now, but I 
think that we should be mindful of any guidance from the GAO 
as----
    Senator Perdue. But you are looking at it today.
    Mr. Clayton. Yes.
    Senator Perdue. And will you come back to this Committee on 
that when you get more information, when you have a conclusion?
    Mr. Clayton. I am happy to.
    Senator Perdue. Great. The second part is the same sort of 
concern. Under the JOBS Act, companies with revenues under $1 
billion are permitted to confidentially file IPO and secondary 
offering statements that would not be released to the public 
until 15 days before the road shows. Recently, under your 
leadership this ability has been extended to companies of all 
sizes. In your view, can you describe the advantages of a 
confidential filing how to improve our increasingly more 
complicated IPO process?
    Mr. Clayton. The confidential filing process greatly aids 
companies when they are transitioning to public companies, and 
we want companies to transition to public companies. They are 
better companies. When they have public company financial 
statements, when they go through the process of the SEC 
disclosure process, they do become better companies.
    Letting the world see all of your financials and all of 
your strategies and all of your risks long before you go public 
causes some companies to pull back from that.
    I am very comfortable and, in fact, think it is a great 
idea that we allow companies to confidentially submit that 
information so that it can be reviewed, we can comment on it, 
we can tell them where they need to improve; and then with 
plenty of time for investors to assess that information, make 
it public before the IPO. I think it is a very smart move that 
in no way lessens investor protection and actually increases 
the number of opportunities investors have.
    Senator Perdue. Thank you. I just have one last quick 
question. The conflict minerals rule, I know that is under 
review right now. Can you give us an update on how you guys are 
looking at that right now?
    Mr. Clayton. Well, there was a court determination that 
part of the rule had a First Amendment issue with it. The rule 
is on the books. We have issued no-action guidance in how to 
comply with the rule in the interim. We are now reviewing the 
rule, the no-action guidance, in light of the court case. That 
is where it stands.
    Senator Perdue. OK. Thank you.
    Thank you, Mr. Chairman.
    Chairman Crapo. Thank you, Senator.
    Senator Van Hollen.
    Senator Van Hollen. Thank you, Mr. Chairman. Thank you for 
your testimony.
    I want to pick up on some of the questions that Senator 
Brown asked regarding materiality. You indicated that you 
thought that the triggering event for disclosure would be 
whether there had been a material change in the circumstances 
of the company, right?
    Mr. Clayton. Yeah, that is generally----
    Senator Van Hollen. Right. And I understand you do not want 
to get into the Equifax situation, but you would agree--I am 
not talking about any company--that if, in fact, there was a 
material change, it would be wrong for executives of that 
company to then knowingly trade stock before they had made any 
disclosure, right?
    Mr. Clayton. Yes, sir.
    Senator Van Hollen. OK. So I want to get to what 
materiality means, because I do not believe the SEC has any 
definition, at least in the context of a cybersecurity breach. 
Is that right?
    Mr. Clayton. I think the general definition of 
``materiality'' does apply to the cyber context.
    Senator Van Hollen. No, I do not mean that the concept does 
not apply, but there is no standard or definition of how to 
apply the concept of materiality to a cyber breach. So, for 
example, the SEC does not say if a cyber breach would result in 
the disclosure of, you know, X amount of information about 
customers and that could lead to a significant change in the 
value of a company, the SEC does not itself have that?
    Mr. Clayton. That is correct. There is no prescriptive 
disclosure of this many people for this long--we do not have 
that type of----
    Senator Van Hollen. So it is kind of you know it when you 
see it. Is that the idea?
    Mr. Clayton. That is correct.
    Senator Van Hollen. But does the SEC bring these kind of 
materiality cases for failure or violation of 8-K disclosure?
    Mr. Clayton. We do.
    Senator Van Hollen. OK. Well, let me ask you, if you agree 
that it is wrong for people to knowingly trade on information 
that is material but has not been disclosed, would you agree 
that once a company has decided something is material, that 
their executives should not be trading that stock, between the 
time they decided it is material and the time they actually 
file a disclosure to the public, which is now a 4-day period, 
potentially?
    Mr. Clayton. I am going to be very careful. I think what 
you are asking is a control issue. Should there be a control in 
place to ensure that when a decision has been made at a company 
that there has been a material event and there is going to be a 
disclosure, that the company has in place a control to prevent 
people----
    Senator Van Hollen. Yes, that is exactly what I am 
suggesting. Wouldn't that make sense?
    Mr. Clayton. I think it is a very good question and a fair 
question. Whether that is an area--whether that is an area that 
goes into insider trading or whether it goes into a control 
failure is something that we need to----
    Senator Van Hollen. I understand. It seems to me there 
should be a presumption that once a company has decided there 
has been a material change and before they disclose that to the 
public, there should be just a rule that executives do not 
trade that stock. Doesn't that make sense in terms of 
protecting the markets?
    Mr. Clayton. Having a--I am going to--I do not want to 
comment on any specific company, and----
    Senator Van Hollen. No; I understand. I am not asking about 
a particular company.
    Mr. Clayton. Most companies have insider trading policies. 
Having a thoughtful insider trading policy with controls of the 
type you are suggesting is an important part of good corporate 
hygiene.
    Senator Van Hollen. Well, let me look. I am working with--
Congresswoman Maloney on the House side has a proposal. We are 
working on it with her. But there is a whole question about 
when you determine materiality. Right? We were talking about 
that. But it seems like a no-brainer that once a company has 
determined that there has been a material change and before 
they have notified the public, which they have 4 days to do, 
you would require them not to sell stock. Why isn't that just 
obvious?
    Mr. Clayton. I like the concept. When I was in the private 
sector, I put the concept into insider trading policies that, 
for example, a general counsel would be somebody that a set of 
executives had to clear all trades with. Those are types of 
things--those are types of----
    Senator Van Hollen. Let me just say, so there was a study 
done back in September 2015 by Alma Cohen at Harvard Law 
School, Robert Jackson at Columbia Law School, Joshua Mitts, 
and others have done studies that showed what they called the 
8-K trading gap, which is that executives have made money 
during this 4-day period, or whatever time elapses between a 
decision that some material change has been made and 
disclosure. Do you agree that it is wrong for executives to be 
making money during that period based on information they have 
about materiality?
    Mr. Clayton. Absolutely.
    Senator Van Hollen. Right. So should there not be a general 
rule that once the corporation has made a decision that 
something is material, that they not be allowed--their 
executives not be allowed to trade during that period?
    Mr. Clayton. I like the concept. I have incorporated the----
    Senator Van Hollen. OK. We will look forward to working 
with you on this----
    Mr. Clayton. We can work on this. We can definitely work on 
it.
    Senator Van Hollen.----because we are working on a bill. 
Thank you.
    Chairman Crapo. Thank you.
    Senator Shelby.
    Senator Shelby. Mr. Chairman, sorry I had to leave the 
hearing, but we all have some other things.
    Chairman Clayton, welcome. I did not have a chance to do 
this. Welcome to the Committee. I missed a lot of the 
testimony, but I hope this has not been one of the questions. 
During your confirmation hearing, you agreed with my 
longstanding belief that a cost-benefit analysis for rulemaking 
was appropriate at the SEC. I believe it is appropriate at all 
agencies. And I appreciate your leadership on this issue.
    What is the SEC doing or trying to do to come forth with a 
meaningful cost-benefit analysis rule? Because rules cost 
money. Sometimes they are really necessary. You know, we need 
them. Sometimes it is an overkill. But we all know and you know 
in your other life that--I do not believe enough work has been 
done in the cost-benefit analysis, and we are talking about 
securities in your area right now. Go ahead.
    Mr. Clayton. Senator, I agree with you that cost-benefit 
analysis is very important in rulemaking, and it is important 
in rulemaking not just in should we have the rule or not have 
the rule. If we have the rule, how should it be crafted? What 
are we getting for this component as opposed to the cost of 
that component? It is not just yes or no, but it is how we 
craft the rule and, importantly, you know, what people are 
going to do to demonstrate compliance. And are we getting the 
best compliance requiring them to demonstrate it that way?
    We want, you know, the best compliance, but we want it to 
be done in the most efficient way to get there, and I very much 
believe that.
    Senator Shelby. Where are you and what are you doing--I 
know you have not been at the SEC too long, and we are glad to 
see you there. But what do you expect to do as far as setting 
the tone and the standards down there?
    Mr. Clayton. This is an area that is of--I do not----
    Senator Shelby. It is a complicated area.
    Mr. Clayton. It is a--I like it because it is complicated.
    Senator Shelby. It is.
    Mr. Clayton. And I like sitting with our economists, and I 
have enjoyed sitting with them and discussing exactly these 
things, including around some of the pending rulemakings that we have. 
So this is a focus. We brought on a new chief economist. I am 
very happy to have him on board. So this is an area that is of 
interest to me, and I agree with you in this area.
    Senator Shelby. I was not here earlier, but it is my 
understanding that the trend of fewer IPOs was mentioned, you 
know, which a lot of us do not like because that seems like the 
economy is not doing as it should. What is your thought on that 
without rehashing everything that has been gone over there? And 
what is the trend and what is the data there? What is the 
information?
    Mr. Clayton. People focus on IPO or no IPO. IPO is the 
water coming into the bathtub. There are going to be reasons 
things are going out of the bathtub. But I want a bigger 
bathtub. I want a bigger bathtub because I want people to have 
more choice. And I do not want--it is very difficult for retail 
investors, either directly by buying stock or indirectly 
through mutual funds, to have access to investment 
opportunities outside of the public capital markets. So on 
balance, I would like a larger public capital market because I 
would like retail investors to have more access to those 
choices.
    Senator Shelby. We have in this country, some people 
believe, $4 to $5 trillion in capital, I will just use the 
term, ``lying around,'' looking for a better investment. Look 
at the savings accounts. You know, people are not getting much 
there. The dividends, the money markets, you know, you name it. 
How can we put a lot of that money to work for the economy? I 
know this is not your total--you are not Secretary of the 
Treasury, but what you do and what your colleagues do at the 
SEC does feed right into our economic growth.
    Mr. Clayton. My aim is more and better investment 
opportunities, but I want to also be clear. A focus for me has 
been retail investor fraud, because while I want to get more 
and better investment opportunities, tamping out those repeat 
actors who prey on----
    Senator Shelby. Get rid of them, absolutely.
    Mr. Clayton. And that is as important, if not more 
important, than increasing the number of opportunities. And so 
we have got to do both.
    Senator Shelby. Bring some confidence back to the retail--
the little person, right?
    Mr. Clayton. Yes, absolutely.
    Senator Shelby. Thank you. And we like what you are doing 
at the SEC. Thank you.
    Mr. Clayton. Thank you, Senator.
    Chairman Crapo. Thank you.
    Senator Heitkamp.
    Senator Heitkamp. Thank you, Mr. Chairman, and thank you, 
Mr. Clayton. Before I start with questions, I think you and I 
had a long conversation about a bill that Senator Heller and I 
had that would create a full-time small business advocate 
within the SEC. You have moved expeditiously to do that, and so 
I want to acknowledge that help and to tell you how critically 
important it is that we have that outreach, because what you 
are trying to do, in your exchange with Senator Warren, is 
really build that opportunity and see that next new startup 
that could, in fact, result in General Motors or Microsoft or 
whatever comes along. With that said--and I think they all 
started in a garage or they all started with a great idea.
    I want to just kind of walk through some of the thinking 
that people in my State have. You know, they think about 
gambling, and they think about Las Vegas, and a lot of them 
think that what you do is about gambling. And they think that 
if they go to Las Vegas, there is a whole regulatory body that, 
if someone cheats, they are going to get caught and the game is 
fair. And if they cheat--or if somebody is rigging the system, 
they have some level of confidence that they are going to go to 
jail.
    I think if you took, you know, gambling, straight up 
gambling--right?--and you used those same kind of guidelines or 
at least benchmarks that people feel about the equity markets, 
I think Las Vegas gets, you know, probably an A, A-minus for 
soundness and security and fairness. And I do not know you get 
an A or an A-minus. I think the equity markets, as best you 
could do, you are probably at a C. And if we do not respond to 
this and if we do not respond to the issues that have been 
raised across the table here on what happens when the public 
out there sees executives trading after a material event--and 
they would not use that language. They would say, ``Here it is 
again.'' You know, ``They make money and we lose money. We 
would have had shares. Had we known it, we would have sold our 
shares. But now we are worth 25 percent less in our 401(k) if 
we held that share.''
    Tell me what we are going to do to convince my retail 
purchaser, which you just talked about, that what you are going 
to do is unrig this system and get it back to a level of 
confidence that the equity markets are fair.
    Mr. Clayton. I can tell you that I know the people at the 
Commission and I look at those people when we make decisions. 
You know, people make fun of it or do not make fun of it, Mr. 
and Mrs. 401(k). That is how I look at what I am doing. And 
that is in the markets, I mean, I know that what they want to 
know is that we are--we have their back, that we are policing 
the large public companies, that we are looking at what the 
executive is doing, that if they are taking unfair advantage of 
information in that 4-day window that Senator Heller mentioned, 
that that is not appropriate and we are going to do something 
about it.
    As far as retail folks go, I am also really worried about 
the amount of retail fraud. I will tell you that the amount of 
retail fraud I see every day in terms of the enforcement 
actions that we see disgusts me, and we just--you know, it has 
been in the works for some time. We just implemented a new 
retail fraud unit because, like you, I believe that if the Main 
Street investor does not think we have their back, we are not 
doing our job.
    Senator Heitkamp. Well, I think----
    Mr. Clayton. That is how I feel.
    Senator Heitkamp. It is not if the Main Street investor 
thinks that you do not have--they do not really believe you 
have their back.
    Mr. Clayton. Well, I want to----
    Senator Heitkamp. There has just been too much history 
here. And to act boldly and to act directly is absolutely what 
is essential to bring back that confidence. And if it is all 
behind the curtain, pay no attention, we are studying it, we 
are studying it, people go, yeah, they will study it until the 
next time it happens. Then they will study it again. And we are 
never protected because we do not have access to that 
information, and we lose money, because when that becomes--when 
the public knows, guess what happens? That stock tanks, and I 
take the loss while the executives walk away with the big 
payoff.
    It just is not a formula for success, and I honestly 
believe people trust the regulators at Las Vegas to make sure 
that that slot machine is fair more than they trust you to make 
sure that when they buy an equity on your markets that they are 
treated appropriately.
    Mr. Clayton. If that is the case, I want to change it.
    Senator Heitkamp. Well, I think you need to really focus, 
because I believe it is the case.
    Mr. Clayton. OK.
    Chairman Crapo. Thank you.
    Senator Cotton.
    Senator Cotton. Thank you, Mr. Chairman. And, Mr. Chairman, 
welcome to the Committee.
    Mr. Clayton. Thank you.
    Senator Cotton. I want to focus on some of the challenges 
that overregulation is putting on smaller businesses and 
smaller investors. You may be aware of a small business in 
Arkansas that we call Walmart, somewhat large now. There was a 
time, though, when it was kind of small. It continues to 
provide lots of great jobs for Arkansans, to provide their 
groceries and their kids' toys and their clothes and everything 
else under the sun.
    I have in my hand from 1970 a Walmart IPO document. Pretty 
thin, huh? Twenty-six pages--20 if you exclude the financials. 
It is Walmart's IPO from 1970.
    I have in my hand the Snap IPO document from just last 
year--247 pages, 10 times the size of Walmart's IPO.
    I think this explains one of the reasons why we have so 
many fewer IPOs than we once did, especially for smaller firms. 
I do not think you can attribute it simply to the dot-com boom 
from 20 years ago. After all, other developed countries have 
seen a 50-percent increase in listed companies over the same 
time period, and the types of those IPOs have changed as well. 
Many small-cap IPOs have declined significantly here or gone 
overseas. That means ultimately that small investors, the kind 
of people that invested in Walmart based on this--a document 
that any high school-educated person with a bit of business 
sense could understand and became pretty wealthy on it over the 
years. As Walmart grew and their stock split and they grew and 
their stock split--no longer have access to these kind of 
small-cap growth companies. They go increasingly into the 
private market. They benefit only the most affluent Americans.
    So without saying that private markets are bad, could you 
please give us a list of the steps that you are taking or you 
intend to take that are going to encourage more initial public 
offerings in this country?
    Mr. Clayton. So we have already taken a couple of steps. 
One is to allow more confidential filings, which under the JOBS 
Act has proven to be an encouragement for people to consider 
the public offering process.
    We have reduced the need to file financial statements that 
will not end up being part of the public disclosure package to 
reduce the burden on companies seeking to go public or 
otherwise using the public markets.
    The confidential filing process does extend for a period of 
time, which allows companies to get secondary liquidity, which 
also encourages them to go public. That is another aspect of 
it.
    On the agenda is our review of S-K, the broad disclosure 
package, to try and modernize and enhance it. I want the 
disclosure package to be just as good and provide just as much 
investor protection, but I want it to be more accessible. It 
needs to be more accessible. We cannot have documents that can 
only be read by lawyers.
    Senator Cotton. Do you think anybody reads a document that 
long and makes an investment decision on it besides a lawyer?
    Mr. Clayton. Very few.
    Senator Cotton. Do you think lawyers even read it?
    [Laughter.]
    Mr. Clayton. Lawyers do crazy things.
    Senator Cotton. I know lots of small mom-and-pop investors 
in Arkansas since 1970 have read this document, and they made a 
lot of money off of it, and they provide a lot of jobs and a 
lot of affordable price/quality goods, so I am glad to hear you 
are taking those steps.
    A related story I want to tell and get your response to, 
the president of a small broker-dealer in central Arkansas, 
really not much more than just a family-owned firm, they have 
got six people, said that he would not start that firm today 
given the regulatory burden he faces. One example he gives is 
that Dodd-Frank expanded the Public Company Accounting 
Oversight Board oversight to include annual audits for all 
broker-dealers registered with the SEC, so that means that his 
six-person firm now is held to the exact same auditing 
standards as a company the size of Walmart or Apple or Google 
or anything else. That means his costs have skyrocketed, and he 
does not think the quality of those audits are any better. This 
is just one more example, although in a different space, of the 
cost of overregulation.
    Do you think it would be appropriate to have some kind of 
threshold to exempt these smallest firms from that kind of 
regulation, much as we have different standards for community 
banks? If so, what kind of threshold might you consider?
    Mr. Clayton. Senator, I had a view, and it has been 
affirmed by my time at the Commission, that one-size-fits-all 
does not work in a lot of areas. It probably does not work in 
that area.
    Now, I also do not think that it should be you are either 
in or you are out; you know, you are either in regulation or 
you are out. Once you decide that one size does not fit all, 
the real question becomes: How do we scale it? Where do we put 
those steps? That is how I intend to approach regulation in 
some of these areas.
    Said another way, if we have one-size-fits-all in some of 
these areas, we are only going to get one size.
    Senator Cotton. I agree, and I appreciate that. This looks 
at another area in which I think that just because Walmart 
needs to use a giant accounting firm under existing law out of 
New York or Dallas or Chicago does not mean a six-person 
broker-dealer firm in central Arkansas cannot use a very 
competent, qualified auditing firm from Conway or Searcy or 
Bryant or what have you.
    Thank you.
    Mr. Clayton. Thank you.
    Chairman Crapo. Thank you.
    Senator Donnelly.
    Senator Donnelly. Thank you, Mr. Chairman. Thank you, Mr. 
Chairman.
    I understand the SEC is currently reviewing the proposed 
acquisition of the Chicago Stock Exchange by a Chinese company. 
I do not expect you to comment on the specific transaction, but 
can you please generally describe the review process within the 
SEC?
    Mr. Clayton. Yes, sir. The review process within the SEC is 
actually styled as a rulemaking, and there was 240 days for a 
division of the Commission, subject to delegated authority from 
the Commission, to review the application. That was approved. 
An approval like that provides the Commission with an 
opportunity to review the approval. The Commission took that 
opportunity, and we are reviewing the decision.
    Senator Donnelly. In light of recent high-profile cyber 
breaches, including at Equifax and the SEC, are you at all 
concerned that the ownership and control of an American 
exchange by a foreign entity could expose our markets to new 
risks and vulnerabilities?
    Mr. Clayton. I am not going to comment on the specific 
matter before the Commission at this time. It is a matter that 
I am going to be deciding on, so it would be inappropriate. But 
I am aware of the various issues raised by commentators.
    Senator Donnelly. So I am not asking you specifically in 
regards to this company. I am asking you as an overall policy. 
Does that concern you at all about a foreign entity that could 
possibly expose our markets to new risks and vulnerabilities?
    Mr. Clayton. Senator, absolutely. Not just a foreign owner, 
but state actor intrusions and state actor monitoring of our 
financial markets is an issue that troubles me.
    Senator Donnelly. As the SEC continues reviewing financial 
disclosure requirements under Regulation S-K, I hope you will 
consider whether corporations should disclose country-by-
country employment data. It helps investors determine when 
companies employ American workers and better understand where 
outsourcing and offshoring has occurred.
    Are you willing to consider a country-by-country employment 
disclosure as part of the SEC's broader review?
    Mr. Clayton. I am willing to consider the S-K guidance on--
and the rest of S-K in terms of providing a more accessible 
disclosure package for investors, including in areas of 
employment.
    Senator Donnelly. I want to go back to an area you and I 
have talked about before, actually this spring, and that is, 
stock buybacks. At your confirmation hearing, we discussed my 
concerns with the flurry of stock buybacks at large 
corporations, often conducted mainly with the goal of 
increasing stock prices to impress Wall Street investors. I 
think that short-term thinking has come at the expense of long-
term investments and innovation that would have benefited our 
country. And we have seen it again in recent times where a 
company chose to use some of the funds that were going to be 
used for stock buybacks to actually make an acquisition. And 
their stock was immediately hammered in large measure because 
it was not going to be the buyback. It was actually just trying 
to add to the business. And if you look long term, that does 
not make sense.
    But former Chair White publicly stated last year the SEC 
was looking into when and how often companies should tell 
investors about share repurchase programs. She was presumably 
referring to the SEC's concept release to solicit the public's 
views on financial disclosure requirements and Regulation S-K. 
Currently, stock repurchases are reported quarterly. Do you 
think companies should be required to disclose stock buybacks 
more frequently than once every quarter?
    Mr. Clayton. I am not going to comment specifically on 
something that, you know, we are reviewing. I am concerned, as 
you and I have discussed, I am concerned about this issue and 
any abuse of stock buybacks. I recognize they have a lot of 
value in certain circumstances. They are a way to return 
capital--many well-functioning companies see it as an efficient 
way to return capital to shareholders. Many investors engage 
with companies and, you know, we want investor engagement with 
companies, engage with companies and push for stock buybacks.
    Now, you know, we can determine whether their motives are--
we cannot determine in the abstract whether their motives are 
pure or long term or short term, but there are a lot of 
considerations that go into this. But as you and I have 
discussed, one thing that does trouble me is if these stock 
buybacks are motivated not by the long-term interest of the 
company but some short-term interest. And I am looking at 
disclosure in this area in that light.
    Senator Donnelly. And I will finish by saying if you take a 
look at what is going on with hedge funds and others, I think 
you will find that much of their efforts regarding stock 
buybacks have nothing to do with company development or 
strengthening but simply taking as much out as quickly as 
possible.
    Thank you, Mr. Chairman.
    Chairman Crapo. Thank you.
    Senator Reed.
    Senator Reed. Thank you very much, Mr. Chairman. And thank 
you, Chairman Clayton, for joining us today.
    In general, do you think investors understand the 
cybersecurity risk that the companies face that they invest in? 
And put another way, can companies do a better job, should they 
do a better job disclosing the risk in their disclosure 
documents?
    Mr. Clayton. No, I do not think the general level of 
understanding in the market is where I would like it to be, and 
I do not think the disclosure is where it should be.
    Senator Reed. And through your regulatory authority at the 
SEC, you could shape that disclosure. Are you working on that?
    Mr. Clayton. I am.
    Senator Reed. Thank you.
    There is also a kind of theory I have that, having watched 
the agency over several decades in this cybersecurity world it 
is expensive to stay ahead with technology software, and as a 
result, when Dodd-Frank was being written, I put in language 
that allows the SEC to deposit up to $50 million a year in a 
reserve fund for cybersecurity and other tools.
    First, are you funding this? Are you accessing this source 
from registration fees?
    Mr. Clayton. The $50 million? We want and need the $50 
million for IT.
    Senator Reed. And you physically are taking it and 
depositing it?
    Mr. Clayton. We are using it.
    Senator Reed. OK.
    Mr. Clayton. It is part of our budget going forward.
    Senator Reed. And there was in our legislative process a 
$100 million limit put on the fund. So you are prepared to go 
up to $100 million?
    Mr. Clayton. Let me say this, Senator: I think we need to 
spend more money. When I got to the Commission, I made some 
assessments. We went with a flat budget for the next fiscal 
year. I will not be asking for a flat budget for fiscal year 
2019. We are going to need more money in the area of 
cybersecurity and IT generally, and I intend to ask for it.
    Senator Reed. Well, I appreciate that because, again, money 
is not the solution to every problem, but it is usually part of 
every solution. So you have got to have it. You have a 
mechanism with this reserve fund to take it right from the 
registration fees. It does not have to go through OMB or 
anyplace else. And there is a $100 million limit. At that point 
you cannot take any more. So I would urge you to aggressively 
do that.
    The other thing I would urge you to do is to resist any 
attempts to take away this fund because the Administration has 
proposed in 2018 that the fund be eliminated, that your ability 
to access these monies be gone. I think given the current 
situation with cybersecurity, you have to have the money, and I 
hope you agree.
    Mr. Clayton. Senator, I agree that the purpose of the fund 
including to be able to make longer-term commitments than year 
on year to cybersecurity is a very good idea.
    Senator Reed. Thank you.
    Let me just quickly go back to the point that Senator 
Donnelly was making about stock repurchases. You make a very 
thoughtful point about stepping back and looking at it in terms 
of the long run benefits to shareholders and to the investing 
public, not the quick in and out. And, you know, you went back 
and forth about using money for a stock buyback rather than 
purchases.
    I have heard of instances where companies were actually 
conducting stock repurchases while their pension plans were 
underfunded. Are you aware of any situations?
    Mr. Clayton. I am not aware of any specific situation.
    Senator Reed. Would that be something that you would want 
to look at in terms of the propriety of doing a stock 
repurchase when, you know, a commitment that has been made to 
employees is not fulfilled?
    Mr. Clayton. It is a very interesting question. I want to 
be responsive. I have not thought about that particular 
question. I would say, though, if what you were doing--what 
somebody is doing from a governance perspective--this may be a 
broader issue, but if what somebody is doing from a governance 
perspective is putting a funding obligation at jeopardy by 
buying back equity, you know, that is a serious consideration 
for a board of directors.
    Senator Reed. Would you have authority to stop the 
practice, either by rule or----
    Mr. Clayton. I am not sure, Senator. I would need to look 
into that.
    Senator Reed. You know, Mr. Chairman, I think these are 
issues that deserve close review and study. I do not think 
there is--at this point jumping to a conclusion is not the way 
to approach it. But I think these are the types of issues that 
you should be considering because, again, I think we are both 
committed to the long-term profitability and effectiveness of 
these companies, not the short-run in and out. So thank you, 
Mr. Chairman.
    Mr. Clayton. Thank you.
    Chairman Crapo. Senator Cortez Masto.
    Senator Cortez Masto. Thank you, Mr. Chair. Chairman 
Clayton, good to see you again.
    Mr. Clayton. Good to see you.
    Senator Cortez Masto. Excuse me, I did not get to hear your 
opening. I am juggling two committees at the same time. But 
with your indulgence, I want to kind of follow up on the 
previous hearing that we had and your confirmation hearing and 
just follow up on some of the questions we had and just see 
where you are today with those.
    Beginning in 2009, as we were dealing with the peak of the 
foreclosure crisis, the SEC Chair at the time expanded the 
authority to issue investigative subpoenas to about a dozen or 
so senior officials in your Enforcement Division. Before that 
time, Commissioners themselves had to vote on each and every 
subpoena, and it slowed the enforcement down to a crawl.
    Before your tenure, Acting Chairman Piwowar initiated a 
review of whether the SEC should revert to the prior burdensome 
process for issuing subpoenas. When I asked you about this at 
your confirmation hearing, you said you needed to discuss this 
with other Commissioners and SEC staff before commenting. Now 
that you have been there 4 months, have you made a decision?
    Mr. Clayton. I have. I have.
    Senator Cortez Masto. And what is the decision?
    Mr. Clayton. There was a time, as you noted, that formal 
order authority rested with the Commissioners and the 
Commissioners had to vote on it. That was transitioned to the 
Director of the Division of Enforcement for efficiency reasons, 
as you cite. Later on, it was put out to the regional offices, 
and they had the ability to have formal order authority to open 
an investigation.
    It was pulled back to now the co-Directors of the Division 
of Enforcement, Stephanie Avakian and Steve Peikin. I have sat 
with them and discussed this with them, with an eye toward 
whether there was any kind of slowing down in the ability to 
open matters. They are totally comfortable that there is not. 
One or both of them are available. I have probed on this, 
whether there was any urgency, whether funds would be leaving 
the country or other reasons for having formal order authority 
out at the regional offices. I am comfortable that there is not 
one, and I am comfortable that there is a benefit having that 
authority resting with the two of them.
    Senator Cortez Masto. And their staff.
    Mr. Clayton. Well, their staff supports them, but----
    Senator Cortez Masto. Right.
    Mr. Clayton. They, of course, get the information. Having 
it with them enables them to more efficiently manage the 
Enforcement Division across the offices and makes sure that we 
do not have, for example, somebody in San Francisco opening a 
case in Miami.
    Senator Cortez Masto. So it has reverted back. So you have 
pulled it back essentially.
    Mr. Clayton. No, we are not fully back. We are not back at 
the Commission. We are at the Division of Enforcement level, 
and I am very comfortable that that is where it belongs.
    Senator Cortez Masto. Right, and so that is essentially 
staff that has that authority.
    Mr. Clayton. Staff has the authority.
    Senator Cortez Masto. Right, so it is still--you pulled it 
back a little bit, but still gave the staff the authority, so 
it is not back at Commission level.
    Mr. Clayton. Correct, and I am very comfortable that they 
are doing a good job.
    Senator Cortez Masto. OK. I appreciate that.
    And then in our private meeting in the office and at your 
confirmation hearing, you stated your belief that individual 
accountability has a greater deterrent effect across the market 
and one tool to hold individuals accountable is the so-called 
Yates memo that was put out by the previous Administration, 
that my understanding current Attorney General Sessions and 
Deputy Attorney General Rosenstein are looking at right now. 
They are looking at rescinding it or weakening its directives 
to prosecutors.
    In your view, is this memo consistent with what you have 
told me in this Committee and you have emphasized in your 
speeches about the need to hold individual corporate executives 
responsible for corporate misconduct?
    Mr. Clayton. Senator, that is my view, that individual 
accountability, particularly in a corporate context, has a 
greater deterrent effect than simply corporate accountability.
    Senator Cortez Masto. And so have you thought about what 
you would do if DOJ, who is your partner in prosecution, 
rescinds the Yates memo? How would you handle that?
    Mr. Clayton. We coordinate with DOJ in these matters, but I 
do not think that--let me--I am comfortable that the way our 
Division of Enforcement is now approaching these matters and 
looking at individual accountability is correct, and that that 
is going to continue.
    Senator Cortez Masto. OK. So that is still your emphasis 
and concern?
    Mr. Clayton. Yes.
    Senator Cortez Masto. OK. Thank you.
    As a lawyer in private practice, you criticized aggressive 
enforcement of the Foreign Corrupt Practices Act for placing 
significant costs on U.S. companies, and President Trump 
himself criticized the FCPA when he was a businessman, 
basically saying it created competitive disadvantage for U.S. 
companies when they are not able to bribe foreign governments.
    Mr. Clayton. That is actually not what I said.
    Senator Cortez Masto. That is what President Trump said.
    Mr. Clayton. OK.
    Senator Cortez Masto. When he was a businessman. This world 
view now appears to be permeating law enforcement. One analysis 
found that as of September 1st, the Trump administration has 
brought only three of these enforcement actions, and the two 
from the SEC, each had roots in Obama administration 
investigations. And what is curious is at this point in time 
during the same time during the Obama administration, 25 cases 
had been filed, and 17 by the Bush administration. Can you tell 
me, is the SEC slowing down Foreign Corrupt Practices Act 
investigations and prosecutions? Or can you explain these 
numbers to me, why they are so low?
    Mr. Clayton. No, we are not slowing them down. And I want 
to go back to the 2011 article that I participated in writing. 
What I was saying was we need to think about whether we are 
doing this alone around the world and getting our partners in 
other countries on board, and our partners in other countries 
have come on board, and--not everywhere, but in some places, 
and that actually makes it easier to pursue this type of 
behavior and actually have an effect in doing so.
    Senator Cortez Masto. So what you are saying is our 
partners in other countries now have had an epiphany and they 
are all cooperating and following the law?
    Mr. Clayton. Not in every country, but the prosecutors in 
similar securities authorities in other countries have upped 
their game substantially.
    Senator Cortez Masto. OK. I notice my time is up. Thank you 
very much.
    Senator Shelby. [Presiding.] Senator Sasse.
    Senator Sasse. Chair Clayton, thank you for being here. I 
would like to discuss the history of cybersecurity breaches at 
the SEC. Can you tell me how many cybersecurity breaches there 
have been historically at the Commission?
    Mr. Clayton. I do not have that data with me today, 
Senator.
    Senator Sasse. And who----
    Mr. Clayton. And defining what a breach is is----
    Senator Sasse. Who would know? Who in your organization 
reports to you that has responsibility for this?
    Mr. Clayton. The Office of Information Technology is the 
office within the SEC that has overall responsibility. Since 
getting to the Commission, I have been reviewing how we handle 
these matters from an oversight perspective, including 
establishing a cybersecurity working group to get at these 
issues, including how we share information about breaches, 
attempted intrusions, risks across the Commission. As I 
testified earlier, these are areas that we need to bring focus 
to.
    Senator Sasse. And who heads that office? And how senior 
are they? Are they a direct report to you, or who do they 
report through?
    Mr. Clayton. The head of the Office of Information 
Technology is Pam Dyson, and she is a direct report to me and 
also to our Office of the Chief Operating Officer.
    Senator Sasse. And how many direct reports do you have?
    Mr. Clayton. Precise number? It is between 20 and 25.
    Senator Sasse. Got you. Is this the first breach at the SEC 
that you think could have facilitated the trading of inside 
information?
    Mr. Clayton. Senator, I cannot tell you with 100 percent 
certainty that this is the only breach that we have had. I am 
not in a position to tell you that.
    Senator Sasse. OK. The SEC statement has argued that, ``The 
intrusion did not result in the unauthorized access to 
personally identifiable information, did not jeopardize the 
operations of the Commission, or result in systemic risk.'' Do 
you think there has been any breach at the SEC that compromised 
personally identifiable information in the past?
    Mr. Clayton. So based on what we know now about the breach, 
the 2016 breach that I disclosed, we do not think there was 
personally identifiable information given the file type or 
where it houses, you know, a systemic risk. So I want to make 
that clear. That is based on what we know today. An 
investigation is ongoing.
    In terms of whether there has been a breach at the SEC 
where personally identifiable information was accessed, to my 
knowledge today, I do not know of any. But I cannot--in this 
area, I cannot give you a 100 percent certainty that that has 
not happened.
    Senator Sasse. OK. I want to ask a parallel question. So in 
this case, we do not think there was personally identifiable 
information, and you do not think that there ever has been 
historically. In this case, the SEC has a statement that says 
it did not jeopardize operations of the Commission. 
Historically, do we know of any breaches that have ever 
jeopardized operations at the SEC?
    Mr. Clayton. I know of no historic breaches that have 
jeopardized operations, but it is an area that is of concern to 
me. We do provide services that are essential to the 
functioning of the marketplace.
    Senator Sasse. Agreed.
    Mr. Clayton. And a denial-of-service attack at the SEC in 
one of those areas would have material effects across our 
market system.
    Senator Sasse. I share your concern, and I believe you to 
be greatly concerned about this. I was presiding over the 
Senate the last hour and a bit, so I did not get to hear the 
beginning of your testimony, and I know you have covered some 
of this information. Instead of trying to have you sort of 
repeat parts of it and pieces of it that may need to consult 
with Ms. Dyson and whatever other consultants you have on the 
project, I will send you an extensive list of QFRs, if that is 
OK. And so instead of staying here--but could I get your 
commitment that we will get a quick response to that list? And 
I want to acknowledge in advance that a lot of it is technical 
and long, but we would love--I think this Committee and the 
Senate would love to partner with you in trying to upgrade our 
cybersecurity. You do oversee critical functions of the 
Government and public trust in financial markets, and I think 
that we probably need more urgency on this, and I think this 
branch would love to partner with your branch. But we will send 
you a long list, but I would like your commitment that we will 
get a quick response, please.
    Mr. Clayton. I think it is entirely appropriate, and you 
have my commitment.
    Senator Sasse. Thank you, sir.
    Senator Sasse. Thank you, Chairman.
    Senator Shelby. Senator Brown.
    Senator Brown. Thank you, Mr. Chairman. I am not asking for 
a second round, just one question to wrap up, and thank you for 
your indulgence.
    In a recent speech, SEC Commissioner Piwowar suggested that 
companies that go public should be permitted to require that 
shareholders resolve claims in arbitration and not in the 
courts. That would be what we call ``forced arbitration.'' As 
you know, Mr. Chairman, this is contrary to corporate 
governance best practice and contrary to the SEC's stated views 
on this issue.
    My question is: Will you continue to support SEC practice 
that preserves shareholders' rights to go to court and to 
reject mandatory arbitration requirements for companies going 
public?
    Mr. Clayton. Senator, I am not going to prejudge that 
issue, but I do understand that this is also a State law issue, 
and in many States you are not permitted to have mandatory 
arbitration. But I am not going to categorically say that, you 
know, you would never have a situation where something other 
than accessing State law remedies for a particular or several 
particular items is off the table. But I am very cognizant--I 
am very cognizant--that the ability to go to court is something 
that is of great value to shareholders.
    Senator Brown. And it is the SEC's view on this issue 
today, as you know.
    Mr. Clayton. I do not think the SEC has articulated a 
definitive view on this issue.
    Senator Brown, we have done so in the context of particular 
requests in the past. There have been requests in the past, and 
there is a long history there that I am happy to discuss with 
your staff, but I do not think the SEC has articulated a firm 
view on this issue in the past.
    Senator Shelby. Mr. Chairman, I was told by the staff that 
the questions for the record that will be propounded to you are 
due next Tuesday. I know that is not long, but you are a pretty 
diligent man. You will get it in.
    Thank you for your appearance before the Committee today, 
and we wish you well in your job. Thank you.
    Mr. Clayton. Thank you, Senator Shelby.
    Senator Shelby. The hearing is adjourned.
    [Whereupon, at 11:55 a.m., the hearing was adjourned.]
    [Prepared statements, responses to written questions, and 
additional material supplied for the record follow:]
                   PREPARED STATEMENT OF JAY CLAYTON
              Chairman, Securities and Exchange Commission
                           September 26, 2017
    Chairman Crapo, Ranking Member Brown, distinguished senators of the 
Committee, thank you for the opportunity to testify before you today 
about the work of the U.S. Securities and Exchange Commission (SEC or 
Commission).\1\
---------------------------------------------------------------------------
    \1\ The views expressed in this testimony are those of the Chairman 
of the Securities and Exchange Commission and do not necessarily 
represent the views of the President, the full Commission, or any 
Commissioner.
---------------------------------------------------------------------------
    It is an honor to testify before this Committee for the first time 
since my confirmation. Since joining the SEC, my experience has 
strongly reinforced my view that our talented and committed staff is 
fundamental to the agency's effectiveness. The SEC's mission to protect 
investors, maintain fair, orderly and efficient markets and facilitate 
capital formation is deeply engrained throughout our offices and 
divisions. I also want to thank Commissioners Stein and Piwowar for 
their valuable counsel and guidance to me as well as for their 
unwavering commitment to the Commission.
    With a workforce of about 4,600 staff in Washington and across our 
11 regional offices, the SEC oversees, among other things (1) 
approximately $72 trillion in securities trading annually on U.S. 
equity markets; (2) the disclosures of over 8,100 public companies, of 
which 4,300 are exchange listed; and (3) the activities of over 26,000 
registered entities, including investment advisers, broker-dealers, 
transfer agents, securities exchanges, clearing agencies, mutual funds, 
exchange traded funds, the Financial Industry Regulatory Authority 
(FINRA) and the Municipal Securities Rulemaking Board (MSRB), among 
others. We also engage and interact with the investing public on a 
daily basis through a number of activities ranging from our investor 
education programs to alerts on our SEC.gov portal. Additionally, on a 
typical day, investors and other market participants view disclosure 
documents filed on our EDGAR system more than 50 million times.
    In a July speech, I outlined the principles that should chart the 
course for the SEC moving forward. The principles reflect my 
interactions with the men and women of the Commission staff.
    These guiding principles are as follows:

  1)  The SEC's tripartite mission is its touchstone;

  2)  Our analysis starts and ends with the long-term interests of the 
        Main Street investor;

  3)  The SEC's historic approach to regulation is sound;

  4)  Regulatory actions drive change, and change can have lasting 
        effects;

  5)  As markets evolve, so must the SEC;

  6)  Effective rulemaking does not end with rule adoption;

  7)  The costs of a rule now often include the cost of demonstrating 
        compliance; and

  8)  Coordination is key.\2\
---------------------------------------------------------------------------
    \2\ Remarks at the Economic Club of New York (July 12, 2017), 
available at https://www.sec.gov/news/speech/remarks-economic-club-new-york.
---------------------------------------------------------------------------

    While I will not go into great detail on all of the principles 
here, I would like to highlight the second principle, which is 
particularly important to me--that our analysis starts and ends with 
the long-term interests of the Main Street investor; or as I call them, 
``Mr. and Ms. 401(k).'' At a time when greater responsibility is 
shifting to Main Street investors to save for their own retirement, I 
am confident that this is the correct metric for our analysis of 
success in meeting our tripartite mission. If Mr. and Ms. 401(k) are 
able to invest in a better future, then the SEC is serving them and our 
markets well.
Cybersecurity
    Cybersecurity is an area that is vitally important to the SEC, our 
markets and me personally. The prominence of this issue and the 
heightened focus the agency has on it is the result of various factors, 
including (1) the increased use of and dependence on data and 
electronic communications, (2) the greater complexity of technologies 
present in the financial marketplace and (3) the continually evolving 
threats from a variety of sources. Cybersecurity touches the daily 
lives of virtually all Americans, whether it is our accounts with 
financial services firms, the companies we invest in or the markets 
through which we trade.
    Last week, I issued a press release and statement that (1) 
discussed the Commission's cyber risk profile, (2) reviewed our 
approach to oversight and enforcement and (3) disclosed a 2016 
intrusion that I recently discovered may have led to illicit 
trading.\3\ The statement 
was part of an ongoing assessment of the SEC's cybersecurity risk 
profile and preparedness that I initiated upon joining the Commission 
in May. The initiative has various components, including the formation 
of a senior-level cybersecurity working group to coordinate information 
sharing, risk and threat monitoring, incident response and other cross-
divisional and interagency efforts and an assessment of reporting and 
escalation procedures.
---------------------------------------------------------------------------
    \3\ Statement on Cybersecurity (Sept. 20, 2017), available at 
https://www.sec.gov/news/public-statement/statement-clayton-2017-09-20.
---------------------------------------------------------------------------
    I will now discuss the 2016 intrusion. In August 2017, in 
connection with an ongoing investigation by our Division of 
Enforcement, I was notified of a possible intrusion into our EDGAR 
system. In response to this information, I immediately commenced an 
internal review. Through this review and the ongoing 
enforcement investigation, I was informed that the 2016 intrusion into 
the test filing component of our EDGAR system provided access to 
nonpublic EDGAR filing information and may have provided a basis for 
illicit gain through trading.
    We believe the 2016 intrusion involved the exploitation of a defect 
in custom software in the EDGAR system. When it was originally 
discovered, the SEC Office of Information Technology (OIT) staff took 
steps to remediate the defect in custom software code and reported the 
incident to the Department of Homeland Security's United States 
Computer Emergency Readiness Team (US-CERT). Based on the investigation 
to date, OIT staff believes that the prior remediation effort was 
successful. We also believe that the intrusion did not result in 
unauthorized access to personally identifiable information, jeopardize 
the operations of the Commission or result in systemic risk. Our review 
and investigation of these matters, however, as well as the extent and 
impact of the intrusion and related illicit activity, is ongoing and 
may take substantial time to complete.
    Our review and investigation of this matter consists of two related 
components. The first component has been focused on the 2016 intrusion 
itself, including efforts to determine its scope and whether there were 
or are any related vulnerabilities in our EDGAR system. Importantly, in 
conducting this review and related forensic analysis, it has been a 
priority and a constraint to maintain the security and operational 
capabilities of EDGAR, which is a critical component of our disclosure-
based market system and accepts filings virtually continuously during 
the week.
    Various agency personnel, including members of the Enforcement 
Division, the Office of General Counsel and the Office of the Inspector 
General (OIG) have been involved in this effort. In addition, I have 
formally requested that the OIG begin a review into what led to the 
intrusion, the scope of nonpublic information compromised and our 
efforts in response. I have also asked the OIG to provide 
recommendations for how the SEC should remediate any related system or 
control deficiencies. We also are pursuing and considering other 
measures that may enhance our investigative, remediation and prevention 
efforts.
    The second component of our review and investigation consists of 
our investigation into trading potentially related to the intrusion. 
This investigation is being conducted by our Division of Enforcement 
and is ongoing.
    There are limits on what I know and can discuss about the 2016 
incident due to the status (ongoing and incomplete) and nature 
(enforcement) of these reviews and investigations. Nevertheless, I 
directed the issuance of the press release and statement this past 
Wednesday. I made this disclosure because I believed that, once I knew 
enough to understand that the 2016 intrusion provided access to 
nonpublic EDGAR test filings and that this may have resulted in the 
misuse of nonpublic information for illicit gain, it was important to 
disclose the incident and our cyber risk profile more generally to the 
American public and Congress.\4\
---------------------------------------------------------------------------
    \4\ Press Release 2017-170, SEC Chairman Clayton Issues Statement 
on Cybersecurity: Discloses the Commission's Cyber Risk Profile, 
Discusses Intrusions at the Commission, and Reviews the Commission's 
Approach to Oversight and Enforcement (Sept. 20, 2017), available at 
https://www.sec.gov/news/press-release/2017-170.
---------------------------------------------------------------------------
    Looking forward, I have authorized the immediate hiring of 
additional staff to aid in our efforts to protect the security of the 
agency's network, systems and data. I also directed the staff to 
enhance our escalation protocols for cybersecurity incidents in order 
to enable greater agency-wide visibility and understanding of potential 
cyber vulnerabilities and attacks. This matter involving our EDGAR 
system concerns me deeply.
    I recognize that I am not the only one who is deeply concerned. 
Rightfully, it will cause this Committee and others to increase their 
focus on whether the Commission's approach to cybersecurity 
appropriately addresses our cyber risk profile. This is all the more 
reason it was appropriate to 
disclose the 2016 intrusion now even though our review and 
investigation are ongoing. We must remain on top of evolving threats 
when it comes to securing our own networks and systems against 
intrusion. This is especially true when protecting systems dealing with 
sensitive market and other data involving personally identifiable 
information. This means regularly evaluating progress, pursuing 
improvements and making it a priority to invest sufficient resources so 
our systems keep up with the fast-changing threat environment.
    Other initiatives resulting from the general cybersecurity review 
we initiated in May are ongoing or will commence shortly. These include 
internal and inter-agency incident response exercises and continued 
interaction on cybersecurity efforts with other Government agencies and 
committees, including the Department of Homeland Security, the 
Government Accountability Office and the Financial and Banking 
Information Infrastructure Committee.
    Despite the attention given to widely publicized cyber-related 
incidents experienced by the Commission and others, I still am not 
confident that the Main Street investor has received a sufficient 
package of information from issuers, intermediaries and other market 
participants to understand the substantial risks resulting from 
cybersecurity and related issues. As a general matter, it is critical 
that investors be informed about the threats that issuers and other 
market participants face.
    To be sure, we are continuing to examine whether public companies 
are taking appropriate action to inform investors, including after a 
breach has occurred, and we will investigate issuers that mislead 
investors about material cybersecurity risks or data breaches. As is 
noted in my July speech and on various other occasions, I would like to 
see more and better disclosure in this area.
    Cybersecurity must be more than a firm-by-firm or agency-by-agency 
effort. Active and open communication between and among regulators and 
the private sector also is critical to ensuring the Nation's financial 
system is robust and effectively protected. Information sharing and 
coordination are essential for regulators to anticipate potential cyber 
threats and respond to a major cyberattack, should one arise. The SEC 
is therefore working closely with fellow financial regulators to 
improve our ability to receive critical information and alerts, react 
to cyber threats and harmonize regulatory approaches.
    Overall, by promoting effective cybersecurity practices in 
connection with both the Commission's internal operations and its 
external regulatory oversight efforts, it is our objective to 
contribute substantively to a financial market system that recognizes 
and addresses cybersecurity risks and, in circumstances in which these 
risks materialize, exhibits strong mitigation and resiliency.
Regulatory Agenda
    We have been hard at work developing our regulatory agenda, 
consistent with the eight principles outlined above. As you know, we 
have a number of statutorily mandated items that we need to address, 
and we are considering how to advance those while also pursuing other 
initiatives that are central to the fulfillment of our statutory 
mission. Mandated rulemakings include those required by both the Fixing 
America's Surface Transportation (FAST) Act and the Dodd-Frank Wall 
Street Reform and Consumer Protection Act. In the coming weeks and 
months, I expect the SEC's near-term rulemaking objectives to be fully 
reflected in our upcoming Regulatory Flexibility Act Agenda. As a 
general matter, I believe it is important that these publicly available 
agendas provide the necessary transparency and accountability for 
agency matters. If these plans are to meet their intended purpose, they 
must be streamlined to inform Congress, investors, issuers and other 
interested parties about what the SEC actually intends--and 
realistically expects--to accomplish over the coming year.
    Putting together a rulemaking agenda has not slowed work to fulfill 
the SEC's mission. As you know, Commissioners Michael Piwowar and Kara 
Stein advanced a number of important matters before I came on board, 
including moving to a two-business-day standard settlement cycle--or 
T+2.
    I would like to now highlight several of the SEC's accomplishments 
since I joined my fellow Commissioners and the women and men of the SEC 
in May.
Facilitating Capital Formation
    The U.S. capital markets have long been the deepest, most dynamic 
and most liquid in the world. They provide businesses with the 
opportunity to grow, create jobs and furnish diverse investment 
opportunities for investors, including retail investors, pension funds 
and other retirement accounts. Our markets also have long
provided the United States economy with a competitive advantage and 
American Main Street investors with better investment opportunities 
than comparable investors in other jurisdictions. We should be striving 
to maintain and enhance these complementary positions, including being 
mindful of emerging trends and related risks.
    In this regard, I continue to be troubled by the negative trend in 
the number of public companies--fewer companies are choosing to go 
public in their growth phase or at all and, consequently and 
significantly, there are fewer investment opportunities for Main Street 
investors. It is clear to me that our public capital markets are 
relatively less attractive to growing businesses than in the past. 
Based on my review and discussions with Commission staff and others, 
the reporting, compliance and oversight dynamic between private and 
public markets appears out of sync. Costs--ranging from direct 
compliance costs to the consumption of management and employee 
bandwidth--for public companies, particularly smaller and medium-sized 
companies, far outstrip those of comparable private companies. Thus, 
many companies with the choice of going public may be incentivized to 
stay private or stay private longer.
    I view Mr. and Ms. 401(k) as bearing a potentially significant cost 
as a result of the shrinking number of public companies. I expect this 
dynamic, if not addressed, will lead to fewer opportunities for Main 
Street investors to invest directly in high quality companies. To be 
clear, it is not fewer opportunities to invest in IPOs themselves that 
troubles me. But without IPOs of growing companies, we have a shrinking 
and generally more mature portfolio of public companies. This is a 
significant concern. A shrinking proportion of public companies, 
particularly smaller and medium-sized companies, has costs beyond 
investment choices, including that there will be less publicly 
available information about the operations and performance of companies 
that are important to our economy.
    I believe a key to restoring vibrancy in our public markets is a 
recognition that a one size regulatory structure does not fit all. 
Fortunately, this is not just a theory--through Congress's enactment 
of, and the SEC's work on, the Jumpstart Our Business Startups (JOBS) 
Act, there is an ecosystem displaying that a scaled disclosure and 
regulatory system provides incentives for companies to conduct public 
offerings while maintaining the world's most robust investor 
protections. To be clear, this does not mean that we would sacrifice or 
limit the core principles of our public disclosure regime and other 
essential investor protections for the sake of accelerating public 
issuances. It is clear to me that companies that go through the U.S. 
IPO process emerge as better companies, with better disclosure. We want 
to encourage and preserve that dynamic. Overall, the SEC will strive 
for efficiency in our processes to encourage more companies to consider 
going public, which will result in more choices for investors, job 
creation and a stronger U.S. economy.
    To this end, the SEC, through the Division of Corporation Finance 
(Corporation Finance), is undertaking efforts to promote capital 
formation, especially in our public markets. Corporation Finance 
recently announced that it would accept voluntary draft registration 
statement submissions for certain securities offerings, including for 
initial public offerings and offerings within 1 year of an IPO, for 
review by the staff on a nonpublic basis.\5\ This expanded policy 
builds on the confidential submission process established in response 
to the JOBS Act. We believe this approach provides a meaningful benefit 
to companies and investors, and a number of companies have already 
pursued this path.
---------------------------------------------------------------------------
    \5\ Draft Registration Statement Processing Procedures Expanded, 
Division of Corporation Finance Announcement (June 29, 2017) 
[Supplemented August 17, 2017], available at 
https://www.sec.gov/corpfin/announcement/draft-registration-statement-processing-procedures-expanded.
---------------------------------------------------------------------------
    Corporation Finance also issued guidance clarifying that companies 
may omit from draft registration statements interim financial 
information that otherwise will not be required when a company files 
its registration statement.\6\ This guidance should enable a company to 
reduce costs associated with preparing financial information that 
ultimately would not be included in its filing. To be clear, this 
guidance saves costs, but investors continue to benefit from the full 
array of financial information required when a company publicly files 
its registration statement.
---------------------------------------------------------------------------
    \6\ See Securities Act Forms Compliance and Disclosure 
Interpretation 101.04 and 101.05, available at 
https://www.sec.gov/divisions/corpfin/guidance/safinterp.htm.
---------------------------------------------------------------------------
    Corporation Finance is also considering whether there are other 
areas in which interpretive guidance could assist companies without 
reducing investor protections, and whether enhancements can be made to 
staff processes to further benefit companies and investors. 
Additionally, we are taking steps to fill the position of Advocate for 
Small Business Capital Formation (Advocate) and form the Office of the 
Advocate for Small Business Capital Formation (Office) and the Advisory 
Committee on Small Business Capital Formation (Advisory Committee), as 
required by Congress in the SEC Small Business Advocate Act of 2016. 
Among other statutorily mandated functions, the Advocate will identify 
areas in which small businesses and small business investors would 
benefit from changes in Commission regulations or self-regulatory 
organization (SRO) rules. The Advocate also will work to identify 
problems that small businesses have securing access to capital, 
including any unique challenges to minority- and women-owned 
businesses.
    We recently announced the application process for selecting the 
Advocate, which will cast a wide net that will encourage people with 
expertise and interest in facilitating capital formation throughout the 
country to apply. I anticipate that the Commission will select the 
Advocate in the coming months which will allow him or her to continue 
the agency's work through the Office and the Advisory Committee to 
facilitate capital formation for small businesses across the country.
    Much work remains to be done in this area, but I am pleased with 
the staff's efforts to provide additional opportunities for issuers and 
investors alike.
Disclosure Effectiveness
    I expect that the Commission will move forward in the near term on 
a number of additional initiatives aimed at promoting capital 
formation. For example, the Commission will soon consider a rule 
proposal required by the FAST Act to modernize and simplify the 
disclosure requirements in Regulation S-K in a manner that reduces 
costs and burdens on companies while still providing for the disclosure 
of all required material information.
    The staff is also developing recommendations to finalize rule 
amendments that would eliminate redundant, overlapping, outdated or 
superseded disclosure requirements. In addition, the staff is 
developing recommendations for the Commission on final rule amendments 
to the ``smaller reporting company'' definition, which would expand the 
number of issuers eligible to provide scaled disclosures.
    Further, the agency is continuing our initiative to modernize and 
simplify our disclosure requirements generally. We have a number of 
projects underway related to that effort, including, among others:

    (1) Considering changes to the rules in Regulation S-X related to 
requirements for financial statements for entities other than the 
issuer; and

    (2) Updating industry-specific disclosure requirements, such as the 
property disclosure requirements for mining companies and preparing 
recommendations for proposed rules to modernize bank holding company 
disclosures.
CEO Pay Ratio Disclosure
    Corporation Finance also is examining existing disclosure rules, 
with an eye toward easing compliance burdens while maintaining the 
mandated disclosure. To be clear, the SEC is required to implement 
rulemakings mandated by statute in accordance with applicable law, 
including the pay ratio disclosure rule adopted pursuant to Section 
953(b) of the Dodd-Frank Act. This rule was adopted on August 5, 2015, 
and will continue to be implemented on schedule.
    In response to questions about the pay ratio rule, the Commission 
recently approved interpretative guidance to assist companies in their 
compliance efforts.\7\ Specifically, the interpretative guidance 
clarifies the disclosure rules mandated by Congress in a way that is 
true to the mandate and, to the extent practicable, allows companies to 
use operational data and otherwise readily available information to 
produce the disclosures. Additionally, the staff issued guidance which 
includes examples illustrating how reasonable estimates and statistical 
methodologies may be used. The staff will continue to monitor the 
rollout of the rule, in particular for whether unanticipated costs or 
difficulties have arisen.
---------------------------------------------------------------------------
    \7\ Press Release 2017-172, SEC Adopts Interpretative Guidance on 
Pay Ratio Rule (Sept. 21, 2017), available at 
https://www.sec.gov/news/press-release/2017-172.
---------------------------------------------------------------------------
Standards of Conduct for Investment Advisers and Broker-Dealers
    I have made clear in public statements that I am focused on the 
standards of conduct that investment professionals must follow in 
providing advice to Main Street investors. The extensive study of the 
subject to date illustrates the complexity of the issue and the fast-
changing nature of our markets, including the evolving manner in which 
personalized investment advice is provided. Main Street investors 
should have access to high-quality, affordable investment advice and a 
diverse range of investment products without sacrificing the 
protections of the securities laws.
    Since my confirmation, the Department of Labor's (DOL's) fiduciary 
rule has partially taken effect. Staff conversations with investors and 
firms, prior to the DOL's proposed extension, as well as various press 
reports, indicate that broker-dealers are considering, and some have 
started taking, a variety of actions to comply with the DOL Rule, 
including: (1) increasing compliance resources and efforts (e.g.,
disclosure, documentation and training, in particular, with respect to 
costs and rollover recommendations); (2) increasing the use of robo-
advice; and (3) reevaluating and changing the types of products and 
accounts (and related fees) offered to retirement investors, focusing 
particularly on products or accounts that would address the compliance 
requirements driven by the Best Interest Contract Exemption (e.g., 
shifting some or all of their retirement accounts to level-fee advisory 
accounts).
    Further, staff understands mutual fund complexes are considering 
various approaches to accommodate broker-dealers' efforts to level 
compensation across similar types of products in response to the DOL 
Rule. These approaches include, for example: (1) issuing ``clean 
shares'' that do not have any sales loads, charges or other asset-based 
fees for sales or distribution (thus allowing brokers to set their own 
commissions that would be paid directly by investors);\8\ and (2) 
issuing ``T-shares''--or ``transaction shares''--that have uniform 
sales charges across all fund categories.
---------------------------------------------------------------------------
    \8\ Related to this effort, on January 11, 2017, the Division of 
Investment Management issued interpretive guidance to Capital Group 
clarifying that Section 22(d) of the Investment Company Act of 1940 
does not prevent a broker acting in an agency capacity from charging 
its customers a commission for transacting in ``clean shares'' of a 
registered investment company. Capital Group used the term ``clean 
shares'' to refer to a class of fund shares without any front-end load, 
deferred sales charge or other asset-based fee for sales or 
distribution. Capital Group, SEC Staff Letter (Jan. 11, 2017), 
available at 
https://www.sec.gov/divisions/investment/noaction/2017/capital-group-011117-22d.htm.
---------------------------------------------------------------------------
    While the SEC and the DOL have different statutory mandates, 
rulemaking processes and jurisdictions, actions taken by one regarding 
standards of conduct are going to have a significant effect on the 
other's regulated entities and the marketplace. In other words, effects 
of the DOL rule extend well beyond the DOL's jurisdiction, and vice 
versa. It is important that we understand these effects and work 
closely and constructively with DOL to implement appropriate standards 
of conduct for financial professionals who provide advice to retail 
investors. We are engaging expeditiously and constructively with our 
colleagues at the DOL to best serve the interests of investors.
    As for Commission action related to standards of conduct, the SEC 
has been reviewing this area for some time. In recognition of the vast 
changes in the marketplace since the SEC last solicited information 4 
years ago, on June 1, 2017, I issued a statement seeking public input 
on standards of conduct for investment advisers and broker-dealers.\9\ 
In it, I articulated some key principles--clarity, consistency and 
coordination--that I expect to guide our approach. Specifically, our 
standards should be clear and comprehensible to the average investor, 
consistent across retirement and nonretirement assets and coordinated 
with other regulatory entities, including the DOL and State insurance 
regulators.
---------------------------------------------------------------------------
    \9\ Public Comments from Retail Investors and Other Interested 
Parties on Standards of Conduct for Investment Advisers and 
Broker-Dealers (June 1, 2017), available at 
https://www.sec.gov/news/public-statement/statement-chairman-clayton-2017-05-31.
---------------------------------------------------------------------------
    I also hope that my June 2017 statement will shape constructively 
the conversation on this important matter, so that we can properly 
tailor an approach or package of approaches that we believe will best 
address the issues identified. To date, we have received over 150 
comments from investors and the industry, expressing a range of views. 
I also have personally met with various Main Street investor and 
industry groups and have found those conversations beneficial.
    The Commission and its staff have extensive experience regulating 
broker-dealers and investment advisers, and we are reviewing the 
information interested parties have submitted. I look forward to 
continuing to work with my fellow Commissioners and the SEC staff as we 
evaluate our next steps on this important topic.
Equity, Fixed Income and Security-Based Swap Markets
    The SEC has a responsibility to ensure that our securities markets 
provide vibrant, efficient and fair mechanisms for facilitating the 
transfer of capital. In the decade plus since the adoption of 
Regulation NMS, technological advancements and innovations and 
commercial developments have led to significant changes in the way our 
trading markets operate. Generally speaking, our securities markets 
continue to be highly efficient and resilient. That said, it is 
imperative that we continuously examine and reassess our regulatory 
market structure. There are a few specific market structure issues and 
initiatives that I would like to now highlight.
    Several recent Commission rulemaking proposals have been aimed at 
enhancing transparency in the market structure space. In July of last 
year, the Commission proposed amendments to Rule 606 of Regulation NMS 
that would require broker-dealers to disclose standardized information 
on their handling of large orders, both in response to customer 
requests and on a quarterly, aggregated basis. This proposal would also 
enhance existing broker-dealer order routing disclosure requirements 
for smaller orders.
    In November 2015, the Commission proposed amendments to Regulation 
ATS to impose new transparency requirements on alternative trading 
systems (ATSs) that facilitate transactions in NMS stocks. That 
proposal would also greatly increase the Commission's active oversight 
over the design and operation of such ATSs.
    Both of these transparency-focused rulemaking proposals, which the 
Commission released prior to my Chairmanship, have received broad 
support from commenters. I support both initiatives, and I have asked 
the Commission staff to prepare final rulemaking recommendations for 
the Commission's consideration.
    Just as investors look for material information upon which to base 
their investment decisions, the Commission uses data to support and 
enhance our oversight function, including in our analysis of market 
structure, as well as for investigations, examinations and market 
analyses and reconstructions. The SROs also use data in carrying out 
their regulatory responsibilities.
    Currently, trading activity in stocks is tracked through a number 
of systems. No single system tracks the orders that are routed and 
executed across multiple trading venues. As the Committee is aware, 
pursuant to Commission rule and the CAT National Market System (NMS) 
Plan, a Consolidated Audit Trail, or CAT, is currently being developed 
by a CAT plan processor (Thesys) and the securities exchanges and 
FINRA. The CAT is intended to provide these SROs and the Commission 
with consolidated cross-market data that is more complete, accurate, 
accessible and timely than the data currently available to regulators.
    Of paramount concern to the Commission is the protection of 
sensitive CAT data. I appreciate that security issues are particularly 
acute with respect to a data repository that contains comprehensive 
information on trading activity in the securities markets, especially 
in light of recent events. I am therefore focused on issues of data 
security with respect to CAT. I have made this point clear to both 
Thesys and the SROs, and will continue to do so. I expect that the 
roll-out of the various components of CAT data reporting, the first 
phase of which is scheduled to take effect on November 15, 2017 
(wherein the SROs will report data to the central repository), will 
reflect an ongoing assessment of the sensitivity of the data reported 
and related security concerns and protections.
    Among the defenses built into the CAT NMS Plan are requirements for 
the plan processor to develop a comprehensive information security 
program that addresses the security and confidentiality of all 
information within the CAT data repository and associated operational 
risks. And the SROs, which have direct oversight of the plan processor, 
are obligated to monitor the information security program to ensure 
that it is consistent with the highest industry standards for the 
protection of data. For the subset of data that may be extracted from 
the CAT data repository, the SROs and the SEC have independent 
obligations to protect any such data. With respect to the SEC 
specifically, we have committed to review periodically the 
effectiveness of our confidentiality and data use procedures in 
connection with our access to the CAT.
    Other components of the Commission's analysis of market structure 
are two pilot programs--one currently in force, and the other being 
developed by Commission staff. The Tick Size Pilot, which began in 
October 2016, is testing the impact of wider tick sizes on the trading 
of stocks of certain smaller capitalization companies. Preliminary 
analyses of the pilot data indicate that the impact of the wider tick 
sizes on market quality has been mixed. For many covered securities, 
quoted spreads and depth of book have increased, and volatility has 
decreased. At the end of this month, trading center data will become 
publicly available and enable more robust analysis of the pilot data.
    I have also asked the Commission staff to develop a proposal for a 
pilot program that would test how adjustments to the access fee cap 
under Rule 610 of Regulation NMS would affect equities trading. The 
Equity Market Structure Advisory Committee (EMSAC) recommended a pilot 
program of this type. I am supportive of this type of pilot program 
because it should provide the Commission, as well as market 
participants and the public, with more data to assess how transaction-
based fees and rebates affect order routing behavior, execution quality 
and market quality. I expect that the Commission will consider a 
transaction fee pilot proposal of this nature in the near future.
    More generally, I believe that a thoughtful and methodical, 
data-driven approach to market structure will help us fulfill our mission to 
protect investors, maintain fair, orderly and efficient markets and 
facilitate capital formation. Pilot programs such as the ones I just 
described allow us to evaluate whether adjustments to our market 
structure are necessary or appropriate, and if so, how to appropriately 
tailor them. At the same time, I also recognize that pilot programs--
whether in the form of Commission or SRO initiatives--cannot simply 
live on in perpetuity. Once pilots have achieved their purpose in terms 
of providing the Commission and SROs with adequate data for reasoned 
decisionmaking, they should either be wound down or, when appropriate, 
made permanent.
    Overall, as the Commission has evaluated equity market structure, 
the EMSAC has been a valuable and helpful resource to the Commission in 
providing expert advice and recommendations. Specifically, in addition 
to an access fee pilot recommendation, the EMSAC has provided the 
Commission with six thoughtful recommendations relating to NMS plan 
governance, SROs' proposals requiring technology changes, limit-up/
limit-down mechanisms, market wide circuit breakers, the market opening 
and Regulation NMS Rules 605 and 606. The Commission recently extended 
the term for the EMSAC until early 2018, which will enable the EMSAC to 
continue to provide us with input as we consider market structure 
initiatives, including the contemplated transaction fee pilot proposal.
    Separately, as I have stated previously, I believe that the time is 
right for the Commission to broaden its review of market structure to 
include our fixed income markets. The fixed income markets are critical 
to our economy and, increasingly, Main Street investors, yet less 
attention has been paid to their efficiency, transparency and 
effectiveness relative to the equity markets. We are in the process of 
establishing the Fixed Income Market Structure Advisory Committee 
(FIMSAC). We hope to have the first FIMSAC meeting as soon as December 
of this year.
    Finally, with respect to the regulatory regime for swaps and 
security-based swaps, Commodity Futures Trading Commission (CFTC) 
Chairman Christopher Giancarlo and I started talking soon after I 
joined the Commission. At our very first meeting, we discussed ways in 
which we could harmonize our respective rules and regulations. SEC and 
CFTC staff have been meeting to identify initial areas of focus, and it 
is my hope that the continued coordination will result in real 
regulatory efficiencies.
Enforcement
    I am committed to the responsibility of safeguarding our capital 
markets and American investors with energy and purpose and ensuring 
that there is no room for bad actors therein. Through the dedication 
and expertise of our Division of Enforcement (Enforcement) staff and 
its leadership, we are able to root out fraud and shady practices 
effectively and with unwavering purpose. Enforcement is focused on 
protecting all investors--without favor for account size, geography or 
other measures of priority--and that is clear from recent enforcement 
actions targeting pump and dump schemes, insider trading and a boiler 
room on Long Island ripping off seniors' hard earned retirement 
savings. Successful enforcement actions impose meaningful sanctions on 
securities law violators, result in penalties and disgorgement of ill-
gotten gains that can be returned to harmed investors and deter 
wrongdoing.
    While a vigorous enforcement program is at the heart of the 
Commission's work to protect investors and maintain the integrity of 
the securities markets, the SEC's enforcement program also plays an 
important part in ensuring that investors and other market participants 
have access to material information to make informed investment 
decisions. The SEC has brought significant enforcement actions against 
issuers that committed reporting and disclosure violations. 
Comprehensive, accurate and timely financial reporting is the bedrock 
upon which our markets are based and Enforcement remains focused on 
pursuing violations in this area.
    Our actions against parties who engage in insider trading also help 
promote investor confidence. Trading on material, nonpublic information 
undermines the fairness and integrity of the securities markets and 
creates an unlevel playing field. The SEC is committed to taking action 
against those who breach their duties--and subvert our markets--in 
pursuit of personal gain, having charged more than 700 defendants in 
civil insider trading cases since fiscal year 2010.
    Through these efforts to root out financial fraud, insider trading 
and other misconduct in the securities industry, Enforcement serves a 
critical role in helping the Commission fulfill its tripartite mission. 
Moving forward, the SEC will continue to focus resources--including 
data collection and analysis, which has greatly enhanced our ability to 
detect unlawful behavior--on key areas where misconduct harms investors 
and impairs market integrity. In particular, I have asked the Division 
of Enforcement to evaluate regularly whether we are focusing 
appropriately on retail investor fraud and investment professional 
misconduct, insider trading, market manipulation, accounting fraud and 
cyber matters. I believe our Main Street investors would want us to 
focus on these areas.
Examinations
    Another critical tool for the SEC to meet its mission is our 
national examination program, led by our Office of Compliance 
Inspections and Examinations (OCIE). Commission staff conduct risk-
based examinations of registered entities, including broker-dealers, 
investment advisers, investment companies, municipal advisors, national 
securities exchanges, clearing agencies, transfer agents and FINRA, 
among others. Our examination staff work closely with staff members in 
our regulatory divisions to provide input on policy and regulatory 
issues and initiatives and also are in regular communication with 
Enforcement staff to discuss trends and observations and provide 
referrals.
    Our examination program is one of many areas where we have doubled 
down on our focus on doing more with our limited resources. In this 
regard, I note that registered investment advisers now manage more than 
$70 trillion in assets, which is more than triple 2001 levels. In light 
of this trend, in 2016, the SEC reassigned approximately 100 OCIE staff 
to the investment adviser examination unit. As a result of this shift 
and the introduction of various enhancements to OCIE processes, 
advancements in OCIE's use of technology and other efficiencies, the 
SEC is on track to deliver a 30 percent increase in the number of 
investment adviser examinations this fiscal year--to approximately 15 
percent of all investment advisers.\10\
---------------------------------------------------------------------------
    \10\ In fiscal year 2016, OCIE completed nearly 1,450 investment 
adviser exams, more than it had completed in any of the prior seven 
fiscal years and 20 percent more investment adviser exams than it 
completed in fiscal year 2015. In fiscal year 2017, OCIE completed more 
than 2,000 investment adviser exams, a significant increase over fiscal 
year 2016.
---------------------------------------------------------------------------
    While this has been a very positive step, more needs to be done to 
continue to increase investment adviser examination coverage levels, 
while at the same time being careful to avoid decreasing examination 
quality. To that end, the SEC will continue to explore additional 
efficiencies and improvements to our risk-based examination program. 
One way to achieve this is through the continued leveraging of data 
analysis. We have developed tools that scan an array of data fields to 
help us analyze and identify potentially problematic activities and 
firms. This allows us to make better decisions concerning which firms 
to examine and appropriately scope those examinations, among other 
things. I expect that for at least the next several years we will need 
to do more to increase the agency's examination coverage of investment 
advisers in light of continuing changes in the markets.
    In the coming fiscal year, OCIE also plans to increase the number 
of inspections to assess compliance with Commission rules, such as 
Regulation Systems Compliance and Integrity (Regulation SCI), to ensure 
that the cybersecurity infrastructure that is critical to the U.S. 
securities markets is effective.
Agency Operations
    I have devoted a significant portion of my first 4 months as 
Chairman to developing a deeper understanding of the agency's internal 
operations and management. I have come to appreciate more directly what 
I had witnessed from my years in private practice--the knowledge, 
expertise and professionalism of the SEC staff. It has been a top 
priority for me to engage with, and understand the perspectives of, the 
SEC's workforce.
    I am particularly excited to report that the SEC staff's engagement 
and morale are high, thanks in significant part to the leadership and 
efforts of division and office directors, supervisors and staff. 
Setting a new record for the agency this year, nearly 80 percent of the 
eligible workforce shared their views by completing the Office of 
Personnel Management's Federal Employee Viewpoint Survey in May and 
June of 2017.
    This year's survey results showed notable increases in employee 
engagement, overall satisfaction and leader effectiveness indices. 
These are critical indicators for our organization because our diverse 
workforce is our most valuable asset. It is only through the hard work 
of our employees that we are able to accomplish our mission.
    Since 2012, the SEC's rating on the Partnership for Public Service 
``Best Places to Work'' has improved by 20 percentage points, from 56 
percent to 76 percent and last year we were ranked 6th among 27 mid-
sized agencies. In fact, this success has earned us distinction as a 
role model for other Federal agencies. In April 2017, the House 
Oversight and Government Reform Committee invited the SEC's Chief Human 
Capital Officer to testify on the agency's survey results as the ``most 
improved'' mid-sized Federal agency.\11\ We aim to continue building 
upon these 2017 results in the years to come.
---------------------------------------------------------------------------
    \11\ April 6, 2017, testimony on ``The Best and Worst Places to 
Work in the Federal Government'' by Chief Human Capital Officer Lacey 
Dingman before the U.S. House of Representatives Subcommittee on 
Government Operations can be found at 
https://oversight.house.gov/wp-content/uploads/2017/04/Dingman_SEC_Testimony.pdf.
---------------------------------------------------------------------------
Efficiencies and Resource Needs
    I take very seriously the SEC's responsibility to ensure that the 
SEC is a good steward of the funds Congress entrusts to our use, and 
maximizes the value of those funds to the American investor. We are 
engaged in ongoing efforts to find efficiencies in internal operations, 
including through automation, streamlined internal processes and better 
use of data. We will continue to develop and leverage our capabilities 
for risk analysis to inform our decisionmaking, including how most 
efficiently to use staff resources. Given the pace of change in today's 
capital markets, it is more important than ever that agency operations 
be nimble so we can direct resources where they are needed most.
    For example, with congressional approval, the SEC in June 2017 
combined the agency's various EDGAR filer support functions into one 
EDGAR Program Office. As this Committee knows and as discussed above, 
the EDGAR system is central to the agency's mission and critical to the 
functioning of the capital markets. On a typical day, investors and 
other market participants view or download more than 50 million 
disclosure documents filed on EDGAR. This new office also will 
coordinate and rationalize the agency's enhancements and investments 
related to EDGAR, including modifications to conform with changes to 
Commission rules, and will help consolidate the agency's filer support 
functions.
    Other internal improvement initiatives include combining the 
agency's various communications-related functions, crafting proposals 
for Commission consideration to convert paper filings into electronic 
formats and exploring ways to better apply and schedule examination 
staff resources toward significant risks to investors. We will continue 
to explore opportunities for efficiencies and cost savings in the 
months to come.
    The agency's efforts to streamline operations are reflected in the 
SEC's budget requests over the next 2 years. The President's request 
for fiscal year 2018 is for $1.602 billion for SEC operations, which 
holds the SEC budget at essentially the same level it has been in 
fiscal years 2016 and 2017. This request reflects savings and 
efficiencies in progress throughout the SEC, sufficient to offset 
required cost increases, and continues investments in technology, as 
described further below.
    It is important to note that the SEC collects transaction fees that 
offset the annual appropriation to the Commission. Whatever amount 
Congress appropriates to the agency will, by law, be fully offset by 
transaction fees, and will not impact the deficit or the funding 
available for other agencies. The current transaction fee rate is just 
over two cents ($0.02) for every $1,000.00 in covered securities sales.
Fiscal Year 2019 Authorization Request
    For fiscal year 2019, the SEC's authorization request totals 
approximately $1.7 billion for SEC operations. I do not make a request 
for additional funds lightly, especially in a tight budgetary 
environment. But after an evaluation of the SEC's capabilities and 
needs, I believe this request is necessary for the SEC to continue the 
effective pursuit of our tripartite mission.
    This request would allow the agency to lift the hiring freeze 
implemented at the start of fiscal year 2017 and recruit professionals 
with key skills and market expertise such as electronic trading, 
cybersecurity, retail investor fraud, investment adviser oversight and 
market analysis. The agency anticipates a need to hire such individuals 
in key positions to effectively carry out our core mission. 
The request seeks additional funds for development, modernization and 
enhancement of information technology systems, including additional 
investments in protecting the security of the SEC's network and 
systems. These funds, coupled with those from the SEC Reserve Fund, 
would allow the continued implementation of a number of key multi-year 
technology initiatives, discussed further below, which will enhance the 
SEC's ability to collect, analyze and act on large amounts of data.
Leveraging Technology
    Advances in technology have driven significant changes in 
securities markets. Today, companies support human decisionmaking with 
automated algorithms, which ingest massive amounts of unstructured data 
to make trading decisions. Investors are using innovative platforms to 
conduct transactions and research investments. Firms solicit investors 
through sophisticated, multichannel communications.
    In recent years we have seen an extraordinary increase in the 
volume and velocity of data available to the securities industry, 
investors and the SEC. The ever-increasing volume of data demands 
advanced analytics tools and best-in-class infrastructure that is 
dynamic, scalable and secure. Similarly, demand from the public for SEC 
information has never been higher. Last year, SEC.gov received 10.4 
billion page views--double from just 2 years ago--and the public 
downloaded more than 2.6 petabytes of data. The information the SEC 
provides is driving the marketplace, and helping companies attract 
funding, grow and create jobs.
    All of these shifts require the SEC to expand our own technology 
capabilities and increase our efficiency. The SEC's budget requests 
seek the resources needed to stay on top of these critical developments 
and promote our mission in an evolving landscape. The Commission has 
made progress in modernizing our technology systems, with the benefits 
of increasing our use of data analytics, increasing program 
effectiveness and streamlining operations.
    The $234 million that the SEC plans to spend on information 
technology in fiscal year 2018 is quite modest, by way of comparison, 
to the amounts that the major Wall Street firms spend on their own 
information technology systems. For example, in 2016 one large 
financial institution alone spent more than $9.5 billion on technology 
firm-wide, with $3 billion of that dedicated to new initiatives. 
Another large financial institution spent $6.6 billion in 2016 on 
technology initiatives.
    The fiscal year 2018 and fiscal year 2019 budget proposals would 
support a number of key information technology initiatives, such as:

  (1)  Increasing investments in information security to address, as a 
        top priority, the ability to monitor and avoid advanced 
        persistent threats, and to improve risk management and 
        monitoring;

  (2)  Expanding data analytics tools to integrate and analyze the 
        large and ever-increasing volume of financial data we receive, 
        enabling us to detect potential fraud or suspicious behavior 
        earlier and allocate resources more effectively;

  (3)  Improving our examination program through advanced risk 
        assessment and surveillance tools that help identify high-risk 
        areas for further examination;

  (4)  Enhancing additional systems that support our enforcement 
        program, including applying sophisticated algorithms that 
        foster the detection of potential insider trading and 
        manipulation;

  (5)  Streamlining public access to our EDGAR electronic filing 
        system; and

  (6)  Investing further in business processes automation and 
        enhancements, including the retirement of legacy systems, which 
        will drive cost efficiencies and improve security across the 
        agency.
Leasing
    An important component of the SEC's funding needs over the next 2 
years is to support the leasing of office space. The current leases for 
the SEC's headquarters buildings (Station Place I, II and III) will 
expire in fiscal years 2019, 2020 and 2021, respectively. In addition 
to the funds requested to support our operations, the SEC is requesting 
funds in fiscal year 2018 necessary to participate in the General 
Services Administration's (GSA's) competitive procurement process for a 
successor lease for the SEC's headquarters. In accordance with its 
standard process, GSA has requested that the agency set aside the funds 
that might become necessary to cover construction and related costs 
should the SEC need to move from its current building.\12\ None of 
these funds would be used for the operations of the SEC, and the agency 
has proposed appropriation language that provides a mechanism whereby 
any unused portion of these funds would be refunded to fee payers.
---------------------------------------------------------------------------
    \12\ According to GSA's schedule, a new lease would be awarded in 
fiscal year 2018.
---------------------------------------------------------------------------
    Similarly, in fiscal year 2019, funds will be required for the GSA 
procurement of a new lease for the SEC's New York Regional Office, for 
which the current lease is set to expire in 2021. As with the SEC's 
headquarters lease procurement, GSA requires that the SEC set aside 
funds for potential construction and related costs in the event that 
the competitive acquisition process might result in the SEC needing to 
move to a new building. None of these funds would be used for the 
operation of the SEC, and any unused portion would be refunded to fee 
payers.
Conclusion
    My aim for today's testimony is to provide a window into the scope 
of the SEC's daily work to advance our mission of protecting investors, 
maintaining fair, orderly and efficient markets and facilitating 
capital formation. In closing, I want each of you--and all of your 
constituents, including, in particular, Main Street investors--to know 
that the SEC is open for business. We want to serve you and hear from 
you. Whether it be through providing educational resources and investor 
alerts on investor.gov, supporting small businesses and other issuers 
seeking to raise capital or vigorously enforcing the securities laws, 
SEC staff and division and office leadership stand ready and willing to 
engage with any and all who we can assist, and who can inform us, on 
issues consistent with our tripartite mission.
    I thank this Committee and its Members, especially the Chairman and 
Ranking Member, for their continued support of the SEC and its staff, 
and I look forward to answering any questions you may have.

RESPONSE TO WRITTEN QUESTIONS OF SENATOR SCOTT FROM JAY CLAYTON

Q.1. I think it's important for us to recognize the fact that 
the Department of Labor's (DOL) fiduciary rule has had a 
negative impact on many Americans. The average South Carolinian 
has less than 1 year's salary in their retirement accounts. 
Restricting access to professionals in the financial industry 
has a negative impact on the resources available to the average 
American for retirement. The last thing we need to do at this 
point is to find ways to get financial advisory experts out of 
the household, which is the unintended consequence of the 
fiduciary rule in my perspective.
    A July 2017 Harper Polling survey of 600 financial advisers 
found that 75 percent of the professionals whose clients have 
starting assets under $25,000 will take on fewer small accounts 
due to increased compliance costs and legal risks under the 
DOL's rule. These folks desperately need financial experts to 
make good, sound financial decisions. I was pleased to see the 
DOL's 18-month delay in the rule's full implementation.
    What more can you tell me about your coordination with the 
DOL on the fiduciary rule?

A.1. Secretary Acosta and his staff at the DOL have already 
been engaged in a productive dialogue with me and my staff on 
this issue. I anticipate that our interactions will continue or 
increase and become more substantive as the SEC moves forward 
with its rulemaking process. Our goal here is to get the rules 
right for Mr. & Ms. 401(k), the types of people cited in your 
question, and I believe a focus on four key attributes--
clarity, consistency, coordination and choice--will best 
position us to do so. It will be difficult to achieve these 
objectives in our rulemaking without meaningful cooperation 
with the DOL.

Q.2. If the second part of the DOL's fiduciary rule takes 
effect on July 1, 2019, as proposed, will the Commission have 
enough time to have its own rule in effect by then? If not, 
what steps will you take to accelerate your own process or work 
with DOL on a joint schedule, so the two rules do not take 
effect at different times?

A.2. We are working on a rule proposal, and we plan to engage 
expeditiously and constructively with our colleagues at the 
DOL. In response to my June 1 statement and request for comment 
regarding standards of conduct for investment advisers and 
broker-dealers (the June Statement), we have received over 150 
comments from investors and the industry. This is a complex 
issue and commenters discussed a range of topics including 
disclosure, the standard of conduct for broker-dealers, and the 
impact of the DOL rule. Assessing these comments will assist us 
in evaluating the range of potential actions. While I have made 
it clear to staff that this is one of my top priorities, and 
staff are moving forward accordingly, the complexity of the 
issue and the potential for significant impacts on investors 
and market participants means that we need to engage in a 
thorough process, with full consideration of the potential 
economic effects of our actions.

Q.3. State insurance regulators are the experts on fixed income 
annuities. How will you be involving State regulators in your 
work on the fiduciary rule?

A.3. I appreciate the role of State insurance regulators and 
their expertise with respect to fixed income annuities. The 
National Association of Insurance Commissioners (NAIC) 
submitted a letter in response to my June Statement. That 
letter, among other things, discussed NAIC model regulations 
and noted that the NAIC is considering potential changes to its 
model suitability rules to potentially include a best interest 
standard of care. The staff and I will keep that letter and the 
NAIC's views in mind as we consider issues surrounding 
standards of conduct for investment advisers and broker-
dealers, and will be in contact with NAIC personnel as well as 
State insurance regulators as we move forward.

Q.4. Many States have moved forward with their own fiduciary 
standards, creating a patchwork of rules and regulations for 
investors and financial advisors. What can the SEC do to find a 
solution to this growing concern?

A.4. Our markets are diverse and expansive and many financial 
advisors and other participants operate across State lines. I 
believe that consistency in the standards of conduct for 
investment professionals nationwide is important for the proper 
functioning of our markets, and that the best way to achieve 
that is for the Commission to move forward expeditiously with 
its rulemaking process in cooperation with the Department of 
Labor.

Q.5. The fact that we're looking at Chinese investors trying to 
buy the Chicago Stock Exchange and you pumping the brakes on 
that decision--I think it's good. We all would like to 
encourage more FDI, but we need to do it in the most 
responsible way possible. Thank you for your position and 
perspective on that issue.
    Can you describe the actions that led to a Commission 
review of this transaction?

A.5. On August 9, 2017, the Commission's Division of Trading 
and Markets (the Division) approved the proposed rule change 
filed by the Chicago Stock Exchange regarding the acquisition. 
The Division issued this approval order pursuant to delegated 
authority, and the Division's approval order was subsequently 
stayed pursuant to Exchange Act Section 4A and Rule 431 of the 
Commission's Rules of Practice, which provide for Commission 
review of actions made pursuant to delegated authority. At this 
time, the Commission continues to review the delegated action, 
and the Division's approval order remains stayed. Since August 
9, the Commission has received 43 comments on the proposed rule 
change. Because this remains an open matter that is actively 
under consideration by the Commission, I am not in a position 
to comment further on what future action the Commission might 
take.

Q.6. What criteria do Commissioners or Commission staff 
evaluate when reviewing transactions like this one?

A.6. In evaluating a proposed rule change filed by a national 
securities exchange, the Commission carefully evaluates whether 
the proposed rule change is consistent with the requirements of 
the Exchange Act and the applicable rules thereunder. The 
Exchange Act contains a number of relevant provisions, 
including the requirement under Exchange Act Section 6(b)(5) 
that the rules of a national securities exchange be designed to 
promote just and equitable principles of trade, to remove 
impediments to and perfect the mechanism of a free and open 
market and a national market system, and, in general, to 
protect investors and the public interest.

Q.7. Management at public companies should be held accountable 
by their shareholders. A balance between both sides ensures 
productivity and corporate transparency. That said, I wonder if 
the scales have not been tipped a little bit too far. As of 
now, we allow for the resubmission of shareholder proposals 
even if nearly 90 percent of shareholders have voted no in the 
past. That creates costs and distracts from long-term thinking, 
all the while doing little to protect investors.
    How are other shareholders impacted by such a low bar for 
proposal resubmissions?

A.7. Shareholder proposals play an important role in corporate 
governance, but they are not without cost. The evaluation of 
and submission to shareholders of these proposals, including 
the discussion and recommendation in the proxy statement, 
requires board and management time, which imposes a cost to 
shareholders in addition to the out of pocket costs related to 
the proxy process. You are correct, when shareholder proposals 
with little chance of garnering meaningful shareholder support 
are resubmitted, these costs are borne by all shareholders, not 
just the shareholders who submit them or voted in favor of 
them.

Q.8. Will the SEC revisit its past recommendation to raise such 
thresholds?

A.8. I am mindful of concerns that have been raised about the 
shareholder proposal rule, including resubmission thresholds, 
and this area will be closely monitored during the upcoming 
proxy season. We have issued a Staff Legal Bulletin providing 
staff guidance on shareholder proposals, and I expect that we 
will be doing so again shortly. In thinking about any potential 
revisions in this area, the Commission would need to carefully 
balance shareholders' ability to submit proposals with the time 
and costs borne by companies and other shareholders to respond 
to those proposals.

Q.9. Do you believe the shareholder proposal system today is 
working as it was originally intended to, or can it be reformed 
for the benefit of all investors?

A.9. Shareholder proposals serve as an important accountability 
function and can lead to positive change. Nevertheless, I 
expect there may be ways to minimize unnecessary costs borne by 
shareholders in the ``quiet'' majority without compromising the 
important role of shareholder proposals. The resubmission 
thresholds may be one area in which these costs could be 
reduced without unnecessarily limiting shareholders' ability to 
submit proposals.

Q.10. What is your view on making public company disclosures 
more comprehensible and useful for layman investors?

A.10. Investors must have access to information about potential 
investments that is easily accessible and meaningful. In that 
regard, I believe there are ways we can update our disclosure 
requirements to make disclosures more useful for investors and 
to reduce burdens on companies. We took a step in that 
direction on October 11, 2017, when the Commission proposed 
amendments to Regulation S-K that are intended to modernize and 
simplify certain disclosure requirements in Regulation S-K and 
related rules and forms in a manner that reduces the costs and 
burdens on registrants while continuing to provide all material 
information to investors. The amendments are also intended to 
improve the readability and navigability of the Commission's 
disclosure documents and discourage repetition and disclosure 
of immaterial information.
    We also focused on the presentation and delivery of 
disclosure in the Regulation S-K concept release the Commission 
issued in April 2016. The concept release recognized that the 
presentation and delivery of information may play a significant 
role in investors' ability to access and use important 
disclosure. It also sought input on how our rules can 
facilitate the readability and navigability of disclosure 
documents.

Q.11. Do you believe that proxy advisory firms are doing an 
adequate job of disclosing to their clients material conflicts 
of interest in light of the 2014 SEC guidance on the subject?

A.11. The staff issued a Staff Legal Bulletin in 2014 to 
provide guidance to investment advisers about their 
responsibilities in voting client proxies and retaining proxy 
advisory firms. The bulletin also provided guidance on the 
availability and requirements of two exemptions to the proxy 
rules often relied upon by proxy advisory firms. The staff 
continues to monitor developments in this area.

Q.12. Companies often identify conflicts of interest or 
significant errors that proxy advisory firms have made in their 
recommendations--do you believe that the SEC would benefit if 
issuers or other market participants brought these concerns to 
the attention of the Commission?

A.12. The Commission is interested in the effective and 
efficient operation of the U.S. proxy system and welcomes 
outreach from issuers or other market participants. To this 
end, the staff actively seeks input in this area and regularly 
meets with, among others, industry groups, including several 
representing corporate issuers, and will continue to monitor 
developments and consider further action if needed.
                                ------                                


  RESPONSE TO WRITTEN QUESTIONS OF SENATOR MENENDEZ FROM JAY 
                            CLAYTON

Q.1. In your testimony before the Committee last week, you 
emphasized your commitment to enforcement actions and a strong
enforcement division. As I mentioned during your confirmation 
hearing, I was alarmed to learn of Commissioner Piwowar's steps
earlier this year to rein in the enforcement division by 
revoking subpoena authority from 20 enforcement officials and 
limiting it to the division director. As you know, this was a 
significant reversal from post-crisis policy which empowered 
senior enforcement attorneys to quickly escalate informal 
inquiries to formal investigations.
    Can you please describe in detail the enforcement 
division's current procedures regarding subpoena authority?

A.1. The Federal securities laws authorize the Commission, or 
any officer designated by the Commission, to issue subpoenas 
requiring a witness to provide documents and testimony under 
oath. The Commission itself has the power to designate members 
of the staff to act as officers of the Commission in an 
investigation by issuing a Formal Order of Investigation 
(formal order). The formal order serves two important 
functions. First, it directs that a nonpublic investigation be 
conducted, and second, it designates specific staff members to 
act as officers for purposes of the investigation and empowers 
them to administer oaths and affirmations, subpoena witnesses, 
compel their attendance, take evidence and require the 
production of documents and other materials.
    Although Commission staff in the Enforcement Division may 
in some circumstances obtain information without the need for a 
subpoena, performing a complete investigation will often 
require a formal order. For example, banks will not produce the 
account records typically needed in a Ponzi scheme investigation 
without a subpoena. In an insider trading investigation, subpoenas 
will be needed to obtain any relevant phone call records from 
telephone companies. Witnesses may refuse to testify unless 
they are subpoenaed.
    Enforcement Division staff may seek to have a formal order 
issued through one of two methods: pursuant to authority 
delegated by the Commission to the Division Co-Directors, or by 
recommending that the Commission issue the formal order. 
Commission staff seeking a formal order through the delegated 
authority process prepares a memorandum to the Co-Directors 
that provides information concerning the matter and addresses 
the need for a formal order.
    To obtain a formal order directly from the Commission, 
Enforcement staff prepares a memorandum to the Commission to 
recommend that the Commission issue a formal order. The 
memorandum includes the same types of information that is 
provided to the Co-Directors through the delegated authority 
method.
    I have discussed the delegation of formal order authority 
with the Co-Directors of the Enforcement Division, and I am 
comfortable that there are benefits to having that authority 
resting with the two of them, including that it enables them to 
more efficiently and effectively manage the nationwide 
Enforcement program. I do not believe that limiting the 
authority to the Enforcement Division Co-Directors has 
negatively affected the Commission's ability to protect 
investors and deter misconduct. Rather, my initial sense is 
that the current scope of delegation enhances investor 
protection as it provides for a more effective allocation of 
limited resources by the leadership of the Enforcement 
Division. I will continue to consult with the Enforcement 
Division Co-Directors to ensure that the procedures surrounding 
delegated subpoena power do not adversely impact the 
Enforcement Division's ability to fulfill its mission, 
including protecting investors.

Q.2. On September 21, 2017, the SEC issued interpretive 
guidance to companies regarding compliance with the pay ratio 
disclosure requirement mandated by Section 953(b) of Dodd-Frank. In 
the guidance, the SEC provides companies considerable flexibility 
in determining the median employee and calculating employee 
compensation.
    Please explain the specific rationale the SEC relied on to 
justify these flexibilities.

A.2. The pay ratio rule, as adopted, affords significant 
flexibility to registrants in determining the appropriate 
methodologies to identify the median employee and in 
calculating the median employee's annual total compensation. 
The guidance is intended to clarify the ways that registrants 
may use the flexibility that is already part of the rule. 
Specifically, the interpretative guidance clarifies the 
disclosure rules mandated by Congress in a way that is true to 
the mandate and, to the extent practicable, allows companies to 
use operational data and otherwise readily available 
information to produce the disclosures. Additionally, the staff 
issued guidance which includes examples illustrating how 
reasonable estimates and statistical methodologies may be used.

Q.3. In light of the sweeping good faith efforts flexibility 
provided to companies by the guidance, what assurances can you 
provide that the SEC will take enforcement actions against 
companies that fail to provide disclosures in compliance with 
the requirements of the pay ratio disclosure rule?

A.3. As with all new rules adopted by the Commission, we will 
closely monitor implementation of the pay ratio rule. 
Specifically, I expect that a review of the pay ratio 
disclosures will be part of the selective filing review process 
conducted by the Division of Corporation Finance.

Q.4. At a forum in September, you stated that you do not think 
it is necessary for Congress to codify insider trading law. 
Please explain the rationale for this conclusion.

A.4. The Commission's record of holding persons accountable for 
insider trading remains as strong as ever. We have charged more 
than 450 individuals with insider trading in the past 5 years, 
including more than 140 individuals in the past 18 months 
alone.
    In my view, the Commission is well positioned to punish 
insider trading and does not need further legislation defining 
insider trading. Proponents of a law defining insider trading 
cite clarity as an objective and a benefit. While such an 
approach likely would provide greater clarity in some 
circumstances, I am concerned that legislation would generate 
ancillary litigation over its meaning and application in other 
circumstances and that aspects of the body of law that has been 
built up over time would be reinterpreted. In addition, I am 
concerned that clarity may provide nefarious actors with the 
substantive equivalent of a legislative safe harbor for what 
turns out to be clearly abusive conduct. My views in this 
regard are informed by many factors including my discussions 
with the staff and my experience with statutory regimes outside 
the United States.
    Please do not take this answer as an indication that I do 
not believe we should be focused on or look to do more in this 
space. I have been very impressed with the knowledge and 
dedication of our staff in this area, including the market 
abuse unit in the Division of Enforcement. My interactions with 
them have led me to believe that additional efforts and 
resources, including possible legislative efforts, should be 
applied to detection and deterrence in this area. Further, I 
believe those efforts and resources should reflect the fact 
that insider trading and other market abuses have become 
increasingly international and cyber-based.

Q.5. As you know, the New York Stock Exchange, among other 
international exchanges, requires listed companies to have an 
internal audit function within the first year of joining the 
NYSE. Public companies, however, do not typically disclose to 
investors whether they have an independent internal audit 
function. What is the SEC's current position on whether public 
companies should be required to disclose to shareholders 
whether they have an independent internal audit function?

A.5. In 2013, the Commission expressed its belief that an 
internal audit function can assist companies in meeting their 
Exchange Act obligations to devise and maintain a system of 
internal accounting controls. In 2015, the Commission issued a 
concept release that sought public comment on audit committee 
reporting requirements. In that release, the Commission 
expressed an interest in understanding whether changes should 
be made to required disclosures about audit committees 
regarding oversight of the audit and the auditor relationship. 
The Commission specifically asked whether audit committees 
should provide disclosure about their oversight of the internal 
audit function. The Commission also asked whether to require 
disclosures about meetings the audit committee has had with the 
internal auditor. The staff is considering the extensive 
feedback we received in response to the request for comment.

Q.6. I remain concerned that the current lack of transparency 
around short selling enables manipulative trading behaviors 
that harm growing companies and discourages long-term 
investment. I raised this concern to former SEC Chair Mary Jo 
White in a letter in January 2017. In my view, the current lack 
of transparency of short positions has a trifold impact on the 
securities market--it deprives investors of information 
critical to making meaningful investment decisions; it denies 
issuers of insights into trading activity and inhibits their 
ability to interface with investors; and it withholds crucial 
information from the market, ultimately impeding efficiencies 
and diluting transparency. There are currently two petitions 
for rulemaking pending before the SEC requesting that it 
promulgate rules to require disclosure of short positions in 
parity with the existing required disclosure of long positions 
(File No. 4-689 and File No. 4-691).
    Does the SEC plan to act on these pending rulemaking 
petitions, or consider any alternative options, in order to 
ensure fair disclosure of short positions?
    In your opinion, should the SEC implement a disclosure 
regime for short positions that would make this behavior more 
transparent and ultimately mitigate the effects of manipulative 
trading strategies?

A.6. The Commission has considered the question of disclosure 
of short positions for a number of years.\1\
---------------------------------------------------------------------------
    \1\ For instance, in 2014 the Commission's Division of Economic and 
Risk Analysis conducted a comprehensive study analyzing the 
feasibility, costs, and benefits of real-time short position reporting. 
See ``Short Sale Position and Transaction Reporting,'' June 5, 2014, 
DERA study as required by Section 417 of the Dodd-Frank Wall Street 
Reform and Consumer Protection Act.
---------------------------------------------------------------------------
    Currently, each self-regulatory organization (SRO) 
publishes on its website aggregate daily short selling volume 
in each individual equity security listed on its exchange. The 
SROs also publish on their websites information regarding 
individual short sale transactions in all exchange-listed 
equity securities on a 1-month delayed basis. Additionally, the 
SROs publish statistics on short interest in securities that 
trade on their markets twice a month. Moreover, the Commission 
publishes on its website fails-to-deliver information for all 
equity securities twice a month (available at: 
https://www.sec.gov/answers/shortsalevolume.htm).
    I also note that our Division of Enforcement is focused on 
identifying and pursuing cases that involve inappropriate short 
selling. Recently, the Commission has brought enforcement cases 
against market participants when they prompted the issuance of 
American Depositary Receipts (ADRs) without possessing the 
underlying foreign shares, thus creating opportunities for 
potential market abuse, including short selling.\2\ And, the 
Commission has charged financial institutions with violating 
the SEC's Regulation SHO by improperly providing locates--a 
representation that the firm has borrowed, arranged to borrow 
or reasonably believes it could borrow securities to settle a 
short sale--to customers where the firm had not performed an 
adequate review of the securities to be located or had systems 
improperly programmed to rely on stale locate information.\3\
---------------------------------------------------------------------------
    \2\ Press Release 2017-144, Banca IMI to Pay $35 Million for 
Improper Handling of ADRs in Continuing SEC Crackdown (Aug. 18, 2017), 
available at https://www.sec.gov/news/press-release/2017-144; Press 
Release 2017-6, ITG Paying $24 Million for Improper Handling of ADRs 
(Jan. 12, 2017), available at 
https://www.sec.gov/news/pressrelease/2017-6.html.
    \3\ See, e.g., Press Release 2016-9, SEC Charges Goldman Sachs with 
Improper Securities Lending Practices (Jan. 14, 2016), available at 
https://www.sec.gov/news/pressrelease/2016-9.html; Press Release 
2015-105, Merrill Lynch Admits Using Inaccurate Data for Short Sale 
Orders, Agrees to $11 Million Settlement (June 1, 2015), available at 
https://www.sec.gov/news/pressrelease/2015-105.html.
---------------------------------------------------------------------------
    The Commission continues to consider whether the current 
approach to transparency and reporting is appropriate and 
whether additional reporting of short sale transactions may be 
warranted. I have engaged with the staff, including the staff 
of the Division of Enforcement, on this and they are monitoring 
the issues. That said, I recognize that markets evolve and 
staff should be regularly asking whether our reporting regime 
for short selling appropriately reflects the potential for 
illicit practices. In that context, the Commission also takes 
into account feedback from all market participants, including 
the petitions from Nasdaq, Inc., and NYSE Group Inc., as well 
as comments from the public concerning these petitions.

Q.7. Recently, certain hedge funds have challenged the 
legitimacy of a drug patent while simultaneously shorting a 
biopharmaceutical company's stock. In so doing, they increase 
the value of their short position by publicizing numerous 
patent challenges and provoking fear in the marketplace, 
ultimately driving down the stock prices of these smaller 
companies.
    Does the SEC plan to investigate potential abuses of 
securities laws whereby market participants target patents held 
by biopharmaceutical companies and short their stock?

A.7. The use of the patent challenge process (the ``inter 
partes review'' or ``IPR'') as an investment strategy is a 
recent development and its impact on the capital markets 
remains to be seen. We understand that the process, which 
allows the filer to challenge the legitimacy of a patent, 
includes a series of procedural requirements that may serve as 
deterrents for abusive challenges. For example, the claimant 
typically must publicly specify the grounds for unpatentability 
and explain the relevance of evidence relied upon. Further, a 
petitioning party can be sanctioned by the U.S. Patent and 
Trademark Office for abuse or any improper use of the IPR 
process. In addition, we understand that there are several fees 
associated with an IPR, including a $9,000 fee simply for 
requesting a review.
    Because the use of the IPR is such a recent phenomenon, 
Commission staff continues to study the space and assess 
whether additional action, such as heightened disclosure 
requirements, may be useful or appropriate to expose 
potentially fraudulent or manipulative trading behavior. But, 
the Commission has the authority to address potential 
misconduct related to market manipulation, which includes 
fraudulent conduct designed to deceive investors by 
artificially affecting the market for a security. Manipulation 
can involve a range of misconduct, including: spreading false 
or misleading information about a company or rigging quotes, 
prices or trades to create a false or deceptive picture of the 
demand for a security.
    The Federal securities laws also contain requirements that 
apply to the short sale of securities.\4\ Where the 
Commission's Enforcement Division becomes aware of facts that 
suggest a possible violation of the Federal securities laws, it 
may investigate the conduct and, in appropriate cases where 
there is sufficient evidence of a violation, the Commission may 
bring enforcement actions against the wrongdoers. The 
Commission takes the possibility of manipulation, including 
potentially manipulative short selling, in our markets 
seriously. While short selling can provide the market with 
important benefits such as market liquidity and pricing 
efficiency, the Commission has brought cases against persons 
that violate the Commission's short sales rules or otherwise 
engage in abusive short selling.
---------------------------------------------------------------------------
    \4\ For example, under Exchange Act Rule 10b-21 it is a violation 
for a party to submit an order for a short sale of a security if the 
party deceives a broker dealer, a registered clearing agency or a 
purchaser about the party's intention or ability to deliver the 
security by the settlement date and the party fails to deliver the 
security on or before the settlement date.
---------------------------------------------------------------------------
                                ------                                


RESPONSE TO WRITTEN QUESTIONS OF SENATOR SASSE FROM JAY CLAYTON

Q.1. Understanding that this investigation is ongoing, I'd like 
to discuss the details of the breach of the SEC's EDGAR system.

    On what specific date did the EDGAR breach occur?

    When did the SEC first identify the breach and how 
        long were the hackers in the SEC's system?

    When did the SEC first ascertain that this breach 
        could have allowed the hackers to trade on nonpublic 
        information?

    Why did it take so long for the SEC to determine 
        that this breach could have allowed for the trading on 
        nonpublic information?

    Who was informed of this breach inside the SEC and 
        outside of the organization in 2016? For example, were 
        the Commissioners or then-SEC Chair White informed? 
        What about the SEC's then-Chief Operating Officer? Why 
        or why not?

    Does the SEC have any indication that the identity 
        of the hackers could be nation-state hackers?

    It has been reported that the DHS in January found 
        key vulnerabilities in the SEC's cybersecurity 
        protections. Has the SEC fully addressed these 
        vulnerabilities or does the SEC intend to do so? If 
        the SEC already addressed these vulnerabilities, when 
        did it do so? If not, when will the SEC address these 
        vulnerabilities?

    Has the DHS found any further vulnerabilities after 
        that January report?

    In July, the GAO released a report that highlighted 
        areas where the SEC could improve its treatment of 
        cybersecurity issues. Does the SEC intend to fully 
        comply with the GAO report's recommendations? If so, on 
        what timeline?

    What, if any, other law enforcement agencies is the 
        SEC working with on this breach?

    I'd like to discuss the history of cybersecurity 
        breaches at the SEC.

    How many material cybersecurity breaches have there 
        been at the SEC?

    Is this the first breach at the SEC that could have 
        facilitated the trading of inside information?

    The SEC's statement announcing the EDGAR breach 
        said that ``the intrusion did not result in 
        unauthorized access to personally identifiable 
        information, jeopardize the operations of the 
        Commission, or result in system risk.'' Has there been 
        a breach at the SEC that compromised personally 
        identifiable information?

    Has there been a breach at the SEC that jeopardized 
        the SEC's operations?

    Are you concerned that a breach at the SEC could 
        jeopardize the SEC's operations? If so, please describe 
        the consequences of such a breach.

    Has there been a breach at the SEC that resulted in 
        systemic risk?

    Are you concerned that hackers could pose a 
        national security or systemic risk by accessing the 
        live markets and shutting down trading, deleting trade 
        information, or otherwise sparking a major crisis? If 
        so, please describe the consequences of such a breach.

    Please provide an overview of the steps that the 
        SEC has taken to avoid a breach that would endanger 
        national security, cause systemic risk, or jeopardize 
        the SEC's operations.

A.1. In my September 20th press release and statement on 
cybersecurity, which was part of an ongoing assessment of the 
Commission's cybersecurity risk profile and preparedness that I 
initiated upon joining the Commission in May, and in my recent 
testimony before this Committee and before the House Committee 
on Financial Services, I noted that I was notified in August 
2017 of a possible 2016 intrusion into our EDGAR system. In 
response to this information, which I learned in connection 
with an ongoing investigation by our Division of Enforcement, I 
immediately commenced an internal review of the 2016 intrusion. 
Through 
this review and the ongoing enforcement investigation, I was 
informed that the 2016 intrusion into the test filing component 
of our EDGAR system provided access to nonpublic EDGAR filing 
information and may have provided a basis for illicit gain 
through trading. After the initial disclosure of the intrusion 
on September 20th and my testimony before the Committee, I was 
informed that the ongoing staff investigation determined that 
an EDGAR test filing accessed by third parties as a result of 
the 2016 intrusion contained the names, dates of birth and 
social security numbers of two individuals. This determination 
was based on forensic data analysis conducted since my 
September 20th disclosure of the intrusion, which relied on the 
latest information available at that time.\1\
---------------------------------------------------------------------------
    \1\ See Press Release 2017-170, SEC Chairman Clayton Issues 
Statement on Cybersecurity: Discloses the Commission's Cyber Risk 
Profile, Discusses Intrusions at the Commission, and Reviews the 
Commission's Approach to Oversight and Enforcement (Sept. 20, 2017), 
available at https://www.sec.gov/news/press-release/2017-170; see also 
Statement on Cybersecurity (Sept. 20, 2017), available at 
https://www.sec.gov/news/public-statement/statement-clayton-2017-09-20; see 
also Press Release 2017-186, SEC Chairman Clayton Provides Update on 
Review of 2016 Cyber Intrusion Involving the EDGAR System (Oct. 2, 
2017), available at https://www.sec.gov/news/press-release/2017-186.
---------------------------------------------------------------------------
    Based on what we know to date, we believe the 2016 
intrusion involved the exploitation of a defect in custom 
software in the EDGAR system. When it was originally 
discovered, the SEC's Office of Information Technology (OIT) 
staff took steps to remediate the defect in custom software 
code and reported the incident to the Department of Homeland 
Security's (DHS's) U.S. Computer Emergency Readiness Team 
(US-CERT). Based on the investigation to date, OIT staff believes 
that the prior remediation effort was successful.
    In my October 4, 2017 testimony before the House Committee 
on Financial Services, I noted that we have multiple ongoing 
work streams concerning the 2016 incident and our steps to 
improve the cybersecurity risk profile of our EDGAR system and 
of the agency's systems more broadly.\2\ These work streams 
include:
---------------------------------------------------------------------------
    \2\ See Testimony on Examining the SEC's Agenda, Operation, and 
Budget, House Comm. on Fin. Serv. (Oct. 4, 2017), available at 
https://www.sec.gov/news/testimony/testimony-examining-secs-agenda-operation-and-budget.
---------------------------------------------------------------------------

  1. The review of the 2016 EDGAR intrusion by the Office of 
        Inspector General. Staff have been instructed to 
        provide their full cooperation with this effort;

  2. The investigation by the Division of Enforcement into the 
        potential illicit trading resulting from the 2016 EDGAR 
        intrusion;

  3. A focused review of and, as necessary or appropriate, 
        uplift of the EDGAR system. The EDGAR system has been 
        undergoing modernization efforts. The agency has added, 
        and expects to continue to add, additional resources to 
        these efforts, which are expected to include outside 
        consultants, and will increase the focus on 
        cybersecurity matters;

  4. The more general assessment and uplift of the agency's 
        cybersecurity risk profile and efforts that were 
        initiated shortly after my arrival at the Commission 
        this past May, including, without limitation, the 
        identification and review of all systems, current and 
        planned (e.g., the Consolidated Audit Trail or CAT), 
        that hold market sensitive data or personally 
        identifiable information; and

  5. The agency's internal review of the 2016 EDGAR intrusion 
        to determine, among other things, the procedures 
        followed in response to the intrusion. This review is 
        being overseen by the Office of the General Counsel and 
        has an interdisciplinary investigative team that 
        includes personnel from regional offices and will 
        involve outside technology consultants.

    There are limits on what I know and can discuss about the 
2016 incident due to the status (ongoing and incomplete) and 
nature (enforcement) of our reviews and investigations. Each of 
these efforts is moving forward and, as is the nature of 
matters of this type, will require substantial time and effort 
to complete. Nevertheless, I directed the issuance of my 
September 20th press release and statement on cybersecurity 
because I believed that, once I knew enough to understand that 
the 2016 intrusion provided access to nonpublic EDGAR test 
filings and that this may have resulted in the misuse of 
nonpublic information for illicit gain, it was important to 
disclose the incident and our cybersecurity risk profile more 
generally to the American public and Congress. I will make sure 
to keep the Committee informed of the ultimate findings and 
conclusions of our internal review into the 2016 intrusion.
    Cybersecurity must be more than a firm-by-firm or 
agency-by-agency effort. Active and open communication between and 
among regulators and the private sector also is critical to 
ensuring the Nation's financial system is robust and 
effectively protected. Information sharing and coordination are 
essential for regulators to anticipate potential cyber threats 
and respond to a major cyberattack, should one arise. The SEC 
is therefore working closely with fellow financial regulators 
to improve our ability to receive critical information and 
alerts, react to cyber threats and harmonize regulatory 
approaches.
    We view our interaction with other Government agencies and 
committees, including DHS, Government Accountability Office 
(GAO) and the Financial and Banking Information Infrastructure 
Committee, as an important part of our cybersecurity efforts. 
For example, we work closely with GAO to address 
vulnerabilities in our IT and critical system infrastructure. 
Our most recent GAO audit report was issued on July 27, 2017. 
To date, SEC staff have worked to implement all eleven IT 
security recommendations that were open as of the start of 
fiscal year 2017 and have either completed or are working to 
address all of the recommendations issued as part of the GAO's 
most recent report. We have prioritized these recommendations 
and will continue to track them until GAO is satisfied with our 
implementation of the recommendations. Likewise, with regard to 
DHS, our Security Operations Center is required to report 
incidents to DHS as they occur pursuant to Federal directives 
and did so report the 2016 EDGAR intrusion.
    I am deeply concerned by the risks posed by cyber threat 
actors across the financial sector. Of paramount concern to the 
Commission with respect to its internal systems is the 
protection of nonpublic information, including personally 
identifiable information and information that is market 
sensitive; these issues are important to other regulatory 
agencies and market participants as well. Denial of service is 
another significant risk faced by regulatory agencies and 
market participants. As explained in my testimony before the 
House Committee on Financial Services, it is for these reasons 
that I have instituted a wide-scale review of both EDGAR and 
the overall cybersecurity risk profile of agency systems, and 
that we have continued to make cybersecurity considerations a 
priority in our outward-facing regulatory efforts.
    In my recent testimony before the Committee, I stated that, 
despite the attention given to widely publicized cyber-related 
incidents experienced by the Commission and others, I still am 
not confident that the Main Street investor has received a 
sufficient package of information from issuers, intermediaries 
and other market participants to understand the substantial 
risks resulting from cybersecurity and related issues. As a 
general matter, it is critical that investors be informed about 
the threats that issuers and other market participants face.
    The SEC will continue to examine whether public companies 
are taking appropriate action to inform investors, including 
after a breach has occurred, and we will investigate issuers 
that mislead investors about material cybersecurity risks or 
data breaches. As I have noted previously on various occasions, 
I would like to see more and better disclosure in this area.\3\
---------------------------------------------------------------------------
    \3\ See Remarks at the Economic Club of New York (July 12, 2017), 
available at https://www.sec.gov/news/speech/remarks-economic-club-new-york.
---------------------------------------------------------------------------
    Overall, by promoting effective cybersecurity practices in 
connection with both the Commission's internal operations and 
its external regulatory oversight efforts, it is our objective 
to contribute substantively to a financial market system that 
recognizes and addresses cybersecurity risks and, in 
circumstances in which these risks materialize, exhibits strong 
mitigation and resiliency.

Q.2. I'd like to discuss how the SEC's structure impacts your 
ability to manage the agency.
    How many direct reports does the SEC Chairman have?

A.2. The SEC has 22 division and office heads who report to me 
as Chairman. In addition, the Commission is hiring a Director 
for a new Office of the Advocate for Small Business Capital 
Formation, which is being established pursuant to statute.

Q.3. During your hearing last week, you said that the Office of 
Information Technology headed by Pam Dyson ``is the office 
within the SEC that has overall responsibility'' for 
cybersecurity. You also said that Pam Dyson ``is a direct 
report to me and also to our Office of the Operating Officer.'' 
Can you please elaborate on the cybersecurity duties of the 
Office of Information Technology and how that dual reporting 
structure works?

A.3. Pamela Dyson serves as the Chief Information Officer and 
the Director of the Office of Information Technology. As the 
Chief Information Officer, Ms. Dyson's role is compliant with 
the mandate within the Clinger Cohen Act of 1996 that requires 
the Chief Information Officer to report directly to the head of 
the Agency. In this capacity, Ms. Dyson serves as senior 
technology advisor to the Office of the Chairman. Ms. Dyson 
also receives day-to-day direction from the Chief Operating 
Officer.
    As the Director of the Office of Information Technology, 
Ms. Dyson oversees and supports the Commission and staff in all 
aspects of the Commission's information technology program. 
This includes application development, data management 
operations, infrastructure operations and engineering, user 
support, IT program management, capital planning, and 
enterprise architecture. The Office of Information Technology 
also includes the agency's information security staff, which is 
headed by the Chief Information Security Officer.

Q.4. In March 2011, a Boston Consulting Group study \4\ 
authorized by the SEC argued that the ``large number of direct 
reports generally creates a management challenge for the 
Chairman.'' Do you agree?
---------------------------------------------------------------------------
    \4\ https://www.sec.gov/news/studies/2011/967study.pdf.

A.4. I recognize that the management reporting structure of the 
Commission has more direct reports to the Chairman than would 
be expected in a commercial organization of similar size.
    Based on my time as Chairman thus far, I have not viewed 
the reporting structure as a material impediment to effective 
management of the agency. I am mindful of the substantial 
scale, diversity and importance of market and operational 
activity that the Commission is charged with overseeing on a 
continuous basis and, in response, establishing an effective 
day-to-day management and reporting environment. To provide 
more specific context, I meet on a weekly basis with all the 
division and office heads as a group, as well as one-on-one 
meetings on a regular basis. These one-on-one meetings 
generally occur more frequently with Division heads and in 
cases where an Office or Division is addressing a time 
sensitive or significant issue, and I have encouraged Office 
and Division heads to contact me promptly if any such issues 
arise. It is important to note that the staff in my immediate 
office, including the Chief of Staff, Deputy Chief of Staff, 
Chief Counsel and Managing Executive, play an important role in 
assisting me with overseeing the activities of the various 
Divisions and Offices. I also meet with my fellow Commissioners 
on a regular basis and, in those meetings, seek their input on 
organizational structure as well as staff reporting and 
performance.
    That said, I believe it is important that we continually 
reevaluate the SEC's operations and organizational structure to 
look for opportunities to improve efficiency, identify cost 
savings or streamline or consolidate operations where 
warranted, including in response to changes in the markets and 
activities we oversee. We also should be evaluating how to more 
effectively share information across our Divisions and Offices, 
including risk information. I am committed to these areas of 
self-assessment. One example where this self-assessment has 
resulted in a specific initiative is the formation of the EDGAR 
Program Office in June 2017 to better coordinate the agency's 
efforts to enhance this important system and support filers. A 
more recent example is the announcement of a new position, the 
Chief Risk Officer, whose responsibilities will include 
identifying, monitoring and mitigating risks across our 
Divisions and Offices. We will continue to explore and pursue 
such opportunities as they emerge.

Q.5. Has the SEC Chairman's large number of direct reports 
hindered your ability to focus on cybersecurity while still 
focusing enough on the other responsibilities within your 
purview?

A.5. I do not believe the number of Divisions and Offices 
reporting to me has hindered my ability to focus on this 
critical issue. As I mentioned in my testimony, in May 2017, I 
initiated a general assessment of our internal cybersecurity 
risk profile and the SEC's approach to cybersecurity from a 
regulatory and oversight perspective. Components of this 
initiative build on prior agency efforts in this area and 
include establishing a senior-level cybersecurity working group 
to coordinate information sharing, risk monitoring and incident 
response efforts throughout the agency. We also have a number 
of efforts underway to review and, as necessary, uplift our 
EDGAR system as well as systems that hold market sensitive data 
or personally identifiable information. I believe these 
efforts, which in certain cases are expected to involve outside 
consultants, are important steps in improving our cybersecurity 
risk profile.

Q.6. What would be the ideal number of direct reports for your 
position considering the management challenges that stem from 
having a large number of direct reports? Please set aside 
whether altering the number of direct reports would require 
legislative authorization.
    What are ways that your office can streamline the SEC's 
reporting structure to eliminate duplicative reporting and 
unnecessary strain on your resources? For example, does the BCG 
study contain any praiseworthy recommendations that the SEC has 
not yet acted upon? Do any of these changes require legislative 
authorization?

A.6. The SEC's statutory mandate is very broad in scope and 
diversity of activity. It includes oversight of approximately 
$72 trillion in securities trading annually on U.S. equity 
markets; the disclosures of over 8,100 public companies, of 
which 4,300 are exchange listed; and the activities of over 
26,000 registered entities, including investment advisers, 
broker-dealers, transfer agents, securities exchanges, clearing 
agencies, mutual funds, exchange traded funds, the Financial 
Industry Regulatory Authority (FINRA) and the Municipal 
Securities Rulemaking Board (MSRB), among others. We also 
engage and interact with the investing public on a daily basis 
through a number of activities ranging from our investor 
education programs to alerts on our SEC.gov portal.
    The SEC's organizational structure, and the number of 
divisions and offices reporting to the Chairman, has been 
developed over time to reflect the many different aspects of 
this broad mission. At this point, I do not have any specific 
plans to materially adjust the number of divisions and offices 
or their specific responsibilities. As discussed above, 
together with the staff in my immediate office and with the 
advice of my fellow Commissioners, I have implemented a senior 
management reporting structure that reflects the anticipated 
day-to-day realities of the Commission's operations. However, I 
do believe it is imperative that the agency continue to seek 
out any opportunities to improve the agency's efficiency and 
effectiveness, including through organizational reforms and in 
response to changes in the marketplace, and I am committed to 
do so.
    With respect to the 2011 BCG Study, I agree that it 
contained a number of very helpful recommendations for 
improving the agency's operations. The SEC in August 2017 
provided a report to Congress, highlighting the various actions 
that the agency has taken in response. To date, the agency has 
taken action to address all but one of the recommendations, 
which is still in progress.
    The SEC's August 2017 status report also notes one 
recommendation that was completed but is subject to 
congressional action. This recommendation was for the SEC to 
seek flexibility from Congress on the structure of the four 
offices mandated by the Dodd-Frank Act (the Office of Municipal 
Securities, Office of Credit Ratings, Office of the Investor 
Advocate and Office of Minority and Women Inclusion) to report 
to the Chairman. The BCG Report concluded that the SEC should 
seek a revision to the Dodd-Frank Act to give the agency 
flexibility to determine the reporting lines for these offices. 
In 2011, the SEC put forth this legislative recommendation to 
the Congress, and then-Chairman Mary Schapiro also called 
attention to this recommendation in September 2011 testimony 
before the House Committee on Financial Services.

Q.7. I'd like to discuss the cybersecurity risks associated 
with the Consolidated Audit Trail (CAT) which has been called 
the ``Fort Knox of Wall Street.''\5\
---------------------------------------------------------------------------
    \5\ See https://www.cnbc.com/2017/09/21/heres-what-really-terrifies-wall-street-about-the-sec-hack.html?view=story&%24DEVICE%24=native-android-mobile.
---------------------------------------------------------------------------
    What value do you see in fully implementing the CAT?

A.7. The U.S. securities markets have become substantially more 
automated, dispersed and complex in recent years. Trading 
activity in stocks and options is tracked through a number of 
systems, and no single system tracks the orders that are routed 
and executed across multiple trading venues. This patchwork 
approach can hinder the ability of regulators to look across 
our markets in pursuit of their mission. In short, to address 
more efficiently and effectively specific issues that span 
multiple markets and trading venues (e.g., the actions of a 
sophisticated market manipulation scheme) and system wide 
events (e.g., a ``flash crash'' or similar market event), we 
need access to consolidated information. The CAT is intended to 
provide the self-regulatory organizations (SROs) and the 
Commission with consolidated cross-market data that is more 
complete, accurate, accessible and timely than the data 
currently available. When fully implemented, the CAT should 
provide regulators with access to comprehensive information 
about all orders and trades in exchange-listed securities 
across the U.S. markets. The CAT is expected to track the life 
of an order, from origination with a particular customer, 
through routing, modification, cancellation or execution. As a 
result, the CAT should provide a much more efficient and 
effective means to identify, investigate and pursue market 
misconduct, perform timely market analyses and event 
reconstructions, and develop well-informed policy initiatives.

Q.8. Would a breach of the CAT jeopardize the operations of the 
Commission? If so, how?

    Would a breach of the CAT result in a systemic risk 
        to our economy? If so, how?

    Are you worried that a breach of the CAT could 
        compromise the confidential investment strategies of 
        trading firms, particularly if the trade information 
        could be reverse engineered?

    Are you worried that a breach of the CAT would 
        cause some broker-dealers to reduce trading to protect 
        their confidential trading strategies?

A.8. The CAT repository is expected to contain comprehensive 
information on trading activity in the securities markets, and 
the Commission understands that this information is highly 
sensitive and that security issues with respect to such a 
system are particularly acute. Making sure there are 
appropriate mechanisms in place to protect the security and 
confidentiality of CAT data is of paramount concern both to the 
Commission and the SROs. The CAT national market system plan 
(CAT NMS Plan) calls for the CAT repository to store extensive 
information on all orders in exchange-listed securities, 
including customer identification information (which is 
expected to include personally identifiable information (PII)). 
This information will provide regulators with prompt access to 
the trading activity of individual market 
participants. While this information should greatly enhance the 
ability of regulators to effectively oversee the modern 
securities markets, its unauthorized access and use could cause 
substantial harm. For example, a breach of CAT security could 
compromise the confidential investment strategies of trading 
firms and, if sufficiently large, could undermine regulatory 
operations or have a systemic impact. Therefore, it is 
important that the design, roll-out and ongoing operation of 
the various components of CAT data reporting reflect an ongoing 
assessment of the sensitivity of the data reported and related 
security concerns and protections.
    Due to the importance of maintaining the security of CAT 
data, the CAT NMS Plan approved by the Commission requires the 
SROs to ensure that the CAT repository meets rigorous data 
security requirements, including those regarding connectivity 
and data transfer, encryption, storage, access and PII. The 
Plan Processor, as defined by the CAT NMS Plan, must develop a 
comprehensive information security program that addresses the 
security and confidentiality of all information within the CAT 
data repository and associated operational risks, and that 
includes all relevant standards from the NIST Cybersecurity 
Framework. The CAT NMS Plan also requires regular security 
audits performed by a qualified third-party auditor. The SROs, 
which have direct oversight of the Plan Processor, are 
obligated to monitor the information security program to ensure 
that it is consistent with the highest industry standards for 
the protection of data, and are required to implement 
comparable information security policies and procedures with 
respect to their handling of CAT data. Moreover, the 
Commission, in approving the CAT NMS Plan, committed to 
implementing policies and procedures relating to the 
Commission's handling of CAT data that are comparable to the 
standards applicable to the SROs, which are required to be 
comparable to the standards applicable to the CAT repository, 
and the Commission will periodically review the effectiveness 
of these policies and procedures.

Q.9. In the event of a full breach of the CAT, how many 
Americans would have their information exposed under the SEC's 
current plans for the CAT? If you do not have a precise number, 
please provide the agency's best estimate.

A.9. It is difficult to ascertain with certainty how many 
Americans would have their information exposed if there was a 
full breach of the CAT, but, assuming all orders result in the 
reporting of PII to the CAT, it would be a very large number, 
certainly in the millions. Approximately 43.3 million 
households have either a brokerage account or an IRA. 
Accordingly, as discussed above, the Commission required that 
the CAT NMS Plan--which sets forth the minimum requirements the 
SROs must follow as they build the CAT--be designed to minimize 
the risk of a breach that could result in access to customer 
PII.

Q.10. Does the SEC intend to collect the PII of all retail 
investors, including those that engage in only limited trading?

    What percentage of the PII stored in the CAT does 
        the SEC expect will be operationally useful to the 
        CAT's purpose, instead of being dormant in the CAT and 
        never accessed?

    Has the SEC explored alternatives to maintaining 
        PII in the CAT? For example, would the SEC be able to 
        fulfill its policy aims by requesting PII from 
        individuals only when it is necessary for the SEC to 
        fulfill its oversight duties?

    Has or will the SEC determine what CAT-related 
        information it can review without storing it in the 
        CAT? For example, could the SEC merely require 
        registrants to maintain and provide certain information 
        to the SEC upon request, as opposed to keeping it in 
        the CAT? Will you commit to ensuring that such 
        information is omitted from the CAT?

A.10. I expect that the Commission will only retrieve sensitive 
data stored in the CAT repository to the extent necessary to 
address a specific regulatory purpose. It is not my objective 
to regularly retrieve from the CAT repository PII of retail 
investors that engage in normal trading practices. Further, I 
expect that the Commission will implement and follow data 
security procedures that appropriately address the sensitive 
nature of the information.
    In approving the CAT NMS Plan, the Commission committed 
that its policies and procedures would impose security 
obligations on the Commission and its personnel that are 
comparable to the standards applicable to the SROs, and in turn 
the CAT repository. In addition, the Commission employs an 
agency-wide cybersecurity detection, protection and prevention 
program for the protection of agency operations and assets. 
This program includes cybersecurity protocols and controls, 
network protections, system monitoring and detection processes, 
vendor risk management processes, and regular cybersecurity and 
privacy training for employees.
    However, the CAT NMS Plan calls for the CAT repository 
itself to collect PII of all retail investors with brokerage 
accounts. This PII is already stored on the systems of other 
market participants, including retail investors' 
broker-dealers. The SROs and the Plan Processor have informed us that 
consistent with the CAT NMS Plan, this information will be 
subject to heightened security protocols and standards; for 
example, PII must be stored in a database that is physically 
separate from the transactional database, access to PII must 
follow a role-based access model and any login system that is 
able to access PII must be further secured via multi-factor 
authentication. The CAT NMS Plan also requires the Plan 
Processor to adhere to the NIST Risk Management framework and 
to implement baseline security controls identified in NIST.
    It has been 5 years since the Commission adopted the CAT 
rule--Rule 613 of Regulation NMS. Our markets have evolved 
since then, and will continue to do so. The Commission should 
continue to evaluate the use of the CAT--including with respect 
to the types of data maintained in the CAT and the types of 
data accessed by the Commission--in light of current market 
realities and the important regulatory objectives served by the 
CAT. I also believe it is important that the SROs and the Plan 
Processor continuously evaluate the approach to the collection, 
retention, and protection of PII and other sensitive data in 
light of developments in the various areas including 
cybersecurity, market structure and regulatory needs; and in 
that regard, I note that the CAT NMS Plan requires the 
Chief Compliance Officer of the CAT to regularly review the 
CAT's information security program. I have asked the staff of 
the Commission to conduct such an evaluation with regards to 
the need for PII and expect that the SROs and the Plan 
Processor engage in a similar exercise.

Q.11. In light of the EDGAR breach and the reasonable 
presumption that the CAT will be a target of a cyberattack, 
would it be prudent to extensively improve the security of the 
CAT before partially rolling out the CAT?
    My understanding is that the CAT will only be partially 
rolled out on November 15, 2017. Which elements of the CAT will 
the SEC implement and which elements of the CAT will the SEC 
delay implementing?
    How long will it take for the SEC to complete this review 
of the data inside the CAT? If the SEC cannot complete this 
review by November 15, 2017, do you commit to delaying the 
first phase of the CAT implementation?

A.11. Protecting the information in the CAT repository is of 
paramount concern. I expect that the CAT will be a target for 
cyberattacks by sophisticated actors. As discussed above, the 
CAT NMS Plan imposes security requirements on the CAT 
repository and the SROs.
    The 2016 intrusion into the Commission's EDGAR system is 
currently under investigation, as I noted in my earlier public 
statements, and I have taken a number of steps designed to 
strengthen the Commission's cybersecurity risk profile and 
evaluate our cybersecurity risk governance structure, including 
initiating the identification and review of systems that hold 
market sensitive data or PII and the enhancement of escalation 
protocols for cybersecurity incidents in order to enable 
greater agency-wide visibility and understanding of potential 
cyber vulnerabilities and attacks. The Commission also now has 
a senior-level cybersecurity working group, we are in the 
process of hiring additional staff, including a Chief Risk 
Officer, and outside technology consultants, and we have a 
number of additional cybersecurity initiatives underway.
    The first phase of CAT implementation (i.e., reporting by 
SROs) will only include transaction data and not the submission 
of customer information or PII to the CAT repository. Both the 
Commission and the SROs must be confident the appropriate 
security measures are in place before CAT becomes operational.
    Regarding the Commission's use of the CAT, as discussed 
above, I expect that the Commission will only retrieve 
sensitive data stored in the CAT repository to the extent 
necessary to address a specific regulatory purpose. It is not 
my objective to regularly retrieve from the CAT repository PII 
of retail investors that engage in normal trading practices. 
Further, I expect that the Commission will implement and follow 
data security procedures that appropriately address the 
sensitive nature of the information.

Q.12. In your Senate Banking testimony last week you said ``we 
don't want to be taking data [for] the CAT unless we need it 
and can protect it.'' What standards will the SEC follow to 
determine if a particular data set is absolutely needed for the 
CAT?
    What standards will the SEC follow to determine if the SEC 
can protect the information inside the CAT?

A.12. I take very seriously the obligation to maintain the 
security and confidentiality of CAT data. As discussed above, I 
expect that the Commission will only retrieve sensitive data 
stored in the CAT repository to the extent necessary to address 
a specific regulatory purpose. Further, before retrieving such 
data, I expect the Commission will implement and follow data 
security procedures that appropriately address the sensitive 
nature of the information and, as a result, I expect that the 
Commission would not be regularly retrieving PII of retail 
investors that engage in normal trading practices. With regard 
to specific standards, in approving the CAT NMS Plan, the 
Commission committed that its policies and procedures would 
impose security obligations on the Commission and its personnel 
that are comparable to the standards applicable to the SROs and 
in turn the CAT repository. In addition, the Commission is 
subject to information security policies and procedures 
developed in accordance with Federal directives and NIST 
standards that prohibit the unauthorized disclosure or 
inappropriate use of confidential data.

Q.13. My understanding is that Thesys will be the CAT's plan 
processor. Will it be subject to Regulation SCI? Why or why 
not? If not, what cybersecurity standards or principles will 
Thesys be subject to and how will Thesys be held accountable in 
the event of lax cybersecurity processes?

A.13. The CAT repository, which collects and maintains the CAT 
data, is a facility of each SRO. The SROs are ``SCI Entities,'' 
and the CAT system is an SCI system. As a result, the CAT 
repository is subject to the requirements of Regulation SCI. 
The CAT NMS Plan states that data security standards of the CAT 
System shall, at a minimum, satisfy all applicable regulations 
regarding database security, including provisions of Regulation 
SCI. The SROs are responsible for ensuring that the CAT 
repository as operated by Thesys complies with Regulation SCI, 
including the establishment, maintenance and enforcement of 
written policies and procedures reasonably designed to ensure 
that the CAT system has levels of capacity, integrity, 
resiliency, availability, and security adequate to maintain its 
operational capability.

Q.14. How many people will be able to access the CAT?

    Will a background check be conducted on everyone who can 
access the CAT?

A.14. As noted above, the CAT NMS Plan requires the SROs and 
Plan Processor to have policies and procedures to ensure that 
only authorized regulatory personnel are able to access the CAT 
data for regulatory purposes, and the Commission committed to 
applying comparable standards to its own use of CAT data.
    The CAT NMS Plan requires the Plan Processor to conduct 
background checks (e.g., fingerprint-based) for all of its 
employees and contractors. Each SRO will also conduct 
background checks (including fingerprinting) of its employees 
and contractors that will use the CAT system. All Commission 
employees must have undergone a background check and 
fingerprinting prior to their joining the Commission. However, 
not all Commission employees will have access to the CAT. In 
fact, a cross-divisional steering committee of senior staff has 
been tasked with designing policies and procedures regarding 
Commission access to, use of, and protection of CAT data, and 
the major focus of these internal policies and procedures 
addresses which Commission staff will be authorized to access 
CAT data and under what circumstances.

Q.15. What, if any, steps is the SEC taking to ensure that 
information in the CAT is compartmentalized, so that a breach 
will not provide a hacker complete access to information sets? 
For example, will a hacker be able to gain access to an 
individual's full name and social security number or a firm's 
complete trading activity within a dataset?
    What, if any, other steps is the SEC taking to prevent a 
hacker from being able to reverse engineer a trading firm's 
proprietary trading strategies using the information contained 
in the CAT?

A.15. PII requires a heightened level of protection. As such, 
the CAT NMS Plan requires that PII be stored in a database that 
is physically separate from the transactional database. I 
believe appropriate compartmentalization, or separation of a 
customer's PII from the same customer's transactional data, can 
enhance security. The SEC will continue to encourage the SROs 
and the Plan Processor to explore compartmentalization 
strategies that will support critical regulatory uses of CAT 
and also minimize the risk that an unauthorized person could 
access an individual's PII or trading strategies. In addition, 
as noted above, I have asked the staff of the Commission to 
conduct such an evaluation with regards to the need for PII and 
expect that the SROs and the Plan Processor engage in a similar 
exercise.

Q.16. I'd like to inquire more about Regulation SCI.
    In response to questions for the record from Senator Tillis 
during your confirmation process you stated that `` . . . we 
should be mindful that cybersecurity risks are continuously 
evolving, and regulation in this area should take into account 
its dynamic nature, including that, in such circumstances, 
specific requirements may be appropriate but also have the risk 
of becoming outdated.'' To that end, could Regulation SCI 
create some cybersecurity risk by introducing an incentive for 
companies to focus more on complying with the regulation, 
instead of leveraging private sector resources to implement 
innovative cybersecurity techniques? If so, what steps is the 
SEC taking to mitigate this risk?

A.16. The heart of Regulation SCI is its requirement that SCI 
entities have reasonably designed policies and procedures to 
ensure that their core systems will function effectively in 
times of stress and be resistant to threats, including 
cybersecurity threats. Under Regulation SCI, the Commission 
does not mandate a specific set of standards with which an SCI 
entity must comply. In adopting Regulation SCI, the Commission 
understood that information technology and cybersecurity 
threats continue to evolve, and thus did not seek to hardcode a 
set of specific standards into the rule that could become 
outdated. Rather, the rule takes a risk-based approach and 
requires the SCI entities themselves to assess the relative 
riskiness and criticality of each of their systems and requires 
each SCI entity to develop appropriately tailored policies and 
procedures. Thus, an SCI entity can select the industry 
standards it believes to be appropriate for its policies and 
procedures and is also able to customize these policies and 
procedures for its own particular systems, so long as its 
policies and procedures remain reasonably designed in light of 
the importance of a given system. In addition, the rule 
requires SCI entities to periodically review their policies and 
procedures to ensure that they continue to be appropriate as 
technology and threats change.

Q.17. Are you considering the possibility of requiring that 
more entities comply with Regulation SCI? If so, what policy 
considerations will you take into account when evaluating this 
question?

A.17. In its adoption of Regulation SCI in 2014, the Commission 
applied the requirements of the rule to those entities it 
determined could, at that time because of their role in the 
U.S. securities markets and/or their level of trading activity, 
have the potential to pose the most significant risk in the 
event of a systems issue. Thus, Regulation SCI applies today 
to, among others, the stock and options exchanges, alternative 
trading systems (ATSs) that trade NMS and non-NMS stocks 
exceeding specified volume thresholds, FINRA, the MSRB and 
registered clearing agencies. When it adopted Regulation SCI, 
the Commission noted that a measured approach was appropriate 
for imposing the mandatory 
requirements of Regulation SCI given the potential costs of 
compliance.
    I believe that we should continue to evaluate what 
entities, because of their importance to the securities markets 
or investors, should be subject to Regulation SCI and have 
discussed this matter with the staff. The staff believes that 
extensions of Regulation SCI would need to be appropriately 
calibrated to reflect the business models and risks of 
additional entities, as well as their existing regulatory 
regimes. They believe certain aspects of the current rule may 
be inapplicable to other types of market participants, and 
there may also be different types of concerns that are not 
applicable to the current group of ``SCI entities'' and thus 
are not addressed in Regulation SCI today. Whether or not 
Regulation SCI or a Regulation SCI-type regulatory framework is 
appropriate for other types of market participants, it is clear 
that information technology and cybersecurity threats are of 
increasing importance in our securities markets today, and I 
have instructed the staff that they should continue to 
evaluate whether the current SCI framework is appropriate.

Q.18. Is there sufficient transparency over if a market center 
is complying with Regulation SCI or is required to comply with 
Regulation SCI? What policy considerations will you take into 
account when evaluating this question?

A.18. Regulation SCI applies to ``SCI entities,'' which include 
self-regulatory organizations (including national securities 
exchanges, registered clearing agencies, registered securities 
associations, and the MSRB) and ATSs that trade NMS and non-NMS 
stocks exceeding specified volume thresholds. There is no 
publicly available list of all entities subject to Regulation 
SCI, as discussed below. I have asked staff to examine this 
issue, including considering whether the Commission should 
publish a list of entities that file Form SCI with the 
Commission on a periodic basis or, alternatively, whether 
entities subject to Regulation SCI (e.g., certain ATSs) should 
be required to disclose that status on a periodic basis.
    That said, it is possible for market participants and the 
public to identify the entities that fall into nearly all of 
these categories through publicly available information. For 
example, a list of national securities exchanges and registered 
clearing agencies was included in the Regulation SCI adopting 
release, and a current list of self-regulatory organizations 
can be found on the Commission's website 
(https://www.sec.gov/rules/sro.shtml). In addition, in the Regulation SCI adopting 
release, the Commission stated that FINRA is the only 
registered national securities association, and it identified 
SIAC and Nasdaq as the plan processors subject to Regulation 
SCI. Further, the Commission noted then that only one entity 
met the definition of exempt clearing agency (Omgeo Matching 
Services-US, LLC); subsequently, two additional entities have 
become exempt clearing agencies subject to Regulation SCI 
(Bloomberg STP and SS&C Technologies).
    Unlike the entities discussed above, which are subject to 
Regulation SCI because of their regulatory status, the 
determination of whether an ATS is subject to Regulation SCI is 
based on the ATS exceeding certain volume thresholds over a 
prescribed period. Accordingly, a determination regarding 
which ATSs are SCI ATSs 
is not static, as volume levels often change over time. While 
there is no publicly available list of ATSs that are subject to 
Regulation SCI, nothing prevents an SCI ATS from publicizing 
its status as an SCI entity.

Q.19. How will the SEC ensure that any cybersecurity disclosure 
guidelines for public companies require only timely and 
material disclosure instead of that which is extraneous and 
untimely?

A.19. The Commission's disclosure rules and regulations are a 
combination of prescriptive and principles-based requirements. 
Disclosure Guidance: Topic No. 2--Cybersecurity, issued by the 
Division of Corporation Finance in 2011, advised public 
companies that, although there were no specific line item 
requirements for cybersecurity and related issues, the existing 
rules and regulations do apply to these issues if they 
represent a material risk to a company's risk profile, business 
or financial statements. As such, companies are expected to 
provide timely and material disclosure about their 
cybersecurity to investors. The guidance reminded companies 
that the decisions to disclose should be based on their own 
facts and circumstances and that disclosure should not be 
generic or boilerplate. The guidance also reiterated principles 
of materiality in U.S. Supreme Court case precedent that 
information is considered material if there is a substantial 
likelihood that a reasonable investor would consider it 
important in making an investment decision, or if the 
information would significantly alter the total mix of 
information made available.
    I have asked the Division of Corporation Finance to review 
the 2011 staff guidance and consider whether, and if so, how, 
it might be updated to provide companies with more guidance on 
their disclosure obligations.

Q.20. What standard will the SEC follow in the future to 
determine if and when to disclose a cybersecurity event at the 
SEC? Will that standard be comparable to the standards that 
companies must follow to disclose their cybersecurity events?

A.20. The scope and timing of disclosures of this type depend 
on facts and circumstances that vary from event to event and it 
is important to note that the considerations that apply to the 
Commission may be substantially different from those that apply 
to a public company. For example, unlike a public company, the 
Commission may be charged with investigating and ultimately 
filing an enforcement action against the individuals that 
attack its systems. That said, with regard to the recently 
disclosed 2016 EDGAR intrusion, which first came to my 
attention in August 2017, I specifically directed the public 
disclosure of the intrusion, as well as our ongoing efforts in 
response, once I knew enough to understand that nonpublic 
information may have been used for illicit gain and that 
competing considerations, including disclosing the existence of 
the ongoing Division of Enforcement investigation, were not of 
sufficient importance to necessitate a delay in the public 
disclosure. Should the Commission be subject to significant 
cybersecurity events in the future, I expect that we would 
conduct a similar analysis regarding public disclosure in light 
of our mission.
    I also note that the SEC will continue to report certain 
cybersecurity incidents to the Department of Homeland Security 
pursuant to the Federal Information Security Modernization Act 
of 2014 (FISMA) and the US-CERT Federal Incident Notification 
Guidelines.

Q.21. In response to my questions for the record during your 
confirmation hearing, you stated that disclosures should 
achieve ``their important investor protection objectives in an 
effective and efficient manner'' and promised to engage with 
the SEC Commissioners and SEC staff on the Disclosure 
Effectiveness Initiative. Please provide an update on your 
efforts to this end.

A.21. The Commission and the staff continue to move forward 
with the Disclosure Effectiveness Initiative and to date the 
Commission has issued six releases as part of the initiative. 
These releases include (1) a request for comment on financial 
disclosure requirements in Regulation S-X for entities other 
than the registrant, (2) a concept release on the business and 
financial disclosure requirements in Regulation S-K, (3) a 
proposal to revise property disclosure requirements and related 
guidance for mining registrants, (4) a proposal to eliminate 
redundant, overlapping, outdated or superseded disclosure 
requirements, (5) a request for comment on Regulation S-K 
disclosure requirements related to management, security holders 
and corporate governance matters and (6) a request for comment 
on bank holding company disclosures.
    The staff is currently developing recommendations to 
finalize rule amendments that would eliminate redundant, 
overlapping, outdated or superseded disclosure requirements and 
proposals to revise Regulation S-X rules related to financial 
statements for entities other than the issuer. The staff is 
also developing recommendations to update and modernize 
industry-specific disclosure requirements, such as the property 
disclosure requirements for mining companies and bank holding 
company disclosures.
    In addition, on October 11, 2017, the Commission proposed 
amendments to Regulation S-K to modernize and simplify 
disclosure requirements for public companies, investment 
advisers and investment companies. The proposal was mandated by 
the Fixing America's Surface Transportation (FAST) Act and 
would make adjustments to update, streamline or otherwise 
improve the Commission's disclosure framework.

Q.22. During your confirmation process, I asked you the 
following question for the record:

        In light of the SEC's mission to `protect investors, maintain 
        fair, orderly, and efficient markets, and facilitate capital 
        formation,' I'd like to ask you about the SEC's rulemaking 
        schedule. What factors should dictate the SEC's rulemaking 
        schedule? Does the SEC's rulemaking schedule reflect the right 
        balance between focusing on these three missions? If not, how 
        would you change it?

In response you stated that it would be premature to assess 
this question because you have not had a chance to discuss this 
issue inside the SEC. Now that you have been confirmed as 
Chair, how would you answer this question?

A.22. The Commission recently approved publication of an agenda 
of rulemaking actions pursuant to the Regulatory Flexibility 
Act that reflects my priorities. That agenda will be published 
as part of the Unified Agenda of Regulatory and Deregulatory 
Actions. As a general matter, I believe it is important that 
these publicly available agendas provide the necessary 
transparency and accountability for agency matters. If these 
plans are to meet their intended purpose, they must be written 
in a way that informs Congress, investors, issuers and other 
interested parties about what the SEC actually intends--and 
realistically expects--to accomplish over the coming year.
    I developed the current regulatory agenda consistent with 
the eight principles that I outlined in a speech before the 
Economic Club of New York on July 12, 2017, and reiterated in 
my testimony before the Committee. Among other things, the 
agenda reflects my belief that our mission must focus on the 
long-term interests of the Main Street investor, and that 
investors must have access to information about potential 
investments that is easily accessible and meaningful. At the 
same time, I believe that the Commission must recognize the 
practical costs of demonstrating compliance with its rules, and 
that rules must be designed to ensure that Main Street 
investors have access to a range of investment choices. In 
addition, we have a number of statutorily mandated items that 
we need to address, and we are considering how to advance those 
while also pursuing other initiatives that are central to the 
pursuit of our statutory mission.

Q.23. During your confirmation process, I asked you the 
following question for the record:

        Many argue that despite the JOBS Act, Reg. A+ is still 
        prohibitively costly for smaller firms. Only around 44 firms 
        qualified for Reg. A+ during its first year,\6\ compared to 
        33,429 who used Reg. D in 2014.\7\ I've been told that few if 
        any investors in my State find it worthwhile to use Reg. A+. Is 
        Reg. A+ currently workable for most smaller firms? As SEC 
        Chair, will you examine how the SEC can make Reg. A+ easier to 
        use for smaller firms, and advocate for such changes?
---------------------------------------------------------------------------
    \6\ https://www.crowdfundinsider.com/2016/07/87745-looking-regulation-one-year-later/ 
(cited by https://www.mercatus.org/system/files/peirce_reframing_ch11.pdf, p. 278).
    \7\ https://www.mercatus.org/system/files/peirce_reframing_ch11.pdf, p. 278. 
See also https://www.nextgencrowdfunding.com/static/uploads/2016/10/03/NextGenCrowdfundingRegA+WhitePaper_October62016.pdf.
---------------------------------------------------------------------------

In response you said that you ``have not yet had the 
opportunity to engage with the Commissioners and the SEC staff 
regarding Regulation A+'' but would study ``this issue, 
including the potential impacts of any potential reform 
options.'' Now that you have been confirmed as Chair, how would 
you answer this question?

A.23. Prior to the adoption of the JOBS Act amendments to 
Regulation A, offerings made pursuant to that exemption were rare 
in comparison to offerings conducted pursuant to other 
Securities Act exemptions or on a registered basis. The release 
proposing amendments to Regulation A noted that there were 19 
Regulation A offerings filed, and one Regulation A offering 
qualified, in 2011. Since effectiveness of the amendments to 
Regulation A, in the period from June 2015 through September 
2017, companies have sought to raise approximately $5 billion 
in nearly 250 offerings pursuant to Regulation A, including up 
to $3.5 billion in over 150 offerings qualified by the 
Commission. As of the end of September 2017, 69 companies have 
reported raising approximately $611 million pursuant to 
Regulation A, as amended.
    While the data suggests that the amendments to Regulation A 
have increased the utility of the exemption, we plan to assess 
the rule on an ongoing basis. For example, Commission staff 
will study and submit a report to the Commission no later than 
5 years following adoption of the Regulation A amendments on 
the impact of the amended rules on capital formation and 
investor protection. Additionally, Section 3(b)(5) of the 
Securities Act requires the Commission to review the $50 
million offering limit every 2 years. The next review is 
required to take place not later than April 2018.

Q.24. During your confirmation process, I asked you if anything 
needed ``to be done to improve the use of cost-benefit analysis 
at the SEC?'' In response you said `` . . . I believe 
retrospective review can be appropriate and important, and 
certain rules may merit re-evaluation over time,'' including 
``the prior analysis itself . . . '' You promised to 
``discuss[] this issue--what has been learned from past 
economic assessment exercises that can inform future efforts--
with the staff and my fellow Commissioners.''
    Do you intend to implement a process for regulatory 
retrospective review? If so, please detail how the regulatory 
review process will occur. If not, please explain why.

A.24. In my testimony before the Committee, I outlined eight 
guiding principles that I believe should chart the course for 
the SEC moving forward. Several of these principles focus 
specifically on our rulemaking process. For example, I 
emphasized that effective rulemaking does not end with rule 
adoption and that the costs of a rule now often include the 
cost of demonstrating compliance. These principles of effective 
rulemaking should, in my view, include retrospective reviews of 
Commission rules based on input from investors and other market 
participants about where the rules are, or are not, functioning 
as intended.
    As with economic analysis in the course of rulemaking, a 
focused post-implementation review of rules improves the 
regulatory process and helps us assess whether our rules are 
accomplishing their intended goals. The Commission has, in a 
number of recent adopting releases, directed staff to conduct 
post-implementation reviews of the impacts of new rules. For 
example, in adopting recent amendments to the securities 
transaction settlement cycle, the Commission directed staff to 
examine the impact of shortening the settlement cycle to T+2 as 
well as factors that could facilitate a move to a shorter 
settlement cycle in the future. The Commission directed staff 
to conduct similar reviews in the adopting releases for 
Regulation Crowdfunding and recent amendments to Regulation A. 
As we move forward with developing new policy recommendations, 
I have instructed staff to consider whether, as a part of 
adopting new rules, the Commission should require additional 
studies.
    In addition to these targeted areas, the Commission and its 
staff have formal and informal processes for identifying 
existing rules for review and for conducting those reviews to 
assess the rules' continued utility and effectiveness in light 
of continuing evolution in the securities markets and changes 
in the securities laws. For example, in accordance with current 
statutory requirements, we conduct 10-year retrospective rule 
reviews under the Regulatory Flexibility Act (RFA) on an annual 
basis. Along with formal 
processes, the Commission and its staff frequently receive and 
consider suggestions to review existing rules through various 
types of communications from a wide variety of constituencies. 
Likewise, the Commission and staff frequently discuss the need 
to revisit existing rules through public engagement, including 
advisory committees, roundtables, town hall meetings, speeches, 
conferences, and other meetings.

Q.25. During your confirmation process I asked you if 
``policymakers [should] be concerned about the public SIP as a 
single point of failure.'' In response you said ``I am not in a 
position to comment meaningfully on specific aspects of the 
SIP, including the types and severity of risks.''
    Now that you have been confirmed as Chair, how would you 
answer this question?

A.25. The consolidated market data provided by the SIPs is 
extremely important to the securities markets. Because of this, 
the SIPs are considered ``critical SCI systems'' under 
Regulation SCI. As a result, these systems are subject to 
heightened standards under Regulation SCI designed to ensure 
the capacity, integrity, resiliency, availability and security 
of those systems.
    Our staff has worked with the SIPs on their efforts to 
improve their systems resiliency. For example, in response to 
the Nasdaq SIP outage in 2013, the SIPs subsequently enhanced 
their disaster recovery sites and systems to establish a hot/
warm backup process. This backup process provides for a 
failover from the primary to the fully redundant backup SIP 
sites with a 10-minute or less recovery time. In addition, at 
their primary sites, the SIPs have secondary backup servers 
running in parallel to the primary servers, allowing exchanges 
immediate re-connectivity in the event of a disruption to the 
primary server that does not require failover to the disaster 
recovery site. The SIPs also established more rigorous review 
processes around technology change procedures to minimize 
technological malfunctions and errors. In addition, the SIPs 
implemented improvements to system capacity (the SIPs have 
system availability requirements of at least 99.98 percent) and 
controls around critical systems, such as managing inbound and 
outbound message traffic.

Q.26. During your confirmation process in March, I sent you a 
letter requesting that during your tenure as SEC Chairman, you 
pay attention to how to ``promote the creation and sustaining 
of new firms, including by facilitating access to forms of 
equity for smaller firms.'' This is in addition to your 
important efforts to increase the number of IPOs and improve 
the public markets. This task has become even more important in 
light of finding from the Economic Innovation Group \8\ that 
economic growth is largely clustered in the most prosperous 
areas, instead of evenly distributed across areas like the 
Great Plains and the Midwest. What's more, our economy is more 
generally facing declining startup rates.\9\
---------------------------------------------------------------------------
    \8\ See https://www.axios.com/americas-fractured-economic-well-being-2488460340.html 
and http://eig.org/dci.
    \9\ See https://www.axios.com/declining-startup-rates-2453945620.html 
and http://eig.org/dynamism.
---------------------------------------------------------------------------

   Are you concerned about the uneven geographic 
        distribution of growth, particularly relating to new 
        firms? Why or why not? Would increasing access to 
        equity and crowdfunded debt improve the geographic 
        distribution of new firms?

   Would increasing access to equity and crowdfunded 
        debt promote the creation and sustainability of new 
        firms? If so, what kind of firms would this help the 
        most?

   In what instances does data show that new and 
        smaller firms tend to rely upon access to equity or 
        crowdfunded debt instead of a generic bank loan? For 
        example, would a particular type of firm have 
        difficulty securing a traditional loan or do all firms 
        have difficulty securing loans within a particular size 
        bracket?

   What are the biggest hurdles new and smaller firms 
        have--regulatory or otherwise--in accessing equity and 
        crowdfunded debt?

   Is the SEC comprehensively reviewing how to address 
        these problems, including but not limited to potential 
        ways to improve Regulation A+, Regulation D, and 
        crowdfunding, along with any helpful new means of 
        accessing capital, such as a safe harbor for smaller 
        equity raises?

A.26. I am committed to each tenet of the SEC's three-part 
mission, including facilitating capital formation for all 
businesses across our country. I want American businesses to be 
able to raise the money they need to grow and create jobs, and 
I believe that we need to enhance the ability of every American 
to participate in investment opportunities.
    In the exempt market, we have seen that businesses are 
taking advantage of the new capital raising avenues available 
as a result of the JOBS Act. Early signs indicate that 
Regulation A may offer a potentially viable public offering on-
ramp for smaller issuers as an alternative to a traditional 
registered IPO and offer either an alternative or a complement 
to other exempt offerings. The initial evidence shows that the 
Regulation Crowdfunding exemption, effective as of May 16, 
2016, is being used primarily by small pre-revenue growth 
businesses as an initial foray into capital raising through a 
securities offering.
    Although the JOBS Act rules have been implemented, our work 
is far from done. Data shows that the geographic distribution 
of issuers using these exemptions is uneven, with some States 
accounting for a more significant presence than others. For 
example, many Regulation A offerings were made by issuers with 
a business location in California, Washington, DC, Virginia, 
Florida, or Texas. A significant number of issuers conducting 
offerings in reliance on Regulation Crowdfunding similarly were 
located in California, Texas or New York. As we continue to 
evaluate capital formation options, we are seeking to engage 
with businesses across the country, including those within the 
Great Plains and the Midwest.
    It is important for us to hear directly from businesses to 
understand what they see as the biggest hurdles and impediments 
to financing within their industry and geographic region. To 
advance this objective, we plan to hold the annual Government-
Small Business Forum in Austin, Texas in November 2017 rather 
than Washington, DC, the traditional forum location, in order 
to get input from a different region of the country. As an 
example of outreach in geographic areas where some of the newer 
exemptions have not been used as frequently, the Director of 
the Division of Corporation Finance and I recently participated 
on a panel at the Montana High Jobs Summit. The purpose of our 
participation was to explain the use of the various approaches 
to small business capital formation and to get feedback from 
market participants.
    As the exempt market continues to grow and evolve, the 
Commission and its staff continue to monitor developments, 
gather and examine data and assess the effectiveness of these 
new exemptions, taking into account feedback provided by 
businesses and investors across the country. To this end, the 
staff will be conducting a look-back review of the impact of 
Regulation Crowdfunding on capital formation and investor 
protection no later than 3 years after effectiveness of the 
rules. In addition, the Commission will review the offering 
threshold limitations in Regulation A in 2018, as mandated by 
the JOBS Act.
    We are also taking a step back and looking at the entire 
framework of exemptions. A concern that we frequently hear--and 
one that resonates with me based on my experience--is that 
there are too many exemptions and that each exemption has a 
framework that is complex and difficult to navigate without an 
experienced securities law attorney. We understand these 
concerns and are thinking about ways to rationalize the 
framework of exemptions so that there is a harmonized and 
simplified approach that makes it easier for small businesses 
to raise capital while still providing appropriate investor 
protections. In rationalizing the framework of exemptions, we 
need to think about avoiding both gaps and duplication among 
the different types of exemptions.
                                ------                                


   RESPONSE TO WRITTEN QUESTIONS OF SENATOR TILLIS FROM JAY 
                            CLAYTON

Q.1. Last time you were before the Banking Committee, we 
discussed how the SEC and our regulatory regime has made it 
less attractive for medium-sized companies, companies that are 
in their growth phase, to enter the public markets. Now that 
you have had an opportunity to view this issue from a different 
lens, can you give me specific ideas of how I can help you in 
our joint capital formation endeavors? Whether it is 
legislative suggestions or otherwise?

A.1. Capital formation is a priority for me. I am focused on 
ways to do that not only through rulemaking, but through 
identifying ways that the process can be made more efficient 
for an issuer, not only to become a public company but to 
remain a public company. Any effort that we undertake should 
take care not to reduce the amount of material information that 
investors receive. To this end, the Division of Corporation 
Finance began accepting certain draft registration statements 
for review by staff on a nonpublic basis. The Division also 
issued guidance to clarify that companies may omit from draft 
registration statements interim financial information that 
otherwise will not be required when a company files its 
registration statement.
    As for rulemaking, the Commission recently voted to propose 
rules to implement a mandate under the FAST Act. Collectively, 
the FAST Act proposals can reduce costs for issuers and make 
the process of becoming a public company more efficient. We are 
continuing our review of the disclosure system, including 
recommendations to finalize rule amendments that would 
eliminate redundant, overlapping, outdated or superseded 
disclosure requirements. In addition, the staff is developing 
recommendations for the Commission on final rule amendments to 
the ``smaller reporting company'' definition, which would 
expand the number of issuers eligible to provide scaled 
disclosures.
    As we continue to review, and identify changes that should 
be made, we will consider the resources required and will reach 
out if we need legislative assistance.

Q.2. I have asked you previously about the notion of having the 
SEC conduct a retrospective review of its existing rules and 
regulations. Can you provide me with your updated thoughts on 
formalizing a process to do this? We have a process for other 
regulators, can you provide me with your thoughts on putting a 
process in place for the SEC via a statutory requirement?

A.2. In my testimony before the Committee, I outlined eight 
principles that will guide my SEC Chairmanship. Several of 
these principles focus specifically on our rulemaking process. 
For example, I emphasized that effective rulemaking does not 
end with rule adoption and that the costs of a rule now often 
include the cost of demonstrating compliance. These principles 
of effective rulemaking should, in my view, include 
retrospective reviews of Commission rules based on input from 
investors and other market participants about where the rules 
are, or are not, functioning as intended.
    As with economic analysis in the course of rulemaking, a 
focused post-implementation review of rules improves the 
regulatory process and helps us assess whether our rules are 
accomplishing their intended goals. The Commission has, in a 
number of recent adopting releases, directed staff to conduct 
post-implementation reviews of the impacts of new rules. For 
example, in adopting recent amendments to the securities 
transaction settlement cycle, the Commission directed staff to 
examine the impact of shortening the settlement cycle to T+2 as 
well as factors that could facilitate a move to a shorter 
settlement cycle in the future. The Commission directed staff 
to conduct similar reviews in the adopting releases for 
Regulation Crowdfunding and recent amendments to Regulation A. 
As we move forward with developing new policy recommendations, 
I have instructed staff to consider whether, as a part of 
adopting new rules, the Commission should require additional 
studies.
    In this regard, the Commission and its staff currently have 
formal and informal processes for identifying existing rules 
for review and for conducting those reviews to assess the 
rules' continued utility and effectiveness in light of 
continuing evolution in the securities markets and changes in 
the securities laws and regulatory priorities. For example, in 
accordance with current 
statutory requirements, we conduct 10-year retrospective rule 
reviews. Specifically, the Regulatory Flexibility Act (RFA) 
requires the Commission to review within 10 years of 
publication each final rule that has a significant economic 
impact upon a substantial number of small entities. Since 1981, 
the Commission has reviewed not only rules that had a 
significant impact on a substantial number of small entities 
when adopted, but included other final rules that it published 
for notice and comment. The Commission's RFA reviews, 
therefore, cover a broader scope of rules than that required 
under the RFA. The RFA directs that the review of each rule 
cover: (1) the continued need for the rule; (2) the nature of 
complaints or comments received concerning the rule from the 
public; (3) the complexity of the rule; (4) the extent to which 
the rule overlaps, duplicates or conflicts with other Federal 
rules, and, to the extent feasible, with State and local 
governmental rules; and (5) the length of time since the rule 
has been evaluated or the degree to which technology, economic 
conditions or other factors have changed in the area affected 
by the rule.
    Along with formal processes, the Commission and its staff 
frequently receive and consider suggestions to review existing 
rules through various types of communications from a wide 
variety of constituencies. Likewise, the Commission and staff 
frequently discuss the current impacts of past regulation and 
consider the need to revisit existing rules through public 
engagement, including advisory committees, roundtables, town 
hall meetings, speeches, conferences and other meetings.

Q.3. We have had some dialogue regarding the European Union's 
Markets in Financial Instruments Directive II (MiFID II), and I 
appreciate your response from September 14th on this issue.
    There are increased concerns that exchanges are now 
concerned about a dark trading workaround and that equities 
underdogs will need to utilize a ``Plan B'' option to grow 
their market share post-MiFID II. This coupled with the EDGAR 
system hack--to me--are issues that squeeze medium-sized 
companies that are making the decision to not enter the public 
markets. Can you provide me with your thoughts on this?

A.3. The ``dark trading workaround'' refers to a concern raised 
by some EU exchanges (or U.S. corporations that own EU 
exchanges) that MiFID II may create an uneven playing field 
between EU exchanges and other EU multilateral trading venues, 
on the one hand, and EU systematic internalisers (SIs) (a 
category of EU investment firms created under MiFID I and 
modified under MiFID II), on the other hand. Some EU trading 
venues have argued that MiFID II may provide SIs with several 
advantages, including not counting SI transactions toward the 
EU MiFIR dark trading limits, not requiring SIs to publish the 
size associated with their quotations and the ability to quote 
in smaller tick sizes than other EU trading venues. Some EU 
trading venues argue that each of these could provide 
incentives to trade with SIs.

Q.4. If I am a company concerned about analyst coverage and 
price volatility, it seems like a simple decision to not enter 
the public markets. As coverage falls, liquidity falls, 
volatility goes up, and valuation ratios go down. A McKinsey 
study said that banks would spend $1.2 BB less on mass-
producing research and tailor more of it to specific audiences.
    During the recent response that I received from you on 
MiFID II, you suggested that you share my goal of reaching a 
resolution on this issue to minimize disruptions and that you 
are prioritizing cooperation with our European counterparts to 
reach a solution that avoids a disorderly transition.
    Do you plan to waive the rules to allow brokers to receive 
direct payments for research from investors who are subject to 
MiFID II? If so, do you view this as a short-term or long-term 
solution? Can you elaborate on what efforts are underway at the 
SEC to address this issue? Do you have a timeframe for making a 
decision?

A.4. On October 26, 2017, staff in the Division of Investment 
Management issued a letter stating that they would not 
recommend enforcement action under the Investment Advisers Act 
of 1940 against a broker-dealer that provides investment 
advisory research services to an investment manager that is 
required under MiFID II to pay separately for such research 
services. In the letter, the staff indicated that this relief 
would last for 30 months from the implementation of MiFID II. 
This temporary period is intended to provide the staff with 
sufficient time to better understand the evolution of business 
practices after the implementation of MiFID II and take 
appropriate action, if necessary, in the future.

Q.5. What are the economic consequences of U.S. brokers 
following EU standards? How does MiFID II and the potential 
importation of EU rules mesh with broader administrative policy 
of not importing foreign standards? I understand this is a 
delicate issue, but it seems to me that we should be focused on 
impressing upon the EU regulators the potential negative 
consequences of this rule on the United States; moreover, I 
think that we should be concerned with how this rule may impact 
the ability of smaller issuers to attract research and how this 
may impact their ability to grow and succeed in the public 
markets. I understand that the SEC is engaged with the relevant 
EU regulators regarding the unintended consequences of the 
MiFID II directive, but can you elaborate on these 
conversations and whether there will be joint relief, relief 
from the United States, relief from the European Union, or 
otherwise?

A.5. SEC staff has been actively engaged in various forms of 
outreach with key stakeholders, including industry groups and 
individual market participants, to better understand the 
potential economic impacts of MiFID II on current U.S. business 
models. I 
share your views on the importance of U.S. issuers' ability to 
attract research, especially smaller and mid-cap companies. 
MiFID II presents unique challenges to U.S. broker-dealers. SEC 
staff no-action relief addresses potential issues raised by the 
industry regarding the negative impact that MiFID II could have 
on these market participants, among others.
    SEC staff has discussed with our European counterparts the 
impact of MiFID II's research provisions on the U.S.-EU cross-
border research market, the U.S. regulatory framework for 
research payments and affected U.S. market participants' 
ability to comply with the U.S. securities laws. The EC has 
issued FAQs related to the application of MiFID II's research 
provisions to non-EU firms, which are an important adjunct to 
the Commission's efforts to provide effective relief. SEC staff 
will continue to engage with industry stakeholders and our 
European counterparts as MiFID II comes into effect and its 
impacts may be better understood.

Q.6. MiFID II is another example of the conflicts we see with 
many rules that either have joint regulators or when an 
international regulator issues a directive without studying the 
unintended consequences of its impact to other jurisdictions. 
Is this something you will be working on at the SEC to help 
harmonize rulemakings where you hold jurisdiction?

A.6. The SEC staff regularly communicates with foreign 
counterparts, including those in the European Union, regarding 
developments that could potentially impact U.S. issuers, market 
intermediaries and other market participants. SEC staff has 
ongoing bilateral dialogues with key regulatory counterparts 
that can serve as mechanisms for identifying and discussing 
common issues of regulatory concern, as well as current 
regulatory reform efforts and their impact. With respect to the 
European Union, the SEC's partners in these bilateral dialogues 
include the EC and ESMA. In addition, SEC staff communicates 
frequently with the FCA and markets regulators in Europe and 
elsewhere. For example, the SEC participates in the Joint U.S.-
EU Financial Regulatory Forum led by the U.S. Treasury. This 
forum seeks to enable regulatory cooperation as early as 
practicable in our respective lawmaking and rulemaking 
processes, with the general operational objective to improve 
transparency, reduce uncertainty, identify potential cross-
border implementation issues, work toward avoiding regulatory 
arbitrage and toward compatibility, as appropriate, of each 
other's standards and, when relevant, promote domestic 
implementation consistent with international standards.

Q.7. It appears as if the larger European asset managers will 
be paying for research out of P&L, and others may follow suit 
for competitive reasons. This could overflow to the United 
States. As such, whatever action the SEC takes will need to 
account for paying for research out of P&L. How is the SEC 
prepared to address this and how is the SEC prepared to deal 
with the notion that U.S. asset managers may feel as if they 
need to emulate the European Union asset managers for 
competitiveness reasons?

A.7. In the letter mentioned above, staff in the Division of 
Investment Management provided relief where an investment 
manager subject to MiFID II is required to make separate 
payments for investment advisory research services. This relief 
would apply where an investment manager subject to MiFID II 
pays for such research out of its own money, a separate 
research payment account or some combination of the two. As the 
staff stated in the letter, their intent was to address 
concerns that have arisen in light of the adoption of MiFID II 
while preserving choice in maintaining the Commission's long-
standing approach to access to research. At the same time, in 
considering approaches to address these various concerns, the 
staff was mindful of the possibility that inaction could lead 
to a disruption in the availability of important research. The 
staff therefore sought to preserve the status quo in the U.S. 
market while any market changes resulting from MiFID II take 
shape. That said, I am also aware that certain U.S. investment 
managers are dissatisfied with the status quo, in that some 
broker-dealers may refuse to accept hard dollar payments from 
investment managers in exchange for research despite that the 
U.S. investment manager might prefer to make a hard dollar 
payment rather than using order flow.
    Because this is an important, complex and evolving issue, 
in the press release accompanying the letter, the staff 
requested comment to assist in better understanding the 
evolution of business practices after the implementation of 
MiFID II in order to take appropriate action, if necessary, in 
the future.

Q.8. You have previously suggested that we need to look for 
ways to regulate a dynamic and evolving set of risks when it 
comes to cybersecurity. What options are you now considering 
with your staff and fellow Commissioners?
    What is the SEC doing now to promote IT modernization? What 
new regulations do you foresee promulgating?

A.8. Over the past several fiscal years, the Office of 
Information Technology has been leading an effort to modernize 
the SEC's technological infrastructure. Among other things, the 
SEC is developing a comprehensive IT Modernization Plan to:

  1) Prioritize the modernization of high-risk high value 
        assets with an emphasis on the enhancement of security 
        and privacy controls;

  2) Expedite the retirement of legacy systems;

  3) Seek to leverage enterprise-wide acquisition vehicles to 
        gain cost efficiency and effectiveness; and

  4) Improve user experience and increase user interface 
        capabilities.

    The Commission's IT modernization efforts closely adhere to 
several OMB mandates and Federal frameworks, including OMB 
Circular A-130, Managing Information as a Strategic Resource, 
the Federal Information Security Management Act of 2002 and the 
Federal IT Acquisition Reform Act. The Commission's efforts 
also leverage the guidance and recommendations outlined in the 
2017 Draft Report to the President on Federal IT Modernization.
    Promoting effective cybersecurity practices by market 
participants is critical to all three elements of the SEC's 
mission. The Commission incorporates cybersecurity 
considerations in its disclosure and supervisory programs, 
including in the context of the Commission's review of public 
company disclosures, its oversight of critical market 
technology infrastructure and its oversight of other regulated 
entities, including broker-dealers, investment advisers and 
investment companies.
    Despite the attention given to widely publicized cyber-
related incidents experienced by the Commission and others, I 
still am not confident that the Main Street investor has 
received a sufficient package of information from issuers, 
intermediaries and other
market participants to understand the substantial risks 
resulting from cybersecurity and related issues. As a general 
matter, it is critical that investors be informed about the 
threats that issuers and other market participants face.
    To be sure, we are continuing to examine whether public 
companies are taking appropriate action to inform investors, 
including after a breach has occurred, and we will investigate 
issuers that mislead investors about material cybersecurity 
risks or data breaches. As is noted in my July speech and on 
various other occasions, I would like to see more and better 
disclosure in this area.
    Cybersecurity must be more than a firm-by-firm or agency-
by-agency effort. Active and open communication between and 
among regulators and the private sector also is critical to 
ensuring the Nation's financial system is robust and 
effectively protected. Information sharing and coordination are 
essential for regulators to anticipate potential cyber threats 
and respond to a major cyberattack, should one arise. The SEC 
is therefore working closely with fellow financial regulators 
to improve our ability to receive critical information and 
alerts, react to cyber threats and harmonize regulatory 
approaches.

Q.9. Can you talk a little about the cyber risks and threats 
within the context of equity market structure? What are we 
missing with regard to the current structure of Reg. NMS? Just 
a few years ago, there was a trading outage at an exchange and 
there were subsequent reforms that were announced, and I know 
that Regulation SCI is on the books. I suppose the question 
today is, what are you doing to ensure that Regulation NMS 
accounts for the dynamic risks that are posed today, and what 
do we need to do better from an infrastructure and resiliency 
standpoint to ensure that our public markets are as secure as 
possible and are the least vulnerable as possible to a cyber-
attack? Also, from a market data perspective, as you know there 
are public and private market data feeds--do you view one of 
those as being more vulnerable than the other from a cyber-
attack perspective?

A.9. The infrastructure underpinning the securities markets has 
become increasingly reliant on technology and subject to ever-
changing operational risks and cyber threats. To help address 
this, the SEC adopted Regulation SCI in 2014 to strengthen the 
technology infrastructure of the U.S. securities markets by 
imposing
requirements on key market participants intended to reduce the 
occurrence of systems issues, improve resiliency when systems 
problems do occur, and enhance the SEC's oversight and 
enforcement in these areas. Regulation SCI applies to ``SCI 
entities,'' which include stock and options exchanges, FINRA, 
the MSRB, significant alternative trading systems, the clearing 
agencies, and the systems that generate consolidated market 
data.
    Regulation SCI addresses information technology operational 
risks broadly, and includes a focus on the cybersecurity risks 
of SCI entities. Among other things, Regulation SCI requires 
SCI entities to establish, maintain and enforce policies and 
procedures reasonably designed to ensure that their core 
systems are sufficiently secure to maintain operational 
capability. If the SCI entity maintains any other systems that, 
if breached, would be reasonably likely to pose a security 
threat to its SCI systems, then those other systems are subject 
to the same security standards as SCI systems. Although 
Regulation SCI does not mandate that specific security 
standards be followed, the industry standards referenced in 
staff guidance, such as those issued by NIST, cover many areas, 
including cyber risk governance and risk management.
    Regulation SCI also requires SCI entities to immediately 
notify the Commission, and provide specified updates, upon any 
responsible SCI personnel having a reasonable basis to conclude 
that a systems intrusion has occurred. Affected market 
participants generally are to be notified as well. In addition, 
SCI entities must (1) have policies and procedures for regular 
reviews and testing of core systems to identify, among other 
things, vulnerabilities posed by internal or external threats, 
(2) periodically review the effectiveness of the policies and 
procedures and take prompt action to remedy any deficiencies, 
(3) conduct annual objective reviews for compliance with 
Regulation SCI and (4) conduct penetration testing at least 
every 3 years.
    In adopting Regulation SCI, the Commission focused on the 
most critical market infrastructure in the securities markets. 
However, the Commission and its staff continue to evaluate the 
risks posed by the technology of other market participants and 
how the markets may be made even more resilient against IT and 
cybersecurity risks.
    With respect to market data, because of its importance to 
the securities markets, market data systems of SCI entities are 
subject to Regulation SCI's requirements. This includes both 
the consolidated market data feeds, as well as proprietary 
market data feeds provided by exchanges. Given the critical 
nature of the consolidated market data feeds, those systems are 
included in the definition of ``critical SCI systems'' and are 
held to the highest standards.

Q.10. Is the SEC looking to leverage artificial intelligence 
technology to help fight financial fraud?

A.10. Machine Learning methods are being applied by the 
Commission in various areas. Topic modeling and cluster 
analysis techniques are producing groups of ``like'' documents 
and disclosures that identify both common and outlier behaviors 
among market participants. These analyses are able to more 
quickly identify latent trends in large amounts of unstructured 
financial information that may warrant further scrutiny by 
Enforcement staff. Quantitative staff in the SEC's Division of 
Economic and Risk Analysis leverage knowledge from these 
collaborations to train ``supervised'' Machine Learning 
algorithms. From a fraud detection perspective, these 
successive algorithms can be applied to new data as it is 
generated, for example from new SEC filings. When new data 
arrives, the trained ``machine'' will predict the current 
likelihood of possible fraud based on what it learned 
constituted possible fraud from past data.
    The SEC's Enforcement Division also utilizes analytical 
tools and data to proactively identify potential misconduct and 
streamline investigations. For example, the Enforcement 
Division's Market Abuse Unit has an Analysis & Detection Center 
(A&D Center), which is staffed by 10 specialists who have 
industry experience in areas such as manual and algorithmic 
trading, trading operations, data analytics and market 
structure. A key tool for the A&D Center is a database of 
historical trading data, so called ``Bluesheet'' data, which is 
trading data that SEC staff request from broker-dealers during 
their investigations. The A&D Center uses a system called 
Advanced Relational Trading Enforcement Metric Investigation 
System, or ``ARTEMIS,'' to analyze this trade data. ARTEMIS 
combines the historical bluesheet data with other data sources, 
such as historical prices and information about different types 
of market moving events. Based on conduct identified through 
ARTEMIS, the Commission has been able to pursue complex insider 
trading and market manipulation schemes; since September 2014, 
the Commission has brought 17 cases using these types of tools.
    The SEC's National Examination Program also has been 
developing and deploying a variety of analytics over the last 
several years, including those that use artificial intelligence 
technology. Many of these projects are still in their initial 
phases, but they complement the ongoing analytical work in the 
examination program. Specifically, staff has evaluated and 
created various risk models based on Machine Learning and 
predictive analytics. The analytical tools being developed and 
deployed enhance the identification of registrants and areas of 
focus for risk-based examinations by maximizing the use of data 
and information available to the Commission. In addition, staff 
has developed a trade data analytic tool called the National 
Exam Analytics Tool, which allows examiners to leverage 
statistical analytics to identify outlier and anomalous trading 
events. Staff has also created applications that leverage 
dashboard technology sitting atop various risk models, 
including predictive models, to help staff analyze and select 
examination targets.

Q.11. How has the SEC been monitoring the early stage use of 
block chain or distributed ledger technology in capital 
markets? Does the SEC feel that this technology represents the 
future of capital markets infrastructure and if so, how will 
the SEC be updating its policies? For example, in a block chain 
environment, entities in foreign jurisdictions may maintain 
copies of the ledger and may verify transactions occurring 
between U.S. counterparties--how will the SEC maintain 
regulatory oversight in these types of scenarios?

A.11. The Commission's staff has been monitoring the use of 
blockchain or distributed ledger technology (DLT) in the 
capital markets in a number of ways:

  1) Distributed Ledger Technology Working Group: In late 
        2013, the Commission established the DLT Working Group, 
        which is tasked with building expertise in DLT, 
        identifying emerging risk areas and coordinating 
        efforts among the SEC's divisions and offices. DLT 
        Working Group members from all areas of the Commission 
        also assist in coordinating with Federal, State, local 
        and international law enforcement and regulatory 
        partners and liaising with industry participants.

  2) SEC FinTech Forum: The SEC hosted a forum to discuss 
        innovation in the financial services industry in 
        November 2016, at SEC headquarters in Washington, DC. 
        Forum panels discussed issues such as blockchain 
        technology, automated
        investment advice or robo-advisers, online marketplace 
        lending and crowdfunding and how they may impact 
        investors.

  3) Investor Advisory Committee: On October 12, 2017, the 
        Commission's Investor Advisory Committee met to 
        discuss, among other things, blockchain and other 
        distributed ledger technology and implications for 
        securities markets.

  4) SEC Staff Participation in Third-Party Forums: Members of 
        the DLT Working Group regularly participate in various 
        forums hosted and attended by entrepreneurs, attorneys, 
        academics, other professionals and interested parties.

  5) Dedicated Email Address for Related Inquiries: In 
        connection with our July 2017 Report relating to The 
        DAO, we established a new email address--
        [email protected]--and directed interested parties to 
        send their questions concerning the use of DLT and 
        other FinTech developments in the securities industry 
        to that address. SEC staff members have been dedicated 
        to monitoring that email box and responding to 
        inquiries.

  6) Recent Creation of Cyber Unit in the Division of 
        Enforcement: In September 2017, we created a Cyber Unit 
        within the Division of Enforcement that will focus 
        Enforcement's substantial cyber-related expertise on 
        targeting cyber-related misconduct, including 
        violations involving distributed ledger technology and 
        initial coin offerings.

  7) Tips, Complaints, and Referrals: The Commission welcomes 
        the public to raise concerns about any aspect of the 
        capital markets through our Tips, Complaints, and 
        Referrals Portal, available through SEC.gov and 
        Investor.gov.

Technological innovations in the financial industry have the 
potential to transform how the securities industry operates--
promising new ways to place, clear and settle trades and novel 
means to issue securities, raise capital and advise investor 
clients. It is too early to assess the impact recent 
technological advancements, such as DLT, will have on our 
capital markets, but we have observed that existing players are 
embracing the technology to deliver services to investors and 
the markets.
    For example, the Division of Corporation Finance declared 
effective a shelf registration statement covering the issuance 
of equity and debt that may be offered as traditional 
securities, digital securities or both. In December 2016, the 
company sold both traditional and digital securities through a 
rights offering to existing security holders. The following 
characteristics distinguished the digital securities from the 
traditional securities included in the offering:

  1) The digital securities are traded on an ATS.

  2) The digital securities have a shorter settlement period 
        than traditional securities.

  3) The digital securities will be held directly by security 
        holders as record holder in a digital wallet held at a 
        broker-dealer authorized to provide investors with 
        access to the digital securities, while traditional 
        securities are typically held in ``street name.''

    Right now, our policy has not changed. As in the past, we 
will apply existing laws to the use of new technologies in the 
securities industry. We believe we have the authority, 
flexibility and resources to do so in a manner that strikes the 
appropriate balance between encouraging innovation and 
protecting investors.
    For example, in our July 2017 report on The DAO, we 
explained that existing laws govern the offer and sale of 
securities regardless of their form. The test for what is a 
``security'' is flexible and will depend on the facts and 
circumstances, including the economic realities of the 
transaction. The DAO Report demonstrates that even an 
instrument that operates on distributed ledger technology can 
meet the definition of security. Where purchasers invest money 
in a common enterprise with a reasonable expectation of profits 
to be derived from the entrepreneurial or managerial efforts of 
others, then our jurisdiction is invoked. Where appropriate, we 
will file enforcement actions against those who violate the 
Federal securities laws. Our message in the Report was clear: 
those that offer and sell securities in the United States and 
those who facilitate their resale will be subject to the 
Federal securities laws.
    Of course, where policy changes or revision of rules are 
appropriate and necessary to fulfill our mission, we will take 
that course of action.
    In the case of investigating and prosecuting violations 
involving conduct or persons outside the United States, we 
regularly seek the cooperation of foreign jurisdictions with 
whom we have Memoranda of Understanding and other agreements, 
overseen by our Office of International Affairs.
                                ------                                


  RESPONSE TO WRITTEN QUESTIONS OF SENATOR HEITKAMP FROM JAY 
                            CLAYTON

Q.1. The Financial Accounting Standards Board (FASB) issued the 
final current expected credit loss (CECL) standard in June 
2016. The FASB's new credit loss model comes in response to the 
financial crisis and was intended to protect banks, their 
customers and investors against a future downturn. The CECL 
model makes fundamental changes to accounting standards and its 
adoption could have a variety of impacts on financial 
institutions.
    Given the substantial change to long-standing accounting 
rules and the potential consequential impact that the 
accounting standards will have on how banks make credit 
decisions--from the
duration of loans, to the pro-cyclical effects on banks during 
a downturn, to the cost of credit to borrowers--should the SEC 
engage in its own review of this FASB rule?

A.1. The FASB is an independent standard setter focused on 
developing accounting standards for financial reporting that 
provides
investors with the information they need to make informed 
investment decisions. When setting standards, the FASB states 
that it weighs whether the expected improvement in the quality 
of the information provided to users justifies the cost of 
preparing and providing that information. Better information in 
turn could change what capital allocation decisions should be 
made or what actions should be taken by management, but the 
FASB does not seek to influence the outcome of those decisions. 
I believe that it is entirely appropriate for the FASB to focus 
on the quality of the information provided to investors to 
ensure continued investor confidence in the accuracy and 
quality of reported information, which is critical to capital 
formation.
    The FASB's project that led to the issuance of CECL has its 
origins in the financial crisis, where some market participants 
believed the existing ``incurred loss'' model resulted in the 
untimely and delayed recognition of credit losses, and 
ultimately, lower levels of loan loss reserves than otherwise 
may have been anticipated. Accordingly, the FASB's stated 
objective for issuing CECL was to provide users of financial 
statements with ``more decision-useful information about the 
credit risk inherent in financial assets and the change in 
expected credit losses occurring during the period.'' As 
opposed to the ``incurred loss'' model, the CECL approach is 
intended to more closely align an entity's financial reporting 
with management's estimate of expected credit losses which, 
even today, are informed by and incorporated into the entity's 
underwriting, servicing and collateral management practices. In 
other words, it is intended to provide investors with reporting 
that is more closely aligned with managements' assessment of 
the issuer's financial condition.
    Achieving consensus on the financial reporting standard for 
credit losses was a substantial undertaking. The FASB's 
extensive outreach activities prior to finalizing the standard 
included meeting with over 200 users of financial statements 
and holding more than 85 meetings and workshops with preparers, 
including field work at 25 company locations to get direct 
input. Feedback provided to the FASB during the standard 
setting process included, among other things, concerns with how 
the new standard will impact loan duration, cost of credit to 
borrowers and the potential pro-cyclical effects on banks. It 
is my understanding that the FASB considered all feedback 
received and included amendments in the final standard to 
address many of the concerns raised by stakeholders.
    The Commission staff has actively monitored the standard 
setting process and continues to monitor implementation 
activities undertaken by stakeholders and the FASB. In 
particular, staff has actively monitored the FASB's Transition 
Resource Group for Credit Losses (TRG), whose members include 
financial statement preparers (including community banks and 
credit unions), auditors, users and financial services 
regulators, and has encouraged banks to bring questions about 
the accounting standard before the TRG for discussion. In 
short, the staff has been and will continue to
assess whether CECL is having its intended effect of aligning 
reporting with management's analysis and whether there are any 
unintended negative consequences, including those discussed in 
the next question.

Q.2. Has the SEC engaged in discussions with the Federal 
Reserve about the potential impacts that the new CECL standards 
will have on the Comprehensive Capital and Review (CCAR) 
process?

A.2. While the FASB establishes accounting standards for the 
benefit of investors, prudential regulators also use the 
information generated by financial reporting for their own 
regulatory purposes, including in setting capital standards for 
financial institutions. There is a long history of engagement 
between the SEC and the prudential regulators on accounting 
issues, particularly in areas where the needs of investors and 
the supervisory needs of the prudential regulators have 
diverged to some extent.
    The SEC staff has been engaged in ongoing discussions with 
the banking regulators regarding the potential effects of the 
new CECL standard. We are aware that the regulatory capital 
requirements are currently being analyzed by the appropriate 
banking regulators and other supervisory bodies in connection 
with the changing accounting standards. For example, the Basel 
Committee on Banking Supervision, which provides a forum for 
regulator cooperation on banking supervisory matters, recently 
issued transition guidance with respect to the impact of 
accounting changes on regulatory capital. The Basel Committee 
has indicated that it will monitor the effect of the new 
standard's impact on capital, including a quantitative impact 
assessment.
    Additionally, the U.S. Treasury has recommended that the 
potential impact of the new standard on banks' capital levels 
be carefully reviewed by U.S. prudential regulators with a view 
toward harmonizing the application of the standard with 
regulators' supervisory efforts.\1\ Finally, the Commission's 
Chief Accountant has expressed his encouragement and support 
for this review to ensure regulatory requirements are updated, 
if necessary, to account for the impact of any change resulting 
from the new standard.\2\
---------------------------------------------------------------------------
    \1\ See U.S. Department of Treasury, A Financial System that 
Creates Economic Opportunities--Banking and Credit Unions (June 2017), 
available at https://www.treasury.gov/press-center/press-releases/Documents/A%20Financial%20System.pdf.
    \2\ Wesley R. Bricker, Chief Accountant, U.S. Securities and 
Exchange Commission, Remarks Before the AICPA National Conference on 
Banks & Savings Institutions: Advancing High-Quality Financial 
Reporting in Our Financial and Capital Markets (Sept. 11, 2017), 
available at https://www.sec.gov/news/speech/speech-bricker-2017-09-
011.
---------------------------------------------------------------------------
    I believe that these reviews are entirely appropriate and 
necessary--when an accounting standard is changed in a way that 
provides investors with better information, but that gives rise 
to unwarranted results under bank capital rules, it may be 
necessary to modify other rules (e.g., the bank capital rules) 
to eliminate that unwarranted result. SEC staff will continue 
to engage with the prudential regulators on this issue and 
provide any assistance they require as they undertake their 
process for reviewing their standards.

Q.3. Are you concerned that the CECL standards could create 
incentives to keep banks from lending in an economic downturn 
(an impact that could be amplified by stress testing 
requirements) and slow a recovery?

A.3. While financial institutions are still evaluating the 
effect of the new standard, some have indicated that the new 
requirement to immediately recognize expected losses, instead 
of deferring losses until ``incurred'' (as under the existing 
standard), could adversely impact an entity's ability to lend 
in an economic downturn or slow an economic recovery. I am 
concerned by these issues. But I would also be concerned if 
financial reporting standards were not providing investors with 
relevant, reliable and timely information about a financial 
institution's credit risk and its change in expected credit 
losses.
    Many of the concerns expressed by banks appear to me to be 
the result of the interaction of the new CECL standard with 
existing regulatory capital requirements. I support the ongoing 
efforts by the appropriate banking regulators and other 
supervisory bodies to analyze the regulatory capital 
requirements in connection with the changing accounting 
standards.
                                ------                                


RESPONSE TO WRITTEN QUESTIONS OF SENATOR CORTEZ MASTO FROM JAY 
                            CLAYTON

Q.1. Can you elaborate on the changes made to the Securities 
and Exchange Commission's (SEC) delegated subpoena power that 
you described during the question and answer period of your 
testimony?

A.1. The Federal securities laws authorize the Commission, or 
any officer designated by the Commission, to issue subpoenas 
requiring a witness to provide documents and testimony under 
oath. The Commission itself has the power to designate members 
of the staff to act as officers of the Commission in an 
investigation by issuing a Formal Order of Investigation 
(formal order). The formal order serves two important 
functions. First, it directs that a nonpublic investigation be 
conducted, and second, it designates specific staff members to 
act as officers for purposes of the investigation and empowers 
them to administer oaths and affirmations, subpoena witnesses, 
compel their attendance, take evidence and require the 
production of documents and other materials. Once a formal 
order issues, staff in the Enforcement Division who are named 
as officers in the formal order can issue subpoenas for 
documents and testimony.
    In the wake of the financial crisis, the Commission, by 
rule, delegated the authority to issue formal orders to the 
Director of the Enforcement Division. This authority was then 
sub-delegated by the Chairman of the Commission to additional 
senior officers in the Enforcement Division. This sub-
delegation to the Division's senior officers was removed before 
I joined the Commission, but the Commission's rule delegating 
authority to the Enforcement Division's Co-Directors remains in 
place.
    I have discussed the delegation of formal order authority 
with the Co-Directors of the Enforcement Division, and I am 
comfortable that there are benefits to having that authority 
resting with the two of them, including that it enables them to 
more efficiently and effectively manage the nationwide 
Enforcement program. I do not believe that limiting the 
authority to the Enforcement Division Co-Directors has 
negatively affected the Commission's ability to protect 
investors and deter misconduct. Rather, following consultation 
with the Co-Directors, I believe at this time that the current 
scope of delegation enhances investor protection as it provides 
for a more effective allocation of limited resources by the 
leadership of the Enforcement Division.

Q.2. Please describe what specific steps you have taken during 
your tenure, or that you intend to take, to increase individual
accountability for wrongdoers at offending firms subject to 
enforcement actions from the SEC.

A.2. As I stated at my confirmation hearing, I strongly believe 
in the deterrent effect of enforcement proceedings that include 
individual accountability. I firmly believe that individual 
accountability drives behavior more than corporate 
accountability. Bad actors undermine the hard-earned confidence 
that is essential to the efficient operation of our capital 
markets and there is zero room for them in our capital markets.
    The Commission considers individual liability in every 
case; it is a core principle of our enforcement program and 
holding individuals accountable for wrongdoing is a priority 
for me. To date, the Commission's publicly announced 
enforcement actions and investigations have borne out the 
premium I place on individual accountability. As Chairman, I 
will continue to support the Enforcement Division's efforts to 
hold individuals accountable when it is appropriate to do so 
under the facts and the law. In this regard, it is important to 
note that, while no two matters involving individuals and 
corporations are the same, on balance and across a large sample 
of matters, pursuing a greater number of individuals may 
require more resources (including time) and may lead to lower 
aggregate fines and collections as individuals generally have 
fewer resources than corporations. However, I believe the 
beneficial effects--most significantly deterrence and removal 
of bad actors--weigh in favor of pursuing individual 
accountability where the facts warrant.

Q.3. I am deeply concerned about the cyber breach of the SEC's 
EDGAR system, and the hacking of sensitive, nonpublic and 
market-moving corporate information. But in addition to the 
EDGAR breach, I'm concerned about potential other 
vulnerabilities at the SEC. For example, the SEC has a ``Tips, 
Complaints and Referrals'' public-facing portal, where 
potential whistleblowers may go to report illegal behavior. If 
this data was compromised, it could serve as a roadmap of 
potential sensitive investigations of SEC-regulated entities, 
and could expose confidential whistleblowers to serious harm 
and retaliation. How confident are you that the SEC's 
whistleblower portal is secure? And do you need further 
resources from Congress or support from the Administration to 
ensure that this repository of sensitive information is 
protected?

A.3. The Tips, Complaints and Referrals (TCR) system is an
integral element of the SEC's whistleblower program. The 
whistleblower program alerts the SEC to possible fraud and 
other violations earlier than might otherwise be possible and 
helps to minimize harm to investors. To better protect 
whistleblower data, several security improvements were applied 
to the TCR system in 
fiscal year 2017, and the staff continues to evaluate the 
safety and soundness of the security protocols surrounding the 
system. The staff believes the improvements made in fiscal year 
2017, together with other improvements that the SEC expects to 
implement, will augment and improve the security of the TCR 
system. As I said in my confirmation hearing and in my written 
testimony before the Committee and the House Financial Services 
Committee, cybersecurity is an area that is vitally important 
to the SEC, our markets and me personally, and I commit to 
studying and evaluating whether additional support or resources 
are needed from Congress or the Administration.

Q.4. In the statement you released on September 20th regarding 
cybersecurity, you noted that the SEC was, ``in the process of 
implementing the National Institute of Standards and Technology 
Framework for Improving Critical Infrastructure 
Cybersecurity.''\1\ These standards are meant to provide ``best 
practices'' for the roles and responsibilities of agency 
officials in carrying out the SEC's information security 
objectives, including training efforts. Please describe why the 
Commission is still ``in the process'' of implementing the NIST 
Framework. This is particularly pressing since this framework 
was first proposed in February 2014, meaning the SEC has had 
three and a half years to implement it. When is your timeline 
for completing implementation? Can you speak to whether, if the 
SEC had fully implemented this framework by 2016, could the 
EDGAR hack have been prevented?
---------------------------------------------------------------------------
    \1\ https://www.sec.gov/news/public-statement/statement-clayton-2017-09-20.

A.4. All Federal agencies, including the SEC, have been 
required to follow the NIST Risk Management Framework (RMF), a 
framework to improve information security and strengthen risk 
management processes.\2\ The NIST Cybersecurity Framework (CSF) 
was created in 2014 as a voluntary framework of industry 
standards and best practices to help private sector 
organizations manage cybersecurity risk. On May 11, 2017, the 
President issued Executive Order 13800 (Strengthening the 
Cybersecurity of Federal Networks and Critical Infrastructure) 
that, for the first time, required implementation of the CSF 
for all Executive departments and agencies.\3\ Because the CSF 
introduces entirely new cybersecurity nomenclatures, outcomes 
and metrics for organizations, successful implementation is a 
significant undertaking that entails top-to-bottom review and 
redesign of all aspects of an agency's cybersecurity program 
and significant staff training to educate staff on the new 
framework. Implementation also necessitates that agencies first 
understand how best to leverage the RMF alongside the newer 
CSF, which has key differences.
---------------------------------------------------------------------------
    \2\ https://csrc.nist.gov/projects/risk-management/risk-management-framework-(rmf)-overview.
    \3\ https://www.whitehouse.gov/the-press-office/2017/05/11/Presidential-executive-order-strengthening-cybersecurity-federal.
---------------------------------------------------------------------------
    The SEC began work to implement the CSF shortly after the 
May 2017 Executive Order. We have submitted an implementation 
plan to the Department of Homeland Security, and its successful 
implementation is a priority. I support adoption of the CSF 
because I believe that it will provide both technical and 
nontechnical personnel with a heightened understanding of the 
risk and vulnerabilities associated with agency systems, which 
is vital to ensure security protections are implemented 
commensurate with risk. It is important to note that I have 
also initiated a general assessment and uplift of our 
cybersecurity risk profile, including the identification and 
review of all systems that hold market sensitive data or 
personally identifiable information. It is my aim and 
expectation that this exercise will provide valuable context in 
the SEC's continued efforts to implement the CSF.

Q.5. Chair Clayton, at your confirmation hearing, I asked you 
for your thoughts on financial companies' use of mandatory pre-
dispute arbitration clauses--or what's commonly known as 
``forced arbitration clauses,'' which prohibit consumers and 
investors from banding together in court and force them to ``go 
it alone'' in a system tilted to the benefit of large 
corporations. Your response to my question at your confirmation 
hearing, and to my questions for the record, indicated that you 
needed to learn more about this issue and consult with SEC 
staff before offering an opinion. Now that you've had 4 months 
on the job, are you willing to commit to have the SEC staff 
study the use of forced arbitration clauses by companies within 
the SEC's jurisdiction?

A.5. The prospect of prohibiting, limiting, or conditioning the 
use of mandatory pre-dispute arbitration agreements raises a 
number of complex issues, including potential effects on: (1) 
retail investor choice; (2) forum access; (3) finality and 
appellate rights; (4) development of legal precedent; (5) time 
to resolution and cost of resolution; and (6) identification 
and removal of wrongdoers. To help better understand the 
concerns surrounding mandatory pre-dispute arbitration 
agreements, the Commission has solicited public comment about 
the ability of retail customers to bring claims against their 
financial professionals \4\ and has received letters 
reflecting, among other things, deeply held but disparate 
opinions on this issue.
---------------------------------------------------------------------------
    \4\ See Duties of Brokers, Dealers, and Investment Advisers, 
Exchange Act Release No. 69013 (Mar. 1, 2013), 78 FR 14848, 14853 (Mar. 
7, 2013). The Commission also made available email boxes with respect 
to various provisions of the Dodd-Frank Act, including Section 921 
(Authority to Restrict Mandatory Pre-Dispute Arbitration). See Public 
Comments on SEC Regulatory Initiatives Under the Dodd-Frank Act, 
available at http://www.sec.gov/spotlight/regreformcomments.shtml. 
Additionally, on June 1 of this year, I issued a statement 
requesting public comments on standards of conduct for investment 
advisers and broker-dealers. See Public Statement by Chairman Jay 
Clayton, ``Public Comments from Retail Investors and Other Interested 
Parties on Standards of Conduct for Investment Advisers and Broker-
Dealers'' (June 1, 2017) available at 
https://www.sec.gov/news/public-statement/statement-chairman-clayton-2017-05-31.
---------------------------------------------------------------------------
    Because of the potential impact of any changes to current 
practice, as well as the strong views on both sides of this 
debate, I believe further information, data, and analysis would 
be beneficial to assist in determining whether and if so, how, 
to address the use of mandatory pre-dispute arbitration 
agreements. To that end, I have asked the staff to undertake 
additional information gathering on this issue. I have asked 
the staff to then brief me in the coming months.

                                   [all]