WASHINGTON – This morning, in a hearing of the Senate Banking Committee with Securities and Exchange Commission (SEC) Chairman Jay Clayton, Sen. Mark R. Warner (D-VA) slammed the credit bureau Equifax for its cybersecurity failures and weak response in the wake of a data breach affecting the personal information of 143 million Americans. Sen. Warner, Ranking Member of the Subcommittee on Securities, Annuities, and Other Financial Investments, pressed the SEC Chairman to work with the Banking Committee to push for more transparency and accountability when a public company is breached and Americans’ personal information is exposed.

Said Warner of the Equifax breach, “We have no ability to opt-in to these systems. We are part of these systems whether we like it or not. I’m often asked in my job on the Intelligence Committee what I think the single greatest vulnerability our country faces is, and I believe it’s cybersecurity.”

Added the Senator, “I think Equifax is a travesty. I think the resignation of the CEO is by no means enough… Number one, in terms of the sloppiness of their defenses. Two, in terms of the fact that this was clearly a knowable vulnerability – they had known for months, and if they had simply put a patch in place we might have precluded this. And to add insult to injury, Equifax, when it put up the site to direct consumers after the breach, that site was not properly domain-registered and was known to have vulnerabilities in the site itself. So if we don’t send a very, very strong message – now the market has already taken, I think, 25 percent off its market value – but I question whether Equifax has the right to even continue providing these services with the level of sloppiness and lack of attention to cybersecurity.”

Noting a number of significant data breaches in both the public and private sector have affected hundreds of millions of people in recent years, Warner pressed the SEC Chairman on whether he believes the publicly-traded companies regulated by the agency are being sufficiently forthcoming with shareholders and the public when their systems are breached by hackers.

The SEC Chairman told Sen. Warner, “I agree with you generally. I don’t think there’s been enough disclosure around the risk profile of companies with respect to cybersecurity. Where are the risks, what are the vulnerabilities, what do we know, not know. And then, if there are breaches, the disclosure of those specific breaches. I don’t think there’s been adequate disclosure in that regard.” 

Warner urged Chairman Clayton to work with the Banking Committee to strengthen those reporting standards through the SEC rulemaking process or by working with Senators to craft appropriate legislation that would improve disclosure and transparency for companies that suffer a data breach. A full transcript of their exchange is below.

In a September 13 letter, Sen. Warner also asked the Federal Trade Commission (FTC) to examine whether credit reporting agencies such as Equifax have adequate cybersecurity safeguards in place for “the enormous amounts of sensitive data they gather and commercialize.” In a response to Sen. Warner’s questions, dated September 21 and newly released today, the FTC disclosed that the agency is considering whether an existing FTC consent decree with Equifax for violations of the Fair Credit Reporting Act could allow the FTC to assess additional sanctions and civil penalties on Equifax for its failure to maintain acceptable data security practices. The FTC also agreed with Sen. Warner’s assessment that Equifax has not adopted sufficient security practices for consumers wishing to place a credit freeze on their accounts following the theft of their personal information.

The FTC also recommended that Congress take up comprehensive data security legislation that would provide timely notification to consumers when there is a data breach – a cause Sen. Warner has championed for more than three years. 

The FTC’s full response to Sen. Warner is available here.   

Transcript:

WARNER: Let me first of all echo what Senator Kennedy has just said. The whole notion of the credit rating agencies, and the public’s ability – we have no ability to opt-in to these systems. We are part of these systems whether we like it or not. I’m often asked in my job on the Intelligence Committee what I think the single greatest vulnerability our country faces is, and I believe it’s cybersecurity. I believe we do not have a whole-of-government, or whole-of-society approach on cybersecurity. In recent times, we have seen Russia take unprecedented action attacking 21 of our states’ voting systems. We’ve seen our social media platforms being manipulated with false information and misinformation and disinformation campaigns that are at least indirectly related to cyber.

I appreciate you, Mr. Chairman, coming forward with the recognition of the EDGAR system breach. I wish it had been done quicker, though as has been pointed out, this is not in isolation. We’ve seen, as has been pointed out, OPM and a series of other governmental breaches. I think Equifax is a travesty. I think the resignation of the CEO is by no means enough. I would say, and I understand your reluctance to acknowledge whether there is an investigation, your colleagues at the FTC, who also have a process in place where they normally don’t reveal an ongoing investigation, felt that this was so serious that they acknowledged that there was an investigation going on.

And the Equifax breach is so egregious. Number one, in terms of the sloppiness of their defenses. Two, in terms of the fact that this was clearly a knowable vulnerability – they had known for months, and if they had simply put a patch in place we might have precluded this. And to add insult to injury, Equifax, when it put up the site to direct consumers after the breach, that site was not properly domain-registered and was known to have vulnerabilities in the site itself. So if we don’t send a very, very strong message – now the market has already taken, I think, 25 percent off its market value – but I question whether Equifax has the right to even continue providing these services with the level of sloppiness and lack of attention to cybersecurity. 

I’d also point out – and Senator Brown raised this question – this is not the first time. I mean, Yahoo last year. 500 million user breach, and Yahoo did not believe that it was material enough to even report. One investigation has shown, with 9,000 public companies, we have less than 100 companies, since 2010, feel that any level of cyber incursion was significant enough to meet that materiality standard to notify the public. I find that absolutely unacceptable.

I know Senator Brown asked that, but Mr. Clayton, do you want to make any further comment about what the SEC might be looking at in terms of reviewing these materiality standards as it relates to cybersecurity? 

CLAYTON: Yes, I do. I agree with you generally. I don’t think there’s been enough disclosure around the risk profile of companies with respect to cybersecurity. Where are the risks, what are the vulnerabilities, what do we know, not know. And then, if there are breaches, the disclosure of those specific breaches. I don’t think there’s been adequate disclosure in that regard.

WARNER: Well my hope would be that this would be something – I know I’m very interested in, and I think across both sides of the aisle, we’d like to work with you on – whether we need legislative actions, or whether we work with you as an entity.

###