Recent revelations regarding cybersecurity breaches at the U.S. Securities and Exchange Commission highlight the mismanagement and misplaced priorities that took place at the agency during the Obama administration. Between 2009 and 2016, critical operational issues and infrastructure problems were ignored as the SEC strayed from its tripartite mission of protecting investors, facilitating capital formation, and ensuring efficient capital markets.
Fortunately, the response of the SEC’s new chairman, Jay Clayton, to revelations of damage caused to the agency by its Obama-era operational deficiencies shows that he is competently tackling the issues he inherited and demonstrates his preparedness to undo the SEC’s misguided approaches to rulemaking, management, and organization of the last eight years.
A prime example of the agency’s previously misguided agenda is the suite of investment management-focused rulemakings advanced by the SEC in 2015 and 2016, including final rules on data reporting and liquidity risk management, and proposed rules governing the use of derivatives and transition planning by funds. Each of these rulemakings began with a public discussion of how to efficiently modernize disclosure for the benefit of mutual fund investors.
They ended with overly complex and burdensome reporting requirements that are ill-suited for investors and the asset management industry. These outcomes conflict with President Trump’s executive order on “core principles” for financial regulation, which aims to reduce regulatory complexity and help retail investors build wealth. Accordingly, the SEC should reexamine, modify, and potentially rescind overly complex mutual fund regulations, such as its fund data reporting and liquidity risk management rules.
Likewise, the SEC should reassess rulemakings of the last eight years that address special interests’ priorities instead of the agency’s core mission. Thanks to the Dodd-Frank Act, the SEC focused on constructing CEO-to-average-employee-pay ratios and required firms to track minerals supply chains, rather than examining how to best protect investors, markets, and the agency itself. Indeed, amid the misguided regulatory efforts of the previous administration, the SEC was plagued by institutional deficiencies that went ignored, as evidenced by numerous oversight reports and high-profile operational incidents.
The recently uncovered cybersecurity breaches were in fact par for the course for an SEC that throughout the Obama years exhibited frequent cybersecurity deficiencies. In 2015, the Government Accountability Office profiled the agency’s extensive cybersecurity vulnerabilities, noting that its absence of sufficient controls could result in “exploitation without detection.”
Just a year earlier, the GAO found that the agency’s access controls to sensitive data were deficient and that it consistently failed to authenticate users, encrypt data, audit and monitor network actions, and restrict physical access. Also that year, the SEC’s inspector general documented that the SEC’s information technology inventory procedures were inadequate and its employees lost laptops, thus exposing the agency to potential cybersecurity incidents. And in 2013, the SEC revealed that personally identifiable information was compromised after an SEC employee inadvertently downloaded onto a thumb drive data on individuals who worked at the agency.
Government reports also suggest financial irresponsibility and organizational shortcomings existed across the agency. A 2011 Inspector General report found that the agency improperly leased for $557 million almost one million square feet of prime office space. The year before, the SEC was lambasted in a House report for its siloed divisional structures that undermine communication, operational effectiveness, and information technology management within the agency. Notably, all of these issues took place at an agency where 75 percent of employees earn more than $147,000, a salary that is 75 percent more than the average government employee’s salary and nearly two-and-a-half times what the median American household earns.
SEC Chairman Jay Clayton is the right steward to address these myriad institutional deficiencies, as his mature and attentive reaction to the discovery of the SEC’s 2016 cybersecurity breach shows. Going forward, those who contributed to the severity of this incident and failed to report it should be held accountable. The SEC should also rebalance its priorities towards internal issues, and away from misguided rules unrelated to the agency’s core mission, such as bank-like rulemakings for the capital markets.
With a budget that quintupled between 1995 and 2016 to more than $1.6 billion while the workforce grew just 50 percent, resource constraints are certainly not what drove the problems that plagued the SEC during the last eight years. Rather, the causes were a lack of focus and mismanagement. The time has come for the SEC to pivot away from misguided regulatory priorities. The agency should instead address its well-documented organizational deficiencies and prioritize its statutory mandate to protect and enhance our capital markets.
Paul S. Atkins served as a Republican member of the U.S. Securities and Exchange Commission from 2002 to 2008 under President George W. Bush. He is now chief executive officer of Patomak Global Partners, a financial services consulting firm.