In the wake of the 2016 hack of one of its key databases, the Securities and Exchange Commission is looking for a chief risk officer to oversee the data it collects and how it protects it.
SEC Commissioner Will Piwowar said Wednesday that the agency is looking to develop the new role in the agency as part of its broader cybersecurity strategy, following the breach of its Electronic Data Gathering, Analysis, and Retrieval, or EDGAR, system.
“One of the things that [SEC Chairman Jay Clayton] has come to is… that you need a chief risk officer, someone to oversee all of this,” he said at the Data Coalition’s first RegTech Data Summit. “We are having discussions right now with folks in industry in terms of what type of qualities we would need someone to have to take the role.”
The SEC does already have a CISO role, currently held by Andrew Krug. It’s unclear how exactly the new risk officer would work with Krug. FedScoop reached out to the SEC for comment on how the roles would cooperate but didn’t hear back prior to publication.
SEC officials disclosed last October that the 2016 breach of the EDGAR database — which the agency uses to store information derived from the required filings of corporations, funds and individuals — compromised the personal information of two individuals, as well as possibly exposing information that could be used for insider trading.
Piwowar said the breach provided a catalyst for Clayton to examine what information the SEC should collect, possibly limiting the personally identifiable information it maintains.
“Are we collecting the right data?” he asked. “The data we collect, oftentimes, are the result of rulemaking.
He continued: “How are we going to measure the success of a particular rulemaking regulation? What data do we need to use to find metrics that we need to do evaluate those? To the extent that we are collecting the right information, then we can make informed decisions about changing the regulations in the future.”
In addition to a chief risk officer to help oversee the SEC’s cybersecurity posture, the commissioner added that the agency will need more funding to bolster its cyberdefense, which, Piwowar added, was a top priority for Clayton.
He also said that while advancements in emerging technology, such as blockchain and artificial intelligence, can streamline regulatory reporting, they must be balanced with a strong cybersecurity infrastructure.
“Although I am excited about the potential for [regulation technology and financial technology], I cannot end this discussion without admitting that they give me a certain level of trepidation,” Piwowar said. “As each technological advancement occurs, the Commission must confront a new opportunity for cyber threats to develop. These threats are just as pressing for the latest evolution of technology as they are for our legacy ecosystem.”