Securities and Exchange Commission lawyers reluctantly realized while investigating an insider-trading case in August that it was time to tell new chairman Jay Clayton about a major breach of the agency’s systems that happened in 2016. Why now? Because despite immediately patching the hole that hackers went through, their case was based on the non-public information stolen from the SEC’s own systems.

In an unexpected 4,000-word statement on general cybersecurity issues published Sept. 20, Clayton buried the news of the 2016 hack at the halfway point.

He will tell the Senate Banking Committee on Tuesday that the agency believes the 2016 intrusion was caused by the exploitation of a defect in custom software in its Edgar filing system. According to his prepared congressional testimony seen by MarketWatch on Monday, Clayton says he wasn’t told about it until three months into his new job.

The SEC Office of Information Technology staff took steps in 2016 to fix the defect in the custom-developed software code and reported the incident to the Department of Homeland Security’s Computer Emergency Readiness Team. Then SEC staff crossed their fingers and hoped that the thieves would never use the non-public Edgar filing information for illegal insider trading.

Those prayers were not answered. The agency, and fellow self-regulators like Nasdaq and Finra, are getting too good at identifying unusual trading patterns. They look for the “too good to be true” wins that likely come from timely confidential information. Recent insider-trading cases highlight the SEC’s enhanced capabilities in tracking and zeroing in on traders who are cheating.

See also:SEC using high tech to connect illegal insider trading to sources

Read: How Nasdaq watches for insider trading

Clayton will tell senators on Tuesday that the investigations and enforcement actions are incomplete but ongoing.

Clayton believes “Main Street” investors are not getting enough information from companies to understand the threats that companies and they themselves face, according to the prepared remarks. His testimony calls for “more and better disclosure,” and he says the SEC plans to investigate companies that mislead investors about material cybersecurity risks or data breaches.

Clayton plans to tell senators he’s authorized the immediate hiring of additional staff to aid in “efforts to protect the security of the agency’s network, systems and data,” according to the testimony.

The SEC’s 2018 fiscal-year budget request to Congress in May showed a total of 165 staff planned for the information technology group, a decline from 2017, when 169 were budgeted, and 2016, when the number was 173. The agency budgeted 4,543 positions in total for 2018, down 2% from 4,653 budgeted positions in fiscal 2017, which ended in July.