2 March 2021

SIFMA Argues CAT Should Be Liable For Data Breaches

Cadwalader, Wickersham & Taft LLP


In a new report, SIFMA continued to object to a FINRA-proposed amendment that would hold industry members liable for a system breach of the National Market System Plan Governing the Consolidated Audit Trail ("CAT"). (See previous coverage.)

SIFMA followed up on its comment letter with a report that concludes that the proposed amendment would indirectly harm investors.

In the report, SIFMA states that should the proposed amendments be adopted:

  1. CAT LLC would not be properly incentivized to protect CAT data, thereby increasing the risk that investors' data would be compromised; and
  2. to protect themselves against liability for a data breach over which they had no control, industry members would make "inefficient" insurance purchases for litigation-related expenses - costs that the members would likely pass to investors.

SIFMA states that if CAT LLC were itself liable for data breaches, then CAT LLC would be "incentivized to invest in the socially optimal level of protection" and would be more "efficient" in purchasing insurance.

Commentary

Steven Lofchie

Risks presented by the entire CAT enterprise are significant. Does it really make sense to gather this much financial information under one roof, given the likelihood that hackers from foreign governments and criminal groups will be targeting the system for that information?

The risks of moving forward are compounded if the entity that is holding the information (and responsible for its protection) is insulated from financial loss in the event of a cyber event.

Two obvious questions are:

  • Why should CAT invest in the best (most expensive) cyber protections if the cost of failure will be borne elsewhere?
  • Why does it make sense to impose cyber-liability on firms that have no independent ability to protect the CAT data?

Unless there are good answers to those questions, the liability provisions should be reconsidered.
