The SEC proposed amendments to the national market system plan governing the Consolidated Audit Trail (the "CAT NMS Plan") that would (i) increase security requirements for the use of CAT data and (ii) reduce the scope of sensitive information required to be collected.
The proposed amendments to the CAT NMS Plan would, among other things, require the use of "Secure Analytical Workplaces" for the analysis of large CAT data sets and incorporate restrictions for accessing and analyzing customer information, subject to the CAT's "Comprehensive Information Security Program." Additionally, the amendments would modify the Customer-ID creation and reporting processes, specifically removing "sensitive" personally identifiable information (e.g., social security numbers, individual taxpayer identification numbers and account numbers for natural person customers) from CAT reporting requirements. The amendments would require CAT participants to establish, maintain, enforce and publish their own individual written data confidentiality policies and procedures.
In a statement, SEC Chair Jay Clayton, Division of Trading and Markets Director Brett Redfearn and Regulatory Reporting Senior Policy Advisor Manisha Kimmel said that the proposed amendments would result in a "more secure CAT," and noted that the amendments would not impact the "regulatory value" of the CAT. In a separate statement, SEC Commissioner Hester Peirce explained that while she supported the proposed amendments, she would have preferred a broader consideration of the CAT's impact on "liberty, privacy and freedom," citing her previous criticism of the CAT's security implications (see prior coverage).
Comments on the proposal must be submitted within 45 days of its publication in the Federal Register.
Commentary
CAT raises considerable cybersecurity risks that far exceed any regulatory value of the project. (See, e.g., SIFMA Urges SEC Not to Make Broker-Dealers Liable for CAT Database Breaches.) At a time when the United States is highlighting the cyber risks posed by a video streaming service used by teenagers, the SEC should be giving a good bit more concern to whether there is any material reason to order the aggregation of so much economic data. While reducing the amount of such data is a good ameliorative step, many basic questions remain: (i) is this exercise worth the risk; (ii) who is responsible for data security, (and who will be held responsible if there is a breach); and (iii) can FINRA develop and maintain sufficient technological expertise to hold off foreign hackers backed by very substantial resources?
Primary Sources
- SEC Press Release: SEC Proposes Data Security Enhancements to the CAT NMS Plan
- SEC Proposed Rule: Amendments to the National Market System Plan Governing the Consolidated Audit Trail to Enhance Data Security
- SEC Public Statement: Update on the Consolidated Audit Trail - Data Security and Implementation Progress
- SEC Statement, Hester Peirce: Statement on Proposed Amendments to the National Market System Plan Governing the Consolidated Audit Trail to Enhance Data Security
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.