The SEC’s consolidated audit trail passed two major milestones this summer without any major hiccups, but concerns about cybersecurity persist from many industry members.
Broker-dealers were required to begin submitting data to the CAT, a comprehensive database, on trades they execute on behalf of clients — including institutional investors — on June 22 for equities trades and July 20 for options trades.
Initial reporting has gone smoothly, as many firms took advantage of an extended testing period and started reporting in advance of the respective deadlines to work out any kinks, sources said. Broker-dealer reporting went live April 13 before the deadlines, when the CAT opened.
Still, organizations like the Securities Industry and Financial Markets Association have raised concerns about securing CAT data, particularly when it is “bulk downloaded” by one of the 24 self-regulatory organizations, or SROs, made up of exchanges and securities associations.
“Our concern is really when the data leaves (the) CAT and goes out to all of these exchanges,” said Ellen Greene, New York-based managing director of equity and options market structure at SIFMA. “We have concerns about the security — the more instances of data being downloaded, the more risk there is.”
Ms. Greene said the data could be exploited by foreign actors or even insiders at the exchanges. “Given the richness of the data, the insight into how both exchange competitors are doing as well as broker-dealers that have their own (alternative trading systems), we really do think that limiting access is critical to that,” she said.
Moreover, with many people working from home during the pandemic, additional security risks have percolated, Ms. Greene added. “I think there are other concerns that come to the surface about how that data is used; does it remain in a corporate system, is it taken out of it?” she said. “It seems more than ever at this time that it is so important to keep it within this secure environment.”
In a statement, CAT LLC — the group formed by U.S. exchanges to establish a plan to implement and manage the CAT — said the security of CAT data is of “critical importance to the SROs, and that applies both to data in the CAT itself and data the SROs download. With respect to downloads of data, the CAT plan requires that SROs have the ability to download CAT data. However, the SROs will not have the ability to conduct bulk downloads of customer information, and any information that the SROs do download will be used solely for regulatory purposes.”
Cybersecurity protocols will be the responsibility of each SRO once the data is downloaded.
CAT’s cybersecurity has long been a concern for stakeholders. When fully implemented, it will be a single database for all equity and options trades on U.S. exchanges.
It’s intended to allow regulators to track illegal or manipulative trades and show a way to quickly determine what caused large, sudden losses in trading value, such as the flash crash of May 6, 2010. That event resulted in the loss of nearly $1 trillion in U.S. equity value in the Dow Jones Industrial Average in a little more than 30 minutes.
In March, the SEC exempted the SROs from having to collect or retain certain retail customer data, including individual Social Security numbers or individual taxpayer identification numbers, dates of birth and account numbers. Instead of including these most sensitive pieces of personally identifiable information, broker-dealers are required to report an account holder’s name, address and birth year.
SEC Chairman Jay Clayton also in March asked SEC staff to prepare a recommendation on improving data security requirements in the national market system plan governing the CAT, including exploring any alternatives to bulk downloading data by each SRO that would better secure CAT data.
“While getting rid of Social Security numbers is critically important to CAT, it’s also very important that we achieve the goals of CAT, which are to allow for a (CAT Customer ID) that crosses broker-dealers that will allow regulators to see activity of a customer across the marketplace,” said Manisha Kimmel, who oversees the CAT project for the SEC as senior policy adviser for regulatory reporting, during a SIFMA webinar in June.
Jim Toes, president and CEO of the Security Traders Association (STA), New York, said that while requiring less information to be stored in the CAT is good, there’s still cause for concern.
“We’re taking all this transactional data, putting it into a warehouse and we’re letting a whole bunch of people see it,” he said. “Right now, the New York Stock Exchange can only see my activity as it pertains to the New York Stock Exchange, they don’t know what I’m doing on Nasdaq. Now they’re going to have the ability to see that. It just increases the risk.”
To read the full article, click here.