Forefront Communications

S&P Global: Wall Street Still Worries SEC’s Massive Trading Database Could Be Hacked

Amanda Perrucci

Wall Street is not yet satisfied with the security of a massive SEC trading database set to begin collecting investor data in the coming days.

On Nov. 15, U.S. stock and option exchanges such as those owned by Intercontinental Exchange Inc., Nasdaq Inc. and Cboe Global Markets Inc., as well as the Financial Industry Regulatory Authority, will start reporting data into the SEC’s Consolidated Audit Trail, or CAT. Those institutions, as well as system developer Thesys CAT LLC, are building the CAT at the SEC’s request. The Nov. 15 launch is the first stage in a four-year rollout of the CAT, a database expected to receive more than 58 billion records daily that will give regulators an unprecedented view into U.S. markets.

But banks, broker/dealers and other market participants remain worried about the safety of the data that will eventually be stored there.

“The industry is going to continue to have concerns about the system and the protection of the information,” said Gary Goldsholle, a partner with law firm Steptoe & Johnson and a former official with the SEC’s Division of Trading and Markets, in an interview.

Born out of the 2010 flash crash, the CAT is expected to modernize market surveillance for regulators, who have until now relied on a patchwork of technical systems to monitor trading. The CAT will include information about trading across exchanges, allowing regulators to link manipulative behavior back to an account’s owner based on a uniform CAT customer identifier derived from some form of personally identifiable information, such as a Social Security Number.

The CAT’s security has come under fire, though, particularly after a hack into the SEC’s corporate filings database was disclosed weeks before exchanges and FINRA were originally scheduled to report to the CAT in 2017.

Around that time, the exchanges requested a 12-month delay in the CAT’s launch, an inquiry the SEC eventually rejected. Still, the upcoming reporting stage will take place exactly one year after the original target date.

Several industry participants said they expect it to go smoothly. But the next phase of the system’s launch could be more problematic because it includes large broker/dealers, all of which will have to rethink their reporting systems.

Those complex companies will have to be reporting to the system by Nov. 15, 2019, a deadline that will be “very tight,” according to one person familiar with the CAT’s progress who spoke on background because the matter is not public.

Wall Street’s security concerns stretch across the CAT’s two data pools, which together could make the system a holy grail for hackers.

On one hand, broker/dealers and some lawmakers are worried that everyday Americans’ names and addresses could be revealed in a breach. But some of Wall Street’s biggest companies have grown more anxious about the system’s trading database, with many firms fearing that it could expose valuable intellectual property to their competitors.

While piecing another company’s trading information together would be a costly and cumbersome task, it could unmask years of proprietary work through reverse engineering.

“More people will have access to [the trading database], and whenever you have more eyes, safeguarding it becomes a little bit more challenging,” Security Traders Association (STA) President and CEO Jim Toes said in an interview.
