While exchanges will start submitting equity and options data to the SEC's consolidated audit trail on Nov. 15, institutional investors will be more concerned about what's coming a year later.
That's because on Nov. 15, 2019, broker-dealers will be required to submit data to the CAT on trades they execute on behalf of clients, adding a much larger amount of information to the audit trail that will specify how their clients — including institutional investors — trade equities and options. That huge data repository could attract the attention of cybercriminals, sources said.
"One thing true about the world we live in, if you create a super-rich pile of data, it'll become a target for hacking," said George Black, New York-based partner, U.S. head of capital markets domain, at business and technology consultant Capco. "Just like Olympic athletes getting past drug testing, hackers will find a way to get around cybersecurity. There's been a big hullabaloo about buy-side data being attached to the CAT. Nov. 15 (2018) isn't related to that, but a year from now, that'll be a concern the buy side will have to grapple with. There's a lot of tension on the buy side about this."
CAT will be a single database for all equity and options trades executed on U.S. exchanges. It's intended to allow regulators to track illegal or manipulative trades and give them a way to quickly determine what caused large, sudden losses in trading value, such as the flash crash of May 6, 2010, which resulted in the loss of nearly $1 trillion in U.S. equity value in the Dow Jones Industrial Average in just over 30 minutes.
The Securities and Exchange Commission approved creating CAT in 2012. The submission of exchanges' equity and options trade data for CAT was originally scheduled to begin Nov. 15, 2017, but was delayed for a year after exchanges and the Financial Industry Regulatory Authority said they wouldn't be ready for the initial date.
That delay turned out to be a smart move, said James C. Dolan, chief compliance officer at Luminex Trading & Analytics LLC, Boston.
"This is the most sophisticated repository of data ever conceived," Mr. Dolan said. "That's why it's been delayed, to get it right. That's why it's smart to be prudent."
Thesys CAT LLC — created by capital markets technology provider Thesys Technologies LLC after it was selected by the SEC to administer the consolidated audit trail — and CAT NMS LLC — formed by U.S. exchanges to establish a plan to implement the audit trail — are both ready to ensure that the cybersecurity requirements of such a large database are met, said Vas Rajan, chief information security officer of CAT NMS.
"There is a robust security program in place that is managed not only by Thesys CAT, but which has rigorous oversight from the (exchanges) and transparency with the SEC," Mr. Rajan said. "The program is built upon well-understood industry standards, as specified in the CAT NMS Plan."
Mr. Rajan said CAT security "was tested prior to the loading of any production data. … A separate independent validation is occurring prior to go-live (on Nov. 15). In addition, part of the continuous monitoring suite of controls includes ongoing testing of various types, and there is likely to be a further assessment prior to the industry submitting information."
Capco's Mr. Black said asset owners and money managers will need to monitor how secure exchanges' data is with the CAT, since it'll be their trading data and information submitted by broker-dealers next year.
"The burden on the broker-dealer is far more than on exchanges," Mr. Black said. Exchanges, or self-regulating organizations, "are just packaging the data they receive. For broker-dealers, up until this program was announced, this data didn't exist with this timeliness and precision."
The security of that trading data from investors is a major concern because of what it will contain, particularly information related to trading activity, said Jim Toes, president, Security Traders Association, New York.
"Under the CAT plan, there has to be a customer ID database and data that's actively captured," Mr. Toes said. "The activity part is where more of the concern is. How do we control who has access to that activity? Whatever unique customer ID is used ... the concern about that ID being hacked as well as (information) leakage around the activity, those are the chief concerns with CAT security."
The transmission of data to the CAT is a "concern" for cybersecurity, Mr. Black said, "but also the data store. As you get access to everyone's information in one place, there'll be ways hackers will look at getting access." The Securities Industry and Financial Markets Association, the industry group representing money managers, banks and securities firms, "has said simply that bringing data together creates attention," he said. "That will draw the flies and bees."
Peter Maragos, CEO of Dash Financial Technologies, a New York trading technology and analytics provider, said cybersecurity risk is nothing new in trading. "This data exists. It's out there," Mr. Maragos said. "Security is here forever. You've got to expect people to tamper with our systems, so you need to protect them. That's the job of broker-dealers, exchanges, the SEC. To me, cybersecurity is meat-and-potatoes stuff."
