In an effort to improve data security related to the consolidated audit trail, the SEC on Friday proposed amendments to the national market system plan governing the comprehensive database.
Stakeholders inside and outside the SEC have long voiced cybersecurity concerns around the CAT, which when fully implemented will be a single database for all equity and options trades on U.S. exchanges. Broker-dealers were required to begin submitting data to the CAT on trades they execute on behalf of clients — including institutional investors — on June 22 for equities trades and July 20 for options trades. Operations have run smoothly to date.
With its proposal Friday, the SEC said it's seeking to accomplish a number of security-enhancing goals, including:
- Providing greater oversight, consistency and transparency regarding the appropriate use of CAT data.
- Requiring use of secure analytic workspaces, or SAWs, for the analysis of large data sets permitting exceptions only when non-SAW environments are subject to third party security assessments and monitoring.
- Incorporating specific restrictions for the access and analysis of customer and account information including required use of the SAW and a defined workflow.
- Preserving and enhancing existing security requirements.
- Removing sensitive personal identifiable information from CAT reporting requirements. The SEC in March issued an exemption order stating that CAT reporting requirements do not include Social Security numbers, account numbers and dates of birth.
"The net result of these changes would be a more secure CAT, operating without sensitive (personal identifiable information)," the SEC said in a statement issued by Chairman Jay Clayton, Brett Redfearn, director of division of trading and markets, and Manisha Kimmel, who oversees the CAT project for the SEC as senior policy adviser for regulatory reporting. "Importantly, these changes would not affect the regulatory value of CAT. While these improvements are substantial, they should not represent the conclusion of the commission's consideration of the sufficiency of CAT's data security."
The SEC officials said it's important for the commission, the self-regulatory organizations, or SROs, made up of exchanges and securities associations, and FINRA CAT, the plan processor, to continuously evaluate CAT's cybersecurity.
The CAT is intended to allow regulators to track illegal or manipulative trades and show a way to quickly determine what caused large, sudden losses in trading value, such as the flash crash of May 6, 2010. That event resulted in the loss of nearly $1 trillion in U.S. equity value in the Dow Jones Industrial Average in a little more than 30 minutes.
SEC Commissioner Hester Peirce supported the proposed amendments Friday but still expressed reservations about the CAT in a statement.
"The CAT treats every American as a presumptive wrongdoer," Ms. Peirce said. "The CAT will watch everything you do in the securities marketplace, record it for employees of the SEC and self-regulators to monitor, and store it in databases that hackers undoubtedly will attack. The discomfort we feel about similar monitoring in other marketplaces is something we should also feel when the government watches our every move in the financial markets."
There will be a 60-day comment period on the proposed amendments.