Senators had questions Tuesday about the Consolidated Audit Trail's cybersecurity capabilities.
Shelly Bohlin, president and chief operating officer of FINRA CAT — a subsidiary created by FINRA to build the audit trail — Judy McDonald, chair of the CAT NMS Plan Advisory Committee, and Michael Simon, chair of the CAT NMS Plan Operating Committee, testified before the Senate Banking Committee.
CAT NMS was formed by U.S. exchanges to establish a plan to implement the audit trail, which will be a single database for all equity and options trades executed on those exchanges. The Securities and Exchange Commission approved the audit trail's creation in 2012.
It's intended to allow regulators to track illegal or manipulative trades and show a way to quickly determine what caused large, sudden losses in trading value, such as the flash crash of May 6, 2010. That event resulted in the loss of nearly $1 trillion in U.S. equity value in the Dow Jones industrial average in a little more than 30 minutes.
Senators on the committee said the audit trail will be a target for hackers and nations that would like to cause harm to the U.S. markets.
Sen. Tom Cotton, R-Ark., said he had been skeptical of the audit trail for some time but he's now "downright opposed" to the concept. "I appreciate you're doing everything you can to protect the information of individual users, but you are creating a database that is so large and so valuable and so attractive I cannot imagine that at some point in the future this committee (isn't) going to be having an oversight hearing on how a breach of that database occurred," he said.
In her written testimony, Ms. Bohlin said the FINRA CAT security program includes significant layers of architectural-level security controls and program-level security controls, including secure infrastructure for connecting to the CAT system and architectural separation between transaction data and personally identifying information, or PII.
Moreover, the overall CAT security program is subject to regular third-party review to verify that the program is operating in accordance with its system security plan and with applicable standards, Mr. Simon said in his testimony.
Sen. Sherrod Brown, D-Ohio, the committee's ranking member, spoke about the benefits of having a consolidated audit trail to prevent insider trading, market manipulation and other misconduct that cheats the system.
"Some take issue with the SEC, or any government agency, having this much data and call the system a target for hackers," Mr. Brown said. "I refuse to accept that we can't both protect people's personal information, and go after criminals who take advantage of our markets."
When fully implemented, the CAT will ingest more than 58 billion records a day and be the world's largest data repository of information on securities transactions, tracking all orders throughout their life cycles, according to a CAT NMS news release earlier this year.
On Oct. 16, Mr. Simon and the CAT NMS Plan Operating Committee wrote to the SEC requesting exemptive relief to exclude Social Security numbers and other personal information from the reported data.
Mike Crapo, R-Idaho, who chairs the committee, said: "There's a strong understanding of the importance and the benefits of CAT. There's also a very high level of concern about the data collection and privacy impacts here, which I share — on both sides."
He added: "I think we're far from where I have a comfort level and I think that's true for a number of members of the committee, but we understand and appreciate the efforts that are being undertaken to address these issues."
Beginning in April 2020, broker-dealers will be required to submit data to the CAT on trades they execute on behalf of clients — including institutional investors.
