The SEC's consolidated audit trail passed two major milestones this summer without any major hiccups, but concerns about cybersecurity persist from many industry members.
Broker-dealers were required to begin submitting data to the CAT, a comprehensive database, on trades they execute on behalf of clients — including institutional investors — on June 22 for equities trades and July 20 for options trades.
Initial reporting has gone smoothly, as many firms took advantage of an extended testing period and started reporting in advance of the respective deadlines to work out any kinks, sources said. Broker-dealer reporting went live April 13 before the deadlines, when the CAT opened.
Still, organizations like the Securities Industry and Financial Markets Association have raised concerns about securing CAT data, particularly when it is "bulk downloaded" by one of the 24 self-regulatory organizations, or SROs, made up of exchanges and securities associations.
"Our concern is really when the data leaves (the) CAT and goes out to all of these exchanges," said Ellen Greene, New York-based managing director of equity and options market structure at SIFMA. "We have concerns about the security — the more instances of data being downloaded, the more risk there is."
Ms. Greene said the data could be exploited by foreign actors or even insiders at the exchanges. "Given the richness of the data, the insight into how both exchange competitors are doing as well as broker-dealers that have their own (alternative trading systems), we really do think that limiting access is critical to that," she said.
Moreover, with many people working from home during the pandemic, additional security risks have percolated, Ms. Greene added. "I think there are other concerns that come to the surface about how that data is used; does it remain in a corporate system, is it taken out of it?" she said. "It seems more than ever at this time that it is so important to keep it within this secure environment."
In a statement, CAT LLC — the group formed by U.S. exchanges to establish a plan to implement and manage the CAT — said the security of CAT data is of "critical importance to the SROs, and that applies both to data in the CAT itself and data the SROs download. With respect to downloads of data, the CAT plan requires that SROs have the ability to download CAT data. However, the SROs will not have the ability to conduct bulk downloads of customer information, and any information that the SROs do download will be used solely for regulatory purposes."
Cybersecurity protocols will be the responsibility of each SRO once the data is downloaded.