A proposed amendment to the plan governing the consolidated audit trail would hurt investors and increase the chances of having their data compromised, according to a report released Thursday from the Securities Industry and Financial Markets Association.
SIFMA has long expressed concerns about securing CAT data and has taken issue with a December proposal from CAT LLC — the group formed by U.S. exchanges to establish a plan to implement and manage the CAT. The proposed amendment would add several "limitation of liability provisions" in the CAT Reporter Agreement, which industry members must sign before connecting to the CAT.
In the event of a data breach, the provisions include stipulating that CAT LLC; the self-regulatory organizations, or SROs, made up of exchanges and securities associations; and their respective representatives "shall not be liable for the loss or corruption of any data submitted by a CAT Reporter or CAT Reporting Agent to the CAT System."
SIFMA's report — called the "Economic Analysis of the Proposed Amendment to NMS Plan Governing the Consolidated Audit Trail" — was sent to the Securities and Exchange Commission Feb. 19 and made public Thursday. It was written by Craig M. Lewis, a professor at Vanderbilt University.
The report said that if the amendment is adopted, investors would be at "greater risk of having their data compromised since CAT LLC's incentives to invest in security to protect the CAT data would be reduced."
Moreover, since industry members do not have the ability to directly control the security of the CAT data, "it will likely require their purchase of additional liability insurance beyond their existing coverage to address the risk of a breach or misuse of that data," the report said.
In the proposed amendment from CAT LLC, which was supported by research from Charles River Associates, allowing industry members to further litigate against the SROs "for damages resulting from cyber breaches would not better align the incentives or meaningfully increase the motivation of CAT LLC, the plan processor (FINRA CAT), or the (SROs) to pursue additional economically appropriate measures to reduce the frequency and severity of cyber breaches."
The exchanges selected the Financial Industry Regulatory Authority as the plan processor in February 2019, which then created FINRA CAT to build the audit trail.
The SIFMA report said the if the proposed amendment were not adopted — a decision for the SEC — CAT LLC would have an incentive to invest in the "socially optimal level of protection."
"While SIFMA supports the goals of the CAT and our members have invested substantial resources toward its implementation, we cannot ignore the risks to sensitive customer information being compiled in one government-mandated database, and we oppose efforts to shield responsibility for maintaining the security and privacy of such data," said Ellen Greene, SIFMA managing director, equity and options market structure, in a news release
A spokesman for the CAT NMS Operating Committee in an email said the panel is "reviewing the report and will be submitting a response to the SEC in due course."
The CAT when fully implemented will be a single database for all equity and options trades on U.S. exchanges. Broker-dealers were required to begin submitting data to the CAT on trades they execute on behalf of clients — including institutional investors — on June 22 for equities trades and July 20 for options trades.
