Sept. 9, 2019
Today, the Commission proposed amendments to the national market system (“NMS”) plan governing the consolidated audit trail (“CAT NMS Plan”). The amendments are designed to bring greater transparency and financial accountability to the development of the consolidated audit trail (“CAT”) by FINRA and the national securities exchanges (collectively, the “SROs”). A discussion of the proposed amendments is available here.
This is also an appropriate time to provide investors, market participants and the public with an update on the SROs’ efforts to develop and implement the CAT, including in the area of cybersecurity and the protection of sensitive information.
CAT Implementation Status
The CAT is intended to enhance regulatory oversight of our securities markets. Our equities and options markets operate through multiple exchanges and other venues and the CAT will facilitate cross-market oversight and analysis, thereby improving investor protection and market integrity. In 2016, the Commission approved the CAT NMS Plan prepared by the SROs, which set forth deadlines for the CAT’s implementation beginning in November 2017. The SROs have not met the CAT NMS Plan deadlines for the implementation of the CAT.
That said, recently, some progress has been made. For example, the SROs began reporting certain data to the CAT; the SROs have published final specifications for the initial reporting of equities and options to facilitate broker-dealer reporting; and the SROs and the broker-dealer industry are working together to develop ways to conduct Large Trader Reporting through the CAT. Today’s proposed amendments[1] to the CAT NMS Plan are designed to facilitate additional progress by providing important transparency and information to market participants, investors and the public generally, as well as establishing financial accountability provisions based on implementation milestone dates.
Cybersecurity and the Protection of Sensitive Information
The protection of sensitive information submitted to the CAT is of paramount importance, and I share many of the concerns that have been raised about the protection of any investors’ personally identifiable information (“PII”) that would be stored in the CAT.
More specifically, the Commission and the SROs must be mindful of the volume of data that the CAT collects, and its sensitive nature, and be responsible in their collection and use of that data. To that end, I support the SROs’ ongoing efforts to address various PII and data protection concerns. I understand that one approach the SROs are currently considering is the removal of social security numbers, account numbers and dates of birth from the CAT. I look forward to seeing more details about this approach, which merits serious consideration. I believe that the regulatory objectives of the CAT can still be achieved without these most sensitive pieces of investor information. However, I recognize the need to retain other data elements that have proven necessary to support market surveillance and investigations.
Make no mistake, even if the SROs significantly reduce the scope of PII included in the CAT, the nature of the data to be included in the CAT necessitates robust security protections. The CAT NMS Plan developed by the SROs includes specific security requirements designed to mitigate the risk of a breach of the CAT and the possibility of misuse of data reported to the CAT. The security features required by the CAT NMS Plan include, among other things: (i) the encryption of PII and all other CAT data, as well as a System Security Plan; (ii) adherence to the NIST 800-53 security standards, a set of security and privacy controls for federal information systems and organizations; (iii) incorporation of tools that will enable logging, auditing and access controls for the CAT system; (iv) secure methods of connectivity; and (v) development of a Cyber Incident Response Plan.
Further, with regard to the use of the CAT by the SEC, as I have previously noted, the SEC will not retrieve any PII from the CAT unless there is a regulatory need for the information and we are confident that there are appropriate protections in place to safeguard the information. Looking ahead, I believe we can and should take additional steps to ensure the security and confidentiality of CAT data, including in response to developments in data systems and cybersecurity. To that end, and recognizing the significant interest in this issue, I have asked the staff to regularly review the security posture of the CAT and advise the Commission if additional amendments to the CAT NMS Plan or other steps are necessary or advisable to further enhance CAT data security.
Conclusion
I believe that the next six to twelve months will be critical for moving the CAT from concept to reality. I urge the SROs to continue their efforts to work cooperatively with each other and with the industry to fulfill their obligations under the CAT NMS Plan as promptly as practicable, always keeping front of mind the importance of cybersecurity and the protection of sensitive data.