CAT Data Security: The Clock is Ticking

The SEC has proposed new cybersecurity risk management rules for registered investment advisers and investment companies.  This follows a steady stream of new rule proposals, but there are a number of pending SEC proposals that need to be finalized, not the least of which is the August 2020 data security proposal for the Consolidated Audit Trail (CAT).

The CAT began collecting all equity and options trade data in 2020, and beginning in July, the CAT’s Customer and Account Information System will start operations.  This system will collect related personally identifiable information (PII) for every retail and institutional investor in the US. Once fully operational, the CAT will be the largest database regarding securities transactions ever built, containing a treasure trove of valuable and potentially vulnerable information.  Importantly, as mandated by the SEC, the CAT is owned and operated by 25 self-regulatory organizations (SROs) including several exchanges owned by for-profit, publicly-traded holding companies.  As currently configured, once broker-dealers report trade and PII data to the CAT, as mandated by the SEC, control, access and protection of that information shifts to these organizations and their thousands of employees.

The SEC currently has a proposal pending before it, the CAT Data Security Proposal, that would greatly enhance the security of data held in the CAT.  The proposal would, among other things, prohibit the bulk downloading of CAT data by the SROs by requiring them to use Secure Analytical Workspaces (SAWs) to review CAT data, subject to a strict exception process in which an SRO has the ability to seek a limited exemption to download CAT transaction data in its own environment provided its security is as robust as the CAT System’s security.  The proposal also would strictly and clearly prohibit the use of CAT data for any commercial purpose by the SROs, such as a rule filing that has both a commercial and regulatory purpose.

SIFMA supports much of what is included in the proposal, some of which we previously recommended.  We have recommended to the SEC, as discussed in our comment letter, certain minor enhancements to the proposal that the Commission should consider in connection with finalizing it.  We believe our recommendations will help further increase the security of data within the CAT, which in turn should help enhance the overall confidence of the investing public.

Given the impending go-live date of the CAT Customer and Account Information System and the target value of the data held within it, it is critically important that the SEC finalize the proposal immediately.  The value of the CAT data is immeasurable, and as the recent SolarWinds and ransomware attacks have highlighted, the SEC and the federal government must do everything in their power to ensure that the data is protected and secure.

In addition, we note that FINRA, which operates and maintains the CAT system through its subsidiary FINRA CAT, has a key role to play to ensure that CAT data is secure.  SIFMA and other trade associations recently sent a letter to FINRA urging it to provide much greater transparency into the specific data security standards deployed by FINRA CAT and the SRO Participants in the CAT NMS Plan.  We note that there are entities within the federal government accustomed to dealing with very large electronic databases that are meant to be kept secret and secure from external threat. We strongly believe that FINRA CAT should look to this model to fully leverage the best-in-class information security infrastructure employed by the federal government as well as by certain companies in the private sector.  We further believe that FINRA CAT should look to adopt the security initiatives from the SEC’s CAT Data Security Proposal, even in the absence of the Commission’s adoption of this proposal, as these initiatives would greatly enhance the security of CAT data.

As we approach the July 11, 2022 full CAT implementation date, we call on the SEC and FINRA CAT to take immediate, concrete steps to ensure the data in the CAT is secure, including the SEC’s adoption of the CAT Data Security Proposal.

Kenneth E. Bentsen, Jr. is president and CEO of SIFMA, the voice of the nation’s securities industry. He is also chief executive officer of the Global Financial Markets Association (GFMA).