A massive new Securities and Exchange Commission database faces renewed scrutiny after recent revelations of a cyber-breach. It is also serving as a catalyst for legislative action.

Rep. Warren Davidson (R-Ohio) has introduced the Market Data Protection Act, a House bill that directs the Securities and Exchange Commission, the Financial Industry Regulatory Authority, and Thesys Technologies “to accelerate cyber-security risk controls before collecting data in the Consolidated Audit Trail to prevent future hacker attacks.”

“We need to make sure our house is in order at the SEC,” Davidson said in a statement. “The CAT will be the world’s largest repository of securities transactions and the second largest database in the country. Given the recent data security issues in the current EDGAR database, we know there are serious flaws in the way the SEC maintains its data, and in the ways they respond to and communicate errors and omissions. These flaws undermine the trust and confidence of the customers the SEC regulates.”

The CAT is a massive database the SEC is developing to improve its supervisory capacity over financial firms.

Following a massive “flash crash” in 2010, the SEC adopted Rule 613, a plan to create a consolidated audit trail that allows regulators to efficiently and accurately track all trading activity throughout the U.S. markets.

Once the CAT is active, each broker-dealer and national securities exchange will be assigned a code that uniquely and consistently identifies it and links it to transactions. Ideally, regulators will have more timely access to a comprehensive set of trading data, enabling them to more efficiently and effectively conduct research, reconstruct market events, monitor market behavior, and identify and investigate misconduct.

In January 2017, the Selection Committee for the CAT NMS Plan selected Thesys Technologies as the plan processor. With a vendor selected, the CAT system is tentatively slated to begin operation in 2018.

Various technical issues—including clock synchronization among covered firms, SROs, and the database—have presented themselves as implementation challenges. Another debate, one exacerbated by recent events, is data security. The Securities Industry and Financial Markets Association, although generally supportive of the plan, voiced those concerns in a July comment letter to the SEC.

“Keeping CAT data secure and confidential is of primary importance not only to the efficacy of the system itself, but also to the confidence of market participants,” it wrote. “It is therefore imperative that the CAT be held to the highest security standards, with particular focus on ongoing security and confidentiality of information transmitted to and stored within the CAT and the primary importance of securing customers’ personally identifiable information.”

Security fears were once again stoked in September when SEC Chairman Jay Clayton revealed that hackers had breached the EDGAR database, which stores millions of public and nonpublic filings.

Additionally, a recent Government Accountability Office report found “information security control deficiencies in the SEC computing environment may jeopardize the confidentiality, integrity, and availability of information residing in and processed by its systems.”

“Until SEC mitigates its control deficiencies, its financial and support systems and the information they contain will be at unnecessary risk of compromise,” the report says.

In response to these concerns, Davidson’s Market Data Protection Act directs the SEC “to develop and implement proper risk assessment protocols to reduce, stem or eliminate potential exposure to cyber-threats.”

Jim Allen, head of Americas capital markets policy for CFA Institute, has been pondering the situation and implications for market integrity.

“If people are interested in committing fraud, through insider trading or by other means, and they are able to hack into the SEC’s website, that is a serious problem for investors. They won’t know when they’ve been duped by someone on the other side of a trade who had better information because that person was able to get an early peek before material information was made available to the rest of the market,” he says.

With regard to the CAT, “remember that this system was implemented to track fraud and counterparty risks,” Allen says. “Most everyone supported efforts to monitor potentially systemic exposures after the 2008 financial crisis. This hacking case, however, raises concerns about plans that CAT will collect personal identifier information about investment firms’ clients and how safe that information will be.”

“The SEC and FINRA will have to carefully calibrate how they balance the need for market information in their efforts to monitor potential problems against their fiduciary duty to secure and protect the information of market participants, particularly for the 99% of market participants who will never engage in fraud or create systemic problems,” he adds.

As for what they might do, they first will need to bolster their defenses against these kinds of hacks in the future. “That is a costly endeavor, and one that Congress should handsomely fund,” Allen says. “They also should consider whether they need to collect the personal identifier information about firms’ clients, or whether an alternative solution may be devised to protect the identities of those clients.”

Data collection by regulators is an ongoing complaint in Washington, notably among Republicans critical of the CFPB, which fuels many of its initiatives with the consumer data it collects. Should companies be concerned about so much crucial and confidential data being in the hands of regulators via various disclosure regimes?

“Companies should be concerned about every party that has access to their material, nonpublic information, whether it is the SEC, their auditors, investment and commercial bankers, or their attorneys,” Allen says. “The SEC noted that hackers targeted the systems of a couple of large law firms for time- and price-sensitive information about clients. So, yes, they should be concerned and take precautions, but hopefully this will heighten concerns about the security of the handling of their proprietary information across the board.”

Although SEC officials say they plan to stay the course with the CAT rollout—Clayton promised no significant or prolonged “timeouts” in recent Senate testimony—others are urging a delay. Among them is Rep. Jeb Hensarling (R-Texas), chairman of the House Financial Services Committee. He wants the Nov. 15 deadline for exchanges to file orders and trades to the database extended until safeguards and internal controls are fully vetted.

With the Consolidated Audit Trail serving as a central repository for order and trading activity data, he urged the SEC to “delay its implementation date until the commission can ensure that the appropriate safeguards and internal controls are in place to protect this data.”

Hensarling’s suggestion is also renewing calls for the bipartisan Data Security Act, which passed in the House two years ago and has lingered ever since in the Senate.

“The need to revisit that legislation and, where necessary, improve upon it should be obvious to all,” Hensarling said.

The bipartisan bill was introduced by Reps. Randy Neugebauer (R-Texas) and John Carney (D-Del.). It sought to create and impose uniform national standards for protecting consumers’ personal information.

“Current laws already require financial institutions of all sizes to develop and maintain robust internal procedures to combat and address network intrusions and data theft, and to notify consumers in the event of a breach,” the Financial Services Roundtable said in a statement supporting the bill. “Many other sectors, including retailers, are not subject to these same requirements. This loophole leaves consumers’ important personal and payment information potentially exposed during a financial transaction at a retailer.”

The business group, in 2015, went so far as to publish a graphic novel in support of the legislation.

Hensarling renewed his call “for national standards for data security and breach notification” in an Oct. 5 statement that, while largely a response to the 145-million-customer data breach at the credit rating agency Equifax, also touched upon ongoing issues at the SEC.

“Clearly, action by the Federal Trade Commission, the Consumer Financial Protection Bureau and potentially other regulators is required,” he said. “Congress must ensure that federal law enforcement and federal regulators do their jobs so justice can be served and victims are made whole. We must thoroughly examine if our agencies and statutes like Gramm-Leach-Bliley, the Fair Credit Reporting Act, and UDAAP are up to the job.”

“Given the federal government’s own poor track record when it comes to protecting personal information (witness the SEC and the Office of Personnel Management hacks as two recent examples), we must be cautious about attempts to ‘never let a good crisis go to waste’ and impose a Washington-forced technology solution that may be antiquated as soon as it is imposed. However, we do need a consistent national standard for both data security and breach notification in order to better protect our consumers, hold companies accountable and assure that this affair does not repeat itself.”