Rule changes proposed by the Securities and Exchange Commission (SEC) on Friday seek to limit the amount of personally identifiable information (PII) required in data submitted to the Consolidated Audit Trail (CAT) and for public company filings.
The CAT-related changes would eliminate the requirement that data submitted by brokerage firms for the CAT include social security numbers of private investors and would replace investor dates of birth with birth year. The SEC also proposes to create a security working group that would include chief information security officers from firms submitting data to the CAT.
“Data security is an essential pillar of the CAT,” said SEC Chairman Jay Clayton in a press release. “The requirements outlined in the proposal, including requiring the removal of sensitive PII, are designed to both (1) significantly reduce the amount of sensitive data collected without affecting the operational effectiveness of the CAT and (2) provide market participants with greater certainty regarding how CAT data will be protected and used.”
The CAT is a massive database developed by the SEC to improve its capacity to supervise financial firms. It was created in response to the 2010 “flash crash,” when the market fell nearly 1,000 points. The CAT is designed to allow regulators to efficiently and accurately track all trading activity throughout the U.S. markets.
More recently, concerns have been raised by privacy groups and some companies participating in the CAT that including such sensitive personal information makes the database a target for hackers and identity thieves. In May, the American Securities Association (ASA) sued the SEC over the CAT’s data collection.
The “collection of investors’ PII into a centralized database is an unnecessary and substantial risk to the privacy of American investors,” said Ron Kruszewski, chairman and CEO of both the ASA and Stifel Financial Corp., in a statement. “There can be no reasonable cost benefit analysis which supports risking investors’ privacy, especially when this data is currently available today on a when-needed basis.”
On July 31, large brokerage firms were required to begin reporting data to the CAT, and all firms will be required to begin reporting by Dec. 31, according to the SEC. The entire project, including the creation of a searchable CAT database and other requirements, is scheduled to be completed by 2022.
The proposed data security changes to the CAT will be subject to a 45-day comment period following publication in the Federal Register.
In a separate proposal Friday, the SEC presented a series of tweaks to the way public company filings are reviewed before being posted to EDGAR, the SEC’s online database of public company filings. SEC staff would be authorized to redact certain types of PII in filings before making them public, to delay posting of filings if there was a cyber-security issue, like embedded malware, and to make factual corrections as necessary.
But the proposal would also give SEC staff the power to prevent acceptance or dissemination of a public company’s filing “if the Commission has reason to believe that a submission or an attempted submission may be misleading or manipulative.” The submission would be held until the company addressed the SEC’s concerns about the information, according to the proposed rule.
Comments on the proposed rule are welcomed by the SEC for 30 days after publication in the Federal Register, either by using the SEC’s online comment form or by sending an email to firstname.lastname@example.org.