By Joanne Cursinella, J.D.
In a June 4 letter to SEC Chairman Clayton, Securities Industry and Financial Markets Association (SIFMA) offered input on the data security questions raised earlier this year by the Commission to its staff regarding the consolidated audit trail (CAT). According to the letter, SIFMA has long supported the development of CAT and believes that it will be a critical addition to the current market infrastructure. But SIFMA also emphasized its concerns with the security of the CAT, particularly with regard to the ability of self-regulatory organizations (SROs) to bulk download CAT Data. SIFMA said it has “serious” concerns about the need for and security of customer data provided to and maintained in the CAT.
Alternatives to “bulk downloading” data. While noting recent efforts that have been taken to protect the most sensitive PII of retail customers in the CAT, SIFMA “strongly believes” that much more should be done to protect the sensitive data of market participants’ customers that is transmitted to and stored within the CAT System. According to SIFMA, “an obvious and avoidable significant threat” to the security of the CAT Data is the ability of SROs to bulk download customer and transaction data, including PII data, from the CAT to their own systems. “It is inconceivable from a risk management standpoint that the Commission would allow bulk downloading customer and transaction data by 24 separate entities.”
Among other concerns, the letter continues, bulk transfers can subject CAT Data to additional abuses by bad actors, who have increasingly sophisticated methods of orchestrating cyber breaches, as well as expose SROs that bulk download and others to liability resulting from improper disclosure of sensitive trading data. SIFMA believes that the only way to address security concerns related to bulk downloading CAT Data by SROs is to prohibit this.
SIFMA believes that further plan amendments should be considered that would require the SROs to use a secure analytics workspace (SAW) approach, so that the SROs are required to access all CAT Data from within the CAT security perimeter and no such data ever leaves the CAT. Also, each exchange’s access to CAT Data in the SAW should provide that an exchange can only see data for trading activity conducted on that exchange (and not trading activity on other markets), with the only exception being for limited and well-defined regulatory purposes. And SIFMA recommended that only FINRA, which, by its own data, said its surveillance canvassed 99.5 percent of U.S. stock market trading volume and about 65 percent of U.S. options trading activity, should be provided the broad ability to access cross-market CAT Data in the SAW.
Risks of proliferation of CAT data. Once populated, the CAT will be the world’s largest data repository of securities transactions, maintaining data on more than one hundred million customer accounts and their trading information, SIFMA pointed out, and it will be a large, valuable target for criminals, nation-states, and other potential bad actors. Bulk downloading CAT Data outside of the CAT System renders ineffective even the most advanced security measures that may be employed. The risk of exposure of CAT Data increases exponentially when it is downloaded and stored in multiple environments outside the CAT System, SIFMA continued. Further, there does not appear to be a set of uniform or baseline standards among the SROs regarding their security controls related to the handling of bulk downloaded CAT Data, SIFMA said. This increases the risk of data exposure because it creates an environment in which the SRO with the fewest security controls or least experience could serve as the weak link that a malicious actor could exploit to access the CAT Data.
Additional data security issues. SIFMA strongly believes that the parameters regarding the appropriate use of CAT Data should be clearly defined and not left open to interpretation. The CAT environment will allow an exchange to view the trading data from all markets. Thus, the pressure to use such data for commercial purposes could increase dramatically, given the for-profit status of many exchanges, especially if the exchanges were able to bulk download CAT Data, where its further usage could not be as effectively monitored as it could be if it were required to stay within the CAT System environment, SIFMA noted. Also, if bulk downloading is permitted, once the data has been downloaded, it is likely that the data would proliferate in multiple environments outside of the one in which it was downloaded, SIFMA warned. In view of this, SIFMA said that further consideration should be given to spelling out in more detail the limited regulatory manner in which the CAT Data can be used by SROs. So, in addition to prohibiting bulk downloading and limiting an exchange’s access to transaction data, there should be a requirement to provide more detail on the appropriate regulatory uses of CAT Data by SROs.
Restricting access to information. In addition to prohibiting bulk downloading, as an overarching principle, only those SRO employees with a need to access CAT Data should have the ability to access it within the SAW, SIFMA recommended. Moreover, appropriate policies and procedures should be in place for user access administration, including provisioning of administrators, user data management, password management, and audit of user access management. Further, SROs should be required to periodically review their access to, and use of, CAT Data in the SAW to ensure that the security measures governing that access and use continue to be appropriately designed to meet current circumstances.
Oversight. The CAT should be governed in a transparent manner that delivers collaboration between the SROs and their members, SIFMA said. To achieve this, SRO member firms must be integrally involved in the governance of the CAT with full voting rights. SIFMA recommends the representation of member firms on the CAT Operating Committee.
Security and transparency. SIFMA requests that affected member firms that are CAT Reporters and Authorized Reporting Agents be notified of system disruptions and system compliance issues, and SIFMA further asks that member firms be periodically apprised of the completion and results of any CAT-related security reviews conducted by the Plan Processor and SROs. Member firms have vast experience in handling and protecting sensitive customer data, and increased input by the firms could significantly help bolster the overall security of CAT Data.
“It is imperative the CAT be held to the highest security standards, not only to maximize the efficacy of the CAT System itself, but also to bolster the confidence of market participants reporting into the system, and to ensure investors their personally identifiable information will not be at risk of a data breach,” said SIFMA president and CEO Kenneth E. Bentsen, Jr., in a press release. “SIFMA continues to have grave concerns about the need for and security of customer data provided to and maintained in the CAT and we continue to believe there are more secure alternatives.”