In a comment letter filed with the SEC, SIFMA strongly opposes the SEC’s proposed amendment to the National Market System Plan governing the Consolidated Audit Trail (CAT) that would force all CAT Reporters to effectively assume all liability associated with a breach of the CAT data system. The proposal permits the self-regulatory organizations (SROs) to disclaim liability for a breach or misuse of CAT data which goes beyond the regulatory immunity they already have.
“We support the development of the CAT but have had longstanding concerns about the security of the CAT data. This is the largest collection of customer and trading data that has ever been collected and consolidated and a breach would have devastating effects on market integrity, investors and financial firms,” said Ellen Greene, SIFMA managing director, equity and options market structure. “Shifting the liability to industry members is fundamentally unfair because the SROs have the exclusive responsibility for maintaining the CAT and for implementing measures to protect the CAT against a data breach. We strongly believe those responsible for the data should bear the liability for any breaches, and we encourage the highest levels of security measures be put in place to protect investors.”
https://twitter.com/SIFMA/status/1354513278672769028
The Proposal seeks to force all industry members that are obligated to report to the CAT under SEC and SRO rules to effectively to assume all the liability associated with a breach or misuse of data in the CAT System, which has been developed and is operated exclusively by the SROs. The Proposal would accomplish this by amending the CAT NMS Plan to require industry members and their reporting agents each to sign a mandatory agreement as a condition of reporting to the CAT that effectively eliminates the liability of CAT LLC and the SROs in the event of a breach or misuse of CAT Data. The SROs would be shielded from liability not only for a breach of the CAT System by malicious third-party actors but even from the theft or other misuse of CAT Data by SRO employees. This risk is particularly acute because data from the CAT System can be accessed by three thousand employees or contractors of 24 separate exchanges, FINRA and the SEC.
SIFMA notes the shifting of liability is inconsistent with industry standards and is not necessary to ensure the financial stability of the CAT. The extent of cyber-breach insurance coverage the CAT has obtained has also not been disclosed. If the proposed liability limitation provisions were approved, every firm submitting data to the CAT would need to enhance its individual insurance coverage, at substantial cost, to address the same core risks of data breach or misuse within the CAT system, while the CAT LLC would be permitted to rely on insurance coverage that has not been shown to be sufficient.
Finally, SIFMA believes the economic analysis used to develop the proposal is flawed in several respects. The analysis focuses only on a breach by external actors and fails to address at all the risk of misuse of CAT data by personnel at CAT LLC and the SROs who have access to the data. The report notes additional investment in CAT data security would not be economically justified despite the significant downside of a data breach and fails to recognize the firms have no choice but to bear the liability under the proposal and to insure themselves accordingly.
Source: SIFMA