We believe that the implementation of CAT is an important step forward in regulating the market.

The House Subcommittee on Capital Markets, Securities and Investment held a hearing on November 30, 2017 to examine the security concerns of the Consolidated Audit Trail (CAT) Repository to which all market participants have to begin reporting order and trade data and activities.1 This hearing followed a request from the Securities Industry and Financial Markets Association (SIFMA) to delay the implementation of CAT.2 While the request for delay was denied, the House Financial Services Subcommittee hearing examined the status of the CAT implementation and the current adequacy of existing data security protections regarding the storage and use of CAT data by entities that are part of the CAT operating committee, the CAT plan processor, and the Securities and Exchange Commission (SEC). The hearing also examined whether additional cybersecurity protocols are necessary to properly safeguard collected data, including personally identifiable information (PII).3

As stated by Subcommittee chairman Bill Huizenga, “The importance of cybersecurity cannot be overstated.”4 Mr. Huizenga also commented that the federal government, namely the SEC, cannot afford to get the safeguarding of non-public financial information and other highly sensitive data wrong, as it may diminish confidence in the markets.5

The hearing included testimonies from Thesys Technologies, LLC CEO Mike Beller, Pershing LLC CEO Lisa Dolly (on behalf of SIFMA), Healthy Markets Association Executive Director Tyler Gellasch, and Chicago Board of Options Exchange (Cboe) Global Markets, Inc. President and Chief Operating Officer Chris Concannon.

Topline Quotes from Witnesses

  • “The CAT must be secure … The immense ‘connectedness’ of the internet means that today systems with very sensitive information are directly or indirectly connected to billions of individuals around the globe.” — Mike Beller, Chief Executive Officer, Thesys Technologies 6
  • “I commend the Subcommittee for conducting this hearing and for continuing to focus on ensuring that the CAT is developed efficiently and effectively while insisting that data security around the CAT is vigorous and robust. I am concerned about the risks associated with storing PII in the CAT database …” — Chris Concannon, President and Chief Operating Officer, Cboe Global Markets 7
  • “… the Audit Trail is not unique in the security and implementation challenges it poses, and the self regulatory organizations and plan processor have spent years ensuring that they meet industry standards and best practices in dealing with those challenges.” — Tyler Gellasch, Executive Director, Healthy Markets Association 8
  • “If sensitive identifying information is going to be included in the CAT, then the SEC and the SROs must provide much better assurances on data security than they have so far. Financial firms and regulatory agencies share a common goal in securing and protecting the data entrusted to them by clients and financial institutions. However, the current CAT development plan raises serious concerns around data protection and the ability to confidently secure the critical information it will contain. In particular, the draft CAT technical specifications that have been released to date include alarmingly few details on data security and protection.” — Lisa Dolly, Chief Executive Officer, Pershing (on behalf of SIFMA) 9

Top Considerations for SEC, Self-Regulatory Organizations (SROs) & other CAT Reporters

With the effective date looming ahead to begin reporting to the CAT repository, reporters and the SEC should focus efforts on implementing comprehensive security and risk controls to prevent and/or mitigate security breaches and to safeguard data. In doing this, actions should be based on the following considerations:

  1. Heightened Regulatory Compliance: SROs and market participants have to adhere to various cybersecurity guidelines and requirements, including the Market Data Protection Act (2017) passed by the House on November 11, 2017. The Market Data Protection Act will prohibit the CAT Plan Processor from accepting data and the SROs from accessing CAT data until each entity develops risk controls and the SEC certifies them. Market participants will also have to comply with other regulations such as Regulation Systems Compliance and Integrity (Regulation SCI), standards from the National Institute of Standards and Technology, Federal Financial Institutions Examination Council (FFIEC) guidelines, and the Cybersecurity Information Sharing Act.10
  2. Comprehensive Cybersecurity Plan: In developing the CAT National Market System (NMS) Plan, Thesys Technologies (CAT Plan Processor) stated “… we needed to adopt the best controls available, using two factor authentication, and pervasively encrypting data both when stored on systems and in transit between systems, and we needed to ensure that we had best practices to ensure security procedures …”11 In the same manner, we feel market participants that have not established such measures should do so without further delay.
  3. Opportunity for CAT as a Utility: While broker-dealers are expected to bear the majority of the CAT operating costs, no consideration is being given to how they can access the data they’re reporting to the CAT repository.12 If this changes in the future, firms should expect additional challenges to emerge, creating more security complexities.
  4. Customized Data Analytics: In keeping data secure and eliminating the need for the SEC or SRO to extract data from CAT, some are suggesting that Thesys Technologies provide data analytic tools to enable analysis to be performed directly in the repository.13

Conclusion 

We believe that the implementation of CAT is an important step forward in regulating the market. As data volumes and complexity continue to soar, transparency in regulatory reporting should continue to be a challenge, and CAT may be a solution to permit more transparency.14 In the face of the challenges CAT introduces and testimony from the subcommittee hearings, supporters believe the challenges are not new and can be adequately resolved in due course.

References

  1. “Subcommittee Examines Cybersecurity of Consolidated Audit Trail,” U.S. House of Representatives Financial Services Committee, Press Release, November 30, 2017. Access at: https://financialservices.house.gov/news/documentsingle.aspx?DocumentID=402734
  2. “SIFMA Requests Delay in CAT In Light of Ongoing Concerns,” SIFMA, November 8, 2017. Access at: https://www.sifma.org/resources/news/sifma-requests-delay-in-cat-in-light-of-ongoing-concerns/
  3. “November 30, 2017 Subcommittee on Capital Markets, Securities, and Investment Hearing Entitled ‘Implementation and Cybersecurity Protocols of the Consolidated Audit Trail’.” United States House of Representatives Committee on Financial Services, Memorandum, November 27, 2017. Access at: https://financialservices.house.gov/uploadedfiles/113017_cm_memo.pdf
  4. “Subcommittee Examines Cybersecurity of Consolidated Audit Trail,” U.S. House of Representatives Financial Services Committee, Press Release, November 30, 2017. Access at: https://financialservices.house.gov/news/documentsingle.aspx?DocumentID=402734
  5. Ibid
  6. “Hearing: Implementation and Cybersecurity Protocols of the Consolidated Audit Trail,” U.S. House of Representatives Committee Repository, Mike Beller Testimony. November 30, 2017. Access at: http://docs.house.gov/Committee/Calendar/ByEvent.aspx?EventID=106686
  7. “Hearing: Implementation and Cybersecurity Protocols of the Consolidated Audit Trail,” U.S. House of Representatives Committee Repository, Chris Concannon Testimony. November 30, 2017. Access at: http://docs.house.gov/Committee/Calendar/ByEvent.aspx?EventID=106686
  8. “Hearing: Implementation and Cybersecurity Protocols of the Consolidated Audit Trail,” U.S. House of Representatives Committee Repository, Tyler Gellasch Testimony. November 30, 2017. Access at: http://docs.house.gov/Committee/Calendar/ByEvent.aspx?EventID=106686
  9. “Hearing: Implementation and Cybersecurity Protocols of the Consolidated Audit Trail,” U.S. House of Representatives Committee Repository, Lisa Dolly Testimony. November 30, 2017. Access at: http://docs.house.gov/Committee/Calendar/ByEvent.aspx?EventID=106686
  10. “House Financial Services Committee Markup,” SIFMA, October 12, 2017. Access at: https://www.sifma.org/resources/general/house-financial-services-committee-markup/
  11. “Hearing: Implementation and Cybersecurity Protocols of the Consolidated Audit Trail,” U.S. House of Representatives Committee Repository, Mike Beller Testimony. November 30, 2017. Access at: http://docs.house.gov/Committee/Calendar/ByEvent.aspx?EventID=106686
  12. “New U.S. trading database to cost industry $50.7 million this year,” Reuters, May 5, 2017. Access at: https://www.reuters.com/article/us-sec-database-costs/new-u-s-trading-database-to-cost-industry-50-7-million-this-year-idUSKBN1811WD?il=0
  13. “Consolidated Audit Trail: The CAT’s Out of the Bag,” Harvard Law School Forum on Corporate Governance and Financial Regulation, July 16, 2016. Access at: https://corpgov.law.harvard.edu/2016/07/16/consolidated-audit-trail-the-cats-out-of-the-bag/
  14. “Hearing: Implementation and Cybersecurity Protocols of the Consolidated Audit Trail,” U.S. House of Representatives Committee Repository, Mike Beller Testimony. November 30, 2017. Access at: http://docs.house.gov/Committee/Calendar/ByEvent.aspx?EventID=106686

 

Newsletter Author: Olutosin Oguntunde, Mairi Bryan

Newsletter Contact Person: Olutosin Oguntunde, Venetia Woo

Copyright © 2017 Accenture. All rights reserved.
