H.R. 3973 requires the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), and the operator of the Consolidated Audit Trail (CAT), in consultation with the SEC’s Chief Economist, to develop comprehensive internal risk control mechanisms to safeguard and govern the storage of market data, market data sharing agreements, and academic research using market data. The legislation also prohibits reporting of market data to the Consolidated Audit Trail until the operator has developed those internal control mechanisms.
In April 2016, the Government Accountability Office identified weaknesses in the SEC’s information security controls and noted the agency’s failure to implement an agency-wide information security program. In May 2017, Chairman Clayton initiated an assessment of the SEC’s internal cybersecurity risk profile. According to the Committee, both reports have cast further doubt on the reliability of data security and cybersecurity at the SEC.
Largely in response to the 2010 Flash Crash, on November 15, 2016, the SEC approved a plan for the Consolidated Audit Trail (CAT) system, which will collect and identify every order, cancellation, and trade execution for all exchange-listed equities and options across all U.S. markets. On November 15, 2017, self-regulatory organizations will be required to start reporting data to the CAT, with broker-dealers reporting information beginning in November 2018.
Many have voiced concerns about the amount of personally identifiable information (PII) the CAT will be required to collect, how that information will be secured, and who will have access to it. According to the Committee, some 3,000 individuals, including SEC staff members, will have access to the CAT data, and the SEC is not required to follow the same security protocols as the CAT plan participants.
On September 20, 2017, Chairman Clayton issued a statement on cybersecurity in which he revealed that a cyber breach “previously detected in 2016 may have provided illicit gain through trading.” Specifically, a software vulnerability in the test filing component of the SEC’s Electronic Data Gathering, Analysis, and Retrieval (“EDGAR”) system resulted in access to nonpublic information. Further, Chairman Clayton revealed that personally identifiable information, including names, dates of birth, and Social Security numbers, was compromised for two individuals. Given the breach at the SEC and the volume of data that will be collected under the CAT, this legislation directs the SEC and FINRA to develop comprehensive internal risk control mechanisms to safeguard market data.