Update on Consolidated Audit Trail; Temporary COVID-19 Staff No-Action Letter; Reducing Cybersecurity Risks
March 17, 2020
The consolidated audit trail (“CAT”) is intended to enhance regulatory oversight of our securities markets. Our equities and options markets operate through multiple exchanges and other venues and the CAT will facilitate cross-market oversight and analysis, thereby improving investor protection and market integrity. The CAT NMS Plan governing the CAT was approved in November 2016 and required the development of the CAT by FINRA and the national securities exchanges (collectively, the “SROs”). According to the CAT NMS Plan, broker-dealers were to start reporting to the CAT by November 2018. While the SROs were unable to establish an operational CAT by November 2018, the SROs have made progress with respect to testing in advance of broker-dealer reporting including opening the test environment for broker-dealer reporting in December 2019 and continued roll-out of functionality into that environment earlier this year.
Temporary COVID-19 Staff No-Action Letter
At this time, a wide range of broker-dealers are actively testing and refining their ability to report to the CAT. COVID-19’s impact on market participants, including the need for SROs and broker-dealers to implement their business continuity plans, has placed stress on their information technology infrastructure and required the deployment of significant resources to implement and adapt those plans. To allow firms to maintain focus on operational readiness and reduce operational risk, SEC staff has issued a no-action letter regarding the SROs’ enforcement of their CAT compliance rules through May 20, 2020, so that personnel who are working on CAT matters but are also important to maintaining critical operations and implementing business continuity plans can focus their attention on those immediate needs.
Reducing CAT Cybersecurity Risks
While the SEC staff has provided a temporary no-action letter with respect to certain CAT compliance rules in response to COVID-19’s impact on market participants, the SEC remains committed to establishing a fully operational CAT. It is important that CAT implementation becomes a reality. A critical step towards doing so is ensuring the protection of sensitive information submitted to the CAT, particularly retail investors’ personally identifiable information. This issue has been, and will remain, of paramount importance.
I believe the CAT’s regulatory objectives can be achieved without collection of the most sensitive pieces of retail investor information. It is important to minimize the impact of any potential data breaches, while also evaluating the need for cybersecurity improvements to the CAT.
To that end, today the Commission issued relief that exempts the SROs from collecting or retaining certain retail customer data, including (1) individual social security numbers or individual taxpayer identification numbers (collectively, “SSNs”); (2) dates of birth; and (3) account numbers. Instead of including these most sensitive pieces of personally identifiable information in the CAT, broker-dealers would be required to report an account holder’s name, address, and birth year. Given the limitation of personally identifiable information to “phone book”-type information, I believe this represents an important step in significantly reducing the risk of retail investor identity theft associated with the CAT. This is a significant step towards standing up the CAT.
Additionally, I understand and share the concern regarding the risk and impact of potential data breaches.
While the CAT NMS Plan currently has extensive security requirements, I believe we can and should consider taking additional steps to ensure the security and confidentiality of CAT data, including in response to developments in data systems and cybersecurity since the 2016 adoption of the CAT NMS Plan. I have asked the staff to prepare a recommendation for the Commission on improving the data security requirements in the CAT NMS Plan this year. In developing the recommendation, I have asked that staff consider the following questions:
- Are there alternatives to “bulk downloading” data by each SRO that would better secure CAT data?
- What are the risks of proliferation of CAT data across multiple environments?
- Are there additional data security issues regarding the use of CAT data for regulatory purposes that should be addressed?
- How will access to customer and account information be addressed to restrict access to the greatest extent possible while still preserving the ability to achieve regulatory purposes?
- Is oversight of Plan Processor security decisions effective and comprehensive?
- To what extent can there be additional transparency regarding the security of CAT and the use of CAT data without making the CAT system vulnerable to bad actors?
- Are there additional security measures that would enhance the security of CAT data, both within and outside of the CAT system?
We will continue to closely monitor the impact of COVID-19 on our markets more generally as well as on the roll-out of CAT. In addition, with the issuance of the cybersecurity-enhancing exemptive relief, we take another significant step towards a more secure CAT. As we look towards further efforts in this area, I believe we should continue to have data security as our priority while preserving the intended regulatory value of CAT.
Birth year information is included, among other reasons, to facilitate the detection of senior investor fraud.
The security features required by the CAT NMS Plan include, among other things: (1) the encryption of customer data and all other CAT data, as well as a System Security Plan; (2) adherence to the NIST 800-53 security standards, a set of security and privacy controls for federal information systems and organizations; (3) incorporation of tools that will enable logging, auditing and access controls for the CAT system; (4) secure methods of connectivity; and (5) development of a Cyber Incident Response Plan.
See U.S. Sec. and Exch. Commission Agency Rule List (Fall 2019), available at https://www.reginfo.gov/public/do/eAgendaMain?operation=OPERATION_GET_AGENCY_RULE_LIST&currentPub=true&agencyCode=&showStage=active&agencyCd=3235