Statement

Update on the Consolidated Audit Trail: Data Security and Implementation Progress

Washington D.C.

Today, the Commission proposed amendments to the national market system (“NMS”) plan governing the consolidated audit trail (“CAT NMS Plan”). The proposed amendments are designed to enhance data security related to the ongoing development and operations of the consolidated audit trail ("CAT"). In 2016, the Commission approved the CAT NMS Plan prepared by FINRA and the national securities exchanges (collectively, the “SROs”) which included various security requirements.[1] Today’s proposal would take additional steps to reduce cybersecurity risks and is the latest in a series of Commission actions to move the development of the CAT forward and enhance the CAT’s data security standards and posture, including  by reducing the scope of sensitive data collected.

The CAT’s principal purpose is to enhance regulatory oversight of our securities markets.  Our equities and options markets operate through multiple exchanges and other trading venues, and the CAT is designed to facilitate cross-market oversight and analysis, thereby improving market integrity and investor protection. As discussed below, the proposal and our recent efforts with respect to CAT represent further steps towards our continued goal of implementing a secure CAT in a timely manner that efficiently achieves its regulatory purpose.

Enhancing CAT Data Security

Today’s proposal seeks to accomplish a number of security-enhancing goals including: (1) providing greater oversight, consistency and transparency regarding the appropriate use of CAT data, (2) requiring use of secure analytic workspaces (SAWs) for the analysis of large data sets permitting exceptions only when non-SAW environments are subject to third party security assessments and monitoring, (3) incorporating specific restrictions for the access and analysis of customer and account information including required use of the SAW and a defined workflow, (4) removing sensitive PII from CAT reporting requirements in accordance with the March 2020 PII Exemption Order[2] in order to bring greater certainty to market participants that CAT reporting requirements do not include social security numbers, account numbers and dates of birth, and (5) preserving and enhancing existing security requirements.[3]

The net result of these changes would be a more secure CAT, operating without sensitive PII. Importantly, these changes would not affect the regulatory value of CAT. While these improvements are substantial, they should not represent the conclusion of the Commission’s consideration of the sufficiency of CAT’s data security. It is important that the Commission, the SROs, and the plan processor continuously evaluate the approach to the protection of customer and other sensitive data, as development and operation of the CAT proceeds, including in light of changing circumstances.  

CAT Implementation Progress

The 2016 CAT NMS Plan set forth deadlines for the CAT’s implementation beginning in November 2017, but the SROs were unable to implement an operational CAT by the timelines established in the original Plan or subsequent deadlines. Given the importance of CAT for the securities markets, addressing these delays has been a particular focus of ours,[4]  along with staff in the Division of Trading and Markets as well as our other divisions and offices.[5] That collective focus has resulted in a series of Commission actions designed to help move CAT from concept to reality.

More specifically, the Commission has issued several exemptive orders,[6] and CAT has an established timeline for broker-dealer reporting and several operational issues have been addressed. Additionally, with the Commission’s approval of the financial accountability amendments[7] in May 2020, the SROs will be working towards meeting four critical implementation milestones that include regulator and reporter functionality, and will have financial accountability if deadlines are not met.

We are pleased to report that we have seen concrete progress with respect to CAT implementation in recent months. The SROs and the industry have achieved key milestones, including the start of equities reporting on June 22, 2020 and the start of options reporting on July 20, 2020. While we are encouraged by this progress, substantial work remains, and we will continue to work with the SROs and industry participants in their efforts to meet future implementation and financial accountability milestones within the required error rates.

One of the outcomes of CAT implementation that has been discussed is the enhanced availability of cross-market order lifecycle data. This enhancement, as a matter of operational capability, will enable multiple SROs to have access to cross-market data previously unavailable to them. While a number of factors may impact the availability and use of cross-market data, including existing regulatory coordination agreements and security considerations, regulatory coordination may evolve over time. We remain receptive to feedback and recommendations on regulatory coordination among the SROs.

Conclusion

We believe today’s proposal on CAT data security is a significant step towards further enhancing the security of CAT data and systems as well as the development and implementation of the CAT more generally. As we move forward with CAT implementation, we hope to see the progress made over the past several months continue, including as a result of constructive efforts among SROs and industry participants partnering to meet future milestones and establish an operational and secure CAT.  

 

[1] The security features required by the CAT NMS Plan include, among other things: (1) the encryption of customer data and all other CAT data, as well as a System Security Plan; (2) adherence to the NIST 800-53 security standards, a set of security and privacy controls for federal information systems and organizations; (3) incorporation of tools that will enable logging, auditing and access controls for the CAT system; (4) secure methods of connectivity; and (5) development of a Cyber Incident Response Plan.

[2] Securities Exchange Act Release No. 88393 (March 17, 2020), 85 FR 16152, (March 20, 2020) (“PII Exemption Order”).

[4] In January 2019, Manisha Kimmel was named Senior Policy Advisor to the Chairman to coordinate the SEC’s oversight of the SROs creation and implementation of the CAT. See https://www.sec.gov/news/press-release/2019-5.

[5] The Division of Economic and Risk Analysis (DERA), Office of Compliance Inspections and Examinations (OCIE), Division of Enforcement and Office of Information Technology are also actively involved in CAT implementation, among others.

Last Reviewed or Updated: Aug. 21, 2020