House Subcommittee Considers CAT Delay
Cybersecurity remains the top concern.
U.S. Securities and Exchange Commission Chairman Jay Clayton declined to delay implementation of the Consolidated Audit Trail in early November. But the House Financial Services Committee’s Capital Markets, Securities, and Investment subcommittee may have other ideas.
In an extended two-hour hearing, subcommittee members quizzed representatives of the CAT Plan Processor, the National Market System Plan, and industry bodies over the necessity of the CAT requiring personally identifiable information, whether there were alternatives to PII that the CAT could employ, and how well the Plan Processor could protect such sensitive data.
The CAT requires PII because its plan calls for the CAT to collect PII, said Mike Beller, CEO of Thesys Technologies, whose Thesys CAT LLC is the Plan Processor, responding to subcommittee chairman Bill Huizenga (MI-R).
Fellow witness Tyler Gellasch, executive director of the Healthy Markets Association, testified that the use of legal entity identifiers or large trader IDs could provide regulators with an elegant method to identify a trade’s beneficial owner without relying on PII, “but that is not how the plan was developed.”
Without access to PII or its alternatives, regulators will still need to glue together Order Audit Trail System data with data from SRO proprietary data feeds and “blue sheets” to detect market manipulation, which it does quite well, he added.
“FINRA has great surveillance capabilities, but without knowing who is doing the trading, you either need a whistle-blower or get lucky scanning the screens to detect market manipulation.”
Chris Concannon, president and COO of Cboe Global Markets, took exception to Gellasch’s characterization of the state of market surveillance and cited that FINRA and the SROs gather thousands of alerts of possible manipulation daily.
“We are well-protected as we build this system, which needs to be perfect,” he said.
When the subcommittee’s questions turned towards whether the Plan Processor could securely maintain the PII that it would receive, Beller said that the CAT plan uses the cybersecurity framework developed by the National Institute of Standards and Technology as well as the best practices developed by the SROs.
The plan calls for PII data to be stored separately from the rest of the CAT data, with only those holding specifically defined roles at the SEC and SROs having access to it, he added.
When subcommittee vice chairman Rep. Randy Hultgren (IL-R) enquired whether the Plan Processor should be subject to the SEC’s Regulation Systems Compliance and Integrity like the SROs, Cboe’s Concannon responded positively.
“Not just because of the PII, but the proprietary trading information that also needs protection,” he said. “It would make sense if everyone in the chain were SCI entities.”
However, it may prove challenging for the Plan Processor to meet Reg SCI and CAT plan requirements in the near term since it remains without a chief information security officer.
Thesys’ Beller cited the difficulty in finding a proper candidate who has the necessary policy, technology, and management experience on whom the Plan Processor and SROs could agree.
The Plan Processor has employed an outside recruiter to develop a list of approximately 23 candidates for the CISO role, he added.
“It’s one of the hottest spaces and a difficult senior position to fill,” said Concannon. “We have a very high standard and are using our own cyber-security experts to evaluate the candidates.”
Throughout the hearing, Lisa Dolly, CEO of Pershing, who testified on behalf of the Securities Industry and Financial Markets Association, said that the sell-side community, which is mandated to submit PII data during the second phase of the CAT’s rollout, still has not received the final technical specifications regarding the cybersecurity aspect of the CAT.
“It would be helpful to have the instructions to build the house we have been asked to build,” she said. “We have a duty to protect investors’ private information.”
Dolly also testified that if the Plan Processor and NMS Plan members decided to replace PII with LEIs or large trader IDs, it would not make much of a technological difference but would still take firms 12 months to implement the necessary changes.
In the meantime, subcommittee member Rep. Warren Davidson (R-OH), who co-sponsored the Market Data Protection Act of 2017, expects to file a follow-up bill, The American Customer and Market Data Protection Act, that would prohibit the Plan Processor from gathering any PII data before the SEC performs a cost-benefit analysis and certifies its cybersecurity protection mechanisms.