The agency’s proposal for the Consolidated Audit Trail aims to limit the collection of sensitive information as well as to increase protections for information collected.
The SEC has proposed amendments to the national market system plan governing the Consolidated Audit Trail (the "CAT NMS Plan") in an effort to boost CAT data security. The proposed amendments to the CAT NMS Plan seek to limit the scope of sensitive information required to be collected, as well as to enhance the security of the CAT and the protections afforded to CAT data. The SEC’s release notes that the current CAT NMS Plan already sets forth a number of requirements regarding the security and confidentiality of CAT data.
Key features of the proposal. Some of the main elements of the Commission’s proposed amendment to the CAT NMS Plan include:
- defining the scope of the current information security program;
- establishing and maintaining a security-focused working group;
- creating secure analytical workspaces, and directing participants to use these workspaces to access and analyze personal identifying information (PII) and CAT data;
- limiting the amount of CAT data that can be extracted from the central repository outside of a secure analytical workspace;
- imposing requirements related to the reporting of certain PII;
- defining the workflow process that should be applied to govern access to customer and account attributes that will still be reported to the central repository;
- modifying and supplementing existing requirements relating to participant policies and procedures regarding the confidentiality of CAT data;
- refining the existing requirement that CAT data be used only for regulatory or surveillance purposes;
- codifying existing practices and enhancing the security of connectivity to the CAT infrastructure;
- requiring a formal cyber incident response plan to incorporate corrective actions and breach notifications;
- amending reporting requirements relating to firm designated IDs and allocation reports; and
- clarifying that Appendix C of the CAT NMS Plan has not been updated to reflect subsequent amendments to the CAT NMS Plan.
SEC leadership weighs in. In a statement, Chairman Jay Clayton declared, "Data security is an essential pillar of the CAT." He added, "The requirements outlined in the proposal, including requiring the removal of sensitive PII, are designed to both (1) significantly reduce the amount of sensitive data collected without affecting the operational effectiveness of the CAT and (2) provide market participants with greater certainty regarding how CAT data will be protected and used." Chairman Clayton was joined in his statement by Trading and Markets Director Brett Redfearn and Senior Policy Advisor Manisha Kimmel.
In a separate statement, Commissioner Hester Peirce indicated that the proposed rule should have taken the bolder step of confronting what she sees as the CAT’s real and serious liberty implications. She reiterated prior statements that the CAT treats every American as a presumptive wrongdoer, observing that "The CAT will watch everything you do in the securities marketplace, record it for employees of the SEC and self-regulators to monitor, and store it in databases that hackers undoubtedly will attack." The commissioner added, "The discomfort we feel about similar monitoring in other marketplaces is something we should also feel when the government watches our every move in the financial markets."
The public comment period will begin following publication on SEC.gov and remain open for 45 days after publication in the Federal Register.