Broker-dealer firms aren’t confident the SEC’s consolidated audit trail (CAT) – a single, comprehensive database expected to store an unprecedented amount of sensitive trade data and personal identifiable information (PII) – is secure, according to testimony delivered before the U.S. House of Representatives.

“There is concern remaining over the security of privacy issues … The technical specifications that have been released to date do not, alarmingly, include many details around data security and protection,” Lisa Dolly, Pershing CEO and Sifma board member, said at a November 30 hearing on the implementation and cybersecurity protocols of the CAT before the U.S. House of Representatives’ Subcommittee on Capital Markets, Securities and Investments. Dolly testified on behalf of Sifma and its member broker-dealer firms.

National securities exchanges, Finra, alternative trading systems and broker-dealer firms have been required to submit information on trading activities – including customer information and prices – to the CAT daily since November 15 of this year. Large broker-dealers will be required to start submitting information to the CAT by November 15, 2018, while small broker-dealers are expected to do so by November 15, 2019.

The CAT is expected to take in 58 billion records daily – including orders, cancellations, modifications, executions and quotes for the equities and options markets – and maintain data for more than 100 million customer accounts and their unique customer information, according to parties involved in the CAT.

At the hearing, subcommittee chair Rep. Bill Huizenga, R-MI, said the CAT is expected to be “the world’s second largest database, behind only the NSA” and he has “very serious concerns” over the security of the PII in the CAT. He said insufficient data controls could undermine investors’ confidence in U.S. capital markets.

Among the top concerns of broker-dealer firms -- voiced by Dolly and echoed by Huizenga and most of the other legislators present at the hearing -- is the delay in hiring a chief information security officer (CISO), a critical role in ensuring cybersecurity, for the CAT.

Defending the absence of a CISO for the CAT, Mike Beller, CEO of Thesys Technologies, which built and operates the central repository of the CAT, said the hiring for this role – a position which will have a fiduciary responsibility for the CAT – needs to be a collaborative effort between Thesys and the SROs. He notes that they have not yet agreed on a candidate out of the 24 individuals on a shortlist.

“The role is a very challenging role to fill,” he said, noting there are expectations of policy, technology, and management skills and capabilities from this individual.

Dolly said broker-dealer firms are also worried that too many people will have access to information stored in the CAT. She noted that the SEC and 22 SROs will be allowed to “download any or bulk data from the CAT onto their system,” with access allowed for up to 3,000 users.

Beller tried to assuage those concerns by explaining there are security measures in place for the CAT. He said that while trade data will be stored in the cloud, PII will be “completely segregated” and kept in physical storage facilities in Illinois and New Jersey. He added that employees and contractors will undergo background checks and fingerprinting, and only “empowered” users will have access to the PII. In addition, there will be physical security in the CAT facilities, and data in transit and stored in the CAT will be encrypted.

Dolly said broker-dealer firms still believe the implementation of the CAT should be delayed so the SEC can examine whether storing PII in the CAT is actually necessary. And if it is indeed required, then “it is absolutely imperative” the CAT data security protocol must be “strong and secure,” said Dolly. Sifma believes collecting PII “creates tremendous risk in the event of a breach.”

Even Chris Concannon, president and COO of the Chicago Board of Options Exchange (CBOE), said he is worried about the risks of storing PII, adding he is “very interested in exploring alternatives to PII,” such as assigning a large trader ID number.

A delay in the CAT implementation will also give broker-dealer firms more time to prepare for the requirements, Dolly said. Sifma says the current funding model for the CAT imposes the “vast majority of the building and operational costs” on broker-dealer firms. Huizenga said the SEC has estimated initial CAT implementation costs would amount to $2.4 billion, and its annual upkeep would cost around $1.7 billion.

On November 13 – two days before the SROs were required to start submitting data to the CAT – the SROs appealed to the SEC to delay their deadline by a year, and the other deadlines by a year or two. The SEC had already denied this request but SEC Chairman Jay Clayton said the need for PII was being reviewed.

Lisa Dolly

Huizenga said he believes the PII requirement is “most troubling” because requiring an investor’s Social Security number, address, date of birth and other sensitive data could leave them vulnerable to attacks similar to the cyberbreaches at the SEC’s Edgar automated document filing system and at Equifax.

In August the SEC learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading. Equifax, meanwhile, suffered a data breach between mid-May and July which exposed the personal information of around 146 million consumers.

“Even the SEC was a victim of data breach,” he said. “Concerns regarding data security are not unfounded.”

Meanwhile, draft legislation entitled “The American Customer and Market Information Protection Act” is pending before the subcommittee on Capital Markets, Securities and Investments. It would require safeguards so the CAT can be implemented within a reasonable timeline while also requiring the SEC to perform a cost-benefit analysis of the CAT to ensure the collection of PII outweighs the costs of potential harm.

Tyler Gellasch, executive director of the Healthy Markets Association, is against any delay in implementing the CAT. The group is made up of buyside firms – including large asset managers, pension plans and hedge funds – seeking to promote data-driven reform in the U.S. equity market structure.

“Exchanges and Finra have not provided new info as to why the provider they selected [Thesys] and the expectations and standards that they set are somehow inadequate,” he said.

Gellasch suggested detractors of the CAT are simply playing on “convenient public fear” to try and derail the CAT. The draft legislation to require the SEC to produce a cost-benefit analysis of the CAT would “leave it tied up in legal complexity for years … if it doesn’t kill [it] in entirely,” he said.

CBOE’s Concannon balked at that suggestion. “The evidence is pretty clear that we’re not exploiting public fear when we see so many breaches that are taking place,” he said.

The CAT was created in response to the flash crash of May 2010, which saw up to $1 trillion in the value of U.S. stocks erased in a matter of minutes before markets rebounded. It took five months before the SEC and the Commodity Futures Trading Commission completed a report on their investigation of the flash crash, which placed the blame on one trader in London.

The CAT is intended to give the SEC and SROs the ability to monitor, analyze and investigate trading activities in the equities and options markets on a consolidated basis with the end goal of better protecting investors. The current CAT plan was prepared by the SROs and approved by the SEC in November 2016.