The Securities and Exchange Commission's long-awaited consolidated audit trail may be in trouble as lawmakers and industry participants grow wary over its cybersecurity.
Key members of the U.S. House Financial Services Committee urged SEC Chairman Jay Clayton for a review, or even a delay, of the system, which would be the world's largest data repository for securities transactions. Scrutiny of the consolidated audit trail, or CAT, has intensified in recent weeks following a string of high-profile hacks into the SEC's corporate filing system and credit monitoring agency Equifax Inc.
"I urge the SEC again to delay its implementation date until the Commission can ensure that the appropriate safeguards and internal controls are in place to protect this data," Committee Chairman Rep. Jeb Hensarling, R-Texas, said during the Oct. 4 hearing with Clayton. "The SEC has only one chance to get this right. Please make sure you do."
When fully operational in 2019, the CAT will house data on every financial transaction in U.S. equities and options markets, tracking about 58 billion records daily. The system will also hold investor information including names, addresses and Social Security numbers.
The system was designed as a response to the 2010 flash crash, a massive free fall for stocks that recovered minutes later. The SEC's review of the flash crash took much longer than expected, largely because of its inability to monitor the market's entire scope, according to Spencer Mindlin, an analyst with research and advisory company Aite Group.
Self-regulatory organizations such as stock and options exchanges are set to begin reporting data to the CAT on Nov. 15. The SEC has not yet said it will delay the CAT, but Clayton expressed concern over the amount of data it will hold and its rapidly approaching rollout.
"I don't want information unless we need it for our mission," Clayton said at the hearing. "What information are we taking in that's sensitive? Do we need it to fulfill our mission? And can we protect it? We're not going to take [the information] until those questions with respect to the SEC are answered to my satisfaction."
On Oct. 5, Rep. Warren Davidson, R-Ohio, and Rep. Brad Sherman, D-Calif., introduced the Market Data Protection Act in the House to ensure exchanges, the Financial Industry Regulatory Authority and Thesys Technologies LLC bolster the CAT's cybersecurity measures for investor data. Thesys, a Tradeworx Inc. unit, was contracted in January to build out the CAT.
"The whole country is focused on the security of financial data," Sherman said in an interview.
The renewed scrutiny on the CAT was prompted by a hack into the SEC's own EDGAR filing system, which exposed the personal information of two individuals. The EDGAR hack has made some industry participants reluctant to send data to CAT without reassurances. An SEC spokesperson declined to comment for this story.
"When it comes to cybersecurity, your security is only as strong as your weakest link. All eyes are on the SEC now being that weak link," said Richard Johnson, vice president of market structure and technology for advisory company Greenwich Associates, in an interview. "The EDGAR hack hopefully was a wake-up call for the SEC."
As the CAT's security comes under fire, Thesys is including the "latest cybersecurity best practices" into the system, a Thesys spokesperson said. The security system is "exceptionally secure," the company said.
But the U.S. exchanges overseeing the Thesys contract are now reportedly weighing a delay as well, according to The Wall Street Journal, which reported that Thesys CAT has not met certain data-security markers. The exchanges have not requested a delay yet but would not hesitate to do so, according to the report.
When reached for comment, Thesys disagreed with the report, which it said mischaracterized its performance. "Thesys was selected in part because of its unique vision on how to keep CAT secure as well as how to make it useful and cost-effective," Thesys Technologies CEO Mike Beller said in a statement. "Getting the security right is our top priority."
Even if a delay does occur, the CAT is expected to move forward eventually after more than seven years in development.
"It's not like this isn't going to go forward just because it's a concentrated security risk," Patrick Flannery, co-founder and CEO of market technology company Maystreet, said in an interview. "[Making] it much easier to understand market events is good for regulation. If you can reduce the latency, or the time it takes to iterate and understand events, it'll make regulators more effective."