? Supporters say the Securities and Exchange Commission's consolidated audit trail will revitalize a system not equipped to hold the volumes of data generated by modern markets.
? Cyber concerns over the CAT are understandable, according to the head of the company building it.
? Access to personally identifiable information, including investors' Social Security numbers, will be "isolated" in the CAT.
In the wake of a series of high-profile hacks, the Securities and Exchange Commission plans to push forward with its securities data repository, the consolidated audit trail. The system has faced mounting concerns from lawmakers and Wall Street institutions as companies review their own safeguards.
With self-regulatory organizations expected to begin reporting to the system Nov. 15, the worries over the CAT and its security have thrust the industry's attention onto Thesys Technologies, an eight-year-old market technology company that is creating the CAT through its wholly owned subsidiary Thesys CAT LLC. In January, the company was tapped to build and operate the system over other bidders like Google and Amazon Web Services. The CAT is expected to be fully operational in 2019.
Thesys Technologies CEO Mike Beller sat down with S&P Global Market Intelligence to discuss how the company secured the CAT bid and to respond to the industry's security concerns.
The following is a transcript of that conversation edited for length and clarity.
Mike Beller, CEO of Thesys Technologies
S&P Global Market Intelligence: What will the CAT provide to markets and the SEC? Do the benefits of the system still outweigh the concerns over the CAT's cybersecurity that lawmakers and executives are raising?
Mike Beller: Our mission is better markets through technology. Part of that mission is making sure that regulators have the appropriate visibility into the markets, and they don't now. They're running on a regulatory system that's 15 [or] 20 years old, was clunky when it started and was not designed for the enormous amount of data that we produce today. An upgrade is necessary if we want to continue to have the best markets.
I'm hearing concerns [that] when you collect data you have to make sure that other people can't get at it. That's a very valid concern. But Thesys was selected for this job partially because of the strength of its approach to cybersecurity and its innovative way of looking at it. Before people were even talking about it, the first thing out of the doorway were three principles: Make it secure, make it useful and make it easy to report to. We developed innovative approaches to cybersecurity to make the systems hard to penetrate, [and] even if it's penetrated, to reduce the consequences.
If you build a big database, and all it is is a big database, then all the regulators are going to have to build their own systems in order to extract all the data and run their own analysis. Our view is that the CAT should have all the tools in it that it needs for regulators to do their jobs. By doing that, you reduce the need for them to remove data from the [system].
The CAT is a new type of system. It's not what we have right now, and it's worth building.
Are there any plans right now to expand the CAT beyond just equities and options markets?
In the bidding process, there were questions at least about the possibility of, for example, putting other asset classes into the CAT. But the current plan does not make those concrete for now.
When fully operational, the CAT will hold millions of investors' personally identifiable information, including Social Security numbers. The inclusion of such data has been highly criticized, including by New York Stock Exchange President Thomas Farley. Why include the personally identifiable information?
If there's no way to identify who's doing the trading, then certain types of maleficence become difficult to detect.
What's being glossed over is the nuance versus the general concept. You could make some big, scary statement like "my daughter's [personally identifiable information] will be in this thing," but I don't think that's particularly helpful when it gets down to what's actually going on.
Personally identifiable information would be isolated to a very small portion of the system, and we'll have all different types of safeguards. It won't just be provided willy-nilly with every query that happens to the CAT. There's a layered approach to security, and at the very highest level is the protection of the [personally identifiable information].
If the SEC did decide to delay the CAT's rollout until the cybersecurity measures of the self-regulatory organizations, Thesys and the SEC were all satisfactory, what would that mean for the CAT and its launch?
If the SEC were to delay, that would be fine. And if they were to go forward, that would be fine.
Thesys won the CAT bid in January over companies like Google and Amazon known for not only their technical prowess but also their ability to hold data. What do you think put Thesys over the edge to win the bid?
In the end, I think it's almost symptomatic of a problem that's going on in the financial industry right now. Silicon Valley is innovating on pure tech but doesn't understand the needs of [the financial industry]. At the other end of the spectrum, there are a lot of players involved in the bidding process who understand finance, but are really far away from the advances in technology. Thesys was a firm that sat right at the nexus of the most advanced trading, [regulatory] technology and market knowledge.
We had practitioners of the markets, who also happened to be deeply skilled practitioners of advanced technology like big data technology and cloud technology. By combining those heads together in one place, we had a unique perspective, and we were thought leaders throughout the bidding process. We were always pushing forward on what the CAT should be, or could be, relative to just the next version of the existing system.