Memo #32324

SEC Chairman Clayton Directs Staff to Provide Recommendations on Consolidated Audit Trail Data Security



March 26, 2020

TO: Chief Information Security Officer Committee
Equity Markets Advisory Committee
Technology Committee

RE: SEC Chairman Clayton Directs Staff to Provide Recommendations on Consolidated Audit Trail Data Security

 

On March 17, SEC Chairman Jay Clayton issued a public statement on issues related to the consolidated audit trail (“CAT”).  In addition to highlighting recent CAT-related regulatory relief measures,[1] Chairman Clayton announced that he has called upon SEC staff to prepare a recommendation for how the SEC might improve the data security requirements in the CAT NMS Plan this year.[2]

Chairman Clayton has asked staff to focus upon the following data security-related points in their recommendation:

  • whether alternatives exist to “bulk downloading” data by each SRO that would better secure CAT data;
  • the risks of proliferation of CAT data across multiple environments;
  • whether there are additional data security issues regarding the use of CAT data for regulatory purposes that should be addressed;
  • how access to customer and account information will be addressed to restrict access to the greatest extent possible, while still preserving the ability to achieve regulatory purposes;
  • whether oversight of Plan Processor security decisions is effective and comprehensive;
  • the extent to which there can be additional transparency regarding the security of CAT and the use of CAT data without making the system vulnerable to bad actors; and
  • whether there are additional security measures that would enhance the security of CAT data, both within and outside of the CAT system.

ICI continues to advocate for greater clarity regarding the infrastructure of the CAT NMS Plan, including the data security measures to be implemented by the plan. Specifically, ICI has requested clarity from FINRA CAT on (i) the relationship between FINRA CAT and FINRA and where independent oversight of security controls will be performed; (ii) the most salient perceived and modeled threats to CAT data and FINRA CAT’s plan to counter those threats; (iii) the parameters regarding data to be extracted from the CAT and the protections around the extracted data; and (iv) FINRA CAT’s breach notification policies and procedures.

 

Nhan Nguyen
Counsel, Securities Regulation

endnotes

[1] The SEC issued an order on March 17 providing conditional relief exempting SROs from collecting or retaining certain retail customer data.  Securities Exchange Act Release No. 34-88393 (Mar. 17, 2020), available at https://www.sec.gov/rules/exorders/2020/34-88393.pdf.  On March 16, the SEC’s Division of Trading and Markets issued staff no-action relief for SROs from CAT implementation deadlines based on ongoing issues related to COVID-19.  Consolidated Audit Trail Reporting (Mar. 16, 2020), available at https://www.sec.gov/divisions/marketreg/mr-noaction/2020/consolidated-audit-trail-reporting-031620.pdf.

[2] Update on Consolidated Audit Trail; Temporary COVID-19 Staff No-Action Letter; Reducing Cybersecurity Risks (Mar. 17, 2020), available at https://www.sec.gov/news/public-statement/statement-clayton-cat-covid-19-nal-cybersecurity-2020-03-17.