November 30, 2017
House Financial Services Capital Markets Subcommittee “Implementation and Cybersecurity Protocols of the Consolidated Audit Trail”
Key Topics & Takeaways
- Consolidated Audit Trail (CAT) CISO: Representatives had numerous questions about the unfilled Chief Information Security Officer (CISO) position for the CAT. The CISO is a critical position for the success of the CAT, and Thesys CEO Mike Beller assured the committee that the exchanges and Thesys are currently evaluating candidates for the CISO role.
- Data Security: Much of the discussion at the hearing concerned the safety of data submitted to CAT, particularly the safety of personally identifiable information (PII). Many Representatives from both parties expressed concern that the data reported to the CAT could be compromised, and pressed witnesses for information about data security in CAT. There was also discussion about the bulk downloads of data, the merits of requiring CAT plan participants to develop their own internal controls, and the viability of alternatives to PII.
- CAT Implementation Issues: Thesys’s CEO fielded numerous direct questions about the delays in implementation for the CAT. It was frequently noted that reporting to CAT was supposed to begin in mid-November of this year, but that the exchanges required to begin reporting at that time have asked for an extension to deal with outstanding data security concerns (such as the CISO vacancy). Lisa Dolly, testifying on behalf of SIFMA, also used the hearing to call on CAT plan participants to work with the broker-dealer community on the technical specifications for reporting data to the CAT, noting that building compliant reporting systems will take broker-dealers at least a year and will be a complex process. Dolly also noted that technical specifications have yet to be shared with reporting broker-dealers.
- H.R. ____, “American Customer and Market Information Protection Act”
Witnesses
- Mike Beller, CEO, Thesys Technologies, LLC
- Chris Concannon, President and COO, Chicago Board Options Exchange
- Tyler Gellasch, Executive Director, Healthy Markets Association
- Lisa Dolly, CEO, Pershing, on behalf of the Securities Industry and Financial Markets Association
Subcommittee Chairman Bill Huizenga (R-Mich.)
In his opening statement, Huizenga outlined the inception and creation of the Consolidated Audit Trail (CAT) by the Securities and Exchange Commission (SEC) and noted that the CAT will gather a vast amount of data on equity orders throughout their lifecycle, including cancelled orders. Huizenga discussed the selection of Thesys as plan processor and noted that the self-regulatory organizations (SROs) subject to CAT (in short, the exchanges) recently missed a November 15th deadline to begin reporting (and he noted that broker-dealers are required to start reporting in one year’s time). Huizenga expressed several concerns about the CAT, including its cost ($2.4 billion in initial costs, followed by a $1.7 billion expected annual cost). He also expressed concern about the CAT’s collection of personally identifiable information (PII), especially considering the hack of the SEC’s Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system.
Huizenga discussed the discussion draft of a bill called the American Customer and Market Information Protection Act, which would require the SEC, each SRO involved in the CAT National Market System (NMS) Plan, and the plan processor (Thesys) to develop internal risk control mechanisms to safeguard information reported to or accessed from the CAT. The bill would also require the SEC to conduct a cost-benefit analysis on the collection of PII before certifying the CAT. Huizenga closed his opening statement by saying that the SEC “can’t afford to get [CAT implementation] wrong.”
Subcommittee Ranking Member Carolyn Maloney (D-N.Y.)
In her opening statement, Maloney discussed the “Flash Crash” of 2010, which she alleged had a major and lasting effect on investor confidence in US capital markets. She noted that it took numerous agencies a long time to put together a report on the Flash Crash, due to the lack of a central depository for trade data for US equity and fixed income markets. She deplored the fact that while the CAT was initially proposed in 2010, there is still no functional audit trail, describing this as “an American scandal.” She criticized the actors involved in creating the CAT for missing deadlines and requesting delays. She expressed support for SEC Chairman Clayton’s push to get the CAT operational as soon as possible.
Mike Beller, CEO, Thesys Technologies, LLC
In his testimony, Beller called the CAT a “vital step forward” for US capital markets and noted that the final rule creating the CAT was enacted with bipartisan support. Beller discussed the process through which Thesys won the SROs’ contract to be the CAT plan processor, and defended the CAT as necessary to catch bad actors while dramatically reducing the amount of resources regulators need for enforcement. Beller described Thesys’s steps to build cybersecurity measures into the CAT at each stage, and said Thesys built the CAT with a “security first” mindset. Beller also briefly discussed the internal protection mechanisms and breach detection capabilities that the CAT will have.
Chris Concannon, President and COO, Chicago Board Options Exchange (Cboe)
In his testimony, Concannon outlined Cboe’s business lines and discussed his firm’s (as well as other SROs’) reporting requirements under the CAT. He also described the resources Cboe has expended on the creation of the CAT, and said that all the SROs have been working “diligently” on the audit trail. Concannon outlined the development of the CAT thus far, but conceded that “work on the CAT is not complete” and said the SROs believe more secure controls are needed for the audit trail in light of several high-profile data breaches. Concannon said the SROs’ proposed revised schedule for implementation accounts for data security needs. Concannon also expressed concern about storing PII in the CAT and expressed interest in exploring alternatives to PII.
Tyler Gellasch, Executive Director, Healthy Markets Association
In his testimony, Gellasch argued that “informed regulators and investors” are critical for healthy markets and said that the hearing is about whether “for-profit market participants” will be able to “exploit public fear” to delay the creation of the CAT. Gellasch contended that the SROs and FINRA have not provided any information about why the data requirements in the CAT plan are now insufficient to protect data, and said that regulators need data that can identify end beneficiaries of trades to catch market manipulators and insider trading. Gellasch also criticized the NMS plan process used to build the CAT, saying the SEC has outsourced key regulatory functions to the SROs, who have in turn failed to meet numerous deadlines (including the November 15th deadline for exchange reporting to CAT). Gellasch criticized the draft legislation, saying the SEC is unprepared to certify the safety of the CAT and questioning if such a certification would inoculate Thesys from liability. He also criticized the SEC for delaying a decision on the CAT’s funding model. He closed by calling on the CAT to also include information about futures, and called on Congress to “end the NMS Plan” process that was used to build the CAT.
Lisa Dolly, CEO, Pershing, on behalf of the Securities Industry and Financial Markets Association
In her testimony, Dolly said that a secure and operational CAT would have great value to US capital markets, but noted that there are numerous implementation issues that have yet to be addressed. Dolly provided an overview of the type of information that will be gathered in the CAT, but noted that the technical specifications related to CAT reporting have yet to be released to broker-dealers. Dolly also pointed out that Thesys and the SROs have yet to hire a Chief Information Security Officer (CISO) to oversee the CAT plan, and that having a CISO is a major component of the CAT NMS plan. Dolly said the CAT should be delayed so that the SEC can examine the need to include PII in the CAT, and to provide more time to develop better data security policies and procedures. Dolly also drew attention to the large number of users who will have access to CAT data, as well as their ability to conduct bulk downloads of this data, and said the SROs need to have internal risk controls to prevent extracted CAT data from being compromised. Dolly said the draft legislation under consideration by the committee would be beneficial for the CAT as well. Dolly closed by pointing out that broker-dealers have yet to receive their reporting technical specifications and said that the industry will need at least one year to build systems that can comply with the CAT.
Question & Answer
Huizenga asked the first of many questions from Members about the current CISO vacancy for the CAT. Beller said that the CISO must be hired collaboratively with the SROs and will be responsible to the CAT plan, not to Thesys. Beller said that the SROs and Thesys have yet to agree on a candidate. Huizenga (and other members, including Maloney) strongly encouraged the SROs and Thesys to hire a CISO for the CAT quickly. Later in the hearing, Beller described hiring a CISO as the largest outstanding step for Thesys to meet the cybersecurity requirements outlined in the CAT NMS plan.
Rep. Warren Davidson (R-Ohio) asked Beller who is currently serving as CISO, and Beller said that several individuals are currently filling in for different aspects of the CISO role. Concannon said that Thesys and the SROs have interviewed several candidates, but said that it is a difficult role to fill due to the large amount of responsibility the position will have. Rep. Brad Sherman (D-Calif.) also asked Beller to describe the search process for a CISO. Davidson later asked Beller who will be responsible for verifying that Thesys is complying with the CAT plan’s requirements, and Beller said that the CISO will be responsible for that.
Much of the discussion at the hearing concerned the safety of data submitted to CAT (particularly the safety of PII). Rep. Randy Hultgren (R-Ill.) asked Dolly for her thoughts on what could be done to address concerns that trade data submitted to the CAT could be compromised, allowing market manipulators to reverse engineer trading strategies or take advantage of certain positions. Dolly noted that many of Pershing’s clients have their own trading strategies that Pershing wants to protect, and she criticized the SROs for not sharing their data protection plan with other reporting entities. Rep. David Scott (D-Ga.) also asked Dolly to describe short-term steps that could make firms more confident in CAT. Dolly replied that the SROs should work with broker-dealers to develop technical specifications for CAT reporting. Scott also asked if PII should be collected at all, and Dolly (and others) noted that PII will not be collected until later in the CAT implementation process. Dolly (and others) also noted that legal entity identifiers (LEIs) and large trader identities were possible alternatives to PII.
Rep. Bill Foster (D-Ill.) had numerous questions about data security as well, specifically relating to the query function that will be used to parse CAT data for market surveillance purposes. Beller pointed out that only regulators will be able to query the data, and that queries on trade data will not return PII. Beller pointed out several times that PII will be stored separately from trade data and will only be narrowly accessible on a need-to-know basis. Foster pointed out that if PII is necessary to identify insider trading patterns, the separation of data types is essentially “illusory.”
In the second round of questions, Hultgren asked Beller about the security of information downloaded from the CAT to external servers. Beller noted that the NMS plan required the SROs be given the ability to remove data from the system, and said that Thesys does not control the data once it leaves the system.
Davidson also asked Dolly about the importance of protecting downloaded data. Dolly said that every access point creates a potential vulnerability for CAT data, so all entities with access to this data should have some requirement to certify their own security measures.
CAT Implementation Issues
Maloney asked Beller directly for an explanation about why the CAT has taken so long to build. Beller said that it is a complex system that requires unanimity amongst many stakeholders for many decisions, and defended Thesys’s work on the audit trail thus far.
Rep. David Scott noted that several witnesses’ testimony acknowledges that the work on the CAT is incomplete and delayed, and asked for information about data security measures being taken by the CAT. Concannon assured the Congressman that the SROs are “hard at work” developing the necessary defenses.
Maloney asked Gellasch to elaborate on the draft legislation, and Gellasch argued that the cost-benefit analysis required by the draft legislation is a delaying mechanism of little value to the CAT. Gellasch also said that collection of PII is important to identify who is placing trades and is critical for market surveillance.
CAT Technical Specifications
Rep. Ted Budd (R-N.C.) asked Dolly to describe the information about technical specifications that has not yet been shared with reporting broker-dealers. Dolly said that those reporting entities have essentially zero information about the specifications, and said that building systems to comply with the specifications will be a lengthy process. Sherman also asked Dolly what actions by the SROs would make broker-dealers more comfortable with the CAT. Dolly stressed the importance of providing broker-dealers with the reporting specifications, and also called for a robust discussion on the necessity of PII to identify trading patterns.
Maloney asked Gellasch to describe how the CAT will help the SEC perform its traditional market surveillance functions. Gellasch noted that today, the SEC and FINRA have blind spots regarding identifying the end beneficiaries of certain trades, as the current audit trail system does not collect this data.
Huizenga asked the panel about whether retail investors are typically involved in market manipulations, and Dolly and Concannon agreed that there is usually an institutional angle in manipulation. Huizenga then asked if large trader identification could replace PII without compromising the market surveillance goals of the CAT. Concannon noted that many industry participants have discussed using a large trader ID, and that this is the standard in the futures market. Gellasch agreed, saying that FINRA proposed a large trader ID system as part of CAT many years ago. Gellasch also praised a legal entity identifier (LEI) regime as a possible alternative to PII.
Rep. Juan Vargas (D-Calif.) asked the panel to describe the importance of being able to identify the end beneficiary of trading. Gellasch noted that market manipulation investigations suffer if the trail “goes dark” in foreign countries and venues, and said that requiring end beneficiary information will ameliorate this problem. Concannon noted that FINRA and the SROs cannot sanction individuals, only members, and that the SEC sometimes struggles to identify the end beneficiaries of manipulation, especially when foreign individuals are involved.
Elimination of Systems
Sherman asked Beller to discuss whether the CAT will allow regulators to retire older reporting systems such as the Order Audit Trail System (OATS) administered by FINRA. Beller noted that FINRA has already published an explanation on the process to retire OATS once the CAT meets certain standards. Dolly agreed that the ideal should be to not have duplicative reporting requirements. Maloney also asked about OATS, and Gellasch said that while OATS is a comprehensive audit trail, it will not have the precision of CAT, and does not collect beneficial ownership information, which makes CAT an upgrade.
Sherman asked Gellasch to describe how NMS plans differ from traditional notice-and-comment rulemaking. Gellasch described NMS plans as “vestiges of history” that are long since past their “useful life,” noting that in the 1970s (when NMS plans were first used) the SROs were nonprofit entities. Gellasch pointed out that SROs today are for-profit entities that are given rulemaking powers and the ability to set cost structures for things like the CAT. Gellasch criticized NMS plans for advantaging a small number of market participants who are given de facto regulatory power over their competitors.