In the wake of a highly publicized cybersecurity breach involving the SEC’s EDGAR system, SEC Chairman Jay Clayton has been in the hot seat at recent congressional hearings, fielding pointed questions as to whether the SEC should delay implementation of the Consolidated Audit Trail (“CAT”).  The SEC has not announced a delay, although Clayton indicated he may be willing to modify the CAT’s implementation.

On September 26 and October 4, Clayton testified before the Senate Banking Committee and the House Financial Services Committee, respectively, and one of the areas he focused on was the SEC’s cybersecurity efforts, particularly in response to the 2016 intrusion into EDGAR.  The hackers who accessed the system obtained sensitive information disclosed in filings, including the names, birth dates and social security numbers for two individuals.  Members of both committees asked whether security concerns justified extending the timeframes for implementing the SEC-mandated CAT.

The CAT is a multi-year effort by FINRA and the securities exchanges (the “SROs”) to build a central repository for SROs and broker-dealers to submit extensive information in standardized formats regarding securities trading activity.  While the CAT data itself is not submitted to the SEC (and therefore the SEC does not have direct control over the repository and its data protections), the staffs of the SEC, FINRA and other SROs—potentially thousands of users—will have access to the CAT data.  SROs are scheduled to begin the first phase of CAT reporting next month, and large broker-dealers are currently slated to begin reporting in November 2018.  Data security concerns have been raised because broker-dealers will be required to report sensitive personal customer identifying information, including customers’ names, addresses, dates of birth and social security numbers. Industry commenters, such as SIFMA and the ICI, have also long been vocal in raising misgivings about the CAT’s data protections, including the perceived potential to reengineer CAT data to reveal sensitive trading strategies and holdings.

During the hearings, Senator Mike Rounds (R-S.D.) and House Financial Services Chair, Rep. Jeb Hensarling (R-Texas), encouraged Clayton to delay the launch of the CAT until the SEC can ensure that it has the necessary data controls in place to protect the CAT data.  Clayton acknowledged that the protection of CAT data is of paramount concern to the SEC, and that security issues are particularly acute with respect to a data repository that contains comprehensive information on trading in the securities markets. While Clayton would not commit to a “full timeout,” he said the SEC will continue to evaluate its ability to safeguard CAT data.  Clayton stated that the SEC should not be obtaining CAT data unless the SEC can protect it, and implied that the SEC could consider as part of its evaluation the phase-in process and schedule for the CAT.

Observation: Getting assurances from the SEC on the security of the information it receives is particularly important considering the lack of remedies available if that information is breached.  See our blog post, “Your Sensitive Information Was Accessed in a Government Hack? You May Have No Remedy,” for more information.