In a move that took some by surprise, SEC Chairman Jay Clayton on Tuesday rejected requests from the SROs to delay the implementation of the Consolidated Audit Trail (“CAT”), despite the SROs’ cybersecurity concerns and indications that the CAT is not yet operationally ready. Thus, the first phase of CAT reporting technically went into effect on Wednesday.
The exemptive request submitted by the SROs sought a one-year delay of the first phase of data reporting to the CAT. In his statement denying the relief, Clayton acknowledged that the request by the SROs evidenced their inability to meet Wednesday’s deadline and that SROs should work to meet their responsibilities “as promptly as practical.” Clayton said he was “not in a position to support the issuance of the requested relief on the terms currently proposed,” although he provided no hint of what terms would prompt him to change his position. He also noted that he continues to give a high priority to the protection of CAT data, and he is open to various paths for addressing cybersecurity matters. The SEC staff is currently conducting a review of the agency’s need for personally identifiable information (“PII”) from the CAT, and Clayton pledged that the SEC will not retrieve this information until the agency has implemented appropriate protections. This commitment ignores cybersecurity concerns relating to access by the SROs to PII or breaches of the CAT itself.
Reading between the lines in Chairman Clayton’s statement—and given that it is not clear whether reporting to the CAT is operationally possible at this time—we suspect that the SEC is continuing to negotiate a potential further phasing of implementation.