In a comment letter filed with the Securities and Exchange Commission (SEC), SIFMA expressed both its ongoing concerns about the security of investors’ data in the Consolidated Audit Trail (CAT) and its opposition to the efforts of the self-regulatory organizations (SROs) that control and operate the CAT to limit their liability for any breach or misuse of the data.
“When fully implemented, the CAT will be the largest database of retail and institutional trading data ever created. It also will include personal information on every retail brokerage customer in America, as well as identifying information for every pension fund, mutual fund, and other institutional account,” said Ellen Greene, SIFMA managing director, equity and options market structure.
“SIFMA has long believed those responsible for the CAT data should bear the liability for any security breaches. It is imperative the CAT be held to the highest security standards to protect investors. To that end, we oppose the proposal to limit the SROs’ liability in the event of a data breach and once again call on the SEC to adopt its August 2020 CAT data security proposal, which is designed to significantly enhance the security of data held within CAT.”
As currently configured, once broker-dealers report trade and personally identifiable information (PII) data to the CAT, as mandated by the SEC, all control, access and protection of that data shifts to the SROs and their thousands of employees and contractors.
For that reason, SIFMA also has consistently raised concerns about the security of CAT Data, its susceptibility to breach or misuse, and the potentially significant liabilities that could flow from such a breach or misuse of CAT Data or the CAT System.
The SROs have offered repeated assurances that CAT Data will be fully secured, though SIFMA notes in its comment letter that the SROs undercut those assurances by repeatedly seeking to limit their own liability for breach or misuse of the data.
SIFMA consistently has opposed, and the SEC ultimately disapproved, previous inclusions of limitation of liability provisions, including a proposed disclaimer of warranties clause, or DWC, in the CAT Agreements.
The DWC is essentially identical to the warranty disclaimers included in the original CAT Agreements, which SIFMA successfully negotiated out, and in the Limitation of Liability Proposal, which the SEC disapproved.
SIFMA believes the SEC should reject this third attempt by the SROs to impose, without any proper basis, a limitation on their CAT duties, responsibilities and potential liability.
In SIFMA’s view, it is seriously concerning that the SROs appear simultaneously to be telling industry members and the SEC that the CAT System and CAT Data are appropriately protected, but that the SROs are unwilling to be responsible for basic representations and warranties regarding the integrity and security of the system that they control and operate.
The impermissible goal of the DWC proposed by the SROs is to shift risk, responsibility, and potential liability away from the SROs, which fully control and operate the CAT System and the data that is part of the CAT System, and toward industry members and, by extension, their customers, whose data is embedded within the system but who exercise no control over the safety, security, integrity or operations of the system.