In a comment letter filed yesterday with the Securities and Exchange Commission (SEC) on improving the data security requirements in the Consolidated Audit Trail (CAT) NMS Plan, SIFMA emphasized its concerns with the security of the CAT, particularly with regard to the ability of self-regulatory organizations (SROs) to bulk download CAT Data. SIFMA also noted that heightened firm involvement is critical. Given the vast experience firms have in handling and protecting sensitive customer data, allowing them increased input could significantly help bolster the overall security of CAT Data, SIFMA wrote.
“It is imperative the CAT be held to the highest security standards, not only to maximize the efficacy of the CAT System itself, but also to bolster the confidence of market participants reporting into the system, and to ensure investors their personally identifiable information will not be at risk of a data breach,” said SIFMA president and CEO Kenneth E. Bentsen, Jr. “SIFMA continues to have grave concerns about the need for and security of customer data provided to and maintained in the CAT and we continue to believe there are more secure alternatives.
“SIFMA believes that an obvious and avoidable significant threat to the security of the CAT Data is the ability of SROs to bulk download customer and transaction data from the CAT to their own systems, including PII data,” continued Mr. Bentsen. “Such a process would remove the data from the single secure CAT environment and place it in the hands of potentially multiple SROs and the individuals who work there. Rather than mitigating risk, bulk downloading would only serve to exponentially broaden the risk that the data could be exposed. It is inconceivable from a risk management standpoint that the Commission would allow bulk downloading customer and transaction data by 24 separate entities.”
SIFMA also noted that the parameters governing the appropriate use of CAT Data should be clearly defined and not left open to interpretation. SIFMA further noted that access to customer data should be provided only in the rarest of instances, and that FINRA CAT, as the Plan Processor, should have appropriate protocols governing how access is requested and how such requests are reviewed and approved.
Finally, SIFMA suggested that additional measures regarding oversight of the Plan Processor should be adopted, and requested that member firms that are CAT Reporters and Authorized Reporting Agents be notified of any anticipated major changes to the systems, technology and architecture planned for the CAT as a result of regular system reviews. This would give firms transparency into such changes and afford them the opportunity to provide valuable feedback on them, SIFMA wrote, “especially given the firms’ extensive experience in protecting sensitive customer data and could serve as an invaluable resource to the CAT.”