Cybersecurity Concerns Surround SEC's Audit Trail Plan


By Rob Tricchinelli

July 19 — Cybersecurity concerns dominate industry groups’ reaction to the Securities and Exchange Commission’s plan for a consolidated audit trail, an expansive database to collect trading information from U.S. exchanges and broker-dealers.

National securities exchanges and the Financial Industry Regulatory Authority created the plan to build the long-awaited trail, which was released by the SEC for public comment in April (82 SLD, 4/28/16). The comment deadline was July 18.

Although most groups support the plan, they warned that such a huge database would be a target of hackers looking to exploit personal information and trading data.

‘Treasure Trove.’

The plan has inadequate security measures, the Investment Company Institute warned. “This treasure trove of order and execution information has tremendous commercial value, and we are gravely concerned that cyber criminals and others will seek to access and use it for their personal gain to the detriment of funds and their shareholders.”

The agency could address these concerns by limiting access to the central database, enhancing security measures over time and making sure those protections apply regardless of where CAT data is accessed.

The Securities Industry and Financial Markets Association, Managed Funds Association and Financial Services Roundtable made similar points.

MFA cautioned that the plan doesn't account for the likelihood of chaos across the financial system caused by a coordinated attack.

“Because the requirements in the Plan do not contemplate this type of systemic risk, they are insufficient to address the actual risks of the CAT.”


The SEC's rule requiring the self-regulatory organizations to build the CAT was adopted in July 2012.

Under the plan, the central database will be established and maintained by a vendor that the SROs select from three finalists—a group led by SunGard, a group led by Thesys, or FINRA itself.

Firms will have to submit order data to the central repository, where the SEC could access it.

The SEC has 180 days from the April release to approve the plan, after which the SROs will have two months to pick a vendor and a year to begin submitting some data to the central processor.

To contact the reporter on this story: Rob Tricchinelli in Washington at

To contact the editor responsible for this story: Phyllis Diamond at


Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.
