Wall Street group rips US exchanges’ proposal to cap their Consolidated Audit Trail liability for data breaches

03 Feb 2021 12:00 am by Neil Roland


A Wall Street banking group said it was “fundamentally unfair” of the US stock and options exchanges to propose limiting their liability for data breaches on the Consolidated Audit Trail that they run.

The 24 exchanges and Finra, the brokerage self-policing group that also helps operate the comprehensive database of stock quotes, orders and trades, have proposed that their liability be capped at $500 a year.

Banks and other industry members that must report trade data would have to assume the rest of the liability for a breach or misuse of data on the database, which is intended to allow regulators to identify sources of volatility and market manipulation.

The proposal “is fundamentally unfair because the [self-regulatory organizations] are exclusively responsible for maintaining the CAT system and for implementing measures to protect against a breach of the CAT system,” according to a letter last week from the Securities Industry and Financial Markets Association, a leading group of banks, brokerages and asset managers.

The plan also would allow the self-regulators “to under-invest in data security and cyber insurance,” the letter said. “This approach is inefficient as a matter of risk mitigation and ultimately will result in higher costs borne by investors in the capital markets.”

The letter to the US Securities and Exchange Commission, which oversees the database that is still under development by the self-regulatory organizations, said they should be encouraged to buy supplemental cyber insurance and implement other “appropriate risk-mitigation measures.”

Among the exchanges that run CAT are the New York Stock Exchange, Nasdaq and the Chicago Board Options Exchange.

They were required by the SEC in 2012 to build the database. It started going into effect in June 2020 without limited liability provisions.

— Exchanges’ proposal —

The self-regulators said their limited liability proposal falls “squarely within industry norms.”

They said they are “not aware of any context in which liability that is usually borne by industry members is shifted to their regulators, and there is no compelling reason to do so here,” according to the December 2020 proposal.

The self-regulators said that they have obtained “the maximum extent of cyber-breach insurance coverage available and [have] implemented a full cybersecurity program to safeguard data stored in the CAT.”

In addition, the SEC has proposed limiting use of personally identifiable information, or PII, such as social security numbers and dates of birth in the database, the proposal said.

This “minimizes the risk of theft of SSNs — the most sensitive piece of PII — by allowing the elimination of SSNs from the CAT while still facilitating the creation of a reliable and accurate customer ID,” the proposal said.

The SEC limitations on use of confidential information were proposed in August 2020, but haven’t been finalized. Since that time, the Republican-run commission under Jay Clayton has converted to one that will be dominated by Democrats.
