Regulators call planned SEC financial database a ‘treasure trove’ for hackers

SEC CAT NMS financial database prompts cybersecurity fears from SROs, NYSE

A lack of clear cybersecurity measures attached to a forthcoming financial database, mandated by the Securities and Exchange Commission, is causing financial self-regulatory organizations to publicly voice their concerns, documents show.

The Consolidated Audit Trail, or CAT, is a proposed national market system that will eventually give regulators an analytical oversight tool to help better track trading activity in the U.S. equity and options market.

“This treasure trove of order and execution information has tremendous commercial value, and we are gravely concerned that cyber criminals and others will seek to access and use it for their personal gain to the detriment of funds and their shareholders,” wrote Investment Company Institute General Counsel David Blass.

Data stored in the CAT will include, information about who is receiving, originating, routing or executing specific trades. A vendor chosen by the SROs will be responsible for eventually constructing and entering data into the CAT for the SEC to access for review.


The SEC did not respond to FedScoop’s request for comment regarding how the commission plans to handle these concerns.

SEC Chair Mary Jo White has previously said “[the database] will significantly increase the ability of regulators to conduct research, reconstruct market events, monitor market behavior, and identify and investigate misconduct.”

The CAT is also expected to, according to the original proposal, cut down on the time SEC regulators must currently allocate to manually enter data and organize it for cases.

Although many groups support the plan, some self-regulatory organizations, or SROs, are skeptical that current plans will provide enough digital security given the high value of economic information that will be stored within the system.

A FAQs page published alongside the commission’s trade information repository plan estimates that there will be approximately 3,000 authorized users with access to CAT data. This would including regulatory staff of the SROs and SEC staff.


The architects of the CAT plan — the National Securities Exchanges and the Financial Industry Regulatory Authority — opened up the project for comment in late April. Last week was the deadline for comments from partnering SROs to submit their reactions.

The New York Stock Exchange, Investment Company Institute and Managed Funds Association all criticized the CAT plan due to lingering, unresolved fears prompted by the online databases’ proposed structure.

“Considering the large number of individuals with access to the Central Repository, the possibility of a security breach that may result in the disclosure of CAT Data, including PII, is a material threat with substantial consequences,” NYSE General Counsel Elizabeth King warned.

Kelvin To, founder and president of big data financial tech firm Data Boiler Technologies, wrote in another comment that the CAT should be monitored for “threats, attacks and anomalous activity” by the National Cybersecurity & Communications Integration Center — a cybersecurity incident response and management division housed within the Department of Homeland Security.

The SEC now has a remaining three months to react to those comments and ultimately approve the CAT plan.

Chris Bing

Written by Chris Bing

Christopher J. Bing is a cybersecurity reporter for CyberScoop. He has written about security, technology and policy for the American City Business Journals, DC Inno, International Policy Digest and The Daily Caller. Chris became interested in journalism as a result of growing up in Venezuela and watching the country shift from a democracy to a dictatorship between 1991 and 2009. Chris is an alumnus of St. Marys College of Maryland, a small liberal arts school based in Southern Maryland. He's a fan of Premier League football, authentic Laotian food and his dog, Sam.

Latest Podcasts