Jay Clayton, the chairman of the Securities and Exchange Commission, indicated there would be no delay in the effective date of the first phase of Consolidated Audit Trail (November 15), despite the 2016 hack of the SEC’s own Electronic Data Gathering, Analysis, and Retrieval ("EDGAR") system reported by the SEC two weeks ago (click here for background regarding this hack in the article, “SEC Discloses Trading May Have Occurred Based on Confidential Information Illicitly Obtained From Hack of EDGAR System in 2016” in the September 24, 2017 edition of Bridging the Week.)
Mr. Clayton made this statement in testimony last week before the US Senate’s Committee on Banking, Housing and Urban Affairs.
During his remarks, Mr. Clayton confirmed that he only learned of the possible EDGAR hack in August 2017. In response, he commenced an internal review. Mr. Clayton subsequently learned that the hack of EDGAR’s test filing system provided access to confidential filing information and may have provided a basis for unauthorized trading. The SEC’s Division of Enforcement is now investigating whether illicit trading occurred on the hacked data while the agency’s Office of Inspector General is reviewing how the intrusion occurred; the scope of non-public information compromised; and the agency’s response. OIG will also recommend how the SEC should correct any related system or control issues.
Although Mr. Clayton indicated that protection of data within CAT is of “paramount concern” to the Commission and he is “focused on issues of data security with respect to CAT,” he offered no delay in the first phase of CAT’s rollout, which involves self-regulatory organizations reporting certain data to CAT related to each quote and order in a National Market System security.
CAT is being developed pursuant to SEC rule by a third-party vendor, Thesys Technologies, LLC, in conjunction with US securities exchanges and the Financial Industry Regulatory Authority. (Click here for background regarding CAT and the SEC Rule 613 requiring it.)
My View: Given the tremendous amount of information scheduled to be maintained in one location under CAT, it seems prudent to delay the first phase of CAT from being implemented until the OIG report on the EDGAR intrusion is finalized. This seems like common sense.