Audit trail could boost cybersecurity threat, exchanges say

Register now

(Bloomberg) -- Stock exchanges could become more exposed to cyberattacks through a trade database being built to help U.S. regulators police markets, industry executives said Tuesday.

NYSE Group Inc. and CBOE Holdings Inc. officials speaking at a conference in Washington questioned whether the Securities and Exchange Commission should push back the Nov. 15 deadline for exchange operators to begin feeding information to the Consolidated Audit Trail until it can ensure that sensitive data can be protected.

“I would argue the current construct of the CAT sets us back on surveillance,” CBOE President Chris Concannon said during a panel discussion, adding that the current setup promises little benefit for the extra risk. “Why be reckless with our data?” he asked later.

NYSE President Tom Farley, who expressed particular concern about including personal information on investment account holders in the database, said he hopes “cooler heads prevail and come to a different decision as an industry.”

The executives echoed criticisms that have mounted since the SEC’s Sept. 20 disclosure that its Edgar system for corporate filings had been breached by hackers who may have traded on illegally obtained information. House Financial Services Committee Chairman Jeb Hensarling last week urged SEC Chairman Jay Clayton to delay implementation of the system until appropriate safeguards and internal controls are in place.

Essential StepStock exchanges helped write the requirements for the CAT system, which could ultimately include personal details for more than 100 million trading accounts. The database, meant to track billions of daily orders to buy and sell stocks, has been billed as an essential step to improve monitoring and understanding market moves.

Brokers and exchanges have clashed over who will pick up the tab for the system being built by Thesys Technologies. Both brokers and exchanges have privately sought a delay in the deadline for reporting data, but neither has called for the CAT to be scrapped altogether.

Thesys Chief Executive Officer Mike Beller said in an interview that his company “designed the system from the ground up with cybersecurity in mind.” The system will be more secure than the current data repositories because it included additional protections, Beller said.

“The negative of the fear around cybersecurity is that if it’s used to kill every initiative that might involve gathering more data, then society loses,” he said said at the conference.

Speaking later at the same event, SEC Republican Commissioner Michael Piwowar said that concerns about the agency’s data protections weren’t going to delay the project.

“It’s not going to delay the audit trail -- full stop,” he said. “We at the SEC are not going to take any of that data until we are confident and comfortable that we have a robust cybersecurity,” he said, echoing comments from Clayton last week.

Bloomberg News