Thursday, September 10. 2020
The new modifications will drastically decrease the amount of sensitive data collected without affecting the operational effectiveness of the CAT and provide market participants with greater confidence regarding the way CAT data will be protected and used. The SEC will be assessing these concerns and addressing changes in risks and other issues as roll out and operation of the CAT continues.
The proposed amendments to the CAT NMS Plan would specifically define the scope of the CAT’s information security program and would:
- add the term “Comprehensive Information Security Program” (CISP) to set forth all elements of the information security program, including the planned Secure Analytical Workspaces
- require the permanent establishment of a security working group comprised of the CAT’s Chief Information Security Officer and the chief information security officer or deputy chief information security officer of each self-regulatory organization that is a participant to the CAT NMS Plan.
- define a Secure Analytical Workspace (“SAW”) as an analytic environment account that is part of the CAT system, subject to the CISP, where CAT data is accessed and evaluated and require the CISP to establish data access and extraction policies and require CAT NMS Plan participants to use their SAWs for analyzing CAT data accessed via user-defined direct inquiry.
- limit the maximum amount of records that regulators can download using an online targeted query tool and make logging requirements more complex by requiring logging of extraction of CAT data.
- modify the reporting requirements and Customer-ID creation process following the order issued by the SEC on March 17, 2020, eliminating the requirement for Industry Members to report social security numbers, individual taxpayer identification numbers, and account numbers for customers who are natural person.
- define the workflow for retrieving customer and account attributes and establish limits governing such access.
- require the CAT NMS Plan participants to establish, maintain. and enforce procedures and usage restrictions and publish matching written data confidentiality policies
- define the term “Regulatory Staff” and the data privacy policies adopted by CAT NMS Plan participants that would be required to restrict access to CAT data to Regulatory Staff (and specific technology and operations staff) except when there is an explicit regulatory need.
- regulate the extraction of CAT data, define the functions and regulatory activities of specific users, and require implementation of the Customer Identifying Systems workflow along with supporting requirements for monitoring and testing.
- require CAT data be accessed only for surveillance and regulatory purposes and prohibit the use of CAT data where that use may serve surveillance and/or regulatory purposes or a commercial purpose (such as economic analyses or market structure analyses in support of rule filings).
- require the CAT NMS plan processor to carry out “allow” listing, restricting access to CAT only to those countries where CAT reporting or regulatory use is both necessary and expected, while requiring connectivity to CAT infrastructure in a manner consistent with current implementation. The proposed revisions would also require that data centers housing CAT systems be physically located in the United States.
- modify current requirements associated with breach management policies and procedures to specifically require that corrective actions and breach notifications to CAT reporters be a component of the plan processor’s cyber incident response plan, patterned after Regulation SCI obligations.
Additionally, the proposed amendment would explicitly require that customer and account attributes be reported for Firm Designated IDs that are submitted in allocation reports, consistent with previously allowed exemptive relief, as is required for Firm Designated IDs associated with the initial receipt or origination of an order.
The public comment period for these amendments will begin following publication on SEC.gov and remain open for 45 days after publication in the Federal Register. You can submit comments using the form available on the SEC’s website or by e-mailing firstname.lastname@example.org with the proposed rules’ reference number in the subject line. You can also use the Federal Rulemaking Portal to submit comments or send your comments by mail to Secretary, Securities and Exchange Commission, 100 F Street, NE, Washington, DC 20549-1090. In all cases, be sure to reference File Number S7-10-20.