SIFMA President and CEO Kenneth E. Bentsen, Jr. urged the SEC not to make broker-dealers liable for any potential security breaches in the agency's consolidated audit trail ("CAT"). In a published statement, Mr. Bentsen asserted that broker-dealers should not be held accountable for potential security breaches over which they have no control. He stated that self-regulatory organizations ("SROs") should bear the liability in such cases, adding that the contract governing the CAT system was being improperly forced on them.
SIFMA also filed a series of actions, including (i) an Application for Review of SRO Action That Violates Exchange Act Sections 19(d) and 19(f), (ii) a Motion to Stay SRO Action Pending Commission Review of SIFMA's Application pursuant to Exchange Act Sections 19(d) and 19(f) and Incorporated Memorandum of Law and (iii) a Declaration in Support of SIFMA's Application pursuant to Exchange Act Sections 19(d) and 19(f).
Commentary
The argument that broker-dealers should not be responsible for the misuse of data that they do not control seems on its face quite reasonable. It re-raises, however, a more fundamental question. Is the collection of so much sensitive data in a single location a good idea? The SEC simply cannot guarantee that the system will always be safe from hacking. The regulatory benefits do not seem to justify the cybersecurity risks.
Leaving aside CAT-specific issues, the dispute between the broker-dealers and the SROs as to liability is a small portion of a continuing dispute between the two opposing groups over the use of trade data and the right to profit from that data.
Originally published April 23, 2020.