[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
IMPLEMENTATION AND CYBERSECURITY
PROTOCOLS OF THE
CONSOLIDATED AUDIT TRAIL
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON CAPITAL MARKETS,
SECURITIES, AND INVESTMENT
OF THE
COMMITTEE ON FINANCIAL SERVICES
U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
__________
NOVEMBER 30, 2017
__________
Printed for the use of the Committee on Financial Services
Serial No. 115-61
__________
U.S. GOVERNMENT PUBLISHING OFFICE
31-288 PDF WASHINGTON : 2018
HOUSE COMMITTEE ON FINANCIAL SERVICES
JEB HENSARLING, Texas, Chairman

Majority members:
PATRICK T. McHENRY, North Carolina, Vice Chairman
PETER T. KING, New York
EDWARD R. ROYCE, California
FRANK D. LUCAS, Oklahoma
STEVAN PEARCE, New Mexico
BILL POSEY, Florida
BLAINE LUETKEMEYER, Missouri
BILL HUIZENGA, Michigan
SEAN P. DUFFY, Wisconsin
STEVE STIVERS, Ohio
RANDY HULTGREN, Illinois
DENNIS A. ROSS, Florida
ROBERT PITTENGER, North Carolina
ANN WAGNER, Missouri
ANDY BARR, Kentucky
KEITH J. ROTHFUS, Pennsylvania
LUKE MESSER, Indiana
SCOTT TIPTON, Colorado
ROGER WILLIAMS, Texas
BRUCE POLIQUIN, Maine
MIA LOVE, Utah
FRENCH HILL, Arkansas
TOM EMMER, Minnesota
LEE M. ZELDIN, New York
DAVID A. TROTT, Michigan
BARRY LOUDERMILK, Georgia
ALEXANDER X. MOONEY, West Virginia
THOMAS MacARTHUR, New Jersey
WARREN DAVIDSON, Ohio
TED BUDD, North Carolina
DAVID KUSTOFF, Tennessee
CLAUDIA TENNEY, New York
TREY HOLLINGSWORTH, Indiana

Minority members:
MAXINE WATERS, California, Ranking Member
CAROLYN B. MALONEY, New York
NYDIA M. VELAZQUEZ, New York
BRAD SHERMAN, California
GREGORY W. MEEKS, New York
MICHAEL E. CAPUANO, Massachusetts
WM. LACY CLAY, Missouri
STEPHEN F. LYNCH, Massachusetts
DAVID SCOTT, Georgia
AL GREEN, Texas
EMANUEL CLEAVER, Missouri
GWEN MOORE, Wisconsin
KEITH ELLISON, Minnesota
ED PERLMUTTER, Colorado
JAMES A. HIMES, Connecticut
BILL FOSTER, Illinois
DANIEL T. KILDEE, Michigan
JOHN K. DELANEY, Maryland
KYRSTEN SINEMA, Arizona
JOYCE BEATTY, Ohio
DENNY HECK, Washington
JUAN VARGAS, California
JOSH GOTTHEIMER, New Jersey
VICENTE GONZALEZ, Texas
CHARLIE CRIST, Florida
RUBEN KIHUEN, Nevada
Kirsten Sutton Mork, Staff Director
Subcommittee on Capital Markets, Securities, and Investment
BILL HUIZENGA, Michigan, Chairman

Majority members:
RANDY HULTGREN, Illinois, Vice Chairman
PETER T. KING, New York
PATRICK T. McHENRY, North Carolina
SEAN P. DUFFY, Wisconsin
STEVE STIVERS, Ohio
ANN WAGNER, Missouri
LUKE MESSER, Indiana
BRUCE POLIQUIN, Maine
FRENCH HILL, Arkansas
TOM EMMER, Minnesota
ALEXANDER X. MOONEY, West Virginia
THOMAS MacARTHUR, New Jersey
WARREN DAVIDSON, Ohio
TED BUDD, North Carolina
TREY HOLLINGSWORTH, Indiana

Minority members:
CAROLYN B. MALONEY, New York, Ranking Member
BRAD SHERMAN, California
STEPHEN F. LYNCH, Massachusetts
DAVID SCOTT, Georgia
JAMES A. HIMES, Connecticut
KEITH ELLISON, Minnesota
BILL FOSTER, Illinois
GREGORY W. MEEKS, New York
KYRSTEN SINEMA, Arizona
JUAN VARGAS, California
JOSH GOTTHEIMER, New Jersey
VICENTE GONZALEZ, Texas
C O N T E N T S
----------
Page
Hearing held on:
November 30, 2017............................................ 1
Appendix:
November 30, 2017............................................ 41
WITNESSES
Thursday, November 30, 2017
Beller, Mike, Chief Executive Officer, Thesys Technologies, LLC.. 5
Concannon, Chris, President and Chief Operating Officer, Chicago
Board Options Exchange......................................... 6
Dolly, Lisa, Chief Executive Officer, Pershing, on behalf of the
Securities Industry and Financial Markets Association.......... 10
Gellasch, Tyler, Executive Director, Healthy Markets Association. 8
APPENDIX
Prepared statements:
Beller, Mike................................................. 42
Concannon, Chris............................................. 50
Dolly, Lisa.................................................. 54
Gellasch, Tyler.............................................. 61
IMPLEMENTATION AND CYBERSECURITY
PROTOCOLS OF THE
CONSOLIDATED AUDIT TRAIL
----------
Thursday, November 30, 2017
U.S. House of Representatives,
Subcommittee on Capital Markets,
Securities, and Investment,
Committee on Financial Services,
Washington, D.C.
The subcommittee met, pursuant to notice, at 10:06 a.m., in
room 2128, Rayburn House Office Building, Hon. Bill Huizenga
[chairman of the subcommittee] presiding.
Present: Representatives Huizenga, Hultgren, Poliquin,
Emmer, MacArthur, Davidson, Budd, Hollingsworth, Maloney,
Sherman, Scott, Foster, Vargas, Gottheimer, and Gonzalez.
Chairman Huizenga. The committee will come to order. The
Chair is authorized to declare a recess of the committee at any
time. This hearing is entitled, ``Implementation and
Cybersecurity Protocols of the Consolidated Audit Trail.''
And I want to thank our guests and witnesses for being here
today.
I now recognize myself for 5 minutes to give an opening
statement.
Until now there has been no single database that provides
comprehensive and readily accessible data about market orders
and executions across securities markets. Regulators tracking
suspicious activity or investigating unusual events had to
collect and aggregate large amounts of data from different
markets and participants.
Regulators needed one system that would permit them to
track orders and executions across securities markets. The
thinking was that a consolidated audit trail system or database
that would help regulators keep up with new technology and
trading patterns in the market would fit the bill.
That is why, following the Flash Crash of 2010, the
Securities and Exchange Commission (SEC) adopted a rule to
require self-regulatory organizations (SROs), including
national securities exchanges and the Financial Industry
Regulatory Authority (FINRA), to develop and implement the
Consolidated Audit Trail, or CAT, as a data repository to
collect and accurately identify every order from origination
through its entire lifecycle, including any cancellation,
modification, and trade execution for all exchange-listed
equities and options across the U.S. markets.
In January 2017, the SROs selected Thesys Technologies, LLC
to build the CAT as the Plan processor, and the SROs were to
begin reporting trade and order data to the CAT on November 15
of 2017, of this year. Exactly 1 year later, beginning in
November 2018, the SEC's order currently will require broker
dealers to submit data, including certain sensitive customer
information, to Thesys, the CAT Plan processor.
Many have voiced concerns about the cost of building and
implementing such a system. Initial rough estimates by the SEC
expect the CAT to carry a one-time implementation cost of $2.4
billion, in addition to a $1.7 billion cost in ongoing annual
reports, which will be passed on to customers.
Most troubling, however, is the amount of personally
identifiable information, or PII, that will be required to be
collected by the CAT, in my opinion. Not only will CAT be
collecting such data points as Social Security numbers,
addresses, and dates of birth for individual customers, but it
will also gather identifiable proprietary transaction data that
could potentially be reverse engineered and used for nefarious
activity, such as market manipulation.
Let's not forget even the SEC was the victim of a data
breach of highly sensitive personally identifiable information.
In April 2016 the GAO identified weaknesses regarding
information security protocols at the SEC and noted the
Securities and Exchange Commission's failure to implement an
agency-wide data security program. Additionally, the SEC's own
internal assessment, initiated once Chairman Clayton came on
board, found that the agency had inadequate controls and that
there were serious cyber and data risks.
Concerns regarding data security are not unfounded. In
September of this year, we learned of a software vulnerability
in the test filing component in the SEC's EDGAR--or electronic
data gathering, analysis, and retrieval system. Because of this
lapse in security, hackers were able to gain access to highly
sensitive material, including the names, dates of birth, and
Social Security numbers of two individuals.
A recent report from the Government Accountability Office
highlights how the EDGAR data breach only underscores what is
now even of greater concern: The sufficiency of risk control
mechanisms for the SEC approved in the Consolidated Audit
Trail. The CAT system will be the most comprehensive repository
of market data we have ever seen for all exchange-listed
equities and options across all U.S. markets. Some have
indicated that this database will be the world's second-largest
single database, only behind the National Security Agency.
I continue to express very serious concerns about the
security of such extraordinary amounts of personally
identifiable information being collected and held by the CAT,
as well as who might have access to such confidential and
sensitive information. I think that is a vital question.
While the CAT may be a helpful resource for the SEC and
even the SROs once fully implemented, insufficient data
security controls will only undermine confidence in our
markets.
Today's hearing will examine the status of the CAT's
implementation and the adequacy of existing data security
protections regarding the storage and use of CAT data by
entities that are part of the CAT operating committee, the CAT
Plan processor, and the SEC. It will also examine whether
additional cybersecurity protocols are necessary to properly
safeguard collected data, including that PII--personally
identifiable information.
Additionally, the hearing will examine a discussion draft
legislative proposal that we have titled, ``The American
Customer and Market Information Protection Act,'' which would
require the SEC, each SRO that is a participant of the CAT NMS
(national market system) Plan, and the CAT Plan processor to
develop comprehensive internal risk control mechanisms to
safeguard and govern the security of information reported,
stored, or accessed from the CAT.
The legislation would prohibit the CAT Plan processor from
accepting data until it develops such risk controls and the SEC
certifies those controls. The legislation would also prohibit
the SROs from accessing CAT data until each entity develops
risk controls and the SEC certifies them, as well. Last, the
discussion draft would require the SEC to conduct a cost-
benefit analysis on the CAT's use of PII, as well as report to
Congress whether such information is a necessary input for the
CAT, the risks posed to investors by using that information,
and alternatives that the SEC could consider.
The importance of cybersecurity cannot be overstated. The
ability of the SEC to safeguard nonpublic financial information
and other highly sensitive data is paramount because it
instills confidence in our markets.
The Federal Government--namely, the SEC--cannot afford to
get this wrong. In fact, SEC Commissioner Michael Piwowar
recently commented regarding CAT that, quote, ``deadlines are
important, but the SEC has one chance to get this right. We
have to make sure we have everything locked down. We can get it
done, or we can get it done right. We need to get it done
right,'' end quote.
I couldn't agree more.
And I look forward to hearing from our distinguished panel
today.
So with that, the Chair now recognizes the Ranking Member
for a very generous 5 minutes as well, as I went over for a
bit. And the gentlelady has 5 minutes, as well. Thank you.
Mrs. Maloney. You had a lot to say and it was all
important.
And I thank you for holding this important hearing and for
all of our panelists for being here today with us.
The so-called Flash Crash in 2010 was an extraordinary and
terrifying event in which markets simply went haywire. They
experienced a sudden inexplicable crash and then recovered most
of their losses just as quickly.
The entire episode lasted only 36 minutes, but it had a
lasting effect on investor confidence in our markets. And I
have always said that markets run more on confidence than they
do on capital.
In the aftermath of that wild day, market participants,
regulators, and Members of Congress were all asking the same
questions: What happened, and why did it happen?
To answer those questions the SEC and CFTC (Commodity
Futures Trading Commission) attempted to reconstruct all of the
trading activity that occurred that day. This should have been
a relatively straightforward exercise to the agencies with
oversight of the stock and futures market, but it took the
agency over 4 months to issue a report on the Flash Crash, and
even then the report was inconclusive.
Why did it take the agency so long? Because they didn't
actually have a comprehensive system in place to collect all of
the information about the trading that takes place in U.S.
markets.
And I must share with you, when Fuld, head of Lehman, was
testifying on the financial crisis I asked him, ``What is the
one thing that we could do that would prevent it in the
future?'' And it was to collect this trading information and
have it in one place. So this is an important project for the
stability of our markets and our economy.
Instead, they were relying on a patchwork of audit trails
operated by individual exchanges or other trading venues. And
each of these audit trails had different types of information,
which made it very difficult to track orders that were routed
from one exchange to another.
As a result of all of this, the SEC proposed to create the
Consolidated Audit Trail, or CAT, which would serve as a
comprehensive record of all trading activity in the U.S. equity
markets. The SEC proposed the CAT back in 2010, and 7 years
later we still do not have a fully functioning audit trail.
We can go to the moon, but we can't figure out how to have
a fully functioning audit trail. I would say that this is an
American scandal.
The creation of the CAT has been subject to endless delays
and too many missed deadlines to count. The CAT was supposed to
go live 2 weeks ago, on November 15th. But at the last minute
the exchanges charged with implementing the CAT requested
another delay and stated that they could not start submitting
data to the CAT on time.
SEC Chairman Clayton rejected the exchanges' request for
another delay, but the reality is that even though the deadline
has passed the CAT is still not up and running. I completely
support Chairman Clayton in his demand to start right now.
Some market participants have raised concerns about data
security due to the large volume of confidential information
that will be stored in the CAT. The plan for the CAT, which was
approved by all of the exchanges and the SEC, does include data
security standards, and I will be interested in hearing whether
our panel believes these security data standards are strong
enough or need to be enhanced.
So I want to thank all of the panelists for appearing
today.
And I yield back my time, and I am under budget and on
time.
Chairman Huizenga. If you--
Mrs. Maloney. That is what we need the CAT system to be--
Chairman Huizenga. Yes, yes.
Mrs. Maloney. --Right?
Chairman Huizenga. If you average it out we took our 10
minutes, so--
Mrs. Maloney. OK.
Chairman Huizenga. Thank you. Appreciate the gentlelady's
attention to this.
And today we welcome a great panel. Appreciate them all
being here.
First we have Mr. Mike Beller, CEO of Thesys Technologies,
LLC. We also have Chris Concannon, President and Chief
Operating Officer of the Chicago Board of Options Exchange.
Welcome.
We have Tyler Gellasch, Executive Director of Healthy
Markets Association. And last but certainly not least, Lisa
Dolly, who is the CEO of Pershing, LLC.
And we welcome our panel. Thank you very much.
And with that, Mr. Beller, you are recognized for 5
minutes.
STATEMENT OF MIKE BELLER
Mr. Beller. Thank you, Chairman Huizenga, Ranking Member
Maloney, and members of the subcommittee, for inviting me to
testify.
The Consolidated Audit Trail is a vital step forward to
dramatically improve the regulation and protection of the U.S.
capital markets, and I applaud the committee for organizing
this hearing and playing an active oversight role in this area
for the benefit of all investors. My name is Mike Beller and I
am the Chief Executive Officer of Thesys Technologies, the
parent company of Thesys CAT, which is the Plan processor
designated by the CAT NMS Plan. I am a technologist and
financial technology business executive with over 30 years of
industry experience.
In 2010, in response to the Flash Crash, the Commission
began working on a rule to develop the CAT. As Chairman Clayton
recently stated, ``The CAT is intended to enable regulators to
oversee our securities markets on a consolidated basis and, in
so doing, better protect these markets and investors.''
The SEC's final rule was adopted with bipartisan support in
July 2012. In accordance with the rule, in February 2013 the
SROs, acting together as CAT NMS, LLC, issued an RFP for a firm
to be designated as the Plan processor to build and operate the
CAT system.
We were one of over 30 companies that expressed an intent
to bid. November 2016 the SEC unanimously approved the CAT NMS
Plan, and in January 2017, after a 4-year bidding process,
Thesys Technologies was selected as the Plan processor.
On April 6, 2017, only 7 months ago, Thesys Tech and CAT
NMS reached a contractual agreement, known as the Plan
Processor Agreement, and Thesys established a subsidiary known
as Thesys CAT to execute its responsibilities under that
agreement.
When we began this process we viewed the CAT as an
opportunity to apply our expertise to meaningfully upgrade the
regulatory infrastructure of the markets. This is a powerful
expression of our mission of better markets through technology.
The CAT improves on existing systems by significantly
increasing the information available to regulators, allowing
them to better track orders and identify the individuals
involved in trading activity. And we believe the CAT will
drastically reduce the amount of time and effort required to
find and stop bad actors in the market.
From the outset we have focused on cybersecurity as a
unique challenge and responsibility in the context of CAT.
While cybersecurity was our priority in developing a CAT
solution, the project was hardly our introduction as
professionals to the critical importance of cybersecurity.
I personally was introduced to the issue in a very visceral
way almost 30 years ago on November 2nd of 1988, when systems I
managed were attacked by the first wide-scale Internet worm,
the Morris Internet Worm. In 1988 there were only approximately
80,000 computers on the Internet and the worm spread from one
computer to another through the Internet with ease.
The analogy I often use is that at the time none of us had
good locks on our doors, but the Internet was like a small town
30 years ago, and we could perhaps be excused for not locking
our doors and not expecting anyone to break in. But times have
changed.
The Internet is now a global platform connecting billions
of people. Very often, when building systems, firms focus
heavily on securing the perimeter, making sure there are good
locks on the doors; but once the perimeter security is breached
systems inside the wall are entirely too vulnerable, as we saw
in the case of the Equifax breach.
In developing our solution for the CAT, we adopted best
practices, using multi-factor authentication and encrypting all
data, both at rest and in transit between systems. But beyond
that, we determined to build the system with a security-first
mindset, where cybersecurity is not an afterthought but is
built into the systems and processes from the start.
By building encryption technology into the very storage and
query systems of the CAT from the ground up we have designed a
system that not only has a very strong perimeter but, if
breached, has an array of extra protections to limit the
information a cybercriminal can obtain and to make it easier to
detect a breach when it happens.
So in conclusion, we at Thesys believe that the CAT is an
important step forward in the regulation of our markets. From
the time we signed the contract 7 months ago we have been hard
at work assembling our team, working with the SROs and the
industry to develop specifications, and building out the CAT's
technical and operational components.
We look forward to deploying and operating the CAT with all
stakeholders having confidence that the system is safe and
secure and having had sufficient time to discharge their
various requirements and responsibilities.
Thank you again for inviting me today, and I look forward
to answering your questions.
[The prepared statement of Mr. Beller can be found on page
42 of the appendix.]
Chairman Huizenga. Thank you.
With that, Mr. Concannon, you are recognized for 5 minutes.
STATEMENT OF CHRIS CONCANNON
Mr. Concannon. Thank you.
Mr. Chairman, members of the subcommittee, I am Chris
Concannon, President and Chief Operating Officer of Cboe Global
Markets. I have over 20 years of experience as an exchange
executive, trading firm executive, and a regulator.
Cboe operates six national securities exchanges consisting
of four options exchanges and four equity markets. We operate
the largest U.S. options exchange; we are the second-largest
U.S. equities exchange operator. Cboe also operates a U.S.
futures exchange, the largest European exchange, and a foreign
exchange platform.
I would like to thank the subcommittee for inviting me to
testify today regarding the Consolidated Audit Trail, or CAT.
In August 2012 the Securities and Exchange Commission
adopted rule 613 under the Securities and Exchange Act of 1934
to require securities exchanges and FINRA to submit a national
market system plan to create a consolidated order tracking
system. The primary rationale behind the establishment of the
CAT was to improve upon and consolidate a regulatory framework
that at the time was supported by disparate audit trail
sources.
The SROs initially submitted a CAT Plan to the SEC on
September 30, 2014. The Commission approved the CAT Plan on
November 15, 2016.
For several years, including during the last year since
that approval, the SROs have been working diligently on
execution of the CAT project. This has entailed, among other
things, a comprehensive bidding process to determine the
operator of the CAT Plan processor, selection of the CAT Plan
processor, negotiations of a contract with the chosen entity,
and commencement of the building of the CAT itself.
Accomplishing each of these steps is no small feat, given
that there are over 20 SROs operated by multiple holding
companies that must effectively agree every step of the way.
Per the milestones set forth in rule 613, the Plan
processor was selected in January of this year. And the
development of specific details in the CAT design framework,
including data submission layouts and, in particular, security
protocols, have taken some time.
Pursuant to rule 613, the phase one implementation of the
CAT reporting process was due to go live on November 15th of
this year, 1 year from the approval order. Unfortunately, work
on the CAT is not complete.
In planning for the completion of the CAT project, the SROs
have taken into account the heightened need to maximize the
CAT's security planning and protocols, given the recent
proliferation of data breaches that have occurred and the
highly sensitive nature of the data that will be stored in the
CAT. The SROs have also thoroughly consulted and forecasted
with the CAT Plan processor and considered ample feedback from
industry participants on deliverables and expectations.
The proposed revised schedule takes into account these
factors, as well as forecasting based on detailed framework
plans.
We continue to work toward expeditiously completing the CAT
project. Indeed, our efforts on the CAT have been substantial.
To date, Cboe has spent over $10 million on CAT, we have over a
dozen employees regularly involved in the CAT project, and we
have spent approximately 30,000 man-hours on CAT.
I commend the subcommittee for conducting this hearing and
for continuing to focus on ensuring that the CAT is developed
efficiently and effectively while insisting that the data
security around the CAT is vigorous and robust. I am concerned
about the risks associated with storing PII in the CAT database
and can assure you that Cboe is very interested in working with
the Commission and other stakeholders on exploring alternatives
around PII as a necessary component of CAT.
While I recognize there are benefits to be derived from the
CAT, I also must point out that costs associated with this
project likely are ultimately funded by investors. We are
committed to building the CAT as currently contemplated and
remain committed to maintaining a strong regulatory program.
While the CAT buildout continues, please let there be no
doubt that our existing surveillance and regulatory framework
is robust and our markets are well protected. Indeed, the U.S.
financial markets are the most efficient and liquid markets in
the world and the regulatory framework around those markets,
led by the SEC, is second to none.
The CAT will be an important component of that framework,
and we look forward to the completion of a smart, secure, and
efficient CAT system.
Thank you for the opportunity to appear before you today. I
am happy to answer any questions.
[The prepared statement of Mr. Concannon can be found on
page 50 of the appendix.]
Chairman Huizenga. Thank you.
Mr. Gellasch, you are recognized for 5 minutes.
STATEMENT OF TYLER GELLASCH
Mr. Gellasch. Thank you.
Chairman Huizenga, Ranking Member Maloney, and other
members of the subcommittee, thanks for having us here today. I
am the executive director of a trade association of those
investors, the pension plans, and investment advisors who
believe that informed market participants and regulators are
essential for healthy markets.
Almost exactly 7 years ago--next week--then staffer Kara
Stein staffed a hearing across the Capitol where the SEC and
CFTC chairmen assured the public and our bosses that the
Consolidated Audit Trail was going to be up and running by now
and not be billions of dollars that had been projected in their
recent proposal, and we are now still years away from that.
We are ostensibly here to talk today about data security,
but rather, I will assert that this hearing is really about
whether for-profit market participants, some of whom may have
the most to lose by the creation of the CAT, are able to
exploit a convenient public fear to continue to deny regulators
the basic tools to police the markets. After years of delays
and exemptions, they have simply run out of other excuses.
The exchanges and FINRA have not offered any significant
new information as to why the provider that they selected and
the expectations and standards that they set are somehow
inadequate, other than repeating the words ``cybersecurity
risk,'' ``PII,'' and ``breach'' as many times and in as grave
of tones as they can muster. I don't know why the next major
market participant--or the next major market event or
manipulation will happen, but I can safely say that they will,
and the real question is whether or not you are going to give
the regulators the tools that they need to enforce and protect
investors.
Today, private market participants have a much more
comprehensive view of the markets than the regulators tasked
with overseeing them. Currently, if regulators want to see who
is conducting trading they have to ask FINRA, who then asks the
broker dealers for the personal identifying information. So the
broker dealers have it and it is just the regulators who don't.
But because there is no automated way to link the trading
and the underlying beneficial owner, there is actually very
little chance to identify and stop sophisticated market abuses
without a whistleblower. In fact, it is only those who are not
smart enough to spread around their trading who get caught.
And in fact, we only need to look at the Flash Crash to see
how this all works or doesn't. The Flash Crash was concerning
for a lot of reasons. And it was months before the SEC or CFTC
figured it out, and that is concerning in its own right.
But it wasn't until 5 years later that we learned the role
of one market manipulator outside of London in his parent's
basement--5 years later, and that was only because of a
whistleblower.
By using the NMS Plan process to build the CAT, the SEC
essentially outsourced every function for it, including who is
going to pay. It puts some of the parties who stood to lose the
most from the CAT's existence in charge of creating it.
The SROs were supposed to have the CAT Plan by April 2013.
When they weren't going to meet the deadline they asked for an
extension; they got it. When they weren't going to meet the new
deadline they asked for another extension; they got it.
More years, more exemptions, more delays. Now we are
finally about ready to have it, and we have reached the moment
where it is about ready to happen, and it is not going to
happen either. And the excuse is data security.
After 7 years of planning and hundreds of meetings and tens
of thousands of hours for some of these folks, what the heck
have they been doing if not worrying about data security?
Interestingly, they have been. They set detailed security
protocols and information-handling, some that actually SIFMA
(Securities Industry and Financial Markets Association) and
others have called the gold standard.
So I am not aware of any allegations that Thesys can't meet
the standards that the SROs set or that the standards
themselves are somehow inadequate.
The legislation this committee has passed and is now
considering would unquestionably delay the CAT and leave it
tied up in legal complexities and red tape for years--frankly,
if it doesn't kill it entirely. The new bill would prevent
Thesys from accepting data until the SEC certifies its
required internal risk control mechanisms.
To be blunt, do we really think the SEC are the experts on
data security right now? Isn't that why--part of the reason why
we are here?
But there are dozens of other questions, including the
adequacy: What is the SEC going to do? What is the standard?
Are they going to test the adequacy of those mechanisms? Does
that somehow inoculate Thesys from liability if there is a
breach because the SEC blessed it?
The bill would also require an entirely new and duplicative
cost-benefit analysis and a report to Congress on the need for
identifying information. That is not forwarding the process.
That is not talking about data security. That is the primary
reason for the CAT, to figure out who is doing the trading.
I also want to take a couple of seconds here to point out
that that is not the only thing that is delayed. Who is going
to fund it is also delayed. The SEC has delayed that decision
until January 2018, and I am sure you will be surprised to
learn that the exchanges have decided to try to push most of
that burden onto the broker dealers, not themselves.
Longer term, I hope you push for the Consolidated Audit
Trail to be implemented without delay to include futures, and I
hope you end the NMS Plan process that got us into this mess.
Thank you.
[The prepared statement of Mr. Gellasch can be found on
page 61 of the appendix.]
Chairman Huizenga. Ms. Dolly, you are recognized for 5
minutes.
STATEMENT OF LISA DOLLY
Ms. Dolly. Thank you, Chairman Huizenga, Ranking Member
Maloney, and distinguished members of the subcommittee, for the
opportunity to testify today on behalf of SIFMA and share our
views on the implementation plan for the Consolidated Audit
Trail.
My name is Lisa Dolly. I am the CEO of Pershing, which is a
bank of New York Mellon company. Pershing is custodian for over
6 million U.S. institutional and retail clients, and we
safekeep, on behalf of those clients, more than $1.5 trillion
in assets.
This subcommittee's review of CAT implementation is
incredibly important and timely. There is a great value in a
workable, secure CAT, but the implementation issues remain
largely unaddressed and incomplete. Quite frankly, there is
concern remaining over the security of privacy issues.
When the CAT is fully operational, as mentioned before, it
will capture all customer and order event information for
equities and listed options from the time of execution,
becoming one of the world's largest databases. In fact, every
day the system will take in over 58 billion records--orders,
executions, quotes--and will maintain this to become a 100
million-data point database for institutional and retail
investors and their unique customer identifying information.
So despite the unprecedented amount of sensitive
information being stored in the central repository and the
associated data protection concerns, the technical
specifications that have been released to date do not,
alarmingly, include many details around data security and
protection. And as the SROs' initial reporting deadline
approached and passed, Thesys had not yet hired a chief
information security officer, who would be responsible to
review and implement the data security policies and procedures
to ensure the protection of CAT data, as required by the CAT
NMS Plan.
The SEC and the SROs should make the case that PII is
actually necessary for CAT. If sensitive identifying
information is included in the CAT, then the SEC and the SROs
must provide better assurances on the data security than they
have to date. Financial firms and regulatory agencies share a
common goal in securing and protecting the data entrusted to
them by clients and financial institutions, and this issue
trumps everything else.
In addition to the question of the uses of CAT data, all of
the 22 SROs and the SEC will be allowed to download any or bulk
data from CAT into their own systems, and the NMS Plan requires
the CAT to accommodate up to 3,000 users' access to that data.
As a result, the protection of the data depends not only on the
security of the CAT system but also the security of each of the
SROs plus the SEC.
SIFMA believes the draft legislation being discussed today
would benefit the protection of this information. At this
point, we think there should be a delay in the CAT
implementation to allow the SEC to examine the need to include
PII in the CAT, and if the SEC decides that such information is
necessary it is absolutely imperative that the CAT's data
security protocol be strong and secure.
The CAT NMS Plan should also be amended so that no PII or
identifying trade data can be extracted from the CAT processor.
Rather, the regulators should perform surveillance within the
CAT security perimeter.
A delay is also required to allow additional time for the
broker dealers' CAT implementation. Once the technical
specifications have been finalized, broker dealers should have
a minimum of 12 months to complete the implementation and
testing based upon final specifications.
Going forward, a collaboration among industry participants,
the SROs, and Thesys could really provide the opportunity for
CAT to be informed by the insights and interests of all those
affected and all the market participants so they can be
incorporated and provide for a successful CAT construction and
implementation. There is still time to get this right.
In conclusion, SIFMA appreciates the interest of the
subcommittee and is supportive of further efforts to legislate
improvements to the CAT. And I thank you for the opportunity to
testify and look forward to answering your questions.
Thank you.
[The prepared statement of Ms. Dolly can be found on page
54 of the appendix.]
Chairman Huizenga. Thank you, Ms. Dolly. Appreciate that.
And with that, I will recognize myself for 5 minutes for
questioning.
Many, including myself, have raised concerns about
cybersecurity and the protection of data submitted to the CAT.
Apparently some believe that it is, quote, ``just to exploit
convenient public fear.'' I don't believe that is the case. As
you know, the CAT NMS Plan requires a plan processor to appoint
a chief information security officer who will be responsible
for creating and enforcing appropriate policies, procedures,
control structures.
Mr. Beller, in your statement you said that Thesys
developed three principles that guided the design of the CAT
database. Specifically, you say, quote, ``third and most
importantly, the CAT must be secure,'' close quote.
If cybersecurity is top of mind for you and Thesys, why has
a chief information security officer not been hired to date?
Mr. Beller. Thank you, Chairman.
The selection and approval of a chief information security
officer is an activity that is collaborative between Thesys, as
the Plan processor, and the SROs acting as CAT NMS. As yet, we
have not agreed on a candidate.
The role is a very challenging role to fill that has
expectations in policy areas, in technology areas, in
management areas. And we are working collaboratively to find
the right person to fill that role. Our recent activities
together lead me to believe that we should come to a positive
conclusion shortly.
Chairman Huizenga. OK.
Mr. Concannon, is this simply private companies trying to,
quote, ``exploit convenient public fear'' for the concerns that
you have been expressing?
Mr. Concannon. I think the evidence is pretty clear that we
are not exploiting public fear when we see so many breaches
that have taken place, including our own Government, which has
been breached multiple times. And some of the most
sophisticated agencies of our Government have been breached.
So when I think about the information that we have planned
under the current construct to put into the CAT, I am more than
concerned that we are putting--in fact, all of your Social
Security numbers, as designed, will be in the CAT. And so we
all sitting around this table should be concerned how we
protect that information.
Chairman Huizenga. Has Thesys presented any CISO (chief
information security officer)--he--Mr. Beller said it is a
collaborative process. Have they presented any candidates for
that CISO position? And if so, why have they been rejected or
not--
Mr. Concannon. First of all, that entire space is very
difficult to find candidates. It is one of the hottest employee
spaces. We have had difficulty trying to attract cyber
specialists.
So it is a very difficult role to fill. This is a senior
cyber expert that we are trying to find.
We have looked at candidates. We have a very high standard.
All of the exchanges and SROs have a very high standard, and we
are using our own cyber professionals to evaluate, and they
have an even higher standard of one another.
So we have evaluated candidates and we have rejected
candidates.
Chairman Huizenga. OK. Since the CISO has not been put in
place and this agreement hasn't happened under the Plan, would
SROs really actually be able to begin reporting trade data to
the CAT?
Mr. Concannon. The SROs are subject to numerous rules. Data
protection is covered by Reg SCI (Regulation Systems Compliance
and Integrity).
Chairman Huizenga. So there may be--and just to get to that
there may be the physical ability, but is there the legal
ability? Is that what you are saying?
Mr. Concannon. In fact, there is the physical ability
today. We can put our data in the current CAT system.
Chairman Huizenga. So I could collect all of your Social
Security numbers and put them in my phone. Would that make you
feel OK?
Mr. Concannon. It would not make me feel--
Chairman Huizenga. You would be OK with that? I loan my
phone out to my kids once in a while. Is that--I think we made
the point that just because you can do something, we have to
make sure that it is prepared on that. And I am curious who
actually verifies that Thesys is complying with all the
cybersecurity requirements, as well.
Mr. Beller or Mr. Concannon or Ms. Dolly?
Mr. Beller. So there is a--the Plan itself lays out a very
robust framework for security and a bunch of audits and
approvals that must be completed in order for the CAT to go
live and operate. We need to collaboratively select the chief
information security officer.
The chief information security officer then has a fiduciary
duty, actually, to the SROs via CAT NMS, LLC. So that duty
actually trumps that person's duties to Thesys CAT itself.
Chairman Huizenga. And presumably the SEC, or no?
Mr. Beller. I don't know of anything in the Plan that
places an expectation that the CISO reports to the SEC. This, I
think, has to do with how the Plan is structured and the
relationship of the SROs to the SEC, so maybe--
Mr. Concannon. I have had a rule throughout my career that
nothing trumps the SEC.
Chairman Huizenga. Spoken like a truly regulated entity.
OK. So I am over, but let me just encourage you to move
forward, both of you--collectively, not you individually, but
collectively. We need to get this CISO in place so that we can
start meeting with that.
I am well over, but I recognize the Ranking Member for 5
minutes.
Mrs. Maloney. Thank you. And I join you in saying that we
have to get this CISO appointed. I suggest that we have a
hearing on this every month until we get them appointed and
hear what the success of it is.
Let me tell you, the stock market is exploding and many
people are putting their faith and hope in it. And I think if
we had a crash it would totally destroy the confidence of
Americans in the system. So I think this truly is probably the
most important thing we could do in our Capital Markets
Subcommittee.
Where is Thesys located? You beat out 30 major companies.
Where is your headquarters?
Mr. Beller. Our headquarters is in New York City, and we
have offices in Charleston, South Carolina additionally.
Mrs. Maloney. OK. And where are you developing the CAT
system? In New York City?
Mr. Beller. In both locations.
Mrs. Maloney. In both locations. And why is it taking so
long?
Mr. Beller. The CAT is taking a long time because it is a
complex system with multiple stakeholders who need to act
collaboratively in order to get this complex system up and
secure. We obtained the contract to build the CAT 7 months ago
and in that time have built out an organization, developed
technical specifications, built out pieces of the CAT and the
security program, and put them in place. And there are some
items that remain that have to be done collaboratively by the
stakeholders, including--
Mrs. Maloney. I think we should have a collaborative
meeting once a month and bring in all the stakeholders with the
SEC and see how we can get an agreement so we can move this
thing forward. I think this is a priority for our Nation.
I would like to ask Mr. Gellasch, you noted that the CAT
was developed in response to the Flash Crash, and certainly the
CAT will help the SEC reconstruct another market crash like the
Flash Crash. But apart from helping to reconstruct market
crashes, will the CAT help the SEC perform their normal day-to-
day oversight functions? What will the CAT allow the SEC to do
that it cannot do today or that it is doing very inefficiently
today?
Mr. Gellasch. Thank you for that question.
A couple of things. One is most people talk about the Flash
Crash as the precipitating event for the audit trail. That is
actually a little bit untrue, and here is why: As far back as
early 2009 there was an effort underway to understand who large
traders were and who was actually engaged in trading. And in
fact, there was a large-trader reporting regime that preceded
the Consolidated Audit Trail, and the Consolidated Audit Trail
proposal was released on May 26th of 2010.
The SEC didn't write that several-hundred-page document in
3 weeks. The SEC doesn't do anything that fast. So I would say
the Consolidated Audit Trail itself came together after the
Flash Crash, and certainly that was the precipitating event in
providing public feedback.
The reason why the underlying concern existed even before
the Flash Crash was because the SEC and FINRA--neither know who
conducts trading in our capital markets. So the current audit
trail systems tell you who the broker is but not whose trading
underlies it.
What does that mean? So assume for a moment you have those
who--for example, a market manipulator engages with a couple of
different brokers and trades in a couple of different venues--
perhaps equities and maybe in options. Those things would not
be seen in a coherent way.
And so because you don't know who is doing the trading, the
manipulations get lost in the noise of the markets. That is why
it takes a whistleblower to find market manipulation cases.
FINRA has incredible surveillance now that did not exist 7
years ago either. They have actually put in--99.5 percent of
equities trading goes into FINRA's pipe for surveillance. But
even with that it is still only the stupid who get caught.
Mrs. Maloney. OK. I would like to ask you what do you think
of the proposed legislation that would prohibit the CAT from
accepting personally identifiable information under the SEC
has--unless the SEC has conducted a cost-benefit analysis? And
is the collection of personally identifiable information
necessary for a system like CAT?
Mr. Gellasch. Well first, the whole point of the CAT is to
find out who is doing the trading, and you have to have a
certain amount of basic information about them in order to do
that. Now, there are a number of ways that could be done.
One would be to have all the personal identifying
information in it. Another could easily be legal entity
identifiers, which the CAT declines to do--doesn't do. I might
argue that might be a more elegant way of solving some of these
issues.
But the cost-benefit analysis suggested by the proposed
legislation, to me that cost-benefit analysis was done in 2009,
2010, 2011, it was done in 2012 in the final rule for this. So
it was done as part of the large-trader reporting analysis; it
was done as part of the Consolidated Audit Trail analysis.
It is long past settled that we actually need to know who
is doing the trading in our markets. So I would argue that that
is actually just to frustrate the purposes here.
I 100 percent agree with trying to make sure that data
security is important, and they should have someone there in
that role. But it also requires cooperation.
When we talk about what is taking so long to get this up
and built, they have had it 7 years--or 7 months they have had
the contract. They were involved in designing the
specifications for years before that, along with the SROs, but
that was only after several years of the SROs designing the
specifications.
Mrs. Maloney. OK. My time is up.
I would be inclined to join the gentleman with his
legislation if he removes the cost-benefit analysis, which,
according to your analysis--2009, 2010, 2011--is past settled.
I think this is a critical, critical issue.
After the financial crash in 2008, the Flash Crash,
everybody said, ``We have to know this information.'' If we
care about the future of the financial system of our country we
have to get this system up and running.
All of you are going to be part of making that happen.
I would like to get, if I could real quick, Mike Beller, to
get from you exactly the elements that you will be collecting,
send it to the committee. And I would like a monthly report on
whether or not you have gotten the person assigned. Let us know
or I will be calling you directly, because I think this is
incredibly important to our financial security and to our
country.
I yield back.
Chairman Huizenga. The gentlelady's time is expired.
And the Chair right now recognizes the Vice Chair of the
committee, Mr. Hultgren from Illinois, for 5 minutes.
Mr. Hultgren. Thank you, Chairman.
Thank you all. Grateful that you are here.
It was stated that the SEC doesn't move too quickly. I
think that is an understatement. And a big part of the delay
has--it was over 2 years, I think, that this has stuck within
SEC, so it is not just industry but there are other bureaucracy
problems that are a challenge, as well.
Mr. Concannon, I wonder if I could--first, welcome. Glad
you are here. Thanks for your work.
And if I can address my first couple of questions to you, I
wanted to get your opinion on making sure the cybersecurity
standards we are discussing today are really enforceable.
As you know, the CAT operator is contractually obligated to
be compliant with Reg SCI. Is there any reason to not make this
a statutory requirement? Would this be an improvement to the
discussion of the bill?
And then also, do you believe compliance with Reg SCI, NIST
(National Institute of Standards and Technology) standards, and
other cybersecurity protocols would improve if the CAT operator
were required to register with the SEC?
Mr. Concannon. It is a great question.
So Reg SCI is probably one of the most powerful rules I
have seen by the SEC in a long time. The requirements that come
with Reg SCI, because they are based on the NIST standards and
they are global standards, require a great deal of work and a
great deal of technical work included in that.
So all of the SROs, all the exchanges have to comply with
Reg SCI and, by definition, our vendors have to be in
compliance with Reg SCI standards. So it would make sense if
the CAT was--obviously it has to be compliant with Reg SCI
because of our own obligations and our vendor, but it would
make sense if they were even a Reg SCI entity and registered
with the SEC.
That is really how the SIP, the securities information
processor, where all the quotes come from our markets, is
currently an SCI entity, as we call it. So it would make sense
that others in the NMS Plan, including the surveillance part--
and more importantly, if they are carrying all this critical
information--not just PII, but proprietary trading information
is critical information that needs to be protected--it would
make sense that everybody in the chain is a Reg SCI registered
entity.
Mr. Hultgren. Thanks. I am going to shift a little bit, but
stay with you, Mr. Concannon, if I could.
I was hoping to see if you could speak to some of the
opportunities and challenges of data standardization. I
understand all the exchanges and broker dealers could
potentially report data in different formats, which would make
it extremely difficult for the CAT operator to transform this
data--these data sets into useful information for its users.
What steps should be taken to be sure data standardization
processes are as frictionless as possible? It seems like this
could be an opportunity to minimize costs. I wonder if you have
any thoughts on that.
Mr. Concannon. Yes. This is a critical element that is less
talked about because it is in the technical details of how
orders are--and information is sent into really any database
that we use for surveillance today.
We outsource all of our surveillance, or some of our
surveillance and market manipulation requirements to FINRA,
where they have become the master of normalization or data
standardization. All of the exchanges and the brokers have
different order types. There are thousands of different order
types that we have registered with the SEC, unfortunately.
Each order type becomes a new standard, a new piece of
information for surveillance purposes. If we don't standardize
all those order types it makes surveilling that database very
difficult. So it is critical to performing adequate and
superior surveillance to have data normalization or data
standardization.
Mr. Hultgren. Thank you.
Ms. Dolly, if I can address to you, this database, as we
are talking about, is going to contain every stock quote and
trade in America. Apart from safeguarding personal information,
what protections are being used to ensure the security of
trading and quoting data?
This information could be firm-specific and theoretically
could be used to reverse engineer broker dealer strategies to
serious detriment of not just the broker dealer but also the
client and ultimately to the markets themselves.
Also, this could all happen without a breach of the CAT.
This is something we recently discussed in the committee when
there were allegations of SEC staff illegally accessing trading
source codes. Thousands of people have access to this data.
Do you and does SIFMA share this concern? What do you
believe should be done to address these concerns?
Ms. Dolly. Our company doesn't really trade on a
proprietary basis, but I do represent 6 million individual
investors and institutions, and I can tell you that it is
critically important and a very large concern of theirs how we
handle their information and how we protect it.
And I believe to date it is not just the chief information
risk officer that hasn't been hired; I don't believe that
proper procedures and policies and actually the Plan around
securing that data has been shared, and so I don't have comfort
around that yet.
Mr. Hultgren. Thank you all.
I yield back.
Chairman Huizenga. Gentleman's time has expired.
With that, the Chair recognizes the gentleman from Georgia,
Mr. Scott, for 5 minutes.
Mr. Scott. Thank you, Mr. Chairman.
Ms. Dolly, I read your testimony and it is very
interesting, and I agree with you. But I would like for you to
highlight, if you could, when you did in your report some
serious data security implementation concerns. Of course,
paramount was the one in which the failure of the CAT system
processor's not having a chief information security officer in
place before the first reporting deadline.
Also, I have been getting some calls from some of our
friends in industry for a further delay of the November 2018
reporting deadline, and I would like for you, if you could
share with us that aside from maybe a full delay, could you
talk about what can be done in the short term, in the next
couple of months, that would make firms like yours and, quite
honestly, all of us in America sleep a little better? Because
there is some struggling as to how far to delay, what to delay.
What can we do right now, what--in order to do this?
Ms. Dolly, as you go through this, we do have people who
may be tuning in on C-SPAN, American people. ``What is CAT,''
they are probably saying. And of course we know it is the
Consolidated Audit Trail, but if you could walk us through
that, too, what we are talking about here and some suggestions
from you as to what is most immediate that we need to do.
Ms. Dolly. If I missed any of those questions just let me
know.
Mr. Scott. Sure.
Ms. Dolly. So I think what we can do immediately is two
things, maybe three. But first we need to work together in
order to finalize the technical specifications for CAT.
So I mentioned that the implementation deadline of November
would be very difficult because firms need at least 12 months
in order to implement. We haven't received the specifications
to date and we are already a month into this now, so I am down
to 11 months to be able to implement. And this is a large
project for most firms, and we absolutely need a year to be
able to design, create, and construct the solution.
So that delay is not really sticking our feet in the mud;
it is just reality that we need at least 12 months in order to
be able to implement once we receive the technical
specifications. So getting those technical specifications out
will hasten our ability to comply and participate in CAT as an
industry.
Mr. Scott. Let me ask you, you also mention in your
testimony a call for a serious cost-benefit analysis. Would
that be helpful? And also with that analysis you wanted to add
the consideration of whether personally identifiable
information, or PII, should even be collected in the first
place. Would you comment on that?
Ms. Dolly. Certainly. I think that there are ways that we
can move forward without PII being collected so that the
regulators and the SROs can perform the surveillance that they
need to perform and should perform to be able to provide for
and promote a healthy and secure capital market for both
institutions and investors. And it might be a more immediate
way forward through the large-trader rule, through the legal
entity identifier.
If we could start there that might be a more immediate way,
but what I would recommend is the collaborative effort on a way
forward between the industry and the SROs and regulators.
Mr. Scott. Yes. And I agree with you on that, and I think
that is a very, very important point.
Mr. Concannon, in your testimony you acknowledge that the
work of CAT is incomplete and you cite data security concerns
as a basis for that delay. Could you share with the committee
today the efforts being done at the CAT operating committee to
implement the data security protocols required by the CAT Plan
before November 15th reporting deadline?
Mr. Concannon. Great question. So the SROs that are
responsible for delivering the CAT have been working diligently
now for years, not only designing but also working with Thesys
to build and implement. We meet not once a week but several
times a week every week for hours on hours, and we have
subcommittees that are meeting.
We have built out a group of our own cybersecurity
specialists to work, so we are in parallel working on the
cybersecurity plan that the CAT will ultimately have while we
are also out looking for a cybersecurity specialist to be
employed by the CAT. So we are not standing still waiting
around for this person to show up. Every SRO sitting at the
table is hard at work and they are putting their highest
professionals into the CAT process to make sure we deliver this
CAT.
Mr. Scott. Thank you very much, Mr. Chairman.
Chairman Huizenga. Gentleman's time has expired.
With that, the Chair recognizes the gentleman from Maine,
Mr. Poliquin, for 5 minutes.
Mr. Poliquin. Thank you, Mr. Chairman, very much.
And thank you all very much for being here today.
This is a very, very important issue. All of us here on the
committee and here in the public sector have a responsibility
to make sure our markets are protected and remain liquid and
secure.
This is still America. People like to invest, like to buy
part of our economy, and they certainly have--should expect
their data to be secure.
And at the same time, I understand that the regulators are
in the business of making sure that we have an opportunity,
have the tools that we need, the data that we need to make sure
you catch bad actors.
I worry about everything. You do that when you come from
rural Maine. I worry about our small investors.
Let's say you are a nurse in Lewiston, Maine. And you are a
single mom; you have a couple kids. You have aging parents and
you see how expensive it is to care or help care for your
parents as they get older.
You are trying to save a little bit of money but you don't
want to keep it under the mattress and you know you are getting
almost nothing in cash, so you say, ``I want to buy 100 shares
of Walmart and I want to buy it through my local broker,
because I like Christmas and I buy my Christmas lights and my
ornaments from Walmart, so that is a great way to invest in
America.''
So I am giving this information to my broker--who I am. He
or she puts the order in. You get a confirmation back that, in
fact, the trade has been executed at a certain price.
Now, my question to you is the following: If something goes
wrong with that mom who is a nurse in Lewiston, Maine with that
trade or with her account, does that represent any disruption
to our capital markets? I would say probably not.
So my question is the following, is that, look, let's just
call a spade a spade. We have a real problem with data security
in America, whether it be the Federal Government, whether it be
Equifax, or whether it be folks like Wells Fargo who have been
misusing very sensitive personal data.
Now, I have a concern that we are building a new system
here to make sure we watch out for bad actors who could
adversely or illegally influence market trends. I understand
that. But you are putting a lot of data in one place--a lot of
data in one place. And that concentration--maybe over-
concentration--of the data concerns me.
Mr. Gellasch, am I pronouncing your name right, or close
enough?
Mr. Gellasch. Close enough.
Mr. Poliquin. Close enough.
How many pieces of data per day would run through the CAT
system when this thing is up and running, roughly? Billions?
Mr. Gellasch. It is close to 60 billion events per day.
Mr. Poliquin. 60 billion events per day. OK.
And could someone tell me--Ms. Dolly, maybe you can--tell
me why all kinds of sensitive personal information, including
Social Security numbers, which are critical to making sure
families can proceed with their lives with financial security--
whether getting on an airplane, or getting a passport, or
getting a job, or getting an interview for a job--why does that
information need to be loaded up in one place where we know we
have a problem everywhere and we are going to continue to have
a problem with data security? Why is that information
necessary?
Mr. Gellasch. So if I can--
Mr. Poliquin. Sure. Who wants to take a shot at it?
Mr. Gellasch. Thank you. So the question is whether or not
you need to know who that is or whether or not you need every
piece of data about that person that is important to do that
traveling along with that information. I would say those two
things are different questions.
Mr. Poliquin. And what is CAT doing now--what is being done
so that the CAT will be up and running when it comes to this
data? Is it necessary? Is it overkill? I am talking about for
the little investor in rural Maine.
Mr. Gellasch. Yes. I will say for the little investor--and
I will also say, our members are also investors who have a lot
of those people investing in them, too, it is their
information, as well. So be it a large pension plan or
something else, it is also a lot of those people.
And I would say I 100 percent agree the information
security is extremely, extremely important. What is equally
important for them is to make sure that the market doesn't do
something like a Flash Crash, because that will get them to
lose their investment; that will also get them to say, ``I am
not--I am going to put the money under the mattress again
instead of buying my 100 shares of Walmart.''
And that is what happened after the Flash Crash, actually.
A lot of money did come out of mutual funds as a result of
that.
So one of the things I think we really need to focus on and
say, look, what is the primary objective? The regulator needs
to know who is doing the trading. That is a simple need. The
regulators have known that now for decades. And they don't have
that information.
At the same time, how are you able to do that without
having Social Security numbers traveling along with order
information?
I would say there actually was a somewhat elegant solution
from legal entity identifiers and basic information and cross-
referencing that. I thought that that would be a solution.
Unfortunately, that is not the way the Plan was developed. That
is not necessarily the way this has moved forward.
I do think that FINRA has incredible capabilities on their
current surveillance right now, but I think their surveillance
team would probably also be the first to tell you that without
knowing who is doing the trading they essentially have to have
a whistleblower or they have to hit a screen and get very, very
lucky.
Mr. Poliquin. Thank you, Mr. Gellasch, very much.
Mr. Chairman, thank you for your indulgement. I appreciate
it. Yield back my time.
Chairman Huizenga. Gentleman's time has expired.
And we are getting some conversations going over here, too,
because I think this is a critical point in this whole
discussion: What is it that moves markets? Is it the individual
investor or is it an institutional investor? And that may be
some area where we need to explore that.
So with that, the Chair recognizes the gentleman from
Illinois, Dr. Foster, at this time.
Mr. Foster. Thank you.
Let's see. I guess this is a question for Mr. Concannon or
Mr. Beller.
I assume that there was a rather detailed cybersecurity
specification as part of the vendor selection process for this.
And did this include things like, the NIST specification for
cyber procedures, and so on?
Mr. Beller. Thank you. The CAT NMS Plan, as published,
contains an enormous amount of prescriptive information on
security. In fact, I would have to say that it is the most
comprehensive information security program that I have ever
seen specified in my life.
It includes background checks and fingerprinting of
employees and contractors; physical security of facilities; a
requirement to encrypt all data in transit and at rest, meaning
when it is moving through the system and when it is on
computers themselves; to segregate personally identifiable
information from all other information; and to ensure that
personally identifiable information is not returned as part of
the normal use of the CAT. In fact, there are special rules to
protect the personally identifiable information so that only
specific users can be empowered to have it, and those users
must have a need to know, and there are further cybersecurity
restrictions there.
So it is a very comprehensive--
Mr. Foster. --Personally identifiable information, that is
at the firm level, the individual level?
Mr. Beller. Individual level.
Mr. Foster. Individual. So this is like one trader inside a
firm, for example.
Mr. Beller. Yes. Or one customer of a firm.
Mr. Foster. Right. OK.
And so I had a question of--your testimony refers to
defense in depth, where you have cloud-based storage. When you
refer to cloud-based operations does that mean there are other
users on the same silicon of this, or do you have a dedicated--
will all the CAT information, where--when it gets aggregated,
be by itself in a room by itself, or are there going to be one
of these things where you are selling computer time to anyone
who is interested when--
Mr. Beller. So some systems of the CAT are completely
segregated. All the ones that involve personally identifiable
information are completely segregated in data centers--tier one
data centers, where the exchanges are located in Illinois and
in New York--New Jersey, excuse me. And that data is all
strictly in private data centers.
Other data of the CAT, when encrypted, can exist in cloud
systems that are inside the United States.
Mr. Foster. OK. And the encryption-in-flight is with
frequently renegotiated session keys and all this stuff?
Mr. Beller. Absolutely.
Mr. Foster. OK.
Now, you also mentioned the query structure, that when you
are querying--looking for abusive trading patterns, or whatever
the data set will be used for, that you had some method of
querying the data without just returning the entire
unencrypted--give me all the trades for Renaissance or someone
like that for the last 6 months. Do you have a way of querying
it and identifying abusive patterns without actually pulling
all the individual data for that?
Mr. Beller. So let me clarify that the--just want to make
sure that it is clear that the regulators, of course, have to
do the querying, not Thesys. Thesys has to provide the system
that permits the querying.
But in answer to your question, as I understand it, yes,
there are extensive query capabilities that allow the regulator
to request a very narrow slice of the data very specifically.
And to reinforce that I am--I repeat that in general queries
against the CAT system will not return PII in any case, that
that would be a separate query that would be specifically for
authorized--
Mr. Foster. A serial number for--that this was an
individual. If you are looking at a correlation between things
that look like market manipulation, where you have two
allegedly separate traders--
Mr. Beller. Yes.
Mr. Foster. --And you are looking for correlations to find
out if you are manipulating a price here and making a
derivative bet there, or something like that.
Mr. Beller. Exactly. So there would be a unique identifier
for--
Mr. Foster. There is a unique identifier, and so and the
personally identifiable stuff is the translation of that to
Social Security numbers and addresses. OK.
Mr. Beller. So presumably that would happen--
Mr. Foster. Identifying the existence of abusive trading
doesn't require knowing who it is, just the pattern.
Mr. Beller. At that point. The issue becomes figuring out a
uniform identifier for the individual requires PII.
Mr. Foster. OK. And then you have to understand if this
person is actually the brother-in-law of that person, and I--
there is no way to not go into addresses and names and other
databases to figure that out.
And so eventually a lot of the querying will actually have
to get access to, I would presume, to the personally--this--
there may be an illusory separation of this, is what I am--for
the queries that actually take place.
Let's see, and could you just quickly walk through how his
query system would have identified the abusive behavior of this
guy in London, whose name I forget, who actually went to jail
over abusive trading around the time of the Flash Crash? What
queries would have led to that?
Mr. Beller. So I am not a regulator and wouldn't want to
explain how a regulator does their job. The important point
that I can state here is that without the ability to identify
an individual then the orders just appear to be coming from a
broker dealer, and how does one separate one person's trading
activity from another?
Mr. Foster. OK. Thank you.
Yield back.
Chairman Huizenga. Gentleman's time has expired.
With that, the gentleman from Ohio, Mr. Davidson, is
recognized for 5 minutes.
Mr. Davidson. Thank you, Mr. Chairman.
And thank you, to our guests. I really appreciate your
expertise in this matter, and thanks.
A couple of you talked about how--painted this as some
draconian delay effort to sabotage CAT. And as the sponsor of
the Market Data Security Act I can assure you that it is not.
Frankly, I can't understand why it wouldn't take a simple
memo, if it is as clean-cut as, Mr. Gellasch, as you say it is,
as, ``Oh, well this has already been done. We have planned for
6 years.''
Great. Just send us a memo that says that. Piece of cake.
Doesn't even take a week.
But if you want to be thorough, in light of the new
director at the SEC coming in and finding after the fact that
there are data breaches in the SEC, as you point out, maybe
they are not the best--someone is going to certify it. Shall we
say that it is the chief information officer at Thesys? No.
Mr. Beller, you have an organization to run, and certainly
many other things to accomplish. In the absence of this
position being filled, who fills the role now?
Mr. Beller. So aspects of the role can be filled by other
individuals. For example, we have security experts working
together to build the security plan, and working
collaboratively with the SROs on that. We have technologists
who are experts in cryptography developing the cryptographic
systems.
But there are parts of the role that have to be fulfilled
according to the Plan by a chief information security officer
who has certain fiduciary duties and responsibilities, and
those we can't--we have no way around.
Mr. Davidson. Does that person somehow mitigate your
responsibility as the CEO for everything that happens or fails
to happen in your organization?
Mr. Beller. Not at all.
Mr. Davidson. Mr. Concannon, has Thesys presented any CISO
candidates?
Mr. Concannon. Yes. We have been evaluating a number of
candidates for a period of time, and it is, as I mentioned
earlier, it is quite a hard role to fill. It is quite a hard
role to find adequate candidates.
Mr. Davidson. What is the wisdom, in your mind, of going
forward without someone who owns the responsibility for the
security? Is the CEO at Thesys adequate accountability for data
security, or should this position be filled?
Mr. Concannon. As much as I will hold Mr. Beller
responsible for anything that breaks in the CAT, we do need a
cyber specialist sitting in the seat.
I want to clarify something. We are very focused on this
individual, but it is an entire process that that individual is
responsible for.
It is really network security; it is--and then it is also
what we call penetration testing. So there has to be a third
party that comes in--a professional third party that comes in
and tries to penetrate the CAT network. And that is done by all
of us--every SRO and hopefully most of the government agencies.
We have these third parties that come in and try to hack our
networks regularly.
We have to get to that level of capability to ensure that
this network that we are building, called the CAT, and all this
proprietary information that we are putting in is protected,
and even from our own hackers.
Mr. Davidson. Thank you very much for that, because it
highlights that it is not as simple as let's--``Yes, we have
already been doing that. Let's just send a memo.'' It is
something that would take a review.
I am reluctant to say how long that review should take,
whether it is a week or I would expect that it would be a
matter of months or weeks, not a matter of months or years, in
terms of making sure we have this well thought out.
Ms. Dolly, you point out one of the critical pieces is, in
most systems when there is a compromise, one of the most
frequent collapses or breaches is endpoint security. There are a
lot of inputs into this, and you pointed out that each entity
that is involved in launching this product should also have
some level of certainty in their data controls.
And Mr. Concannon, you referenced that in a way.
Could you offer your thoughts there, please?
Ms. Dolly. Yes. As I outlined, the more places that this
data resides the more requirements there are and the more
complex the security and protection around it needs to be. The
more users that have access to it and are able to do things
like bulk download creates risk to the folks whose information
is in there, and so it just creates more targets.
Mr. Davidson. Thank you for that. And that is exactly it.
It is risk-based.
And I think my time is expired, so thank you for your
testimony.
Mr. Chairman, I yield.
Chairman Huizenga. Gentleman yields back.
With that, gentleman from North Carolina, Mr. Budd, is
recognized for 5 minutes.
Mr. Budd. I am going to yield to the gentleman from Ohio
for a few moments.
Mr. Davidson. Thank you.
I just had one additional point there, because what we are
asking in market data is that it be a risk-based assessment.
And it is systemic, and maybe that has all been designed in.
But when you have voids at the top, when everyone is
responsible, as is often the case, no one is. And the concern
is that this is going on; the concern is that it has gone on in
the regulator, SEC, so doesn't it make sense?
So what would be the downside of making sure that we get
the product right? And when I think about it and I hear, ``We
don't have the instructions,'' I think about other products
like operating systems.
Part of the reason these devices were so successful, when
the one that I care to carry more wasn't, is they found people
to be able to write apps for it. And so people had to have
access to the code. However, having access to the code creates
some security risks.
So how do you keep that under control? What is the status
of being able to get that and assure us that we have the risk
controls, Mr. Concannon?
Mr. Concannon. Thank you.
Really I want to clarify one fact that we have been
wrestling here and hasn't been mentioned. We have the most
robust surveillance mechanism on the planet. We have
professional regulators across the country that are surveilling
all of the data, every trade that takes place in our markets.
So we are not--even though some other witnesses mentioned
that--risk and there is manipulation going on, we are catching
manipulation every day. We are catching manipulation across
client accounts; we are catching manipulation across markets
and across products. So we have some of the most robust
surveillance.
So when I think about getting it right I feel very
comfortable that we are very protected. All of our investors
are protected by the professionals that are defending our
market.
Mr. Davidson. Thank you.
I yield back, Mr. Budd.
Mr. Budd. Thank you.
Mr. Concannon, to continue, so given the relatively limited
Flash Crash activity since 2010 and the clearly increasing risk
of cyber incursions that we have seen, it looks to me that the
risk calculation concerning the CAT, or the Consolidated Audit
Trail, truly changed. It looks like what we are trying to
address, the Flash Crash, is less likely, and the problems that
a single point of failure would cause are actually more likely.
So is it your view, as well, and can you talk about the way
that the risk environment has changed for this project and how
that has changed over time?
Mr. Concannon. Sure. First of all, there has been this
misunderstanding that the CAT somehow stops flash crashes. It
has nothing to do with stopping flash crashes. It is a
database. It is a database where we house information.
In fact, we had a mini flash crash in August 2015 and we
were able to replicate the market behavior very quickly and the
SEC was able to issue a report because they actually hired
Thesys to write MIDAS (Market Information Data Analytics
System), which is a database that they use to look at the
market and study the market and analyze it.
As I think about it, the material, the data that is going
into CAT, both in phase one--and eventually PII data, but even
just the phase one--is proprietary trading information of not
only investors but market makers and proprietary trading firms.
And it can be used to manipulate our markets.
So the first phase of CAT is critical data going into a
database that we need to protect. And I would agree with you
that cybersecurity is the number one concern right now, given
all of the evidence that we have seen by some of the most
technically sophisticated operators that they, too, were
hacked. So we need to have that as our first line of defense
while we build this system.
It is OK to take time to get it right because we have the
best surveillance mechanisms today provided by the exchanges,
the other exchanges that don't sit here, and FINRA.
Mr. Budd. Thank you, Mr. Concannon.
Ms. Dolly, in the remaining time I have, you note in your
testimony that the draft CAT specs have been released today.
They don't have a lot of detail on data security and
protection.
So in your opinion, what is missing in regards to what has
been released so far?
Ms. Dolly. Really just about everything. We haven't
received very much around cybersecurity and the protection that
we would demand and need to protect institutional and retail
clients. So I don't believe that has been issued to date, and
it would be a responsibility, I would imagine, of the CISO when
they are hired.
Mr. Budd. Thank you, Ms. Dolly.
I am out of time. Yield back.
Chairman Huizenga. Gentleman's time has expired.
But we are hoping, if it is all right with our panelists,
to do a quick second round, as well, if you have the time and
the ability to stay. There is interest on--I think on our side
as well as the minority's side. We do have one more person, I
believe.
Mr. Gonzalez, are you prepared?
Mr. Gonzalez. Yes.
Chairman Huizenga. You are recognized for 5 minutes.
Mr. Gonzalez. Thank you.
The question is for Mr. Beller, and the question is, the
CAT Plan expressly requires that the CAT include industry
standard data controls, including the cybersecurity framework
established in the National Institute of Standards and
Technology. Can you describe the specifics of the aspects of
the CAT design that provide protections for personally
identifiable information, such as customer data, that will be
reported to the CAT?
Mr. Beller. Thank you for the question. Absolutely.
So first to point out that the--there are extensive
cybersecurity requirements in the Plan. One of them is that the
Plan processor has to build the system in accordance with the
National Institute of Standards and Technology, or NIST,
cybersecurity framework, which explains whole areas of control
groups around many different aspects of security. It is a
comprehensive plan and we are building to that structure.
With respect to personally identifiable information in
particular, there are an extra set of requirements that are
specific to that data as opposed to or as distinguished from
other data in the system. There is a special role-based access
control that a regulatory user of the CAT is not necessarily
permitted to access the PII except on a need-to-know basis. So
that means there are extra access controls in the system that
allow you to--allow an administrator to determine that an
individual can be allocated access to that data or not,
separate from access to the system.
It is stored in separate areas, actually in separate
physical data centers, and not stored in the cloud. It is
encrypted in transit, at rest. There is an audit trail specific
to the access to personally identifiable information over and
above the auditing of everything else that happens. And in
general, record displays in the CAT, they don't display the
personally identifiable information.
I also want to point out that personally identifiable
information won't be collected in the CAT until phase two,
when--not--it will not be collected in the initial deployment
of the CAT, which only, in its initial phase, takes data from
the participants themselves, which are the exchanges and FINRA.
Mr. Gonzalez. Thank you.
I yield back.
Chairman Huizenga. Gentleman yields back.
With that, the gentleman from California, Mr. Sherman is
recognized for 5 minutes.
Mr. Sherman. Ms. Dolly, what would it take for you to be
comfortable resuming implementation of CAT, and what would it
take for those of us whose data is in the hands of your
customers to also be comfortable?
Ms. Dolly. I would be much more comfortable if we
understood what the technical specifications were so that we
could make certain that we could build the house that we are
being asked to build. If we don't know what we are building it
is a little bit difficult to make certain that we meet the
obligations.
The second is that I would like a robust discussion around
whether PII is actually necessary, or can we use patterns and
other data so that we could identify things that may create
uncertain markets or unsecure markets and be a risk to our
markets, yet not create such a large database of personal
information that is subject to cyber risk and other.
And I would certainly be open to figuring out a way--a
collective dialog that would help us to move implementation
forward with insight and influence by all participants. We all
have, quite frankly, a vested interest in a secure and healthy
capital market, but we also have a vested interest and we have
an actual duty to protect clients' and investors' private
information.
Mr. Sherman. Mr. Beller, I wonder if you could shed some
light on how Thesys and the committee are approaching the
hiring of a chief information officer. I assume you are
recruiting someone with world-class experience in
cybersecurity.
Mr. Beller. Absolutely. We have engaged a prominent
recruiter. We have 24 candidates under consideration, if I
recall correctly just from memory. It could be changing day to
day. A number have already been initially interviewed and we
are now in the process of setting up interviews that would
include both Thesys CAT personnel and SRO personnel.
Mr. Sherman. Also, Mr. Beller, we should be focused on
improving the data available to regulators without requiring
market participants to engage in costly duplicative reporting.
How do you tend to construct CAT so that the existing system,
like OATS (Order Audit Trail System), can be retired as soon as
possible after CAT is up and running?
Mr. Beller. So it is our opinion that one of the real
positive aspects of the Consolidated Audit Trail is it allows
the retirement of several existing systems, one of which is
OATS. And as I understand it, FINRA has published an
explanation of the process by which, once the CAT has come up
and is running and has, according to them, measured certain
reporting quality standards, then they would be retiring OATS.
Mr. Sherman. Ms. Dolly, is that a system that works for
your members?
Ms. Dolly. Yes. That would be fantastic if we got to that
point so we didn't have duplicative reporting requirements.
Mr. Sherman. Mr. Beller, could you provide a summary of
Thesys' expertise with respect to management and security of
market data, including expertise in responding to cyber
attacks?
Mr. Beller. Certainly. I personally have been involved with
cybersecurity for an extended time. There is some information
in my prepared testimony.
In fact, as a researcher in the Bell Communications
Research, which was the research organization of the telephone
networks back in the day, I myself did research on the
application of cryptographic protocols to securing
communications.
I have been involved in building such systems over--systems
in the capital markets for quite a long time now. And one
example of that--of course, it is not just me. My company has a
large number of capital markets technology experts with a great
deal of cybersecurity expertise.
We have, for example, deployed the MIDAS system for the
Securities and Exchange Commission starting in 2013. In fact,
we received the contract in August 2012 and within 6 months had
a system up compliant with the National Institute of Standards
and Technology security framework and meeting all requirements
required by that framework, and had authority to operate.
That system has been operating for 5 years and we were
recently renewed, showing renewed confidence in us.
Mr. Sherman. Thank you.
My time is expired. I yield back.
Chairman Huizenga. Gentleman's time has expired, but we are
going to move to a second round.
And I will recognize myself here for 5 minutes to continue
the conversation. A little bit of what Mr. Davidson was talking
about, but certainly what the Ranking Member and I were talking
about up here.
Ms. Dolly, I would like to know, are retail investors
typically involved in market manipulation?
Or maybe, Mr. Concannon, you can address that, as well.
Ms. Dolly. I don't know necessarily how to answer that
question. I am sure they could be, but in the past there--it
has been more of an institutional mechanism. For example,
algorithms and trading platforms that kick off at certain
points in a market movement generally have contributed more and
are able to swing the market more, certainly, than a retail
investor.
Could there be a bad actor that is a retail investor? Of
course. But the average retail investor, as described before,
is not necessarily going to be able to move the market.
Chairman Huizenga. Mr. Concannon?
Mr. Concannon. Yes. In fact, when you look at the data--and
Mr. Gellasch mentioned the large-trader ID--if we were to
implement a large-trader ID we would probably capture the
majority of what I will call the surveillance alerts that our
regulators are seeing day in and day out. So retail investors
generally are not involved in manipulation. There are retail
investors that obviously get caught up in insider trading, and
we capture those quite quickly.
We are seeing an increase of--
Chairman Huizenga. So just on that point, so you don't need
PII at that point, that data, to necessarily catch somebody who
is doing insider trading?
Mr. Concannon. To be clear, we, the market and the
regulators, always get PII. So the PII exists in the regulatory
framework.
Chairman Huizenga. But it wouldn't have to go into a
database--
Mr. Concannon. We don't need it--
Chairman Huizenga. --To catch those inside traders.
Mr. Concannon. --In the surveillance. There is not a
surveillance mechanism in the U.S. that is surveilling Social
Security numbers to look for insider trading.
Chairman Huizenga. So have there been alternatives really
considered? Mr. Gellasch talked a little bit about this large-
trader ID, which has been talked about.
Why could we not just do that--assign a certain threshold
and above has to have this ID, then use that, load that into
the database. It would seem to me that that covers what the SEC
is trying to get at; it covers the tracing of market
manipulation and other things; yet, it doesn't expose
individual retail investors, Bill Huizenga going out and buying
300 shares of, pick it, Gentex or, Steelcase, or whatever it
might be--good West Michigan companies.
A, I am not moving the market. B, I am not using any
manipulation into that, but I am exposed. And information is
the gold--personal information is the gold of the modern era,
as I always say. And if we know that there is a--that the safe
has been cracked and we say, ``cat burglar got away, or maybe
we even caught the cat burglar but let's just load some more
gold into that vault,'' which we know has been breached, why
would we continue to do that?
So--
Mr. Concannon. There was a question in that--
Chairman Huizenga. Yes. Here is the question--
Mr. Concannon. I understand the question.
Chairman Huizenga. OK.
Mr. Concannon. The answer is there are alternatives to the
current design of PII in the CAT, and I was encouraged by
Chairman Clayton's recent statements, and he continues to make
those statements that he is open to looking at alternatives on
PII in particular. Among the industry and some regulators we
have talked about a large-trader ID solution as a fairly--
Chairman Huizenga. Which could be an individual, right? If
it is--
Mr. Concannon. It can be a professional trader--
Chairman Huizenga. --Buying huge, massive blocks as an
individual.
Mr. Concannon. This is a method that is used in the futures
market. There is a concept of large-trader ID. It follows every
order into the surveillance system so you can track the large
trader based on their activity.
So yes, there are solutions that are being kicked around to
avoid having that PII information in the database.
We will always get access. Regulators have ample access to
PII information under the blue-sheeting technology that we
have.
Chairman Huizenga. When it comes to enforcement?
Mr. Concannon. Right.
Chairman Huizenga. I am going to get to you.
But real quickly, Mr. Beller, you are including PII because
you are required to include PII, correct?
Mr. Beller. That is absolutely correct.
Chairman Huizenga. OK. So if we come back and, working with
the SEC, or legislatively we say, ``Hey, let's develop a
separate system,'' you have no problem being able to do that?
Mr. Beller. Absolutely.
Chairman Huizenga. All right.
I am over my--I am going to try to do that. The Ranking
Member, I would--believe would go to Mr. Gellasch here, but I
am--with that, my time is expired.
Mrs. Maloney. OK. If anyone would like to respond to the
Chairman's statements--Mr. Gellasch, why don't you start and
anybody else who wants to respond.
Mr. Gellasch. Thank you for the opportunity. I wanted to
actually echo and agree.
Frankly, the FINRA had proposed using a large-trader ID
reporting system as part of the Consolidated Audit Trail many,
many years ago and actually wrote a white paper on precisely
that point. I think when you convert to a different model like
that two things have changed since that time.
One is, what is the purpose in the abstract? Where do you
set those thresholds, becomes a very, very, very important
question in terms of volume thresholds and those types of
things. I do think that there is significant opportunity there
to reduce risk, perhaps, while still capturing the bulk of
concerning things.
Two, there actually is a system that would be valuable in
the legal entity identifier--again, one that was not included
with the CAT but something that I would argue should be
included in the CAT.
And I will actually make a third point, which Mr. Concannon
brought up, which is that a system similar to that is used in
the futures market, and I would argue remarkably effectively.
Mrs. Maloney. Thank you.
Mr. Beller, you noted in your testimony that the CAT is
subject to very robust cybersecurity standards. Have you
actually completed your work on implementing these
cybersecurity standards yet?
Mr. Beller. The work is not complete, and we have discussed
today some of the key elements that are missing. And one of the
most important is the naming of a chief information security
officer who has very specific roles in the completion of the
process.
Mrs. Maloney. If the exchanges started submitting data to
the CAT today would that information be protected?
Mr. Beller. I believe that the Plan requires us to go
through some steps before we can accept data.
Have we built a technical system that can receive and
secure data? Yes, I believe so.
The Plan requires us to go through a number of steps to
certify that, and those are collaborative steps between us and
the SROs: Naming the CISO, approving all appropriate
cybersecurity policies, and having what is called an
independent third-party audit of both the code--that is to say
the software code--and the third-party penetration testing.
Those things all are steps that are required and they haven't
been done as yet.
Mrs. Maloney. Mr. Gellasch, in your written testimony you
pointed out that the CAT bears many similarities to FINRA's
Order Audit Trail System, or OATS. Can you walk us through some
of those similarities? What are the similarities to OATS?
Mr. Gellasch. Yes. So the Order Audit Trail System actually
itself was a response to a crisis in market surveillance,
actually, and created in the 1990's for that purpose.
And what it does is it is a comprehensive audit trail
system, but it doesn't include beneficial owner information; it
doesn't include the types of precision you need to conduct
modern surveillance. It was a product of the late 1990's.
And it is the--you glue that together. What FINRA does is
they glue that together with the consolidated prop feeds to
really get an understanding. And they do fantastic
surveillance, but without the benefit of the beneficial owner.
So trying to figure out who is doing the trading isn't in
OATS, but it would be in the Consolidated Audit Trail. But
conceptually they are remarkably similar.
They are also remarkably similar in something Ms. Dolly
spoke about earlier, which is how many people access the system
and how many people are inputting into the system. One of the
greatest challenges with the Consolidated Audit Trail, it is
not just the folks who get to access the data; it is actually
one of the greatest challenges is something she has touched
upon, which is the folks putting in the data.
When you have thousands of folks putting data into a system
a lot can go wrong. And that is actually one of the great
challenges.
And again, FINRA has been doing this a very long time, and
actually that--they have learned from that over now several
decades, and that--all of that knowledge has actually gone
into, I think--
Mrs. Maloney. So that is a very important point, so I want
to go back to Mr. Beller.
Who is going to be putting the data in, Mr. Beller, into
your system? Who is going to have--be putting that data in?
Mr. Beller. The broker dealers will each be responsible for
transmitting their data into the CAT on a daily basis.
Mrs. Maloney. And the basic difference between CAT and
OATS, again? What is the basic difference between them?
Mr. Beller. Oh, was this to me?
Mrs. Maloney. I am talking to Gellasch right now, yes.
Mr. Gellasch. Sorry. Most important to me is knowing who is
doing the trading. And as Mr. Concannon referenced, the--
Mrs. Maloney. In other words, you don't know who is doing
the trading in OATS, right?
Mr. Gellasch. You don't know who is doing the trading.
Mrs. Maloney. OK.
Mr. Gellasch. That is right. All they can say is whether or
not it is principal or not, and so they--you don't know who the
beneficial customer is.
Mrs. Maloney. OK. Going back to the point of Ms. Dolly real
quick, she says there is duplication.
So in your view, is the CAT necessary in light of the
similarities to OATS? I am talking to you, Mr. Gellasch. Her
point is there is too much duplication.
Mr. Gellasch. Sorry, I--
Mrs. Maloney. Do you think it is necessary? Is the CAT
necessary?
Mr. Gellasch. One of two things I think is absolutely
necessary. What I thought when people started this process of
building the Consolidated Audit Trail in 2009, before it was
even released, was that you could--the thought was to upgrade
OATS: OATS 2.0. And most of the industry thought that was what
would happen.
We have gone down a very different path now where we are
creating the Consolidated Audit Trail and maybe retiring OATS.
But in either outcome it is a critically important and
necessary step to understand who is doing the trades in an
automated way so that the regulators can actually see, in an
automated way, who that is.
Mrs. Maloney. Thank you.
Chairman Huizenga. Gentlelady's time has expired.
With that, the Vice Chairman, Mr. Hultgren, for 5 minutes.
Mr. Hultgren. Mr. Concannon, just real quick, can't they
already get that information off the blue sheets?
Mr. Concannon. Yes. To be clear, all the client information
is available through blue sheets within 24 hours.
Mr. Hultgren. Yes. That is what I thought.
Mr. Concannon. And there has been a--more of a recent
challenge for the regulators because what they are finding is
certain traders, professional traders, usually sitting outside
this country, are using their family account information to
open up accounts to start manipulating markets. So today our
regulators are already finding cross-market and cross-account
manipulation. Having those identifiers flow through the CAT is
helpful, but the bad actors have already found a way around
that.
Mr. Hultgren. Right.
Mr. Beller, I wonder if I could address to you, your
testimony and discussion generally is focused on preventing
intrusions into the CAT database and also mitigating data loss
in the event of such an intrusion. As you know and as we have
talked about, the SROs and the SEC would be able to download
data from the CAT into their own systems.
I wondered, how can you protect the data once it has left
your database that you have designed? It seems that once it is
on another server that it would be susceptible to all the
vulnerabilities that your cybersecurity efforts were designed
to protect it against once it has left your database there.
Wouldn't preventing the downloading of this information greatly
reduce the risk of a data breach?
Mr. Beller. Certainly we cannot control the data once it
leaves the system. The Plan does call for the chief information
security officer of the Plan processor to review the procedures
that the SROs use to protect the data.
We, in our original vision for the CAT and the vision that
we are executing on, want to build a system that has as much
functionality as possible on the platform so that the SROs can
do their work on the platform and not have a great need to
remove the data. But the Plan does require them to have the
ability to remove the data.
Mr. Hultgren. Seems like there is an obvious risk there
that we need to continue to talk about and figure out.
I am going to wrap up my time with Mr. Concannon and Ms.
Dolly. And you have talked about this; Chairman Huizenga
brought this up, but just maybe a little bit more. How could
unauthorized access of identifiable proprietary transaction
data be used for market manipulation if it even could? And
wouldn't unauthorized access to identifiable proprietary
transaction data run counter to CAT's goal of instilling market
confidence?
Mr. Concannon. So my biggest concern--and you raised it in
your question, and it has nothing to do with PII. It has to do
with the proprietary trading information of our members. These
are firms who have spent millions of dollars developing just
basic market-making code on how their market-making models
perform.
There are going to be people, bad actors that want access
to that. And they can reverse engineer the information from the
data in the database, and then they can trick the market-maker
code to do bad things. And they can profit from that.
And we see it every day. There are people that don't have
access to the data that are trying to make market-makers lose
money, and we are finding that behavior. But if they get access
to that unique information it is much easier.
Mr. Hultgren. Yes.
Ms. Dolly, any last thoughts?
Ms. Dolly. I don't know if this is manipulation of the
market, but it is certainly manipulation of the investor: When
access is penetrated what we have seen is that--what we call
account takeovers, where bad actors come in and they are able
en masse to be able to collect information that is personally
identifiable, and even if it is simply their investing account
they can go in and execute orders that would benefit them from
a profitability perspective.
Mr. Hultgren. Yield back the balance of my time to the
Chairman.
Chairman Huizenga. Gentleman yields back.
With that, the Chair recognizes Mr. Vargas from California
for 5 minutes.
Mr. Vargas. Thank you very much, Mr. Chairman. Appreciate
the opportunity.
A question to Mr. Gellasch. You were saying that you
expected there would be an OATS 2.0 as opposed to a--that we
would go down this different avenue that we now have. So I
would ask you this, then: Why is it so important that we know
who is doing the trading? Is it because of--if you could expand
a little bit on that, is it because of market manipulation, or
because of data breach? Why is that?
Mr. Gellasch. Yes, and I actually--this was something that
Mr. Concannon also briefly touched upon. If you have the
opportunity I encourage you to ask your staff, or you
personally, to go speak with the market surveillance folks at
FINRA. It is an incredibly impressive team that oversees the
markets.
And one of the most disturbing things I learned when I was
a securities defense lawyer and had a number of firms as our
clients, and I focused on trading cases--market manipulation
cases, in fact. And one of the things that was really
disturbing to me when I went to work for the government was I
met with Tom Gira and the FINRA folks who are still there and
they were able to show me how they--the trails went cold.
They could see abusive trading; they could see
manipulations. And the trails disappeared. And increasingly so
if you were to have those conversations or your staff were
today, they would disappear often in China, or Eastern Europe,
or other places outside of the United States.
And one of the things that is very, very, very hard to do
is to track trading across markets. So they have gotten very,
very good at trying to reverse engineer patterns. They have
hundreds of them trying to reverse engineer patterns to
basically solve a problem that would be readily solved and much
more likely and consistently solved if they actually knew who
was doing the trading in the first place.
Mr. Vargas. Would anyone else like to comment on that?
Mr. Concannon. Yes. Just in terms of the trail going cold,
just to clarify--it isn't quite aware of how it works,
unfortunately FINRA doesn't have the jurisdiction nor do the
exchanges and the other SROs against an individual. And so
those cases are passed to the SEC and the SEC then has full
jurisdiction to go after individuals that perform manipulation.
We have jurisdiction over only our members to prosecute our
members.
Trail going cold means there is an individual trader in a
foreign jurisdiction trading in our markets doing bad things
and it is at the hands of the SEC to go and prosecute that
individual. That is very hard for them to do. When they think
about all the resources that they have, there are a lot of
bigger things for them to go after.
And so trails do go cold, but we have rules in place now
that will actually shut off the firm that actually allowed that
individual into our market. So there is more detriment now
because of some of the rules--recent rules that we have passed,
where you lose complete access if you let bad actors into our
market.
Mr. Vargas. Mr. Gellasch, yes, sir?
Mr. Gellasch. I might respond all of that is fantastic, and
the market access rule is the one he is referencing, and
others. I think that those are absolutely fantastic
developments.
The trouble is, again, in order for those things to happen
you have to know that the manipulation is happening, and so
when you look at some firms that may have thousands of
customers all trading at real time, a lot of these
manipulations actually just get lost in the noise, whereas if
you are able to identify the individuals or individual firms
they wouldn't.
Mr. Vargas. OK.
Mr. Gellasch, last to you, there are some people that
believe that because of data breaches that the opponents of CAT
say that things should be slowed down. Could you comment on
that? Because we have known now for a long time there have been
cybersecurity problems since 2010, I believe.
Mr. Gellasch. Yes. Cybersecurity has actually been a
significant concern for the years even before the Consolidated
Audit Trail.
And since then we--most recently we are certainly focused
on Equifax and the SEC's decades-old EDGAR system, but we can
go back in time, right? We can go back in time to things like
Target with credit cards, or we can go back to JPMorgan Chase,
or we can go back to a number of other very large--some of the
most sophisticated firms in the world who, by the way, also
have extremely valuable databases.
Now, let's be clear: Is a database that may be worth
billions of dollars and tens of billions of dollars to someone
who wants to do bad things a bigger target than one that is
worth maybe several billion dollars? The answer is yes.
In both instances however, there is a pretty strong
incentive and a pretty significant data risk associated with
that. I think that those have existed now for years.
Frankly, that is part of the reason why I find it
interesting that I am on the panel defending the standards,
protocols, requirements, and contract requirements that the
SROs built into the Plan when they designed it along with
Thesys and other data security experts, but that is where we
are. They actually were very, very good about this and they
have been for years, and they still are.
What is interesting to me is to understand that they
selected Thesys just a few months ago and it was only over the
last several years--
Chairman Huizenga. Gentleman's time has expired.
Mr. Gellasch. --As this was evolving that those
requirements were being established.
Mr. Vargas. My time is expired.
Thank you, Mr. Chairman.
Chairman Huizenga. Gentleman's time has expired.
With that, gentleman from Ohio is recognized for 5 minutes.
Mr. Davidson. Thank you, Chairman.
And thank you all for continuing to answer some good
questions here so we can solve this problem, or at least be
confident that it is solved.
Mr. Beller, under the CAT NMS Plan, who verifies that
Thesys is complying with all relevant cybersecurity
requirements?
Mr. Beller. The chief information security officer of
Thesys CAT is also a fiduciary of CAT NMS, LLC, which is the
consortium put together by the SROs. That duty, that fiduciary
duty, overrides all other duties of that individual, and his or
her activities are overseen by the operating committee of CAT
NMS, LLC.
Mr. Davidson. Thank you for that.
And so when I look at that piece, one of the other pieces
is--maybe, Mr. Concannon, you could answer--is what
cybersecurity requirements the SEC itself or other users of the
database obligated to implement in order to comply with the
cybersecurity standards for access?
Mr. Concannon. You are putting me in a difficult spot to
suggest that the SEC has to have a higher standard of
cybersecurity access.
I will use Chairman Clayton's statement. He actually
committed to not have anyone at the SEC access the CAT data
until he was comfortable that they had the highest standard of
cybersecurity protection, because under the CAT Plan the SEC
has requested to have almost 1,000 users have access to the
database through portals that will be provided by Thesys.
So when we think about the complexity of this system it is
not just putting data in a database that people have
surveillance access, there are actual people, users, that will
have access to this database sitting in front of a terminal in
an office.
Mr. Davidson. Yes. Thank you for that. And that goes to one
of the endpoint security pieces that is so critical for any
access control.
And so one of the things, aside from great protocols and a
lot of forethought given to it for years, and including in the
specs that were released to even solicit bid references to
cybersecurity, some voids still remain. And a lot of the
question keeps coming back to personally identifiable
information, and I get the tradeoff: If you don't know the
beneficial owner, what is to prevent any one person from
launching a dozen LLCs and, I know a dozen LLCs but you don't
connect the dots.
So you have to know some level of personally identifiable
information. But, Mr. Beller you made reference to the fact
that when this initially launches you don't have that. So I
guess where is that balance supposed to be struck right now? We
have talked around the issue a lot: What are the things that
could be done while you are going live with the system before
you begin to collect PII?
Mr. Beller. Yes. So the reason there isn't PII in the
initial phase of the CAT is because the reporters are just the
exchanges themselves, and they are responsible--they receive
incoming orders on the basis of what member of their exchange
is sending to them. So that is not--the number of members
involved is very, very small relative to the hundreds of
millions of personally identifiable information that we are
talking about.
In the second phase, where other broker dealers who are
customer-carrying broker dealers come in, that is when the PII
comes in.
Mr. Davidson. Got it.
Mr. Beller. And that does give a little bit--that gives
extra time that is involved in the building of the CAT before
the PII comes in.
Mr. Davidson. So delaying that phase could accomplish a
lot, if necessary. Frankly, it can be happening in parallel,
not just sequentially.
Ms. Dolly, you mentioned we are just now getting the
technical specs. There is a lot of work left to be done.
If there is a change in PII as you are in the process of
doing said work, how big of a deal is that for compliance?
Ms. Dolly. From an implementation perspective?
Mr. Davidson. Correct.
Ms. Dolly. Yes. We haven't actually gotten to the point
where we have the specifications, so getting different
specifications would not further delay it. So if we were able
to figure out a way to remove PII, even if it was to put some
other unique identifier for the client in there so that it was
not exposing us, I don't think it would add anything to the
implementation plan.
And I also wanted to thank you for sponsoring this
consideration of delaying it because we do have to get this
right and I think an open and robust dialog around it will help
us to get there.
Mr. Davidson. Thank you all.
My time has expired. I yield, Mr. Chairman.
Chairman Huizenga. Gentleman's time has expired.
And the gentleman from California, recognized.
Mr. Sherman. Ms. Dolly, I am told that there are 58 billion
records a day that we transfer to CAT. Does that mean there are
58 billion stock and bond transactions every day?
Ms. Dolly. No, those are elements of the transaction. So it
is the order execution, it is the order details, it is quotes,
it is--
Mr. Sherman. So if I order my name, my address, the date,
OK. How many transactions a day are we talking about being
reported? Does any witness know?
Mr. Concannon. So the bigger number is the quote and order
information in our markets. So if you think about an ETF
(exchange-traded fund), a very liquid ETF, there are thousands
of quotes per second in an ETF. These are--
Mr. Sherman. May not be a transaction; may just be an offer
to buy or an offer to sell.
Mr. Concannon. Exactly. No transaction, but many, many
quotes.
Mr. Sherman. So we are only dealing with a few billion
transactions every--
Mr. Concannon. Yes.
Mr. Sherman. Glad our universe is small enough for us to
deal with it.
Let's see. Mr. Gellasch, CAT was created pursuant to the
National Market System, NMS Plan. Could you describe how the
NMS Plan model differs from traditional rulemaking? I know
SIFMA has raised concerns that it allows the SROs and the
exchanges and FINRA to minimize input from other industry
participants.
What do you think of how NMS is structured?
Mr. Gellasch. Yes. Thank you for the question.
I would argue the NMS Plan structure is a vestige of
history that has long since passed its usable life. In the
1970's, it was created with the idea of nonprofit SROs. We now
have for-profit SROs, and when you have a set of for-profit
regulators essentially empowered by the SEC to set the rules
for market participants and set the cost structure for market
participants, some of whom are their direct competitors,
including broker dealers, other execution venues, you have a
problem.
So what we have is essentially, we have created a system
where a handful of market participants--Mr. Concannon being one
of them--essentially are able to dictate the terms of a
significant amount not of just market structure but of costs to
market participants. And if they agree, for example, with the
goals of that--of what they have been tasked to do then they
can execute that. However, they can also frustrate that, and
that is how we see situations like the Tick Pilot or the
Consolidated Audit Trail, I think, drag on for years.
Mr. Sherman. Let me shift your attention a bit.
If we delay we might do a better job and we will delay the
costs. But if we delay we get the system later.
Today the markets are operating. We don't have a CAT. What
is the problem?
Mr. Gellasch. Yes. I think that is--at some point we have
boiled the frog when it comes to the CAT. It has been now 7-1/2
years, and as every major--
Mr. Sherman. What abuses are occurring--
Mr. Gellasch. So this is--
Mr. Sherman. --Because we don't have a CAT?
Mr. Gellasch. Right. So market manipulations are occurring.
I don't know when the next Navinder Sarao is going to cause
the next flash crash, or significantly cause the next flash
crash. But I do know that prior to him causing the next flash
crash he was involved in a number of, what we later found out
were, market manipulations.
So once the whistleblower identified the bad actor and
regulators were able to use the blue sheet process and others,
they were able to reconstruct that he was someone that they
could have identified and stopped a long time earlier.
So the answer is I don't know what we are--we are now in
a--
Mr. Sherman. So it is not that the present system will
catch it--the problem too late to stop it; the present system
may never tell you that you had a problem.
Mr. Gellasch. Both.
Mr. Sherman. Both.
Mr. Concannon?
Mr. Concannon. I would vehemently disagree.
The current system does capture manipulation. We capture it
every day. We have hundreds of alerts, if not thousands of
alerts, across all of the SROs and across FINRA, which is our
not-for-profit regulator that sits at the middle of our
markets.
So we are capturing manipulation every day. We are well
protected while we build a system that needs to be perfect. We
can't make a mistake in building CAT. It has to be perfect.
Mr. Sherman. I know my time is expired. I would just say
that with the rules of the Cayman Islands, Switzerland, some
other places, I would be surprised if you will ever know the
beneficial ownership of some of the entities doing the trades.
I yield back.
Chairman Huizenga. Gentleman's time has expired.
With that, I would like to thank our witnesses for sticking
around, doing two rounds of questioning. I think this was very,
very helpful. I think we made some progress.
The Chair notes that some Members may have additional
questions for this panel, which they may wish to submit in
writing. Without objection, the hearing record will remain open
for 5 legislative days for Members to submit written questions
to these witnesses and to place their responses in the record.
Also, without objection, Members will have 5 legislative days
to submit extraneous materials to the Chair for inclusion in
the record.
And with that, our hearing is adjourned.
[Whereupon, at 12:04 p.m., the subcommittee was adjourned.]
APPENDIX
November 30, 2017
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]