[Congressional Record Volume 163, Number 185 (Monday, November 13, 2017)]
[House]
[Pages H9140-H9142]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




                   MARKET DATA PROTECTION ACT OF 2017

  Mr. HUIZENGA. Mr. Speaker, I move to suspend the rules and pass the 
bill (H.R. 3973) to amend the Securities Exchange Act of 1934 to 
require certain entities to develop internal risk control mechanisms to 
safeguard and govern the storage of market data.
  The Clerk read the title of the bill.
  The text of the bill is as follows:

                               H.R. 3973

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Market Data Protection Act 
     of 2017''.

     SEC. 2. INTERNAL RISK CONTROLS.

       The Securities Exchange Act of 1934 (15 U.S.C. 78a et seq.) 
     is amended--
       (1) by inserting after section 4E the following:

     ``SEC. 4F. INTERNAL RISK CONTROLS.

       ``(a) In General.--Each of the following entities, in 
     consultation with the Chief Economist, shall develop 
     comprehensive internal risk control mechanisms to safeguard 
     and govern the storage of all market data by such entity, all 
     market data sharing agreements of such entity, and all 
     academic research performed at such entity using market data:
       ``(1) The Commission.
       ``(2) Each national securities association registered 
     pursuant to section 15A.
       ``(3) The operator of the consolidated audit trail created 
     by a national market system plan approved pursuant to section 
     242.613 of title 17, Code of Federal Regulations (or any 
     successor regulation).
       ``(b) Consolidated Audit Trail Prohibited From Accepting 
     Market Data Until Mechanisms Developed.--The operator 
     described in paragraph (3) of subsection (a) may not accept 
     market data (or shall cease accepting market data) until the 
     operator has developed the mechanisms required by such 
     subsection. Any requirement for a person to provide market 
     data to the operator shall not apply during any time when the 
     operator is prohibited by this subsection from accepting such 
     data.
       ``(c) Treatment of Previously Developed Mechanisms.--The 
     development of comprehensive internal risk control mechanisms 
     required by subsection (a) may occur, in whole or in part, 
     before the date of the enactment of this section, if such 
     development and such mechanisms meet the requirements of such 
     subsection (including consultation with the Chief 
     Economist).''; and
       (2) in section 3(a)--
       (A) by redesignating the second paragraph (80) (relating to 
     funding portals) as paragraph (81); and
       (B) by adding at the end the following:
       ``(82) Chief economist.--The term `Chief Economist' means 
     the Director of the Division of Economic and Risk Analysis, 
     or an employee of the Commission with comparable authority, 
     as determined by the Commission.''.

  The SPEAKER pro tempore. Pursuant to the rule, the gentleman from 
Michigan (Mr. Huizenga) and the gentleman from California (Mr. Sherman) 
each will control 20 minutes.
  The Chair recognizes the gentleman from Michigan.


                             General Leave

  Mr. HUIZENGA. Mr. Speaker, I ask unanimous consent that all Members 
may have 5 legislative days within which to revise and extend their 
remarks and to include extraneous material on this bill.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentleman from Michigan?
  There was no objection.
  Mr. HUIZENGA. Mr. Speaker, I yield myself such time as I may consume.
  Mr. Speaker, cybersecurity is critical to consumers, investors, 
market participants and, frankly, the very markets themselves. However, 
in April of 2016, the GAO--the Government Accountability Office--
identified weaknesses regarding information security protocols at the 
Securities and Exchange Commission, and noted that the SEC's failure to 
implement an agencywide data security program had occurred.
  Once confirmed in May of this year, SEC Chairman Jay Clayton 
initiated an assessment of the SEC's internal cybersecurity risk 
profile and their approach to cybersecurity from a regulatory and 
oversight perspective. The SEC's internal assessment found that the 
agency had inadequate controls and that there were serious cyber and 
data risks.
  Unfortunately, in September of this year, Chairman Clayton issued a 
statement on cybersecurity in which he revealed that a cyber breach 
``previously detected in 2016 may have provided illicit gain through 
trading.''
  Specifically, a software vulnerability existed in the test filing 
component of the SEC's Electronic Data Gathering, Analysis, and 
Retrieval--also known as the EDGAR system--which resulted in access to 
nonpublic information. While this breach provided hackers access to 
highly sensitive material, at the time, the SEC believed ``the 
intrusion did not result in unauthorized access to personally 
identifiable information''--or PII, as we commonly refer to it--
therefore, ``jeopardize the operations of the SEC, or result in a 
systemic risk.'' And that was a quote from the SEC's report.
  However, unfortunately, in a follow-up disclosure shortly after that, 
Chairman Clayton revealed that personally identifiable information, 
including names, birth dates, Social Security numbers, were actually 
compromised for two individuals in that particular breach.
  The GAO report and the EDGAR data breach underscore what is now even 
of greater concern, the sufficiency of risk control mechanisms for the 
SEC-approved consolidated audit trail, or also known as the CAT system. 
The CAT will be the most comprehensive repository of market data we 
have seen, and it will collect and identify every order, cancellation, 
and trade execution for all exchange-listed equities and options across 
all U.S. markets. It will also collect personally identifiable 
information beginning 1 year after it begins accepting market data.
  Thesys Technologies, which was selected to be the plan processor for 
the CAT, is scheduled to begin accepting data from self-regulatory 
organizations who must provide data to CAT on Wednesday, November 15, 
just merely days from today.
  Many of my colleagues, as well as market participants, have voiced 
concerns about the cost of building and implementing such a system and 
the amount of PII that will be required to be collected by the CAT.
  Last Congress, several Members wrote to former SEC Chair Mary Jo 
White expressing serious concerns about the security of such sensitive 
information held within that CAT 
system, as well as those who will have access to such information.
  As I mentioned, the deadline for the SROs to begin reporting to this 
CAT system is just 2 days away. It is paramount that the SEC has 
adequate data security controls in place before that implementation.
  Previously, in committee, I had put it this way: That is a repository 
of the information of gold. Gold is the equivalent of information 
today. What they are doing is they are putting more gold into that data 
vault, and we don't have the security to support it.
  So while the CAT may be a helpful resource for the SEC, and even the 
self-regulatory agencies or organizations--SROs--once fully 
implemented, insufficient data security controls will undermine 
confidence in our markets and may very well result in the CAT being 
counterproductive.
  Thus, I joined with Financial Services Committee Chairman Hensarling 
in writing Chairman Clayton to ``encourage the SEC to delay 
implementation of the CAT system until the SEC can implement 
information security safeguards and internal controls to ensure the 
security of confidential and sensitive data.''
  No assurances for a delay in implementing the CAT have been provided, 
and even if they have, it is appropriate for Congress to set baseline 
standards to ensure that controls are in place. In other words, Mr. 
Speaker, we are trying to do our job.
  H.R. 3973, the Market Data Protection Act, introduced by 
Representatives Davidson and Sherman, is necessary to ensure that the 
SEC is properly securing critical data that supports our financial 
markets as well as the personal information of millions of customers 
with broker-dealer accounts.
  Specifically, the bipartisan legislation would mandate that the SEC, 
FINRA, and the operator of the consolidated audit trail, in 
consultation with the SEC's chief economist, develop comprehensive 
internal risk control mechanisms to safeguard and govern the storage of 
market data, all market data-sharing agreements, and all academic 
research using that market data.
  The bill also halts market data reporting to the consolidated audit 
trail until the operator of the CAT system develops such internal risk 
control mechanisms that they are deemed satisfactory.
  The EDGAR security breach and the recent massive Equifax data 
breach--and I might add, Mr. Speaker, we just saw a report of an NSA 
breach that had just happened, our largest database--well, this would 
become the second largest database in the country.

  Those breaches--in which the sensitive information of nearly 150 
million Americans have been compromised, in the Equifax breach--only 
underscore the importance of proactively ensuring that any highly 
sensitive data being collected by the Securities and Exchange 
Commission or at the SEC's discretion, subject to their oversight, is 
protected with appropriate safeguards. We owe that to the American 
people.
  The importance of cybersecurity at the SEC cannot be overstated. The 
SEC's ability to safeguard nonpublic financial information and other 
highly sensitive data instills confidence in the markets.
  SEC Commissioner Michael Piwowar recently commented regarding CAT 
that ``deadlines are important, but the SEC has one chance to get this 
right. We have to make sure that we have everything locked down. We can 
get it done, or we can get it done right. We need to get it done 
right.''
  I couldn't agree more with Commissioner Piwowar. That is why this 
legislation is so urgently needed. I commend the bipartisan work of 
Representatives Davidson and Sherman, and I urge my colleagues to vote 
in favor of this very important bill.
  Mr. Speaker, I reserve the balance of my time.
  Mr. SHERMAN. Mr. Speaker, I yield myself such time as I may consume.
  Mr. Speaker, I want to commend the sponsor of this legislation, the 
gentleman from Ohio (Mr. Davidson). It was a pleasure working with him, 
and I am pleased that he and I introduced this legislation.
  This legislation deals with a broader issue of cybersecurity. From 
Equifax to Moscow, worldwide, people are concerned with cybersecurity. 
One particular part of cybersecurity that is important is the SEC's 
accumulation of very sensitive data, whether it be about individuals 
and their trading, or about the overall market.
  In September, the SEC disclosed that hackers had breached the SEC 
EDGAR database, which is the home to millions of public and nonpublic 
filings, and that that breach had occurred in 2016. The breach, which 
was not discovered until August of this year, may have led to some 
illicit trading activities.
  This bill requires the SEC to develop and implement cybersecurity 
risk controls to ensure that market data is protected. This will help 
protect our markets from harmful disruptions and manipulative trading.
  In addition, this bill requires that FINRA--the Financial Industry 
Regulatory Authority--and the operator of the new consolidated audit 
trail develop and implement risk controls to protect the data they 
store. The new consolidated audit trail system will not accept data 
until they have the cybersecurity risk controls necessary to protect 
it.
  Once the CAT, or consolidated audit trail, is operational, it will 
serve an important purpose in assisting the SEC in identifying issues 
that deserve investigation. But it will also store a large amount of 
data, and it is important that this data be secure. We must ensure that 
there are proper controls in place.
  Now, this bill passed our committee by a vote of 59-1 in its present 
form. There was an effort after the bill passed committee to try to 
broaden the bill, and it may very well be that other related issues 
need to be dealt with by this House. But I think we made the right 
decision in bringing to the floor today the bill that passed our 
committee 59-1.
  We should then have hearings and perhaps work on additional 
legislation that will add to our ability to provide for cybersecurity 
in this area. I look forward to working with the chairman of the 
subcommittee, and Mr. Davidson, and so many others, on additional 
legislation designed to ensure our cybersecurity is as good as it can 
be, and to make sure that we are not putting information into systems 
unless we are sure that everything has been done so the systems can 
protect that information.
  Mr. Speaker, I call upon all of our colleagues to support this 
legislation that had 59-1 support in our committee, and I reserve the 
balance of my time.
  Mr. HUIZENGA. Mr. Speaker, I yield such time as he may consume to the 
gentleman from Ohio (Mr. Davidson), the sponsor of this legislation and 
a member of the Financial Services Committee.
  Mr. DAVIDSON. Mr. Speaker, I appreciate the opportunity to work with 
Mr. Sherman and the rest of the committee on this bill. It is indeed 
impressive that it was 59-1 in our committee in its present form. It 
does do some really good things, and I think the message that it really 
sends is that it is important for our government agency to lead by 
example.
  The SEC holds people that they oversee accountable for maintaining 
cybersecurity and protecting personally identifiable information.
  What we know: on September 20, Chairman Clayton highlighted that they 
had had a breach of the EDGAR system. This follows on an April 2016 
report by the GAO that highlighted some concerns with their 
cybersecurity program with SEC. The concerning thing is that when 
Chairman Clayton took over the SEC, he found this so much time 
afterwards. It wasn't part of his in-briefing. So there is a real 
concern that there could be some systemic cybersecurity risks there.
  I think it is great that our committee came together to provide SEC a 
mandate to get their own house in order in quick fashion, and to do 
that with not just their existing products, but with products that are 
on the cusp of launching: notably, the consolidated audit trail.

                              {time}  1615

  The consolidated audit trail became the subject of some additional 
concerns because it is so close to launching. What we are trusting here 
is that Chairman Clayton does the right 
thing--takes the message from this vote that we are about to take, and 
then begins to work with our committee to get this cybersecurity risk 
under control to provide the assurances that the American people want 
and that the markets need in order to trust that no more data is 
collected and made vulnerable than is necessary to accomplish the 
mission, but that whatever data is made available is secure.
  Mr. Speaker, I urge all of our colleagues to support the passage of 
this bill.
  Mr. SHERMAN. Mr. Speaker, I urge an ``aye'' vote. Since I have no 
speakers seeking time on my side, I yield back the balance of my time.
  Mr. HUIZENGA. Mr. Speaker, I yield myself such time as I may consume.
  Mr. Speaker, as I had said before, when information is the equivalent 
of modern-day gold, we need to make sure that whatever vaults that 
information, that gold, is going into are properly protected--properly 
protected for consumers and their personally identifiable information. 
We have an obligation, as the government, to make sure that their 
information is protected as best as possible, and doubly so when it is 
going into government-run systems. That is the reason why H.R. 3973 is 
so imperative that it be passed.
  Mr. Speaker, I again commend my friend from Ohio (Mr. Davidson) and 
my friend from California (Mr. Sherman) on their bipartisan work on 
that.
  Mr. Speaker, I urge passage, and I yield back the balance of my time.
  The SPEAKER pro tempore. The question is on the motion offered by the 
gentleman from Michigan (Mr. Huizenga) that the House suspend the rules 
and pass the bill, H.R. 3973.
  The question was taken; and (two-thirds being in the affirmative) the 
rules were suspended and the bill was passed.
  A motion to reconsider was laid on the table.
