[Federal Register Volume 86, Number 68 (Monday, April 12, 2021)]
[Notices]
[Pages 19054-19061]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-07390]



[[Page 19054]]

-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-91487; File No. 4-698]


Joint Industry Plan; Order Instituting Proceedings To Determine 
Whether To Approve or Disapprove an Amendment to the National Market 
System Plan Governing the Consolidated Audit Trail

April 6, 2021.

I. Introduction

    On December 18, 2020, the Operating Committee for Consolidated 
Audit Trail, LLC (``CAT LLC''), on behalf of the following parties to 
the National Market System Plan Governing the Consolidated Audit Trail 
(the ``CAT NMS Plan'' or ``Plan''): \1\ BOX Exchange LLC; Cboe BYX 
Exchange, Inc., Cboe BZX Exchange, Inc., Cboe EDGA Exchange, Inc., Cboe 
EDGX Exchange, Inc., Cboe C2 Exchange, Inc., Cboe Exchange, Inc., 
Financial Industry Regulatory Authority, Inc. (``FINRA''), Investors 
Exchange LLC, Long-Term Stock Exchange, Inc., Miami International 
Securities Exchange LLC, MEMX, LLC, MIAX Emerald, LLC, MIAX PEARL, LLC, 
Nasdaq BX, Inc., Nasdaq GEMX, LLC, Nasdaq ISE, LLC, Nasdaq MRX, LLC, 
Nasdaq PHLX LLC, The NASDAQ Stock Market LLC, New York Stock Exchange 
LLC, NYSE American LLC, NYSE Arca, Inc., NYSE Chicago, Inc., and NYSE 
National, Inc. (collectively, the ``Participants,'' ``self-regulatory 
organizations,'' or ``SROs'') filed with the Securities and Exchange 
Commission (``SEC'' or ``Commission'') pursuant to Section 11A(a)(3) of 
the Securities Exchange Act of 1934 (``Exchange Act''),\2\ and Rule 608 
thereunder,\3\ a proposed amendment (``Proposed Amendment'') to the CAT 
NMS Plan that would authorize CAT LLC to revise the Consolidated Audit 
Trail Reporter Agreement (the ``Reporter Agreement'') and the 
Consolidated Audit Trail Reporting Agent Agreement (the ``Reporting 
Agent Agreement'') to insert limitation of liability provisions (the 
``Limitation of Liability Provisions''). The proposed plan amendment 
was published for comment in the Federal Register on January 6, 
2021.\4\
---------------------------------------------------------------------------

    \1\ The CAT NMS Plan is a national market system plan approved 
by the Commission pursuant to Section 11A of the Exchange Act and 
the rules and regulations thereunder. See Securities Exchange Act 
Release No. 79318 (November 15, 2016), 81 FR 84696 (November 23, 
2016).
    \2\ 15 U.S.C 78k-1(a)(3).
    \3\ 17 CFR 242.608.
    \4\ See Notice of Filing of Amendment to the National Market 
System Plan Governing the Consolidated Audit Trail, Release No. 
90826 (December 30, 2020), 86 FR 591 (January 6, 2021) (``Notice''). 
Comments received in response to the Notice can be found on the 
Commission's website at https://www.sec.gov/comments/4-698/4-698.htm.
---------------------------------------------------------------------------

    This order institutes proceedings, under Rule 608(b)(2)(i) of 
Regulation NMS,\5\ to determine whether to disapprove the Proposed 
Amendment or to approve the Proposed Amendment with any changes or 
subject to any conditions the Commission deems necessary or appropriate 
after considering public comment.
---------------------------------------------------------------------------

    \5\ 17 CFR 242.608(b)(2)(i).
---------------------------------------------------------------------------

II. Background

    On July 11, 2012, the Commission adopted Rule 613 of Regulation 
NMS, which required the SROs to submit a national market system 
(``NMS'') plan to create, implement and maintain a consolidated audit 
trail (the ``CAT'' or ``CAT System'') that would capture customer and 
order event information for orders in NMS securities.\6\ The Commission 
approved the CAT NMS Plan in 2016.\7\ On August 29, 2019, the Operating 
Committee for CAT LLC approved a Reporter Agreement that included a 
provision that would limit the total liability of CAT LLC or any of its 
representatives to a CAT Reporter under the Reporter Agreement for any 
calendar year to the lesser of the total of fees paid by the CAT 
Reporter to CAT LLC for the calendar year in which the claim arose or 
five hundred dollars. The Participants also required each Industry 
Member \8\ to execute a CAT Reporter Agreement prior to reporting data 
to CAT. Prior to the commencement of initial equities reporting for 
Industry Members on June 22, 2020, the Securities Industry and 
Financial Markets Association (``SIFMA'') filed pursuant to Sections 
19(d) and 19(f) of the Exchange Act an application for review of 
actions taken by CAT LLC and the Participants (the ``Administrative 
Proceedings''). SIFMA alleged that by requiring Industry Members to 
execute the Reporter Agreement as a prerequisite to submitting data to 
the CAT, the Participants improperly prohibited or limited SIFMA 
members with respect to access to the CAT System in violation of the 
Exchange Act. On May 13, 2020, the Participants and SIFMA reached a 
settlement and terminated the Administrative Proceedings, allowing 
Industry Members to report data to the CAT pursuant to a Reporter 
Agreement that does not contain a limitation of liability provision. 
Since that time, Industry Members have been transmitting data to the 
CAT.\9\
---------------------------------------------------------------------------

    \6\ 17 CFR 242.613.
    \7\ See supra note 1.
    \8\ Industry Member means a member of a national securities 
exchange or a member of a national securities association. See CAT 
NMS Plan at Section 1.1.
    \9\ For a more detailed description of the background for the 
Proposed Amendment, see Notice, supra note 4, at 86 FR 591-93.
---------------------------------------------------------------------------

III. Summary of Proposal

    The Participants now propose to amend the CAT NMS Plan to authorize 
CAT LLC to revise the Reporter Agreement and Reporting Agent Agreement 
with the proposed Limitation of Liability Provisions. As proposed, the 
Limitation of Liability Provisions would: (1) Provide that CAT 
Reporters and CAT Reporting Agents accept sole responsibility for their 
access to and use of the CAT System, and that CAT LLC makes no 
representations or warranties regarding the CAT System or any other 
matter; (2) limit the liability of CAT LLC, the Participants, and their 
respective representatives to any individual CAT Reporter or CAT 
Reporting Agent to the lesser of the fees actually paid to CAT for the 
calendar year or $500; (3) exclude all direct and indirect damages; and 
(4) provide that CAT LLC, the Participants, and their respective 
representatives shall not be liable for the loss or corruption of any 
data submitted by a CAT Reporter or CAT Reporting Agent to the CAT 
System.\10\ The full text of the proposed Limitation of Liability 
Provisions appears in Appendix A to the Notice.\11\
---------------------------------------------------------------------------

    \10\ See Notice, supra note 4, 86 FR at 593.
    \11\ See Notice, supra note 4, 86 FR at 598.
---------------------------------------------------------------------------

    In support of the proposed amendment, the Participants state, among 
other things, that: (1) The proposed Limitation of Liability Provisions 
reflect longstanding principles of allocation of liability between 
industry members and self-regulatory organizations and the Participants 
are unaware of any context in which liability that is usually borne by 
Industry Members is shifted to their regulators; \12\ (2) the proposed 
Limitation of Liability Provisions ``fall squarely within industry 
norms'' and are consistent with exchange rules that limit liability for 
losses that members incur through their use of exchange facilities, 
provisions that FINRA members must agree to in order to comply with 
Order Audit Trail System (``OATS'') reporting, and other provisions in 
the context of regulatory and NMS reporting facilities; \13\ (3) 
previously granted exemptive relief that eliminated the requirement 
that CAT collect certain personally identifiable

[[Page 19055]]

information, including social security numbers, makes the customer data 
stored in the CAT comparable to the data reported to other regulatory 
reporting facilities; \14\ (4) the proposed Limitation of Liability 
Provisions are necessary to ensure the financial stability of CAT 
because even though ``CAT LLC has obtained the maximum extent of cyber-
breach insurance coverage available and has implemented a full 
cybersecurity program to safeguard data stored in the CAT,'' there is 
``the potential for substantial losses that may result from certain 
categories of low probability cyberbreaches.'' \15\
---------------------------------------------------------------------------

    \12\ See Notice, supra note 4, 86 FR at 593-95.
    \13\ See Notice, supra note 4, 86 FR at 593-94.
    \14\ See Notice, supra note 4, 86 FR at 595.
    \15\ See Notice, supra note 4, 86 FR at 595.
---------------------------------------------------------------------------

    In addition, CAT LLC retained Charles River Associates (``Charles 
Rivers'') to conduct an economic analysis of the liability issues 
presented by a potential CAT breach and attached the analysis to the 
Proposed Amendment as Appendix B to the Notice (the ``CRA Paper'').\16\ 
The Participants state that the analyses presented in the CRA Paper 
support the Participants' proposal to adopt a limitation of liability 
provision in the CAT Reporter Agreement and shows the importance of 
limiting CAT LLC's and each Participant's liability.\17\ The CRA Paper 
asserts, among other things, that, based on an examination of potential 
breach scenarios and a consideration of the economic and public policy 
elements of various regulatory and litigation approaches to mitigate 
cyber risk for the CAT, a limitation of liability provision would serve 
the public interest by facilitating the regulation of the U.S. equity 
and option markets at lower overall costs and higher economic efficacy 
than other approaches, and that the proposed limitation on liability 
would not undermine CAT LLC's existing and significant incentives to 
protect the data stored in the CAT System. The CRA Paper asserts that 
regulation by the SEC already properly incentivizes the Participants to 
recognize and address the risks that a CAT cyber breach poses to third 
parties such as Industry Members and that permitting litigation by 
Industry Members will not meaningfully increase CAT's incentives to 
manage its exposure to cyber risk but will significantly increase 
costs, which will ultimately be passed on to retail investors. Because 
of this, the CRA Paper asserts that solely an ``ex-ante regulation'' 
approach leads to the socially optimal outcome, in comparison to an 
``ex post litigation'' approach in which litigation influences 
behaviors before a loss-producing event occurs by assigning liability 
afterwards, or combination of both approaches.
---------------------------------------------------------------------------

    \16\ See Notice, supra note 4, 86 FR at 599-624. The CRA Paper, 
dated December 18, 2020, is titled ``White Paper: Analysis of 
Economic Issues Attending the Cyber Security of the Consolidated 
Audit Trail.''
    \17\ See Notice, supra note 4, at 595-597.
---------------------------------------------------------------------------

IV. Summary of Comments

    The Commission has received twelve comment letters, including a 
letter attaching an economic analysis of the Proposed Amendment.\18\ 
The Commission has received one response letter from the 
Participants.\19\
---------------------------------------------------------------------------

    \18\ See Letter from Ellen Greene, Managing Director, Equity and 
Options Market Structure, SIFMA, to Vanessa Countryman, Secretary, 
dated February 19, 2021, available at https://www.sec.gov/comments/4-698/4698-8394069-229410.pdf, attaching Economic Analysis of 
Proposed Amendment to National Market System Plan Governing the 
Consolidated Audit Trail, Craig M. Lewis, Ph.D., February 2021 
(``Lewis Paper'').
    \19\ See Letter from Michael Simon, CAT NMS Plan Operating 
Committee Chair, to Vanessa Countryman, Secretary, dated April 1, 
2021 (``Response Letter'').
---------------------------------------------------------------------------

A. Comments Critical of Proposed Amendment

    Nine commenters believe that the parties responsible for 
controlling and securing CAT Data should be liable for any failure to 
implement adequate security, generally arguing that it is unfair to 
shift liability to Industry Members for potential harm caused by the 
compromise of CAT Data over which they have no control or 
responsibility for security.\20\ Among other things, these commenters 
state that the SROs are exclusively responsible for maintaining the CAT 
System and for implementing measures to prevent breach or misuse.\21\ 
Four commenters believe that ``[a]ligning control and liability is not 
only fair and equitable; it is also good policy, because it maximizes 
efficiencies in managing data risks inherent in the CAT System.'' \22\ 
However, one commenter argues that the proposal shows that the SROs 
understand that it will be impossible for them to protect CAT Data and 
that a hack of CAT is inevitable.\23\
---------------------------------------------------------------------------

    \20\ See Lewis Paper at 3, 6; Letter from Ellen Greene, Managing 
Director, Equity and Options Market Structure, SIFMA, to Vanessa 
Countryman, Secretary, dated January 27, 2021, available at https://www.sec.gov/comments/4-698/4698-8298026-228278.pdf (``SIFMA 
Letter''), at 4; Letter from Joanna Mallers, Secretary, FIA 
Principal Traders Group, to Vanessa Countryman, Secretary, dated 
February 8, 2021, available at https://www.sec.gov/comments/4-698/4698-8345389-228979.pdf (``FIA PTG Letter''), at 1 (stating it 
``supports the comments previously filed by SIFMA''); Letter from 
Thomas R. Tremaine, Executive Vice President, Chief Operations 
Officer, Raymond James & Associates, Inc., to Vanessa Countryman, 
Secretary, dated February 8, 2021, available at https://www.sec.gov/comments/4-698/4698-8347733-229000.pdf (``Raymond James Letter''), 
at 2 (stating that it ``strongly supports the points raised by SIFMA 
in their letter.''); Letter from Peggy L. Ho, Executive Vice 
President, Government Relations, LPL Financial LLC, to Vanessa 
Countryman, Secretary, dated January 27, 2021, available at https://www.sec.gov/comments/4-698/4698-8298412-228298.pdf (``LPL Financial 
Letter''), at 1 (stating ``[its] support for SIFMA's comments 
submitted on January 27, 2021 in response to the proposed amendments 
to the CAT NMS Plan''); Letter from Christopher A. Iacovella, Chief 
Executive Officer, American Securities Association, to Vanessa 
Countryman, Secretary, dated January 29, 2021, available at https://www.sec.gov/comments/4-698/4698-8311307-228499.pdf (``ASA Letter''), 
at 2; Letter from Thomas M. Merritt, Deputy General Counsel, Virtu 
Financial, Inc., to Vanessa Countryman, Secretary, dated January 27, 
2021, available at https://www.sec.gov/comments/4-698/4698-8298023-228258.pdf (``Virtu Letter''), at 2; Letter from Matthew Price, 
Fidelity Investments, to Vanessa Countryman, Secretary, dated 
February 2, 2021, available at https://www.sec.gov/comments/4-698/4698-8343750-228940.pdf (``Fidelity Letter''), at 2; Letter from 
Daniel Keegan, Managing Director, Head of North America Markets & 
Securities Services, to Vanessa Countryman, Secretary, dated 
February 25, 2021, available at https://www.sec.gov/comments/4-698/4698-8419819-229522.pdf (``Citi Letter''), at 2.
    \21\ See, e.g, SIFMA Letter at 2; Virtu Letter at 3; Fidelity 
Letter at 2.
    \22\ See SIFMA Letter at 4. See also LPL Financial Letter at 1; 
FIA PTG Letter at 2; Raymond James Letter at 2.
    \23\ See ASA Letter at 3.
---------------------------------------------------------------------------

    Nine commenters also express concern that shifting liability from 
CAT LLC to CAT Reporters would reduce the incentive of Participants to 
develop robust data security and risk mitigation mechanisms, and may 
even incentivize the Participants to de-prioritize data security.\24\ 
Two of these commenters characterized the economic structure of the 
Proposed Amendment as creating a ``moral hazard,'' where incentives to 
invest in data security are diminished because Industry Members bear 
the potential litigation costs of a breach or misuse of CAT Data.\25\ 
Another commenter argues that aligning control and liability 
incentivizes the optimal amount of data security and would ultimately 
benefit all investors.\26\
---------------------------------------------------------------------------

    \24\ See Lewis Paper at 5-9, 14; SIFMA Letter at 7, 9; LPL 
Financial Letter at 1; Raymond James Letter at 2; FIA PTG Letter at 
2; Virtu Letter at 3; ASA Letter at 2; Fidelity Letter at 2; Citi 
Letter at 2.
    \25\ See Citi Letter at 2; Lewis Paper at 9.
    \26\ See Lewis Paper at 5-7.
---------------------------------------------------------------------------

    Four commenters criticized the Proposed Amendment for proposed 
limitation of liability provisions that would effectively prohibit 
Industry Members from pursuing claims against CAT LLC and the SROs, 
even if there is ``willful misconduct, gross negligence, bad faith or 
criminal acts of CAT LLC, the SROs or their representatives or 
employees.'' \27\ These commenters

[[Page 19056]]

further assert that the proposal would shield the SROs from liability, 
``not only for a breach of the CAT System by malicious third-party 
actors but even from the theft or other misuse of CAT Data by SRO 
employees'' and would ``effectively extinguish the liability of CAT LLC 
and the SROs even in instances of gross negligence or intentional 
misconduct.'' \28\ Another commenter states that the proposal ``would 
effectively hold brokers responsible for the malfeasance and 
incompetence of the SROs and their contractors'' and that this would be 
``extremely unreasonable.'' \29\ Five commenters assert that the 
proposed Limitation of Liability Provisions are inconsistent with 
industry standards, citing among other things SRO limitation of 
liability rules which exclude protection for willful misconduct, gross 
negligence, bad faith or criminal acts.\30\
---------------------------------------------------------------------------

    \27\ See SIFMA Letter at 5, 7-8. See also LPL Financial at 1; 
FIA PTG Letter at 2; Raymond James Letter at 2; Citadel Letter at 3 
(stating that the provisions would protect Participants and their 
representatives from any and all potential misuse, including 
intentional misuse, of CAT Data).
    \28\ See SIFMA Letter at 5. See also LPL Financial at 1; FIA PTG 
Letter at 2; Raymond James Letter at 2; Citadel Letter at 3.
    \29\ See ASA Letter at 2.
    \30\ See SIFMA Letter at 7; LPL Financial Letter at 1; FIA PTG 
Letter at 2; Raymond James Letter at 2; Fidelity Letter at 2.
---------------------------------------------------------------------------

    Further, six commenters dismiss comparisons made in the Proposed 
Amendment to OATS limitation of liability provisions because CAT 
captures significantly more information than OATS, including personally 
identifiable information, and data reported to OATS is reported to and 
only used by FINRA.\31\ Commenters further state that OATS does not 
have the same account-level data that the CAT will collect, which could 
present the risk of reverse engineering of trading strategies.\32\ One 
commenter stated that the limitation of liability provisions for OATS 
were signed in 1998, and since then the landscape of cybersecurity has 
changed, and the frequency and scale of data breaches has increased 
dramatically.\33\
---------------------------------------------------------------------------

    \31\ See Lewis Paper at 9-10; SIFMA Letter at 8; LPL Financial 
Letter at 2; Raymond James Letter at 2; FIA PTG Letter at 2; Virtu 
Letter at 4.
    \32\ See SIFMA Letter at 10; Virtu Letter at 4; LPL Financial 
Letter at 2; Raymond James Letter at 2; FIA PTG Letter at 2.
    \33\ See Lewis Paper at 10.
---------------------------------------------------------------------------

    Five commenters argue that the SROs have failed to explain why 
limitation of their liability should be imposed by contract because the 
SROs have immunity from liability when acting in a regulatory 
capacity.\34\ Four of these commenters further assert that the effort 
to impose liability limitations by contract ``raises significant 
questions about whether the SROs seek to avoid liability in 
circumstances in which they misuse CAT Data while acting in a 
commercial capacity.'' \35\ Another commenter frames the issue as not 
whether the Participants should be liable for conduct undertaken during 
the course of their regulatory responsibilities, but whether the 
Participants should be insulated from potential liability for 
activities not covered by regulatory immunity.\36\
---------------------------------------------------------------------------

    \34\ See Letter from Stephen John Berger, Managing Director, 
Global Head of Government & Regulatory Policy, Citadel Securities, 
to Vanessa Countryman, Secretary, dated February 23, 2021, available 
at https://www.sec.gov/comments/4-698/4698-8411798-229501.pdf 
(``Citadel Letter''), at 1, 3-5; SIFMA Letter at 8; LPL Financial 
Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2.
    \35\ See SIFMA Letter at 8. See also LPL Financial Letter at 1; 
FIA PTG Letter at 2; Raymond James Letter at 2.
    \36\ See Citadel Letter at 5.
---------------------------------------------------------------------------

    Five commenters state that the Participants contradictorily argue 
that security measures are robust but that a limitation of liability is 
necessary due to risk of a catastrophic loss as a result of a breach or 
misuse of CAT Data.\37\ For example, one of these commenters notes that 
the Participants assert that Industry Members should not be concerned 
about ``breach or misuse'' of CAT Data due to a ``robust regulatory 
regime governing CAT data security,'' but also argue that they need 
limitation of liability provisions because without them the ``risk of a 
catastrophic loss as a result of a data breach or misuse is so 
significant that the financial stability of the CAT would be 
jeopardized in the absence [of the provisions].'' \38\ Additionally, 
eight commenters note that Participants have argued against adopting 
the security measures in the Proposed Amendments to the National Market 
System Plan Governing the Consolidated Audit Trail to Enhance Data 
Security,\39\ on the grounds that CAT security measures already are 
robust, while at the same time attempting to disclaim liability because 
of the high risk of a security breach.\40\
---------------------------------------------------------------------------

    \37\ See SIFMA Letter at 4; LPL Financial Letter at 1; FIA PTG 
Letter at 2; Raymond James Letter at 2; Lewis Paper at 4.
    \38\ See SIFMA Letter at 4. See also LPL Financial Letter at 1; 
FIA PTG Letter at 2; Raymond James Letter at 2.
    \39\ See Securities Exchange Act Release No. 89632 (August 21, 
2020), 85 FR 65990 (October 16, 2020) (proposing to amend the CAT 
NMS Plan to enhance the security of the CAT and the protections 
afforded to CAT Data) (``Data Security Proposal'').
    \40\ See Citadel Letter at 2; Lewis Paper at 4; SIFMA Letter at 
7; LPL Financial Letter at 1; FIA PTG Letter at 2; Raymond James 
Letter at 2; Virtu Letter at 5; Fidelity Letter at 2.
---------------------------------------------------------------------------

B. Comments Regarding the CRA Paper

    In addition to comments regarding the Proposed Amendment, 
commenters provided comments regarding the CRA Paper, which is 
summarized above in Section II and attached to the Notice as Appendix 
B.\41\
---------------------------------------------------------------------------

    \41\ See supra note 16.
---------------------------------------------------------------------------

    Two commenters argue that the CRA Paper's conclusion that ex-ante 
regulation is most appropriate is wrong, and that CAT cybersecurity 
would benefit from both ex-ante regulation and ex-post litigation.\42\ 
One commenter states that permitting litigation against Participants 
and their representatives when they are acting outside their regulatory 
capacity is ``crucial'' and would give the Participants strong 
financial incentives to invest to prevent or minimize the likelihood of 
security failures.\43\ One commenter asserts that protecting the 
Participants against liability for litigation shifts liability to 
Industry Members for potential claims from the Industry Members' 
customers, and that the retention of liability for potential litigation 
by CAT LLC would mitigate the moral hazard problem and incent CAT LLC 
to invest in improvements in data security and more quickly react to 
changing trends and threats in cybersecurity.\44\
---------------------------------------------------------------------------

    \42\ See Citadel Letter at 1-2, 7; Lewis Paper at 7-9.
    \43\ See Citadel Letter at 2, 7, 9-10. This commenter also 
asserts that the SEC has only assessed whether the existing 
cybersecurity framework is adequate for CAT databases (in contrast 
to Participants' security) and states that regulation is a slow and 
uncertain process that cannot keep pace with data security issues. 
See id. at 8.
    \44\ See Lewis Paper at 7-9.
---------------------------------------------------------------------------

    Seven commenters argue that the CRA Paper fails to consider the 
costs of a data breach on non-SROs, including broker-dealers and their 
customers.\45\ These commenters state that, while disclaiming liability 
by CAT LLC would reduce its costs, the liability for a potentially 
catastrophic loss or breach would instead be shifted to Industry 
Members, and the CRA Paper fails to take these costs into account. In 
addition, one of these commenters states that if Industry Members could 
not sue CAT LLC, they would have to purchase additional liability 
insurance since they have no ability to mitigate the security risk and 
no recourse to recoup any litigation-related losses from their own 
customers.\46\
---------------------------------------------------------------------------

    \45\ See Lewis Paper at 1, 8-9; SIFMA Letter at 9-10; LPL 
Financial Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 
2; Virtu Letter at 5; ASA Letter at 2. For example, one commenter 
asserts that the CRA Paper fails to consider the costs of a data 
breach on non-SROs (broker-dealers and their customers), including 
``damage to the brand'' and ``trust that broker-dealers have [built] 
up with their retail clients for decades.'' See ASA Letter at 2.
    \46\ See Lewis Paper at 4, 8.
---------------------------------------------------------------------------

    Six commenters state that the CRA Paper only focuses on a breach by

[[Page 19057]]

external actors and fails to address the risk of misuse of CAT data by 
personnel at CAT LLC and the SROs.\47\ In addition, one commenter 
emphasizes that the CRA Paper focuses on databases maintained by CAT 
LLC, not the ``larger concern,'' which is the potential for hackers to 
access CAT Data from Participant databases that have extracted data 
from the CAT.\48\
---------------------------------------------------------------------------

    \47\ See Citadel Letter at 6; SIFMA Letter at 9; LPL Financial 
Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2; Virtu 
Letter at 5. One commenter states that the CRA Paper does not 
provide any support for the argument that broker-dealers should be 
accountable for the wrongdoing or misuse of data by SRO employees or 
contractors. See ASA Letter at 2.
    \48\ See Citadel Letter at 6-7. One commenter argues that the 
CRA Paper significantly overemphasizes the visibility and input into 
the workings of CAT provided to the industry, and asserts that there 
is no visibility into the security aspects of CAT. See id. at 9.
---------------------------------------------------------------------------

    Four commenters state that the CRA Paper suggests that certain 
mechanisms, such as a third-party compensation program, cyber-related 
industry loss warranties or cyber catastrophe bonds could be used in 
the event of a CAT breach to compensate third parties, but the SROs 
have not actually proposed the adoption of any of them.\49\ These 
commenters assert that the Participants effectively concede that, 
without more, the current regulatory regime is insufficient to protect 
parties that are injured as a result of a CAT breach.\50\ Another 
commenter states that the CRA Paper provides no details regarding the 
insurance that CAT LLC has obtained and does not analyze whether 
Participants should seek insurance or the effect such insurance could 
have on the Participants' incentives to protect data that they extract 
from the CAT and store outside the CAT.\51\ Six commenters believe that 
it would be more appropriate for CAT LLC to purchase insurance instead 
of Industry Members each purchasing the same overlapping policies.\52\ 
One of these commenters argues that CAT LLC is able to insure more 
efficiently than Industry Members because CAT LLC has access to and 
control over CAT Data and systems and can subject itself to monitoring 
by an insurer.\53\
---------------------------------------------------------------------------

    \49\ See SIFMA Letter at 10; LPL Financial Letter at 1; FIA PTG 
Letter at 2; Raymond James Letter at 2.
    \50\ In addition, these commenters believe the Participants 
would not be incented to develop any such compensation mechanisms if 
they are protected against liability. See supra note 49.
    \51\ See Citadel Letter at 7-8. See also Lewis Paper at 13-14 
(arguing that there is no basis for the claim that CAT LLC cannot 
obtain additional insurance). The Lewis Paper states that if 
purchasing additional insurance would be cost prohibitive, then the 
same would apply to Industry Members because the costs of insurance 
to CAT LLC are likely to be lower than the combined cost of Industry 
Members purchasing an equivalent amount of coverage. Id. at 14.
    \52\ See Lewis Paper at 11; SIFMA Letter at 4-5, 8-9, 10-11; 
Virtu Letter at 3. See also LPL Financial Letter at 1; FIA PTG 
Letter at 2; Raymond James Letter at 2. One commenter expresses 
skepticism that Industry Members could even obtain insurance 
policies under the current CAT System construct, because Industry 
Members have no control over the data it is by law required to 
submit, its security or the CAT Systems. See Virtu Letter at 3.
    \53\ See Lewis Paper at 12-13. See also SIFMA Letter at 4-5 
(stating that requiring Industry Members to pay for and implement 
separate and overlapping insurance policies, if available, is 
inefficient and would result in substantially higher costs borne by 
Industry Members and by extension their customers).
---------------------------------------------------------------------------

    Finally, two commenters criticize the breach scenarios discussed in 
the CRA Paper as insufficient to capture the risks. One of these 
commenters suggests that a breach of CAT by foreign actors, or CAT 
being internally compromised could lead to the ``downfall'' of U.S. 
capital markets and that the breach scenarios in the CRA Paper 
``grossly'' underestimate national security threats.\54\ Another 
commenter states that the CRA Paper ``avoids any serious discussion'' 
of the risk posed by ``nation state actors, like China and Russia.'' 
\55\
---------------------------------------------------------------------------

    \54\ See Letter from Kelvin To, Founder and President, Data 
Boiler Technologies, LLC, to Vanessa Countryman, Secretary, dated 
January 27, 2021, at 1 and 6, available at https://www.sec.gov/comments/4-698/_4698-8311309-228460.pdf.
    \55\ See ASA Letter at 2.
---------------------------------------------------------------------------

C. Participants' Response Letter

    On April 1, 2021, the Participants submitted a letter responding to 
comments received regarding the Proposed Amendment.\56\ In their 
response, the Participants argue that following a thorough review and 
consideration of the issues raised by commenters, they continue to 
believe that the Proposed Amendment is consistent with the Exchange 
Act.\57\ The Participants provide further background on discussions 
between Participants and Industry Members, and in particular with 
SIFMA, stating that between August 2019 and April 2020 the Participants 
and SIFMA participated in numerous meetings and exchanged extensive 
correspondence.\58\ The Participants state that they plan to reach out 
to SIFMA, as they ``remain willing to work with Industry Members (and 
any other stakeholders) in good faith to resolve the parties' remaining 
differing perspectives,'' but stated that from August 2019 through 
April 2020, SIFMA's ``only proposal'' was to categorically reject any 
limitation of liability.\59\ The Participants emphasize that settlement 
of the Administrative Proceedings did not resolve the question of 
whether proposed Limitation of Liability Provisions should be included 
in the Reporter Agreement and the Reporting Agent Agreement.\60\
---------------------------------------------------------------------------

    \56\ See, supra note 19.
    \57\ See Response Letter at 2.
    \58\ See id.
    \59\ See id.
    \60\ See Response Letter at 4.
---------------------------------------------------------------------------

    The Participants reassert that the proposed Limitation of Liability 
Provisions are consistent with SRO limitation of liability rules, 
emphasizing that under those rules the SROs generally have the 
discretion, but not obligation, to compensate harmed Industry Members, 
and that this discretion only applies in very limited circumstances--
namely, for system failures that impact the execution of individual 
orders.\61\ The Participants state that no SRO limitation of liability 
rule contemplates SRO liability for ``catastrophic'' damages resulting 
from the theft of Industry Members' proprietary trading algorithms.\62\ 
The Participants also state that the Participants consider the proposed 
Limitation of Liability Provisions to fall squarely within industry 
norms, as demonstrated by a comparison to the allocation of liability 
between Industry Members and SROs in other regulatory contexts, 
including NMS plans, regulatory reporting facilities, SRO rules and 
liability provisions that Industry Members use to protect themselves 
when they possess sensitive customer and transaction data.\63\
---------------------------------------------------------------------------

    \61\ See id. at 5-6. The Participants also note that during 
negotiations, the Participants submitted to SIFMA a term sheet that 
provided for a discretionary compensation mechanism modeled after 
SRO rules, which was rejected by SIFMA. Id. at 6.
    \62\ See id. The Participants also disagree with 
characterizations of the Proposed Amendment as an attempt to 
``shift'' liability from Participants to Industry Members, and 
instead argue that the Industry Members themselves are proposing a 
``shift'' from the longstanding allocation of liability between 
Industry Member and Participants. Id. at 21.
    \63\ See id. at 5-11. The Participants believe that the proposed 
Limitation of Liability Provisions are ``substantively identical'' 
to the liability provisions to which Industry Members regularly 
agree in connection with OATS reporting. Id.
---------------------------------------------------------------------------

    The Participants reject SIFMA's suggestion that any limitation of 
liability provision should exclude liability for willful misconduct, 
gross negligence, bad faith or criminal acts of CAT LLC, the SROs or 
their representatives or employees.\64\ The Participants state that 
existing SRO liability rules approved by the Commission do not 
recognize such exclusions, stating that in the limited instances in 
which SRO liability rules permit claims for gross negligence or willful 
misconduct, Industry Members are often prohibited from suing an SRO

[[Page 19058]]

for damages unless the alleged gross negligence or willful misconduct 
also constituted a securities law violation for which Congress has 
authorized a private right of action.\65\
---------------------------------------------------------------------------

    \64\ See id. at 7 (citing SIFMA Letter at 7-8).
    \65\ See Response Letter at 6-7. Thus, the Participants believe 
that that these provisions would not provide for liability against 
the self-regulatory organizations in the event of a data breach. Id. 
at 7-8. The Participants also note that contractual limitation of 
liability provisions in connection with other NMS plans and 
regulatory reporting facilities, including OATS, do not contain the 
exclusions advocated by SIFMA. Id. at 8.
---------------------------------------------------------------------------

    The Participants also argue that modifying the proposed Limitation 
of Liability provisions is not supported by the CRA Paper, because such 
modifications would likely result in litigation over liability. 
According to the Participants, although they, CAT LLC, and FINRA CAT 
may ultimately be found not liable, such litigation would be expensive, 
time-consuming, distract Participants from their regulatory oversight 
mandate, and may open the doors of discovery to potentially malicious 
actors.\66\ The Participants state that the Commission's regulatory 
enforcement regime and the potential for severe reputational harm 
already sufficiently incentivize the Participants to not engage in bad 
faith, recklessness, gross negligence, and intentional misconduct, and 
so adding exclusions to the proposed Limitation of Liability provisions 
would not result in any meaningful improvement to the CAT's 
cybersecurity.\67\
---------------------------------------------------------------------------

    \66\ See id. at 9. The Participants note that increased costs of 
operating CAT would be borne by the Participants and Industry alike, 
which means that a limitation of liability with any categorical 
exclusions could result in many of the same economic harms that 
would occur in the absence of any limitation of liability at all. 
Id. The Participants also note that certain relief ordered in 
litigation could interfere with the Commission's oversight of the 
CAT. Id.
    \67\ See Response Letter at 9. The Participants note that 
enforcement actions could be brought for cybersecurity-related 
violations (e.g., failure to comply with Regulation SCI) and 
violations of the CAT NMS Plan (e.g., for violating the CAT NMS Plan 
by using CAT Data for non-regulatory purposes). See id. at 25-26. 
The Participants also state that the purpose of the CAT and the 
Participants' mandate under the CAT NMS Plan is the fulfillment of 
regulatory functions, and not operation in connection with business 
activities. Id. at 22.
---------------------------------------------------------------------------

    The Participants reject the argument that the proposed Limitation 
of Liability Provisions are inappropriate because the Participants and 
FINRA CAT control the CAT Data.\68\ The Participants believe that 
securities industry norms do not support the principle that the party 
in possession of data should bear liability in the event of a data 
breach, and in particular where the parties in possession of the data 
are acting in regulatory capacities pursuant to Commission rules.\69\ 
In support, the Participants state that Industry Members ``routinely'' 
disclaim liability to their underlying customers despite controlling 
sensitive data that could be compromised during a data breach, 
including their own retail customers in certain cases.\70\
---------------------------------------------------------------------------

    \68\ See id. at 10.
    \69\ See id.
    \70\ See id.
---------------------------------------------------------------------------

    In response to concerns about the cybersecurity of CAT and concerns 
about the use of CAT Data, including concerns about bulk downloading 
and personally identifiable information, the Participants state that 
they are authorized to bulk download only trading data, and not 
customer data.\71\ The Participants also state that FINRA CAT has 
adopted and implemented policies, procedures, systems, and controls to 
address cybersecurity concerning the bulk downloading of CAT Data by 
the Participants.\72\ In addition, as with FINRA CAT, the Participants' 
cybersecurity protocols are subject to the Commission's regulatory 
oversight regime, including its examination and enforcement 
functions.\73\ The Participants further state that FINRA CAT and 
Participants have robust cybersecurity protocols that are designed to 
prevent and detect both external and internal security threats, and 
only regulatory users with a ``need-to-know'' have a basis for 
accessing CAT Data and are subject to comprehensive background 
checks.\74\ The Participants state that Industry Members have had 
extensive opportunities to provide input regarding the CAT's 
cybersecurity at every stage of the development and operation of the 
CAT.\75\
---------------------------------------------------------------------------

    \71\ See Response Letter at 11-14.
    \72\ See id. at 11-12. In addition, the Participants state that, 
among other things, any SRO that engages in bulk downloading must 
have policies and procedures regarding CAT Data security that are 
comparable to those implemented and maintained by the Plan Processor 
for the Central Repository. Id. at 12.
    \73\ See id. at 12.
    \74\ See id. at 12-13. The Participants reassert that the 
customer data stored in the CAT is comparable to the data reported 
to other regulatory reporting facilities. Id. at 13.
    \75\ See Response Letter at 14. This includes prior to approval 
of the CAT NMS Plan, feedback through the Advisory Committee, and 
the ability of Industry Members to directly petition the Commission 
or provide comments on any proposals offered by the Commission. Id.
---------------------------------------------------------------------------

    The Participants disagree with commenter suggestions that CAT LLC's 
and certain Participants' responses to the Data Security Proposal \76\ 
imply that the proposed Limitation Liability provisions are 
inappropriate or that the Commission's regulatory regime is 
insufficient to properly incentivize the Participants.\77\ The 
Participants state that under the current regulatory regime all 
interested parties, including CAT LLC and the Participants, provide 
feedback to the Commission regarding any proposals to the CAT's 
cybersecurity, allowing the Commission to use its substantive expertise 
and an understanding of stakeholder interests to balance all 
appropriate factors in identifying the CAT's cybersecurity needs.\78\ 
They state that allowing for litigation regarding CAT's cybersecurity 
would compromise the Commission's comprehensive oversight authority, 
and the Commission's willingness to propose potential changes 
highlights the sufficiency and flexibility of the regulatory regime to 
ensure the optimal security of CAT Data.\79\ The Participants also 
believe the Commission did not contemplate that the Participants could 
be liable for extensive monetary damages resulting from a data breach 
or for the costs of protracted litigation with Industry Members.\80\
---------------------------------------------------------------------------

    \76\ See supra note 39.
    \77\ See Response Letter at 18.
    \78\ See id.
    \79\ See id. at 18-19. The Participants note that the 
Commission, in approving the CAT NMS Plan, explicitly considered the 
costs of a potential data breach and concluded that the overall 
benefits of the CAT outweighed any costs. Id.
    \80\ See id. at 19.
---------------------------------------------------------------------------

    The Participants also state that regulatory immunity does not 
preclude the use of contractual limitation of liability provisions and 
the divergent and shifting positions from Industry Members on the 
applicability of regulatory immunity underscores the need for a 
contractual limitation of liability.\81\ The Participants state that 
some comments generally argue that a contractual limitation of 
liability is unnecessary in light of the doctrine of regulatory 
immunity, while other comments state the Participants should not 
receive either regulatory immunity or the protection of a limitation of 
liability provision.\82\ The Participants state that the proposed 
Limitation of Liability Provisions are necessary despite any regulatory 
immunity because even litigation which holds that regulatory immunity 
applies may result in significant disruption and expense (which 
ultimately will be passed along to Industry Members as part of CAT 
LLC's joint funding), and there is no guarantee that all courts would 
agree that the Participants' immunity defense extends to the particular 
claims at issue.\83\ The Participants believe that if

[[Page 19059]]

the Commission agrees that the Participants, CAT LLC, and FINRA CAT 
should not be liable for monetary damages while acting to fulfill an 
important regulatory function in their capacities as self-regulatory 
organizations, the Commission's sole mechanism for ensuring that 
protection is to endorse the contractual proposed Limitation of 
Liability Provisions.\84\
---------------------------------------------------------------------------

    \81\ See Response Letter at 22-25.
    \82\ See id. at 21-23. The Participants state that SIFMA's 
longstanding position is that Congress should abrogate regulatory 
immunity by statute. Id. at 23-24.
    \83\ See id. at 23-25.
    \84\ See id. at 25.
---------------------------------------------------------------------------

    The Participants also state that some comments misunderstand the 
scope of the proposed Limitation of Liability Provisions.\85\ The 
Participants state that the proposed Limitation of Limitation 
Provisions would not extinguish liability and only addresses the 
allocation of liability between Industry Members and the 
Participants.\86\ The Participants state that the Proposed Amendment 
would not impact the rights or obligations of third parties, including 
Industry Members' customers and would not extinguish the broad 
regulatory oversight that the Commission exercises over the CAT or 
potential investigation and potential enforcement action for any 
cybersecurity-related violations.\87\ The Participants believe that no 
commenters have offered any explanation as to why the SEC's regulatory 
regime--which includes cybersecurity protocols developed and refined 
based on feedback from Industry Members--is insufficient to ensure 
adequate cybersecurity for CAT Data, or what deficiencies in the 
Commission's oversight necessitate that Industry Members be afforded an 
unprecedented private right of action against their regulators.\88\ The 
Participants state that commenters are asking that their primary 
regulators bear any and all liability for hypothetical ``black swan'' 
cyber breaches and that such an extraordinary ask is without precedent, 
and that Participants, implementing a regulatory mandate in their 
regulatory capacities, should receive liability protections that they 
are customarily afforded when implementing their regulatory 
responsibilities pursuant to the direction and oversight of the 
Commission.\89\
---------------------------------------------------------------------------

    \85\ See Response Letter at 25-26.
    \86\ See id. at 25.
    \87\ See id. at 25-26.
    \88\ See id. at 26.
    \89\ See id. at 2. The Participants note that both the 
Participants and Industry Members are acting pursuant to Commission 
mandate, but the Participants are also fulfilling a regulatory 
oversight role and there is no basis for the Participants to assume 
liability. Id. at 21.
---------------------------------------------------------------------------

D. Participants' Response to Comments Regarding the CRA Paper

    In the Response Letter, the Participants also provide responses to 
comment letters that addressed the CRA Paper. The Participants explain 
that the CRA Paper contain two principal analyses: (i) A ``scenario 
analysis'' in which it identified specific hypothetical breaches and 
assessed the relative difficulty of implementation, relative frequency, 
and conditional severity of each; and (ii) a consideration whether the 
cyber risk presented by the CAT should be addressed by regulation, 
litigation, or a combination of both approaches.\90\
---------------------------------------------------------------------------

    \90\ See Response Letter at 15.
---------------------------------------------------------------------------

    The Participants state that commenters that believe the CRA Paper 
did not address certain categories of hypothetical data breaches, and 
in particular breaches that originate from within FINRA CAT or 
Participants, misconstrue the CRA Paper's analysis.\91\ The 
Participants state that Charles River did not make any assumptions 
regarding the identity of potential bad actors or where they may work, 
and the CRA Paper was not intended to predict every possible scenario, 
but instead intended to provide an illustrative framework to assess the 
economic exposures that flow from the gathering, storage, and use of 
CAT Data.\92\ The Participants state that the CRA Paper concludes, in 
light of the CAT's extensive cybersecurity and other reasons, most 
potential breaches are relatively low-frequency events because they are 
either difficult to implement, unlikely to be meaningfully profitable, 
or both.\93\ The Participants also believe that the CRA Paper's 
conclusion that allowing Industry Members to litigate against CAT LLC, 
the Participants, and FINRA CAT would provide minimal benefits while 
imposing substantial costs is not undermined to the extent that 
commenters identify potential breaches that were not included in 
Charles River's scenario analysis.\94\
---------------------------------------------------------------------------

    \91\ See id.
    \92\ See id. (citing CRA Paper 2).
    \93\ See Response Letter at 16 (citing CRA Paper at 18-32).
    \94\ See Response Letter at 16.
---------------------------------------------------------------------------

    The Participants believe that comments that criticize the CRA 
Paper's for failing to consider the costs to individual Industry 
Members in the event of a CAT data breach are based on a fundamental 
misunderstanding of the relevant economic principles.\95\ Specifically, 
the CRA Paper's focus was on whether the risks of the use of CAT Data 
for regulatory purposes was best managed through ex ante regulation or 
ex post litigation, or a combination of both, and this analysis largely 
turns on identifying the most effective and efficient mechanisms for 
incentivizing CAT LLC, the Participants and FINRA CAT to take 
appropriate precautions.\96\ The Participants state that the CRA Paper 
demonstrates that the extensive regulatory regime that the SEC has 
enacted creates appropriate and strong incentives for the Participants 
to take sufficient cybersecurity precautions and to ensure that the CAT 
is secure, and that allowing Industry Members to litigate against 
Participants would create substantial costs without any corresponding 
benefit.\97\
---------------------------------------------------------------------------

    \95\ See id.
    \96\ See id.
    \97\ See id. at 16-17. The Participants also dispute an 
assertion that the CRA Paper delivered a ``pre-determined 
conclusion.'' See id. at 17 (citing ASA Letter at 2-3).
---------------------------------------------------------------------------

    The Participants acknowledge that the CRA Paper explains that the 
regulatory regime is generally silent with respect to the most 
efficient method to compensate injured parties and that the CRA Paper 
offered several suggestions to cover potential losses including 
insurance, industry loss warranties, and catastrophe bonds.\98\ The 
Participants state that they are willing discuss any of these 
compensation mechanisms with Industry Members and would welcome a 
discussion with the Commission to address the viability of these 
mechanisms and how they might be funded.\99\ The Participants reiterate 
that CAT LLC has obtained the ``maximum extent of cyber-breach 
insurance coverage available at the time'' and are willing to discuss 
with Industry Members and the Commission how that coverage might be 
used to compensate parties harmed by any potential data breach.\100\ 
The Participants also state that they regularly evaluate CAT LLC's 
insurance and intend to purchase additional coverage to the extent it 
becomes reasonably available.\101\
---------------------------------------------------------------------------

    \98\ See Response Letter at 27 (citing CRA Paper at 50-53).
    \99\ See id. at 27-28. The Participants state that the 
Commission is empowered to bring enforcement actions for violations 
of cybersecurity requirements, and this authority includes the 
ability to order individuals and entities to disgorge ill-gotten 
gains which could be used to compensate harmed parties. The 
Participants also state that creating mechanisms to compensate 
Industry Members in the event of a data breach would not obviate the 
need for the proposed Limitation of Liability Provisions. See id. at 
28.
    \100\ See Response Letter at 17. See also Response Letter at 21 
and 27.
    \101\ See id. at 21. The Participants state that the decision to 
purchase the maximum coverage available is not contingent on whether 
they are protected by a limitation of liability provision. Id. at 
27.
---------------------------------------------------------------------------

    The Participants state that they disagree with the conclusions in 
the

[[Page 19060]]

Lewis Paper and asked Charles River to respond to the issues raised 
within the Lewis Paper.\102\ The Participants state that the Lewis 
Paper appears to advocate that CAT LLC should be strictly liable for 
all costs associated with any CAT data breach, regardless of the facts 
and circumstances, without any economic analysis as to why the 
longstanding allocation of liability between the Participants and 
Industry Members should not apply here.\103\ In addition, the 
Participants state that the proposed Limitation of Liability Provisions 
do not impact the rights of Industry Members' underlying customers, and 
that Industry Members routinely disclaim liability to those underlying 
customers, which the Lewis Paper does not address.\104\ The 
Participants also state that the Lewis Paper does not include a 
scenario analysis like the CRA Paper, and the Participants state that 
the Lewis Paper incorrectly states that a cyber breach would likely be 
a single event that affects all Industry Members simultaneously, 
leading to the erroneous conclusion that CAT LLC is in a better 
position than individual Industry Members to insure against a cyber 
breach.\105\
---------------------------------------------------------------------------

    \102\ See Response Letter at 20.
    \103\ See id.
    \104\ See id.
    \105\ See id. at 20-21.
---------------------------------------------------------------------------

V. Proceedings To Determine Whether To Approve or Disapprove the 
Proposed Amendment

    The Commission is instituting proceedings pursuant to Rule 
608(b)(2)(i) of Regulation NMS,\106\ and Rules 700 and 701 of the 
Commission's Rules of Practice,\107\ to determine whether to disapprove 
the Proposed Amendment or to approve the Proposed Amendment with any 
changes or subject to any conditions the Commission deems necessary or 
appropriate after considering public comment. Institution of 
proceedings does not indicate that the Commission has reached any 
conclusions with respect to any of the issues involved. Rather, the 
Commission seeks and encourages interested persons to provide 
additional comment on the Proposed Amendment to inform the Commission's 
analysis.
---------------------------------------------------------------------------

    \106\ 17 CFR 242.608.
    \107\ 17 CFR 201.700; 17 CFR 201.701.
---------------------------------------------------------------------------

    Rule 608(b)(2) of Regulation NMS provides that the Commission 
``shall approve a national market system plan or proposed amendment to 
an effective national market system plan, with such changes or subject 
to such conditions as the Commission may deem necessary or appropriate, 
if it finds that such plan or amendment is necessary or appropriate in 
the public interest, for the protection of investors and the 
maintenance of fair and orderly markets, to remove impediments to, and 
perfect the mechanisms of, a national market system, or otherwise in 
furtherance of the purposes of the Act.'' \108\ Rule 608(b)(2) further 
provides that the Commission shall disapprove a national market system 
plan or proposed amendment if it does not make such a finding.\109\ In 
the Notice, the Commission sought comment on the Proposed Amendment, 
including whether the amendment is consistent with the Exchange 
Act.\110\ In this order, pursuant to Rule 608(b)(2)(i) of Regulation 
NMS,\111\ the Commission is providing notice of the grounds for 
disapproval under consideration:
---------------------------------------------------------------------------

    \108\ See 17 CFR 242.608(b)(2).
    \109\ See id.
    \110\ See Notice, supra note 4, 86 FR at 598.
    \111\ 17 CFR 242.608(b)(2)(i). See also Commission Rule of 
Practice 700(b)(2), 17 CFR 201.700(b)(2).
---------------------------------------------------------------------------

     Whether, consistent with Rule 608 of Regulation NMS, the 
Proposed Amendment is necessary or appropriate in the public interest, 
for the protection of investors and the maintenance of fair and orderly 
markets, to remove impediments to, and perfect the mechanisms of, a 
national market system, or otherwise in furtherance of the purposes of 
the Act,\112\ specifically regarding:
---------------------------------------------------------------------------

    \112\ See 17 CFR 242.608(b)(2).
---------------------------------------------------------------------------

    [cir] Whether the impact of the proposed Limitation of Liability 
Provisions on the incentives of the Participants to ensure the security 
of the CAT and CAT Data is necessary or appropriate in the public 
interest, for the protection of investors and the maintenance of fair 
and orderly markets, to remove impediments to, and perfect the 
mechanisms of a national market system, or otherwise in furtherance of 
the purposes of the Act;
    [cir] whether the Proposed Amendment is necessary or appropriate in 
the public interest, for the protection of investors and the 
maintenance of fair and orderly markets, to remove impediments to, and 
perfect the mechanisms of a national market system, or otherwise in 
furtherance of the purposes of the Act in light of any regulatory 
immunity applicable to the Participants; and
    [cir] whether the application of the proposed Limitation of 
Liability Provisions to willful misconduct, gross negligence, bad faith 
or criminal acts is necessary or appropriate in the public interest, 
for the protection of investors and the maintenance of fair and orderly 
markets, to remove impediments to, and perfect the mechanisms of a 
national market system, or otherwise in furtherance of the purposes of 
the Act;
     Whether, and if so how, the Proposed Amendment would 
affect efficiency, competition or capital formation;
     Whether modifications to the Proposed Amendment, or 
conditions to its approval, would be necessary or appropriate in the 
public interest, for the protection of investors and the maintenance of 
fair and orderly markets, to remove impediments to, and perfect the 
mechanisms of, a national market system, or otherwise in furtherance of 
the purposes of the Act.\113\
---------------------------------------------------------------------------

    \113\ See 17 CFR 242.608(b)(2).
---------------------------------------------------------------------------

VI. Commission's Solicitation of Comments

    The Commission requests that interested persons provide written 
submissions of their views, data, and arguments with respect to the 
issues identified above, as well as any other concerns they may have 
with the proposals. In particular, the Commission invites the written 
views of interested persons concerning whether the proposals are 
consistent with Section 11A or any other provision of the Act, or the 
rules and regulations thereunder. Although there do not appear to be 
any issues relevant to approval or disapproval that would be 
facilitated by an oral presentation of views, data, and arguments, the 
Commission will consider, pursuant to Rule 608(b)(2)(i) of Regulation 
NMS,\114\ any request for an opportunity to make an oral 
presentation.\115\
---------------------------------------------------------------------------

    \114\ 17 CFR 242.608(b)(2)(i).
    \115\ Rule 700(c)(ii) of the Commission's Rules of Practice 
provides that ``[t]he Commission, in its sole discretion, may 
determine whether any issues relevant to approval or disapproval 
would be facilitated by the opportunity for an oral presentation of 
views.'' 17 CFR 201.700(c)(ii).
---------------------------------------------------------------------------

    Interested persons are invited to submit written data, views, and 
arguments regarding whether the proposals should be approved or 
disapproved by May 3, 2021. Any person who wishes to file a rebuttal to 
any other person's submission must file that rebuttal by May 17, 2021. 
Comments may be submitted by any of the following methods:

Electronic Comments

     Use the Commission's internet comment form (http://www.sec.gov/rules/sro.shtml); or
     Send an email to [email protected]. Please include 
File Number 4-698 on the subject line.

[[Page 19061]]

Paper Comments

     Send paper comments in triplicate to: Secretary, 
Securities and Exchange Commission, 100 F Street NE, Washington, DC 
20549-1090.

All submissions should refer to File Number 4-698. This file number 
should be included on the subject line if email is used. To help the 
Commission process and review your comments more efficiently, please 
use only one method. The Commission will post all comments on the 
Commission's internet website (http://www.sec.gov/rules/sro.shtml). 
Copies of the submission, all subsequent amendments, all written 
statements with respect to the proposed rule change that are filed with 
the Commission, and all written communications relating to the proposed 
rule change between the Commission and any person, other than those 
that may be withheld from the public in accordance with the provisions 
of 5 U.S.C. 552, will be available for website viewing and printing in 
the Commission's Public Reference Room, 100 F Street NE, Washington, DC 
20549 on official business days between the hours of 10:00 a.m. and 
3:00 p.m. Copies of the filing also will be available for inspection 
and copying at the Participants' principal offices. All comments 
received will be posted without change. Persons submitting comments are 
cautioned that we do not redact or edit personal identifying 
information from comment submissions. You should submit only 
information that you wish to make available publicly. All submissions 
should refer to File Number 4-698 and should be submitted on or before 
May 3, 2021.

    For the Commission, by the Division of Trading and Markets, 
pursuant to delegated authority.\116\
---------------------------------------------------------------------------

    \116\ 17 CFR 200.30-3(a)(85).
---------------------------------------------------------------------------

J. Matthew DeLesDernier,
Assistant Secretary.
[FR Doc. 2021-07390 Filed 4-9-21; 8:45 am]
BILLING CODE 8011-01-P