House Lawmakers Pressure SEC to Postpone CAT

Jeb Hensarling (R-TX), the chair of the powerful House Financial Services Committee, made the demand of Securities and Exchange Commission (SEC) chairman Jay Clayton, following an open hearing on October 4.

The Consolidated Audit Trail (CAT) is a project that aims to provide a single repository of information on market activity and is currently being built by Thesys Technologies after a lengthy competitive bidding process. The system is due to be implemented on November 15, but Hensarling said that the committee had “serious concerns” about this date.

“With the [CAT] serving as a central repository for order and trading activity data, I urge the SEC, again, to delay its implementation date until the Commission can ensure that the appropriate safeguards and internal controls are in place to protect this data,” he said.

The SEC disclosed on September 20 that intruders had managed to gain access to Edgar, its online system for company filings, potentially exposing the market to illicit trading activity off the back of non-public information contained within.

The SEC did not immediately respond to a request for comment. In testimony during the hearing, Clayton said that he had been asking questions of his staff regarding the CAT since arriving as chairman in May 2017.

“From the time I got to the Commission and got briefed on the CAT, the questions I’ve been asking are what information are we taking it in—is it sensitive? Do we need it to fulfill our mission? Can we protect it? I’ve made it clear that I don’t want information unless we need it for our mission,” he said.

Clayton added under further questioning from Hensarling that these questions “have not been answered to my satisfaction,” and that the SEC would not take data from the CAT until they had.

On October 2, the SEC provided a further update, saying it had discovered that social security numbers, dates of birth and other information for at least two persons had been accessed through such material by the intruders.

The agency has drawn fire from the fact that the incident occurred in 2016, but the public was only alerted nearly a year later.

“The committee has serious questions regarding cybersecurity controls at the SEC,” Hensarling said. “The recent announcement that [Edgar] had not only been hacked in 2016, but that non-public information may also have been used to facilitate illicit trading. This is very, very troubling. Even more troubling is that Congress and the public were not informed until September 2017.”

Clayton ruled out a complete stop to the project in a hearing held by the Senate on September 26, saying there was no need for a “time-out” in response to a question from Senator Mike Rounds (R-SD). However, he said that he would consider the possibility of phasing in the CAT.

He has also announced the formation of a new cyber-unit within the SEC, and told senators that he had released additional resources that would be dedicated to hiring cybersecurity experts and to improving the agency’s defenses in this area.