Legislators ponder cybersecurity of market auditing system


Members of the House Financial Services Committee mulled concerns over cybersecurity and the pace of development for a consistently delayed project to bolster Wall Street records collection during a hearing Thursday. 

"We can't make a mistake in building [the Consolidated Audit Trail (CAT) system]," said Chris Concannon, president and chief operating officer for the Chicago Board of Options Exchange, at a hearing of the Capital Markets, Securities and Investment Subcommittee.

The panel met to discuss CAT, which will pool financial logs from stock and bond trades into one database that regulators can easily search. Until now, regulators have had to piece together information from a variety of sources to uncover complex market manipulation schemes.

Subcommittee Chairman Bill Huizenga (R-Mich.) worried that such a system would carry a "troubling" amount of personal information on traders, including names, addresses and Social Security numbers. It could also contain enough trade information for a hacker to reverse engineer proprietary trading strategies.

With a recent breach at the Securities and Exchange Commission, he said he was increasingly worried about the ramifications of CAT's cybersecurity plan. Many of the stakeholders in CAT share similar concerns.

Huizenga is currently circulating a discussion draft of a bill to require greater planning and oversight over the cybersecurity operations for CAT. 

But Tyler Gellasch, the executive director of the Healthy Markets Association, argued that the cybersecurity concerns raised by Huizenga and others are little more than a smokescreen to continue to delay CAT's release.

CAT has been under development since 2010 and has had repeated deadline extensions. It took until this year to finally select a contractor to design the system.

"We are ostensibly here to talk about data security," he said, "but I’ll assert that this hearing is really about whether for-profit market participants — some of whom may have the most to lose by the creation of the CAT — are able to exploit a convenient public fear to continue to deny regulators the basic tools they need to police the markets."

"After years of delays and exemptions, they have simply run out of other excuses," he later added.

Huizenga, Concannon and Lisa Dolly, a representative from the Securities Industry and Financial Markets Association, noted that the CAT project still had not found a chief information security officer (CISO), which they described as critical for the security of the system.

Concannon and Mike Beller, chief executive of Thesys, the company contracted to design CAT, described the process of finding a qualified CISO as arduous due to a talent shortage and the many stakeholders required to sign off on a candidate. 

Thesys, Beller noted, only received the contract for CAT this year. 

Beller emphasized that security is deeply valued both in his firm's development process and in the groundwork stakeholders conducted before Thesys was employed. He mentioned that protective measures included segmenting networks to make comprehensive data theft more difficult, encrypting files and multi-factor authentication.

Gellasch argued that the security processes in place have been well-vetted at this point and that delaying the process any further only allows market manipulators to continue.

Concannon responded that he "vehemently disagree[d]," noting they caught market manipulators "every day." Gellasch dismissed the market manipulators captured without integrated systems as low-hanging fruit.

CAT was first proposed in 2010 after regulators struggled to identify the cause of a severe flash stock market crash that wiped out nearly a trillion dollars in market capitalization in a matter of minutes before quickly bouncing back.