Notice 2021-24035
Joint Industry Plan; Order Disapproving an Amendment to the National Market System Plan Governing the Consolidated Audit Trail
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Published
November 4, 2021
Issuing agencies
Securities and Exchange Commission
Full Text
<html>
<head>
<title>Federal Register, Volume 86 Issue 211 (Thursday, November 4, 2021)</title>
</head>
<body><pre>
[Federal Register Volume 86, Number 211 (Thursday, November 4, 2021)]
[Notices]
[Pages 60933-60946]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2021-24035]
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
[Release No. 34-93484; File No. 4-698]
Joint Industry Plan; Order Disapproving an Amendment to the
National Market System Plan Governing the Consolidated Audit Trail
October 29, 2021.
I. Introduction
On December 18, 2020, the Operating Committee for Consolidated
Audit Trail, LLC (``CAT LLC''), on behalf of the following parties to
the National Market System Plan Governing the Consolidated Audit Trail
(the ``CAT NMS Plan'' or ``Plan''):\1\ BOX Exchange LLC; Cboe BYX
Exchange, Inc., Cboe BZX Exchange, Inc., Cboe EDGA Exchange, Inc., Cboe
EDGX Exchange, Inc., Cboe C2 Exchange, Inc., Cboe Exchange, Inc.,
Financial Industry Regulatory Authority, Inc. (``FINRA''), Investors
Exchange LLC, Long-Term Stock Exchange, Inc., Miami International
Securities Exchange LLC, MEMX, LLC, MIAX Emerald, LLC, MIAX PEARL, LLC,
Nasdaq BX, Inc., Nasdaq GEMX, LLC, Nasdaq ISE, LLC, Nasdaq MRX, LLC,
Nasdaq PHLX LLC, The NASDAQ Stock Market LLC, New York Stock Exchange
LLC, NYSE American LLC, NYSE Arca, Inc., NYSE Chicago, Inc., and NYSE
National, Inc. (collectively, the ``Participants,'' ``self-regulatory
organizations,'' or ``SROs'') filed with the Securities and Exchange
Commission (``SEC'' or ``Commission'') pursuant to Section 11A(a)(3) of
the Securities Exchange Act of 1934 (``Exchange Act''),\2\ and Rule 608
thereunder,\3\ a proposed amendment (``Proposed Amendment'' or
``Proposal'') to the CAT NMS Plan that would authorize CAT LLC to
revise the
[[Page 60934]]
Consolidated Audit Trail Reporter Agreement (the ``Reporter
Agreement'') and the Consolidated Audit Trail Reporting Agent Agreement
(the ``Reporting Agent Agreement'' and collectively, the ``Reporter
Agreements'') to insert limitation of liability provisions (the
``Limitation of Liability Provisions'').\4\ The proposed plan amendment
was published for comment in the Federal Register on January 6,
2021.\5\
---------------------------------------------------------------------------
\1\ The CAT NMS Plan is a national market system plan approved
by the Commission pursuant to Section 11A of the Exchange Act and
the rules and regulations thereunder. See Securities Exchange Act
Release No. 79318 (November 15, 2016), 81 FR 84696 (November 23,
2016) (``CAT NMS Plan Approval Order'').
\2\ 15 U.S.C. 78k-1(a)(3).
\3\ 17 CFR 242.608.
\4\ The Participants are requiring each CAT reporter or CAT
reporting agent that reports order and trade data to the CAT System
to execute a CAT Reporter Agreement or a CAT Reporting Agent
Agreement. See, e.g., CAT FAQ O14, available at: <a href="https://www.catnmsplan.com/faq">https://www.catnmsplan.com/faq</a>.
\5\ See Notice of Filing of Amendment to the National Market
System Plan Governing the Consolidated Audit Trail, Release No.
90826 (December 30, 2020), 86 FR 591 (January 6, 2021) (``Notice'').
---------------------------------------------------------------------------
On April 6, 2021, the Commission instituted proceedings pursuant to
Rule 608(b)(2)(i) of Regulation NMS,\6\ to determine whether to
disapprove the Proposed Amendment or to approve the Proposed Amendment
with any changes or subject to any conditions the Commission deems
necessary or appropriate after considering public comment (the
``OIP'').\7\ On June 25, 2021, the Commission designated a longer
period within which to conclude proceedings regarding the Proposed
Amendment.\8\ On September 2, 2021, the Commission further designated a
longer period within which to conclude proceedings regarding the
Proposed Amendment.\9\ This order disapproves the Proposed Amendment.
---------------------------------------------------------------------------
\6\ 17 CFR 242.608(b)(2)(i).
\7\ See Securities Exchange Act Release No. 91487 (April 6,
2021), 86 FR 19054 (April 12, 2021) (``OIP''). Comments received in
response to the Notice and OIP can be found on the Commission's
website at <a href="https://www.sec.gov/comments/4-698/4-698.htm">https://www.sec.gov/comments/4-698/4-698.htm</a>.
\8\ See Securities Exchange Act Release No. 92266 (June 25,
2021), 86 FR 35142 (July 1, 2021).
\9\ See Securities Exchange Act Release No. 92854 (September 2,
2021), 86 FR 50201 (September 7, 2021).
---------------------------------------------------------------------------
II. Background
On July 11, 2012, the Commission adopted Rule 613 of Regulation
NMS, which required the SROs to submit a national market system
(``NMS'') plan to create, implement and maintain a consolidated audit
trail (the ``CAT'' or ``CAT System'') that would capture customer and
order event information for orders in NMS securities.\10\ The
Commission approved the CAT NMS Plan in 2016.\11\
---------------------------------------------------------------------------
\10\ 17 CFR 242.613.
\11\ See note 1, supra.
---------------------------------------------------------------------------
On August 29, 2019, the Operating Committee for CAT LLC approved a
Reporter Agreement that included a provision that would have limited
the total liability of CAT LLC or any of its representatives to a CAT
Reporter under the Reporter Agreement for any calendar year to the
lesser of the total of fees paid by the CAT Reporter to CAT LLC for the
calendar year in which the claim arose or five hundred dollars. The
Participants required each Industry Member \12\ to execute a CAT
Reporter Agreement before reporting data to CAT. Prior to the
commencement of initial equities reporting for Industry Members, the
Securities Industry and Financial Markets Association (``SIFMA'') filed
on April 22, 2020, pursuant to Sections 19(d) and 19(f) of the Exchange
Act, an application for review of actions taken by CAT LLC and the
Participants (the ``Administrative Proceedings''). SIFMA alleged that
by requiring Industry Members to execute Reporter Agreements as a
prerequisite to submitting data to the CAT, the Participants improperly
prohibited or limited SIFMA members with respect to access to the CAT
System in violation of the Exchange Act. On May 13, 2020, the
Participants and SIFMA reached a settlement and terminated the
Administrative Proceedings, allowing Industry Members to report data to
the CAT pursuant to a Reporter Agreement that does not contain a
limitation of liability provision. Since that time, Industry Members
have been transmitting data to the CAT.\13\
---------------------------------------------------------------------------
\12\ Industry Member means a member of a national securities
exchange or a member of a national securities association. See CAT
NMS Plan at Section 1.1.
\13\ For a more detailed description of the background for the
Proposed Amendment, see Notice, supra note 5, at 591-93.
---------------------------------------------------------------------------
III. Description of the Proposal
The Participants propose to amend the CAT NMS Plan to authorize CAT
LLC to revise the Reporter Agreement and Reporting Agent Agreement with
the proposed Limitation of Liability Provisions. As proposed, the
Limitation of Liability Provisions would: (1) Provide that CAT
Reporters and CAT Reporting Agents accept sole responsibility for their
access to and use of the CAT System, and that CAT LLC makes no
representations or warranties regarding the CAT System or any other
matter; (2) limit the liability of CAT LLC, the Participants, and their
respective representatives to any individual CAT Reporter or CAT
Reporting Agent to the lesser of the fees actually paid to CAT for the
calendar year or $500; (3) provide that CAT LLC, the Participants, and
their respective representatives shall not be liable for all direct and
indirect damages of any kind or nature; and (4) provide that CAT LLC,
the Participants, and their respective representatives shall not be
liable for the loss or corruption of any data submitted by a CAT
Reporter or CAT Reporting Agent to the CAT System.\14\
---------------------------------------------------------------------------
\14\ See Notice, supra note 5, at 593.
---------------------------------------------------------------------------
In support of the Proposed Amendment, the Participants state, among
other things, that: (1) The proposed Limitation of Liability Provisions
reflect longstanding principles of allocation of liability between
Industry Members and SROs; \15\ (2) the proposed Limitation of
Liability Provisions ``fall squarely within industry norms'' and are
consistent with exchange rules that limit liability for losses that
members incur through their use of exchange facilities, provisions that
FINRA members must agree to in order to comply with Order Audit Trail
System (``OATS'') reporting, and other provisions in the context of
regulatory and NMS reporting facilities; \16\ (3) previously granted
exemptive relief that eliminated the requirement that CAT collect
certain personally identifiable information, including social security
numbers, makes the customer data stored in the CAT comparable to the
data reported to other regulatory reporting facilities; \17\ (4) the
proposed Limitation of Liability Provisions are necessary to ensure the
financial stability of CAT because even though ``CAT LLC has obtained
the maximum extent of cyber-breach insurance coverage available and has
implemented a full cybersecurity program to safeguard data stored in
the CAT,'' there is ``the potential for substantial losses that may
result from certain categories of low probability cyberbreaches.'' \18\
---------------------------------------------------------------------------
\15\ See Notice, supra note 5, at 593-95.
\16\ See Notice, supra note 5, at 593-94.
\17\ See Notice, supra note 5, at 595.
\18\ See Notice, supra note 5, at 595.
---------------------------------------------------------------------------
CAT LLC retained Charles River Associates to conduct an economic
analysis of the liability issues presented by a potential CAT breach
(the ``CRA Paper'').\19\ The Participants state that the analyses
presented in the CRA Paper support the Participants' proposal to adopt
a limitation of liability provision in the CAT Reporter Agreement and
show the importance of limiting CAT LLC's and each Participant's
liability.\20\ The CRA Paper asserts, among other things, that, based
on an examination of potential breach scenarios and a consideration of
the economic and public policy elements of various regulatory and
litigation approaches to mitigate cyber risk for the CAT, a
[[Page 60935]]
limitation of liability provision would serve the public interest by
facilitating the regulation of the U.S. equity and option markets at
lower overall costs and higher economic efficacy than other approaches,
and that the proposed limitation on liability would not undermine CAT
LLC's existing and significant incentives to protect the data stored in
the CAT System. The CRA Paper asserts that regulation by the Commission
already properly incentivizes the Participants to recognize and address
the risks that a CAT cyber breach poses to third parties such as
Industry Members. Thus, according to the Participants, permitting
litigation by Industry Members will not meaningfully increase CAT's
incentives to manage its exposure to cyber risk but will significantly
increase costs, which will ultimately be passed on to retail investors.
Because of this, the CRA Paper asserts that solely an ``ex-ante
regulation'' approach leads to the socially optimal outcome, in
comparison to an ``ex post litigation'' approach in which litigation
influences behaviors before a loss-producing event occurs by assigning
liability afterwards, or a combination of both approaches.
---------------------------------------------------------------------------
\19\ See Notice, supra note 5, at 599-624.
\20\ See Notice, supra note 5, at 595-597.
---------------------------------------------------------------------------
IV. Discussion
A. The Applicable Standard of Review
Under Rule 608(b)(2) of Regulation NMS, the Commission shall
approve a national market system plan or proposed amendment to an
effective national market system plan, with such changes or subject to
such conditions as the Commission may deem necessary or appropriate, if
it finds that such plan or amendment is necessary or appropriate in the
public interest, for the protection of investors and the maintenance of
fair and orderly markets, to remove impediments to, and perfect the
mechanisms of, a national market system, or otherwise in furtherance of
the purposes of the Exchange Act.\21\ Under Rule 700(b)(3) of the
Commission's Rules of Practice, the ``burden to demonstrate that a
proposed rule change is consistent with the Exchange Act and the rules
and regulations issued thereunder . . . is on the self-regulatory
organization that proposed the rule change.'' \22\ The Commission shall
disapprove a national market system plan or proposed amendment if it
does not make such a finding.\23\
---------------------------------------------------------------------------
\21\ 17 CFR 242.608(b)(2).
\22\ 17 CFR 201.700(b)(3).
\23\ 17 CFR 242.608(b)(2). Approval or disapproval of a national
market system plan, or an amendment to an effective national market
system plan (other than an amendment initiated by the Commission),
shall be by order. Id. In addition, Rule 700(b)(3)(ii) of the
Commission's Rules of Practice states that ``[t]he burden to
demonstrate that a NMS plan filing is consistent with the Exchange
Act and the rules and regulations issued thereunder that are
applicable to NMS plans is on the plan participants that filed the
NMS plan filing.'' 17 CFR 201.700(b)(3)(ii). ``Any failure of the
plan participants that filed the NMS plan filing to provide such
detail and specificity may result in the Commission not having a
sufficient basis to make an affirmative finding that a NMS plan
filing is consistent with the Exchange Act and the rules and
regulations issued thereunder that are applicable to NMS plans.''
Id.
---------------------------------------------------------------------------
For the reasons described below, the Commission believes that the
Participants have not met their burden to demonstrate that the Proposed
Amendment is consistent with the Exchange Act.\24\ Accordingly, the
Commission cannot make the finding that the Proposed Amendment is
necessary or appropriate in the public interest, for the protection of
investors and the maintenance of fair and orderly markets, to remove
impediments to, and perfect the mechanisms of, a national market
system, or otherwise in furtherance of the purposes of the Exchange
Act.\25\
---------------------------------------------------------------------------
\24\ 17 CFR 201.700(b)(3).
\25\ 17 CFR 242.608(b)(2).
---------------------------------------------------------------------------
B. Impact of Proposed Amendment on Incentives of Participants
Incentives To Invest in Security of the CAT
The Commission received several comments, including a letter from
SIFMA attaching an economic analysis prepared by Craig Lewis (``Lewis
Paper'') of the Proposed Amendment,\26\ expressing concern that
shifting liability through a limitation of liability provision would
reduce the incentives of Participants to develop robust data security
and risk mitigation mechanisms, and may even incentivize the
Participants to de-prioritize data security.\27\ Commenters also state
that it is ``unfair'' for Industry Members to be liable for breaches of
the CAT or CAT Data \28\ because the Participants, through CAT LLC, and
FINRA CAT, the Plan Processor,\29\ are the parties responsible for
controlling and securing CAT Data and Industry Members face potential
harm due to the compromise of CAT Data over which they have no control
and are not responsible for security.\30\ The Lewis Paper argues that
aligning control and liability incentivizes the optimal amount of data
security and would ultimately benefit all investors.\31\ Along the same
lines, another commenter asserts that ``[a]ligning control and
liability is not only fair and equitable; it is also good policy,
because it maximizes efficiencies in managing data risks inherent in
the CAT System.'' \32\
---------------------------------------------------------------------------
\26\ See Letter from Ellen Greene, Managing Director, Equity and
Options Market Structure, SIFMA, to Vanessa Countryman, Secretary,
dated February 19, 2021, available at <a href="https://www.sec.gov/comments/4-698/4698-8394069-229410.pdf">https://www.sec.gov/comments/4-698/4698-8394069-229410.pdf</a>, attaching Economic Analysis of
Proposed Amendment to National Market System Plan Governing the
Consolidated Audit Trail, Craig M. Lewis, Ph.D., February 2021.
\27\ See Lewis Paper at 5-9, 14; Letter from Ellen Greene,
Managing Director, Equity and Options Market Structure, SIFMA, to
Vanessa Countryman, Secretary, dated January 27, 2021, available at
<a href="https://www.sec.gov/comments/4-698/4698-8298026-228278.pdf">https://www.sec.gov/comments/4-698/4698-8298026-228278.pdf</a> (``SIFMA
Letter''), at 7, 9; Letter from Peggy L. Ho, Executive Vice
President, Government Relations, LPL Financial LLC, to Vanessa
Countryman, Secretary, dated January 27, 2021, available at <a href="https://www.sec.gov/comments/4-698/4698-8298412-228298.pdf">https://www.sec.gov/comments/4-698/4698-8298412-228298.pdf</a> (``LPL Financial
Letter''), at 1; Letter from Thomas R. Tremaine, Executive Vice
President, Chief Operations Officer, Raymond James & Associates,
Inc., to Vanessa Countryman, Secretary, dated February 8, 2021,
available at <a href="https://www.sec.gov/comments/4-698/4698-8347733-229000.pdf">https://www.sec.gov/comments/4-698/4698-8347733-229000.pdf</a> (``Raymond James Letter''), at 2; Letter from Joanna
Mallers, Secretary, FIA Principal Traders Group, to Vanessa
Countryman, Secretary, dated February 8, 2021, available at <a href="https://www.sec.gov/comments/4-698/4698-8345389-228979.pdf">https://www.sec.gov/comments/4-698/4698-8345389-228979.pdf</a> (``FIA PTG
Letter''), at 2; Letter from Thomas M. Merritt, Deputy General
Counsel, Virtu Financial, Inc., to Vanessa Countryman, Secretary,
dated January 27, 2021, available at <a href="https://www.sec.gov/comments/4-698/4698-8298023-228258.pdf">https://www.sec.gov/comments/4-698/4698-8298023-228258.pdf</a> (``Virtu Letter''), at 3; Letter from
Christopher A. Iacovella, Chief Executive Officer, American
Securities Association, to Vanessa Countryman, Secretary, dated
January 29, 2021, available at <a href="https://www.sec.gov/comments/4-698/4698-8311307-228499.pdf">https://www.sec.gov/comments/4-698/4698-8311307-228499.pdf</a> (``ASA Letter''), at 2; Letter from Matthew
Price, Fidelity Investments, to Vanessa Countryman, Secretary, dated
February 2, 2021, available at <a href="https://www.sec.gov/comments/4-698/4698-8343750-228940.pdf">https://www.sec.gov/comments/4-698/4698-8343750-228940.pdf</a> (``Fidelity Letter''), at 2; Letter from
Daniel Keegan, Managing Director, Head of North America Markets &
Securities Services, to Vanessa Countryman, Secretary, dated
February 25, 2021, available at <a href="https://www.sec.gov/comments/4-698/4698-8419819-229522.pdf">https://www.sec.gov/comments/4-698/4698-8419819-229522.pdf</a> (``Citi Letter''), at 2.
\28\ ``CAT Data'' means data derived from Participant Data,
Industry Member Data, SIP Data, and such other data as the Operating
Committee may designate as ``CAT Data'' from time to time. See CAT
NMS Plan at Section 1.1.
\29\ ``Plan Processor'' means the Initial Plan Processor or any
other Person selected by the Operating Committee pursuant to SEC
Rule 613 and CAT NMS Plan, Article IV, Section 4.3(b)(i) and Article
VI, Section 6.1, and with regard to the Initial Plan Processor, the
Selection Plan, to perform the CAT processing functions required by
SEC Rule 613 and set forth in this Agreement. See CAT NMS Plan at
Section 1.1.
\30\ See Lewis Paper at 3, 6; SIFMA Letter, at 4; FIA PTG
Letter, at 1 (stating it ``supports the comments previously filed by
SIFMA''); Raymond James Letter, at 2 (stating that it ``strongly
supports the points raised by SIFMA in their letter.''); LPL
Financial Letter, at 1; ASA Letter, at 2; Virtu Letter, at 2;
Fidelity Letter, at 2; Citi Letter, at 2; Letter from Ellen Greene,
Managing Director, Equity and Options Market Structure, SIFMA, to
Vanessa Countryman, Secretary, dated May 3, 2021 (``SIFMA Letter
II'') at 2, 4; Letter from Kelvin To, Founder and President, Data
Boiler Technologies, LLC, to Vanessa Countryman, Secretary, dated
May 3, 2021 (``Data Boiler Letter II'') at 5.
\31\ See Lewis Paper at 5-7; see also SIFMA Letter II at 2-3, 9-10.
\32\ See SIFMA Letter at 4. One commenter states that the CAT
System is a particularly attractive target for nation states and
other bad actors that have become increasingly sophisticated, which
could lead to significant harm to market participants, serious
competitive harm to Industry Members, and significant legal risk and
potential liability. See SIFMA Letter II at 9.
---------------------------------------------------------------------------
[[Page 60936]]
Commenters argue that the CRA Paper's specific conclusion that ex-ante
regulation is most appropriate is wrong, and that CAT
cybersecurity would benefit from both ex-ante regulation and ex-post
litigation.\33\ Another commenter characterizes shifting liability to
Industry Members who, unlike SROs, have no control over the security of
the CAT as creating a ``moral hazard'' and states that permitting
litigation against Participants and their representatives when they are
acting outside their regulatory capacity is ``crucial'' as it would
give the Participants very strong financial incentives to invest
heavily to prevent or minimize the likelihood of such failures.\34\
Similarly, the Lewis Paper asserts that liability for potential
litigation would mitigate the moral hazard problem for CAT LLC and make
CAT LLC more willing to invest in improvements in data security and
more quickly react to changing trends and threats in cybersecurity.\35\
---------------------------------------------------------------------------
\33\ See Letter from Stephen John Berger, Managing Director,
Global Head of Government & Regulatory Policy, Citadel Securities,
to Vanessa Countryman, Secretary, dated February 23, 2021, available
at <a href="https://www.sec.gov/comments/4-698/4698-8411798-229501.pdf">https://www.sec.gov/comments/4-698/4698-8411798-229501.pdf</a>
(``Citadel Letter''), at 1-2, 7; Lewis Paper at 7-9. SIFMA states
that the Lewis Paper, submitted by SIFMA, concludes that the
Proposal would reduce investor welfare by: (1) Providing less
incentive to the SROs as the operators of the CAT to invest in data
security to protect investors' personally identifiable information
and trading data in the CAT, which would place investors at greater
risk of having their data compromised; and (2) leading to the
inefficient purchase of insurance with additional costs likely
passed downstream to investors by requiring industry members to
absorb litigation-related expenses for an event over which they have
no direct control. See SIFMA Letter II at 3.
\34\ See Citi Letter at 2, 7, 9-10.
\35\ See Lewis Paper at 7-9.
---------------------------------------------------------------------------
In response to the Lewis Paper's contention that the threat of ex-post
litigation is necessary, the CRA Response asserts that the
``inconsequential and speculative'' benefits of litigation in addition
to the existing regulatory regime do not exceed the likely substantial
costs.\36\ The CRA Response further asserts that there is no asset
reserve on the balance sheet of CAT LLC sufficient to cover a
substantial cyber loss, and thus, adding a threat of litigation may not
provide any additional incentives to invest in preventative care.\37\
---------------------------------------------------------------------------
\36\ See Report from Charles River Associates, ``CRA Response
to: Economic Analysis of Proposed Amendment to the National Market
System Plan Governing the Consolidated Audit Trail by Craig M.
Lewis, Ph.D. and Selected Points in Public Comment Letters,'' dated
April 5, 2021, available at <a href="https://www.sec.gov/comments/4-698/4698-8634778-230925.pdf">https://www.sec.gov/comments/4-698/4698-8634778-230925.pdf</a> (``CRA Response'') at 9. The CRA Response further
states that the Lewis Paper mischaracterized this argument as
meaning that the CRA Paper said there are no benefits to adding the
threat of litigation. Id.
\37\ See CRA Response at 4. See also CRA Response at 9 (stating
that CAT LLC's ``cost-only business model'' provides no mechanism to
establish safety reserves that might allow it to build a cash
reserve to pre-fund catastrophic losses from a cyber breach).
---------------------------------------------------------------------------
The Participants argue that securities industry norms do not
support the principle that the party in possession of data should bear
liability in the event of a data breach, particularly where the parties
in possession of the data are acting in regulatory capacities pursuant
to Commission rules.\38\ In this regard, the Participants state that
Industry Members, despite controlling sensitive data that could be
compromised during a data breach, ``routinely'' disclaim liability to
their underlying customers including their own retail customers in
certain cases.\39\
---------------------------------------------------------------------------
\38\ See Letter from Michael Simon, CAT NMS Plan Operating
Committee Chair, to Vanessa Countryman, Secretary, dated April 1,
2021 (``Response Letter''), at 10.
\39\ See Response Letter at 10; see also id. at 20 (stating that
the Lewis Paper does not address the fact that Industry Members
routinely disclaim liability to those underlying customers).
---------------------------------------------------------------------------
The Participants also assert that the Commission's regulatory
regime, backed by its examination and enforcement functions, provides
valuable incentives for the Participants, CAT LLC and FINRA CAT to take
adequate cyber security precautions.\40\ These incentives include the
Commission's enforcement regime, severe reputational harm, financial
and reputational harm to Amazon Web Services, satisfying underwriting
standards, and the fact that a data breach could compromise the
Participants' ability to use CAT Data.\41\ The Participants believe
that commenters have not offered any explanation as to why the
Commission's regulatory regime--which includes cybersecurity protocols
developed and refined based on feedback from Industry Members--is
insufficient to ensure adequate cybersecurity for CAT Data, or what
deficiencies in the Commission's oversight necessitate that Industry
Members be afforded an unprecedented private right of action against
their regulators.\42\ The Participants further argue that commenters
have not demonstrated that the Commission lacks the ability to
adequately regulate the CAT and the Participants, and that allowing
Industry Member litigation would not result in any meaningful benefit
to the CAT's cybersecurity.\43\ In addition, the CRA Response states
that the Lewis Paper disregards the potential for enforcement action by
the Commission against Participants and does not recognize that
regulatory and reputational considerations motivate appropriate ex-ante
actions to reduce risk.\44\
---------------------------------------------------------------------------
\40\ See, e.g., Letter from Michael Simon, CAT NMS Plan
Operating Committee Chair, to Vanessa Countryman, Secretary, dated
May 18, 2021, available at <a href="https://www.sec.gov/comments/4-698/4698-8811359-238002.pdf">https://www.sec.gov/comments/4-698/4698-8811359-238002.pdf</a> (``Second Response Letter''), at 3, 5-7. The
Participants state that CAT LLC, the Participants and FINRA CAT are
subject to stringent oversight by the Commission. In addition, the
Division of Examinations examines FINRA CAT's and the Participants'
cybersecurity policies, procedures, systems, and controls. See
Second Response Letter at 6-7 (also citing Second Circuit decision
in support).
\41\ See Second Response Letter at 5-6. See also CRA Response at
1, 3-4, 6-7, 10.
\42\ See Response Letter at 26.
\43\ See Second Response Letter at 3.
\44\ See CRA Response at 5-6. The CRA Response states that there
are several weaknesses with the Lewis Paper's and the Citadel
Letter's argument that litigation as well as regulation is necessary
to give CAT LLC an added incentive to stay ahead of the Commission's
regulation since the underlying technology changes come too fast for
the Commission to keep its regulatory apparatus up to date: (1)
Lewis and Citadel ignore that Participants and FINRA CAT are
required to monitor CAT's cyber security and promptly address
vulnerabilities in accordance with Commission regulation; (2)
Industry Members can influence CAT LLC and the Commission regarding
cybersecurity as a result of CAT LLC governance and operating
mechanisms; (3) the Commission has unique access to highly sophisticated
cyber security and cyber warfare assets, which gives it access to
the most up-to-date technology; (4) CAT's technology suppliers
(e.g., AWS) have reputational incentives to maintain CAT cyber
defenses; (5) the ability to litigate might increase CAT cyber risk
by potentially weakening Industry Members' incentives to provide
feedback to the Participants; (6) Participants still face litigation
risk including from Commission enforcement actions. See CRA Response
at 13-14.
---------------------------------------------------------------------------
Commenters also state that the CRA Paper suggests certain
mechanisms, such as a third-party compensation program, cyber-related
industry loss warranties or cyber catastrophe bonds that could be used
in the event of a CAT breach to compensate third parties, but the SROs
have not proposed the adoption of any of these mechanisms.\45\ These
commenters believe that without liability risk, CAT LLC and the SROs
will have no incentive to develop any mechanisms for compensating third
parties injured if the CAT System is breached or CAT Data is misused
while under the control of CAT LLC and the SROs.\46\ These commenters
assert that the Participants are effectively conceding that without
these other mechanisms described in the CRA Paper, the current
regulatory regime is insufficient to protect parties that are injured
as a result of a CAT breach.\47\
---------------------------------------------------------------------------
\45\ See SIFMA Letter at 10; LPL Financial Letter at 1; FIA PTG
Letter at 2; Raymond James Letter at 2.
\46\ See id.
\47\ See id.
---------------------------------------------------------------------------
[[Page 60937]]
The Participants acknowledge that the CRA Paper explains that the
regulatory regime is generally silent with respect to the most
efficient method to compensate injured parties and that the CRA Paper
offered several suggestions to cover potential losses including
insurance, industry loss warranties, and catastrophe bonds.\48\ The
Participants, however, state that they are willing to discuss any of
these compensation mechanisms with Industry Members and they would
welcome a discussion with the Commission to address the viability of
these mechanisms and how they might be funded.\49\
---------------------------------------------------------------------------
\48\ See Response Letter at 27 (citing CRA Paper at 50-53).
\49\ See Response Letter at 27-28. The Participants also state
that creating mechanisms to compensate Industry Members in the event
of a data breach would not obviate the need for the proposed
Limitation of Liability Provisions. See id. at 28.
---------------------------------------------------------------------------
Cyber Insurance
Commenters assert that the proposal would allow CAT LLC to under-
invest in data security and cyber insurance.\50\ Commenters argue that
the Proposed Limitation of Liability Provisions would ultimately result
in higher costs borne by investors.\51\ According to commenters, under
the proposal, every firm submitting data to the CAT System would
effectively be forced, where possible, to obtain its own insurance to
address the same core risks of data breach or misuse within the CAT
System and CAT LLC and the Participants may not be appropriately
incentivized to invest in insurance and other risk mitigation
mechanisms.\52\ Commenters believe that it would be more appropriate
for CAT LLC to purchase insurance instead of Industry Members each
purchasing the same overlapping policies.\53\ One of these commenters
argues that CAT LLC is able to insure more efficiently than Industry
Members because CAT LLC has access to and control over CAT Data and
systems and can subject itself to monitoring by an insurer.\54\ One
commenter states that while the Participants assert that CAT LLC has
obtained the ``maximum extent of cyber-breach insurance coverage,'' the
Participants have not disclosed any information about the extent or
cost of the coverage obtained,\55\ and do not analyze whether
Participants should seek insurance or the effect such insurance could
have on the Participants' incentives to protect data that they extract
from the CAT and store outside the CAT.\56\ The commenter states that
it is not at all clear that CAT LLC could not obtain additional
insurance.\57\
---------------------------------------------------------------------------
\50\ See SIFMA Letter II at 2-3, 9-10; Lewis Paper.
\51\ See SIFMA Letter II at 2-3, 9-10; Lewis Paper.
\52\ See SIFMA Letter II at 10. See also Data Boiler Letter II
at 3 (provisions discourage Participants from advancing the security
and design of CAT and CAT Data).
\53\ See Lewis Paper at 11; SIFMA Letter at 4-5, 8-9, 10-11;
Virtu Letter at 3. See also LPL Financial Letter at 1; FIA PTG
Letter at 2; Raymond James Letter at 2. One commenter expresses
skepticism that Industry Members could even obtain insurance
policies under the current CAT System construct, because Industry
Members have no control over the data they are by law required to
submit, its security or the CAT System. See Virtu Letter at 3.
\54\ See Lewis Paper at 12-13. See also SIFMA Letter at 4-5
(stating that requiring Industry Members to pay for and implement
separate and overlapping insurance policies, if available, is
inefficient and would result in substantially higher costs borne by
Industry Members and by extension their customers).
\55\ See SIFMA Letter II at 9.
\56\ See Citadel Letter at 7-8. See also Lewis Paper at 13-14.
\57\ See SIFMA Letter II at 9. SIFMA also discusses the state of
negotiations with the Participants. See SIFMA Letter II at 11.
---------------------------------------------------------------------------
The Participants reiterate that CAT LLC has purchased the maximum
amount of cyber insurance coverage that the current market will
reasonably provide. The Participants also state that they will
regularly evaluate CAT LLC's insurance and intend to purchase
additional coverage to the extent it becomes reasonably available.\58\
The Participants argue that disclosing the amount of insurance
purchased by CAT LLC could potentially incentivize bad actors to target
the CAT with ransom demands.\59\ The Participants assert that CAT LLC
is not equipped to compensate Industry Members in the event of a data
breach because funding is designed to cover costs only and it is
difficult to imagine how CAT LLC could ensure solvency if substantial
exclusions are included in a limitation of liability.\60\ The CRA
Response states that the Lewis Paper's conclusion that the Participants
should purchase additional cyber-insurance relies on two propositions
for which the Lewis Paper provides no basis: (1) CAT LLC can purchase
additional and more targeted cyber insurance to pre-finance possible
cyber claims from Industry Members and that (2) the decrease in cyber
security risks and insurance rates to Industry Members would outweigh
the increase in CAT LLC's cyber insurance rates.\61\
---------------------------------------------------------------------------
\58\ See Second Response Letter at 17.
\59\ See Second Response Letter at 17. The Participants noted
that they were reviewing a May 3, 2021 term sheet from SIFMA setting
forth terms upon which Industry Members would be willing to resolve
the dispute regarding the allocation of liability in the event of a
CAT data breach. Id.
\60\ See Second Response Letter at 15.
\61\ See CRA Response at 5.
---------------------------------------------------------------------------
The CRA Response asserts that the Lewis Paper's claim that the
Limitation of Liability Provisions will force clients' claims onto
Industry Members and burden Industry Members with purchasing additional
insurance coverage is erroneous.\62\ Specifically, according to the CRA
Response, the Lewis Paper does not explain how Industry Members'
clients can sue Industry Members for a cyberbreach of CAT, does not
consider that many Industry Members have similar provisions in their
customer agreements, and does not explain how an insurer would write
liability coverage for Industry Members paying claims to clients for an
adverse cyber event.\63\ In addition, the CRA Response states that the
Lewis Paper and commenters assume, without support, that Industry
Members will face litigation risk from customers due to a cyberbreach
at the CAT.\64\
---------------------------------------------------------------------------
\62\ See CRA Response at 5-6.
\63\ See CRA Response at 5-6. However, purchasing cyber
liability insurance to protect against potential first-party risk
exposure might be part of a reasonable and sound approach to
managing first-party risk exposure. Id. at 13.
\64\ See CRA Response at 13.
---------------------------------------------------------------------------
Visibility and Input of Industry Members Into the Security of the CAT
One commenter argues that the CRA Paper significantly
overemphasizes the visibility and input into the workings of CAT
provided to the industry, and asserts that there is no visibility into
the security aspects of CAT.\65\ The Participants state that Industry
Members have had extensive opportunities to provide input regarding the
CAT's cybersecurity at every stage of the development and operation of
the CAT.\66\ The CRA Response states that commenters fail to
acknowledge that providing Industry Members a right to litigate may
reduce Industry Members' incentives to undertake their monitoring and
influencing activities in favor of relying upon the threat of
litigation, thereby weakening the overall cyber program of the CAT.\67\
The CRA Response also states that limiting Industry Members' ability to
recover damages provides greater incentives for them to provide
feedback to CAT management through the Advisory Committee.\68\
---------------------------------------------------------------------------
\65\ See Citadel Letter at 9.
\66\ See Response Letter at 14. This includes prior to approval
of the CAT NMS Plan, feedback through the Advisory Committee, and
the ability of Industry Members to directly petition the Commission
or provide comments on any proposals offered by the Commission. Id.
\67\ See CRA Response at 2, 9, and 11.
\68\ See CRA Response at 19. The Participants also assert that
Industry Members have ample opportunities to contribute their
perspectives regarding the CAT's cybersecurity. See Second Response
Letter at 10.
---------------------------------------------------------------------------
[[Page 60938]]
Regulatory Immunity
Commenters argue that the SROs have failed to explain why
limitation of their liability should be imposed by contract because the
SROs have immunity from liability when acting in a regulatory
capacity.\69\ Commenters further assert that the effort to impose
liability limitations by contract ``raises significant questions about
whether the SROs seek to avoid liability in circumstances in which they
misuse CAT Data while acting in a commercial capacity.'' \70\ Another
commenter frames the issue as not whether the Participants should be
liable for conduct undertaken during the course of their regulatory
responsibilities, but whether the Participants should be insulated from
potential liability for activities not covered by regulatory
immunity.\71\ One commenter states that it believes that court
precedent ``strongly indicates that the courts are likely to view any
regulatory activity the SROs conduct through CAT LLCs as being subject
to this judicial immunity even though it is being conducted in a legal
entity that is separate from the SROs.'' \72\
---------------------------------------------------------------------------
\69\ See Citadel Letter at 1, 3-5; SIFMA Letter at 8; LPL
Financial Letter at 1; FIA PTG Letter at 2; Raymond James Letter at
2; SIFMA Letter II at 5; 6-7.
\70\ See SIFMA Letter at 8. See also LPL Financial Letter at 1;
FIA PTG Letter at 2; Raymond James Letter at 2.
\71\ See Citadel Letter at 5.
\72\ See SIFMA Letter II at 7. See also Data Boiler Letter II at
4.
---------------------------------------------------------------------------
In response to comments about regulatory immunity, the Participants
state that regulatory immunity does not preclude the use of contractual
limitation of liability provisions and the divergent and shifting
positions from Industry Members on the applicability of regulatory
immunity underscores the need for a contractual limitation of
liability.\73\ The Participants state that some comments generally
argue that a contractual limitation of liability is unnecessary in
light of the doctrine of regulatory immunity, while other comments
state the Participants should not receive either regulatory immunity or
the protection of a limitation of liability provision.\74\ The
Participants state that the proposed Limitation of Liability Provisions
are necessary despite any regulatory immunity because even litigation
which holds that regulatory immunity applies may result in significant
disruption and expense (which ultimately will be passed along to
Industry Members as part of CAT LLC's joint funding), and there is no
guarantee that all courts would agree that the Participants' immunity
defense extends to the particular claims at issue.\75\ The Participants
believe that the Proposed Limitation of Liability Provisions are
necessary to avoid the uncertainty inherent in litigation and to avoid
the costs associated with defending against potential lawsuits.\76\ In
addition, litigation would be costly and resource intensive and
ultimately distract the Participants and FINRA CAT from their important
regulatory oversight mandate.\77\ The Participants state that several
commenters misstate the scope of the Proposed Amendment by suggesting
that the Proposed Amendment would extinguish liability.\78\ The
Participants state that the Proposed Amendment only concerns the
allocation of liability between Industry Members and the Participants
and the Proposed Amendment would not impact the rights or obligations
of third parties, including Industry Members' customers and would not
extinguish the broad regulatory oversight that the Commission exercises
over the CAT or potential investigation and potential enforcement
action for any cybersecurity-related violations.\79\
---------------------------------------------------------------------------
\73\ See Response Letter at 22-25; see also Second Response
Letter at 4, 11-12. The Participants also state that SIFMA has not
indicated that it and constituent Industry Members will abandon
their extensive efforts to challenge the regulatory immunity
doctrine in court or cease lobbying Congress to abrogate it by
statute. Id. at 3-4, 11.
\74\ See Response Letter at 21-23. The Participants state that
SIFMA's longstanding position is that Congress should abrogate
regulatory immunity by statute. Id. at 23-24.
\75\ See Response Letter at 23-25. See also Second Response
Letter at 4, 11.
\76\ See Second Response Letter at 11-12.
\77\ See id.
\78\ See Response Letter at 25 (citing Citi Letter at 2 and
SIFMA Letter at 9).
\79\ See Response Letter at 25-26.
---------------------------------------------------------------------------
The Participants believe that commenter concerns that the
regulatory process might not keep pace with emerging and evolving cyber
threats fail to consider Commission regulatory requirements and
oversight, including the CAT NMS Plan requirement that Participants and
FINRA CAT proactively monitor the CAT's cybersecurity and promptly
address any vulnerabilities.\80\ Participants state that, in contrast,
litigation would require the Commission to share responsibility with
the courts and is a lengthy process that is unlikely to outpace
regulation.\81\ In addition, the Commission has means other than the
formal rule-making process to address emerging cyber threats.\82\ In
addition, the Participants assert that allowing Industry Member
litigation would undoubtedly result in substantial additional costs and
that the CRA Paper demonstrates that the costs of litigating a
potential CAT Data breach are likely to be both substantial and
unquantifiable on an ex-ante basis.\83\ It would also create additional
costs and distract the Participants from the regulatory mission of CAT,
and these costs would ultimately be passed along to investors.\84\ The
Participants state that commenters are asking that their primary
regulators bear any and all liability for hypothetical ``black swan''
cyber breaches and that such an extraordinary ask is without precedent,
and that Participants, implementing a regulatory mandate in their
regulatory capacities, should receive liability protections that they
are customarily afforded when implementing their regulatory
responsibilities pursuant to the direction and oversight of the
Commission.\85\
---------------------------------------------------------------------------
\80\ See Second Response Letter at 7.
\81\ See Second Response Letter at 8.
\82\ See Second Response Letter at 8. The Participants state
that the Commission and its staff have ``multiple tools at their
disposal to motivate regulated entities'' to ``expeditiously modify
their cybersecurity regimes.'' ``For example, the Division of
Examinations, which has prioritized cybersecurity issues, often
releases risk alerts in response to emerging concerns.'' Id.
\83\ See Second Response Letter at 3-4, 16.
\84\ See Second Response Letter at 4, 16.
\85\ See Second Response Letter at 4; see also Response Letter
at 20 (stating that the Lewis Paper appears to advocate that CAT LLC
should be strictly liable for all costs associated with any CAT data
breach, regardless of the facts and circumstances, without any
economic analysis as to why the longstanding allocation of liability
between the Participants and Industry Members should not apply
here). The Participants note that both the Participants and Industry
Members are acting pursuant to Commission mandate, but the
Participants are also fulfilling a regulatory oversight role and
there is no basis for the Participants to assume liability. See
Response Letter at 21. See also Second Response Letter at 4.
---------------------------------------------------------------------------
CRA Paper Does Not Capture All Data Breach Risks and Costs
Commenters believe that the CRA Paper does not capture all data
breach risks, stating that the CRA Paper only focuses on a breach by
external actors and fails to address the risk of misuse of CAT Data by
personnel at CAT LLC and the SROs.\86\ In addition, one commenter
emphasizes that the CRA Paper focuses on databases maintained by CAT
LLC, not the ``larger concern,'' which is the potential for hackers to
access CAT Data from Participant
[[Page 60939]]
databases that have extracted data from the CAT.\87\ Two commenters
further criticize the breach scenarios discussed in the CRA Paper as
insufficient to capture the risks. One of these commenters suggests
that a breach of CAT by foreign actors, or CAT being internally
compromised could lead to the ``downfall'' of U.S. capital markets and
that the breach scenarios in the CRA Paper ``grossly'' underestimate
national security threats.\88\ Another commenter states that the CRA
Paper ``avoids any serious discussion'' of the risk posed by ``nation
state actors, like China and Russia.'' \89\
---------------------------------------------------------------------------
\86\ See Citadel Letter at 6; SIFMA Letter at 9; LPL Financial
Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2; Virtu
Letter at 5. One commenter states that the CRA Paper does not
provide any support for the argument that broker-dealers should be
accountable for the wrongdoing or misuse of data by SRO employees or
contractors. See ASA Letter at 2.
\87\ See Citadel Letter, at 6-7.
\88\ See Letter from Kelvin To, Founder and President, Data
Boiler Technologies, LLC, to Vanessa Countryman, Secretary, dated
January 27, 2021, at 1 and 6, available at <a href="https://www.sec.gov/comments/4-698/4698-8311309-228460.pdf">https://www.sec.gov/comments/4-698/4698-8311309-228460.pdf</a>.
\89\ See ASA Letter at 2.
---------------------------------------------------------------------------
Participants and the CRA Response dispute commenters' claims that
the CRA Paper does not include all potential data breaches.\90\ The
Participants argue that certain commenters misconstrue the CRA Paper's
analysis.\91\ Specifically, these commenters assert that the CRA Paper
did not address certain categories of hypothetical data breaches, and
in particular breaches that originate from within FINRA CAT or
Participants. The Participants state that the CRA Paper did not make
any assumptions regarding the identity of potential bad actors or where
they may work, and the CRA Paper was not intended to predict every
possible scenario, but instead intended to provide an illustrative
framework to assess the economic exposures that flow from the
gathering, storage, and use of CAT Data.\92\ The Participants state
that the CRA Paper concludes, in light of the CAT's extensive
cybersecurity and other reasons, most potential breaches are relatively
low-frequency events because they are either difficult to implement,
unlikely to be meaningfully profitable, or both.\93\ The Participants
also believe that the CRA Paper's conclusion that allowing Industry
Members to litigate against CAT LLC, the Participants, and FINRA CAT
would provide minimal benefits while imposing substantial costs is not
undermined to the extent that commenters identify potential breaches
that were not included in the CRA Paper's scenario analysis.\94\
---------------------------------------------------------------------------
\90\ See Response Letter at 15. The Participants explain that
the CRA Paper contains two principal analyses: (i) A ``scenario
analysis'' in which it identified specific hypothetical breaches and
assessed the relative difficulty of implementation, relative
frequency, and conditional severity of each; and (ii) a
consideration whether the cyber risk presented by the CAT should be
addressed by regulation, litigation, or a combination of both
approaches.
\91\ See Response Letter at 15.
\92\ See Response Letter at 15-16 (citing CRA Paper 2).
\93\ See Response Letter at 16 (citing CRA Paper at 18-32).
\94\ See Response Letter at 16.
---------------------------------------------------------------------------
The Participants believe that comments that criticize the CRA Paper
for failing to consider the costs to individual Industry Members in the
event of a CAT Data breach are based on a misunderstanding of the
relevant economic principles.\95\ Specifically, the CRA Paper's focus
was on whether the risks of the use of CAT Data for regulatory purposes
was best managed through ex ante regulation or ex post litigation, or a
combination of both, and this analysis largely turns on identifying the
most effective and efficient mechanisms for incentivizing CAT LLC, the
Participants and FINRA CAT to take appropriate precautions.\96\ The
Participants state that the CRA Paper demonstrates that the extensive
regulatory regime that the Commission has enacted creates appropriate
and strong incentives for the Participants to take sufficient
cybersecurity precautions and to ensure that the CAT is secure, and
that allowing Industry Members to litigate against Participants would
create substantial costs without any corresponding benefit.\97\
---------------------------------------------------------------------------
\95\ See Response Letter at 16.
\96\ See id.
\97\ See Response Letter at 16-17. The Participants also dispute
an assertion that the CRA Paper delivered a ``pre-determined
conclusion.'' See id. at 17 (citing ASA Letter at 2-3).
---------------------------------------------------------------------------
The CRA Response states that allowing Industry Members to litigate
against CAT LLC and Participants entails potentially substantial costs
and uncertainty in the operation of the CAT that, ultimately, could be
borne by Industry Members' underlying customers,\98\ as a result of the
Commission-approved joint funding of CAT LLC by Industry Members and
Participants, a fact the CRA Response believes that the Lewis Paper
ignores. According to the CRA Response, a limitation of liability also
protects Industry Members from the possibility of funding both
catastrophic losses and substantial litigation costs.\99\
---------------------------------------------------------------------------
\98\ See CRA Response at 8.
\99\ See CRA Response at 2, 8.
---------------------------------------------------------------------------
Participants and the CRA Response argue that the Lewis Paper's
argument that CAT LLC is in a better position to insure against a CAT
Data breach fails because, among other reasons, it is based on a
premise that a cyberbreach would impact all Industry Members
simultaneously \100\ and ignores the fact that CAT LLC has already
purchased the maximum insurance coverage that was feasibly
available.\101\ The CRA Response states that the CRA Paper's scenario
analysis does not support the Lewis Paper's assertion that a breach is
likely to be a single event that affects all Industry Members
simultaneously, and the Lewis Paper does not explain why a single event
instead of multiple events affecting subsets of Industry Members might
make a difference.\102\ The Commission acknowledges that a number of
factors impact the Participants' incentives to invest in, or
prioritize, the security of the CAT. These factors include, but are not
limited to (in no specific order): The cost of security; regulatory
requirements, including Commission supervision and enforcement, fines,
penalties and potential loss of their SRO licenses; reputation; the
threat of litigation; and the amount of potential payments to those
impacted by a security breach. Given the sensitivity of CAT Data, as
well as the importance of the CAT for regulatory purposes, the
Commission believes it is important to evaluate the incentives to
invest in, or prioritize, the security of the CAT. The burden is on
Participants to demonstrate that the Proposed Amendment is necessary or
appropriate in the public interest, for the protection of investors and
the maintenance of fair and orderly markets, to remove impediments to,
and perfect the mechanisms of, a national market system, or otherwise
in furtherance of the purposes of the Exchange Act.\103\ Accordingly,
the Commission believes that the Participants must demonstrate that the
Proposed Amendment satisfies this standard in light of its potential
impact on the Participants' incentives to invest in or prioritize the
security of CAT.
---------------------------------------------------------------------------
\100\ The Participants state that the Lewis Paper does not
include a scenario analysis like the CRA Paper. See Response Letter
at 16 at 20-21.
\101\ See CRA Response at 2, 4-5.
\102\ See CRA Response at 16. The CRA Response also states that
the Lewis Paper implies that a single event is unlike a typical
situation where pooling of risk can reduce the volatility around
claims, but the CRA Response further argues this is a narrow view as
insurers can spread correlated risks through reinsurance contracts
across the global insurance industry ultimately bringing the
benefits of diversification to all who are insured. Id.
\103\ 17 CFR 201.700(b)(3).
---------------------------------------------------------------------------
By essentially eliminating any potential liability to Industry
Members in the event of a security breach, the Participants limit the
risk to themselves should they decide to reduce their investments in
the security of the CAT, and such a reduction could increase the
potential for a breach of CAT or
[[Page 60940]]
unauthorized release of CAT Data. The Participants characterize one of
the potential liabilities that they need to be insulated from as ``the
potential for substantial losses that may result from certain
categories of low probability cyberbreaches,'' \104\ and the CRA Paper
estimates an exposure of at least $100 million per incident as a
``reasonable'' estimate for a data breach scenario in which an
algorithmic trading firm's strategy was reverse engineered, which it
also describes as very difficult to implement and occurring
infrequently.\105\ The Proposed Amendment would almost completely
insulate the Participants from any liability to member firms for those
damages. Due to potentially lower costs should such a breach occur, the
Commission believes the proposed Limitation of Liability Provisions
would have a negative impact on the incentives of Participants to
secure the CAT to prevent breaches, including purportedly low
probability events.\106\ Also, absent the proposed Limitation of
Liability Provisions, the Participants might be incentivized to make
further investments in data security beyond those mandated by the CAT
NMS Plan and Commission rulemakings, such as internal controls designed
to decrease the likelihood of misuse of CAT Data beyond the
requirements of the CAT NMS Plan.
---------------------------------------------------------------------------
\104\ See Notice, supra note 5, at 595.
\105\ See Notice, supra note 5, at 597, 599-600, 603.
\106\ See also Economic Analysis at Section V.A.
---------------------------------------------------------------------------
The CRA Response states that the benefits of litigation in addition
to the existing regulatory regime are ``inconsequential and
speculative'' and do not exceed the likely substantial costs.\107\
However, the CRA Response acknowledges that the threat of liability
does incentivize behavior, arguing that limiting Industry Members'
ability to recover damages provides greater incentives for them to
provide feedback to CAT management through the Advisory Committee.\108\
The Commission believes that although Industry Members do have avenues
to provide feedback such as through the Advisory Committee, Industry
Members do not have access to the information they would need, such as
security audit results and design specifications, to evaluate the
security of CAT and identify meaningful deficiencies. The Commission
also believes that the CRA Response's argument applies to Participants,
in that their behavior would change to the extent there is a decreased
threat of liability. Specifically, with the proposed Limitation of
Liability Provisions, the Participants' potential liability to Industry
Members would decrease and thus reduce Participants' incentives to
ensure robust cybersecurity of CAT and CAT Data in an effort to reduce
or avoid the potential liability.
---------------------------------------------------------------------------
\107\ See CRA Response at 9. Neither the Participants nor the
CRA Paper or CRA Response provides specifics regarding estimated
costs of litigation.
\108\ See CRA Response at 19.
---------------------------------------------------------------------------
Participants argue that security industry norms do not support the
principle that the party in possession of the data should bear
liability in the event of a data breach, especially when acting in a
regulatory capacity pursuant to Commission rules,\109\ and that
Industry Members ``routinely'' disclaim liability to their underlying
customers.\110\ The Commission did not approve provisions in Industry
Member contracts for OATS or Industry Member contracts with underlying
customers. The Participants also refer to limitation of liability
provisions in SROs' rules that were previously approved by the
Commission.\111\ In the case of the SROs' rules, these rules relate to
liability to members with respect to the business operations of
exchanges and were established for different types of systems with
different risks than the CAT.\112\ The Commission believes that given
the amount and sensitivity of the data in the CAT System, it is
important that the Participants' incentives to invest in robust
cybersecurity, including potential liability in the event of a breach,
are not reduced. Based on the record before it, the Commission believes
that the proposed Limitation of Liability Provisions would reduce
Participants' incentives to invest in CAT Data security.
---------------------------------------------------------------------------
\109\ See Response Letter at 10.
\110\ See Response Letter at 10; see also Response Letter at 20
(stating that the Lewis Paper does not address the fact that
Industry Members routinely disclaim liability to those underlying
customers).
\111\ See Response Letter at 5-7.
\112\ CAT Data, unlike an SRO's trading data, includes
comprehensive trading data from all exchange SROs and order and
customer information submitted by Industry Members.
---------------------------------------------------------------------------
The CRA Response also states that providing Industry Members a
right to litigate may reduce Industry Members' incentives to undertake
their monitoring and influencing activities in favor of relying upon
the threat of litigation, thereby weakening the overall cyber program
of the CAT.\113\ The Commission also believes that these comments
suggest that Industry Members can have a significant role in
determining the strength of the overall cyber program of CAT, and if a
reduction in Industry Member ``monitoring and influencing activities''
would weaken the overall cyber program of the CAT, the absence of
essentially any liability to Industry Members would also weaken the
overall cyber program of CAT.\114\ The Participants expressed concern
that CAT LLC is not equipped to compensate Industry Members in the
event of a data breach because funding is designed to cover costs
only.\115\ The Participants further assert that it is difficult to
imagine how CAT LLC could ensure solvency if substantial exclusions are
included in a limitation of liability.\116\ However, these are not
compelling reasons to include the proposed Limitation of Liability
Provisions. The Commission believes that there are mechanisms in place
to ensure CAT LLC will not fail to compensate Industry Members or
become insolvent. Specifically, the Participants are obligated to
maintain a CAT and cannot dissolve CAT LLC without Commission
approval.\117\ Due to its obligation to maintain the CAT, the
Participants would need to fund CAT LLC by recovering any shortfall
from the Participants and/or Industry Members.\118\ To the extent the
Participants seek to recover any shortfall from Industry Members, the
Commission will assess those fees to assure that they are
reasonable.\119\
---------------------------------------------------------------------------
\113\ See CRA Response at 2, 9, and 11.
\114\ The CRA Response emphasizes that Industry Members and
other interested parties are able to monitor and suggest
improvements for CAT's cyber security and ``history is replete with
examples.'' See CRA Response at 3-4.
\115\ See Second Response Letter at 15.
\116\ See Second Response Letter at 15. See also CRA Response at
9 (stating that CAT LLC's ``cost-only business model'' provides no
mechanism to establish safety reserves that might allow it to build
a cash reserve to pre-fund catastrophic losses from a cyber breach).
\117\ See CAT NMS Plan, Article X, Section 10.1.
\118\ See CAT NMS Plan, Article XI, Section 11.1(b) and 11.2.
Specifically, Section 11.1(b) states that subject to Section 11.2,
the Operating Committee shall have discretion to establish funding
for the CAT LLC, including: (i) Establishing fees that the
Participants shall pay; and (ii) establishing fees for Industry
Members that shall be implemented by Participants. Section 11.2 sets
forth funding principles that the Operating Committee should
consider in establishing the funding of the Company. Specifically,
Section 11.2(f) states that the Operating Committee should consider
building financial stability to support the Company as a going
concern.
\119\ See CAT NMS Plan, Article X, Section 11.1(b).
---------------------------------------------------------------------------
Even in the absence of the proposed Limitation of Liability
Provisions, the Participants may have limited liability to Industry
Members through court-established regulatory immunity.\120\ To the
extent it is available, regulatory
[[Page 60941]]
immunity may create the same incentive as the proposed Limitation of
Liability Provisions for Participants to reduce their investment in CAT
cybersecurity. Regulatory immunity, however, is not applicable in all
scenarios (i.e., commercial use or intentional misconduct). The
Commission does not believe that the Participants have adequately
explained why, in cases where regulatory immunity may not be applicable
because Participant use of CAT data is improper (e.g., commercial use
or intentional misconduct), they should be permitted to limit their
liability. The potential consequences of such behavior, however, could
also fall on Industry Members who have no control over the security of
CAT Data they have submitted to the CAT. The Commission believes that
the presence of liability risk would provide Participants an additional
incentive to invest in CAT data security to prevent such behavior from
occurring.\121\ The Commission believes that the Participants have not
met their burden to demonstrate that the Proposed Amendment is
necessary or appropriate in the public interest, for the protection of
investors and the maintenance of fair and orderly markets, to remove
impediments to, and perfect the mechanisms of, a national market
system, or otherwise in furtherance of the purposes of the Exchange
Act.\122\
---------------------------------------------------------------------------
\120\ See Section IV.C.1, supra. The Participants assert that
regulatory immunity applies to their use of CAT. See Response Letter
at 23; Second Response Letter at 4.
\121\ See also Economic Analysis at Section V.A.
\122\ 17 CFR 201.700(b)(3).
---------------------------------------------------------------------------
C. Breadth of the Proposed Limitation of Liability Provisions
Several commenters are critical of the scope of the proposed
Limitation of Liability Provisions and in particular the language that
prohibits Industry Members from pursuing claims against CAT LLC and the
Participants if there is ``willful misconduct, gross negligence, bad
faith or criminal acts of CAT LLC, the SROs or their representatives or
employees.'' \123\ As one commenter states, the proposal would shield
the Participants from liability, ``not only for a breach of the CAT
System by malicious third-party actors but even from the theft or other
misuse of CAT Data by SRO employees'' and would ``effectively
extinguish the liability of CAT LLC and the SROs even in instances of
gross negligence or intentional misconduct.'' \124\ Another commenter
states that the proposal ``would effectively hold brokers responsible
for the malfeasance and incompetence of the SROs and their
contractors'' and that this would be ``extremely unreasonable.'' \125\
---------------------------------------------------------------------------
\123\ See SIFMA Letter at 5, 7-8. See also LPL Financial at 1;
FIA PTG Letter at 2; Raymond James Letter at 2; Citadel Letter, at 3
(stating that the provisions would protect Participants and their
representatives from any and all potential misuse, including
intentional misuse, of CAT Data); SIFMA Letter II at 8-9.
\124\ See SIFMA Letter at 5; see also LPL Financial at 1; FIA
PTG Letter at 2; Raymond James Letter at 2.
\125\ See ASA Letter at 2.
---------------------------------------------------------------------------
A commenter suggests that if the limitation of liability language
was adopted as proposed, ``CAT LLC would only have $500 in liability if
an SRO employee stole CAT Data and posted it on the internet.'' \126\ A
commenter believes that the liability cap should only apply when CAT LLC
and the Participants are acting solely in their regulatory capacity,
for which they have proposed a definition, and should exclude willful
misconduct, gross negligence, bad faith, or criminal acts.\127\
---------------------------------------------------------------------------
\126\ See SIFMA Letter II at 8.
\127\ See SIFMA Letter II at 11.
---------------------------------------------------------------------------
The Participants state that the proposed Limitation of Liability
Provisions fall squarely within industry norms, referencing a
comparison to the allocation of liability between Industry Members and
SROs in other regulatory contexts, including NMS plans, regulatory
reporting facilities, SRO rules and liability provisions that Industry
Members use to protect themselves when they possess sensitive customer
and transaction data.\128\ The Participants believe that the proposed
Limitation of Liability Provisions are ``substantively identical'' to
the liability provisions to which Industry Members regularly agree in
connection with OATS reporting.\129\
---------------------------------------------------------------------------
\128\ See Response Letter at 5-11.
\129\ Id. at 6-7. Commenters assert that the proposed Limitation
of Liability Provisions are inconsistent with industry standards,
citing among other things SRO limitation of liability rules which
exclude protection for willful misconduct, gross negligence, bad
faith or criminal acts. See SIFMA Letter at 7; LPL Financial Letter
at 1; FIA PTG Letter at 2; Raymond James Letter at 2; Fidelity
Letter at 2.
---------------------------------------------------------------------------
Commenters, however, dismiss comparisons made in the Proposed
Amendment to OATS limitation of liability provisions because (1) CAT
captures significantly more information than OATS, including personally
identifiable information, and data reported to OATS is reported to and
only used by FINRA; and (2) OATS does not have account-level data,
which the CAT will collect and which could present the risk of reverse
engineering of trading strategies.\130\ One commenter stated that the
limitation of liability provisions for OATS were signed in 1998, and
since then the landscape of cybersecurity has changed, and the
frequency and scale of data breaches has increased dramatically.\131\
---------------------------------------------------------------------------
\130\ See Lewis Paper at 9-10; SIFMA Letter at 8; LPL Financial
Letter at 2; Raymond James Letter at 2; FIA PTG Letter at 2; Virtu
Letter at 4; SIFMA Letter II at 7.
\131\ See Lewis Paper at 10.
---------------------------------------------------------------------------
In response, the Participants reject the suggestion that any
limitation of liability provision should allow liability for willful
misconduct, gross negligence, bad faith or criminal acts of CAT LLC,
the SROs or their representatives or employees.\132\ The Participants
assert that the exclusion of ``gross negligence, willful misconduct,
bad faith, or criminal acts'' is not appropriate and would be
inconsistent with other limitation of liability provisions for other
NMS plans (including OATS) and SRO rules.\133\ The Participants state
that in the limited instances in which SRO liability rules permit
claims for gross negligence or willful misconduct, Industry Members are
often prohibited from suing an SRO for damages unless the alleged gross
negligence or willful misconduct also constituted a securities law
violation for which Congress has authorized a private right of
action.\134\ The Participants further argue that modifying the proposed
Limitation of Liability Provisions is not supported by the CRA Paper,
because such modifications would likely result in
[[Page 60942]]
litigation over liability \135\ and litigation to prove these elements
even if non-existent.\136\
---------------------------------------------------------------------------
\132\ See Response Letter at 7 (citing SIFMA Letter at 7-8);
Second Response Letter at 4, 13-15.
\133\ See Second Response Letter at 4, 13-15. The Participants
assert that the proposed Limitation of Liability Provisions are
consistent with SRO limitation of liability rules, emphasizing that
under those rules the SROs generally have the discretion, but not
obligation, to compensate harmed Industry Members, and that this
discretion only applies in very limited circumstances--namely, for
system failures that impact the execution of individual orders. See
Response Letter at 5-6. The Participants also note that during
negotiations, the Participants submitted to SIFMA a term sheet that
provided for a discretionary compensation mechanism modeled after
SRO rules, which was rejected by SIFMA. See Response Letter at 6.
See also Second Response Letter at 13-14. The Participants state
that no SRO limitation of liability rule contemplates SRO liability
for ``catastrophic'' damages resulting from the theft of Industry
Members' proprietary trading algorithms. See Response Letter at 6.
\134\ See Response Letter at 6-7. Thus, the Participants believe
that these provisions would not provide for liability against
the self-regulatory organizations in the event of a data breach. Id.
at 7-8. See also Second Response Letter at 13-14 (stating that SRO
rules that contain exclusions generally are modified by other rules
that broadly prohibit Industry Members from suing the exchanges or
their representatives, except for violations of the federal
securities laws for which a private right of action exists, and thus
the Participants do not believe these provisions would provide for
liability against the SROs in the event of a data breach).
\135\ See, e.g., Response Letter at 9; CRA Response at 18.
\136\ See Response Letter at 9; Second Response Letter at 4, 14-
15. According to the Participants, although they, CAT LLC, and FINRA
CAT may ultimately be found not liable, such litigation would be
expensive, time-consuming, would distract Participants from their
regulatory oversight mandate, and may open the doors of discovery to
potentially malicious actors. See Response Letter at 9.
---------------------------------------------------------------------------
The CRA Response also states that the comment letters do not
acknowledge that behavior falling in these categories is already
subject to enforcement by the Commission.\137\ The Participants state
that the Commission's regulatory enforcement regime and the potential
for severe reputational harm already sufficiently incentivize the
Participants not to engage in bad faith, recklessness, gross
negligence, and intentional misconduct, and so adding exclusions to the
proposed Limitation of Liability Provisions would not result in any
meaningful improvement to the CAT's cybersecurity.\138\
---------------------------------------------------------------------------
\137\ See CRA Response at 18. The CRA Response also argues that
including commenters' proposed exclusions to the Proposed Limitation
on Liability Provisions would potentially generate substantial
litigation and that reducing expected liability costs may provide
additional resources to enhance CAT's cyber security, purchase more
cyber liability insurance (as it becomes available), or invest in
competing CAT priorities. See CRA Response at 18-19.
\138\ See Response Letter at 9. The Participants note that
enforcement actions could be brought for cybersecurity-related
violations (e.g., failure to comply with Regulation SCI) and
violations of the CAT NMS Plan (e.g., for violating the CAT NMS Plan
by using CAT Data for non-regulatory purposes). See id. at 25-26.
The Participants also state that the purpose of the CAT and the
Participants' mandate under the CAT NMS Plan is the fulfillment of
regulatory functions, and not operation in connection with business
activities. Id. at 22. In addition, the CRA Response states that the
comment letters do not acknowledge that behavior falling into these
categories is already subject to enforcement by the Commission. See
CRA Response at 18.
---------------------------------------------------------------------------
As noted in the previous section,\139\ commenters believe that the
CRA Paper only focuses on a breach by external actors and fails to
address the risk of misuse of CAT Data by personnel at CAT LLC and the
SROs.\140\ The CRA Response argues that the CRA Paper did not
specifically address the misuse of CAT Data by CAT personnel and other
internal sources because whether a perpetrator is external or internal
makes no difference to the scenario analysis.\141\ The CRA Response
also argues that the purported concerns about the threat of
``internal'' breaches are exaggerated and that all Participant users of
CAT Data are subject to comparable cyber security procedures and
protocols, and only trading data, not customer data, can be downloaded
in bulk.\142\
---------------------------------------------------------------------------
\139\ See infra Section IV.A.
\140\ See Citadel Letter at 6; SIFMA Letter at 9; LPL Financial
Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2; Virtu
Letter at 5. One commenter states that the CRA Paper does not
provide any support for the argument that broker-dealers should be
accountable for the wrongdoing or misuse of data by SRO employees or
contractors. See ASA Letter at 2.
\141\ See CRA Response at 19. As noted earlier, Participants
also state that the CRA Paper did not make any assumptions regarding
the identity of potential bad actors or where they may work, and the
CRA Paper was not intended to predict every possible scenario, but
instead intended to provide an illustrative framework to assess the
economic exposures that flow from the gathering, storage, and use of
CAT Data. See Response Letter at 15-16 (citing CRA Paper 2).
\142\ See CRA Response at 20.
---------------------------------------------------------------------------
The Commission does not believe that the Participants have
demonstrated that it is necessary or appropriate to foreclose all
potential Industry Member claims, including those arising from ``gross
negligence, willful misconduct, bad faith, or criminal acts'' to a
maximum of $500 per Industry Member per calendar year as proposed.\143\
The Commission believes that the damages to Industry Members for
breaches of CAT could potentially far exceed that amount, and
Participants and the CRA Response acknowledge the possibility for low
frequency events with extreme severity.\144\ For example, as discussed
above, the CRA Paper estimates an exposure of at least $100 million per
incident would be reasonable if an algorithmic trading firm's strategy
was reverse engineered, and if the Proposed Amendment were adopted the
Participants would only have $500 in liability to the trading firm even
if the trading strategy was exposed through gross negligence, willful
misconduct, bad faith, or criminal acts. This means that the proposed
Limitation of Liability Provisions would shield the Participants from
liability to Industry Members even if a Participant intentionally used
CAT Data for competitive business purposes, or an employee of CAT LLC
sold CAT Data to a foreign government.
---------------------------------------------------------------------------
\143\ As discussed above, a number of factors impact the
Participants' incentives to invest in, or prioritize, the security
of the CAT. See Section IV.B., supra. The Commission does not
believe that the Participants have met their burden of establishing
that it is appropriate to foreclose liability to Industry Members
for potential claims arising from ``gross negligence, willful
misconduct, bad faith, or criminal acts'' because of the
Commission's regulatory enforcement regime and the potential for
severe reputational harm.
\144\ See notes 104 and 105, supra, and accompanying text.
---------------------------------------------------------------------------
As noted above, Participants can assert regulatory immunity to the
extent that the doctrine applies if there is a security breach that
exposes CAT Data and Industry Members seek damages from the responsible
Participants.\145\ However, the Commission believes that for situations
where regulatory immunity may not be applicable (e.g., commercial use
or intentional misconduct), the Participants have not met their burden
to justify a nearly complete elimination of liability to Industry
Members as consistent with the Exchange Act and the rules and
regulations as required by Rule 608 of Regulation NMS, as discussed
above. The Commission cannot make a finding that the proposed amendment
is consistent with the Exchange Act and the rules and regulations
issued thereunder.\146\
---------------------------------------------------------------------------
\145\ See Section IV.B, supra.
\146\ 17 CFR 201.700(b)(3); 17 CFR 242.608(b)(2).
---------------------------------------------------------------------------
V. Impact on Efficiency, Competition, and Capital Formation
In determining whether to approve a CAT NMS Plan amendment, and
whether such amendment is in the public interest, Rule 613 requires the
Commission to consider the potential effects of the proposed amendment
on efficiency, competition and capital formation.\147\ The Commission
has reviewed the arguments about such effects put forth by the
Participants and commenters and independently analyzed the likely
effects of the Proposed Amendment on efficiency, competition and
capital formation. Many of those effects hinge on assumptions about
the applicability of the doctrine of regulatory immunity in the case of
litigation related to a breach of CAT Data, the influence of such
immunity on the incentives of the Participants to protect the CAT Data,
and the potential redundancy of a limitation on liability if immunity
applies. Commenters have addressed the applicability of this doctrine
directly in their comments,\148\ many of which relate to two studies:
The CRA Paper submitted by the Participants as part of their filing,
and the Lewis Paper submitted by SIFMA as part of its commentary; \149\
both of these studies make assumptions regarding regulatory immunity
that impact their respective conclusions. In the case of the CRA Paper,
many conclusions stem from an assumption that regulatory immunity would
not apply and thus Participants would be faced with significant risk of
litigation in the case of a CAT data breach that resulted from the
collection of CAT Data into the central repository or the use of that
CAT Data by a
[[Page 60943]]
Participant that was performing its regulatory duties. In the case of
the Lewis Paper, many of the conclusions are based on an assumption
that, if the Proposed Amendment were allowed, Industry Members, as
opposed to Participants, would bear significant liability in the case
of a data breach because the limitation of liability would be absolute;
the Lewis Paper does not address the doctrine of regulatory immunity
\150\ as it might apply to Participants.\151\
---------------------------------------------------------------------------
\147\ 17 CFR 242.613(a)(5).
\148\ See, e.g., Citadel Letter at 1, 3-5; SIFMA Letter at 8;
LPL Financial Letter at 1; FIA PTG Letter at 2; Raymond James Letter
at 2.
\149\ See Lewis Paper, supra, note 27.
\150\ The Commission recognizes that the Participants believe
regulatory immunity would apply in the event of a breach concerning
CAT Data (see Response Letter at 23; Second Response Letter at 4),
but the Participants also believe that there is no guarantee that
all courts will agree that the Participants' immunity extends to the
claims at issue. The Commission acknowledges that beliefs about
regulatory immunity may influence the outcomes it describes in this
analysis.
\151\ See, e.g., Lewis Paper at 4.
---------------------------------------------------------------------------
In summary, the Commission believes that, if approved, the Proposed
Amendment would likely have significant negative effects on efficiency,
though minor positive effects that are unlikely to significantly
mitigate the negative effects are also discussed below.\152\ The
Commission believes the Participants are best poised due to information
asymmetry to understand the risks inherent in collecting and using CAT
Data, and, because of moral hazard, to mitigate those risks through
operational measures to promote CAT data security and securing
insurance to mitigate financial risks associated with CAT data
security. Efficiency is likely to be reduced to the extent the Proposed
Amendment disincentivizes the Participants from investing in CAT data
security and thus potentially increases the likelihood of a data
breach. The Commission believes this effect would be only partially
mitigated as discussed below and believes the net effect may remain
significant. The Commission believes that the Proposed Amendment might
have negative effects on competition and capital formation, but
believes these effects would be partially mitigated. These conclusions
are discussed in the analysis which follows.
---------------------------------------------------------------------------
\152\ See Section V.A., infra.
---------------------------------------------------------------------------
A. Efficiency
The Commission believes that the Proposed Amendment would likely
have a significant effect on efficiency, although minor positive
effects that are unlikely to significantly mitigate the negative
effects are also discussed below. These mixed effects would likely be
dominated by the negative effects of reducing the Participants'
incentives to invest in CAT data security. Generally, the Commission
believes that the Proposed Amendment would reduce the Participants'
incentives to invest in CAT data security. The Commission believes that
taking measures that may prevent a data breach is inherently more
efficient than remediating the consequences of a data breach after it
has occurred.\153\ Consequently, liability rules that incentivize
appropriate security measures are likely to increase efficiency while
rules that potentially disincentivize Participants from securing CAT
Data may reduce efficiency. As noted, the magnitude of this effect
hinges on the Participants' beliefs about the applicability of the
doctrine of regulatory immunity. If the Participants do not believe
regulatory immunity applies to all aspects of their collection and use
of CAT Data, or have significant uncertainty that it would apply to
some or all aspects, the Proposed Amendment would represent to the
Participants a shift of liability from the Participants to Industry
Members, the magnitude of which would be a function of the level of
Participant uncertainty about their regulatory immunity.\154\ Absent
the Proposed Amendment, the Participants might make further investments
in data security beyond those mandated by the CAT NMS Plan and
Commission rulemakings such as implementing internal controls designed
to decrease the likelihood of misuse of CAT Data. But the assurance of
limited liability provided by the Proposed Amendment could
disincentivize such actions or even incentivize a reduction in existing
investments in cybersecurity.
---------------------------------------------------------------------------
\153\ See, e.g., Securities Exchange Act Release No. 89632 (Aug.
21, 2020), 85 FR 65990, 66091 (Oct. 16, 2020) (proposing amendments
to the CAT Plan to enhance data security).
\154\ The proposed Limitation of Liability Provisions would
limit liability to $500 per CAT Reporter or CAT Reporting Agent in a
calendar year. See Notice, supra note 5, 86 FR at 593. See Section
V.A, infra, for discussion of liability for Industry Members that do
not carry customer accounts.
---------------------------------------------------------------------------
The CRA Paper maintains that additional investment in security, such
as providing additional insurance, may not be efficient. The CRA Paper
states, ``. . . the prospect of litigation arising from the absence of
the limitation on liability provision has the prospect for prompting
overpayment for cyber security on the part of the CAT and the Plan
Processor beyond the economically optimal level of protection, despite
the analysis we present above suggesting that such litigation would
provide no incremental benefit. The prospect of third-party litigation
may prompt CAT LLC to expend resources on cyber security systems that
supplement the detailed (and regularly updated) framework implemented
by the Commission, but that do not reduce the cyber risk commensurate
with the costs.'' \155\ The CRA Paper further argues that the threat of
third-party litigation may result in risk-aversion that prevents the
Participants from adopting policies or technologies that decrease costs
or increase efficiencies.\156\ The Commission agrees with the CRA Paper
that there are likely to exist certain security investments that do not
provide sufficient benefits to warrant their adoption, particularly in
light of the Commission's belief that investors may ultimately bear the
costs of these investments--as well as costs of potential
litigation.\157\ However, the Commission disagrees that litigation risk
provides no incremental benefit because the threat of such litigation
may incentivize the Participants to implement security measures such as
the adoption of internal controls that decrease the likelihood of an
employee or contractor making commercial or other misuse of CAT
Data.\158\ Further, the Commission recognizes that while the
Participants face costs in the event of a CAT data breach, these costs
are likely to fall upon broker-dealers and investors as well, while
these groups have limited ability to participate in decisions related
to investments in CAT security. This partitioning of decision-making
authority from the financial consequences of the decision creates an
agency problem that may limit the Participants' incentives to select
the welfare-maximizing level of security investment. This agency
problem may be partially mitigated by the Participants' perception of
litigation risk in the event of a data breach by better aligning their
incentives regarding security decisions with other parties that are
likely to be harmed if such a breach occurs.
---------------------------------------------------------------------------
\155\ The CRA Paper discusses reasons why the incremental
benefit from litigation from Industry Members may be reduced, but
does not show that there is no incremental benefit. See Notice,
supra note 5, at 616-17.
\156\ See Notice, supra note 5, at 617-18.
\157\ The Commission has the power to disallow fee amendments
that might unfairly pass costs to Industry Members.
\158\ See note 113, supra, and referring text.
---------------------------------------------------------------------------
The Commission recognizes that the risk of the Proposed Amendment
disincentivizing the Participants from taking additional measures to
ensure security is likely to be partially mitigated by other incentives
that are not impacted by the limitation on liability. Independent of
potential regulatory immunity,\159\ Participants
[[Page 60944]]
face significant costs, both direct and indirect, that would result
from a data breach. The potential reputational consequences of a data
breach would likely be severe and such a breach is likely to draw
significant negative publicity, public scrutiny, and attention from
regulatory and other government entities. Further, while contractual
limitation of liability reduces the risk of exposure, it does not
prevent enforcement actions from the Commission or litigation by
parties other than Industry Members. In addition, any breach would
likely cause a significant disruption to Participants' own operations
\160\ and some breach threats are not about compromising data but are
indeed designed to disrupt operations; \161\ Participants are thus
still incentivized to create security measures that mitigate the risk
of such breaches, which likely help mitigate the risk of compromised
data that could directly affect Industry Members. However, the
Commission believes that decreasing the risk of exposure that
Participants face through the Proposed Amendment will likely on balance
disincentivize the Participants from investing in data security,
particularly if the proposed amendments increase the scope of immunity
that might be expected beyond regulatory immunity.\162\
---------------------------------------------------------------------------
\159\ The Commission believes the Participants' views on their
potential regulatory immunity with regard to CAT data collection and
use is immaterial to this second set of incentives because these
consequences of a data breach could occur regardless of whether
there could or would be litigation as a result of that breach.
\160\ A breach of CAT data could occur in a Participant's own
analytic or operational environment.
\161\ See, e.g., Raphael Satter, Up to 1,500 businesses affected
by ransomware attack, U.S. firm's CEO says, Reuters (July 6, 2021),
available at <a href="https://www.reuters.com/technology/hackers-demand-70-million-liberate-data-held-by-companies-hit-mass-cyberattack-2021-07-05/">https://www.reuters.com/technology/hackers-demand-70-million-liberate-data-held-by-companies-hit-mass-cyberattack-2021-07-05/</a>.
\162\ See Sections V.B and V.C, supra.
---------------------------------------------------------------------------
The Commission believes that taking measures that may prevent a
data breach is more efficient than remediating the consequences of a
data breach after it has occurred.\163\ Consequently, measures that
incentivize appropriate security measures are likely to increase
efficiency while measures that potentially disincentivize Participants
from securing CAT Data may reduce efficiency.
---------------------------------------------------------------------------
\163\ See, e.g., Securities Exchange Act Release No. 89632 (Aug.
21, 2020), 85 FR 65990, 66091 (Oct. 16, 2020) (proposing amendments
to the CAT Plan to enhance data security).
---------------------------------------------------------------------------
As noted above, several commenters express concern that shifting
liability through the proposed Limitation of Liability Provisions would
reduce the incentives of Participants to develop robust data security
and risk mitigation mechanisms, and may even incentivize the
Participants to de-prioritize data security.\164\ The Commission
believes, however, that the degree to which the proposed amendment
would disincentivize the Participants from appropriate security
measures is dependent upon the Participants' belief in the
applicability of regulatory immunity to the collection and permitted
uses of CAT Data in the absence of the proposed amendment. The
Commission believes that uncertainty regarding liability in case of a
CAT data breach thus serves as an incentive for the Participants to
invest in data security to the extent that Participants believe a court
might not uphold their regulatory immunity or it would be judged not to
apply in a given case that was before the courts. If the Participants
believe that regulatory immunity is likely to apply, the proposed
amendments would serve to reduce their risk of incurring costs of
litigation by reducing the likelihood of litigation by Industry
Members.
---------------------------------------------------------------------------
\164\ See, e.g., Lewis Paper at 5-9, 14; SIFMA Letter at 7, 9;
LPL Financial Letter at 1; Raymond James Letter at 2; FIA PTG Letter
at 2; Virtu Letter at 3; ASA Letter at 2; Fidelity Letter at 2; Citi
Letter at 2.
---------------------------------------------------------------------------
Some commenters addressed the scope of the limitation of liability,
considering whether Participants might be shielded from liability in
commercial use of CAT Data,\165\ even though such use is prohibited by
the CAT NMS Plan.\166\ Another commenter focused on the scope of the
immunity more generally as it would appear to exceed the bounds of
conventional regulatory immunity.\167\ One commenter characterized the
economic structure as creating a ``moral hazard'' and stated that
permitting litigation against Participants and their representatives
when they are acting outside their regulatory capacity is ``crucial''
and would give the Participants very strong financial incentives to
invest heavily to prevent or minimize the likelihood of such
failures.\168\
---------------------------------------------------------------------------
\165\ See, e.g., SIFMA Letter at 8; LPL Financial Letter at 1;
FIA PTG Letter at 2; Raymond James Letter at 2.
\166\ See, e.g., CAT NMS Plan Sections 6.5(f)(i)(A); 6.5(g).
\167\ See Citadel Letter at 5.
\168\ See Citi Letter at 2. In response, the CRA Response argues
that the structure might not be considered a classic ``moral
hazard'' due to Industry Members' ability to monitor and influence
CAT cyber security. See CRA Response at 10-11.
---------------------------------------------------------------------------
To the extent that the scope of limitation of liability in the
Proposed Amendment exceeds what might be expected from the doctrine of
regulatory immunity, an expansion of the scope of activities that could
be shielded from liability would potentially further disincentivize
Participants from activities that promote CAT data security even if
regulatory immunity applies.
The Commission also recognizes that the Proposed Amendment may
reduce the risk of litigation in the event of a breach by resolving the
existing uncertainty about whether the Participants could be liable; in
other words, if Industry Members know they cannot recover due to the
limitation of liability, regardless of the applicability of regulatory
immunity, they may be less likely to sue over a breach. Such litigation
would impose costs, both direct and indirect,\169\ on the Participants
to defend themselves even if they would ultimately prevail due to
regulatory immunity and those direct costs might be passed on to
Industry Members and ultimately investors. The Proposed Amendment would
reduce the likelihood of litigation and thus might avoid costs
associated with litigation that investors would unnecessarily bear,
which could improve efficiency. Additional insurance costs to Industry
Members related to liability risks from the Proposed Amendment are
discussed below.
---------------------------------------------------------------------------
\169\ Indirect costs would include opportunity costs of time and
effort spent dealing with litigation. See, e.g., Notice, supra note
5, 85 FR at 617-618; Response Letter at 8-9.
---------------------------------------------------------------------------
While both the CRA Paper and the Lewis Paper frame their analyses
from a perspective of potential litigation, the Commission notes that
not all potential data breaches are amenable to litigation. The
Commission believes that a data breach could go undetected,
particularly if such a breach were perpetrated by authorized users of
the CAT System such that detection of the breach relied primarily on
the Participants' screening of their employees and contractors before
providing access to CAT Data and then the monitoring of their use of
CAT Data when they became authorized users.\170\ Such a breach could
impose significant costs on Industry Members if their intellectual
property (such as proprietary trading strategies) were revealed to
competitors or bad actors. Consequently, the Commission believes that
reducing the Participants' existing incentives to properly invest in
data security activities might disincentivize
[[Page 60945]]
individual Participants from appropriately investing in the screening
and monitoring of their own employees and contractors that will access
CAT Data. This might reduce efficiency by increasing the likelihood of
a breach, whether detected or undetected.
---------------------------------------------------------------------------
\170\ Several commenters discussed arguments in the CRA Paper
and Lewis Paper regarding ex-ante regulation versus ex-post
litigation. See Citadel Letter at 1-2, 7; Lewis Paper at 7-9. An
undetected breach cannot be addressed through litigation, but might
be prevented by ex-ante regulation or the proper alignment of
incentives in lieu of regulation. The Commission considers screening
of potential users of CAT Data and monitoring their activities with
CAT Data to be security activities that would be affected by
Participant incentives to prevent data breaches.
---------------------------------------------------------------------------
In addition, the Proposed Amendment might improve efficiency by
promoting the optimal level of usage of CAT Data.\171\ Specifically, if
the Participants believe their regulatory immunity may not be
recognized in litigation in the wake of a data breach, they may be
incentivized to minimize their use of CAT Data to minimize
opportunities for a data breach, particularly one involving their own
employees or contractors. However, the Proposed Amendment might
facilitate increased use levels of CAT Data by Participants by reducing
the risk of exposure to litigation. Consequently, the Commission
believes that the Proposed Amendment might prevent inefficiencies
related to underuse of CAT Data by regulators. By contrast, to the
degree that disapproval of the Proposed Amendment renders regulators
more risk averse in using CAT Data to meet their regulatory obligations
than they would be if the Proposed Amendment were approved, disapproval
may reduce use of CAT Data by regulators. Further effects on efficiency
depend upon the use of insurance by Participants and Industry Members.
The Lewis Paper and the CRA Paper analyze the potential for the use of
insurance by Participants and Industry Members to manage the financial
risks of a potential data breach.\172\ Through the CRA Paper, the
Participants argue that adopting the Proposed Amendment would avoid
inefficiencies such as overinvestment in insurance beyond what would
be optimal.\173\ The CRA Paper argues that this inefficiency would
result in unnecessary costs being passed to investors without a
corresponding societal benefit.\174\ The Lewis Paper argues that
shifting the financial risks of a CAT data breach to Industry Members
by limiting liability for Participants would cause them to insure
against the financial consequences of a CAT data breach, which would be
inefficient because Industry Members cannot give an insurer access to
the CAT System to monitor or assess the security of the system.
Consequently, according to the Lewis Paper, insurance purchased by
Industry Members to cover the risk would be more expensive, and
investors would ultimately bear this increased expense.\175\ Also,
policies obtained by Industry Members would necessarily overlap,
further increasing the cost of such insurance.\176\ Other commenters
supported the position that the Participants can more efficiently
obtain cyber insurance.\177\
---------------------------------------------------------------------------
\171\ See CAT NMS Plan Approval Order, supra note 1, at 84833-
40.
\172\ See Lewis Paper at 11-14; Notice, supra note 5, at 618-
620.
\173\ See Notice, supra note 5, at 617-18.
\174\ See Notice, supra note 5, at 617-18.
\175\ See Lewis Paper at 11-14.
\176\ See Lewis Paper at 14.
\177\ See SIFMA Letter at 8-9; LPL Financial Letter at 2; FIA
PTG Letter at 2; Raymond James Letter at 2; Virtu Letter at 3-4.
---------------------------------------------------------------------------
The Commission agrees that the Participants are better positioned
to insure against a breach, both because they can give an insurer
access to, and the ability to monitor, the CAT System, and because any
insurance that Industry Members obtained against a CAT data breach
would overlap: the same breach event would likely impact multiple
Industry Members, and many investors whose data might be exposed in a
breach are customers of multiple Industry Members. Nevertheless, as
noted by some commenters, the doctrine of regulatory immunity may
already shift significant breach risk to Industry Members,\178\ and the
Participants state that Industry Members may already shift some of
their own risk of data breaches to their own customers through
limitation of liability language in customer agreements.\179\ Further,
as discussed above, insurance is unlikely to provide a remedy for
breaches that go undetected. The Commission recognizes, however, that
if the doctrine of regulatory immunity does not apply, the Proposed
Amendment would shift the financial risks of a breach to Industry
Members. The Commission believes that investors are likely to bear the
costs of providing security to the CAT System as well as any costs of a
breach of CAT Data, and that inefficiencies in providing security to
CAT are likely to increase the costs that investors bear.
---------------------------------------------------------------------------
\178\ See Section IV.C.1, supra.
\179\ See Response Letter at 10.
---------------------------------------------------------------------------
The Commission believes that, even if the Proposed Amendment were
approved, inefficiencies in the scope and maintenance of Industry
Member insurance policies against a CAT data breach are likely to be
minor for two reasons. First, Industry Members that carry customer
accounts already face risks related to breach of customer information.
The Commission believes these Industry Members actively manage the
security of their environments to prevent a breach of this data within
their systems, and acknowledges that they cannot continue to safeguard
this data once it is reported to CAT. However, as noted by commenters,
Industry Members also typically protect themselves with agreements that
limit their liability in the case of a data breach and thus would be
unlikely to increase their insurance coverage if the proposed
amendments were approved. Second, any additional insurance burden would
likely be negligible for Industry Members that carry no customer
accounts because they do not risk litigation from customers. However,
to the degree that Industry Members overall would increase cyber
insurance to offset this risk if the Proposed Amendment were approved,
the cost of such insurance would likely be higher than it would be if
the risk were borne by Participants: Industry Members cannot give an
insurer access to monitor the CAT System, and the policies Industry
Members would purchase would necessarily overlap, because investors
often have accounts with multiple Industry Members and a single data
breach might expose data from multiple Industry Members. Those inflated
costs would ultimately be passed to investors, and the security
improvements that might be facilitated by the monitoring of an insurer
contracted by the Participants would be unrealized.
B. Competition
The Commission believes that the Proposed Amendment might have
negative effects upon competition, but believes these effects would be
partially mitigated. In their filing, the Participants state they do
not believe the Proposed Amendment will have any impact on
competition.\180\ However, the Commission believes that the Proposed
Amendment could have negative effects on the competitive positions of
some Industry Members relative to other Industry Members. Industry
Members have diverse business models; some of these models employ
proprietary trading strategies that might be revealed in the wake of a
data breach. If such proprietary strategies were revealed, Industry
Members that employed such strategies might experience loss of
intellectual property that could damage their competitive positions
relative to their peers. The Commission further acknowledges that a
data breach could harm an Industry Member's reputation and damage its
competitive position within the markets in which it competes,
particularly if customer data were released from some but not all
[[Page 60946]]
competitors within those markets. The Commission acknowledges that
robust investment in cyber security does not guarantee that breaches
will not occur. The likelihood of a data breach does increase, however,
if Participants reduce potential additional investment in CAT data
security, including additional investment in cyber insurance coverage
(should such coverage become available) or in the screening and
monitoring of employees and contractors that have access to CAT Data,
and the assurance of limited liability provided by the Proposed
Amendment could disincentivize such investment. The Commission
believes that Participants would remain incentivized to invest in CAT
data security to some extent, even if the Proposed Amendment is
approved because of the additional incentives discussed above, such as
reputational damage, which would remain unaffected by the Proposed
Amendment.\181\
---------------------------------------------------------------------------
\180\ See Notice, supra note 5, at 597.
\181\ See Section VI.A., supra.
---------------------------------------------------------------------------
The Commission further believes there might be additional
competitive effects of the Proposed Amendment in the market for trading
services. The Commission recognizes that Industry Members are not just
the customers and members of the Participants, but are sometimes
competitors of the Participants. Exchanges (all of which are
Participants) compete in the market for trading services with off-
exchange venues such as alternative trading systems (all of which are
operated by Industry Members) and Industry Members that provide
liquidity to orders off-exchange.\182\ Consequently, if the Proposed
Amendment were to shift any of the expense of insuring against the risk
of a CAT data breach from Participants to Industry Members, and if such
expenses were more efficiently borne by Participants as discussed
previously, the additional marginal costs incurred by Industry Members
could disadvantage them in this competition to provide trading
services. However, the Commission believes that this effect would be
partially mitigated because, as discussed previously, even under the
Proposed Amendment the Participants would remain incentivized to invest
in CAT data security, and Industry Members' need to invest in
additional insurance would be mitigated by their own use of limitation
of liability agreements with their own customers.\183\
---------------------------------------------------------------------------
\182\ See CAT Plan Approval Order, supra note 1, at 84882-89.
\183\ See Section VI.A., supra.
---------------------------------------------------------------------------
C. Capital Formation
The Commission believes that the Proposed Amendment might have
negative effects on capital formation in markets in which Industry
Members compete, but believes these effects would be partially
mitigated.
The Participants argue that adopting the proposed amendment would
avoid inefficiencies by avoiding the increased costs that would
otherwise arise,\184\ namely overinvestment in cyber security and
insurance beyond what would be optimal, and underinvestment in adoption
of policies or technologies that decrease costs or increase
efficiencies as described in the CRA Paper. The Participants argue that
avoiding these issues, by limiting liability, would promote capital
formation in the U.S. securities markets. While the Commission
acknowledges that an inappropriate level of risk-aversion might result
in these effects, if the Participants believe, as asserted in their
filing, that they have regulatory immunity, the Commission believes
these effects would be small because the potential shift in liability
from the proposed amendments would be far less significant than
anticipated in the CRA Paper.
---------------------------------------------------------------------------
\184\ See Notice, supra note 5, at 617-18.
---------------------------------------------------------------------------
It is possible that capital formation could be negatively impacted
by an inefficient insurance burden on Industry Members as described in
the Lewis Paper.\185\ However, even in cases in which Participants'
regulatory immunity would not apply, the Commission does not believe
the Proposed Amendment would significantly increase Industry Members'
insurance burden because, as discussed previously, many Industry
Members have agreements limiting their liability with their own
customers, and not all Industry Members have customers that might
initiate litigation.\186\
---------------------------------------------------------------------------
\185\ See Lewis Paper at 11-14.
\186\ See Section VI.A, supra.
---------------------------------------------------------------------------
The Commission recognizes, however, that the risk of a data breach
can impact capital formation through routes other than inefficient
insurance costs and underinvestment. If Industry Members believe that
the proposed amendment would significantly reduce Participants'
incentives to invest in CAT security, Industry Members may be less
incentivized to invest in intellectual property that could be
compromised by a data breach, potentially reducing capital formation in
liquidity provision on exchanges or in proprietary trading activities.
The Commission believes this risk is partially mitigated because the
Participants are still incentivized to secure CAT Data by other
incentives that are not affected by the proposed amendment.\187\
---------------------------------------------------------------------------
\187\ See Section VI.A, supra.
---------------------------------------------------------------------------
VII. Conclusion
For the reasons set forth above, the Commission does not find,
pursuant to Section 11A of the Exchange Act, and Rule 608(b)(2)
thereunder, that the Proposed Amendment is consistent with the
requirements of the Exchange Act and the rules and regulations
thereunder applicable to an NMS plan amendment.
It is therefore ordered, pursuant to Section 11A of the Exchange
Act, and Rule 608(b)(2) thereunder, that the Proposed Amendment (File
No. 4-698) be, and hereby is, disapproved.
By the Commission.
J. Matthew DeLesDernier,
Assistant Secretary.
[FR Doc. 2021-24035 Filed 11-3-21; 8:45 am]
BILLING CODE 8011-01-P
</pre></body>
</html>
Indexed from Federal Register on November 4, 2021.