By HAL S. SCOTT and JOHN GULLIVER
Originally published by the Wall Street Journal on October 2, 2017.
Is your personal information safe from the Securities and Exchange Commission? The SEC has mandated that U.S. stock exchanges and the Financial Industry Regulatory Authority establish a database by November 2018 that will store the names, birth dates, Social Security numbers and brokerage accounts of tens of millions of U.S. investors as part of the Consolidated Audit Trail.
Like Equifax and the SEC’s database of corporate filings, the CAT will be a prime target for cyberthieves. And a breach of the CAT could be even more consequential. Cybersecurity experts have said hackers could use the personal information it will store to make direct withdrawals from investors’ retirement accounts.
Over the past two weeks, SEC Chairman Walter J. Clayton and representatives of the stock exchanges and Finra have acknowledged that changes to the CAT may be necessary to further protect against cybercriminals. But they did not provide any specific recommendations.
The way forward is clear: The SEC should eliminate the collection of sensitive personal information for the CAT, as it is unnecessary to achieve the SEC’s policy goals.
The CAT was intended as a response to the 2010 flash crash, when U.S. stocks plunged almost 10% in minutes, then rebounded just as quickly. It took regulators almost six months to identify the cause of the crash, so the SEC determined that a single resource with comprehensive market data was necessary to respond to future crashes. The SEC has also stated that the CAT would help identify market manipulators and insider traders.
The SEC therefore requires that broker-dealers and exchanges report their 58 billion daily orders and trades to the CAT, and that broker-dealers report the personal information of all of their customers. But requiring the collection of personal information, including Social Security numbers and brokerage accounts, was a clear mistake.
Regulators can identify the investor responsible for a market event without a centralized resource of personal information. They can identify the broker behind an order or trade, and then request personal information from the broker. That’s how they found the investor behind the 2010 flash crash.
Bad actors don’t typically provide accurate Social Security numbers or names anyhow, so collecting the personal information of all investors is a highly ineffective method of identifying market manipulators. Insider traders also try to obscure their identities by using friends, family, or an alias to place trades.
And why require the collection of personal information from tens of millions of U.S. retail investors who trade only a few times a year? The SEC already collects the identities of large traders, who are behind major market events and manipulation.
Even if the SEC does not require the collection of highly sensitive personal information, the CAT would still be a target for hackers. It would store all of the orders and trades of each broker-dealer. That’s information hackers could use to misappropriate broker-dealer trading strategies worth hundreds of millions of dollars. The CAT would still be a lucrative target.
And a breach could still be catastrophic. Broker-dealers would surely pull back from trading in response to the news that their proprietary trading strategies were no longer secure. The resulting volatility could require an indefinite marketwide shutdown. That would deal an irreparable reputational blow to our markets.
Another concern is that the SEC cost-benefit analysis for the CAT did not meaningfully weigh the risk and potential cost of a cybersecurity breach against the benefit from the improved ability to discover the cause of a flash crash or identify a market manipulator. Mr. Clayton should promptly remedy this.
While improvements can surely be made to enhance the accuracy of stock-market data and eliminate duplicative requirements, the SEC already has the tools necessary to police the markets under its jurisdiction. Gathering and storing highly sensitive personal information from tens of millions of Americans is not only dangerous but unnecessary.
Mr. Scott is a professor at Harvard Law School and director of the Committee on Capital Markets Regulation, where Mr. Gulliver is the research director.