In the past week, a coordinated effort has been launched, by members of Congress and by the exchanges who wrote the CAT plan in the first place, to delay the deployment of the Consolidated Audit Trail. The stated grounds for a delay are that the SEC—which is neither building nor hosting the CAT—has recently revealed its imperfect track record on cybersecurity with its EDGAR corporate filing system.

These arguments are either wrong or misguided, for several reasons.

First, CAT is being built by a very competent trading technology firm, Thesys Technologies, which has had its eye on the cybersecurity ball since the beginning of the bidding process. Here’s a slide from Thesys’s bid submission in 2014:

While no system is completely hack-proof, the one Thesys is building exceeds the security standards required by the exchanges in writing the RFP. The EDGAR system that was hacked, by contrast, was built in 1992, and extensive modernization efforts are ongoing. Needless to say, a vulnerability in a 1992 system that was exploited in 2015 is in no way indicative that an unrelated system built in 2017 will also be vulnerable.

Second, the first batch of data scheduled to be delivered to CAT next month is not very sensitive. It contains trading records from exchanges that are already publicly available (for a fee) from the exchanges. It does not contain any personally identifiable information, nor does it show which broker customer is responsible for each order. Only the broker for each order is identified. The much more sensitive data will come from the brokers directly—and will contain PII and identify which customer sent which order—but it is not due to be delivered to CAT until November 2018. To the extent there are any real security concerns with CAT, there are still 13 months to address them.

Third, the concerns recently voiced about CAT containing PII are off the mark. Hacking into CAT to steal PII would be like breaking into Fort Knox to steal the security guards’ wallets. It is there, and worth something, but something else is also there that is worth orders of magnitude more. In the case of CAT, it is the customer ID-tagged order messages that are the real treasure. That data is sufficient to reverse engineer the trading strategies of the world’s most lucrative quant funds. Bloomberg has reported that one of these funds alone “has made about $55 billion over the past 29 years, thanks to average returns after fees of an astounding 40 percent.” The right combination of hacker, rogue data scientist, and advanced trading tools could conceivably access all of a successful quant fund’s orders, analyze them, reverse engineer and copy the trading strategy, and replicate the fund’s returns, without anyone even knowing the data was breached.

Finally, concerns about the CAT database getting breached by hackers ignore the possibility of the same data leaving through the front door. All 22 equity and options exchanges will have authorized access to the full CAT database in order to perform market surveillance. Most of those exchanges are owned by the major exchange groups (ICE, Nasdaq, CBOE), which most industry participants trust to use the data as intended (although there is always the possibility of a disloyal employee at one of those exchanges abusing his or her access).

Larry Tabb recently flagged a potentially greater threat. One of the 22 exchanges with full CAT access is the Chicago Stock Exchange, which is the subject of a pending acquisition by a consortium led by Chongqing Casin Enterprise Group. Bloomberg has reported that Casin “has no apparent experience in running an exchange” and instead “invests in real estate and operates sewage treatment plants” in China.

Given China’s track record of stealing the intellectual property of U.S. businesses, it is not crazy to imagine a scenario where, if the Casin-CHX deal is approved, Casin (or others in China with influence over Casin) might use CHX’s authorized access to CAT to obtain and exploit the invaluable trading strategies it contains. This scenario is made more plausible by the fact that Thesys is planning to allow exchanges to “remove” CAT data from the CAT database to run surveillance checks in house.

The fear of unauthorized access to CAT data is thus a good reason to rethink approval of the Casin-CHX deal, and to add restrictions on control of exchange medallions in general, but it is not a good reason to delay the rollout of CAT.