FR 2020-29216

Overview

Title

Joint Industry Plan; Notice of Filing of Amendment to the National Market System Plan Governing the Consolidated Audit Trail by BOX Exchange LLC; Cboe BYX Exchange, Inc., Cboe BZX Exchange, Inc., Cboe EDGA Exchange, Inc., Cboe EDGX Exchange, Inc., Cboe C2 Exchange, Inc. and Cboe Exchange, Inc., Financial Industry Regulatory Authority, Inc., Investors Exchange LLC, Long-Term Stock Exchange, Inc., Miami International Securities Exchange LLC, MEMX, LLC, MIAX Emerald, LLC, MIAX PEARL, LLC, Nasdaq BX, Inc., Nasdaq GEMX, LLC, Nasdaq ISE, LLC, Nasdaq MRX, LLC, Nasdaq PHLX LLC, The NASDAQ Stock Market LLC; and New York Stock Exchange LLC, NYSE American LLC, NYSE Arca, Inc., NYSE Chicago, Inc., and NYSE National, Inc.

Agencies

ELI5 AI

The big boss of stock trading rules wants to change a rule to stop people from asking for lots of money if a bunch of secret numbers get stolen, making it so they can only get a little money back. They want to make sure everyone talks about this idea first to make sure it's safe and fair.

Summary AI

The document is a notice from the Securities and Exchange Commission (SEC) regarding a proposed amendment to the National Market System Plan governing the Consolidated Audit Trail (CAT). This amendment aims to introduce limitation of liability provisions, which would limit any claims against the CAT LLC to the lesser of $500 or the total fees paid by CAT reporters in the case of a data breach. This move is intended to align with industry standards and prevent potentially high costs and litigation that do not contribute to improved data security. The document invites public comments on whether this proposed amendment is in line with the Exchange Act and appropriately manages the cyber risks involved in maintaining a large, sensitive database like the CAT.

Abstract

Cyber Breach Analysis

The first analysis we present is to identify specific potential breach scenarios and assess the relative difficulty of implementation, relative frequency, and conditional severity of each. As part of this assessment, we identified eight potential scenarios in which bad actors could attempt to unlawfully obtain, utilize, and monetize CAT data. Of course, we recognize that cyber-attacks on the CAT could vary from the scenarios we hypothesize, but we offer them to provide a framework to assess the economic exposures that flow from the gathering, storage, and use of CAT data. Our risk analysis indicates that most of these scenarios are relatively low frequency events because they are either difficult to implement, unlikely to be meaningfully profitable for a bad actor, or both. The scenario analysis also indicates that three types of breaches--reverse engineering of trading algorithms, inserting fake data to wrongfully incriminate individuals or entities, and removing data to conceal misconduct--could result in "extremely" severe economic consequences (which we define as potentially greater than $100 million in damages). We conclude that all three of these types of breaches are relatively low frequency events.

Summary: Regulation vs. Litigation to Mitigate Cyber Risk for the CAT

The second analysis we present focuses on whether the cyber risk posed by CAT should be addressed through ex ante regulation, ex post litigation, or a combination of both approaches. In a prior version of the CAT Reporter Agreement, CAT LLC included a limitation of liability provision, which memorialized the Participants' view that Industry Members should not be able to litigate against CAT LLC or the Participants to recover damages sustained as a result of a cyber breach.

Although the current operative version of the Reporter Agreement does not contain a limitation of liability, we understand that CAT LLC is submitting this White Paper in connection with CAT LLC's request that the SEC amend the CAT NMS Plan to authorize such a provision. We understand that the Industry Members have opposed any limitation of liability provision and contend that CAT LLC, as the party holding the CAT data, should be subject to litigation by the Industry Members in the event of a cyber breach. In deciding whether to approve Participants' proposed plan amendment, an important question for the SEC to address is whether, in light of the extensive cyber requirements already imposed on CAT LLC through regulation, the SEC-mandated nature of the CAT, and the ability of the SEC to bring enforcement actions to compel compliance, it is appropriate to also allow Industry Members to sue CAT LLC and the Participants. As part of our analysis, we specifically assess whether including a limitation of liability provision in the CAT Reporter Agreement is appropriate from the perspective of economic theory as applied to the specifics of this situation. By applying the economic principles of liability and regulation as a means of motivating risk-minimizing behavior and considering the crucial role of the SEC's mandates regarding cyber security for the CAT (which already incorporate the concerns of entities involved in the National Market System as a whole), we conclude that the regulatory approach leads to the socially desirable level of investment in cyber security and protection of CAT data. We further conclude that SIFMA's position, which advocates allowing Industry Members to litigate against CAT LLC and the Participants in the event of a cyber breach, would result in increased costs for various economic actors--including CAT LLC, the Participants, Industry Members, and retail investors--without any meaningful benefit to the CAT's cyber security.

At a high level (and as discussed in extensive detail below), we therefore conclude that CAT LLC's proposal to limit its liability and the liability of the Participants is well supported by applicable economic principles in the framework of the SEC's mission and its mandates regarding the CAT. As a general matter, economic theory provides that society can motivate economic actors to take appropriate precautions to minimize the likelihood and consequences of accidents and misconduct through: (a) a regulatory approach (i.e., dictating specific precautions, requirements, and standards in advance), (b) a litigation approach (i.e., civil liability for damages caused by failing to adhere to a general standard of care), or (c) a combination of (a) and (b). At the outset, we note that we do not address this question in a vacuum. Rather, we conduct our examination in the context of an extensive regulatory program that the SEC has enacted mandating specific cyber standards, policies, procedures, systems, and controls that CAT LLC and the Plan Processor must implement. This regulatory regime was developed with extensive feedback from the securities industry (e.g., through the Development Advisory Group and the Advisory Committee) and is subject to ongoing review and modification through a public review and comment process. Moreover, CAT LLC's compliance with the requirements of this regulatory regime can be policed by the SEC's Enforcement Division. We also note that in adopting the CAT NMS Plan, the SEC concluded that the regulatory approach to cyber security was sufficient when it stated that "the extensive, robust security requirements in the adopted [CAT NMS] Plan . . . provide appropriate, adequate protection for the CAT Data." \5\

Type: Notice
Citation: 86 FR 591
Document #: 2020-29216
Date:
Volume: 86
Pages: 591-624

AnalysisAI

The document from the Securities and Exchange Commission (SEC) discusses a proposal to amend the National Market System Plan, which governs the Consolidated Audit Trail (CAT). This audit trail is essentially a large database that collects and stores sensitive information on equity and option trades in the U.S. markets, aimed at helping regulators monitor market activities more effectively. The proposed amendment seeks to introduce "limitation of liability" provisions which would cap any claims against the CAT LLC and its Participants at the lesser of $500 or the fees paid by the CAT Reporters.

Summary

The proposal aims to protect CAT LLC and its Participants from potential legal claims and high costs in the event of a cyber breach. The effort is also intended to align with what is described as industry-standard practices, seemingly to create financial predictability and stability for CAT operations. By implementing these provisions, the SEC hopes to clarify financial responsibilities and encourage a focus on preventive regulatory measures.

Concerns and Issues

The language within the document is notably technical and dense, which could make understanding its implications challenging for those unfamiliar with securities regulation and cybersecurity. There is significant attention given to various hypothetical breach scenarios, analyzing their frequency, difficulty, and potential economic impact, but the discussions are rather abstract and complex for a general audience.

Another major issue is the perceived imbalance in protections. The proposal could be viewed as overly favorable to CAT LLC and its Participants while possibly leaving Industry Members and their clients at a disadvantage with limited recourse for damages in case of data breaches. Such provisions could be perceived as inequitable, and this might stir opposition among stakeholders like SIFMA, the Securities Industry and Financial Markets Association.

The document discusses economic theories and regulatory frameworks in detail, possibly overshadowing real-world concerns about actual data security risks. Furthermore, the document refers to prior settlements and negotiations without adequately summarizing these developments, creating some ambiguity for readers not wholly familiar with the history of such negotiations.

Impact on the Public and Stakeholders

For the general public, there might be little immediate impact from this amendment unless they are directly involved with securities trading or data security. However, the potential for cyber breaches and the subsequent handling of data security could indirectly affect public confidence in the financial markets.

For stakeholders like Industry Members, this document potentially shifts more risk onto them while limiting their legal options if breaches occur. While CAT LLC and its Participants may benefit from reduced liability and cost predictability, Industry Members may face increased costs and a perception of inequitable treatment.

Conclusion

Overall, while focusing on regulatory compliance and preventive controls might enhance data security, the proposed limitations on liability present a nuanced discussion. It is essential for the SEC and stakeholders to ensure that the amendment adequately balances security, accountability, and fairness for all involved parties. Public commentary invited by this document can be a crucial aspect of determining whether this proposal serves the wider interests of the market and its participants effectively.

Financial Assessment

Commentary on Financial References in the Document

The document under consideration provides numerous financial references connected to the operations and potential liabilities surrounding the Consolidated Audit Trail (CAT). These references encompass both explicit dollar figures and more general financial implications tied to liability, insurance, and costs associated with cyber breaches.

Limitation of Liability

A central financial theme in the document concerns the limitation of liability for CAT LLC, the Participants, and their representatives. The text states that their liability is capped at the lesser of the actual fees paid by the CAT Reporter to CAT LLC for a given calendar year or $500. This provision highlights a significant aspect of financial risk management within the CAT framework, emphasizing minimal direct financial exposure for CAT LLC and its Participants even in the event of a breach.

Potential Cyber Breach Costs

The document assesses various hypothetical cyber breach scenarios and provides a financial framework for understanding the costs associated with these potential events. For example, reverse engineering of trading algorithms, inserting fake data, and removing data to conceal misconduct are presented as breaches with "extremely" severe economic implications, potentially incurring costs greater than $100 million per incident. This threshold figure is a key reference point as it categorizes severe financial impacts that can arise from specific cyber threats.

Cybercrime Costs

The broader financial landscape of cybercrime is referenced with striking figures. The global cost of cybercrime is estimated to escalate from $3 trillion annually in 2015 to $6 trillion by 2021, according to sources cited in the document. Within the United States, a 2016 estimate suggests that malicious cybercrime cost the economy between $57 billion and $109 billion. These figures underscore the pervasive and escalating financial burden that cybercrime places on global and national economies.

Cyber Insurance Premiums

The document indicates that cyber insurance premiums are part of the financial strategy to manage risks, with $4.85 billion paid in premiums in 2018, projected to increase to $28.6 billion by 2026. This increase in insurance premiums reflects growing awareness and requisite financial provision against the potential costs of cyber incidents.

Algorithmic Trading Market

A notable reference is made to the algorithmic trading market, valued at $11.1 billion in 2019 and forecasted to grow to $18.8 billion by 2024. This financial data exemplifies the economic scale of algorithmic trading within the securities market, serving as a backdrop to the potential risks and incentives for securing financial assets in trading algorithms.

Implications and Observations

These financial references relate closely to some identified issues in the document. The precise cap on liability and extensive insurance measures might be seen as heavily favoring CAT LLC and the Participants, potentially leaving Industry Members feeling inadequately protected. The emphasis on substantial potential breach costs points to the significant risks tied to financial exposures; however, the document’s heavy reliance on hypothetical scenarios and economic theories might not fully address the practical concerns of stakeholders.

The mentioned financial allocations, primarily around insurance and liability capping, also speak to risk aversion strategies, balancing cybersecurity with economic prudence. The limited liability provision might suggest a prioritization of minimizing CAT LLC's and the Participants' financial exposure over providing broad compensation to affected parties.

In summary, while the document specifies various financial allocations and references, it raises considerations about the balance between fostering secure trading environments against potentially vast financial risks, and effectively mitigating those risks through clearly defined financial strategies.

Issues

  • The language used throughout the document is highly technical and complex, possibly making it difficult for individuals not familiar with securities regulation and cyber security to fully understand the content and implications.

  • The document discusses the economic analysis of breach scenarios, but the explanations of frequency, severity, and potential financial consequences are dense and not easily accessible to a general audience.

  • The mention of $100 million as a threshold for 'extremely' severe economic consequences lacks context and might be seen as arbitrary by some stakeholders.

  • The proposed limitation of liability provisions could be seen as heavily favoring CAT LLC and the Participants, potentially at the expense of Industry Members and their clients, which might be viewed as inequitable.

  • The lengthy discussion on the choice between regulation and litigation may be too abstract and theoretical, potentially obscuring practical implications and real-world applications.

  • There is significant emphasis on regulatory frameworks and economic theories, which might overshadow or minimize the practical concerns and risks faced by stakeholders in the event of a cyber breach.

  • The document references a settlement and ongoing discussions with SIFMA, yet the details of these agreements or proposals are not clearly outlined, leaving room for ambiguity.

  • The document places considerable emphasis on the roles and responsibilities of various regulatory bodies and committees, which might seem redundant or overly detailed for some readers.

  • References to previous economic literature and legal precedents may be too dense for a general audience, complicating the understanding of the issues at stake.

  • While discussing the potential for CAT data breaches, the document heavily relies on hypothetical scenarios that may not address all possible real-world risks and impacts.

Statistics

Size

Pages: 34
Words: 48,938
Sentences: 1,608
Entities: 3,865

Language

Nouns: 16,625
Verbs: 3,966
Adjectives: 2,653
Adverbs: 1,276
Numbers: 1,863

Complexity

Average Token Length: 5.64
Average Sentence Length: 30.43
Token Entropy: 6.47
Readability (ARI): 24.11

Reading Time

about 3 hours