What often begins with noble intentions often ends in tragedy. Nowhere is this more true than in data security. After the 2010 Flash Crash in 2012 the US Securities and Exchange Commission (SEC) approved Rule 613, requiring the National Market System (NMS) exchanges to start building a Comprehensive Audit Trail (“CAT”) of market activity. The purpose of the CAT is to capture all equities and options trade data, from all market participants. It also intends to collect the personal identifiable information of every American who has money in the stock market. From a regulatory perspective, having the CAT makes it easier to police the public capital markets. But from a data security angle, the CAT will be a giant honeypot containing the personally identifiable information of a key demographic segment of society: stock market investors. Hackers worldwide will most likely declare open season on the CAT once its launched.

If the SEC intends to create CAT, then it needs to ensure that CAT is designed with robust & proper data security practices in mind. This appears doubtful because the key contractor building the IT framework for CAT was removed in January 2019. It is very bad omen when the lead technology contractor leaves the project unexpectedly. The SEC needs to come up with Plan B.

Fortunately the U.S. Congress noticed this glaring data breach vulnerability in the making. Seven Republican lawmakers sent a warning letter to the SEC raising the likelihood of PRC China state sponsored attacks against CAT. According to a U.S. Senator, the CAT database “is just a sitting duck waiting for the Chinese to infiltrate...the CAT is a vulnerable target full of personal data, which makes it a very attractive target for Chinese hackers. . . . People shouldn’t have to worry about their personal data being hacked when they’re working toward building up a financial portfolio or saving for retirement.”

Hopefully the SEC will heed this advice and proceed with extreme caution.