Data Security, Reporting Augmentation Still Pivotal Issues for CAT

Representatives from four bidders for the Consolidated Audit Trail (CAT) spoke at the TabbForum MarketTech 2015 conference about potential issues they see involving the building of the CAT.

Representatives from four of the six bidders looking to build the CAT sat on a panel at the TabbForum MarketTech 2015.

Imagine a platform that can track all the orders, executions and quote lifecycles for equities and options on a daily basis and then store the data in a central repository. That, in a nutshell, is what the Consolidated Audit Trail (CAT) is looking to do.

Unsurprisingly, the process of planning how to build a system that will be required to process an estimated 58 billion records a day has not gone smoothly. Since the inception of the idea in 2012, progress towards building the CAT has moved about as quickly as a snail.

Delays have consistently marred the project. In October, The Wall Street Journal reported the US Securities and Exchange Commission's (SEC's) top choice to oversee the technological development of the CAT reneged on his acceptance of the position. 

At the TabbForum MarketTech 2015 conference held in New York, representatives from four of the six bidders vying for the opportunity to build the CAT — including the entries led by Tradeworx, SunGard, CSC and BuckleySandler — took part in a panel to discuss their plans for the massive system and the issues that still remain around building it.

Keep it Safe

Cyber security is a topic that seems to crop up everywhere, and given the type and amount of data the CAT is collecting, it is no exception. Most of the focus has been on securing the trail's personally identifiable information (PII). However, Mike Beller, managing partner for Thesys Technologies and CEO of Tradeworx, believes too little attention has been paid to protecting the data itself.

Beller said that while millions of PII records are being collected, billions of trading records are also being reported, and those have the potential to be just as valuable.

He used Warren Buffett as an example.

"Even if you don't know Warren Buffett's PII, you can watch and see that this big stock was traded and hear a news story that that stock was traded on that day," Beller said. "Now, even by looking at anonymized identifiers, you know where Warren Buffett's trades are. So if you compromise this database, even if you forget PII for a moment, you still have a lot of information."

Beller is also unhappy with the level of data encryption currently required by CAT standards. Originally, data only had to be encrypted in transit or if it contained PII. Upon revision, data now needs to be encrypted in transit and when it's at rest in the public cloud.

For Beller, those security measures aren't enough. He believes data should be encrypted at all times, and there should be no single server that can access all the data.

That's not to say Beller believes the CAT should be completely out of the public domain. With 2,000 firms reporting into the CAT, though, including many small broker-dealers, having everyone connect via a private line isn't a feasible option, according to Beller.

"I think we need to get away from thinking that any system that has to be connected really needs an air gap to make it secure," Beller said. "I believe the system can be secure in the public cloud, or I believe it can be secure in a private data center if the appropriate approaches are taken, but those approaches have to go a few steps beyond the approaches that are being used so far."

Augmentation of Data

Beller was also critical of how reporting into the CAT is to be done. Firms are more hesitant to change their front-office systems than their back-office platforms, according to Beller, because of the risks a wrong tweak to the system could create, such as spamming the market or releasing more information than it has to.

The solution, Beller believes, is to allow augmentation of the reported information through a separate channel. Some of the other panelists, however, did not agree.

Neil Palmer, chief technology officer of SunGard's advanced technology business, said allowing potentially every broker-dealer to submit somewhat different reports would put unnecessary strain on the CAT.

"That's the path we go down and then the next thing you know you've got 500 different special case scenarios, and the CAT has to handle them all," Palmer said. "It makes the system brittle and more likely to fail."

Thomas Sporkin, a partner at BuckleySandler, added that the whole point of the CAT is to allow regulators to go back and map out market events, trade by trade, via the data in the reports.

"The SEC said 'no fuzzy logic,'" Sporkin said. "This has to stand up to courts' evidence. You're going to have experts get up and look at these records and say definitively, 'This went here, this went here and this went here.' They'll be able to say, 'I can see it from the time stamp. I can see it by the unique identifier. I can see it by the daisy-chain methodology.'"

The Bottom Line

  • The CAT has faced several hurdles since the concept was first announced in 2012.
  • One CAT bidder that spoke at a recent TabbForum was concerned about the level of security around data currently required.
  • There was also a debate on the best way to approach reporting data, either through augmenting reports or having a more standardized format.
