Bookmark and Share

On May 6, 2010 the U.S. Stock opened lower and began an intraday downtrend with the Dow losing some 300 points until 2:42 p.m. EST. Then it proceeded to drop precipitously another 600 points over the next 5 minutes, temporarily wiping out over a trillion dollars of wealth, before rebounding most of the 600 point drop before market close. Referred to as the 2010 Flash Crash, the Dow temporarily lost 9% of its value, the second largest intraday swing in U.S. market history.

Though generally seen as an anomaly, the flash crash became a major force in the SEC’s decision to create a new system for monitoring the markets called the CAT, or the Consolidated Audit Trail. The United States Securities and Exchange Commission voted on July 11, 2012 to require FINRA, the exchanges and SROs, to create and implement a single unified system to monitor and analyze trading activity across U.S. equity and options markets. The proposed system created under Rule 613 of Regulation National Market System (or Reg NMS) is intended to create a wholesale system to monitor every transaction across U.S. exchanges and “dark pools.”  These dark pool trading volumes are composed of institutional orders executed on private exchanges which are generally unavailable to the public.

The SEC has already implemented circuit breakers to halt trading when an equity moves more than 10% in 5 minutes, but the CAT system is intended to provide regulators with broader oversight of trading activity across U.S. markets. It reportedly took over four months for regulators to piece together what occurred during the flash crash, the CAT is designed to aid the SEC to achieve greater surveillance by better identifying the complex and myriad transactions in our modern markets. The CAT is designed to require sub-second time stamps, all quotes and order executions, along with cancellations and modifications of routing of orders to other markets. If fully implemented the CAT system will need to both produce and archive over 50 billion records every trading day and contain 100 million customer accounts.

A Hacker’s Gold Mine

This is a massive amount of data that would be created by the CAT system and opens up many questions regarding its use. Its value to investors is potentially limitless as this data could be reverse-engineered to develop true data-based trading strategies. Additionally, with this massive data cache of potentially invaluable information all aggregated under one regulatory authority, the potential for cyber-criminals to access and abuse this data becomes near inevitable. 

this treasure trove of information has tremendous commercial value…we are gravely concerned that cybercriminals and others will seek to access and use it for their personal gain to the detriment of funds and their shareholders.Investment Company Institute's David Blass

The CAT plan has so far been repeatedly criticized for having inadequate security protocols. A database of valuable information this massive would naturally be a major target for hackers looking to exploit trading data and personal information. Additionally the dangers of any coordinated attack against the system and the potentially huge disruption this would cause to U.S. and world markets can’t be overstated.

Timeline of Advancement

The CAT system was first proposed in 2012 and met with numerous delays and criticisms for its lack of security and potentially massive cost to implement. By February 27, 2015 the SRO’s amended and replaced the Initial Plan, and the amendment went on to be published and approved by the commission in 2016. However, the original cyber security questions still needed to be answered. The SEC responded by giving the “Plan Processor” the responsibility for securing and keeping all the data confidential. The this meant that the Plan Processor was not only in charge of creating and designing the technology of the CAT but was also liable for the protection of the information. 

On January 17, 2017 the Selection Committee of the plan selected and approved Thesys Technologies’ bid to be the Plan Processor. With the designer and keeper of the database selected, the implementation of the system has begun and should take about 3 years. Thesys has vowed that the system has been build with a “security-first” mindset with two-step authentications and encryption of the data as it is sent between systems. As the execution takes place, time prove if the system is really secure. To learn more on how to become a part of the forefront of data security and protect information like the Consolidated Audit Trail, click here.