[Federal Register Volume 86, Number 3 (Wednesday, January 6, 2021)]
[Notices]
[Pages 591-624]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-29216]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-90826; File No. 4-698]


Joint Industry Plan; Notice of Filing of Amendment to the 
National Market System Plan Governing the Consolidated Audit Trail by 
BOX Exchange LLC; Cboe BYX Exchange, Inc., Cboe BZX Exchange, Inc., 
Cboe EDGA Exchange, Inc., Cboe EDGX Exchange, Inc., Cboe C2 Exchange, 
Inc. and Cboe Exchange, Inc., Financial Industry Regulatory Authority, 
Inc., Investors Exchange LLC, Long-Term Stock Exchange, Inc., Miami 
International Securities Exchange LLC, MEMX, LLC, MIAX Emerald, LLC, 
MIAX PEARL, LLC, Nasdaq BX, Inc., Nasdaq GEMX, LLC, Nasdaq ISE, LLC, 
Nasdaq MRX, LLC, Nasdaq PHLX LLC, The NASDAQ Stock Market LLC; and New 
York Stock Exchange LLC, NYSE American LLC, NYSE Arca, Inc., NYSE 
Chicago, Inc., and NYSE National, Inc.

December 30, 2020.

I. Introduction

    On December 18, 2020, the Operating Committee for Consolidated 
Audit Trail, LLC (``CAT LLC''), on behalf of the following parties to 
the National Market System Plan Governing the Consolidated Audit Trail 
(the ``CAT NMS Plan'' or ``Plan''): \1\ BOX Exchange LLC; Cboe BYX 
Exchange, Inc., Cboe BZX Exchange, Inc., Cboe EDGA Exchange, Inc., Cboe 
EDGX Exchange, Inc., Cboe C2 Exchange, Inc. and Cboe Exchange, Inc., 
Financial Industry Regulatory Authority, Inc., Investors Exchange LLC, 
Long-Term Stock Exchange, Inc., Miami International Securities Exchange 
LLC, MEMX, LLC, MIAX Emerald, LLC, MIAX PEARL, LLC, Nasdaq BX, Inc., 
Nasdaq GEMX, LLC, Nasdaq ISE, LLC, Nasdaq MRX, LLC, Nasdaq PHLX LLC, 
The NASDAQ Stock Market LLC; and New York Stock Exchange LLC, NYSE 
American LLC, NYSE Arca, Inc., NYSE Chicago, Inc., and NYSE National, 
Inc. (collectively, the ``Participants,'' ``self-regulatory 
organizations,'' or ``SROs'') filed with the Securities and Exchange 
Commission (``SEC'' or ``Commission'') pursuant to Section 11A(a)(3) of 
the Securities Exchange Act of 1934 (``Exchange Act''),\2\ and Rule 608

[[Page 592]]

thereunder,\3\ a proposed amendment to the CAT NMS Plan that would 
authorize CAT LLC to revise the Consolidated Audit Trail Reporter 
Agreement (the ``Reporter Agreement'') and the Consolidated Audit Trail 
Reporting Agent Agreement (the ``Reporting Agent Agreement'') to insert 
the limitation of liability provisions (the ``Limitation of Liability 
Provisions''), as contained in Appendix A, attached hereto.\4\ The 
Commission is publishing this notice to solicit comments from 
interested persons on the amendment.\5\
---------------------------------------------------------------------------

    \1\ The CAT NMS Plan is a national market system plan approved 
by the Commission pursuant to Section 11A of the Exchange Act and 
the rules and regulations thereunder. See Securities Exchange Act 
Release No. 79318 (November 15, 2016), 81 FR 84696 (November 23, 
2016).
    \2\ 15 U.S.C 78k-1(a)(3).
    \3\ 17 CFR 242.608.
    \4\ See Letter from Michael Simon, Chair, CAT NMS Plan Operating 
Committee, to Ms. Vanessa Countryman, Secretary, Commission, dated 
December 18, 2020. The Participants state that these provisions 
would address the liability of CAT LLC and the Participants in the 
event of a CAT data breach. The Participants further state that in 
conjunction with this proposed amendment (the ``Proposed 
Amendment'') to the CAT NMS Plan, each Participant intends to file 
with the Commission corresponding proposed changes to its individual 
CAT Compliance Rules.
    \5\ 17 CFR 242.608.
---------------------------------------------------------------------------

II. Description of the Plan

    Set forth in this Section II is the statement of the purpose and 
summary of the amendment, along with information required by Rule 
608(a)(4) and (5) under the Exchange Act,\6\ substantially as prepared 
and submitted by the Participants to the Commission.\7\
---------------------------------------------------------------------------

    \6\ See 17 CFR 242.608(a)(4) and (a)(5).
    \7\ See supra note 4. Unless otherwise defined herein, 
capitalized terms used herein are defined as set forth in the CAT 
NMS Plan.
---------------------------------------------------------------------------

A. Statement of Purpose of the Amendment to the CAT NMS Plan

    The Proposed Amendment adds industry-standard Limitation of 
Liability Provisions to the Reporter Agreement and Reporting Agent 
Agreement.\8\ The Limitation of Liability Provisions are appropriately 
tailored, consistent with longstanding principles regarding allocation 
of liability between self-regulatory organizations (``SROs'') and 
Industry Members, and have been agreed to in substance by virtually all 
Industry Members in connection with Order Audit Trail System (``OATS'') 
reporting.
---------------------------------------------------------------------------

    \8\ The Participants believe that the CAT NMS Plan and certain 
individual self-regulatory organization rules already authorize the 
inclusion of the Limitation of Liability Provisions in the Reporter 
Agreement and the Reporting Agent Agreement. See generally, May 6, 
2020 CAT LLC Memo of Law in Opposition to SIFMA'S Motion to Stay, 
Admin. Proc. File No. 3-19766. The Participants nonetheless submit 
this Proposed Amendment to provide industry members (``Industry 
Members'') and other interested constituencies with an opportunity 
to comment on the Limitation of Liability Provisions.
---------------------------------------------------------------------------

    Moreover, CAT LLC has retained Charles River Associates (``Charles 
River'') to conduct a comprehensive economic analysis of the liability 
issues presented by a potential CAT data breach. That analysis, 
attached to this Proposed Amendment as Appendix B, concludes that 
combining ongoing Commission oversight with a limitation on liability 
is the most efficient manner of addressing the complex issues presented 
by such potential breaches. Although Industry Members have advocated 
for an approach that would allow them (and their clients) to sue CAT 
LLC and the Participants in the event of a breach, the Charles River 
analysis demonstrates that this approach would significantly increase 
CAT LLC's costs--potentially without bounds--without any corresponding 
benefit to the Commission, investors, or other stakeholders, and 
likewise would not materially improve the security of the data 
transmitted to and stored within the CAT. Charles River also concludes 
that in light of the CAT's extensive cybersecurity (among other 
reasons), most potential breach scenarios, including the possibility of 
reverse engineering of Industry Members' trading algorithms, are 
relatively low-frequency events. For those reasons, and as discussed in 
detail below, there is no economic basis to deviate from industry norms 
by shifting liability from Industry Members to the Participants.
1. Background
    On July 11, 2012, the Commission adopted Rule 613 of Regulation NMS 
to enhance regulatory oversight of the U.S. securities markets. The 
rule directed the Participants to create a ``Consolidated Audit Trail'' 
(also referred to herein as the ``CAT'') that would strengthen the 
ability of regulators--including the Commission and the SROs--to 
surveil the securities markets.\9\ Following the adoption of Rule 613, 
the Participants prepared and proposed the CAT NMS Plan and then 
implemented the Plan's extensive requirements, including its 
cybersecurity requirements. The Commission approved that Plan in 
November 2016, concluding that it incorporates ``robust security 
requirements'' that ``provide appropriate, adequate protection for the 
CAT Data.'' \10\
---------------------------------------------------------------------------

    \9\ See 17 CFR 242.613 (2012).
    \10\ SEC, Joint Industry Plan; Order Approving the National 
Market System Plan Governing the Consolidated Audit Trail, Release 
No. 34-79318; File No. 4-698, at 715 (Nov. 15, 2016), https://www.sec.gov/rules/sro/nms/2016/34-79318.pdf.
---------------------------------------------------------------------------

    In preparation for the launch of initial CAT equities reporting, in 
August 2019 the Participants shared with CAT LLC's Advisory Committee a 
draft Reporter Agreement.\11\ Among other provisions, the draft 
Reporter Agreement contained an industry-standard limitation of 
liability provision that provided:
---------------------------------------------------------------------------

    \11\ The Advisory Committee is comprised of broker-dealers of 
varying sizes and types of business, a clearing firm, an individual 
who maintains a securities account, an academic, institutional 
investors, an individual with significant and reputable regulatory 
expertise, and a service bureau that provides reporting services to 
one or more CAT Reporters. See CAT NMS Plan, Section 4.13(b). The 
Advisory Committee provides a forum for Industry Members (among 
other constituencies) to stay informed about, and to provide 
feedback to the Participants and the Operating Committee regarding, 
the operation and administration of the CAT. See CAT NMS Plan, 
Section 4.13(d)-(e).

TO THE EXTENT PERMITTED BY LAW, UNDER NO CIRCUMSTANCES SHALL THE 
TOTAL LIABILITY OF CAT LLC OR ANY OF ITS REPRESENTATIVES TO CAT 
REPORTER UNDER THIS AGREEMENT FOR ANY CALENDAR YEAR EXCEED THE 
LESSER OF THE TOTAL OF THE FEES ACTUALLY PAID BY CAT REPORTER TO CAT 
LLC FOR THE CALENDAR YEAR IN WHICH THE CLAIM AROSE OR FIVE HUNDRED 
---------------------------------------------------------------------------
DOLLARS ($500.00). See id. Sec.  5.5.

    On August 29, 2019, CAT LLC's Operating Committee approved the 
then-draft Reporter Agreement--including the limitation of liability--
by unanimous written consent.\12\
---------------------------------------------------------------------------

    \12\ ``[T]he Operating Committee shall make all policy decisions 
on behalf of the Company in furtherance of the functions and 
objectives of the Company under the Exchange Act, any rules 
thereunder, including SEC Rule 613, and under this Agreement.'' CAT 
NMS Plan, Section 4.1.
---------------------------------------------------------------------------

    Following the approval process, the Securities Industry and 
Financial Markets Association (``SIFMA'') objected on behalf of certain 
Industry Members to the Reporter Agreement's limitation of liability 
provisions, particularly in relation to a potential CAT data breach. 
The Participants attempted to engage in a constructive dialogue with 
SIFMA and offered several proposed revisions to the limitation of 
liability provisions to address SIFMA's concerns. Among other 
proposals, the Participants offered: (1) To create a reserve (funded 
jointly by Industry Members and the Participants) to cover damages in 
the event of a data breach and (2) to revise the limitation of 
liability provision to conform with analogous provisions in the 
agreements that Industry Members require their retail customers to 
execute. Throughout those discussions, the Participants repeatedly 
stated that they were willing to consider any proposals offered by 
Industry Members whereby a limitation of liability provision would 
remain in the Reporter Agreement. SIFMA did not offer any substantive 
counterproposals; instead, it maintained its wholesale objection to any 
limitation of liability.

[[Page 593]]

    Notwithstanding SIFMA's objections, between September 2019 and May 
5, 2020, over 1,300 Industry Members executed the then-operative 
Reporter Agreement containing the limitation of liability provision. In 
advance of the initial equities reporting deadline, all CAT Reporters 
were required to test their ability to upload data to the CAT database 
and then complete a certification form. To enable the approximately 60 
Industry Members who did not execute the Reporter Agreement to complete 
the testing and certification process, CAT LLC permitted them to test 
with obfuscated data pursuant to a ``Limited Testing Acknowledgment 
Form.''
    In March and April 2020, 10 of those 60 Industry Members rescinded 
their execution of the Limited Testing Acknowledgement Forms and 
attempted to report production data to the CAT. Because those Industry 
Members had not executed the Reporter Agreement, FINRA CAT (i.e., the 
Plan Processor) refused to permit them to submit production data. On 
April 22, 2020, SIFMA filed an application for review of actions taken 
by CAT LLC and the Participants pursuant to Sections 19(d) and 19(f) of 
the Exchange Act (the ``Administrative Proceeding''). SIFMA's 
application alleged that the Participants improperly required Industry 
Members to execute a Reporter Agreement as a prerequisite to submitting 
data to the CAT and that the agreement's limitation of liability 
provision was ``unfair, inappropriate, and bad policy.'' \13\ 
Contemporaneously with the filing of the Administrative Proceeding, 
SIFMA moved for a stay of the requirement that Industry Members sign a 
Reporter Agreement, or in the alternative, asked the Commission to 
further delay the launch of CAT reporting on June 22, 2020. On May 13, 
SIFMA and the Participants informed the Commission that the parties 
reached a settlement of the Administrative Proceeding and requested 
that the Commission dismiss SIFMA's application. On May 14, the 
Commission granted the parties' dismissal request.
---------------------------------------------------------------------------

    \13\ SIFMA also challenged the Reporter Agreement's provision 
that required Industry Members to indemnify CAT LLC and the 
Participants from third party claims arising from an Industry 
Member's unlawful acts and omissions including a failure: (1) By an 
Industry Member to protect and secure PII under its control, (2) of 
an Industry Member to protect its own systems from misuse, or (3) of 
an Industry Member to comply with its obligations under the Reporter 
Agreement. All CAT Reporters and CAT Reporting Agents (as defined in 
each of the Reporter Agreement and the Reporting Agent Agreement) 
eventually signed an Agreement that contained these industry 
standard indemnification provisions.
---------------------------------------------------------------------------

    The settlement between SIFMA and the Participants did not resolve 
the underlying disagreement regarding the proper allocation of 
liability in the event of a loss due to a breach of the CAT. Rather, 
the settlement provided a path for the minority of Industry Members 
that had not signed the original Reporter Agreement to test data and, 
subsequently, report live production data to the CAT. In particular, 
the settlement permitted Industry Members to report data to the CAT 
pursuant to a revised Reporter Agreement that does not contain a 
limitation of liability provision, while the Participants prepared a 
filing with the Commission to resolve the parties' underlying 
disagreement regarding the proper allocation of liability. CAT LLC's 
and the Participants' decision to resolve the Administrative Proceeding 
was animated by a desire to progress unimpeded toward the CAT's June 22 
compliance date.
    Initial equities reporting commenced as planned on June 22, 2020. 
Since that time, Industry Members have been transmitting data to the 
CAT pursuant to the revised Reporter Agreement, which does not contain 
any limitation of liability provision.
2. The Limitation of Liability Provisions
    The Limitation of Liability Provisions in this Proposed Amendment, 
each of which was included (in substance) in the original Reporter 
Agreement and Reporting Agent Agreement, are contained in Appendix A to 
this Proposed Amendment.\14\ In sum and substance, the Limitation of 
Liability Provisions:
---------------------------------------------------------------------------

    \14\ The modifications in this Proposed Amendment are not 
intended to and do not affect the limitations of liability set forth 
in the agreements between individual Participants and Industry 
Members or SEC-approved rules regarding limitations of liability, or 
those limitations or immunities that bar claims for damages against 
the Participants and CAT LLC as a matter of law.
---------------------------------------------------------------------------

     Provide that CAT Reporters and CAT Reporting Agents accept 
sole responsibility for their access to and use of the CAT System, and 
that CAT LLC makes no representations or warranties regarding the CAT 
system or any other matter;
     Limit the liability of CAT LLC, the Participants, and 
their respective representatives to any individual CAT Reporter or CAT 
Reporting Agent to the lesser of the fees actually paid to CAT for the 
calendar year or $500;
     Exclude all direct and indirect damages; and
     Provide that CAT LLC, the Participants, and their 
respective representatives shall not be liable for the loss or 
corruption of any data submitted by a CAT Reporter or CAT Reporting 
Agent to the CAT System.\15\
---------------------------------------------------------------------------

    \15\ Appendix A also contains language clarifying the entities 
to which the Limitation of Liability Provisions apply. See Appendix 
A at Sec.  5.5.
---------------------------------------------------------------------------

2. The Limitation of Liability Provisions Reflect Longstanding 
Principles of Allocation of Liability Between Industry Members and 
Self-Regulatory Organizations
    Limitations of liability are ubiquitous within the securities 
industry and have long governed the economic relationships between 
self-regulatory organizations and the entities that they regulate. The 
Limitation of Liability Provisions at issue here fall squarely within 
industry norms.
    For over half of a century, U.S. securities exchanges have adopted 
rules to limit their liability for losses that Industry Members incur 
through their use of exchange facilities.\16\ These rules broadly 
disclaim all liability to exchange members. By way of example, NASDAQ 
Equities Rule 4626 provides that the exchange ``shall not be liable for 
any losses, damages, or other claims arising out of the NASDAQ Market 
Center or its use.'' \17\ Every other securities exchange has a similar 
rule, each of which was approved by the Commission as consistent with 
the Exchange Act.\18\
---------------------------------------------------------------------------

    \16\ See, e.g., Securities Exchange Act Release No. 14777 (May 
17, 1978) (SR-CBOE-78-14) (noting that an exchange ``cannot proceed 
with innovative systems and procedures for the execution, clearance, 
and settlement of Exchange transactions . . . unless it is protected 
against losses which might be incurred by members as a result of 
their use of such systems,'' and further that ``[t]o the extent [a 
limitation of liability rule] enables the Exchange to proceed with 
innovative systems, competition should be enhanced.''); Securities 
Exchange Act Release No. 58137 (July 10, 2008), 73 FR 41145 (July 
17, 2008) (SR-NYSE-2008-55) (explaining that exchange's limitation 
of liability rule encourages vendors to provide services to the 
exchange, which results in faster and more innovative products for 
order entry, execution, and dissemination of market information).
    \17\ See Nasdaq Equities Rule 4626 (Limitation of Liability) 
(emphasis added).
    \18\ New York Stock Exchange LLC Rule 17, BOX Exchange LLC, Rule 
7230; Cboe Exchange, Inc., Rule 1.10; Investors Exchange LLC, Rule 
11.260; Long-Term Stock Exchange, Rule 11.260; Miami International 
Securities Exchange, LLC, Rule 527; MEMX Rule 11.14. Although FINRA 
does not operate a securities exchange, the Commission has 
recognized that limiting FINRA's liability to Industry Members is 
consistent with the Exchange Act. See FINRA Rule 14108.
---------------------------------------------------------------------------

    These Commission-approved limitations of liability support a 
foundational aspect of The Exchange Act: The self-regulatory framework. 
This bedrock principle of securities regulation dates back to 1934, 
when Congress initially codified the legal

[[Page 594]]

status of self-regulatory organizations.\19\ The essence of this 
framework is that the Commission regulates the SROs, and, in turn, each 
SRO regulates its members.\20\ To empower the self-regulatory 
organizations to regulate Industry Members, Congress granted the 
securities exchanges with the authority--and the responsibility--to 
enforce compliance with the securities laws among exchange members.\21\ 
It is in this context that the Commission has concluded that rules 
requiring Industry Members to limit the liability of the Participants 
are consistent with the Exchange Act.
---------------------------------------------------------------------------

    \19\ See Exchange Act Section 6(d).
    \20\ Section 6 of Exchange Act requires the SROs to enact rules 
subject to SEC approval and enforce those rules against members. The 
Commission oversees the SROs through its examination authority under 
Section 17 and its enforcement authority pursuant to Sections 
19(h)(1) and 21C.
    \21\ See Exchange Act Section 6(b) (original version) (providing 
that exchanges must have provisions for expelling, suspending, or 
otherwise disciplining members for conduct that is inconsistent with 
just and equitable principles of trade and willful violations of the 
Exchange Act).
---------------------------------------------------------------------------

    Likewise, the Commission has concluded that it is appropriate for 
self-regulatory organizations to adopt agreements with terms of use in 
connection with regulatory reporting facilities. The Commission has 
approved rules requiring Industry Members to agree to terms of use that 
customarily limit the liability of various regulatory reporting 
facilities--and the individual participants that comprise or operate 
those facilities--in connection with the reporting of order and 
execution data. And as with the CAT, those reporting facilities ingest 
substantial volumes of sensitive transaction data. For example, from 
1998 through the present, the OATS has functioned as an integrated 
audit trail of order, quote, and trade data for equity securities. And 
to comply with their OATS reporting requirements, FINRA members must 
acknowledge an agreement that includes a limitation of liability 
provision that is similar in scope to the Limitation of Liability 
Provisions that are the subject of this Proposed Amendment.\22\
---------------------------------------------------------------------------

    \22\ FINRA Rule 1013(a)(1)(R) requires all applicants for FINRA 
Membership to acknowledge the FINRA Entitlement Program Agreement 
and Terms of Use, which applies to OATS. Industry Members click to 
indicate that they agree to its terms--including its limitation of 
liability provision--every time they access FINRA's OATS system to 
report trade information (i.e., repeatedly over the course of a 
trading day for many Industry Members).
---------------------------------------------------------------------------

    Congress and the Commission have recognized that these principles 
also apply to National Market System facilities comprised of self-
regulatory organizations. In 1975, Congress enacted the Securities Act 
Amendments of 1975, which reinforced the importance of the self-
regulatory framework. The 1975 legislation also tasked the exchanges 
with certain responsibilities for the creation of a ``national market 
system'' including the development and maintenance of a consolidated 
market data stream.\23\
---------------------------------------------------------------------------

    \23\ See Exchange Act Section 11A.
---------------------------------------------------------------------------

    Following the adoption of the market data rules of Regulation NMS 
in 2007, various NMS facilities have been formed to execute the 
regulation's mandates. There too, the Commission has concluded that 
limitations of liability are consistent with the Exchange Act. 
Accordingly, NMS facilities that receive transaction and customer data 
uniformly contain broad limitations of liability protecting both the 
actual facility and its constituent self-regulatory organizations. For 
example, the Consolidated Quotation Plan vendor and subscriber 
agreements--approved by the Commission--provide that no disseminating 
party will:

be liable in any way to [Customer/Subscriber] or to any other person 
for (a) any inaccuracy, error or delay in, or omission of, (i) any 
such data, information or message, or (ii) the transmission or 
delivery of any such data, information or message, or (b) any loss 
or damage arising from or occasioned by (i) any such inaccuracy, 
error, delay or omission, (ii) non-performance, or (iii) 
interruption in any such data, information or message, due either to 
any negligent act or omission by any Disseminating Party or to any 
``Force Majeure'' (i.e., any flood, extraordinary weather 
conditions, earthquake or other act of God, fire, war, insurrection, 
riot, labor dispute, accident, action of government, communications 
or power failure, or equipment or software malfunction) or any other 
cause beyond the reasonable control of any Disseminating Party.\24\
---------------------------------------------------------------------------

    \24\ See Consolidated Tape Association/Consolidated Quotation 
Plan, July 1978, as restated December 1995 available at https://www.ctaplan.com/publicdocs/ctaplan/notifications/trader-update/CQ_Plan-9.17.2020.pdf. Other NMS facilities and regulatory reporting 
systems likewise require Industry Members to agree to limit the 
liability of SROs. The Commission has approved multiple NMS Plans 
and rules regarding reporting facilities that condition use of the 
facility on the execution of an agreement. See, e.g., Nasdaq 
Unlisted Trading Privileges Plan, available at http://www.utpplan.com/DOC/Nasdaq-UTPPlan_Composite_as_of_September_17_2020.pdf; Options Price 
Reporting Authority Plan, available at https://assets.website-files.com/5ba40927ac854d8c970;bc92d7/
5d0bd57d87d3ccca102102d7_OPRA%20Plan%20with%20Updated%20Exhibit%20A%2
0-%2006-19-2019.pdf. All such agreements limit liability. See, e.g., 
UTP Plan Subscriber Agreement, available at http://www.utpplan.com/DOC/subagreement.pdf.; Options Price Reporting Authority Vendor 
Agreement, available at https://assets.website-files.com/5ba40927ac854d8c97bc92d7/5c6f058889c3684b7571a552_OPRA%20Vendor%20Agreement%20100118.pdf; 
Options Price Reporting Authority Subscriber Agreement, available at 
https://assets.website-files.com/5ba40927ac854d8c97bc92d7/5bf421d078a39dec23185180_hardcopy_subscriber_agreement.pdf.

    As the Commission has recognized by approving limitations of 
liability in the rules of every self-regulatory organization and in the 
context of regulatory and NMS reporting facilities, limiting the 
liability of self-regulatory organizations to Industry Members is 
consistent with the Exchange Act. There is no reason to depart from the 
principles that served the securities markets well for over half of a 
century and create a different framework for CAT reporting. Indeed, to 
comply with the Administrative Procedure Act, the Commission may not 
depart from this longstanding approach without: (1) Acknowledging the 
change in course and (2) providing a reasoned justification for the 
new, conflicting policy. See F.C.C. v. Fox Television Stations, Inc., 
556 U.S. 502, 514-15 (2009). And because the Participants have invested 
substantial resources into the CAT in reliance on the agency's repeated 
approval of limitations on SRO liability, the Commission must provide 
an even more detailed justification if it opts to depart from that 
longstanding principle of liability here. See Smiley v. Citibank (South 
Dakota) N.A., 517 U.S. 735, 742 (1996) (explaining that ``change that 
does not take account of legitimate reliance on prior interpretation . 
. . may be `arbitrary, capricious, or an abuse of discretion'') (citing 
5 U.S.C. 706(2)(A)); Fox Television Stations, Inc., 556 U.S. at 516 
(``[A] reasoned explanation is needed for disregarding facts and 
circumstances that underlay or were engendered by the prior policy.'').
    The case for a limitation of liability is particularly compelling 
where, as here, the Participants and CAT LLC are implementing the 
requirements of the CAT NMS Plan in their regulatory capacities. Rule 
613 of Regulation NMS tasked the SROs with creating the CAT to achieve 
a core regulatory function--i.e., to ``oversee our securities markets 
on a consolidated basis--and in so doing, better protect these markets 
and investors.'' \25\ During Rule 613's adoption, the Commission made 
clear that the rule imposed regulatory obligations on the 
Participants.\26\ And SIFMA recognized the important

[[Page 595]]

regulatory function of the CAT, expressing its ``belie[f] that a 
centralized and comprehensive audit trail would enable the SEC and 
securities self-regulatory organizations (``SROs'') to perform their 
monitoring, enforcement, and regulatory activities more effectively.'' 
\27\
---------------------------------------------------------------------------

    \25\ Chairman Jay Clayton, SEC, Statement on the Status of the 
Consolidated Audit Trail, Nov. 14, 2017, available at https://www.sec.gov/news/public-statement/statement-status-consolidated-audit-trail-chairman-jay-clayton.
    \26\ SEC Release No. 34-67457; File No. S7-11-10, at 4 (Oct. 1, 
2012) (noting lack of key information in prior audit trails needed 
for regulatory oversight) and 20 (noting that prior to the CAT, SROs 
and the Commission must use a variety of data sources to fulfill 
their regulatory obligations).
    \27\ August 17, 2010 SIFMA Letter at 1-2, available at https://www.sec.gov/comments/s7-11-10/s71110-63.pdf.
---------------------------------------------------------------------------

    Notwithstanding the Commission's repeated conclusion that limiting 
the liability of the Participants and their facilities is consistent 
with the Exchange Act, during prior negotiations and during the 
Administrative Proceeding, SIFMA objected to any limitation of 
liability provision in the Reporter Agreement based on a purported 
``guiding principle'' that the party that controls the data should bear 
the risk. But this ``principle'' is inapplicable to a regulatory 
program with Commission-mandated reporting.\28\ It is also inconsistent 
with how SIFMA members treat their own customers. Despite controlling 
sensitive data that would harm customers if compromised via data 
breach, Industry Members routinely disclaim such liability.\29\ At 
bottom, the Participants are not aware of any context in which 
liability that is usually borne by Industry Members is shifted to their 
regulators, and there is no compelling reason to do so here.
---------------------------------------------------------------------------

    \28\ See, e.g., supra at 7, n. 21 (limitations of liability in 
regulatory reporting facilities).
    \29\ See, e.g., Vanguard Electronic Services Agreement 
(effective Sep. 5, 2017), available at https://personal.vanguard.com/pdf/v718.pdf; E*TRADE Customer Agreement 
(effective June 30, 2020), available at https://us.etrade.com/e/t/estation/contexthelp?id=1209031000); Bank of America Electronic 
Trading Terms and Conditions (Nov. 2020), available at https://www.bofaml.com/content/dam/boamlimages/documents/PDFs/baml_electronic_trading_platform_terms_final_12_03_2015.pdf).
---------------------------------------------------------------------------

3. The Commission's Exemptive Relief Regarding PII Reduces the Risk of 
a Serious Data Breach
    During negotiations regarding liability issues prior to the 
Administrative Proceeding, SIFMA focused on the allocation of liability 
between CAT LLC and Industry Members in the event of a data breach 
involving investors' personally identifiable information (``PII''). For 
example, SIFMA expressed concerns in correspondence dated November 11, 
2019 that focused on inclusion of PII in the CAT, and in a similar 
letter dated January 8, 2020 expressed concerns about bulk downloading 
of data and PII.\30\ The Participants appreciate those concerns and 
remain vigilant in taking all appropriate cybersecurity measures to 
protect customer information (and all CAT data). Further, the 
Commission subsequently granted the Participants' requested relief to 
no longer require that Industry Members report social security numbers, 
dates of birth, and full account numbers for individual retail 
customers.\31\
---------------------------------------------------------------------------

    \30\ In February 2020, SIFMA clarified that, in addition to PII 
concerns, a minority of Industry Members had refused to sign the 
Reporter Agreement due to concerns regarding the ability of third 
parties to reverse engineer their proprietary trading strategies.
    \31\ Order Granting Conditional Exemptive Relief, Pursuant to 
Section 36 and Rule 608(e) of the Securities Exchange Act of 1934, 
from Section 6.4(d)(ii)(C) and Appendix D Sections 4.1.6, 6.2, 
8.1.1, 8.2, 9.1, 9.2, 9.4, 10.1, and 10.3 of the National Market 
System Plan Governing the Consolidated Audit Trail, SEC Release No. 
34-88393 (Mar. 17, 2020).
---------------------------------------------------------------------------

    This plan amendment ``minimizes the risk of theft of SSNs--the most 
sensitive piece of PII--by allowing the elimination of SSNs from the 
CAT, while still facilitating the creation of a reliable and accurate 
Customer-ID.'' \32\ As discussed in detail by Charles River, and as the 
Commission has recognized, the exemptive relief limiting customer 
information to phonebook data (i.e., name, address, and birth year) 
substantially minimizes the risk of a data breach involving sensitive 
customer data.\33\ Due to this exemptive relief, the customer data 
stored in the CAT is comparable to the data reported to other 
regulatory reporting facilities, for which the Commission has 
previously approved limitations of liability.
---------------------------------------------------------------------------

    \32\ Id. at 19.
    \33\ Id. at 20 (``Reduction of these additional sensitive PII 
data elements in the CAT is expected to further reduce both the 
attractiveness of the database as a target for hackers and reduce 
the impact on retail investors in the event of an incident of 
unauthorized access and use.''); Appendix B at 19, 21.
---------------------------------------------------------------------------

4. The Proposed Limitation of Liability Provisions Are Necessary To 
Ensure the Financial Stability of the CAT
    Limiting CAT LLC's and the Participants' liability in the event of 
a potential data breach is critical to ensuring a secure financial 
foundation for the CAT. In approving the CAT NMS Plan, the Commission 
mandated that the Operating Committee ``shall seek . . . to build 
financial stability to support [CAT LLC] as a going concern.'' \34\ To 
that end, CAT LLC has obtained the maximum extent of cyber-breach 
insurance coverage available and has implemented a full cybersecurity 
program to safeguard data stored in the CAT, as required by Rule 613 
and the Plan. Nevertheless, considering the potential for substantial 
losses that may result from certain categories of low probability 
cyberbreaches,\35\ it is difficult to imagine how CAT LLC could ensure 
its solvency--as required by the CAT NMS Plan--without limiting its 
liability to Industry Members. Additionally, because the Commission has 
approved joint funding of CAT LLC by Industry Members and the 
Participants,\36\ the Limitation of Liability Provisions also protect 
the financial industry (and, in turn, the investing public) from the 
possibility of funding catastrophic losses.\37\
---------------------------------------------------------------------------

    \34\ CAT NMS Plan Sec.  11.2(f).
    \35\ See infra at 13; See generally Appendix B.
    \36\ See CAT NMS Plan at Sec. Sec.  11.1-11.2. The Commission 
recently reiterated its support for the CAT NMS Plan's joint-funding 
model, and explicitly rejected the industry's argument that the 
Participants should not be permitted to recover fees, costs, and 
expenses from Industry Members. See May 15, 2020 Amendments to the 
National Market System Plan Governing the Consolidated Audit Trail, 
SEC Release No. 34-88890; File No. S7-13-19, at 39-40.
    \37\ The CAT NMS Plan also mandates that the individual 
Participants shall not have any liability for any debts, 
liabilities, commitments, or any other obligations of CAT LLC or for 
any losses of CAT LLC. See CAT NMS Plan Sec.  3.8(b). Accordingly, 
the Commission has authorized the substance of the Limitation of 
Liability Provisions as to self-regulatory organizations. Notably, 
SIFMA and its constituent Industry Members did not object to this 
provision of the CAT NMS Plan during the extensive notice and 
comment period for the CAT NMS Plan.
---------------------------------------------------------------------------

5. An Economic Analysis Highlights the Importance of Limiting CAT LLC's 
and the Participants' Liability
    CAT LLC retained Charles River to conduct an economic analysis of 
liability issues in relation to a theoretical CAT data breach.\38\ 
There are two principal components to this analysis. First, Charles 
River identified specific potential breach scenarios that could impact 
the CAT, and quantified the likelihood and potential financial 
magnitude of each scenario.\39\ Second, Charles River applied economic 
principles regarding the costs and benefits of litigation to the 
question of whether a limitation of liability should appropriately be 
included in the Reporter Agreement.\40\
---------------------------------------------------------------------------

    \38\ In the Administrative Proceeding, SIFMA asserted that 
``[t]he public has a significant interest in the allocation of risk 
(and resulting incentives) relating to a potential CAT data breach 
to ensure that data is not misused, misappropriated or lost.'' SIFMA 
Br. at 15. The Participants agree and asked Charles River to 
specifically assess whether a limitation of liability provision 
properly incentivizes all economic actors to take appropriate 
precautions against cyber incidents. See Appendix B at 1.
    \39\ Appendix B at Section II.
    \40\ Appendix B at Section III.
---------------------------------------------------------------------------

    Charles River's extensive economic analysis supports CAT LLC's and 
the Participants' decision to limit their liability to Industry 
Members. As

[[Page 596]]

detailed in the Charles River white paper (the ``White Paper''), 
society can create incentives for economic actors--in this case, CAT 
LLC, the Participants, and FINRA CAT--to take precautions to minimize 
the costs of accidents and misconduct. These incentives can take 
various forms, including: (1) Enacting a regulatory regime that 
dictates specific ex ante rules that individuals and entities must 
follow, (2) asking courts to determine the appropriate standard of care 
ex post through litigation, or (3) a combination of both the regulatory 
and litigation approaches.\41\ From an economic perspective, the choice 
between these methods is informed by the goal of maximizing social 
welfare--i.e., ``the benefits [each] party derives from engaging in 
their activities, less the sum of the costs of precautions, the harms 
done, and the administrative expenses associated with the means of 
social control.'' \42\ Charles River applied the well-settled body of 
economic literature regarding the respective benefits and costs of 
regulation and litigation, and concluded that allowing Industry Members 
to litigate against CAT LLC, the Participants, and FINRA CAT would 
provide minimal benefits while imposing substantial costs for all 
participants in the U.S. securities markets, including the Commission, 
Industry Members, the Participants, and the investing public. Under 
these circumstances, the economic analysis weighs heavily against 
permitting litigation and in favor of the Limitation of Liability 
Provisions.\43\
---------------------------------------------------------------------------

    \41\ Appendix B at 3.
    \42\ Appendix B at 33 (citing Steven Shavell, ``Liability for 
Harm Versus Regulation of Safety,'' The Journal of Legal Studies, 
Vol. 13, No. 2 (June 1984), pp. 357-74).
    \43\ Appendix B at 53-54.
---------------------------------------------------------------------------

    As discussed in the White Paper, a critical component of potential 
litigation benefits is the extent to which permitting Industry Members 
to litigate against CAT LLC and the Participants would incentivize CAT 
LLC and the Participants to appropriately invest in cybersecurity 
precautions.\44\ Charles River addresses this question in the context 
of an extensive regulatory regime that the Commission enacted to govern 
CAT LLC's and the Plan Processor's cybersecurity policies, procedures, 
systems, and controls.\45\ After reviewing those measures from an 
economic perspective, Charles River concurs with the Commission's 
assessment ``that the extensive, robust security requirements in the 
adopted Plan . . . provide appropriate, adequate protection for the CAT 
Data'' and concludes that private litigation would not result in 
additional appropriate cybersecurity measures or produce other 
benefits.\46\ In fact, as parties that use the CAT to carry out their 
own regulatory functions, the Participants have a strong incentive 
(beyond the obligation to comply with the Commission rules governing 
the CAT) to ensure that the CAT is secure and operational.
---------------------------------------------------------------------------

    \44\ Appendix B at 38.
    \45\ Appendix B at 3.
    \46\ Order Approving the NMS Plan Governing the CAT, Section 
V.F.4, p. 715; Appendix B at 3, 54.
---------------------------------------------------------------------------

    The Participants note that Charles River's analysis is borne out by 
their extensive discussions with Industry Members regarding the 
cybersecurity of the CAT and liability issues.\47\ During negotiations 
with SIFMA prior to the launch of CAT reporting and the filing of the 
Administrative Proceeding, the Participants repeatedly asked SIFMA to 
identify specific deficiencies in the CAT's cybersecurity program. 
SIFMA was unable to do so, which is not surprising in light of CAT's 
robust cybersecurity.\48\ To the extent that Industry Members conclude 
that CAT LLC should make adjustments to its policies, procedures, 
systems, and controls, Industry Members (and other constituencies) have 
extensive avenues to provide feedback including through the Advisory 
Committee or by directly petitioning the Commission to amend the CAT 
NMS Plan.\49\ Industry Members' inability to identify any meaningful 
deficiencies underscores Charles River's conclusion that CAT LLC is 
already properly incentivized to take necessary cyber precautions. 
Allowing Industry Members to litigate against CAT LLC and the 
Participants would not further improve the CAT's cybersecurity or 
produce any other programmatic benefits.\50\
---------------------------------------------------------------------------

    \47\ As part of the Participants' efforts to give SIFMA and its 
members further comfort as to the security of the CAT system, and as 
suggested by the Commission, the Participants have offered to 
facilitate a meeting with security officials from the SROs and the 
Industry Members to discuss the CAT's extensive cybersecurity and 
respond to questions that might constructively address SIFMA's 
concerns. The Participants remain willing to facilitate this meeting 
and look forward to opportunities to foster an open dialogue 
regarding security issues with Industry Members.
    \48\ See, e.g., CAT NMS Plan, Section 6.6 (noting requirement 
that CAT LLC evaluate its information security program ``to ensure 
that the program is consistent with the highest industry standards 
for the protection of data'').
    \49\ As Charles River highlights, the sufficiency of the 
regulatory regime here is underscored by the ability of the 
Commission--whether in response to concerns from Industry Members or 
on its own initiative--to revise the applicable rules to impose 
additional cybersecurity measures on CAT LLC, the Plan Processor, 
and the Participants. See Appendix B at 43. The Commission has not 
hesitated to propose revisions when necessary, including, most 
recently in August 2020. See SEC Release No. 34-89632; File No. S7-
10-20, Proposed Amendments to the National Market System Plan 
Governing the Consolidated Audit Trail to Enhance Data Security 
(Aug. 21, 2020).
    \50\ Appendix B at 54.
---------------------------------------------------------------------------

    Charles River's analysis also highlights that, as heavily regulated 
entities, CAT LLC and the Participants have a strong incentive to 
comply with the Commission's rules--i.e., another advantage of the ex-
ante regulatory regime already in place.\51\ Moreover, as Charles River 
notes, regulatory systems are particularly appropriate where, as here, 
the regulator (i.e., the Commission) is enacting rules that are 
designed to govern one entity (i.e., CAT LLC).\52\ As a result, ``the 
regulatory system is tailored specifically on an ex-ante basis with 
rules targeted to this particular firm.'' \53\ As part of the 
regulatory regime, CAT LLC's cybersecurity policies, procedures, 
systems, and controls are subject to examination by the Office of 
Compliance Inspections and Examinations (on both a for-cause and 
cyclical basis).\54\ And any cybersecurity deficiencies could, of 
course, be referred to the Division of Enforcement for an investigation 
and potential enforcement action.\55\ As Charles River notes, this 
regulatory enforcement structure creates strong incentives for CAT LLC 
and the Participants to comply with the Commission's extensive cyber 
regulatory regime.\56\
---------------------------------------------------------------------------

    \51\ Appendix B at 39. It is also worth noting that the 
Commission has recently reiterated that ``[t]he security and 
confidentiality of CAT Data has been--and continues to be--a top 
priority of the Commission.'' SEC Release No. 34-89632; File No. S7-
10-20, Proposed Amendments to the National Market System Plan 
Governing the Consolidated Audit Trail to Enhance Data Security 
(Aug. 21, 2020), at 9.
    \52\ Appendix B at 3-4, 43.
    \53\ Appendix B at 43.
    \54\ Appendix B at 43.
    \55\ Appendix B at 3, 37.
    \56\ Appendix B at 3-4, 43.
---------------------------------------------------------------------------

    In assessing the value of permitting Industry Members to sue CAT 
LLC and the Participants, an economic analysis also must consider the 
costs of litigation. Charles River's White Paper addresses this 
question and concludes that the costs of litigating a potential CAT 
data breach are likely to be both substantial and unquantifiable on an 
ex-ante basis.\57\ Charles River also has identified ``several marginal 
operating costs'' that would result from eliminating a limitation of 
liability even in the absence of actual litigation, including costs 
associated with ``extra-marginal defensive investments in cyber risk 
protection, with reduced efficacy of the CAT system due to excess, 
litigation-driven security measures, or a cash build-up scheme that 
would be

[[Page 597]]

borne by the Participants/SROs and Industry Members who would 
ultimately pass those higher costs on to their customers, employees or 
owners.'' \58\ Critically, these added costs--whether resulting from 
litigation, investment in cybersecurity beyond optimal levels, or any 
other source--ultimately would be passed along to investors (including 
retail investors). These added costs will ``likely lead[ ] to reduced 
trading levels, reduced participation in markets by investors, or 
increased costs of raising capital.'' \59\ The White Paper also 
explains that excess cybersecurity measures driven by third-party 
litigation risk could reduce the CAT's effectiveness in serving the 
Commission's and the SROs' regulatory missions, and likewise could 
result in court-ordered security measures that conflict or interfere 
with the security regime adopted by the Commission.\60\ The combination 
here of no articulable benefit of allowing litigation coupled with 
costs that are potentially ``substantial'' and ``unquantifiable'' 
present the quintessential economic case in favor of a limitation of 
liability.
---------------------------------------------------------------------------

    \57\ Appendix B at 46.
    \58\ Appendix B at 46.
    \59\ Appendix B at 47. The Commission has a statutory obligation 
to consider efficiency, competition, and effects on capital 
formation when engaging in rulemaking. See 15 U.S.C. 77b(b); 15 
U.S.C. 78c(f); 15 U.S.C. 80a-2(c).
    \60\ Appendix B at 45.
---------------------------------------------------------------------------

    Charles River's analysis of potential breach scenarios further 
supports the need for CAT LLC, the Participants, and FINRA CAT to limit 
their liability to Industry Members. Charles River identified eight 
potential scenarios in which a bad actor could unlawfully obtain, 
utilize, and monetize CAT data.\61\ The analysis indicates that, in 
light of the CAT's extensive cybersecurity (among other reasons), most 
potential breaches are relatively low-frequency events because they are 
either difficult to implement, unlikely to be meaningfully profitable, 
or both.\62\ Charles River's review supports the Commission's 
conclusion that CAT LLC's cybersecurity program provides ``appropriate, 
adequate protection for the CAT Data.'' \63\ The Participants know of 
no valid basis for challenging that Commission finding.
---------------------------------------------------------------------------

    \61\ Appendix B at 2, 18-32.
    \62\ Appendix B at 18-32.
    \63\ Order Approving the NMS Plan Governing the CAT, Section 
V.F.4, p. 715.
---------------------------------------------------------------------------

    During the negotiations prior to the Administrative Proceeding, 
SIFMA focused extensively on the possibility of a hacker reverse 
engineering certain Industry Members' proprietary trading strategies. 
In that regard, Charles River's scenario analysis indicates that 
reverse engineering of trading algorithms--and two other potential 
breach scenarios--could result in ``extremely'' severe economic 
consequences (i.e., potentially greater than $100 million in 
damages).\64\ In light of CAT LLC's cybersecurity and the attendant 
difficulties that a bad actor would face in monetizing these scenarios, 
Charles River concluded that all three of these potential categories of 
breaches (including reverse engineering of trading algorithms) are 
relatively low-frequency events.\65\
---------------------------------------------------------------------------

    \64\ Appendix B at 2.
    \65\ Appendix B at 25. As Charles River explains, while ``[w]e 
ultimately deem it unlikely that a bad actor would seek to use CAT 
data in this way because of the difficulty in both achieving the 
hack as well as the effort to reverse engineer an algorithm, . . . 
[g]iven the potential value (severity) of this type of information, 
however, bad actors could be so motivated.''
---------------------------------------------------------------------------

    Even if these low probability scenarios occurred, there is no 
economic basis for shifting liability for potential catastrophic losses 
to CAT LLC or the Participants.\66\ Indeed, if CAT LLC or the 
Participants could be required to fund such substantial losses, it 
would need to be reflected in the funding structure for the CAT, and 
the portion of the losses that is funded by the Participants would 
effectively be passed on to all market participants, including retail 
investors. Shifting liability to CAT LLC or the Participants is 
fundamentally inconsistent with the Commission's longstanding views on 
allocation of liability between self-regulatory organizations and 
Industry Members memorialized in the Commission-approved rules of every 
securities exchange, and in agreements for NMS facilities, as well as 
regulatory reporting facilities.\67\
---------------------------------------------------------------------------

    \66\ Appendix B at 50.
    \67\ See supra at Section A3.
---------------------------------------------------------------------------

B. Governing or Constituent Documents

    Not applicable.

C. Implementation of Amendment

    The Participants propose to implement the Limitation of Liability 
Provisions by requiring all CAT Reporters and CAT Reporting Agents to 
execute revised agreements that contain the amended provisions.

D. Development and Implementation Phases

    The Participants propose to require CAT Reporters and CAT Reporting 
Agents to execute the revised agreements upon Commission approval of 
this Proposed Amendment.

E. Analysis of Impact on Competition

    The Participants do not believe the Proposed Amendment will have 
any impact on competition. The Proposed Amendment would require all CAT 
Reporters and CAT Reporting Agents to execute revised agreements that 
contain the amended provisions. Adopting the Proposed Amendment would, 
however, avoid the increased costs that would otherwise arise, and 
therefore would promote efficiency and capital formation in the U.S. 
securities markets. Indeed, the White Paper provides an extensive 
analysis indicating that the Proposed Amendment is the most efficient 
manner of addressing the allocation of liability in the event of a CAT 
data breach, and that other approaches (such as allowing third-party 
litigation) would generate few, if any, benefits while imposing 
significant costs.\68\
---------------------------------------------------------------------------

    \68\ See Appendix B at Sections III(A)-(D).
---------------------------------------------------------------------------

F. Written Understanding or Agreements Relating to Interpretation of, 
or Participation in, Plan

    Not applicable.

G. Approval by Plan Sponsors in Accordance With Plan

    Section 12.3 of the CAT NMS Plan states that, subject to certain 
exceptions, the Plan may be amended from time to time only by a written 
amendment, authorized by the affirmative vote of not less than two-
thirds of all of the Participants, that has been approved by the SEC 
pursuant to Rule 608 or has otherwise become effective under Rule 608. 
The Participants, by a vote of the Operating Committee taken on 
December 15, 2020 have authorized the filing of this Proposed Amendment 
with the SEC in accordance with the Plan.\69\
---------------------------------------------------------------------------

    \69\ The Participants remain willing to work with SIFMA in good 
faith to resolve any remaining differing perspectives on liability. 
Although we believe that the Limitation of Liability Provisions in 
Appendix A are appropriate, we look forward to constructively 
engaging with SIFMA during the comment process to address any 
concerns that Industry Members may have.
---------------------------------------------------------------------------

H. Description of Operation of Facility Contemplated by the Proposed 
Amendment and Any Fees or Charges in Connection Thereto

    Not applicable.

I. Terms and Conditions of Access

    Any CAT Reporter or CAT Reporting Agent that fails to execute a 
revised agreement with the Limitation of Liability Provisions will not 
be permitted to transmit data to the CAT. Pursuant to the court's 
decision in NASDAQ Stock Market, LLC v. SEC, 961 F.3d 421 (D.C. Cir. 
2020), this restriction will not constitute a denial of access to 
services within the meaning of Section 19(d) of the Exchange Act.

[[Page 598]]

J. Method and Frequency of Processor Evaluation

    Not applicable.

K. Dispute Resolution

    Not applicable.

III. Solicitation of Comments

    Interested persons are invited to submit written data, views and 
arguments concerning the foregoing, including whether the amendment is 
consistent with the Exchange Act. Comments may be submitted by any of 
the following methods:

Electronic Comments

     Use the Commission's internet comment form (http://www.sec.gov/rules/sro.shtml); or
     Send an email to rule-comments@sec.gov. Please include 
File Number 4-698 on the subject line.

Paper Comments

     Send paper comments to Secretary, Securities and Exchange 
Commission, 100 F Street NE, Washington, DC 20549-1090.

All submissions should refer to File Number 4-698. This file number 
should be included on the subject line if email is used. To help the 
Commission process and review your comments more efficiently, please 
use only one method. The Commission will post all comments on the 
Commission's internet website (http://www.sec.gov/rules/sro.shtml). 
Copies of the submission, all subsequent amendments, all written 
statements with respect to the proposed plan amendment that are filed 
with the Commission, and all written communications relating to the 
amendment between the Commission and any person, other than those that 
may be withheld from the public in accordance with the provisions of 5 
U.S.C. 552, will be available for website viewing and printing in the 
Commission's Public Reference Room, 100 F Street NE, Washington, DC 
20549, on official business days between the hours of 10:00 a.m. and 
3:00 p.m. Copies of such filing also will be available for inspection 
and copying at the Participants' offices. All comments received will be 
posted without change. Persons submitting comments are cautioned that 
we do not redact or edit personal identifying information from comment 
submissions. You should submit only information that you wish to make 
available publicly. All submissions should refer to File Number 4-698 
and should be submitted on or before January 27, 2021.

    For the Commission, by the Division of Trading and Markets, 
pursuant to delegated authority.\70\
---------------------------------------------------------------------------

    \70\ 17 CFR 200.30-3(a)(85).
---------------------------------------------------------------------------

J. Matthew DeLesDernier,
Assistant Secretary.

APPENDIX A

Limited Liability Company Agreement of Consolidated Audit Trail, LLC

* * * * *

Article XII

[proposed additions]

* * * * *
    Section 12.15. Limitation of Liability. Each CAT Reporter shall 
be required to execute an amended Consolidated Audit Trail Reporter 
Agreement containing, in substance, the limitation of liability 
provisions in Appendix E to this Agreement. Each Person engaged by a 
CAT Reporter to report CAT Data to the Central Repository on behalf 
of such CAT Reporter shall be required to execute an amended 
Consolidated Audit Trail Reporting Agent Agreement containing, in 
substance, the limitation of liability provisions in Appendix F to 
this Agreement. The Operating Committee shall have authority in its 
sole discretion to make non-substantive amendments to the limitation 
of liability provisions in the Consolidated Audit Trail Reporter 
Agreement and the Consolidated Audit Trail Reporting Agent 
Agreement.
* * * * *

Appendix E

[proposed additions]

* * * * *

Limitation of Liability Provisions in the CAT Reporter Agreement

    5.4. Disclaimer. EXCEPT AS EXPRESSLY SET FORTH IN SECTION 5.1 OF 
THIS AGREEMENT, CATLLC MAKES NO REPRESENTATIONS OR WARRANTIES, ORAL 
OR WRITTEN, EXPRESS OR IMPLIED, INCLUDING ANY IMPLIED WARRANTY OF 
MERCHANTABILITY, QUALITY, FITNESS FOR A PARTICULAR PURPOSE, 
COMPLIANCE WITH APPLICABLE LAWS, NON-INFRINGEMENT OR TITLE, 
SEQUENCING, TIMELINESS, ACCURACY OR COMPLETENESS OF INFORMATION, OR 
THOSE ARISING BY STATUTE OR OTHERWISE IN LAW, OR FROM A COURSE OF 
DEALING OR USAGE OF TRADE, REGARDING THE CAT SYSTEM OR ANY OTHER 
MATTER PERTAINING TO THIS AGREEMENT. CAT REPORTER ACCEPTS SOLE 
RESPONSIBILITY FOR ITS ACCESS TO AND USE OF THE CAT SYSTEM.
    5.5. Limitation of Liability. TO THE EXTENT PERMITTED BY LAW, 
UNDER NO CIRCUMSTANCES SHALL THE TOTAL LIABILITY OF CATLLC OR ANY OF 
ITS REPRESENTATIVES TO CAT REPORTER UNDER THIS AGREEMENT FOR ANY 
CALENDAR YEAR EXCEED THE LESSER OF THE TOTAL OF THE FEES ACTUALLY 
PAID BY CAT REPORTER TO CATLLC FOR THE CALENDAR YEAR IN WHICH THE 
CLAIM AROSE OR FIVE HUNDRED DOLLARS ($500.00). FOR AVOIDANCE OF 
DOUBT, THE TERM ``REPRESENTATIVES'' IN SECTION 5 AND THROUGHOUT THIS 
AGREEMENT SHALL INCLUDE EACH OF THE PARTICIPANTS, THE PLAN PROCESSOR 
AND ANY OTHER SUBCONTRACTORS OF THE PLAN PROCESSOR OR CATLLC 
PROVIDING SOFTWARE OR SERVICES IN CONNECTION WITH THE CAT SYSTEM, 
AND ANY OF THEIR RESPECTIVE AFFILIATES AND ALL OF THEIR DIRECTORS, 
MANAGERS, OFFICERS, EMPLOYEES, CONTRACTORS, SUBCONTRACTORS, ADVISORS 
AND AGENTS.
    5.6. Damage Exclusion. TO THE EXTENT PERMITTED BY LAW, UNDER NO 
CIRCUMSTANCES SHALL CATLLC OR ANY OF ITS REPRESENTATIVES BE LIABLE 
TO CAT REPORTER OR ANY OTHER PERSON FOR LOST REVENUES, LOST PROFITS, 
LOSS OF BUSINESS, OR ANY INCIDENTAL, CONSEQUENTIAL, SPECIAL, 
EXEMPLARY, PUNITIVE OR OTHER DIRECT OR INDIRECT DAMAGES OF ANY KIND 
OR NATURE, INCLUDING, SUCH DAMAGES ARISING FROM ANY BREACH OF THIS 
AGREEMENT, OR ANY TERMINATION OF THIS AGREEMENT, WHETHER SUCH 
LIABILITY IS ASSERTED ON THE BASIS OF CONTRACT, TORT OR OTHERWISE, 
WHETHER OR NOT FORESEEABLE, EVEN IF CAT REPORTER OR ANY OTHER PERSON 
HAS BEEN ADVISED OR WAS AWARE OF THE POSSIBILITY OF SUCH LOSS OR 
DAMAGES.
    5.7. Data Exclusion. TO THE EXTENT PERMITTED BY LAW, UNDER NO 
CIRCUMSTANCES SHALL CATLLC OR ANY OF ITS REPRESENTATIVES BE LIABLE 
FOR ANY INCONVENIENCE CAUSED BY THE LOSS OF ANY DATA, FOR THE LOSS 
OR CORRUPTION OF ANY CAT REPORTER DATA OR FOR ANY DELAYS OR 
INTERRUPTIONS IN THE OPERATION OF THE CAT SYSTEM FROM ANY CAUSE.
* * * * *

Appendix F

[proposed additions]

* * * * *

Limitation of Liability Provisions in the CAT Reporting Agent Agreement

    5.4 Disclaimer. EXCEPT AS EXPRESSLY SET FORTH IN SECTION 5.1 OF 
THIS AGREEMENT, CATLLC MAKES NO REPRESENTATIONS OR WARRANTIES, ORAL 
OR WRITTEN, EXPRESS OR IMPLIED, INCLUDING ANY IMPLIED WARRANTY OF 
MERCHANTABILITY, QUALITY, FITNESS FOR A PARTICULAR PURPOSE, 
COMPLIANCE WITH APPLICABLE LAWS, NON-INFRINGEMENT OR TITLE, 
SEQUENCING, TIMELINESS, ACCURACY OR COMPLETENESS OF INFORMATION, OR 
THOSE ARISING BY STATUTE OR OTHERWISE IN LAW, OR FROM A COURSE OF 
DEALING OR USAGE OF TRADE, REGARDING THE CAT SYSTEM OR ANY OTHER 
MATTER PERTAINING TO THIS AGREEMENT. CAT REPORTING AGENT ACCEPTS 
SOLE RESPONSIBILITY FOR ITS ACCESS TO AND USE OF THE CAT SYSTEM.

[[Page 599]]

    5.5 Limitation of Liability. TO THE EXTENT PERMITTED BY LAW, 
UNDER NO CIRCUMSTANCES SHALL THE TOTAL LIABILITY OF CATLLC OR ANY OF 
ITS REPRESENTATIVES TO CAT REPORTING AGENT UNDER THIS AGREEMENT FOR 
ANY CALENDAR YEAR EXCEED THE LESSER OF THE TOTAL OF THE FEES 
ACTUALLY PAID TO CATLLC BY THE CAT REPORTER THAT ENGAGED CAT 
REPORTING AGENT FOR THE CALENDAR YEAR IN WHICH THE CLAIM AROSE OR 
FIVE HUNDRED DOLLARS ($500.00). FOR AVOIDANCE OF DOUBT, THE TERM 
``REPRESENTATIVES'' IN SECTION 5 AND THROUGHOUT THIS AGREEMENT SHALL 
INCLUDE EACH OF THE PARTICIPANTS, THE PLAN PROCESSOR AND ANY OTHER 
SUBCONTRACTORS OF THE PLAN PROCESSOR OR CATLLC PROVIDING SOFTWARE OR 
SERVICES IN CONNECTION WITH THE CAT SYSTEM, AND ANY OF THEIR 
RESPECTIVE AFFILIATES AND ALL OF THEIR DIRECTORS, MANAGERS, 
OFFICERS, EMPLOYEES, CONTRACTORS, SUBCONTRACTORS, ADVISORS AND 
AGENTS.
    5.6 Damage Exclusion. TO THE EXTENT PERMITTED BY LAW, UNDER NO 
CIRCUMSTANCES SHALL CATLLC OR ANY OF ITS REPRESENTATIVES BE LIABLE 
TO CAT REPORTING AGENT OR ANY OTHER PERSON FOR LOST REVENUES, LOST 
PROFITS, LOSS OF BUSINESS, OR ANY INCIDENTAL, CONSEQUENTIAL, 
SPECIAL, EXEMPLARY, PUNITIVE OR OTHER DIRECT OR INDIRECT DAMAGES OF 
ANY KIND OR NATURE, INCLUDING, SUCH DAMAGES ARISING FROM ANY BREACH 
OF THIS AGREEMENT, OR ANY TERMINATION OF THIS AGREEMENT, WHETHER 
SUCH LIABILITY IS ASSERTED ON THE BASIS OF CONTRACT, TORT OR 
OTHERWISE, WHETHER OR NOT FORESEEABLE, EVEN IF CAT REPORTING AGENT 
OR ANY OTHER PERSON HAS BEEN ADVISED OR WAS AWARE OF THE POSSIBILITY 
OF SUCH LOSS OR DAMAGES.
    5.7 Data Exclusion. TO THE EXTENT PERMITTED BY LAW, UNDER NO 
CIRCUMSTANCES SHALL CATLLC OR ANY OF ITS REPRESENTATIVES BE LIABLE 
FOR ANY INCONVENIENCE CAUSED BY THE LOSS OF ANY DATA, FOR THE LOSS 
OR CORRUPTION OF ANY DATA SUBMITTED BY CAT REPORTING AGENT OR FOR 
ANY DELAYS OR INTERRUPTIONS IN THE OPERATION OF THE CAT SYSTEM FROM 
ANY CAUSE.
* * * * *

Appendix B

White Paper: Analysis of Economic Issues Attending the Cyber Security 
of the Consolidated Audit Trail

Date: December 18, 2020

Table of Contents

I. Introduction
II. Cyber Security Risk Analysis
    A. Overall Cost of Cybercrime
    B. Parties Harmed by Cybercrime
    C. Types of Bad Actors, Motivations, and Methods
    D. Cyber Breaches Relevant to CAT, LLC Including Frequency, 
Severity, and Relative Difficulty of Implementation
    1. Summary Level Data
    2. Breach Data Specifically Relevant to CAT, LLC
    E. Summary
III. Economic and Public Policy Analysis of Cyber Security for CAT 
LLC
    A. The Choice Between Regulation and Litigation
    B. Economic Determinants of the Relative Attractiveness of 
Regulation or Litigation To Control Risk
    C. Special Considerations Arising for the CAT's Cyber Security
    D. Assessment of Regulation and Litigation Approaches as Applied 
to a Potential CAT LLC Cyber Breach
    1. Recapitulation of CAT's Risks, Standards, Policies, and 
Practices
    2. Alignment of Incentives
    3. Additional Costs of Litigation
    4. Examples of Existing Limitation on Liability Provisions
    E. Initial Thoughts on Funding Compensation Mechanisms
IV. Conclusion
V. Qualifications of Authors/Investigators
VI. Research Program and Bibliography

I. Introduction

    Charles River Associates (``CRA'') \1\ has been asked by a group 
of national securities exchanges \2\ and the Financial Industry 
Regulatory Authority, Inc. (``FINRA'') (collectively 
``Participants'' or ``SROs'') to assess the economic aspects of a 
potential cyber breach as a result of the operation of the 
Consolidated Audit Trail (``CAT''). The CAT is being implemented by 
the Participants in response to Rule 613, which the SEC adopted in 
2012. Rule 613 was adopted to improve the regulation of U.S. equity 
and option markets by requiring the collection, storage, and access 
to a wide range of equity and option transactions and orders. The 
CAT exists so that the SEC and the SROs can more effectively monitor 
and regulate the subject securities markets to improve their 
transparency, robustness, and efficiency for the benefit of the 
investing public and capital markets as a whole.
---------------------------------------------------------------------------

    \1\ The identification and qualifications of CRA's authors/
principal investigators for this White Paper are presented in 
Section V below.
    \2\ As of January 2020, these consisted of: (1) BOX Exchange 
LLC, (2) Cboe BYX Exchange, Inc., (3) Cboe BZX Exchange, Inc., (4) 
Cboe EDGA Exchange, Inc., (5) Cboe EDGX Exchange, Inc., (6) Cboe C2 
Exchange, Inc., (7) Cboe Exchange, Inc., (8) Investors Exchange LLC, 
(9) Long Term Stock Exchange, Inc., (10) Miami International 
Securities Exchange LLC, (11) MIAX Emerald, LLC, (12) MIAX PEARL, 
LLC, (13) NASDAQ BX, Inc., (14) Nasdaq GEMX, LLC, (15) Nasdaq ISE, 
LLC, (16) Nasdaq MRX, LLC, (17) NASDAQ PHLX LLC, (18) The NASDAQ 
Stock Market LLC, (19) New York Stock Exchange LLC, (20) NYSE 
American LLC, (21) NYSE Arca, Inc., (22) NYSE Chicago, Inc., and 
(23) NYSE National, Inc. In addition, a new member-owned equities 
trading platform, Members Exchange (``MEMX LLC'') launched in 
September 2020. These entities plus FINRA have been designated as 
``Participants'' of the CAT NMS Plan and are self-regulatory 
organizations (``SROs'') under the Securities Exchange Act of 1934. 
See Securities and Exchange Commission, Order Granting Conditional 
Exemptive Relief, Pursuant to Section 36 and Rule 608(e) of the 
Securities Exchange Act of 1934, from Section 6.4(d)(ii)(C) and 
Appendix D Sections 4.1.6, 6.2, 8.1.1, 8.2, 9.1, 9.2, 9.4, 10.1, and 
10.3 of the National Market System Plan Governing the Consolidated 
Audit Trail, Release No. 34-88393, March 17, 2020, p. 1, hereafter 
``SEC, March 17, 2020 Order.''
---------------------------------------------------------------------------

    The Participants and the securities industry agree that the CAT 
database contains sensitive information and the SEC has mandated 
extensive security requirements be implemented to protect the data 
from a wide range of cyber breaches. After considering the overall 
costs and benefits of the CAT, the SEC already has concluded that 
the cyber security requirements it imposed on the CAT sufficiently 
serve the public interest.\3\
---------------------------------------------------------------------------

    \3\ Securities and Exchange Commission, Joint Industry Plan; 
Order Approving the National Market System Plan Governing the 
Consolidated Audit Trail, Release No. 34-79318, November 15, 2016, 
hereafter ``SEC, Order Approving CAT,'' Section IV. Discussion and 
Commission Findings, pp. 126-127.
---------------------------------------------------------------------------

    The analyses presented in this paper support the Participants' 
proposal to adopt a limitation of liability provision in the CAT 
Reporter Agreement. Based on (1) an examination of specific 
potential breach scenarios and (2) a consideration of the economic 
and public policy elements of various regulatory and litigation 
approaches to mitigate cyber risk for the CAT, this paper concludes 
that a limitation on liability provision would serve the public 
interest in several ways. First, such a provision would facilitate 
the regulation of the U.S. equity and option markets at lower 
overall costs and higher economic efficacy than other approaches, 
such as allowing Industry Members \4\ to litigate against CAT LLC. 
Second, the proposed limitation on liability would not undermine CAT 
LLC's existing and significant incentives to protect the data stored 
in the CAT system.
---------------------------------------------------------------------------

    \4\ ``Industry Member'' is defined as, ``a member of a national 
securities exchange or a member of a national securities 
association'' in the ``Limited Liability Company Agreement of CAT 
NMS, LLC,'' p.5. The Securities Industry and Financial Markets 
Association (``SIFMA'') has represented their interests in this SEC 
rule-making endeavor.
---------------------------------------------------------------------------

    Summary: Cyber Breach Analysis. The first analysis we present is 
to identify specific potential breach scenarios and assess the 
relative difficulty of implementation, relative frequency, and 
conditional severity of each. As part of this assessment, we 
identified eight potential scenarios in which bad actors could 
attempt to unlawfully obtain, utilize, and monetize CAT data. Of 
course, we recognize that cyber-attacks on the CAT could vary from 
the scenarios we hypothesize, but we offer them to provide a 
framework to assess the economic exposures that flow from the 
gathering, storage, and use of CAT data. Our risk analysis indicates 
that most of these scenarios are relatively low frequency events 
because they are either difficult to implement, unlikely to be 
meaningfully profitable for a bad actor, or both.
    The scenario analysis also indicates that three types of 
breaches--reverse engineering of trading algorithms, inserting fake 
data to

[[Page 600]]

wrongfully incriminate individuals or entities, and removing data to 
conceal misconduct--could result in ``extremely'' severe economic 
consequences (which we define as potentially greater than $100 
million in damages). We conclude that all three of these types of 
breaches are relatively low frequency events.
    Summary: Regulation vs. Litigation to Mitigate Cyber Risk for 
the CAT. The second analysis we present focuses on whether the cyber 
risk posed by CAT should be addressed through ex-ante regulation, ex 
post litigation, or a combination of both approaches. In a prior 
version of the CAT Reporter Agreement, CAT LLC included a limitation 
of liability provision, which memorialized the Participants' view 
that Industry Members should not be able to litigate against CAT LLC 
or the Participants to recover damages sustained as a result of a 
cyber breach. Although the current operative version of the Reporter 
Agreement does not contain a limitation of liability, we understand 
that CAT LLC is submitting this White Paper in connection with CAT 
LLC's request that the SEC amend the CAT NMS Plan to authorize such 
a provision. We understand that the Industry Members have opposed 
any limitation of liability provision and contend that CAT LLC, as 
the party holding the CAT data, should be subject to litigation by 
the Industry Members in the event of a cyber breach.
    In deciding whether to approve Participants' proposed plan 
amendment, an important question for the SEC to address is whether, 
in light of the extensive cyber requirements already imposed on CAT 
LLC through regulation, the SEC-mandated nature of the CAT, and the 
ability of the SEC to bring enforcement actions to compel 
compliance, it is appropriate to also allow Industry Members to sue 
CAT LLC and the Participants. As part of our analysis, we 
specifically assess whether including a limitation of liability 
provision in the CAT Reporter Agreement is appropriate from the 
perspective of economic theory as applied to the specifics of this 
situation.
    By applying the economic principles of liability and regulation 
as a means of motivating risk-minimizing behavior and considering 
the crucial role of the SEC's mandates regarding cyber security for 
the CAT (which already incorporate the concerns of entities involved 
in the National Market System as a whole), we conclude that the 
regulatory approach leads to the socially desirable level of 
investment in cyber security and protection of CAT data. We further 
conclude that SIFMA's position, which advocates allowing Industry 
Members to litigate against CAT LLC and the Participants in the 
event of a cyber breach, would result in increased costs for various 
economic actors--including CAT LLC, the Participants, Industry 
Members, and retail investors--without any meaningful benefit to the 
CAT's cyber security. At a high level (and as discussed in extensive 
detail below), we therefore conclude that CAT LLC's proposal to 
limit its liability and the liability of the Participants is well 
supported by applicable economic principles in the framework of the 
SEC's mission and its mandates regarding the CAT.
    As a general matter, economic theory provides that society can 
motivate economic actors to take appropriate precautions to minimize 
the likelihood and consequences of accidents and misconduct through: 
(a) A regulatory approach (i.e., dictating specific precautions, 
requirements, and standards in advance), (b) a litigation approach 
(i.e., civil liability for damages caused by failing to adhere to a 
general standard of care), or (c) a combination of (a) and (b). At 
the outset, we note that we do not address this question in a 
vacuum. Rather, we conduct our examination in the context of an 
extensive regulatory program that the SEC has enacted mandating 
specific cyber standards, policies, procedures, systems, and 
controls that CAT LLC and the Plan Processor must implement. This 
regulatory regime was developed with extensive feedback from the 
securities industry (e.g., through the Development Advisory Group 
and the Advisory Committee) and is subject to ongoing review and 
modification through a public review and comment process. Moreover, 
CAT LLC's compliance with the requirements of this regulatory regime 
can be policed by the SEC's Enforcement Division. We also note that 
in adopting the CAT NMS Plan, the SEC concluded that the regulatory 
approach to cyber security was sufficient when it stated that ``the 
extensive, robust security requirements in the adopted [CAT NMS] 
Plan . . . provide appropriate, adequate protection for the CAT 
Data.'' \5\
---------------------------------------------------------------------------

    \5\ SEC, Order Approving CAT, Section V.F.4. Economic Analysis, 
Expected Costs of Security Breaches, p. 715.
---------------------------------------------------------------------------

    In light of this existing regulatory regime, the relevant 
question is whether the benefits of allowing Industry Members to 
litigate against their regulators in the event of a CAT data breach 
outweigh the costs. An application of economic principles indicates 
that they do not. As heavily regulated entities, the Participants 
are obligated to comply with all SEC requirements and maintain an 
effective cyber security program. And to the extent that CAT LLC and 
the Participants fail to comply with the SEC's regulatory regime, 
the SEC could compel compliance by bringing enforcement actions. 
Moreover, regulatory systems are particularly appropriate where, as 
here, the regulator (i.e., the Commission) is enacting rules that 
are designed to govern one entity (i.e., CAT LLC). Further, the 
SEC's regulatory process for the CAT permits parties affected by the 
operation of the CAT to stay informed of the operation of the CAT's 
cyber risk program and to advocate for and incorporate any broader 
security concerns that may arise. Indeed, there already exist 
examples where Industry Members have exercised these rights and 
successfully sought changes in the CAT's cyber security program. 
Under these circumstances, allowing Industry Members to further 
litigate against the Participants for damages resulting from cyber 
breaches would not better align the incentives or meaningfully 
increase the motivation of CAT LLC, the Plan Processor, or the 
Participants to pursue additional economically appropriate measures 
to reduce the frequency and severity of cyber breaches. Allowing 
these lawsuits would, however, increase costs to the Participants 
and Industry Members, much of which would be passed on to underlying 
investors. Where, as here, the costs of adding a litigation regime 
to an existing regulatory regime are high, and the expected benefits 
are low, there is no economic justification for allowing additional 
litigation.
    It is also important to note that the CAT has no paying 
customers and is fully funded by Participants and Industry Members 
who, ultimately, pass those costs on to the investing public. CAT 
LLC's funding is designed to cover costs only, and its balance sheet 
is not intended to develop and hold assets available to compensate 
Industry Members or others who may be harmed in the event of a cyber 
breach.
    We conclude, therefore, that the risk presented by a cyber 
breach of the CAT should be addressed through the regulatory 
approach that the SEC has already adopted. The limitation of 
liability provision in CAT LLC's proposed amended Reporter Agreement 
is therefore appropriate. In this regard, we note that limitations 
of liability are ubiquitous in the securities industry and have 
effectively governed the economic relationships between the 
Participants and Industry Members for decades. We also observe that 
although SIFMA has objected to a limitation of liability on behalf 
of Industry Members, Industry Members generally require their 
respective customers--many of whom are retail investors--to agree to 
analogous limitation of liability provisions.
    An unfortunate fact of the cyber world is that the best 
standards, policies, and procedures all executed with perfection may 
not thwart every conceivable breach attempt. A successful cyber-
attack on the CAT could result in injury to Industry Members. Even 
in a purely regulated regime, it is appropriate to consider 
mechanisms that provide compensation to parties injured by a cyber-
attack on the regulated activity. It is worth noting that CAT LLC 
and the Plan Processer purchase insurance designed to provide 
compensation to harmed parties, up to pre-defined economically 
feasible limits. The cyber insurance program also provides the 
benefit of engaging additional third parties (i.e., the insurance 
carriers) who have incentives and abilities to monitor cyber 
security hygiene at the CAT and the Plan Processor.
    CAT LLC, the Participants, and the SEC could consider additional 
mechanisms beyond cyber insurance to compensate potentially harmed 
parties, including mechanisms similar to those used by federal 
vaccine programs or insolvency protections for pension funds or 
financial institutions. However, a careful evaluation of the costs, 
benefits, and incentives among the various parties associated with 
the CAT would need to be conducted to ensure that any new 
arrangement enhances economic welfare before any decision to further 
extend the current compensation scheme (i.e., CAT LLC's insurance) 
is made.
    Section II below examines a list of potential cyber threats, 
identifies those that may apply to the CAT, and provides an initial 
quantification of the harms that may

[[Page 601]]

befall the CAT and others should a cyber threat be successful. 
Section III addresses the economic theory behind liability 
assignment and the roles that markets, contracts, litigation, and 
regulation play. It highlights the duplicative and overall cost-
raising nature of the Industry Members' litigation proposal. It 
explains how the SEC's regulatory approach along with the efforts of 
the CAT, the Plan Processor, and the Advisory Committee, work to 
align the incentives of the CAT and the Plan Processor to mitigate 
the cyber risks and ensure the fairness of the Participants' 
proposed limitation on liability. Section IV contains some 
concluding comments. Section V presents the qualifications of the 
authors/principal investigators of this White Paper. Section VI 
summarizes the research undertaken for this White Paper and contains 
the bibliography.

II. Cyber Security Risk Analysis

    In this section we discuss the economic risk associated with bad 
actors wrongfully accessing the CAT system to monetize the data or 
to disrupt market surveillance. The CAT will store massive 
quantities of data that is unavailable anywhere else on a single 
system, which as Commissioner Pierce recently recognized, will 
``undoubtedly'' be a target for hackers.\6\ The CAT is the only data 
repository that collects and holds Customer and Customer Account 
Information \7\ along with all trading data from the participating 
U.S. securities exchanges.\8\ The compromise of this data, as 
discussed in further detail below, could harm broker/dealers, and 
exchanges, or undermine investor confidence in the markets 
themselves.
---------------------------------------------------------------------------

    \6\ Commissioner Pierce Statement on Proposed Amendments to the 
National Market System Plan Governing the Consolidated Audit Trail 
to Enhance Data Security, Aug. 21, 2020, https://www.sec.gov/news/public-statement/peirce-nms-cat-2020-08-21 accessed September 2020.
    \7\ The SEC proposes to ``delete the term ``PII'' from the CAT 
NMS Plan and replace that term with ``Customer and Account 
Attributes'' as that would more accurately describe the attributes 
that must be reported to the CAT, now that ITINs/SSNs, dates of 
birth and account numbers would no longer be required to be reported 
to the CAT pursuant to the amendments being proposed by the 
Commission.'' Additionally, the SEC proposes to delete the defined 
term ``PII'' from the CAT NMS Plan given the reporting of the most 
sensitive PII will no longer be required. The SEC proposes that 
``Customer and Account Attributes'' refer collectively to all the 
attributes in ``Customer Attributes'' and ``Account Attributes.'' 
The SEC proposes that ``Customer Attributes'' would include name, 
address, year of birth, the individual's role in the account or if a 
legal entity, the name, address, and Employer Identification Number 
and Legal Entity Identifier. The SEC proposes that ``Account 
Attributes'' would include account type, customer type, date account 
opened, and large trader identifier (if applicable). Securities and 
Exchange Commission, Amendments to the National Market System Plan 
Governing the Consolidated Audit Trail to Enhance Data Security, RIN 
3235-AM62, Release No. 34-89632, File No. S7-10-20, August 21, 2020, 
pp. 103-106.
    \8\ See SEC website, ``Rule 613 (Consolidated Audit Trail),'' 
https://www.sec.gov/divisions/marketreg/rule613-info.htm accessed 
September 2020.
---------------------------------------------------------------------------

    Given the importance of the CAT data, there are a variety of 
cyber security breach scenarios that, hypothetically, could occur 
and harm the CAT, the Plan Processor, the Participants, Industry 
Members, the investing public, the SEC's ability to surveil activity 
in the markets, and (conceivably) the functioning of U.S. securities 
markets.
    Below, we posit a range of potential cyber risk scenarios 
attendant to the CAT and derive estimated ranges of potential 
financial consequences arising from these exposures. We recognize 
cyber attacks on the CAT could vary from the scenarios we 
hypothesize, but we offer them to provide a framework to assess the 
economic exposures that flow from the gathering of a massive amount 
of sensitive trading, financial, and identifying data. Some of the 
scenarios present relatively small economic risk, while others 
present significant risk in terms of both financial consequence and 
the potential to undermine faith in the efficiency and fairness of 
U.S. markets.
    Overall, this section is organized as follows:

A. Overall Cost of Cybercrime
B. Parties Harmed by Cybercrime
C. Types of Bad Actors, Motivations, and Methods
D. Cyber Breaches Relevant to CAT, LLC Including Relative Difficulty 
of Implementation, Frequency and Severity
E. Summary

A. Overall Cost of Cybercrime

    ``Cybercrime is a growth industry'' and ``produces high returns 
at low risk and (relatively) low cost for the hackers.'' \9\
---------------------------------------------------------------------------

    \9\ The Center for Strategic and International Studies, ``Net 
Losses: Estimating the Global Cost of Cybercrime,'' June 2014, pp. 2 
and 4.
---------------------------------------------------------------------------

    Estimates of the worldwide cost of cybercrime are in the 
trillions of dollars per year and continuing to grow.
    (a) $3 trillion per year in 2015 and $6 trillion annually by 
2021 according to Cybersecurity Ventures.\10\
---------------------------------------------------------------------------

    \10\ Cybersecurity Ventures, ``Global Cybercrime Damages 
Predicted to Reach $6 Trillion Annually By 2021,'' Copyright 2020, 
https://cybersecurityventures.com/cybercrime-damages-6-trillion-by-2021/ accessed August 2020.
---------------------------------------------------------------------------

    (b) $3 trillion per year in 2019 to $5 trillion by 2024 
according to Juniper Research.\11\
---------------------------------------------------------------------------

    \11\ Juniper Research, ``Business Losses to Cybercrime Data 
Breaches to Exceed $5 Trillion By 2024,'' August 27, 2019, https://www.juniperresearch.com/press/press-releases/business-losses-cybercrime-data-breaches.
---------------------------------------------------------------------------

    In the United States, according to the Council of Economic 
Advisers, malicious cybercrime cost the U.S. economy between $57 
billion and $109 billion in 2016.\12\
---------------------------------------------------------------------------

    \12\ The Council of Economic Advisers, ``The Cost of Malicious 
Cyber Activity to the U.S. Economy, February 2018, p. 1, https://www.whitehouse.gov/wp-content/uploads/2018/03/The-Cost-of-Malicious-Cyber-Activity-to-the-U.S.-Economy.pdf.
---------------------------------------------------------------------------

    The size of the premiums paid for cyber insurance also provides 
a sense of the size of the cybercrime market. A recent report stated 
that $4.85 billion in cyber risk premiums were paid in 2018 and 
projected that figure to reach $28.6 billion by 2026.\13\ A recent 
report from the A.M. Best insurance credit rating agency found that 
``U.S. cyber insurance premiums grew again in 2019, up by 11% . . 
.'' ``Cyber insurance premiums will likely continue to rise . . . 
due to both rising claims costs and heightened risks . . . Over the 
past three years the number of cyber claims has doubled to 18,000 in 
2019, from 9,000 in 2017.'' \14\
---------------------------------------------------------------------------

    \13\ Allied Market Research website, Cyber Insurance Market by 
Company Size and Industry Vertical: Global Opportunity Analysis and 
Industry Forecast, 2019-2026, March 2020, https://www.alliedmarketresearch.com/cyber-insurance-market accessed August 
2020.
    \14\ Erin Ayers, ``US cyber market keeps growing, but pace 
slowed: AM Best,'' Advisen Front Page News, July 22, 2020 accessed 
August 2020.
---------------------------------------------------------------------------

B. Parties Harmed by Cybercrime

    Generally, we think of parties harmed by cybercrime falling into 
two groups. The first group are the parties whose system was 
breached, and the second are the other parties affected by the 
breach--the clients, customers, and vendors of the parties directly 
suffering the breach.\15\ CAT LLC and the Plan Processor, FINRA CAT, 
clearly fall in the first group as they collect and store the 
information subject to cyber breach risk. It is their system that is 
subject to the cyber risk. Industry Members (and their investor 
clients) fall into the second group of affected parties as it is 
information about them and their activities that is supplied to the 
CAT.
---------------------------------------------------------------------------

    \15\ See, for example, Camico website, ``Understanding First-
Party and Third-Party Cyber Exposures,'' https://www.camico.com/blog/understanding-cyber-exposures accessed September 2020.
---------------------------------------------------------------------------

    But that simple delineation does not cover all significant 
parties involved with supplying or accessing information from the 
CAT. The SROs also provide information to the CAT (some of the same 
information that is supplied by the Industry Members). As suppliers 
of information to the CAT, the interests of the SROs in cyber 
security at the CAT align with those of the Industry Members--a 
successful breach would compromise information on the CAT no matter 
if the original source were the Industry Members or the SROs. The 
SROs also, however, own and (through the CAT LLC Operating 
Committee) run the CAT. The SROs, therefore, face two risks arising 
from a cyber breach at the CAT: (1) Directly from the breach of the 
CAT as owners of CAT LLC; and (2) indirectly from the exposure of 
information they supplied to the CAT (similar to the Industry 
Members).
    The SEC is also a major user of the CAT in its efforts to 
regulate U.S. equity and option markets. The SEC's access to and use 
of CAT data is similar to that of the SROs and constitutes another 
source of cyber risk to CAT LLC. While the SEC does not own or 
directly operate the CAT, the CAT would not exist or operate absent 
the SEC's regulatory authority and associated oversight. The CAT, 
therefore, serves the regulatory needs of both the SROs and the SEC 
with the same functionality. In other words, the SEC's access to the 
CAT is every bit as broad as the SROs, who own and operate CAT LLC.
    In the context of the CAT, therefore, a simple delineation of 
two types of affected parties is not adequate to describe and 
understand the parties potentially affected by a cyber breach at the 
CAT. In addition, there are some important atypical economic 
relations and regulatory considerations that

[[Page 602]]

affect the liability decisions associated with the CAT and its 
operations.
    First, given that CAT and its activities are a regulatory 
mandate of the SEC, standard liability and indemnity approaches 
regarding the CAT's and the Plan Processor's scope and scale for 
decision-making cannot be straightforwardly applied. The CAT and the 
Plan Processor are substantially constrained in their cyber security 
program by mandates from the SEC that, in turn, involve significant 
input and advocacy on the part of other parties, including Industry 
Members.
    Second, related parties include the Participants/SROs. While 
these parties are legally distinct from CAT and the Plan Processor, 
their involvement and economic linkage is substantial. For example, 
the Participants have ownership interests in CAT LLC and the 
Operating Committee of CAT LLC, on which the Participants are all 
members, chooses the Plan Processor. In addition, operational 
funding for the CAT (and therefore, the Plan Processor) comes 
entirely from Participants and Industry Members. Although there are 
regulatory users who access CAT, there are no ``customers'' for 
CAT's services in a conventional sense.
    Third, CAT related decisions and actions of Industry Members are 
also mandated by the SEC and constrained by the SEC's oversight. 
There is a level of participation and information flow from and to 
the Industry Members (and other potentially interested groups) 
through the Advisory Committee, and previously the Development 
Advisory Group, and an attendant ability to influence the business 
operation and cyber security investments and practices that is not 
typically found in conventional business relationships.
    The typical economic distinctions between harms to parties with 
standard commercial relationships are much more amorphous with 
respect to the parties involved in the CAT. Any comprehensive 
analysis, therefore, requires careful distinctions and delineations 
between standard commercial relationships and parties involved in 
the CAT to understand the CAT's economic considerations of cyber 
security.

C. Types of Bad Actors, Motivations, and Methods

    Cybercrimes are conducted by both internal and external threat 
actors. According to a 2020 report by Verizon, approximately 70% of 
breaches in 2019 were caused by external actors with the other 30% 
being initiated by internal actors.\16\ The motivations of these 
actors are often financial, but cyber breaches also happen for 
ideological or personal reasons. Nation-states, for example, have 
used cyber breaches to advance regime goals (often focusing on 
impeding the efforts of their geopolitical rivals) and obtaining 
information that might benefit them politically or economically.\17\ 
Cybercriminals steal information to sell or extort payments from 
their targets. ``Hacktivists'' want to cause mayhem and influence 
the public. Sometimes, individuals are out for revenge against an 
entity or just want the bragging rights associated with a 
particularly brazen attack. At times, the malicious actors have 
multiple motivations--for example, ideology or revenge and financial 
remuneration. The 2020 Verizon report estimated that 90% of cyber 
breaches were motivated by financial considerations and 10% were 
initiated for espionage.\18\ The bad actors were 55% organized 
crime, with the next highest type being nation-state or state-
affiliated actors at around 10%. System administrators and end-users 
also comprised around 10% each of the bad actors.\19\
---------------------------------------------------------------------------

    \16\ Verizon, 2020 Data Breach Investigations Report, p. 10, 
Figure 7.
    \17\ See ScienceDirect website, ``Hacktivists,'' https://www.sciencedirect.com/topics/computer-science/hacktivists accessed 
September 2020. Also see, Department of Homeland Security, 
``Commodification of Cyber Capabilities: A Grand Cyber Bazaar,'' 
2019, p. 1 https://www.dhs.gov/sites/default/files/publications/ia/ia_geopolitical-impact-cyber-threats-nation-state-actors.pdf 
accessed August 2020.
    \18\ Verizon, 2020 Data Breach Investigations Report, p. 10, 
Figure 8.
    \19\ Verizon, 2020 Data Breach Investigations Report, p. 11, 
Figure 10.
---------------------------------------------------------------------------

    The methods used by the bad actors to perpetrate cyber breaches 
(alone or in combination) were around 45% hacking (use of stolen 
credentials), 22% error (e.g., mis-delivery), 22% social (e.g., 
phishing), 17% malware (e.g., password dumper), 8% misuse (privilege 
abuse), and 4% physical stealing (e.g., theft).\20\
---------------------------------------------------------------------------

    \20\ The total exceeds 100% because the bad actors could use one 
or more methods for each breach. See Verizon, 2020 Data Breach 
Investigations Report, p. 7, Figure 2.
---------------------------------------------------------------------------

D. Cyber Breaches Relevant to CAT, LLC Including Frequency, 
Severity, and Relative Difficulty of Implementation

    There are several firms that provide summary level data on the 
types of cybercrime events, along with information on how frequently 
they occur and the associated severity of economic losses. One 
entity, Advisen, maintains a database of over 90,000 cyber events, 
and allows subscribers to perform customized searches.\21\ In this 
paper, we have used the Advisen database to research frequency and 
severity for breaches we deemed specifically relevant to the types 
of data held on the CAT (Customer and Account Attributes and trade 
data).\22\ We further refined the types of cyber events we believe 
could potentially affect the CAT by using Advisen data, other 
publicly available sources, and our own experience.
---------------------------------------------------------------------------

    \21\ See Advisen website, https://www.advisenltd.com/data/cyber-loss-data/ accessed August 2020.
    \22\ The PII that exists in the CAT is name, address, and birth 
year. This PII data will be in a ``secure database physically 
separated from the transactional database. . .'' See SEC, March 17, 
2020 Order, pp. 12 and 20.
---------------------------------------------------------------------------

    We have posited scenarios where malicious actors could make use 
of the CAT data should they successfully gain access to the data. 
These scenarios, while not exhaustive of every type of potential 
cyber breach, are the product of our understanding of the data 
available in the CAT and how it might be used to generate wrongful 
benefits for threat actors.\23\ Some of the scenarios we discuss are 
more likely to be attempted, while others are more improbable. By 
their nature, the scenarios are general and therefore it is 
impossible to quantify the exact losses that could be generated by 
an unauthorized attack. As a frame of reference, based on the breach 
related losses experienced by Fortune 250 companies over the past 
decade, the losses range from the thousands of dollars to several 
billion.\24\ Therefore, our approach for each scenario is to 
determine the relative ease of implementing the scenario, the 
relative frequency of how often it could be successfully carried 
out, and the conditional severity of the financial loss that could 
stem from the event (assuming the scenario was carried out 
successfully).
---------------------------------------------------------------------------

    \23\ We believe that the scenarios we have posited are a useful 
way to characterize the economic risks facing the operation of the 
CAT, but we also recognize that any real-world hack could differ 
substantially from our scenarios in substantial ways.
    \24\ The distribution of breach losses for the Fortune 250 
extends from less than $1,000 to above $1 billion. The ``Typical'' 
breach loss is $471,000 while the ``Extreme'' breach loss is $93 
million. See Cyentia Institute, Information Risk Insights Study, A 
Clearer Vision for Assessing the Risk of Cyber Incidents, p. 21, 
Figure 15.
---------------------------------------------------------------------------

    Relative Difficulty of Implementation: With respect to our 
assessment of the relative difficulty of implementation, we begin 
with an assumption that threat actors could breach the system, but 
then consider the number of databases the threat actors would need 
to breach, the extent to which the data would need to be manipulated 
for it to be useful, and the level of difficulty they would face in 
making use of that ill-gotten data to implement the strategy in the 
scenario.
    Relative Frequency: The frequency assessment is based on our 
review of Advisen data for companies in the Fortune 250 for hacks 
similar to the ones we posit. We do not directly opine on the 
likelihood of successful hacks of the CAT, but instead use the 
Advisen data on successful hacks at large corporations to provide a 
subjective assessment of the relative frequency of a successful hack 
for each scenario we posit the CAT could face. We also consider the 
structural design of the CAT and the hurdles it presents to success 
of the strategy, as well as the attractiveness of the strategy 
because it could lead to a significant financial gain or achievement 
of a disruptive goal.
    Conditional Severity: The severity of the financial loss (based 
on our review of Advisen data) that could stem from the event 
assuming the scenario was carried out successfully. We deem the loss 
severity for a particular type of breach to be extreme if we 
consider the exposure to be more than $100 million per event (95th 
percentile loss in the Advisen data), high if we consider the 
exposure to be approximately $5-50 million, medium if we consider 
the exposure to be approximately $500,000, and low if we consider 
the exposure to be approximately $50,000 or less.\25\
---------------------------------------------------------------------------

    \25\ These amounts are based on the distribution of breach 
losses for the Fortune 250 over the past 10 years. See Cyentia 
Institute, Information Risk Insights Study, A Clearer Vision for 
Assessing the Risk of Cyber Incidents, 2020, p. 21, Figure 15.
---------------------------------------------------------------------------

    Below we first discuss summary descriptive statistics regarding 
cyber

[[Page 603]]

breaches and then the types of breaches we believe are specific 
risks faced by the CAT.

1. Summary Level Data

    Our review of available information on various aspects of cyber 
breaches led us to focus on periodic reports prepared by Ponemon 
Institute/IBM Security, Verizon, and Cyentia. While these entities 
do not report the same information in the same way, there appears to 
be a consensus that malicious attacks are the primary reasons for 
cyber breaches, and that the risk of a breach increases with firm 
size. The Fortune 250 are particularly frequent targets.\26\ 
Furthermore, the costs \27\ associated with dealing with large, 
mega, and extreme \28\ breaches, as shown in the table below, run 
from $10 million to $100 million or more. The costs of a breach 
include such items as detection and escalation costs, notification 
costs, post-data-breach response costs, and lost business costs.\29\
---------------------------------------------------------------------------

    \26\ The top 250 firms of the Fortune 1000 are nearly five times 
more likely to have a breach than the bottom 250. See Cyentia 
Institute, Information Risk Insights Study, A Clearer Vision for 
Assessing the Risk of Cyber Incidents, 2020, p. 8.
    \27\ The costs in the IBM Security report include both the 
direct and indirect expenses incurred by the organization. Direct 
expenses include engaging forensic experts, legal fees, outsourcing 
hotline support and providing free credit monitoring subscriptions 
and discounts for future products and services. Indirect costs 
include in-house investigations and communication, as well as the 
extrapolated value of customer loss resulting from turnover or 
diminished customer acquisition rates. See Ponemon Institute and IBM 
Security, Cost of a Data Breach Report 2020, p. 72. The costs in the 
Cyentia/Advisen report include losses related to productivity, 
response, replacement, competitive advantage, fines and judgments 
(including legal fees), and reputation. See Cyentia Institute 
Information Risk Insights Study, A Clearer Vision for Assessing the 
Risk of Cyber Incidents, 2020, p. 16. Also see, Teresa Suarez, ``A 
Crash Course on Capturing Loss Magnitude with the FAIR model,'' Fair 
Institute website, October 20, 2017, https://www.fairinstitute.org/blog/a-crash-course-on-capturing-loss-magnitude-with-the-fair-model 
accessed August 2020.
    \28\ The IBM Security report notes several levels of a mega 
breach, the first is 1 million to 10 million records and the largest 
is 50 million or more records. We refer to the first as a large 
breach (1 million to 10 million records) and the other as a mega 
breach (more than 50 million records). See Ponemon Institute and IBM 
Security, Cost of a Data Breach Report 2020, pp. 10 and 67. The 
Cyentia/Advisen report does not use the term ``mega breach'' but 
does note the cost of a breach of 100 million records. We label this 
as a ``mega breach'' to compare to the data in the IBM Security 
report. In addition, the Cyentia/Advisen also provides an ``extreme 
event'' figure on a cost basis alone, no records mentioned. Thus, we 
provided this information in its own column. See Cyentia Institute 
Information Risk Insights Study, A Clearer Vision for Assessing the 
Risk of Cyber Incidents, 2020, p. 3.
    \29\ See Ponemon Institute and IBM Security, Cost of a Data 
Breach Report 2020, p. 7.
    \30\ See Ponemon Institute and IBM Security, Cost of a Data 
Breach Report 2020, pp. 3, 30, 66-67, Verizon 2020 Data Breach 
Investigations Report, pp. 6-7, Figure 2, and Cyentia Institute 
Information Risk Insights Study, A Clearer Vision for Assessing the 
Risk of Cyber Incidents, 2020, pp. 3, 4, and 8.
[GRAPHIC] [TIFF OMITTED] TN06JA21.005

2. Breach Data Specifically Relevant to CAT, LLC

    The CAT data is unique and valuable because it is the only data 
repository that collects and holds Customer and Account Attribute 
data and all trading data from all the U.S. equity and option 
exchanges.\31\ The compromise of this data, as discussed in further 
detail below, could cause harm in the form of investor losses, 
reputational harm, interference with market surveillance by the SROs 
and the SEC, and loss of investor confidence in the markets 
themselves. For the exchanges, the scale of potential liability 
could significantly financially harm those entities that constitute 
the national market system in the U.S. securities markets.\32\
---------------------------------------------------------------------------

    \31\ See SEC website, ``Rule 613 (Consolidated Audit Trail),'' 
https://www.sec.gov/divisions/marketreg/rule613-info.htm.
    \32\ The Securities Exchange Act of 1934 (Exchange Act) codified 
the legal status of exchanges as self-regulatory entities (SROs) 
under federal law. The Exchange Act vested exchanges with the 
responsibility to oversee trading on their respective markets and to 
regulate conduct of their members, including the responsibility to 
enforce compliance by their members with the Exchange Act. Thus, the 
Exchange Act reflected Congress' determination to rely upon self-
regulation as a fundamental component of the oversight and 
supervision of U.S. securities markets and their members. See 
Memorandum from SEC Division of Trading and Markets to SEC Market 
Structure Advisory Committee dated October 20, 2015 with the subject 
``Current Regulatory Model for Trading Venues and for Market Data 
Dissemination,'' pp. 1-2, https://www.sec.gov/spotlight/emsac/memo-regulatory-model-for-trading-venues.pdf.
---------------------------------------------------------------------------

    More specifically, the CAT Customer and Account Attributes 
database (the CAIS database) is the only database that exists that 
aggregates, across all U.S. stock exchanges, elements of PII (name, 
address, birth year) \33\ for the over 100 million people, 
companies,

[[Page 604]]

and trusts,\34\ that hold accounts trading U.S. equities and 
options. The CAT trade database (the MDS database) \35\ is the only 
database that aggregates, across all U.S. exchanges, all of the 
exchange-based equity and option trades by customer ID for those 
persons and entities. Further, the data in the CAT CAIS database is 
stored and processed in a separate, independent system from the MDS 
database. These systems are operated by different personnel. The 
data in the CAIS and MDS databases are encrypted independently of 
each other using different keys. The trade data (MDS database) is 
anonymized; there is no PII data present. Customer and Account 
Attributes data (CAIS database) is only accessible with limited 
permission and no data extraction is allowed, only interactive 
queries. Queries of any CAT data can only be done by the SEC and 
SROs via private line access; no public internet access.\36\
---------------------------------------------------------------------------

    \33\ The PII that exists in the CAT is name, address, and birth 
year. This PII data will be in a ``secure database physically 
separated from the transactional database. . .'' See SEC, March 17, 
2020 Order, pp. 12 and 20.
    \34\ There are approximately 330 million people in the United 
States. See United States Census Bureau website, the U.S. and World 
Population Clock, https://www.census.gov/popclock/ accessed 
September 2020. According to a FINRA study, around 32% of the 
national population have investments in non-retirement accounts (330 
million times 32% = 105.6 million non-retirement accounts. See FINRA 
Investor Education Foundation, ``Investors in the United States, A 
Report of the National Financial Capability Study,'' FINRA Investor 
Education Foundation, December, 2019, p. 3.
    \35\ See SEC, March 17, 2020 Order, p. 12. SEC., Order Approving 
CAT, The Limited Liability Company Agreement of CAT LLC, Appendix C-
4 and Appendix D-14.
    \36\ All CAT Data must be encrypted at rest and in flight using 
industry standard best practices. See SEC, Order Approving CAT, The 
Limited Liability Company Agreement of CAT LLC, p. 62, Appendix D-
11, and D-14.
[GRAPHIC] [TIFF OMITTED] TN06JA21.006


[[Page 605]]


    Given  the unique nature of the CAT data set, we are unable to 
find cyber breach events that exactly mirror potential CAT data 
breaches. However, we believe review of cyber breach events related 
to Finance and Insurance companies with greater than $1 billion 
revenue can serve as a helpful proxy. We used the Advisen database 
and other public sources to search for information on cyber breach 
events related to such companies.
---------------------------------------------------------------------------

    \37\ Please note this is based on the CAT NMS Plan and 
amendments. See, SEC, Order Approving CAT, pp. 47-48, SEC, Order 
Approving CAT, The Limited Liability Company Agreement of CAT LLC, 
p. 62, Appendix C-7 to C-9, Appendix D-14, and D-33 to D-34, SEC, 
March 17, 2020 Order, pp. 2, 4-5, 12, 15 and 20 and CAT Reporting 
Technical Specifications for Industry Members, Version 3.1.0 r2, 
April 21, 2020, p. 1 and 5-6.
---------------------------------------------------------------------------

    The summary chart below displays the results of filtering the 
Advisen database to obtain cyber breach data over the past 10 years 
associated with companies with $1 billion revenue or greater that 
are classified as Finance and Insurance companies in the North 
American Industry Classification system.\38\
---------------------------------------------------------------------------

    \38\ We deemed application of these filters to be reasonable 
since the CAT will hold more records than most large (>$1 Billion) 
corporations, and because the data the CAT stores is from companies 
that fall into the Finance and Insurance classification.
    \39\ Data pulled from Advisen Cyber OverVue, https://insite20twenty.advisen.com, on September 11, 2020.
---------------------------------------------------------------------------

BILLING CODE 8011-01-P
[GRAPHIC] [TIFF OMITTED] TN06JA21.007

BILLING CODE 8011-01-C
    Malicious breaches are the most common and the most 
expensive.\40\ Correspondingly, the Advisen data shows that for 
Finance and Insurance companies with $1 billion or

[[Page 606]]

greater in revenue that had a malicious cyber breach, those firms 
had 8.8 malicious cyber breaches, on average (median of 2), over the 
past 10 years.\41\ The average cost of these malicious breaches was 
$23.0 million with a median of $3.2 million.\42\
---------------------------------------------------------------------------

    \40\ See Ponemon Institute and IBM Security, Cost of a Data 
Breach Report 2020, pp. 29 and 31.
    \41\ The large difference between the median of 3 and average of 
13.3 breaches for this data set is attributable to the large degree 
of variance in the number of breaches by firm. In other words, a few 
firms experienced a very large number of breaches, increasing the 
average relative to the median.
    \42\ The large difference between the median cost of $3.2 
million and average cost of $23.0 million for a malicious breach in 
this data set is attributable to the large degree of variance in the 
cost per breach by firm. In other words, a few firms experienced a 
very large cost per breach, increasing the average relative to the 
median.
---------------------------------------------------------------------------

    The asset most frequently compromised was personal financial 
information (``PFI'').\43\ We examined the top 10 PFI loss breaches 
from the Advisen database and found that the top 10 losses ranged 
from $11.7 million to $2.5 billion (Equifax).\44\ The second highest 
loss for PFI after Equifax was $188.7 million (Wells Fargo).\45\
---------------------------------------------------------------------------

    \43\ Advisen defines PFI or personal financial information as 
credit/debit card details, social security numbers, banking 
financial records (account numbers, routing numbers, etc.). Advisen 
defines PII or personal identifiable information as data containing 
identifying information, including name, address, email, date of 
birth, gender, etc. See Advisen's Cyber OverVue User Guide, January 
2020, p. 26. Also, ``The compromise of the Confidentiality of 
Personal data leads the pack among attributes affected in 
breaches,'' See Verizon 2020 Data Breach Investigations Report, p. 
29. ``More than half of all cybercrime incidents investigated by 
CyberScout involved financial fraud, one of the most common forms of 
identity theft.'' See Advisen, Quarterly Cyber Risk Trends: Global 
Fraud is Still on the Rise, sponsored by CyberScout, Q2 2019, p. 2.
    \44\ See the PFI Top 10 cyber loss events as of September 11, 
2019 as obtained from Advisen Cyber OverVue, 
insite20twenty.advisen.com. Equifax is coded under NAICS 56 
Administrative and Support and Waste and Management Remediation 
Services in Advisen's Cyber OverVue, but it is coded as NAICS 
522320--Financial Transactions Processing, Reserve, and 
Clearinghouse Activities in Advisen's MSCAd database (see Advisen 
website, www.advisenltd.com). In speaking to Advisen's product 
manager, he stated that in Cyber OverVue, the NAICS code is taken 
directly from Advisen's company information provider, in this case 
S&P. In MSCAd, which is Advisen's legacy system that they are moving 
away from, the NAICS code is a translation of the SIC code. These 
differences in industry classification between the two systems can 
sometimes create misalignments, but rarely. CRA manually added 
Equifax to the NAICS 52 Finance and Insurance peer group based on 
its potential applicability in size and type of assets (PII or PFI) 
compromised.
    \45\ See the PFI Top 10 cyber loss events as of September 11, 
2019 as obtained from Advisen Cyber OverVue, 
insite20twenty.advisen.com.
---------------------------------------------------------------------------

    The data in the table above also includes frequency and losses 
from internal cyber related errors. These events typically include 
things like software errors or a when a human mistake involving a 
computer is made. For example, the top ten largest error-related 
cyber loss events from the events underlying the table above (in the 
corporate losses section) ranged from $472.0 million down to $7.3 
million. The top two were $472.0 million for Knight Capital Group 
and $373.5 million for TSB Bank. Both were caused by IT errors. For 
Knight Capital Group, a glitch in new trading software caused Knight 
Capital Group's order router to send more than four million orders 
into the market when it was supposed to fill in just 212 customer 
orders.\46\ For TSB Bank, customers lost access to their accounts or 
saw information of accounts owned by others after TSB Bank 
transferred the records and accounts of its 5.2 million customers 
from one system to another. All of the top ten error-related cyber 
loss events impacted a company's ability to conduct business and 
generate revenues.\47\ While the CAT does not support a specific 
company's ability to conduct business and generate revenues it does 
affect the ability of the SEC and the SROs to oversee and regulate 
market activities. However, it is our understanding that if the CAT 
has appropriate backups that have not been maliciously encrypted, 
this type of attack can be recovered from.\48\ While regulatory 
oversight could be delayed by the error, the oversight activities 
can be resumed after a relatively brief period devoted to bringing 
up the backup systems. Overall, we note that internal cyber related 
errors can lead to very large losses that represent additional 
liability exposure to the CAT.
---------------------------------------------------------------------------

    \46\ See Corporate Business Income/Services Top 10 cyber event 
losses as of September 11, 2019 as obtained from Advisen Cyber 
OverVue, insite20twenty.advisen.com.
    \47\ See Corporate Business Income/Services Top 10 cyber event 
losses as of September 11, 2020 as obtained from Advisen Cyber 
OverVue, insite20twenty.advisen.com.
    \48\ Interview with William Hardin, VP, Charles River 
Associates, August 11, 2020.
---------------------------------------------------------------------------

    To further refine the types of cyber breaches we believe could 
potentially affect the CAT, we searched public sources and relied 
upon our experience to posit scenarios we believe reflect how data 
from possible cyber breach attacks/events could be misused.
    We believe threat actors could seek to breach the CAT to attempt 
the following:

(1) Hold Data Hostage
(2) Identity Theft
(3) Algorithm Reverse Engineering
(4) Fake Data Insertion to Wrongfully Incriminate
(5) Data Removal or Insertion to Hide Fraud
(6) Trading on Non-Public Information
(7) Competitive Intelligence--Customer Lists
(8) Discovery of Regulatory Investigation that Could be Used to Harm 
Someone's Reputation

    We address the scenarios below and describe our estimation of 
the ease of implementation, frequency and severity risk of each.

(1) Hold Data Hostage

    A bad actor could seek to ransom CAT data in several ways. Many 
of them are derivative of the other scenarios we posit later in this 
report.

(a) Threaten to publicly release confidential Customer and Account 
Attribute data or trade data to harm a firm's or investor's 
reputation
(b) Threaten to keep data encrypted (denial of service) to prevent 
its use by regulators
(c) Threaten to sell trading data regarding an account that could 
allow reverse engineering a trading algorithm
(d) Threaten to make short position data public

    Each of these is discussed in further detail:

(a) Threaten to publicly release confidential Customer and Account 
Attribute data or trade data to harm a firm's or investor's 
reputation

    Under this scenario, if a bad actor obtained either Customer and 
Account Attribute data or trade data from the CAT it would be 
difficult for the bad actor to monetize the information without the 
ability to associate the trade data with the Customer and Account 
Attribute data to identify the parties involved in the trade as bad 
actors historically have done.
    To limit the potential value of the information, the SEC 
mandated that the CAT limit the identifying information it stores. 
Information such as a social security number, brokerage account 
number, and other high value PFI items are not stored by the CAT. 
The CAT stores only less sensitive PII information including name, 
address, and birth year within the CAT Customer and Account 
Attributes database (CAIS).\49\ Also, the trade data stored by the 
CAT does not disclose the name of the person or company behind the 
trade. Rather, the account owner behind the trade is identified by a 
CAT Customer ID (CCID) that is a globally unique CCID for each 
account owner that is unknown to and not shared with the original 
CAT Reporter Industry Member. This CCID is held within the CAT's 
CCID and CAIS databases.\50\ To determine the account owner, one 
would need access to the system that links the CCID to the Customer 
and Account Attributes data, the CAT Customer and Account 
Information System (CAIS). The trade data and the CAIS data are 
stored on separate encrypted systems. Thus, a bad actor would need 
access to the trade data and the CAIS data for each individual/
company in order to find out which trades related to which 
individuals/companies and which brokers were used by these 
individuals/companies. Therefore, we see limited possibility or 
value in a hacker seeking to threaten a brokerage firm or other 
investor with the release of Customer and Account Attributes.
---------------------------------------------------------------------------

    \49\ See SEC, March 17, 2020 Order, pp. 4-5 and SEC, Order 
Approving CAT, The Limited Liability Company Agreement of CAT LLC, 
p. 4, Appendix C-7 to C-9, Appendix D-14, and D-33 to D-34.
    \50\ See SEC, March 17, 2020 Order, pp. 2, 4-5.
---------------------------------------------------------------------------

    With respect to an attempt to hold hacked CAT trade data 
hostage, we note that all the trade data is encrypted with the 
client anonymized, making it unlikely that a hacker could 
successfully identify who to threaten. The bad actor would need to 
have the CAIS data and trade data to determine which clients and 
client trades were associated with a broker or investor. Given that 
the CAT keeps encrypted CAIS data and encrypted trade data in 
separate databases, a data incident to obtain and exploit both sets 
of data would be difficult. We recognize that

[[Page 607]]

crime syndicates are publishing information to their blogs,\51\ and 
if they released even partial information to the public, this could 
damage the reputation of the CAT. The breach would show weaknesses 
in the security of the CAT and translate into potential reputational 
harm to not only the CAT, but also possibly the SEC and the SROs. 
Overall, we believe this scenario would be of average difficulty to 
implement, will occur infrequently (if at all), but have low to 
medium loss severity if successful.
---------------------------------------------------------------------------

    \51\ Per William Hardin, VP Cybersecurity and Incident Response 
Services, Charles River Associates, Inc.
---------------------------------------------------------------------------

(b) Threaten to keep data encrypted (denial of service) to prevent 
its use by regulators

    If a hacker were able to disrupt the CAT and impose another 
level of unauthorized and malicious data encryption in an attempt to 
ransom its decryption, this could affect the SEC's ability to 
conduct investigations as well as the SROs' ability to meet their 
oversight obligations.\52\ A particular concern for a system held by 
ransomware is the inability of the affected firms to access their 
information and maintain operations for their customers. However, it 
is our understanding that if the CAT has appropriate backups that 
have not been maliciously encrypted, this type of attack can be 
recovered from.\53\ While regulatory oversight could be delayed by a 
ransomware attack, the oversight activities can be resumed after a 
relatively brief period devoted to bringing up the backup systems. 
We deem a successful ransomware scenario to be highly unlikely, 
assuming adequate backup systems and protocols, as a hacker is 
likely to perceive that collecting a ransom from the regulators has 
a very low probability. We believe this scenario would be of average 
difficulty to implement, will occur infrequently, and have low to 
medium severity if successful.
---------------------------------------------------------------------------

    \52\ Under the Exchange Act, a variety of SROs, including 
national securities exchanges and FINRA, exercise extensive 
oversight over securities broker-dealers, stock exchange members and 
listed companies, and other market intermediaries. Stock exchanges 
were the original SROs that governed the trading of securities and 
regulated their members well before the creation of the Securities 
and Exchange Commission and the current statutory framework 
formalizing their SRO status. See Commissioner Luis A. Aguilar, U.S. 
Securities and Exchange Commission, ``The Need for Robust SEC 
Oversight of SROs,'' May 8, 2013, footnote 2, https://www.sec.gov/news/public-statement/2013-spch050813laahtm accessed August 2020.
    \53\ Per William Hardin, VP Cybersecurity and Incident Response 
Services, Charles River Associates, Inc.

(c) Threaten to sell trading data regarding an account that could 
---------------------------------------------------------------------------
allow reverse engineering a trading algorithm

    This scenario would be difficult to implement given the bad 
actor would need to access the trade data as well as the CAIS 
(assuming the bad actor could not otherwise determine the who the 
trade data was associated with \54\). Gaining access to multiple 
encrypted CAT databases to retrieve multiple categories of data, 
stored in separately secured areas would be difficult. It would also 
be difficult for the bad actor to figure out who the trade CCID 
account owner was without access to the CAIS. Overall, the bad actor 
would need to access the trade data, analyze the data for 
algorithmic trading, and determine who the CCID account owner is in 
order make the threat real. Next, they would have to credibly 
threaten that firm that their trades would be released or sold to 
someone that could reverse engineer their algorithms, which is a 
complex and difficult task. We think that, at worst, the threatened 
firm might pay a moderate ransom to prevent its trades from being in 
unknown hands. Thus, we believe this scenario would be very 
difficult to implement, will occur infrequently, and have high to 
extreme severity if successful.
---------------------------------------------------------------------------

    \54\ We can envision that a bad actor might be able to deduce 
who the trade data was associated with based on certain 
characteristics of quantity, size, or through other means.

---------------------------------------------------------------------------
(d) Threaten to make short position data public

    If a bad actor were able to use the CAT trading and CAIS data to 
successfully determine that an investor holds a significant short 
position in a particular stock, in theory, that hacker could try to 
threaten that investor that their position information would be made 
public. We deem this scenario as improbable and unlikely. First, as 
discussed above, determining both the investor identity and the 
position held by that investor would be difficult. Second, there is 
a significant risk to the hacker that the investor would not care 
that their short position was made public. Thus, we believe this 
scenario would be of average difficulty to implement, will occur 
infrequently, and have medium severity if successful.

(2) Identity Theft

    We believe that one of the most likely goals of wrong-doers 
seeking to hack the CAT would be to attempt to steal Customer and 
Account Attribute data (within the CAIS database) for the millions 
of account holders in the system. We note that significant effort 
has been made in designing the CAT to reduce this risk. This 
includes encrypting of the Customer and Account Attribute data and 
limiting the underlying PII to less sensitive information: Name, 
address and birth year (no PFI data--no social security numbers, no 
account numbers, and no dates of birth). Importantly, there are 
strict limitations on access to the CAIS database. Access to the 
CAIS is on a ``need to know'' and ``least privileged'' basis and 
cannot be obtained from public internet connectivity.\55\
---------------------------------------------------------------------------

    \55\ See SEC, March 17, 2020 Order, pp. 12 and 20 and SEC, Order 
Approving CAT, The Limited Liability Company Agreement of CAT LLC, 
Appendix D-14.
---------------------------------------------------------------------------

    An example of how a hacker could take advantage of less 
sensitive PII data (name, contact information, and a reservation) 
can be seen in the recent breach at the Ritz Carlton's London hotel. 
In August of 2020, the hotel suffered a cyber breach of its food and 
beverage system. The bad actor used the customer information in this 
system to pose as a Ritz employee to confirm the reservation and 
payment card details with individuals with the upcoming 
reservations. The card details received based on these calls were 
used to spend thousands of pounds of victims' money.\56\ If a hacker 
were able to get CAT Customer and Account Attribute data and 
determine the brokerage firm at which a particular investor held 
their account, the hacker could call that investor posing as an 
employee of the broker and seek to ``confirm account information.'' 
This could lead to substantial investor losses. This scheme could 
then be repeated on large numbers of investors.
---------------------------------------------------------------------------

    \56\ See Julian Hayes, ``Double extortion: An emerging trend in 
ransomware attacks,'' Advisen Front Page News, August 21, 2020, 
https://www.advisen.com/tools/fpnproc/fpns/articles_new_35/P/375350842.html?rid=375350842&list_id=35 accessed August 2020.
---------------------------------------------------------------------------

    Had the CAT Customer and Account Attribute data included social 
security numbers and birth dates, this information could be even 
more easily monetized by either identity/credit theft or selling the 
data in bulk on the dark web. William Hardin, VP and leader of 
Charles River Associates Cybersecurity Incident Response Practice 
stated, ``the most readily available easily monetized form of hacked 
data on the dark web is PII.'' \57\
---------------------------------------------------------------------------

    \57\ Interview with William Hardin, VP, Charles River 
Associates, August 11, 2020.
---------------------------------------------------------------------------

    Verizon reported that the compromise of personal data occurs in 
77% of the Finance and Insurance industry cyber breaches and that 
cyber-attacks are mostly carried out by external actors who are 
financially motivated to get easily monetized data.\58\ According to 
the data in the Advisen database, personal information is the most 
common type of data compromised in a cyber breach. The Advisen 
database shows that Finance and Insurance companies with $1 billion 
or greater in revenue that had a PII breach had an average of 3.4 
breaches (a median of 1) over the past 10 years.\59\ The frequency 
and severity of PII breaches is much lower than PFI breaches. Thus, 
based upon this history, we believe the CAT substantially reduced 
its relative exposure to the frequency and severity of breaches 
related to personal information by not including PFI data in the 
CAT. While this design feature is appropriate, CAT remains a 
tempting target for cybercriminals as it will have one of the 
largest accumulations of personal data ever assembled. The 
possibility of an extreme event should not be ignored.
---------------------------------------------------------------------------

    \58\ Verizon, 2020 Data Breach Investigations Report, p. 52.
    \59\ See Advisen Cyber OverVue, insite20twenty.advisen.com.
---------------------------------------------------------------------------

    We reviewed the top 10 PII cyber breaches underlying these 
figures and summarized them in the table below. We found the lowest 
loss was $9.1 million while the highest was $21.6 million. While an 
imperfect measure, generally the more records exposed,\60\ the

[[Page 608]]

higher the loss amount. We note that Equifax is not included in the 
PII breach data because that breach included access to PFI (social 
security numbers). The Equifax loss was $2.5 billion and is the 
largest publicly disclosed PFI breach. It has been reported that 
this loss resulted from Equifax leaving itself significantly exposed 
to hacking because it failed to implement various software security 
patches in a timely manner. In relation to the Equifax breach, the 
number of records potentially exposed at the CAT could be even 
larger. But since the CAT will only include less sensitive PII 
(name, address, birth year) and not PFI (social security number, 
account numbers), we believe the Equifax loss of $2.5 billion can be 
seen as an upward bound of the exposure a Customer and Account 
Attribute data breach at the CAT could generate.
---------------------------------------------------------------------------

    \60\ The firms working in the cyber risk industry typically use 
the number of records exposed/stolen as a metric to describe the 
relative size and seriousness of a breach. While there is some 
correlation between the number of records exposed and the ultimate 
cost of the breach, this metric is imperfect as it does not consider 
the relative value of the records exposed or how they might be used. 
However, as long as one recognizes those limitations, we believe the 
number of records exposed can be a useful descriptor. We note that 
the CAT will contain massive amounts of data, including information 
on hundreds of millions of accounts, making it much bigger than some 
companies we review for comparison.
---------------------------------------------------------------------------

    Based on the descriptions provided by Advisen, the most similar 
PII breach to what CAT might experience in the list below is the 
E*TRADE hack, where a bad actor accessed their customer database and 
exported stolen customer data including names, residential 
addresses, phone numbers, and email addresses. These addresses were 
allegedly taken so the bad actors could start their own securities 
brokerage. Overall, the hackers compromised customer databases 
containing the personal information of more than 5 million 
customers, leading to a $12.9 million loss.\61\ While there will be 
fewer elements of PII stored at the CAT (name, address, and birth 
year) than at E*TRADE (name, address, phone number, and email 
address), we again note there will be orders of magnitude more 
individuals' records at the CAT.
---------------------------------------------------------------------------

    \61\ See the PII Top 10 cyber loss events as of September 11, 
2019 as obtained from Advisen Cyber OverVue, 
insite20twenty.advisen.com.
[GRAPHIC] [TIFF OMITTED] TN06JA21.008

    As noted  above, the Advisen database showed that for Finance 
and Insurance companies with $1B in revenue or more that had a PII 
breach, these breaches occurred with a frequency of 3.4 times on 
average over a 10-year period (median of 1). The range for the top 
10 PII breaches was $21.6 million to $9.1 million.
---------------------------------------------------------------------------

    \62\ ``Advisen has developed a proprietary loss amount model to 
help users make more informed decisions on cyber risk by enhancing 
how it is being quantified. The resulting analytics, when viewed in 
tandem with our benchmarking analyses, will provide a comprehensive 
picture of an organization's potential cyber loss exposure, as well 
as better guidance on the type and amount of cyber insurance to 
purchase. The model looks at a combination of more than 70 different 
variables across more than 100,000 cyber events in Advisen's 
proprietary cyber loss data to calculate simulated financial loss 
amounts by incorporating quantile regression analyses that look at 
data relationships across different quantiles to establish a range 
of potential impacts. The model is recalibrated on an ongoing basis 
to account for changes in data relationships as Advisen's cyber loss 
database continues to grow.'' See Advisen's Cyber OverVue User 
Guide, January 2020, p. 22. See also the PII Top 10 cyber loss 
events as of September 11, 2019 as obtained from Advisen Cyber 
OverVue, insite20twenty.advisen.com.
---------------------------------------------------------------------------

    The second highest PFI breach, after Equifax, is the $188.7 
million loss suffered by Wells Fargo & Co. (Wells Fargo), which 
resulted from the bank allowing its employees to access customers' 
personal information, and in some cases forging data, to subscribe 
them to products, such as credit cards. Lawyers representing 
aggrieved customers have said the bank may have opened about 3.5 
million unauthorized accounts.\63\
---------------------------------------------------------------------------

    \63\ See the PFI Top 10 cyber loss events as of September 11, 
2019 as obtained from Advisen Cyber OverVue, 
insite20twenty.advisen.com.
---------------------------------------------------------------------------

    If the CAT stored social security numbers and account numbers 
(as was originally planned before the amendments), the exposure on a 
successful hack would be extreme. But, because the CAT Customer and 
Account Attribute data is limited to name, address and birth year, 
we believe that risk is mitigated to some degree. In summary, we 
suggest CAT Customer and Account Attribute data will be of medium 
interest to hackers and conclude this scenario would be relatively 
less difficult to implement, will occur with moderate frequency, and 
likely have medium to high severity if successful. An extreme event 
cannot be ruled out primarily because of the quantity of Customer 
and Account Attribute data being held at the CAT.

(3) Algorithm Reverse Engineering

    Algorithmic trading uses a computer program that follows a 
defined set of instructions (an algorithm) to execute a trade. The 
trades can be executed at a speed and frequency that is impossible 
for a human trader. The algorithmic trading market size was $11.1 
billion in 2019 and expected to grow to $18.8 billion by 
2024.64 65 Algorithmic trading is responsible for 
approximately 60-73% of all U.S. equity

[[Page 609]]

trading.\66\ The two largest firms, Virtu Financial, Inc. 
(``Virtu'') and Citadel ``account for around 40 percent of daily 
U.S. trading flow.'' \67\ Virtu is the largest public algorithmic 
trading firm, with a market cap of $4.56 billion.68 69 
Furthermore, Citadel, the nation's biggest equity and options market 
maker, is responsible for one in every five stock trades in America 
and 40% of the retail volume.\70\
---------------------------------------------------------------------------

    \64\ Research and Markets, Algorithmic Trading Market by Trading 
Type, Component, Deployment Mode, Enterprise Size, and Region--
Global Forecast to 2024, https://www.researchandmarkets.com/reports/4770543/algorithmic-trading-market-by-trading-type#rela0-4833448 
accessed November 2020.
    \65\ We note that high frequency trading (HFT), a major subset 
of algorithmic trading, has experienced higher costs and lower 
profitability in the past few years. See Gregory Meyer, Nicole 
Bullock and Joe Rennison, ``How high-frequency trading hit a speed 
bump,'' Financial Times, January 1, 2018, https://www.ft.com/content/d81f96ea-d43c-11e7-a303-9060cb1e5f44 accessed August 2020.
    \66\ Research and Markets, Algorithmic Trading market--Growth, 
Trends, and Forecast (2020-2025), https://www.researchandmarkets.com/reports/4833448/algorithmic-trading-market-growth-trends-and#rela4-5125563 accessed August 2020.
    \67\ AllAboutAlpha, ``High-Frequency-Trading Firms: Fast, 
Faster, Fastest,'' April 2, 2019, https://www.allaboutalpha.com/blog/2019/04/02/high-frequency-trading-firms-fast-faster-fastest/ 
accessed November 2020.
    \68\ See Capital IQ website, https://www.capitaliq.com/CIQDotNet/Financial/Capitalization.aspx?CompanyId=133624510 accessed 
November 6, 2020.
    \69\ Interestingly, Virtu was the victim of a recent social 
engineering hack. A hacker seized control of the email account of 
one of its executives. The email account was used to send two 
fraudulent wire transfers totaling $10.8 million to bank accounts in 
China. See Alexander Osipovich, ``High Speed Trader Virtu Discloses 
$6.9 Million Hacking Loss,'' Dow Jones News Service, August 11, 2020 
accessed December 2020.
    \70\ Nathan Vardi, ``Finance Billionaire Ken Griffin's Citadel 
Securities Trading Firm Is On A Silicon Valley Hiring Binge,'' June 
3, 2019, Forbes, https://www.forbes.com/sites/nathanvardi/2019/06/03/finance-billionaire-ken-griffins-citadel-securities-trading-firm-is-on-a-silicon-valley-hiring-binge/#34f23c9c6b36 accessed August 
2020.
---------------------------------------------------------------------------

    Algorithmic trading plays an important role in making the U.S. 
markets more efficient. Academic research has shown that algorithmic 
trading significantly reduces bid-ask spreads and speeds price 
discovery.\71\
---------------------------------------------------------------------------

    \71\ Terrance Hendershott, Charles M. Jones, and Albert J. 
Menkveld, Does Algorithmic Trading Improve Liquidity?, The Journal 
of Finance, Volume 66, No. 1, February 2011, http://faculty.haas.berkeley.edu/hender/Algo.pdf.
---------------------------------------------------------------------------

    Assuming the trading data of the CAT LLC was breached and 
decrypted, we assess that, while difficult, that data could be used 
to reverse engineer the proprietary trading algorithms of 
algorithmic trading firms. The loss to a firm whose algorithm was 
compromised in this way would be the cost of developing the 
algorithm plus any forgone profits that could have been expected to 
accrue to the firm over a reasonable period of time.
    For example, as of January 2020, Citadel is suing a rival for 
allegedly taking details of a key Citadel trading strategy which 
Citadel has stated cost more than $100 million to develop and which 
generates many millions of dollars each year.\72\
---------------------------------------------------------------------------

    \72\ Jane Croft, ``Citadel Securities sues rival over alleged 
trading strategy leak,'' Financial Times, January 10, 2020, https://www.ft.com/content/2cbf1738-33cd-11ea-9703-eea0cae3f0de accessed 
December 2020.
---------------------------------------------------------------------------

    Although we assess that using the CAT data to reverse engineer a 
trading algorithm would take significant expertise and time, the 
trading strategies that use these algorithms are highly valuable. In 
addition, the concentration of profitability among a small number of 
players in this space could increase the attractiveness of 
attempting this type of scheme. We ultimately deem it unlikely that 
a bad actor would seek to use CAT data in this way because of the 
difficulty in both achieving the hack as well as the effort to 
reverse engineer an algorithm. The separation and encryption of the 
Customer and Account Attribute data (in the CAIS database) and trade 
data (in the MDS database), the fact that the trade data is 
anonymized, and the limitations on ways in which one can get this 
data (CAT data can only be accessed by the SEC and SROs via private 
line access; there is no public internet access and access to the 
CAIS is on a ``need to know'' and ``least privileged'' basis) would 
make this scenario very difficult to achieve. The hacker would need 
to successfully access all this data, decrypt it, and reverse 
engineer the algorithms under which the trades were made. Given the 
potential value (severity) of this type of information, however, bad 
actors could be so motivated. In particular, a state sponsored 
hacker could have the resources to attempt to reverse engineer 
successful algorithms and steal intellectual property in this way. 
The bad actor could also seek to ransom the algorithm to the 
algorithmic trading firm as discussed above or seek to sell the data 
to a sophisticated trading firm that was able to do the reverse 
engineering.
    An example of a parallel type of scenario can be seen in the 
breach of newswire services by a group of Ukrainian hackers during 
2015. The hackers gained access to corporate earnings releases for 
dozens of companies as much as 12 hours prior to their being made 
public. The hackers knew the information was valuable but did not 
know how to trade based on it. They therefore set up a network of 
traders to whom they fed the data and either sold them the releases 
outright or struck a deal to share in the profits.\73\ More than 
$100 million was allegedly earned on the wrongful trades.\74\
---------------------------------------------------------------------------

    \73\ See SEC website, ``SEC Reaches Settlements with Traders in 
Newswire Hacking and Trading Scheme,'' Litigation Release No. 24833, 
June 10, 2020, https://www.sec.gov/litigation/litreleases/2020/lr24833.htm accessed November 2020. Also see SEC website, ``SEC 
Charges 32 Defendants in Scheme to Trade on Hacked News Releases,'' 
August 11, 2015, https://www.sec.gov/news/pressrelease/2015-163.html 
accessed November 2020.
    \74\ See SEC website, ``SEC Reaches Settlements with Traders in 
Newswire Hacking and Trading Scheme,'' Litigation Release No. 24833, 
June 10, 2020, https://www.sec.gov/litigation/litreleases/2020/lr24833.htm accessed November 2020. Also see SEC website, ``SEC 
Charges 32 Defendants in Scheme to Trade on Hacked News Releases,'' 
August 11, 2015, https://www.sec.gov/news/pressrelease/2015-163.html 
accessed November 2020.
---------------------------------------------------------------------------

    In summary, we believe that while the implementing this type of 
breach would be difficult and the frequency likely low, the severity 
of a breach leading to the reverse engineering of an algorithmic 
trading firm's strategy could be high. An estimate of exposure of at 
least $100 million per incident (based on the cost to develop a 
successful strategy at Citadel) seems reasonable. Given the role 
that algorithmic trading firms play in adding liquidity to the 
markets, we deem this scenario to pose both a risk to algorithmic 
trading firms themselves, as well as to the efficient operation of 
U.S. markets. Therefore, we believe this scenario would be very 
difficult to implement, will occur infrequently, but have extreme 
severity if successful.

(4) Fake Data Insertion To Wrongfully Incriminate

    We posit that if a hacker were able to successfully insert false 
data into the CAT, they could use that ability to wrongfully 
incriminate an individual or company. For example, assume that a 
hacker inserts data into the CAT making it appear that the CEO of a 
company was wrongfully engaging in insider trading of its company's 
stock. Further assume that this data triggered an investigation at 
the SEC into the CEO's trading and that investigation led to a 
preliminary injunction hearing to prevent the CEO from further 
accessing his or her account. This SEC action would be public, and 
both the CEO's and company's reputation and value could be harmed.
    According to a 2010 study, when the SEC announced an 
investigation on a company, the average abnormal return based on 
that announcement was at least negative 8%.\75\ This would equate to 
a reduction in market value of $1.8 billion for the median company 
in the S&P 500.\76\
---------------------------------------------------------------------------

    \75\ Journal of Forensic & Investigative Accounting, ``Market 
Efficiency and Investor Reactions to SEC Fraud Investigations,'' 
Vol. 2, Issue 3, Special Issue, 2010, p. 3.
    \76\ Using the total market value of the S&P 500, $30.24 
trillion, a negative 8% return would be a reduction in market value 
of $1.8 billion for the median company in the S&P 500 (median market 
value of $22.1 billion). See Refinitiv website, a company that 
provides financial data, https://www.refinitiv.com/en/about-us 
accessed October 21, 2020.
---------------------------------------------------------------------------

    The negative return can be significantly larger than 8%. In 
November 2019, the Wall Street Journal announced that the SEC was 
investigating Under Armour. On the day of the announcement, Under 
Armour's stock fell 19%.\77\ Correspondingly, the market 
capitalization of Under Armour fell from $9.04 billion to $7.35 
billion, a drop of $1.69 billion.\78\
---------------------------------------------------------------------------

    \77\ Wharton University of Pennsylvania, ``How Undisclosed SEC 
Investigations Lead to Insider Trading,'' March 2, 2020, https://knowledge.wharton.upenn.edu/article/undisclosed-sec-investigations-lead-insider-trading/ accessed September 2020.
    \78\ This market value drop may not be fully attributable to the 
announcement and would require an event study to test that 
conclusion. See Refinitiv website, https://www.refinitiv.com/en/about-us.
---------------------------------------------------------------------------

    Given the expected negative market reaction to an SEC 
investigation, the hacker could position to benefit from a stock 
price drop. This type of trading would arguably be akin to insider 
trading (trading on material non-public information), where we have 
seen cases that have generally generated illicit profits ranging in 
the hundreds of thousands to tens of millions of dollars. The 
largest insider trading matters to date were

[[Page 610]]

Martoma/SAC \79\ and Galleon/Rajaratnam,\80\ with alleged wrongful 
profits of $275 million and $95 million respectively.
---------------------------------------------------------------------------

    \79\ See Final Judgement as to Defendant CR Intrinsic Investors, 
LLC, United States District Court, Southern District of New York, 12 
Civ. 8466 (VM), filed June 18, 2014, p. 3.
    \80\ See Opinion and Order, SEC v. Raj Rajaratnam, et al., 
United States District Court, Southern District of New York, 09 Civ. 
8811 (JSR), filed November 8, 2011, pp. 1-2.
---------------------------------------------------------------------------

    We recognize that this scenario seems attenuated and unlikely 
because the hacker would need to know information from the 
separately kept and encrypted CAIS and trade databases. The hacker 
would need gain access to the CAIS to obtain which CCID went with 
the person/company to be wrongfully incriminated. The hacker would 
then be able to search the trade data for trades related to that 
CCID. Other potential hacker impediments include CAT data only being 
accessed by the SEC and SROs via private line access; there is no 
public internet access and access to the CAIS is on a ``need to 
know'' and ``least privileged'' basis. Additionally, we believe that 
this false accusation would be relatively easy for the accused CEO 
to disprove based on simply producing his own account statements. 
However, this could potentially occur at or after the public 
injunction hearing, and the associated initial effects on stock 
price. We conclude that this scenario would be very difficult to 
implement, will occur infrequently, but have high to extreme 
severity if successful. The severity level is based on the potential 
to profit from wrongful accusations about a company and/or its 
management.

(5) Data Removal or Insertion To Hide Fraud

    The SROs and the SEC monitor the securities markets for a range 
of wrongful activities, such as trading in a way that manipulates 
the market prices of securities and trading on inside information 
(material non-public information). If a hacker were to access the 
CAT and remove data relating to wrongful acts (or insert data to 
obfuscate their bad acts) and the wrongful acts were not detected by 
SRO monitoring, the hacker could successfully hide illegal trading 
activity from regulatory scrutiny. This has the potential to enable 
illegal activity to continue (and its related profits) and 
ultimately undermine the efficiency of the markets and public trust 
therein. Ultimately the investing public is harmed as they may 
overpay for a purchase or receive less for the sale of a security.
    If a bad actor can continue to make millions of dollars on 
illegal activity due to the insertion of fake data or deletion of 
data in the CAT, those activities essentially cause those millions 
to come out of the accounts of investors who are following the 
rules. To the extent the illegal activity becomes widespread, 
investors could lose confidence in the market and ultimately take 
out their money and potentially invest it in foreign markets. This 
would essentially increase capital costs for all companies seeking 
to raise funds to grow, translating into a smaller economy.\81\
---------------------------------------------------------------------------

    \81\ ``America's historical approach to our capital markets--an 
approach focused on transparency, materiality, fairness and 
accountability--has produced a remarkably deep pool of capital with 
unprecedented participation. It is our Main Street investors and 
their willingness to entrust their hard-earned money to our capital 
markets for the long term that have provided the seeds for the 
deepest, most dynamic and most liquid capital markets in the world. 
Their capital provides businesses and municipalities with the 
opportunity to invest, grow and create jobs with an organic dynamism 
that stands apart both today and since the Commission was formed 85 
years ago.'' See Chairman Jay Clayton, Testimony on ``Oversight of 
the Securities and Exchange Commission'' Before the U.S. Senate 
Committee on Banking, Housing, and Urban Affairs, December 10, 2019, 
https://www.sec.gov/news/testimony/testimony-clayton-2019-12-10 
accessed November 2020.
---------------------------------------------------------------------------

    To execute such a scheme, the bad actor would need to know how 
to hack into the encrypted and anonymized CAT trade data or hire 
someone to do so. The bad actor would also have to override or 
bypass the existence of two separate data feeds into CAT (one from 
the execution venue and one from the CAT Industry Member reporter) 
to delete or add fake data or access the final corrected 
database.\82\ Given the potential payoff (severity), such an 
arrangement between a hacker and a bad actor could occur. For 
example, and as mentioned above, the SEC charged 32 defendants 
(primarily based in Ukraine) in a scheme where hackers obtained data 
from press releases prior to their public release and conspired with 
experienced traders to trade on earnings announcements based on the 
hacked data. These acts allegedly occurred over a five-year period 
and the information from the yet-to-be issued news releases was used 
to generate more than $100 million in illegal profits.\83\ If the 
trading data relating to these wrongful trades had been deleted, it 
is likely this scheme would never have been detected and stopped.
---------------------------------------------------------------------------

    \82\ Data can be accessed by regulators via a query on day one 
after initial data validation as well as on day 5 when all data has 
been corrected. See SEC, Order Approving CAT, pp. 100 and 538.
    \83\ SEC website, ``SEC Charges 32 Defendants in Scheme to Trade 
on Hacked News Releases,'' August 11, 2015, https://www.sec.gov/news/pressrelease/2015-163.html accessed November 2020.
---------------------------------------------------------------------------

    This type of criminal trading undermines both market efficiency 
and public confidence in the markets. The effects may be pernicious 
and, if left unchecked, could lead to catastrophic loss of investor 
confidence.
    Given the nature of this scheme, including avoiding detection by 
SRO monitoring, we believe this scenario would be very difficult to 
implement, will occur infrequently, but have high to extreme 
severity if successful.

(6) Trading on Non-Public Information

    We posit that the non-public trading data in the CAT could be 
used to determine if a company or individual might be making large 
multi-day purchases or sales of securities of various companies. 
This information could indicate a potential takeover, or, in the 
case of a high-profile investor, a significant new position is being 
taken.
    For example, it is not unusual for Berkshire Hathaway 
(``Berkshire'') to purchase large amounts of stock of a company, and 
for the stock of that company to go up in value both because of 
share demand increase based on the size of the purchases made by 
Berkshire, as well as the perceived value of having Berkshire as an 
investor once that position is public. Once the position exceeds 5% 
of the target company, Berkshire (or any investor for that matter) 
has ten days to report its holding to the SEC.\84\ If someone with 
access to CAT trading data were to see that a significant position 
was being bought in a particular stock, they could use that 
information to take a long position in that stock in anticipation of 
a stock price rise that would occur once that information was made 
public.
---------------------------------------------------------------------------

    \84\ Fintel website, Berkshire Hathaway Inc--Warren Buffet--
Activist 13D/13G Filings, https://fintel.io/i13d/berkshire-hathaway. 
This website contains a list of Berkshire Hathaway SEC 13D/13G 
filings accessed November 2020.
---------------------------------------------------------------------------

    On November 14, 2016, Berkshire reported to the SEC, with the 
SEC making it public at 4:05 p.m. ET, a new investment in American 
Airlines \85\ amounting to 4.2% of the stock, or 21,770,555 
shares.\86\ At this time, American Airlines' stock price was trading 
around $43.40 per share \87\ making the position worth around $945 
million. Hypothetically, if someone had been able to front run 10% 
of these shares and net $1.36 per share (which represents the one 
day increase in share price post the announcement), the gain would 
have been $3.0 million.\88\
---------------------------------------------------------------------------

    \85\ Berkshire's SEC Form 13F filing shows that Berkshire 
acquired 21,770,555 (13,355,099 plus 8,415,456) shares of American 
Airlines stock. See SEC's Edgar website, Berkshire Hathaway Inc 
filings, https://www.sec.gov/Archives/edgar/data/1067983/000095012316022377/0000950123-16-022377-index.htm, SEC's Edgar 
website, Berkshire Hathaway Inc filings, https://www.sec.gov/Archives/edgar/data/1067983/000095012316022377/xslForm13F_X01/primary_doc.xml and SEC's Edgar website, Berkshire Hathaway Inc 
filings, https://www.sec.gov/Archives/edgar/data/1067983/000095012316022377/xslForm13F_X01/form13fInfoTable.xml accessed 
November 2020.
    \86\ American Airlines had 518,130,000 shares of stock 
outstanding as of November 14, 2016. See Refinitiv website, https://www.refinitiv.com/en/about-us. 21,770,555/518,130,000 = 4.2%.
    \87\ American Airlines stock price closed at $43.40 on November 
14, 2016, just prior to the SEC making Berkshire's American Airlines 
stock acquisition public. See Refinitiv website, https://www.refinitiv.com/en/about-us.
    \88\ 21,770,555 shares times 10% times $1.36 = $2,960,795. 
American Airlines stock price close prior to the announcement was 
$43.40 (November 14, 2016) and $44.76 after the announcement 
(November 15, 2016). $44.76-$43.40 = $1.36. This is an illustration, 
and we did not perform an event study to determine whether the full 
price increase is attributable to the announcement.
---------------------------------------------------------------------------

    The hacker also could access the CAT trade data to look for new 
stock positions being taken in an account in a particular company 
that approaches 5%. This is referred to as a ``toehold'' position 
and could be an indicator that a takeover bid is likely.\89\ The 
hacker could then take a long position in the stock of the target 
firm to benefit from the takeover announcement, after which stock 
prices of the target can jump substantially.\90\ The

[[Page 611]]

hacker would not know with certainty that the entity building the 
position will continue to make purchases but by pursuing this 
strategy across multiple examples, they have a high likelihood of 
success.
---------------------------------------------------------------------------

    \89\ Investopedia website, Toehold Purchase definition, https://www.investopedia.com/terms/t/toeholdpurchase.asp accessed November 
2020.
    \90\ Jensen and Ruback (1983) review several empirical papers 
that empirically estimate the abnormal returns that accrued to the 
shareholders of the target firms around the announcement dates 
associated with unexpected tender offers to be approximately 30%. 
See Jensen and Ruback, ``The Market for Corporate Control,'' Journal 
of Financial Economics, 11, (1983).
---------------------------------------------------------------------------

    As discussed above, we know hackers are motivated to find and 
monetize non-public information (earnings announcements hacked from 
press release services). Such non-public information has also been 
obtained by hackers on the SEC's company filing website, Edgar. In 
2016, bad actors hacked into the SEC's Edgar company filing system 
to access the data in company filings before the SEC made then 
public.\91\ Such filings include earnings releases and the filings 
related to stock positions that exceeds 5% of the stock of the 
company being purchased (discussed above).\92\
---------------------------------------------------------------------------

    \91\ See NPR website, Barbara Campbell, ``SEC Says 
Cybercriminals Hacked Its Files, May Have Used Secret Data for 
Trading,'' September 20, 2017, https://www.npr.org/sections/thetwo-way/2017/09/20/552500948/sec-says-cybercriminals-hacked-its-files-may-have-used-secret-data-for-trading accessed September 2020.
    \92\ See SEC website, https://www.sec.gov/forms accessed 
September 2020.
---------------------------------------------------------------------------

    In summary, we believe that a hacker could use CAT trade data to 
successfully trade on non-public information. The payoffs could be 
high enough to motivate a bad actor. Of course, the hacker would 
need to gain access to the encrypted and anonymized CAT trade data. 
If the trade data was obtained, it would be relatively easy to 
determine if an account was building a position in a particular 
stock. Thus, we believe this scenario would be relatively less 
difficult to implement, could occur relatively frequently across 
multiple stocks, and have medium to high severity if successful.

(7) Competitive Intelligence--Customer Lists

    Another possible use of hacked CAT data would be to gather 
competitive information. A bad actor could hack into the CAT trade 
data and CAT CAIS data to determine which brokerage firms had which 
clients. For example, it could be useful to firm A to know that most 
of a particular pension fund's trading activity is being done at 
firm B, and how much trading that comprises. With that information, 
trading firm A could target the most profitable clients and avoid 
spending time on others. Access to CAT information could notably 
increase the scope and precision of competitive intelligence above 
that already available from other, more standard sources.
    While this information could provide an advantage, we deem this 
scenario unlikely. First, as discussed above, there is difficulty in 
hacking two sources of encrypted and separately kept data, the CAIS 
(for the account owner associated with the CCID used in the trade 
database) and trade data as well as associating all of this to learn 
who the best customers are. Second, merely knowing who is working 
with whom does not, in and of itself, generate profits; therefore, 
the incentive to pursue this activity is low. In addition, taking 
advantage of this information would need to be undertaken by a 
regulated firm, and if the hacking was uncovered it would lead to 
severe consequences for that firm. Therefore, the combination of low 
value of the information and high risk for the user leads us to 
conclude this scenario is very unlikely. What seems a little more 
plausible is a bad actor asking the brokerage firm for a ransom and, 
if not received, the bad actor releasing the information into a 
public forum. Thus, we believe this scenario would be very difficult 
to implement, will occur infrequently, and have medium to high 
severity if successful.

(8) Discovery of Regulatory Investigation That Could be Used To Harm 
Someone's Reputation

    It is our understanding that queries made by regulators on the 
CAT system will be saved, and that the party (e.g., the SEC) making 
the query will be associated with the query.\93\ If a hacker were 
able to view those queries and also had the Customer and Account 
Attribute data to identify the firm that is the subject of the 
query, he or she would be able to determine which firms were under 
regulatory scrutiny.
---------------------------------------------------------------------------

    \93\ See SEC, Order Approving CAT, The Limited Liability Company 
Agreement of CAT LLC, Appendix D-25 to D-27.
---------------------------------------------------------------------------

    This information could be used to ransom the firm as well as 
purchase or sell securities to take advantage of a potential 
announcement of an investigation (or a resolution of an 
investigation) later in time. To accomplish this scheme, the hacker 
would need to gain access to the queries as well as the encrypted 
CAIS database (Customer and Account Attribute data). Importantly, 
access to the CAIS is on a ``need to know'' and ``least privileged'' 
basis and cannot be obtained from public internet connectivity. 
Additionally, the hacker would not know with certainty that the 
queries would turn into a publicly announced SEC investigation, but 
by pursuing this strategy across multiple examples, they have a 
higher likelihood of success. A hacker with access to the queries 
would likely need to implement a trading strategy across multiple 
companies to ensure at least one or more investigations were 
ultimately disclosed. We conclude this scenario will be of average 
difficulty to implement, will be of average frequency, and have 
medium to high severity.

[[Page 612]]

[GRAPHIC] [TIFF OMITTED] TN06JA21.009

III. Economic and Public Policy Analysis of Cyber Security for CAT LLC
---------------------------------------------------------------------------

    \94\ See discussion in Section D for an explanation of each 
column.
---------------------------------------------------------------------------

    In this section, we review the law and economics literature that 
provides normative analysis of whether the preferred method to 
influence the management of risky activities is via regulation or 
litigation. Our goal is to apply the lessons from this literature to 
address the question of whether it is economically optimal to 
mitigate CAT LLC's cyber risk exposure (and the potential resulting 
harm to third parties) through regulation or through litigation, or 
through some combination of the two methods. We start by providing a 
rationale for why one would want to influence the loss-producing 
behavior of economic agents. We then characterize the differences 
between regulation as an ex-ante method of exercising control versus 
litigation as a method that influences behaviors before the loss-
producing event occurs by assigning liability ex post. The 
discussion proceeds by comparing the relative advantages of 
disadvantages of each method, contrasting one relative to the other.
    In reviewing CAT LLC's proposed plan amendment for a limitation 
of liability, the Commission is faced with the choice of whether to 
supplement the cyber regulatory regime that the Commission has 
already imposed by affording Industry Members the ability to bring 
private litigation against CAT LLC and the Participants. Based on 
our application of the economic literature, we conclude that 
regulation alone is preferable to regulation plus litigation. As 
discussed below, the approach that relies largely on regulation 
alone would be an improvement in economic efficiency and a benefit 
to the investing public over a regulation plus litigation approach 
as proposed by Industry Members. Accordingly, the limitation on 
liability proposed by the Participants is appropriate from the 
perspective of economic theory.

A. The Choice Between Regulation and Litigation

    The standard (legal, economic, and moral) reason for seeking to 
control the actions of economic agents who engage in risky 
activities is to maximize the social welfare of the activity. Steven 
Shavell, the Samuel R. Rosenthal Professor of Law and Economics at 
Harvard Law School, provides a useful definition of social welfare 
as ``the benefits [each] party derives from engaging in their 
activities, less the sum of the costs of precautions, the harms 
done, and the administrative expenses associated with the means of 
social control.'' \95\
---------------------------------------------------------------------------

    \95\ Steven Shavell, ``Liability for Harm Versus Regulation of 
Safety,'' The Journal of Legal Studies, Vol. 13, No. 2 (June 1984), 
pp. 357-374.
---------------------------------------------------------------------------

    Regulation is one of the primary ``means of social control'' 
referenced in Shavell's definition. Regulatory control is 
characterized by its reliance upon rules designed to reduce to some 
acceptable level the likelihood of occurrence of a loss, or to 
minimize the size of the loss, should one occur. These rules are 
most often defined by professionals who are experts in the 
underlying risk exposure, and they are promulgated before the 
economic activity commences. Each party to the activity is required 
to follow the rules and enforcement is typically conducted using 
publicly observable mechanisms.
    Litigation is a second ``means of social control.'' Economists 
(and others) have long recognized that the prospect of being held 
legally liable for harm ex post provides incentives for the relevant 
parties to take care ex-ante, thereby reducing the likelihood or the 
expected severity of an adverse event injuring either the first 
party or third parties. Litigation is characterized by the use of 
legal

[[Page 613]]

standards to assign liability after the loss producing event has 
occurred that are applied and adjudicated by non-experts in the 
underlying risk using private enforcement mechanisms (e.g., civil 
lawsuits involving private lawyers, judges and jurors) that may 
involve informing the non-experts using testimony provided by 
experts (i.e., by expert witnesses, professionals, etc.).
    One-way economists examine which method of social control may be 
preferable is in the context of ``incentive alignment'' among the 
parties to the economic activity. That is, how do you get each party 
to recognize and address not only the damages they might suffer, but 
the damages that other parties (customers, vendors, employees, etc.) 
might incur because the first party suffered an adverse event?
    We focus on comparing regulation vs. litigation and on systems 
of social control that employ the joint use of each tool for the 
purposes of this White Paper.

B. Economic Determinants of the Relative Attractiveness of 
Regulation or Litigation To Control Risk

    A well-established literature has developed over several decades 
that discusses the circumstances when regulation or litigation will 
be the preferred means of control to minimize the social cost of 
loss producing events.\96\ This subsection examines general economic 
considerations underlying a mix of regulation and litigation that 
minimizes the overall expected costs of adverse events such as cyber 
breaches. Subsequently, we apply the insights of this literature to 
the issue at hand--the optimal control of cyber risk for CAT LLC, 
and whether the Commission should supplement the existing regulatory 
regime by allowing Industry Members to sue CAT LLC and the 
Participants in the event of a breach.
---------------------------------------------------------------------------

    \96\ In addition to the 1984 Shavell article referenced in the 
prior footnote, the following articles are of particular note: 
Ronald H. Coase, ``The Problem of Social Cost,'' Journal of Law and 
Economics, Vol 3 (1960), pp. 1-44; Harold Demsetz, ``When Does the 
Rule of Liability Matter?'' Journal of Legal Studies, Vol. 1, No. 1, 
(January 1972) pp. 13-28; and Steven Shavell, ``Liability for 
Accidents,'' Chapter 2 in Handbook of Law and Economics, Vol. 1, 
Mitchell Polinsky and Steven Shavell, eds., Elsevier, 2007. There 
are many additional references in the latter chapter.
---------------------------------------------------------------------------

    A first consideration relates to the rules-based nature of 
regulation. Regulation relies upon each party having a clear 
understanding of the legal obligation they must perform before they 
conduct the economic activity. Regulation tends to be preferred to 
litigation in circumstances where the rules can be written with 
precision, when the marginal compliance costs associated with the 
rules are low, and when compliance can be transparently verified by 
all parties, including the first party, all third parties, and by 
the regulator.\97\
---------------------------------------------------------------------------

    \97\ The compliance transparency condition is complicated in the 
case of cyber security by the need to prevent cyber criminals from 
understanding and evading cyber defenses and by the fact that cyber 
criminals themselves operate with great secrecy to avoid detection. 
A litigation approach, however, offers no advantage over regulation 
in compliance transparency and may actually increase the risk of 
cybercrime elsewhere by inadvertently disclosing information on 
cyber defenses. It is also germane to note that Industry Members sit 
on the Advisory Committee and SEC representatives have substantial 
visibility into the operations of the CAT and the Plan Processor. We 
discuss this latter point in detail later in the White Paper.
---------------------------------------------------------------------------

    One way that the reliance upon rules becomes problematic is when 
it is difficult to write a precise ex-ante rule that considers all 
possible circumstances that might be associated with the context of 
the loss. In such cases, it is likely the resulting standard will 
either be vague, highly complex, or will not consider every possible 
situation that might arise when the loss producing event occurs. Ex 
post litigation may be preferred in these situations so that 
judgement regarding the circumstances of the loss can be more easily 
considered as part of the adjudication process.
    Regulatory rules that cannot be precisely written are also 
problematic to the extent they cause the parties to the activity to 
inadvertently not follow the rule or to have different 
interpretations of the rule. In either circumstance, it may be 
possible that all parties incur the administrative costs of 
designing the rule and of attempting to comply with the vague rule, 
and then also incur the administrative costs associated with 
interpreting the application of the vague rule once the loss has 
occurred. This duplication of administrative costs, both ex-ante and 
ex post, reduces the attractiveness of regulation in favor of 
litigation where the administrative costs are borne only once.
    Regulatory systems tend to dominate when compliance with the 
rule(s) can be monitored by the regulator with low marginal cost and 
there is high transparency regarding the effort taken to comply with 
the rules. Litigation dominates in situations when there are 
significant informational asymmetries between the parties or between 
the parties and the regulator to determine compliance. The 
adversarial nature of proceedings where courts can compel the 
parties to reveal private case-specific information that has already 
taken place leads to more accurate liability assignment ex post and, 
therefore, incentives to mitigate the risk ex-ante. As a result, a 
litigation regime provides stronger incentives for each party to 
internalize the private information they have about the effort they 
take to minimize losses about the damages they might suffer, or 
about the damages they might impose on the third party relative in 
situations where it is costly for the parties to become informed 
about each other's actions ex-ante or in real-time.
    Regulatory systems are preferable when the activity can result 
in so-called ``judgment proof problems.'' A judgment proof problem 
is synonymous with the classic externality where the actions of a 
responsible party imposes costs on a third party (or parties) that 
the responsible party is unable or unlikely to pay despite being the 
source of those costs. Agents can be judgement proof for several 
reasons. A responsible party may be judgment proof if the losses it 
produces are spread amongst many third parties and no single entity 
has a large enough incentive to hold the first party accountable for 
the damages it produced--the so-called ``disappearing defendant'' 
problem. A responsible party may also be judgment proof when the 
adverse event produces a catastrophic loss that exceeds the first 
party's available assets to provide compensation. Litigation 
systems, by definition, allow for the possibility that the 
catastrophic loss may happen and thereby permit the prospect that 
full recovery by the injured party may not be possible. Knowing the 
effects of a possible catastrophic event will not be fully realized 
by the first party reduces the first party's up-front incentives to 
take care.
    The ex-ante approach of regulation mitigates judgement proof 
problems by seeking to avoid the loss itself. Appropriately 
designed, regulations can compel the first party to internalize 
expected social costs of losses suffered by third parties, 
incorporating those third-party costs into the first-party's 
decision making.
    It is also important to consider the joint use of each policy 
tool. For example, drug manufacturers are subject to testing regimes 
(ex-ante regulation) before a new drug can be licensed and sold on 
the market and can be held liable for damages (ex post litigation) 
for drugs that cause injury to consumers, sometimes even in cases 
where the manufacturer followed all the up-front testing regimes.
    From an economic perspective, the joint use of both regulation 
and litigation should be considered only when there is sufficient 
incremental efficiency that can be gained by using both methods of 
social control collectively. In these situations, one method--either 
or regulation or litigation--will be the primary method, and the 
relevant question is whether adding the other method will improve 
incremental efficiency. For example, an article in the leading 
economics journal argues litigation supplemented by regulation can 
resolve a form a judgment proof problem that arises when it is 
possible a third party may be unable to recover damages because 
courts can make errors by incorrectly applying a negligence 
standard. Adding regulation, ex-ante, to the ex post liability 
regime can help mitigate the litigation uncertainty by ensuring the 
negligence standard established by the court is not too low.\98\
---------------------------------------------------------------------------

    \98\ Kolstad, Charles D., Thomas S. Ulen, and Gary V. Johnson, 
``Ex Post Liability for Harm vs. Ex Ante Safety Regulation: 
Substitutes or Complements?'' The American Economic Review Vol. 80, 
No. 4 (Sep. 1990), pp. 888-901.
---------------------------------------------------------------------------

    Similarly, there are circumstances where it is advantageous to 
add litigation to mitigate the informational limitations of the 
regulatory policy tool. For example, the efficacy of regulation 
declines when a regulator monitoring a firm can observe compliance 
with certain rules but not others. In this case, adding liability 
through litigation to the regulatory regime can increase the 
efficiency of the entire system because ex post litigation is better 
suited to consider context-specific information after the loss has 
occurred focused on the rules for which compliance cannot easily be 
verified ex-ante.\99\ A second area where regulatory

[[Page 614]]

systems suffer is when the regulator faces differential ability to 
monitor the firms in the industry it is overseeing or the firms have 
heterogenous assets such that it is difficult to write precise rules 
and standards. Both circumstances can create ex post judgement proof 
problems. In this case, using a regulation approach with relatively 
low compliance standards helps to avoid some of the losses while 
adding the liability regime can serve to provide additional 
incentives to mitigate the risks that are tailored to the specific 
circumstances of the individual loss-producing entity.\100\
---------------------------------------------------------------------------

    \99\ Bhole, Bharat, and Jeffrey Wagner, ``The Joint Use of 
Regulation and Strict Liability with Multidimensional Care and 
Uncertain Conviction,'' International Review of Law and Economics 
Vol. 28 (2008) pp. 123-132.
    \100\ De Geest, Gerrit, Giusseppe Dari-Mattiacci, ``Soft 
Regulators, Tough Judges,'' Supreme Court Economic Review Vol. 15 
(2007) pp. 119-140.
---------------------------------------------------------------------------

    Financial services and health and safety are two areas where the 
informational limitations and differential ability to monitor has 
corroborated the co-existence of regulation and litigation as means 
of ex-ante risk control. Financial institutions, for example, are 
regulated regarding the risk they might pose in the areas of 
solvency and consumer disclosure. But they are still subject to 
litigation over specific transactions where the information 
requirements to make certain decisions are high. We see similar 
strategies employed in the food and drug industries. There exist 
baseline regulatory requirements, but harmed parties are still 
permitted to sue based on specific circumstances giving rise to 
their harm.
    The CAT is different from the examples cited here that support 
the co-existence of regulation and litigation to control risky 
behavior. The CAT does not face numerous customers with different 
fact-specific conditions. There are a relatively small handful of 
parties involved, all of whom are already regulated by the SEC. In 
the situation faced by the CAT, the SEC has already concluded that 
the existing cyber security framework is adequate and they can amend 
the regulatory scheme to require additional cyber security measures 
to enhance the ex-ante protection against cyber breaches, to the 
extent permitted by applicable laws and regulations. Indeed, the SEC 
has pursued this path on multiple occasions.\101\ The Industry 
Members, even though they do not run the day-to-day operations of 
CAT, have the opportunity to comment on this proposal (as they do 
with all proposed CAT NMS Plan amendments). Similarly, in May 2020 
the SEC amended the CAT NMS Plan with the goal of increasing 
operational transparency and financial accountability.\102\
---------------------------------------------------------------------------

    \101\ For a recent proposal, see SEC, Amendments to the National 
Market System Plan Governing the Consolidated Audit Trail to Enhance 
Data Security, RIN 3235-AM62, Release No. 34-89632, File No. S7-10-
20, August 21, 2020.
    \102\ SEC, Amendments to the National Market System Plan 
Governing the Consolidated Audit Trail, RIN 3235-AM60, Release No. 
34-88890, File No. S7-13-19, May 15, 2020.
---------------------------------------------------------------------------

    The SEC can also file enforcement actions to compel compliance 
with the extensive cyber security requirements for the CAT. 
Enforcement action brought by the SEC against the CAT would be 
highly informed by the SEC's pre-existing regulatory supervision and 
is potentially informed by Industry Members through their ability to 
monitor CAT via their role on the Advisory Committee. The SEC, 
therefore, is uniquely positioned to consider the costs and benefits 
of taking enforcement action, and to tailor the scope and nature of 
enforcement proceedings in a way that best balances the competing 
stakeholder and public interests the CAT is designed to serve. The 
SEC is also able to use information that it acquires through 
multiple sources including its own examinations and, potentially, 
investigations of the CAT in conducting that cost-benefit analysis.
    The litigation ability sought by Industry Members, however, is 
of a substantially different nature than that held by the SEC. The 
possibility of the CAT being forced by Industry Member initiated 
litigation to take actions either in conflict with or uncoordinated 
with the SEC's regulatory requirements is not trivial.\103\ 
Furthermore, adding litigation to regulation does not resolve 
judgement proof problems, and in fact, for some judgment proof 
problems, it may not be the preferred solution.
---------------------------------------------------------------------------

    \103\ Litigation on the part of Industry Members, if successful, 
could result in a court decision that addresses one type of risk but 
then distorts cyber hygiene for the CAT away from other, now more 
pressing risks. The court decision, by its nature, remediates past 
problems with little, or no, regard to the problems arising in the 
future. A litigated solution could address a particular risk, but 
then inhibit the adoption of newer cyber hygiene methods.
---------------------------------------------------------------------------

    Shavell suggests compulsory insurance is a potential solution to 
the judgment proof problem of inadequate assets as a way to 
compensate injured victims.\104\ He cautions, however, the problem 
of inadequate assets that leads to inadequate incentives to take 
care will not be ameliorated if the insurer is unable to design an 
insurance contract where the insurance premium reflects the 
insurer's ability to monitor the insured's readiness (the premium 
recognizes investments by the policyholder to reduce the likelihood 
of loss), if the insurance is only available at limits well below 
the potential loss, or if the insurance is priced above the 
actuarially fair premium.
---------------------------------------------------------------------------

    \104\ Shavell, Steven, ``The Judgement Proof Problem,'' 
International Review of Law and Economics Vol. 6, No. 1 (June 1 
1986), pp. 45-48.
---------------------------------------------------------------------------

C. Special Considerations Arising for the CAT's Cyber Security

    There are certain special considerations when examining the 
roles of regulation and litigation in aligning incentives 
appropriately for CAT's cyber risk. While regulation has a long 
history in public policy towards economic activity, cyber risk 
presents features that transcend prior regulatory endeavors. Much of 
regulation, for example, addresses relations between regulated 
entities and their customers or vendors--parties that enter into 
legal transactions willingly. Health and safety regulation, as 
another example, focuses on decisions and actions that are solely 
under the control of the regulated entities. Safety regulation of 
nuclear power plants, for example, is designed to avoid accidents 
that would create considerable harm to those living within the 
vicinity of the plant but for which there does not exist a 
contractual relationship between the parties.
    The question of how best to encourage investment in protection 
against cybercrime is challenging because the parties harmed are 
varied, there exist circumstances where it may not immediately be 
known that a loss has occurred, and holding the perpetrators liable 
for their actions, even if they can be identified, is often not 
possible. On a very general level, entities that may be targets of 
cybercriminals have incentives to invest in cyber security measures 
up to the point where the last dollar of expenditures is expected to 
prevent at least that level of cyber loss to the entity. Cyber 
losses consist of direct costs to the breached entity and the costs 
that the entity expects it would pay to other parties harmed by the 
entity's cyber breach. The concern, therefore, is that entities may 
choose to not invest at a socially optimal level of protection if 
they do not internalize the expected direct costs of the potentially 
breached entity as well as the costs of all other affected parties. 
System administrators who have the responsibility to maintain and 
enhance the integrity of information assets and the systems that 
protect them may face situations where the benefits that might 
accrue from an investment in security may accrue to others outside 
the firm but may not be fully internalized to the firm. In these 
cases, markets do not provide sufficient incentive for the optimal 
investment in protection. Without an intervention of some sort to 
correct the externality, such as the cyber security regulatory 
regime mandated by the SEC, there may be insufficient incentive to 
invest in security at the economically optimal level.
    Regulation of cyber security adds an additional dimension that 
is novel and difficult to manage--protection against malicious 
actors that have incentives and abilities to wreak havoc against 
parties with whom they have no consensual relationship while 
simultaneously avoiding legal sanction. Importantly, litigation 
against the first-party breach victims by third-party victims of 
cybercrime adds little, if any, incentive or ability to mitigate the 
frequency or severity of cybercrime when the first party is subject 
to an extensive, transparent, and well-functioning regulatory 
approach to overseeing cyber security.
    For the reasons discussed in Section II, possible cyber breaches 
of the CAT can cause the CAT, the Plan Processor, and the 
Participants themselves to all experience significant harm (e.g., 
loss of data or access to regulatory capabilities). The adverse 
effects on this group as first-party operators are already 
incorporated into the decisions the CAT and the Plan Processor 
regarding cyber security. Moreover given the fact that: The SEC is 
another party affected by the CAT's cyber risk, the Plan Processor 
is required to comply with the SEC's cyber mandates, and the 
Industry Member's role on the Advisory Committee,\105\ there is 
little, if

[[Page 615]]

any, additional harm to third parties that is not already 
incorporated into the decision making of the CAT and the Plan 
Processor. In economic terms, adding the threat of litigation would 
do nothing to further internalize into the CAT's decision making the 
possible losses suffered by the Industry Members. Indeed, it is 
possible that efforts to reduce the cyber risks that most concern 
Industry Members in an effort to avoid litigation may take resources 
from the CAT that would be better used to improve overall cyber 
hygiene.
---------------------------------------------------------------------------

    \105\ ``Members of the Advisory Committee shall have the right 
to attend meetings of the Operating Committee or any Subcommittee, 
to receive information concerning the operation of the Central 
Repository (subject to Section 4.13(e)), and to submit their views 
to the Operating Committee or any Subcommittee on matters pursuant 
to this Agreement prior to a decision by the Operating Committee on 
such matters. . . .'' See SEC, Order Approving CAT, The Limited 
Liability Company Agreement of CAT LLC, Section 4.13(d).
---------------------------------------------------------------------------

    Another notable information asymmetry in the cyber security 
arena is the ability of perpetrators to hide methods, intentions, 
and targets from scrutiny. Even with diligent cyber security efforts 
on the part of potential targets, cyber breaches may not be detected 
promptly enough, and first-party breach victims may not know they 
have been breached. Even though there are now extensive breach 
notification requirements (including in the CAT NMS Plan), it takes 
time and effort to understand the scope of the breach and the scale 
of the required notifications. Relatedly, breached entities may have 
incentives to not reveal they have been hacked. Cyber breaches occur 
often because of weaknesses in software design and implementation 
that are then exploited by the bad actors. Relevant software is most 
often purchased from non-parties and affected parties rely on the 
integrity of the purchased software. There is also a public goods 
nature for information about cyber breaches. Knowledge of a 
particular cyber breach at one victim can help other targets avoid 
becoming victims. The incentive to disclose a breach to support 
others for no private gain is a classic common goods problem.
    The concerns about disclosing a cyber breach with the CAT are 
substantially, if not completely, mitigated. CAT LLC exists only 
because of an SEC mandate that a centralized database is essential 
to improving the monitoring and supervision of U.S. securities 
trading activity. The SEC has closely supervised the formation and 
operation of the CAT, and there are no other entities similar to the 
CAT to diffuse the SEC's attention. The SEC has imposed extensive 
and specific requirements on the CAT regarding its cyber security 
operations. ``The security and confidentiality of CAT Data has 
been--and continues to be--a top priority of the Commission. The CAT 
NMS Plan approved by the Commission already sets forth a number of 
requirements regarding the security and confidentiality of CAT 
Data.'' \106\ Numerous SEC personnel and regulatory personnel at the 
Participants will access the CAT's Central Repository on a daily 
basis. The SEC's knowledge of the CAT's cyber security standards and 
operations is extensive and precise. Finally, CAT is a not a for-
profit entity and its fundamental mission is to serve the public 
good as defined by the SEC. As a result, its incentives to withhold 
information are minimized relative to for-profit entities.
---------------------------------------------------------------------------

    \106\ SEC, Amendments to the National Market System Plan 
Governing the Consolidated Audit Trail to Enhance Data Security, RIN 
3235-AM62, Release No. 34-89632, File No. S7-10-20, August 21, 2020, 
I. Background, pp. 9-10.
---------------------------------------------------------------------------

    These considerations present challenging obstacles to an 
effective litigation approach to cyber security for the CAT. An 
advantage of the regulatory approach to the CAT's cyber security is 
the ability of the SEC to require the CAT and the Plan Processor to 
implement cyber security initiatives, standards, policies, and 
procedures promulgated by entities with deep knowledge and 
experience in cyber matters--thereby internalizing the social 
benefits of investing in cyber security into their decision making. 
The SEC can also require CAT LLC and the Participants to amend their 
cyber policies, procedures, systems and controls in response to 
subsequent developments or newly identified vulnerabilities, to the 
extent consistent with applicable laws and regulations. In addition, 
it is important to recognize that the SEC may bring enforcement 
actions against Participants and the CAT should they fail to comply 
with best practices embodied in the CAT NMS Plan or SEC regulations, 
including Regulation SCI.\107\ An SEC enforcement action 
(litigation) would likely be settled with the non-complying 
party(ies). This has the benefit of penalizing non-compliance 
without the added cost of protracted litigation. Adding a third-
party litigation approach as proposed by Industry Members on top of 
existing regulation and potential enforcement action runs the risk 
of incurring marginal costs without adding any incremental benefit. 
We elaborate on this point in Section D.2 below.
---------------------------------------------------------------------------

    \107\ Regulation SCI (Regulation Systems Compliance and 
Integrity and Form SCI) was adopted by the SEC in November 2014 ``to 
strengthen the technology infrastructure of the U.S. securities 
markets.'' Regulation SCI applies to the Participants and is 
designed to ``Reduce the occurrence of systems issues; Improve 
resiliency when systems problems do occur; [and] Enhance the 
Commission's oversight and enforcement of securities market 
technology infrastructure.'' See SEC website, ``Spotlight on 
Regulation SCI,'' https://www.sec.gov/spotlight/regulation-sci.shtml 
accessed November 2020.
---------------------------------------------------------------------------

D. Assessment of Regulation and Litigation Approaches as Applied to 
a Potential CAT LLC Cyber Breach

    In this section, we apply the economic considerations discussed 
in Sections A through C above to analyze whether CAT's cyber 
security risk should be addressed through regulation, litigation, or 
a combination of both methods. We conclude that affording Industry 
Members the ability to sue CAT LLC and the Participants for damages 
suffered as a result of a potential CAT data breach would not 
meaningfully increase the incentives for CAT LLC to take appropriate 
cyber precautions but would increase the costs to various market 
participants, including the Participants, Industry Members, and 
individual investors. Under these circumstances, the Participants' 
proposed limitation of liability amendment to the CAT Reporter 
Agreement would serve important policy goals.

1. Recapitulation of CAT's Risks, Standards, Policies, and Practices

    The potential for cyber breaches at the CAT exists and can 
result in harm to some parties is acknowledged by all, including the 
SEC. ``The Commission acknowledges that the costs of a breach, 
including breach management, could be quite high, especially during 
periods of market stress. Furthermore, the Commission understands 
that a breach could seriously harm not only investors and 
institutions but also the broader financial markets.'' \108\ In its 
Order Approving CAT, the SEC ``explained its belief that it is 
difficult to form reliable economic expectations for the costs of 
security breaches'' \109\ and that ``the form of the direct costs 
resulting from a security breach will vary across market 
participants and could be significant.'' \110\ The SEC continued, 
``The Commission is unable to provide quantitative estimates of 
those costs because there are few examples of security breaches 
analogous to the type that could occur under the Plan and because 
the Plan Processor has some discretion in developing its breach 
management plan.'' \111\
---------------------------------------------------------------------------

    \108\ SEC, Order Approving CAT, Section V.F.4. Economic 
Analysis, Expected Costs of Security Breaches, p. 708.
    \109\ SEC, Order Approving CAT, Section V.F.4. Economic 
Analysis, Expected Costs of Security Breaches, p. 704.
    \110\ SEC, Order Approving CAT, Section V.F.4. Economic 
Analysis, Expected Costs of Security Breaches, p. 705.
    \111\ SEC, Order Approving CAT, Section V.F.4. Economic 
Analysis, Expected Costs of Security Breaches, p. 708.
---------------------------------------------------------------------------

    The SEC has mandated that the CAT and the Plan Processor (FINRA 
CAT) implement a number of specific cyber security protocols.\112\ 
The SEC's regulation of the CAT, therefore, focuses appropriately on 
ex-ante risk reduction requiring a variety of cyber best practices 
by the CAT and its users.
---------------------------------------------------------------------------

    \112\ Consolidated Audit Trail website, Security: FAQs, https://www.catnmsplan.com/faq. Response to questions S1, S10, and S11 
accessed August 2020.
---------------------------------------------------------------------------

    The SEC can employ a variety of regulatory enforcement measures 
to compel the CAT (and other market participants) to establish and 
maintain a high level of cyber security. With these and other 
protocols, practices, and procedures in place, ``[t]he Commission 
discussed . . . its belief that the risks of a security breach may 
not be significant because certain provisions of Rule 613 and the 
CAT NMS Plan appear reasonably designed to mitigate these risks.'' 
\113\ In its Order Approving CAT, the SEC anticipated and resolved 
many of SIFMA's concerns regarding the public interest aspect of the 
proposed CAT Report Agreement amendment.\114\ It is worth quoting

[[Page 616]]

extensively from the SEC's Discussion and Commission Findings 
section in the Order Approving CAT to understand the approach 
adopted by the SEC.
---------------------------------------------------------------------------

    \113\ SEC, Order Approving CAT, Section V.F.4. Economic 
Analysis, Expected Costs of Security Breaches, p. 708.
    \114\ The Commission notes that the Participants' proposed 
governance structure--with both an Operating Committee and an 
Advisory Committee--is similar to the governance structure used 
today by other NMS plans, and the Commission believes that this 
general structure is reasonably designed to allow the Participants 
to fulfill their regulatory obligations and, at the same time, 
provide an opportunity for meaningful input from the industry and 
other stakeholders.
    SEC, Order Approving CAT, Section IV.B.1, pp. 139-140, emphasis 
added.

    Rule 613 tasks the Participants with the responsibility to 
develop a CAT NMS Plan that achieves the goals set forth by the 
Commission. Because the Participants will be more directly 
responsible for the implementation of the CAT NMS Plan, in the 
Commission's view, it is appropriate that they make the judgment as 
to how to obtain the benefits of a consolidated audit trail in a way 
that is practicable and cost-effective in the first instance. The 
Commission's review of an NMS plan is governed by Rule 608 and, 
under that rule, approval is conditioned upon a finding that the 
proposed plan is ``necessary or appropriate in the public interest, 
for the protection of investors and the maintenance of fair and 
orderly markets, to remove impediments to, and perfect the mechanism 
of, a national market system, or otherwise in furtherance of the 
purposes of the Act.'' Further, Rule 608 provides the Commission 
with the authority to approve an NMS plan, ``with such changes or 
subject to such conditions as the Commission may deem necessary or 
appropriate.'' In reviewing the policy choices made by the 
Participants in developing the CAT NMS Plan, the Commission has 
sought to ensure that they are supported by an adequate rationale, 
do not call into question the Plan's satisfaction of the approval 
standard in Rule 608, and reasonably achieve the benefits of a 
consolidated audit trail without imposing unnecessary burdens. In 
addition, because of the evolving nature of the data captured by the 
CAT and the technology used, as well as the number of decisions 
still to be made in the process of implementing the CAT NMS Plan, 
the Commission has paid particular attention to the structures in 
place to guide decision-making going forward. These include the 
governance of the Company, the provisions made for Commission and 
other oversight, the standards established, and the development 
milestones provided for in the Plan.\115\
---------------------------------------------------------------------------

    \115\ SEC, Order Approving CAT, Section IV., Discussion and 
Commission Findings, pp. 126-127, emphasis added, internal footnotes 
omitted.

    The SEC, therefore, after an extensive consideration of the 
overall costs and benefits of the CAT, already has expressed its 
judgment that the cyber security requirements it imposed on the CAT 
sufficiently serve the public interest. In its November 15, 2016 
Joint Industry Plan; Order Approving the National Market System Plan 
Governing the Consolidated Audit Trail, Supplementary Information, 
the SEC concluded, ``[T]hat the [CAT NMS] Plan, as amended, is 
necessary and appropriate in the public interest, for the protection 
of investors and the maintenance of fair and orderly markets, to 
remove impediments to, and perfect the mechanism of a national 
market system, or is otherwise in furtherance of the purposes of the 
[Securities Exchange] Act [of 1934].'' \116\
---------------------------------------------------------------------------

    \116\ SEC, Order Approving CAT, Section I. Introduction, p. 8, 
emphasis added. Nearly identical wording was repeated in Section IV. 
Discussion and Commission Findings, p. 129 and Section VII. 
Conclusion, p. 979.
---------------------------------------------------------------------------

2. Alignment of Incentives

    As explained in Sections A through C above, and mentioned in 
SIFMA's Memorandum of Law, the issue here is the ``allocation of 
risk (and resulting incentives) relating to a potential CAT data 
breach to ensure that data is not misused, misappropriated or 
lost.'' \117\ Industry Members, through SIFMA, assert that the 
Participants' proposed limitation on liability would impose 
significant burdens on them. In essence, by advocating against the 
inclusion of a limitation of liability provision in the Reporter 
Agreement, Industry Members have argued that the risks associated 
with a CAT cyber breach are best addressed through litigation they 
can initiate as opposed to regulation and, if necessary, enforcement 
action by the SEC. But an application of the economic principles 
discussed above to an examination of the CAT fundamentally 
challenges Industry Members' interpretation.
---------------------------------------------------------------------------

    \117\ Memorandum of Law in Support of SIFMA's Motion to Stay SRO 
Action Pending Commission Review of SIFMA's Application Pursuant to 
Exchange Act Sections 19(d) and 19(f), April 22, 2020, p. 15.
---------------------------------------------------------------------------

    Relying primarily upon a regulatory regime, as proposed by 
Participants, is reasonable based upon our analysis for several 
reasons.
     CAT LLC is a legal entity jointly owned by the 
Participants. The Participants, as SROs, are already overseen by the 
SEC and are therefore subject to significant regulatory requirements 
to limit their exposure to cyber risk. The SROs also use the CAT to 
fulfill their regulatory functions under supervision of the SEC. A 
cyber breach at the CAT would affect the SROs' ability to perform 
their regulatory function--meaning that the SROs, as users of the 
CAT, have a strong interest in the CAT's cyber security. As 
discussed above, the SEC can impose--and has in fact imposed--
additional cyber regulations in response to subsequent developments 
or to address newly identified threats. As meaningfully regulated 
entities, the Participants are obligated to comply with regulatory 
requirements or face consequences. The Participants have already 
implemented cyber security standards, policies and procedures to 
protect their information from successful attack. Further, similar 
to the CAT, SROs have in place liability limitations with Industry 
Members for cyber loss.\118\ If Industry Members have already 
accepted limitations on liability for cyber loss with individual 
SROs, imposing limitations on liability for cyber loss applied to an 
SEC-mandated consortium composed of those individual SROs 
substantially works to negate the pre-existing individual 
limitations on liability.
---------------------------------------------------------------------------

    \118\ See the discussion in Section 4 for some useful examples.
---------------------------------------------------------------------------

     CAT LLC's funding principles seek to cover the annual 
operating costs of the company, and the financial assets are 
designed to be minimal and substantially lower than the maximum 
possible loss due to several extreme possible cyber breach 
scenarios. There is presently no asset reserve, and no plans to 
build one, on the balance sheet of CAT LLC that could cover a 
substantial cyber loss. Dispensing with the liability exposure will, 
therefore, not likely change CAT LLC's incentive to avoid losses 
beyond its existing minimal asset base.
     The efficiency of regulatory systems to achieve 
economically optimal outcomes declines when the monitor is required 
to oversee an industry consisting of heterogeneous firms where it is 
difficult to promulgate rules that apply with equal precision to all 
firms. As discussed in Section B above, efficiency gains may be 
possible in such an industry by supplementing the regulatory system 
with a liability system that can add context-specific information 
should a loss occur. In this case, however, CAT LLC is the only firm 
being overseen. As a result, the regulatory system is tailored 
specifically on an ex-ante basis with rules targeted to this 
particular firm. Thus, adding litigation initiated by Industry 
Members in this case, where context specific information can be 
considered ex post, is difficult to justify as there is an ongoing 
dialogue where the regulatory rules can be revised and tailored as 
circumstances change over time through the monitoring mechanisms 
available to the Industry Members and to the SEC through its 
examination of the CAT by the Office of Compliance Inspections and 
Examinations.
     Regulatory arrangements can also be enhanced in 
situations where the monitoring costs associated with compliance are 
high and when the regulated activity is composed of heterogenous 
firms. Again, this circumstance is unique, however, as CAT LLC is 
the only firm being monitored. Importantly, representatives of the 
SEC attend all Operating Committee meetings, participate in the 
Security Working Group and Interpretations Working Group, and 
receive updates regarding various aspects of the project and system 
on a daily basis. In addition, the Industry Members are designated 
members of the Advisory Committee, which gives them access to 
substantial information about the cyber security circumstances at 
the CAT and the Plan Processor. The Industry Members' role on the 
Advisory Committee also provides them an ability to attend all 
Operating Committee meetings as well as meetings of other 
subcommittees and working groups and, therefore, the ability to 
advocate for their interests on the cyber security policy and 
procedures and other issues related to CAT LLC. While the Industry 
Members' role is advisory in nature, there is no restriction that 
prevents any Industry Member from raising specific concerns 
regarding CAT LLC's cyber security directly with the SEC. In 
addition, Industry Members transfer large amounts of data into the 
CAT, thereby contributing to the risk of a breach (e.g.,

[[Page 617]]

malicious data could be inserted, knowingly or not, through an 
Industry Member data upload). Thus, Industry Members are active 
participants in the cyber mitigation activities of CAT LLC and 
active enforcement monitors of the Plan Processor and the 
Participants.
    The SEC has required that CAT LLC and the Plan Processor 
implement and maintain an extensive cyber security regimen. 
Importantly, both the SEC and Industry Members can monitor and 
provide input on the cyber security hygiene of the CAT and the Plan 
Processor, and the SEC can bring enforcement actions against the 
Participants if they fail to meet the standards in the regulatory 
regime. Under these conditions, adding an ability for Industry 
Members to sue CAT LLC or the Plan Processor in the event of a cyber 
breach will not meaningfully improve the incentives to implement and 
maintain the security of the data residing at CAT. Those incentives 
already exist based on ex-ante regulation. Consequently, our 
analysis suggests removing the limitation of liability provision 
will not lead to increases in the safety of the cyber security 
program or reductions in expected losses due to successful cyber-
attacks.

3. Additional Costs of Litigation

    In addition to considering the potential benefits of litigation 
(which appear to be minimal for the reasons discussed above), an 
economic analysis must also consider costs of allowing litigation by 
Industry Members.
    At a minimum, any means of social control of a risky activity 
comes with administrative expense. It is important, therefore, to 
determine if the incremental control that comes with the associated 
set of benefits justifies the additional expense. The additional 
costs of cyber security protection or remediation (or of 
compensation paid to adversely affected parties who successfully 
litigate should a loss occur) that would be funded by CAT LLC need 
to be examined relative to the expected marginal benefits.
    More substantively, the threat of litigation without concomitant 
benefits can lead to significant extra-marginal costs that reduce 
social welfare. For example, the threat of medical malpractice 
litigation has been cited as a motivation for excess medical 
testing.\119\ In this case, the prospect of litigation arising from 
the absence of the limitation on liability provision has the 
prospect for prompting overpayment for cyber security on the part of 
the CAT and the Plan Processor beyond the economically optimal level 
of protection, despite the analysis we present above suggesting that 
such litigation would provide no incremental benefit. The prospect 
of third-party litigation may prompt CAT LLC to expend resources on 
cyber security systems that supplement the detailed (and regularly 
updated) framework implemented by the Commission, but that do not 
reduce the cyber risk commensurate with the costs. The threat of 
litigation from Industry Members arising from a cyber breach at the 
CAT could also affect decisions on the implementation of new 
protocols at CAT. One can easily imagine the Plan Processor, 
responding to perceived concerns from Industry Members, might adopt 
an overly risk averse posture and not pursue new opportunities to 
decrease costs or increase efficiencies at the CAT as new 
technologies become available given an overemphasis on certain 
courses of action and underinvestment in others. It could actually 
result in an overinvestment in cyber security and an underinvestment 
in productivity-enhancing projects where the costs of these 
decisions would ultimately be passed on to the investors in the form 
of higher costs of trading, higher costs of securing capital, etc.
---------------------------------------------------------------------------

    \119\ By one estimate, Mello, Chandra, Gawande, and Studdert 
(2010) suggest between 2-3 percent of health care spending in the 
United States, or $55.6 billion (in 2008), is related to the costs 
of defensive medicine. See Mello, Michelle M., Amitabh Chandra, Atul 
A. Gawande, and David M. Studdert, ``National Costs of the Medical 
Liability System,'' Health Affairs Vol. 8, No. 29 (Sep. 2010) pp. 
1569-1577.
---------------------------------------------------------------------------

    An over-investment in cyber security, moreover, could make the 
CAT less effective in achieving the Commission's goals. A CAT system 
burdened by excess security measures could slow down database 
searches, surveillance programs, and other essential functions. 
Security measures added to hedge against litigation risk, for 
example, might limit the number of records that could be returned in 
a single query, restrict access to a less-than-optimal pool of 
regulatory personnel (at the SEC and the SROs), or require 
importation of outside data into CAT environments that would expand 
the CAT's overall attack surface. Indeed, as noted above, allowing 
third-party litigation would run the risk that a court would mandate 
security protocols that conflict or interfere with those adopted by 
the SEC.
    Extending the CAT's asset base (i.e., increasing CAT LLC's 
assets or broadening the number of firms potentially liable in the 
event of a loss) may have the theoretical advantages of reducing the 
judgment proof problem discussed earlier and provide compensation to 
those negatively impacted by a cyber event. However, as conceived, 
CAT LLC is run on a cost-only basis, so there is currently no 
mechanism to establish safety reserves that might allow the it to 
build up a cash to pre-fund losses from a cyber breach. One could 
imagine adopting an alternative funding principle that would permit 
those harmed by a cyber loss to seek compensation from a fund that 
could be established on the CAT's balance sheet. Policies and 
procedures could be developed that would prescribe the source that 
would finance the fund, that would describe how those funds would be 
invested, that would define a covered loss, that promulgate how 
approved claims would be settled, etc.
    Although building a pool of capital in this manner might provide 
some level of compensation to a few entities who could suffer a loss 
supplying the CAT with the required information, we caution that 
this course of action has notable possible disadvantages. Beyond the 
administrative expenses associated with establishing such a business 
function within CAT, there are well known challenges associated with 
creating a largely unencumbered pool of capital within organizations 
as there is considerable evidence doing so can lead to substantially 
misaligned incentives between managers and the providers of that 
capital that ultimately lead to significant costs.\120\ We provide 
several alternative ways that would allow the CAT to pre-fund cyber 
losses in Section E below that we judge would lead to substantially 
better outcomes than establishing a cyber loss pool on CAT LLC's own 
balance sheet.
---------------------------------------------------------------------------

    \120\ See Jensen, Michael, ``Agency Costs of Free Cash Flow, 
Corporate Finance, and Takeovers,'' American Economic Review, Vol. 
76, No. 2 (May 1986) pp. 323-329. If the capital pool exists within 
regulated entities, that, at least potentially, raises additional 
complications. See, for example, the regulation of insurance company 
general accounts.
---------------------------------------------------------------------------

    It is well-understood that litigation in general is an expensive 
and highly uncertain process. This holds with particular 
persuasiveness for the new, highly technical, and rapidly changing 
area of cyber security. The level of expertise required to establish 
what went wrong, who was responsible, and then the calculation of 
relevant losses is extremely high, placing large information burdens 
on the triers-of-fact. In the case of CAT LLC, there would be an 
additional burden of demonstrating either that the SEC's cyber 
security mandates were inadequately implemented or were insufficient 
to the task. Discovery in such litigation also runs the risk of 
revealing crucial cyber security information to malicious actors. 
There are, therefore, substantial unquantifiable direct costs 
associated with litigating cyber security breaches at the CAT.
    We identified several marginal operating costs that would likely 
emanate (with no corresponding marginal benefits) if the limitation 
of liability provision were eliminated. These extra costs are either 
associated with inefficient litigation, with extra-marginal 
defensive investments in cyber risk protection, with reduced 
efficacy of the CAT system due to excess, litigation-driven security 
measures, or a cash build-up scheme that would be borne by the 
Participants/SROs and Industry Members who would ultimately pass 
those higher costs on to their customers, employees or owners. 
Research on the incidence of extra-marginal costs and taxes on 
organizations generally shows that these higher costs tend to fall 
on employees and customers rather than the owners of the 
organization.\121\ The Industry

[[Page 618]]

Members' desire to dispense with the limitation of liability 
provision may, at best, result in avoiding some losses or, possibly, 
providing compensation for cyber breaches to a handful of Industry 
Members and their clients. But our analysis suggests the costs will 
likely be far higher and spread throughout the system as a whole, 
likely leading to reduced trading levels, reduced participation in 
markets by investors, or increased costs of raising capital. 
Moreover, since any benefits, if they exist at all, will be 
negligible, the lifting the limitation on liability will likely lead 
to less socially desirable outcomes.
---------------------------------------------------------------------------

    \121\ There is an extensive literature on the incidence of the 
corporate income tax supporting this proposition. In this 
literature, owners have a greater ability to adjust their decisions 
(especially how they invest their capital) than employees or 
customers. See, for example, William M. Gentry, ``A Review of the 
Evidence on the Incidence of the Corporate Income Tax,'' U.S. 
Department of the Treasury OTA Paper 101, December 2007 (https://www.treasury.gov/resource-center/tax-policy/tax-analysis/Documents/WP-101.pdf accessed August 2020); Jennifer C. Gravelle, ``Corporate 
Tax Incidence: A Review of Empirical Estimates and Analysis,'' 
Congressional Budget Office Working Paper 2011-01, June 2001 
(https://www.cbo.gov/sites/default/files/cbofiles/ftpdocs/122xx/doc12239/06-14-2011-corporatetaxincidence.pdf accessed August 2020); 
and Stephen Entin, ``Labor Bears Much of the Cost of the Corporate 
Tax,'' Tax Foundation Special Report No. 238, October 2017 (https://files.taxfoundation.org/20181107145034/Tax-Foundation-SR2382.pdf 
accessed August 2020). For a more comprehensive treatment of tax 
incidence, see Don Fullerton and Gilbert E. Metcalf, ``Tax 
Incidence,'' Chapter 26 (pp. 1787-1872) in Alan Auerbach and Martin 
Feldstein, Handbook of Public Economics, 2002. A working paper 
version of this chapter can be found at https://www.nber.org/papers/w8829.pdf accessed August 2020.
    We contend that this literature is applicable to adding 
litigation exposure from cyber breaches to CAT and the Plan 
Processor with minor modifications in the analysis. As noted above, 
litigation is an additional expense for CAT and the Plan Processor. 
For CAT and the Plan Processor to operate, expenses must be paid. By 
CAT's funding principles, the extra funds will be passed along as 
higher fees to the Participants and the Industry Members.
---------------------------------------------------------------------------

4. Examples of Existing Limitation on Liability Provisions

    Limitations on liability provisions are ubiquitous in commercial 
relations and in the securities and finance businesses. While the 
SEC-regulated relationship between the SROs and the Industry Members 
limit the applicability of general commercial contractual 
considerations to limitations on liability regarding cyber security 
at CAT, there are multiple examples where public (and private) 
interests have been served by limitations on liability provisions 
imposed by regulation. Some of these instances are common in the 
investment business while others are in areas remote from investment 
but exhibit informative parallels.
    Perhaps most relevant are the limitations of liability provision 
imposed by existing trade reporting facilities, regulatory reporting 
systems, and Industry Member agreements with their customers. Here, 
the Industry Members routinely (and unremarkably) specifically limit 
their liability to their respective customers, even though Industry 
Members hold important and sensitive customer information in their 
systems. The May 6, 2020 Consolidated Audit Trail, LLC's and 
Participants' Memorandum of Law in Opposition to SIFMA's Motion to 
Stay documents,

[T]he Limitation of Liability Provision is similar in substance and 
scope to provisions that Industry Members routinely use when they 
are in possession of customer data (including order and trade data). 
Finally, each exchange has rules, approved by the Commission, that 
broadly provide that the Participants shall not be liable to 
Industry Members.\122\
---------------------------------------------------------------------------

    \122\ Consolidated Audit Trail, LLC's and Participants' 
Memorandum of Law in Opposition to SIFMA's Motion to Stay, May 6, 
2020, pp. 6-7. Also see, pp. 16-17 and Appendix A: Limitation of 
Liability Provisions. Internal references to Exhibit A containing 
the specific examples are omitted.
---------------------------------------------------------------------------

    One finds limitations of liability elsewhere in the U.S. economy 
where the threat of litigation would raise costs and regulation 
exists. The examples presented below limit liability while 
simultaneously providing another mechanism to compensate injured 
parties.
    The federal government, for example, has established a 
limitation of liability for vaccine producers. The National 
Childhood Vaccine Injury Act of 1986 \123\ established the National 
Vaccine Injury Compensation Program ``after lawsuits against vaccine 
manufacturers and healthcare providers threatened to cause vaccine 
shortages and reduce vaccination rates.'' \124\ This legislation 
limited the liability of vaccine manufacturers for unavoidable 
adverse side effects and for failure to provide direct 
warnings.\125\ The liability limitation was intended ``[t]o ensure a 
stable vaccine supply by limiting liability for vaccine 
manufacturers and vaccine administrators.'' \126\
---------------------------------------------------------------------------

    \123\ Public Health Service Act, January 5, 2017, As Amended 
Through Public Law 114-255, Enacted December 13, 2016, https://www.hrsa.gov/sites/default/files/hrsa/vaccine-compensation/about/title-xxi-phs-vaccines-1517.pdf accessed July 2020.
    \124\ Health Resources & Services Administration, About the 
National Vaccine Injury Compensation Program, https://www.hrsa.gov/vaccine-compensation/about/index.html accessed July 2020.
    \125\ No vaccine manufacturer shall be liable in a civil action 
for damages arising from a vaccine-related injury or death 
associated with the administration of a vaccine after October 1, 
1988, if the injury or death resulted from side effects that were 
unavoidable even though the vaccine was properly prepared and was 
accompanied by proper directions and warnings.
    No vaccine manufacturer shall be liable in a civil action for 
damages arising from a vaccine-related injury or death associated 
with the administration of a vaccine after October 1, 1988, solely 
due to the manufacturer's failure to provide direct warnings to the 
injured party (or the injured party's legal representative) of the 
potential dangers resulting from the administration of the vaccine 
manufactured by the manufacturer.
    42 U.S. Code Sec.  300aa-22, https://www.law.cornell.edu/uscode/text/42/300aa-22 accessed November 2020.
    \126\ Health Resources & Services Administration, The National 
Vaccine Injury Compensation Program (VICP), https://www.hrsa.gov/sites/default/files/hrsa/vaccine-compensation/vaccine-injury-infographic-2017.pdf accessed August 2020.
---------------------------------------------------------------------------

    In 2005, Congress passed the ``Public Readiness and Emergency 
Preparedness Act'' (``PREP Act'').\127\ This act extended targeted 
liability protections for pandemic and epidemic products and 
security countermeasures:
---------------------------------------------------------------------------

    \127\ 42 U.S. Code Sec.  247d-6d at Health Resources & Services 
Administration, https://www.hrsa.gov/sites/default/files/gethealthcare/conditions/countermeasurescomp/covered_countermeasures_and_prep_act.pdf accessed July 2020.

Subject to the other provisions of this section, a covered person 
shall be immune from suit and liability under Federal and State law 
with respect to all claims for loss caused by, arising out of, 
relating to, or resulting from the administration to or the use by 
an individual of a covered countermeasure if a declaration under 
subsection (b) has been issued with respect to such 
countermeasure.\128\
---------------------------------------------------------------------------

    \128\ 42 U.S. Code Sec.  247d-6d at Health Resources & Services 
Administration, https://www.hrsa.gov/sites/default/files/gethealthcare/conditions/countermeasurescomp/covered_countermeasures_and_prep_act.pdf accessed July 2020.

    In a declaration effective February 4, 2020, the Secretary of 
Health and Human Services ``invoked the PREP Act and declared 
Coronavirus Disease 2019 (COVID-19) to be a public health emergency 
warranting liability protections for covered countermeasures.'' 
\129\ There is currently substantial discussion regarding a 
legislative proposal to limit the liability of entities recommencing 
operations in the face of the COVID-19 pandemic.\130\
---------------------------------------------------------------------------

    \129\ Congressional Research Service, The PREP Act and COVID-19: 
Limiting Liability for Medical Countermeasures, at https://crsreports.congress.gov/product/pdf/LSB/LSB10443 accessed July 2020.
    \130\ See, for example, Andrew Duehren, ``Senate GOP Aims to 
Funnel Covid Liability Cases to Federal Courts,'' The Wall Street 
Journal, July 16, 2020, https://www.wsj.com/articles/gop-senators-move-ahead-with-coronavirus-liability-plan-11594929198?mod=searchresults&page=1&pos=3 (accessed December 2020) 
and a version of this article on page A4 of the July 17, 2020 print.
    The proposal, which the White House is reviewing, temporarily 
offers schools, businesses, health-care providers and nonprofit 
organizations legal protections when people allegedly exposed to the 
coronavirus sue them, according to a summary seen by The Wall Street 
Journal.
    Under the proposal, defendants in those cases would only be held 
liable if they didn't make reasonable efforts to comply with public-
health guidelines and instead demonstrated gross negligence or 
intentional misconduct, according to the summary. The defendants 
would have the right to move the case to federal court if they so 
choose, offering a potentially more favorable alternative to state 
courts.
    For coronavirus-related personal injury and medical liability 
cases, the plan also sets a clear-and-convincing-evidence burden of 
proof, places a cap on damages and heightens pleading standards. . . 
.
    The legislation from Messrs. McConnell and Cornyn also shields 
employers from lawsuits arising from coronavirus testing in the 
workplace and from agency probes for steps they took to comply with 
stay-at-home orders. The Republicans also want to limit liability 
for new types of personal protective equipment if the equipment 
meets certain federal standards.
---------------------------------------------------------------------------

    The parallel between the public policy for vaccines and the role 
of CAT LLC to improve investor protection and promote market 
integrity, particularly during times of market stress, while not 
exact, is useful. In this metaphor, cyber criminals play the role of 
viruses. Society has an interest to promote the development of a 
vaccine to combat the pandemic or to use the CAT to help regulate 
financial markets to promote the public good. Limiting liability is 
one way to do so.
    There is a third, simultaneously more expansive and more focused 
example--financial solvency regulation. This is again ubiquitous and 
multifaceted--deposit insurance, pension guaranty coverage, 
insurance guaranty associations, etc. working across many types of 
financial institutions and products. These programs provide various 
customers and other stakeholders the

[[Page 619]]

ability to seek compensation for claims they have against the assets 
of a financial institution that is declared insolvent by the 
regulator overseeing the firm. Bank deposit insurance is a pre-
funded plan financed through fees paid by regulated entity. State 
insurance guaranty funds are generally financed by ex post 
assessments required of insurers still solvent in a state after 
another insurer is declared insolvent by the regulator. Several 
other programs exist with varying details. It is possible a 
mechanism could be established that would create a pool of funds 
that could be used to compensate those who suffer losses due to a 
cyber breach of CAT. While developing a specific recommendation is 
beyond the scope of this assignment, we present several initial 
ideas in the next section of this White Paper.
    Finally, there are risks that are just part of doing business 
that cannot be avoided or transferred to other parties through 
contract or insurance. The mere act of investing entails risk, for 
example, and the SEC is charged with managing and mitigating this 
risk for investors and the economy while simultaneously obtaining 
the benefits of the capital markets. Industry Members, for example, 
assume risks associated with transacting with their customers. While 
most are legal and legitimate, malicious parties do transact in the 
securities markets. The SEC has mandated that broker-dealers ``know 
their customer'' and although broker-dealers make extensive efforts 
to comply with this mandate, bad actors slip through. Industry 
Members also assume counterparty risk. There are mechanisms in place 
to mitigate and remediate this risk, but it can never be completely 
eliminated. There are also other legislative, regulatory, and 
political risks associated with the securities markets.
    A certain level of cyber risk is already present in the normal 
business operations of the Industry Members. They accept (and 
manage) these risks in the expectation that they will obtain a 
profit from the activities that embed the risks. They have expressed 
concern over a possible expansion of those cyber risks to themselves 
and their clients as a result of the mandated transmission of 
information to the CAT. This transmission was mandated, and is 
governed, by the primary federal regulator of the Industry Members' 
activities. The CAT does not exist to serve customers and obtain a 
profit, but to help the SEC and the SROs in their regulation of the 
U.S. equity and option markets. While the Industry Members' concern 
over a possible increase in cyber risk exposure may be 
understandable in certain contexts, their position that the CAT and 
the Plan Processor be denied a limitation on liability essentially 
shifts the burden of cyber risk onto the regulators and regulatory 
process. As explained above, the SEC has already implemented 
standards, policies, and practices to mitigate cyber risk in the 
system as a whole.

E. Initial Thoughts on Funding Compensation Mechanisms

    While we have concluded above that the regulatory approach to 
the CAT's cyber security is preferred over a litigation approach 
because overall social costs of control would be lower and there is 
no meaningful benefit from adding a litigation option as proposed by 
Industry Members, there is still a risk that Industry Members or 
their customers could be harmed in the case of a significant cyber 
breach. The current regulatory approach is generally silent on the 
possibility of compensating third parties in the case of a CAT cyber 
breach. Of concern here is the possibility of a previously unseen 
cyber event that results in a high damage/severity ``black swan'' 
type event.
    There are, however, several approaches to designing and funding 
potential compensation mechanisms.
    The use of cyber insurance, for example, could be advantageous. 
Cyber coverage can be purchased as part of a package of business 
insurance (property-casualty and liability) or as a stand-alone 
policy. According to information supplied to state regulatory 
authorities in the U.S., in 2019 stand-alone cyber policies 
exhibited somewhat higher premium receipts than cyber coverage 
included in broader packages--$1.26 billion and $1 billion, 
respectively.\131\ This was an 11 percent increase from 2018, with 
192 insurers reporting direct cyber written premium in 2019.\132\ 
Between 2017 and 2019, the number of cyber claims doubled to 
18,000.\133\ Over the 2015 through 2019 period, paid losses plus 
defense costs ranged from just under 30% to just above 50% of 
premiums.\134\ The reported 2019 expense ratio for cyber coverage 
averaged just under 30% of premiums.\135\ In 2019, almost two-thirds 
of the cyber claims were for first-party losses with the remaining 
being for third-party losses.\136\
---------------------------------------------------------------------------

    \131\ Aon plc, US Cyber Market Update: 2019 US Cyber Insurance 
Profits and Performance, June 2020, p. 3, Exhibit 2, http://thoughtleadership.aon.com/Documents/202006-us-cyber-market-update.pdf accessed July 2020. Very similar figures were reported by 
A.M Best--$1.26 billion for stand-alone and $988 million for package 
policies. Erin Ayers, ``US cyber market keeps growing, but pace 
slowed: AM Best,'' Advisen Front Page News, July 22, 2020 accesed 
August 2020.
    \132\ Aon plc, US Cyber Market Update: 2019 US Cyber Insurance 
Profits and Performance, June 2020, p. 3, Exhibit 1, http://thoughtleadership.aon.com/Documents/202006-us-cyber-market-update.pdf accessed July 2020.
    \133\ Erin Ayers, ``US cyber market keeps growing, but pace 
slowed: AM Best,'' Advisen Front Page News, July 22, 2020 accessed 
August 2020.
    \134\ Aon plc, US Cyber Market Update: 2019 US Cyber Insurance 
Profits and Performance, June 2020, pp. 4-5, Exhibits 3 and 4, 
http://thoughtleadership.aon.com/Documents/202006-us-cyber-market-update.pdf accessed July 2020.
    \135\ Aon plc, US Cyber Market Update: 2019 US Cyber Insurance 
Profits and Performance, June 2020, p. 7, Exhibit 7, http://thoughtleadership.aon.com/Documents/202006-us-cyber-market-update.pdf accessed July 2020. The expense ratio combines the 
selling and underwriting costs of a coverage and divides that by the 
premium receipts associated with that coverage.
    \136\ Aon plc, US Cyber Market Update: 2019 US Cyber Insurance 
Profits and Performance, June 2020, p. 9, Exhibit 10, http://thoughtleadership.aon.com/Documents/202006-us-cyber-market-update.pdf accessed July 2020. The expense ratio combines the 
selling and underwriting costs of a coverage and divides that by the 
premium receipts associated with that coverage.
---------------------------------------------------------------------------

    The use of cyber insurance extends the assets available to 
compensate injured parties and therefore mitigates some of the 
judgement-proof problem discussed above. While the cyber insurance 
market is relatively new and undeveloped compared to a number of 
other coverages,\137\ it focuses on understanding and quantifying 
the frequency and severity of cyber breaches along with efforts to 
identify and promote methods to mitigate those risks. Reinsurance 
companies, in particular, ``can help to develop products and share 
underwriting know-how, including modeling experience. . . Reinsurers 
can also play a role in establishing cyber ecosystems by offering 
holistic cyber solutions through services and relationships with 
cybersecurity companies, specialized managing general agents, or 
insurtech companies.'' \138\ Assuming that an insurer's cyber 
coverage premium to the CAT and the Plan Processor is related to an 
informed evaluation of the risks posed, cyber premiums can provide 
additional incentives to the CAT and the Plan Processor to 
internalize the cost of its security decisions and actions.\139\ If 
cyber insurance rates reflect anticipated costs of the cyber risks, 
and CAT LLC and FINRA CAT pay the premiums, then the CAT's costs 
incorporate (internalize) the expected costs of a cyber breach under 
the terms of the coverage.
---------------------------------------------------------------------------

    \137\ ``Insured cyber losses remain a fraction of total economic 
cyber losses caused by cybercrime, with about $6 billion of insured 
losses in total (affirmative and nonaffirmative [e.g., ``silent''] 
cyber losses), versus $600 billion of economic losses in 2018.'' S&P 
Global Ratings, Global Reinsurance Highlights 2019, p. 29. See also, 
Sasha Romanosky, Lillian Ablon, Andreas Kuehn and Therese Jones, 
``Content Analysis of Cyber Insurance Policies: How Do Carriers 
Price Cyber Risk?'' Journal of Cybersecurity, 2019, pp. 1-19.
    \138\ S&P Global Ratings, Global Reinsurance Highlights 2019, p. 
31.
    \139\ Romanosky et al (2019) report that while some insurers 
currently employ sophisticated pricing algorithms and incorporate 
specific security information to determine the premiums they charge 
for cyber insurance, at present the majority of the market uses 
relatively simple rate forms and generic self-assessed risk 
vulnerability categorizations (e.g., low, medium, high). As recent 
demand growth has been high and profitability strong, we expect more 
insurers will continue to enter this market that will then attract 
additional industry vendors, capital markets risk intermediaries, 
risk modeling firms, reinsurers, and brokers, etc., to also enter 
the market. The increased competition will bring increasing levels 
of sophistication and with it we expect insurance premiums will 
become more and more risk sensitive over time. See Sasha Romanosky, 
Lillian Ablon, Andreas Kuehn and Therese Jones, ``Content Analysis 
of Cyber Insurance Policies: How Do Carriers Price Cyber Risk?'' 
Journal of Cybersecurity, 2019, pp. 1-19.
---------------------------------------------------------------------------

    For many insurers, cyber coverage entails a relatively high 
degree of monitoring of the insureds. The insurers also have on 
retainer cyber mitigation and remediation experts that are 
independent of the insureds and focused on reducing the risk of 
cyber incursion. A 2017 publication by the Organisation for Economic 
Co-operation and Development (``OECD'') noted the following:

In addition to providing insurance coverage for the expenses 
incurred as a result of a cyber incident, many insurance companies

[[Page 620]]

provide additional services with their policies, either as risk 
management advice during the underwriting process, as a means to 
reduce vulnerability to cyber incidents during the period of 
coverage or in order to reduce the impact of cyber incidents that 
occur. The first two types of services are often referred to as pre-
breach services or risk mitigation services while the latter type is 
identified as post-breach or response services. Some insurance 
companies have developed significant internal expertise and offer 
these types of services directly, while others have developed 
networks and/or partnerships with a variety of service providers, 
often involving some form of discounted pricing for its 
policyholders (e.g. information technology security consultants, 
legal firms, public relations firms, etc.)

. . . [S]ome insurance companies provide specific risk assessment 
services as part of the underwriting process (sometimes even if no 
insurance coverage is entered into) ranging from online or onsite 
security assessments to advice on security policies and practices, 
to vulnerability scans and penetration testing which should benefit 
both the insurance company and the company's risk management 
(omitted internal cites). Insurance companies are also offering an 
assortment of risk mitigation services during the coverage period, 
including threat and intelligence warnings and detection, access to 
specialised protection technologies, preparation and testing of 
contingency plans, helplines or information portals and employee 
training (omitted internal cites).

A range of services for managing the impact of a cyber incident are 
also being offered, including forensic investigative services 
necessary to identify the source of any breach, legal assistance to 
help manage legal and regulatory requirements and potential 
liability, providers of call centre capacity, notification services, 
credit monitoring and/or identity theft protection to support 
interaction with affected clients, and public relations companies to 
minimise the reputational impact of cyber incidents (omitted 
internal cites).
According to one survey, 70% of insurers provide (or plan to 
provide) cyber risk mitigation or response services . . . . 
Seventeen of the 23 policies reviewed by the OECD advertised access 
to risk mitigation and/or response services. . . .\140\
---------------------------------------------------------------------------

    \140\ Organisation for Economic Co-operation and Development, 
Enhancing the Role of Insurance in Cyber Risk Management, (2017), 
Chapter 3, ``The cyber insurance market,'' pp. 75-76, https://www.oecd-ilibrary.org/docserver/9789264282148-5-en.pdf?expires=1595620895&id=id&accname=guest&checksum=84A71DC31B31AD5ADA3B29E4BCA3BD62 accessed July 2020.

    A manuscripted (i.e., customized), stand-alone cyber insurance 
policy for CAT could be combined with other approaches. If the SEC 
were to approve such an arrangement, the CAT and/or the Plan 
Processor could issue insurance linked securities, such as industry 
loss warranties or catastrophe bonds that could attract capital 
market investors to underwrite the losses in addition to insurers 
and reinsurers. Industry loss warranties are insurance or 
reinsurance contracts in which coverage is triggered by an industry-
wide loss or by an index exceeding some pre-specified amount. 
Catastrophe bonds are fixed income instruments where the ``debtor'' 
(the CAT or the Plan Processor) pays ``interest'' (similar to 
premiums) to the ``creditor'' (the ``insurer'' or the ``capital 
market investor''), who does not lend the money but promises to pay 
the funds should a specified cyber event happen.\141\
---------------------------------------------------------------------------

    \141\ ``The Singaporean government's plans to introduce a 
commercial cyber pool with re/insurers and insurance-linked security 
(ILS) backing capacity is a recent example. However, before ILS 
investors will accept cyber risk as a potential investment 
opportunity, the market will need to enhance its ability to model 
this risk as well as have a longer track record.'' S&P Global 
Ratings, Global Reinsurance Highlights 2019, p. 31.
---------------------------------------------------------------------------

    At present, we are aware of a few cyber-related industry loss 
warranties that have been issued.\142\ No cyber catastrophe bond has 
yet been issued, but industry observers suggest now may be the time 
to see such an advance. Commenting on the state of the cyber 
insurance market, the enormous potential size of the economic losses 
due to cyber events, and the recent growth of cyber-related 
insurance premiums, Standard & Poor's believes it is only a matter 
of time before industry capacity will be insufficient alone to 
satisfy demand and that governments and capital markets will come 
together with the industry to create markets that can meet the 
capacity requirements for cyber coverage.\143\
---------------------------------------------------------------------------

    \142\ Shah, Syed Salman, and Ben Dyson, ``Cyber insurance-linked 
securities have arrived, but market still in infancy,'' S&P Global 
Market Intelligence, https://www.spglobal.com/marketintelligence/en/news-insights/latest-news-headlines/cyber-insurance-linked-securities-have-arrived-but-market-still-in-infancy-46915334 
accessed September 2020.
    \143\ Bender, Johannes, Manuel Adam, Robert J Greensted, Jean 
Paul Huby Klein, Milan Kakkad, and Tracy Dolin, ``Global Reinsurers 
Face the Iceberg Threat Of Cyber Risk,'' Global Reinsurance 
Highlights 2019 (2019) pp. 28-31.
---------------------------------------------------------------------------

    We mentioned earlier in the White Paper that several funding 
mechanisms exist to compensate the customers of financial 
intermediaries, subject to limits, including banks, credit unions, 
and insurance companies. Under the auspices of the SEC, one could 
also imagine self-funding a third-party compensation program. Some 
combination of any of these approaches, and others, might be 
considered. The goal here is to mitigate the damages of a cyber 
breach and compensate affected third parties in the lowest cost 
fashion. Industry Members should recognize that, ultimately, it is 
they, the SROs, and especially their customers that will pay all the 
costs of the CAT.

IV. Conclusion

    This White Paper investigates the SEC's regulatory approach to 
the CAT's cyber security and conducts an economic analysis to 
examine whether adding an ability for Industry Members to litigate 
in the event of a CAT cyber breach creates socially optimal 
incentives for controlling the cyber risk exposures faced by CAT 
over a regulation alone approach.
    As explained in this White Paper, the economic role of 
litigation is to provide meaningful ex-ante incentives for first 
parties to internalize the harms potentially caused to third parties 
by their economic activities through the threat they may face ex 
post litigation filed by the injured third parties. Regulation, 
however, also provides meaningful incentives for first parties to 
internalize the harms they may potentially cause to third parties by 
compelling first parties to follow a set of rules and procedures 
proscribed by a regulator before the economic activity commences.
    An economic analysis of the circumstances attending the CAT 
shows that regulation by the SEC already properly incentivizes the 
Participants to recognize and address the risks that a CAT cyber 
breach poses to third parties such as Industry Members. We further 
show that the possibility of permitting litigation by Industry 
Members in addition to the regulatory regime will not meaningfully 
increase CAT's incentives to manage its exposure to cyber risk, yet 
it will significantly increase the costs (which will ultimately be 
passed on to retail investors) that it bears to do so. Our analysis 
suggests that the ex-ante regulation approach alone leads to the 
socially optimal outcome.
    Accordingly, our analysis of the respective benefits of ex-ante 
regulation compared with ex post litigation indicate that the 
limitation of liability in the proposed CAT Reporter Agreement will 
serve the public interest.
    The authors of this paper are employed by, or affiliated with, 
Charles River Associates (CRA). The conclusions set forth herein are 
based on independent research and publicly available material. The 
views expressed herein are the views and opinions of the authors 
only and do not reflect or represent the views of Charles River 
Associates or any of the organizations with which the authors are 
affiliated. Any opinion expressed herein shall not amount to any 
form of guarantee that the authors or Charles River Associates has 
determined or predicted future events or circumstances and no such 
reliance may be inferred or implied. The authors and Charles River 
Associates accept no duty of care or liability of any kind 
whatsoever to any party, and no responsibility for damages, if any, 
suffered by any party as a result of decisions made, or not made, or 
actions taken, or not taken, based on this paper. Detailed 
information about Charles River Associates, a registered tradename 
of CRA International, Inc., is available at www.crai.com.

V. Qualifications of Authors/Investigators

Michael G. Mayer, CFA, CFE
Vice President, Charles River Associates
M.B.A. Finance and Management Policy, Kellogg Graduate School of 
Management, Northwestern University
B.S. Marketing and Management Policy, Indiana University School of 
Business

    Michael G. Mayer is a Vice President of Charles River 
Associates. He has performed numerous business valuation assignments 
and has evaluated numerous claims for economic loss in a range of 
business, banking, securities, derivatives and insurance disputes. 
He has also performed financial investigations of brokerage firms, 
hedge

[[Page 621]]

funds, savings & loans, banks, and insurance companies as well as in 
whistleblower, insider trading, and FCPA matters. He has testified 
as an expert in International Arbitration forums, US Federal and 
State Courts, AAA and FINRA arbitrations, and the Bahamian Supreme 
Court. Mr. Mayer's testimony has addressed financial and economic 
issues including investment suitability and trading, portfolio 
management, valuation, lost profits, loss of principal and 
prejudgment interest.
    In litigation matters, Mr. Mayer has been most actively involved 
in the determination of damages in securities fraud and breach of 
fiduciary duty cases, broker/dealer litigation, failed mergers/
acquisitions, bankruptcy, lender liability, and shareholder 
disputes. He is regularly called upon to analyze complex securities 
and explain their structures. Additionally, he has significant 
experience in other areas of commercial litigation including 
antitrust, accountant's liability, breach of contract, business 
interruption, and insurance. He has assisted counsel with respect to 
discovery and document management, deposition and cross-examination 
assistance and trial exhibit preparation.
    Outside of litigation, Mr. Mayer regularly consults on financial 
issues relating to mergers, acquisitions, joint ventures, and 
licensing. He has analyzed and negotiated deal structures on behalf 
of clients in a broad range of industries ranging from 
pharmaceuticals to industrial rubber products. Additionally, he has 
performed business and intangible asset valuations for some of the 
largest companies in the country. Mr. Mayer has been widely quoted 
in the press including the Wall Street Journal, CFO Magazine, Inside 
Counsel Magazine, Securities Law360, and the Chicago Tribune, among 
others.

Mark F. Meyer
Vice President, Charles River Associates
PhD, Economics, University of Michigan
BSFS, International Economics, Georgetown University

    Dr. Mark F. Meyer is a vice president and the co-leader of the 
Insurance Economics Practice of CRA. He has over 30 years of 
experience applying economic theory and quantitative methods to a 
range of complex business litigation and regulatory matters. Dr. 
Meyer's experience includes assessing liability and damages for 
litigations involving firms engaged in financial markets, especially 
insurance; investigations of insurer insolvencies; antitrust 
analysis of monopolization, mergers, and price discrimination in a 
wide range of industries; work in the economics of product 
distribution and marketing; analysis of regulatory initiatives 
involving insurance and other industries; and statistical and 
econometric applications to liability determination, market 
definition, class certification, and economic damages.
    Prior to joining CRA, Dr. Meyer was a senior economist at the 
Princeton Economics Group, Inc.; senior managing economist and a 
director in the New York office of the Law & Economics Consulting 
Group, Inc.; and an economist at the law firm of Skadden, Arps, 
Slate, Meagher & Flom in New York.

Prof. Richard D. Phillips
Senior Consultant to Charles River Associates
Dean, J. Mack Robinson College of Business, C.V. Starr Professor of 
Risk Management and Insurance, Georgia State University
PhD, Insurance and Finance, University of Pennsylvania
MA, Insurance and Finance, University of Pennsylvania
BS, Mathematics, University of Minnesota

    Richard D. Phillips is the dean of the J. Mack Robinson College 
of Business, Georgia State University, and the C.V. Starr Professor 
of Risk Management and Insurance. He has served as a Senior 
Consultant to CRA since 2010.
    Dr. Phillips was the associate dean for academic initiatives and 
innovations from 2012 until 2014 and from 2006 to 2012 he was the 
Kenneth Black Jr. Chair of the Department of Risk Management and 
Insurance. From 1997 until 2014 he held the appointment of Fellow of 
the Wharton Financial Institutions Center at the University of 
Pennsylvania. He has held visiting appointments at the Federal 
Reserve Bank of Atlanta (1996-1997), at the Wharton School (2003), 
at the Federal Reserve Bank of New York (2007-2008), and he was the 
Swiss Re Visiting Scholar at the University of Munich in 2008. Dr. 
Phillips joined Georgia State University after completing his 
doctoral studies at the University of Pennsylvania in 1994.
    Professor Phillips' research interests lie at the intersection 
of corporate finance and insurance economics with specific focus on 
the effect of risk on corporate decision-making, and the functioning 
of insurance markets. He has published in academic and policy 
journals including the Journal of Financial Economics, the Journal 
of Risk and Insurance, the Journal of Banking and Finance, Journal 
of Financial Services Research, the Journal of Law and Economics, 
the Journal of Insurance Regulation, and the North American 
Actuarial Journal, among others. He has contributed scholarly 
articles to books published by Risk Publications, the University of 
Chicago Press, Kluwer Academic Publishers, and the Brookings 
Institute. Professor Phillips has received several awards for his 
research including the Robert I. Mehr Research Award (2008, 2009), 
the Robert C. Witt Research Award (1999), the ARIA/CAS Best Paper 
Award three times (1998, 1999, and 2006), and the James S. Kemper 
Best Paper Award (2003) among others. He served on the board of 
directors and is a Past President of the American Risk and Insurance 
Association, he is a Past President of the Risk Theory Society and 
is a Past Co-editor of the Journal of Risk and Insurance. He serves 
as an ad hoc referee for several academic journals.
    Beyond the university, Professor Phillips has served as a 
consultant to numerous commercial and governmental organizations 
throughout his career including AIG, Allstate, ING, AXA, Deutsche 
Bank, Goldman Sachs, Tillinghast, Aon Capital Markets, the Casualty 
Actuarial Society, the Society of Actuaries, and the U.S. Office of 
Management and Budget. He is a member of the board of directors for 
the Munich American Reassurance Company. Within the non-profit 
sector, Professor Phillips was the Executive Director of Georgia 
State University's Risk Management Foundation from 2006-2012, he is 
a board member on the S.S. Huebner Foundation for Insurance 
Education Foundation, he is a board member of the World Affairs 
Council of Atlanta, and he is Chairman Emeritus of the Board of 
Trustees for the Swift School, one of the largest private-
independent schools serving dyslexic students grades 1-8 in Georgia.

Rona T. Seams
Principal, Charles River Associates
M.B.A. Finance, Management and Strategy, Marketing, Kellogg Graduate 
School of Management, Northwestern University
B.B.A. Finance, University of Texas-Austin

    Ms. Seams is a Principal at CRA and has testified as an economic 
damages expert in federal court and has been involved in and managed 
numerous other engagements involving financial investigations, 
economic damages, and business valuations.
    Ms. Seams has performed financial investigation activities in 
many matters including the alleged mismanagement of bank investments 
by its management, the alleged breach of fiduciary duty of FNMA for 
not detecting fraud perpetrated on an entity selling mortgages to 
FNMA, the alleged acquisition of life settlement policies through 
bid rigging, and the alleged profit made by trading on inside 
information.
    Ms. Seams' economic damages work includes the determination of 
damages related to the breach of a non-compete agreement in the 
equipment leasing industry, the assessment of damages related to the 
raiding of employees in the securities industry, the calculation of 
damages related to fraud perpetrated on a temporary staffing 
company, the damages analysis for the creditors of a large bankrupt 
energy trading company, the valuation of damages associated with 
securities fraud, the determination of early contract termination 
damages in the securities clearing industry, and the calculation of 
intellectual property damages across many industries.
    Ms. Seams' business valuation work includes the net worth 
analysis of a company to pay an award of punitive damages, the 
solvency analysis of a regional acute care hospital, the solvency 
analysis of a temporary staffing company, and the valuation of an 
energy storage and distribution company.
    Prior to joining Charles River Associates, Ms. Seams operated 
her own consulting firm specializing in project finance, contract 
analysis, and sales and risk management. Additionally, she worked in 
the energy industry in various roles ranging from rate analyst, 
market analyst, sales representative, and management consultant.

VI. Research Program and Bibliography

    The authors of this White Paper have thoroughly reviewed 
extensive publicly available documents and obtained information from 
CAT LLC and FINRA CAT personnel to understand the circumstances 
surrounding the CAT and develop their findings. We also rely on 
longstanding bodies of economic literature regarding cyber breaches 
and creating socially optimal incentives to control risk (including 
risk of

[[Page 622]]

cyber breaches). The following documents in the Securities and 
Exchange Commission record for the Consolidated Audit Trail, which 
we reviewed closely, were particularly informative on CAT LLC and 
the considerations and concerns of various interested parties.
     Securities and Exchange Commission, Consolidated Audit 
Trail, Release No. 34-67457.
     Securities and Exchange Commission, Joint Industry 
Plan; Order Approving the National Market System Plan Governing the 
Consolidated Audit Trail, Release No. 34-79318, November 15, 2016. 
Attachments to this document included:
    [cir] The March 3, 2014 CAT NMS Plan Request for Proposal,
    [cir] The Limited Liability Company Agreement of CAT LLC,
    [cir] The Participants' Discussion of Considerations, and
    [cir] The CAT NMS Plan Processor Requirements.
     Securities and Exchange Commission, Order Granting 
Conditional Exemptive Relief, Pursuant to Section 36 and Rule 608(e) 
of the Securities Exchange Act of 1934, from Section 6.4(d)(ii)(C) 
and Appendix D Sections 4.1.6, 6.2, 8.1.1, 8.2, 9.1, 9.2, 9.4, 10.1, 
and 10.3 of the National Market System Plan Governing the 
Consolidated Audit Trail, Release No. 34-88393, March 17, 2020.
     Securities and Exchange Commission, Amendments to the 
National Market System Plan Governing the Consolidated Audit Trail, 
RIN 3235-AM60, Release No. 34-88890, File No. S7-13-19, May 15, 
2020.
     Securities and Exchange Commission, Amendments to the 
National Market System Plan Governing the Consolidated Audit Trail 
to Enhance Data Security, RIN 3235-AM62, Release No. 34-89632, File 
No. S7-10-20, August 21, 2020.
     Memorandum of Law in Support of SIFMA's Motion to Stay 
SRO Action Pending Commission Review of SIFMA's Application Pursuant 
to Exchange Act Sections 19(d) and 19(f), April 22, 2020.
    In addition to the documents listed above, the authors 
investigated the implementation of cyber security at the CAT by 
thoroughly reviewing the extensive document record listed below and 
by obtaining information from personnel at FINRA CAT responsible for 
compliance and cyber security.
     Consolidated Audit Trail, LLC and FINRA CAT, LLC, 
Industry Webinar--Security of CAT Data, April 1, 2020, at https://www.catnmsplan.com/events/industry-webinar-security-cat-data-412020, 
accessed September 2020.
     Amazon Web Services website, ``Cloud computing with 
AWS,'' at https://aws.amazon.com/what-is-aws/?sc_ 
icampaign=aware_what_is_ aws≻_ icontent=awssm-evergreen-prospects 
≻_iplace=hero&trk=ha_awssm-evergreen-prospects ≻_ ichannel=ha, 
visited September 2020.
     Amazon Web Services website, ``Cloud computing with 
AWS, Most secure'' at https://aws.amazon.com/what-is-aws/?sc_icampaign =aware_ what_is_ aws≻_ icontent=awssm-evergreen-
prospects ≻_iplace= hero&trk=ha_ awssm-evergreen-prospects 
≻_ichannel=ha, visited September 2020.
    The other sources the authors relied upon to form their opinions 
are:

Cyber Security Risk Analysis

1. Advisen Cyber OverVue, https://insite20twenty.advisen.com.
2. Advisen's Cyber OverVue User Guide, January 2020.
3. Advisen, Quarterly Cyber Risk Trends: Global Fraud is Still on 
the Rise, sponsored by CyberScout, Q2 2019.
4. Advisen website, https://www.advisenltd.com/data/cyber-loss-data/.
5. Advisen website, www.advisenltd.com.
6. AllAboutAlpha, ``High-Frequency-Trading Firms: Fast, Faster, 
Fastest,'' April 2, 2019, https://www.allaboutalpha.com/blog/2019/04/02/high-frequency-trading-firms-fast-faster-fastest/.
7. Alexander Osipovich, ``High Speed Trader Virtu Discloses $6.9 
Million Hacking Loss,'' Dow Jones News Service, August 11, 2020.
8. Allied Market Research website, Cyber Insurance Market by Company 
Size and Industry Vertical: Global Opportunity Analysis and Industry 
Forecast, 2019-2026, March 2020, https://www.alliedmarketresearch.com/cyber-insurance-market.
9. Camico website, ``Understanding First-Party and Third-Party Cyber 
Exposures,'' https://www.camico.com/blog/understanding-cyber-exposures.
10. Capital IQ website, https://www.capitaliq.com/CIQDotNet/Financial/Capitalization.aspx?CompanyId=133624510.
11. CAT Reporting Technical Specifications for Industry Members, 
Version 3.1.0 r2, April 21, 2020.
12. The Center for Strategic and International Studies, ``Net 
Losses: Estimating the Global Cost of Cybercrime,'' June 2014.
13. Chairman Jay Clayton, Testimony on ``Oversight of the Securities 
and Exchange Commission'' Before the U.S. Senate Committee on 
Banking, Housing, and Urban Affairs, December 10, 2019, https://www.sec.gov/news/testimony/testimony-clayton-2019-12-10.
14. Commissioner Luis A. Aguilar, U.S. Securities and Exchange 
Commission, ``The Need for Robust SEC Oversight of SROs,'' May 8, 
2013, https://www.sec.gov/news/public-statement/2013-spch050813laahtm.
15. Commissioner Pierce Statement on Proposed Amendments to the 
National Market System Plan Governing the Consolidated Audit Trail 
to Enhance Data Security, Aug. 21, 2020, https://www.sec.gov/news/public-statement/peirce-nms-cat-2020-08-21.
16. The Council of Economic Advisers, ``The Cost of Malicious Cyber 
Activity to the U.S. Economy,'' February 2018, https://www.whitehouse.gov/wp-content/uploads/2018/03/The-Cost-of-Malicious-Cyber-Activity-to-the-U.S.-Economy.pdf.
17. Cybersecurity Ventures, ``Global Cybercrime Damages Predicted to 
Reach $6 Trillion Annually By 2021,'' Copyright 2020, https://cybersecurityventures.com/cybercrime-damages-6-trillion-by-2021/.
18. Cyentia Institute, Information Risk Insights Study, A Clearer 
Vision for Assessing the Risk of Cyber Incidents, 2020.
19. Department of Homeland Security, ``Commodification of Cyber 
Capabilities: A Grand Cyber Arms Bazaar,'' 2019, https://www.dhs.gov/sites/default/files/publications/ia/ia_geopolitical-impact-cyber-threats-nation-state-actors.pdf.
20. Erin Ayers, ``US cyber market keeps growing, but pace slowed: AM 
Best,'' Advisen Front Page News, July 22, 2020.
21. Final Judgement as to Defendant CR Intrinsic Investors, LLC, 
United States District Court, Southern District of New York, 12 Civ. 
8466 (VM), filed June 18, 2014.
22. FINRA Investor Education Foundation, ``Investors in the United 
States, A Report of the National Financial Capability Study'' 
December 2019.
23. Fintel website, Berkshire Hathaway Inc--Warren Buffett--Activist 
13D/13G Filings, https://fintel.io/i13d/berkshire-hathaway.
24. Gregory Meyer, Nicole Bullock and Joe Rennison, ``How high-
frequency trading hit a speed bump,'' Financial Times, January 1, 
2018, https://www.ft.com/content/d81f96ea-d43c-11e7-a303-9060cb1e5f44.
25. Interview with William Hardin, VP, Charles River Associates, 
August 11, 2020.
26. Investopedia website, Toehold Purchase definition, https://www.investopedia.com/terms/t/toeholdpurchase.asp.
27. Jane Croft, ``Citadel Securities sues rival over alleged trading 
strategy leak,'' Financial Times, January 10, 2020, https://www.ft.com/content/2cbf1738-33cd-11ea-9703-eea0cae3f0de.
28. Jensen and Ruback, ``The Market for Corporate Control,'' Journal 
of Financial Economics, 11, (1983).
29. Journal of Forensic & Investigative Accounting, ``Market 
Efficiency and Investor Reactions to SEC Fraud Investigations,'' 
Vol. 2, Issue 3, Special Issue, 2010.
30. Julian Hayes, ``Double extortion: An emerging trend in 
ransomware attacks,'' Advisen Front Page News, August 21, 2020, 
https://www.advisen.com/tools/fpnproc/fpns/articles_new _35/P/
375350842.html?rid= 375350842&list_id=35.
31. Juniper Research, ``Business Losses to Cybercrime Data Breaches 
to Exceed $5 Trillion By 2024,'' August 27, 2019, https://www.juniperresearch.com/press/press-releases/business-losses-cybercrime-data-breaches.
32. Memorandum from SEC Division of Trading and Markets to SEC 
Market Structure Advisory Committee dated October 20, 2015 with the 
subject ``Current Regulatory Model for Trading Venues and for Market 
Data Dissemination,'' https://www.sec.gov/spotlight/emsac/memo-regulatory-model-for-trading-venues.pdf.

[[Page 623]]

33. Nathan Vardi, ``Finance Billionaire Ken Griffin's Citadel 
Securities Trading Firm Is On A Silicon Valley Hiring Binge,'' 
Forbes, June 3, 2019, https://www.forbes.com/sites/nathanvardi/2019/06/03/finance-billionaire-ken-griffins-citadel-securities-trading-firm-is-on-a-silicon-valley-hiring-binge/#34f23c9c6b36.
34. NPR website, Barbara Campbell, ``SEC Says Cybercriminals Hacked 
Its Files, May Have Used Secret Data for Trading,'' September 20, 
2017, https://www.npr.org/sections/thetwo-way/2017/09/20/552500948/sec-says-cybercriminals-hacked-its-files-may-have-used-secret-data-for-trading.
35. Opinion and Order, SEC v. Raj Rajaratnam, et al., United States 
District Court, Southern District of New York, 09 Civ. 8811 (JSR), 
filed November 8, 2011.
36. Ponemon Institute and IBM Security, Cost of a Data Breach Report 
2020.
37. Refinitiv website, https://www.refinitiv.com/en/about-us.
38. Research and Markets, Algorithmic Trading Market by Trading 
Type, Component, Deployment Mode, Enterprise Size, and Region--
Global Forecast to 2024, https://www.researchandmarkets.com/reports/4770543/algorithmic-trading-market-by-trading-type#rela0-4833448.
39. Research and Markets, Algorithmic Trading market--Growth, 
Trends, and Forecast (2020-2025), https://www.researchandmarkets.com/reports/4833448/algorithmic-trading-market-growth-trends-and#rela4-5125563.
40. ScienceDirect website, ``Hacktivists,'' https://www.sciencedirect.com/topics/computer-science/hacktivists.
41. SEC's Edgar website, Berkshire Hathaway Inc. filings, https://www.sec.gov/Archives/edgar/data/1067983/000095012316022377/0000950123-16-022377-index.htm.
42. SEC's Edgar website, Berkshire Hathaway Inc. filings, https://www.sec.gov/Archives/edgar/data/1067983/000095012316022377/xslForm13F_X01/primary_doc.xml.
43. SEC's Edgar website, Berkshire Hathaway Inc. filings, https://www.sec.gov/Archives/edgar/data/1067983/000095012316022377/xslForm13F_X01/form13fInfoTable.xml.
44. SEC website, https://www.sec.gov/forms.
45. SEC website, ``SEC Charges 32 Defendants in Scheme to Trade on 
Hacked News Releases,'' Press Release 2015-163, August 11, 2015, 
https://www.sec.gov/news/pressrelease/2015-163.html.
46. SEC website, ``SEC Reaches Settlements with Traders in Newswire 
Hacking and Trading Scheme,'' Litigation Release No. 24833, June 10, 
2020, https://www.sec.gov/litigation/litreleases/2020/lr24833.htm.
47. SEC website, ``Rule 613 (Consolidated Audit Trail),'' https://www.sec.gov/divisions/marketreg/rule613-info.htm.
48. Teresa Suarez, ``A Crash Course on Capturing Loss Magnitude with 
the FAIR Model,'' Fair Institute website, October 20, 2017, https://www.fairinstitute.org/blog/a-crash-course-on-capturing-loss-magnitude-with-the-fair-model.
49. Terrence Hendershott, Charles M. Jones, and Albert J. Menkveld, 
Does Algorithmic Trading Improve Liquidity?, The Journal of Finance, 
Volume 66, No. 1, February 2011, http://faculty.haas.berkeley.edu/hender/Algo.pdf.
50. United States Census Bureau website, the U.S. and World 
Population Clock, https://www.census.gov/popclock/.
51. Verizon, 2020 Data Breach Investigations Report.
52. Wharton University of Pennsylvania, ``How Undisclosed SEC 
Investigations Lead to Insider Trading,'' March 2, 2020, https://knowledge.wharton.upenn.edu/article/undisclosed-sec-investigations-lead-insider-trading/.

Economic and Public Policy Analysis of Cyber Security for CAT LLC

1. 42 U.S. Code Sec.  247d-6d at Health Resources & Services 
Administration, https://www.hrsa.gov/sites/default/files/gethealthcare/conditions/countermeasurescomp/covered_countermeasures_and_prep_act.pdf.
2. 42 U.S. Code Sec.  300aa-22, https://www.law.cornell.edu/uscode/text/42/300aa-22.
3. Andrew Duehren, ``Senate GOP Aims to Funnel Covid Liability Cases 
to Federal Courts,'' The Wall Street Journal, July 16, 2020, https://www.wsj.com/articles/gop-senators-move-ahead-with-coronavirus-liability-plan-11594929198?mod=searchresults&page=1&pos=3.
4. Aon plc, US Cyber Market Update: 2019 US Cyber Insurance Profits 
and Performance, June 2020, http://thoughtleadership.aon.com/Documents/202006-us-cyber-market-update.pdf.
5. Bhole, Bharat, and Jeffrey Wagner, ``The Joint Use of Regulation 
and Strict Liability with Multidimensional Care and Uncertain 
Conviction,'' International Review of Law and Economics Vol. 28 
(2008).
6. Congressional Research Service, The PREP Act and COVID-19: 
Limiting Liability for Medical Countermeasures, https://crsreports.congress.gov/product/pdf/LSB/LSB10443.
7. Consolidated Audit Trail, LLC's and Participants Memorandum of 
Law in Opposition to SIFMA's Motion to Stay, May 6, 2020.
8. Consolidated Audit Trail website, FAQs, https://www.catnmsplan.com/faq.
9. Consolidated Audit Trail website, Security: FAQs, https://www.catnmsplan.com/faq.
10. De Geest, Gerrit, Giusseppe Dari-Mattiacci, ``Soft Regulators, 
Tough Judges,'' Supreme Court Economic Review, Vol. 15 (2007).
11. Don Fullerton and Gilbert E. Metcalf, ``Tax Incidence,'' Chapter 
26 in Alan Auerbach and Martin Feldstein, Handbook of Public 
Economics, 2002. https://www.nber.org/papers/w8829.pdf.
12. Erin Ayers, ``US cyber market keeps growing, but pace slowed: AM 
Best,'' Advisen Front Page News, July 22, 2020.
13. Harold Demsetz, ``When Does the Rule of Liability Matter?'' 
Journal of Legal Studies, Vol. 1, No. 1, (January 1972).
14. Health Resources & Services Administration, About the National 
Vaccine Injury Compensation Program, https://www.hrsa.gov/vaccine-compensation/about/index.html.
15. Health Resources & Services Administration, The National Vaccine 
Injury Compensation Program (VICP), https://www.hrsa.gov/sites/default/files/hrsa/vaccine-compensation/vaccine-injury-infographic-2017.pdf.
16. Jennifer C. Gravelle, ``Corporate Tax Incidence: A Review of 
Empirical Estimates and Analysis,'' Congressional Budget Office 
Working Paper 2011-01, June 2001. https://www.cbo.gov/sites/default/files/cbofiles/ftpdocs/122xx/doc12239/06-14-2011-corporatetaxincidence.pdf.
17. Jensen, Michael, ``Agency Costs of Free Cash Flow, Corporate 
Finance, and Takeovers,'' American Economic Review, Vol. 76, No. 2 
(May 1986).
18. Kolstad, Charles D., Thomas S. Ulen, and Gary V. Johnson, ``Ex 
Post Liability for Harm vs. Ex Ante Safety Regulation: Substitutes 
or Complements?'' The American Economic Review Vol. 80, No. 4 (Sep. 
1990).
19. Mello, Michelle M., Amitabh Chandra, Atul A. Gawande, and David 
M. Studdert, ``National Costs of the Medical Liability System,'' 
Health Affairs, Vol. 8, No. 9 (Sep. 2010).
20. Organisation for Economic Co-operation and Development, 
Enhancing the Role of Insurance in Cyber Risk Management, (2017), 
https://www.oecd-ilibrary.org/docserver/9789264282148-5-en.pdf?expires=1595620895&id=id&accname=guest&checksum=84A71DC31B31AD5ADA3B29E4BCA3BD62.
21. Public Health Service Act, January 5, 2017, As Amended Through 
Public Law 114-255, Enacted December 13, 2016, https://www.hrsa.gov/sites/default/files/hrsa/vaccine-compensation/about/title-xxi-phs-vaccines-1517.pdf.
22. Ronald H. Coase, ``The Problem of Social Cost,'' Journal of Law 
and Economics, Vol 3 (1960).
23. S&P Global Ratings, Global Reinsurance Highlights 2019.
24. Sasha Romanosky, Lillian Ablon, Andreas Kuehn and Therese Jones, 
``Content Analysis of Cyber Insurance Policies: How Do Carriers 
Price Cyber Risk?'' Journal of Cybersecurity, 2019.
25. SEC Office of Compliance Inspections and Examinations, 
Cybersecurity: Ransomware Alert, July 10, 2020, https://www.sec.gov/files/Risk%20Alert%20-%20Ransomware.pdf.
26. SEC website, ``About the Office of Compliance Inspections and 
Examinations,'' https://www.sec.gov/ocie/Article/ocie-about.html.
27. SEC website, ``Spotlight on Cybersecurity, the SEC and You,'' 
https://www.sec.gov/spotlight/cybersecurity.
28. SEC website, ``Spotlight on Regulation

[[Page 624]]

SCI,'' https://www.sec.gov/spotlight/regulation-sci.shtml.
29. Shah, Syed Salman, and Ben Dyson, ``Cyber insurance-linked 
securities have arrived, but market still in its infancy,'' S&P 
Global Market Intelligence, https://www.spglobal.com/marketintelligence/en/news-insights/latest-news-headlines/cyber-insurance-linked-securities-have-arrived-but-market-still-in-infancy-46915334.
30. SIFMA website, About. https://www.sifma.org/about/.
31. Stephen Entin, ``Labor Bears Much of the Cost of the Corporate 
Tax,'' Tax Foundation Special Report No. 238, October 2017. https://files.taxfoundation.org/20181107145034/Tax-Foundation-SR2382.pdf.
32. Steven Shavell, ``Liability for Accidents,'' Chapter 2 in 
Handbook of Law and Economics, Vol. 1, Mitchell Polinsky and Steven 
Shavell, eds., Elsevier, 2007.
33. Steven Shavell, ``Liability for Harm Versus Regulation of 
Safety,'' The Journal of Legal Studies, Vol. 13, No. 2 (June 1984).
34. Steven Shavell, ``The Judgement Proof Problem,'' International 
Review of Law and Economics Vol. 6, No. 1 (June 1 1986).
35. U.S. Court of Appeals, 2nd Circuit, Standard Investment 
Chartered, Inc. v. National Association of Securities Dealers, et 
al., https://caselaw.findlaw.com/us-2nd-circuit/1556297.html.
36. William M. Gentry, ``A Review of the Evidence on the Incidence 
of the Corporate Income Tax,'' U.S. Department of the Treasury OTA 
Paper 101, December 2007, https://www.treasury.gov/resource-center/tax-policy/tax-analysis/Documents/WP-101.pdf.

[FR Doc. 2020-29216 Filed 1-5-21; 8:45 am]
BILLING CODE 8011-01-P


