Joint Industry Plan; Order Instituting Proceedings To Determine Whether To Approve or Disapprove an Amendment to the National Market System Plan Governing the Consolidated Audit Trail, 19054-19061 [2021-07390]

Download as PDF 19054 Federal Register / Vol. 86, No. 68 / Monday, April 12, 2021 / Notices SECURITIES AND EXCHANGE COMMISSION [Release No. 34–91487; File No. 4–698] Joint Industry Plan; Order Instituting Proceedings To Determine Whether To Approve or Disapprove an Amendment to the National Market System Plan Governing the Consolidated Audit Trail II. Background April 6, 2021. On December 18, 2020, the Operating Committee for Consolidated Audit Trail, LLC (‘‘CAT LLC’’), on behalf of the following parties to the National Market System Plan Governing the Consolidated Audit Trail (the ‘‘CAT NMS Plan’’ or ‘‘Plan’’): 1 BOX Exchange LLC; Cboe BYX Exchange, Inc., Cboe BZX Exchange, Inc., Cboe EDGA Exchange, Inc., Cboe EDGX Exchange, Inc., Cboe C2 Exchange, Inc., Cboe Exchange, Inc., Financial Industry Regulatory Authority, Inc. (‘‘FINRA’’), Investors Exchange LLC, Long-Term Stock Exchange, Inc., Miami International Securities Exchange LLC, MEMX, LLC, MIAX Emerald, LLC, MIAX PEARL, LLC, Nasdaq BX, Inc., Nasdaq GEMX, LLC, Nasdaq ISE, LLC, Nasdaq MRX, LLC, Nasdaq PHLX LLC, The NASDAQ Stock Market LLC, New York Stock Exchange LLC, NYSE American LLC, NYSE Arca, Inc., NYSE Chicago, Inc., and NYSE National, Inc. (collectively, the ‘‘Participants,’’ ‘‘selfregulatory organizations,’’ or ‘‘SROs’’) filed with the Securities and Exchange Commission (‘‘SEC’’ or ‘‘Commission’’) pursuant to Section 11A(a)(3) of the Securities Exchange Act of 1934 (‘‘Exchange Act’’),2 and Rule 608 thereunder,3 a proposed amendment (‘‘Proposed Amendment’’) to the CAT NMS Plan that would authorize CAT LLC to revise the Consolidated Audit Trail Reporter Agreement (the ‘‘Reporter Agreement’’) and the Consolidated Audit Trail Reporting Agent Agreement (the ‘‘Reporting Agent Agreement’’) to insert limitation of liability provisions (the ‘‘Limitation of Liability Provisions’’). The proposed plan amendment was published for comment in the Federal Register on January 6, 2021.4 On July 11, 2012, the Commission adopted Rule 613 of Regulation NMS, which required the SROs to submit a national market system (‘‘NMS’’) plan to create, implement and maintain a consolidated audit trail (the ‘‘CAT’’ or ‘‘CAT System’’) that would capture customer and order event information for orders in NMS securities.6 The Commission approved the CAT NMS Plan in 2016.7 On August 29, 2019, the Operating Committee for CAT LLC approved a Reporter Agreement that included a provision that would limit the total liability of CAT LLC or any of its representatives to a CAT Reporter under the Reporter Agreement for any calendar year to the lesser of the total of fees paid by the CAT Reporter to CAT LLC for the calendar year in which the claim arose or five hundred dollars. The Participants also required each Industry Member 8 to execute a CAT Reporter Agreement prior to reporting data to CAT. Prior to the commencement of initial equities reporting for Industry Members on June 22, 2020, the Securities Industry and Financial Markets Association (‘‘SIFMA’’) filed pursuant to Sections 19(d) and 19(f) of the Exchange Act an application for review of actions taken by CAT LLC and the Participants (the ‘‘Administrative Proceedings’’). SIFMA alleged that by requiring Industry Members to execute the Reporter Agreement as a prerequisite to submitting data to the CAT, the Participants improperly prohibited or limited SIFMA members with respect to access to the CAT System in violation of the Exchange Act. On May 13, 2020, the Participants and SIFMA reached a settlement and terminated the Administrative Proceedings, allowing Industry Members to report data to the CAT pursuant to a Reporter Agreement that 1 The CAT NMS Plan is a national market system plan approved by the Commission pursuant to Section 11A of the Exchange Act and the rules and regulations thereunder. See Securities Exchange Act Release No. 79318 (November 15, 2016), 81 FR 84696 (November 23, 2016). 2 15 U.S.C 78k–1(a)(3). 3 17 CFR 242.608. 4 See Notice of Filing of Amendment to the National Market System Plan Governing the Consolidated Audit Trail, Release No. 90826 (December 30, 2020), 86 FR 591 (January 6, 2021) (‘‘Notice’’). Comments received in response to the Notice can be found on the Commission’s website at https://www.sec.gov/comments/4-698/4-698.htm. 5 17 CFR 242.608(b)(2)(i). 6 17 CFR 242.613. 7 See supra note 1. 8 Industry Member means a member of a national securities exchange or a member of a national securities association. See CAT NMS Plan at Section 1.1. I. Introduction khammond on DSKJM1Z7X2PROD with NOTICES This order institutes proceedings, under Rule 608(b)(2)(i) of Regulation NMS,5 to determine whether to disapprove the Proposed Amendment or to approve the Proposed Amendment with any changes or subject to any conditions the Commission deems necessary or appropriate after considering public comment. VerDate Sep<11>2014 21:37 Apr 09, 2021 Jkt 253001 PO 00000 Frm 00119 Fmt 4703 Sfmt 4703 does not contain a limitation of liability provision. Since that time, Industry Members have been transmitting data to the CAT.9 III. Summary of Proposal The Participants now propose to amend the CAT NMS Plan to authorize CAT LLC to revise the Reporter Agreement and Reporting Agent Agreement with the proposed Limitation of Liability Provisions. As proposed, the Limitation of Liability Provisions would: (1) Provide that CAT Reporters and CAT Reporting Agents accept sole responsibility for their access to and use of the CAT System, and that CAT LLC makes no representations or warranties regarding the CAT System or any other matter; (2) limit the liability of CAT LLC, the Participants, and their respective representatives to any individual CAT Reporter or CAT Reporting Agent to the lesser of the fees actually paid to CAT for the calendar year or $500; (3) exclude all direct and indirect damages; and (4) provide that CAT LLC, the Participants, and their respective representatives shall not be liable for the loss or corruption of any data submitted by a CAT Reporter or CAT Reporting Agent to the CAT System.10 The full text of the proposed Limitation of Liability Provisions appears in Appendix A to the Notice.11 In support of the proposed amendment, the Participants state, among other things, that: (1) The proposed Limitation of Liability Provisions reflect longstanding principles of allocation of liability between industry members and selfregulatory organizations and the Participants are unaware of any context in which liability that is usually borne by Industry Members is shifted to their regulators; 12 (2) the proposed Limitation of Liability Provisions ‘‘fall squarely within industry norms’’ and are consistent with exchange rules that limit liability for losses that members incur through their use of exchange facilities, provisions that FINRA members must agree to in order to comply with Order Audit Trail System (‘‘OATS’’) reporting, and other provisions in the context of regulatory and NMS reporting facilities; 13 (3) previously granted exemptive relief that eliminated the requirement that CAT collect certain personally identifiable 9 For a more detailed description of the background for the Proposed Amendment, see Notice, supra note 4, at 86 FR 591–93. 10 See Notice, supra note 4, 86 FR at 593. 11 See Notice, supra note 4, 86 FR at 598. 12 See Notice, supra note 4, 86 FR at 593–95. 13 See Notice, supra note 4, 86 FR at 593–94. E:\FR\FM\12APN1.SGM 12APN1 khammond on DSKJM1Z7X2PROD with NOTICES Federal Register / Vol. 86, No. 68 / Monday, April 12, 2021 / Notices information, including social security numbers, makes the customer data stored in the CAT comparable to the data reported to other regulatory reporting facilities; 14 (4) the proposed Limitation of Liability Provisions are necessary to ensure the financial stability of CAT because even though ‘‘CAT LLC has obtained the maximum extent of cyber-breach insurance coverage available and has implemented a full cybersecurity program to safeguard data stored in the CAT,’’ there is ‘‘the potential for substantial losses that may result from certain categories of low probability cyberbreaches.’’ 15 In addition, CAT LLC retained Charles River Associates (‘‘Charles Rivers’’) to conduct an economic analysis of the liability issues presented by a potential CAT breach and attached the analysis to the Proposed Amendment as Appendix B to the Notice (the ‘‘CRA Paper’’).16 The Participants state that the analyses presented in the CRA Paper support the Participants’ proposal to adopt a limitation of liability provision in the CAT Reporter Agreement and shows the importance of limiting CAT LLC’s and each Participant’s liability.17 The CRA Paper asserts, among other things, that, based on an examination of potential breach scenarios and a consideration of the economic and public policy elements of various regulatory and litigation approaches to mitigate cyber risk for the CAT, a limitation of liability provision would serve the public interest by facilitating the regulation of the U.S. equity and option markets at lower overall costs and higher economic efficacy than other approaches, and that the proposed limitation on liability would not undermine CAT LLC’s existing and significant incentives to protect the data stored in the CAT System. The CRA Paper asserts that regulation by the SEC already properly incentivizes the Participants to recognize and address the risks that a CAT cyber breach poses to third parties such as Industry Members and that permitting litigation by Industry Members will not meaningfully increase CAT’s incentives to manage its exposure to cyber risk but will significantly increase costs, which will ultimately be passed on to retail investors. Because of this, the CRA Paper asserts that solely an ‘‘ex-ante regulation’’ approach leads 14 See Notice, supra note 4, 86 FR at 595. Notice, supra note 4, 86 FR at 595. 16 See Notice, supra note 4, 86 FR at 599–624. The CRA Paper, dated December 18, 2020, is titled ‘‘White Paper: Analysis of Economic Issues Attending the Cyber Security of the Consolidated Audit Trail.’’ 17 See Notice, supra note 4, at 595–597. 15 See VerDate Sep<11>2014 21:37 Apr 09, 2021 Jkt 253001 to the socially optimal outcome, in comparison to an ‘‘ex post litigation’’ approach in which litigation influences behaviors before a loss-producing event occurs by assigning liability afterwards, or combination of both approaches. IV. Summary of Comments The Commission has received twelve comment letters, including a letter attaching an economic analysis of the Proposed Amendment.18 The Commission has received one response letter from the Participants.19 A. Comments Critical of Proposed Amendment Nine commenters believe that the parties responsible for controlling and securing CAT Data should be liable for any failure to implement adequate security, generally arguing that it is unfair to shift liability to Industry Members for potential harm caused by the compromise of CAT Data over which they have no control or responsibility for security.20 Among 18 See Letter from Ellen Greene, Managing Director, Equity and Options Market Structure, SIFMA, to Vanessa Countryman, Secretary, dated February 19, 2021, available at https:// www.sec.gov/comments/4-698/4698-8394069229410.pdf, attaching Economic Analysis of Proposed Amendment to National Market System Plan Governing the Consolidated Audit Trail, Craig M. Lewis, Ph.D., February 2021 (‘‘Lewis Paper’’). 19 See Letter from Michael Simon, CAT NMS Plan Operating Committee Chair, to Vanessa Countryman, Secretary, dated April 1, 2021 (‘‘Response Letter’’). 20 See Lewis Paper at 3, 6; Letter from Ellen Greene, Managing Director, Equity and Options Market Structure, SIFMA, to Vanessa Countryman, Secretary, dated January 27, 2021, available at https://www.sec.gov/comments/4-698/46988298026-228278.pdf (‘‘SIFMA Letter’’), at 4; Letter from Joanna Mallers, Secretary, FIA Principal Traders Group, to Vanessa Countryman, Secretary, dated February 8, 2021, available at https:// www.sec.gov/comments/4-698/4698-8345389228979.pdf (‘‘FIA PTG Letter’’), at 1 (stating it ‘‘supports the comments previously filed by SIFMA’’); Letter from Thomas R. Tremaine, Executive Vice President, Chief Operations Officer, Raymond James & Associates, Inc., to Vanessa Countryman, Secretary, dated February 8, 2021, available at https://www.sec.gov/comments/4-698/ 4698-8347733-229000.pdf (‘‘Raymond James Letter’’), at 2 (stating that it ‘‘strongly supports the points raised by SIFMA in their letter.’’); Letter from Peggy L. Ho, Executive Vice President, Government Relations, LPL Financial LLC, to Vanessa Countryman, Secretary, dated January 27, 2021, available at https://www.sec.gov/comments/ 4-698/4698-8298412-228298.pdf (‘‘LPL Financial Letter’’), at 1 (stating ‘‘[its] support for SIFMA’s comments submitted on January 27, 2021 in response to the proposed amendments to the CAT NMS Plan’’); Letter from Christopher A. Iacovella, Chief Executive Officer, American Securities Association, to Vanessa Countryman, Secretary, dated January 29, 2021, available at https:// www.sec.gov/comments/4-698/4698-8311307228499.pdf (‘‘ASA Letter’’), at 2; Letter from Thomas M. Merritt, Deputy General Counsel, Virtu Financial, Inc., to Vanessa Countryman, Secretary, dated January 27, 2021, available at https:// www.sec.gov/comments/4-698/4698-8298023- PO 00000 Frm 00120 Fmt 4703 Sfmt 4703 19055 other things, these commenters state that the SROs are exclusively responsible for maintaining the CAT System and for implementing measures to prevent breach or misuse.21 Four commenters believe that ‘‘[a]ligning control and liability is not only fair and equitable; it is also good policy, because it maximizes efficiencies in managing data risks inherent in the CAT System.’’ 22 However, one commenter argues that the proposal shows that the SROs understand that it will be impossible for them to protect CAT Data and that a hack of CAT is inevitable.23 Nine commenters also express concern that shifting liability from CAT LLC to CAT Reporters would reduce the incentive of Participants to develop robust data security and risk mitigation mechanisms, and may even incentivize the Participants to de-prioritize data security.24 Two of these commenters characterized the economic structure of the Proposed Amendment as creating a ‘‘moral hazard,’’ where incentives to invest in data security are diminished because Industry Members bear the potential litigation costs of a breach or misuse of CAT Data.25 Another commenter argues that aligning control and liability incentivizes the optimal amount of data security and would ultimately benefit all investors.26 Four commenters criticized the Proposed Amendment for proposed limitation of liability provisions that would effectively prohibit Industry Members from pursuing claims against CAT LLC and the SROs, even if there is ‘‘willful misconduct, gross negligence, bad faith or criminal acts of CAT LLC, the SROs or their representatives or employees.’’ 27 These commenters 228258.pdf (‘‘Virtu Letter’’), at 2; Letter from Matthew Price, Fidelity Investments, to Vanessa Countryman, Secretary, dated February 2, 2021, available at https://www.sec.gov/comments/4-698/ 4698-8343750-228940.pdf (‘‘Fidelity Letter’’), at 2; Letter from Daniel Keegan, Managing Director, Head of North America Markets & Securities Services, to Vanessa Countryman, Secretary, dated February 25, 2021, available at https://www.sec.gov/comments/ 4-698/4698-8419819-229522.pdf (‘‘Citi Letter’’), at 2. 21 See, e.g, SIFMA Letter at 2; Virtu Letter at 3; Fidelity Letter at 2. 22 See SIFMA Letter at 4. See also LPL Financial Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2. 23 See ASA Letter at 3. 24 See Lewis Paper at 5–9, 14; SIFMA Letter at 7, 9; LPL Financial Letter at 1; Raymond James Letter at 2; FIA PTG Letter at 2; Virtu Letter at 3; ASA Letter at 2; Fidelity Letter at 2; Citi Letter at 2. 25 See Citi Letter at 2; Lewis Paper at 9. 26 See Lewis Paper at 5–7. 27 See SIFMA Letter at 5, 7–8. See also LPL Financial at 1; FIA PTG Letter at 2; Raymond James Letter at 2; Citadel Letter at 3 (stating that the provisions would protect Participants and their E:\FR\FM\12APN1.SGM Continued 12APN1 19056 Federal Register / Vol. 86, No. 68 / Monday, April 12, 2021 / Notices khammond on DSKJM1Z7X2PROD with NOTICES further assert that the proposal would shield the SROs from liability, ‘‘not only for a breach of the CAT System by malicious third-party actors but even from the theft or other misuse of CAT Data by SRO employees’’ and would ‘‘effectively extinguish the liability of CAT LLC and the SROs even in instances of gross negligence or intentional misconduct.’’ 28 Another commenter states that the proposal ‘‘would effectively hold brokers responsible for the malfeasance and incompetence of the SROs and their contractors’’ and that this would be ‘‘extremely unreasonable.’’ 29 Five commenters assert that the proposed Limitation of Liability Provisions are inconsistent with industry standards, citing among other things SRO limitation of liability rules which exclude protection for willful misconduct, gross negligence, bad faith or criminal acts.30 Further, six commenters dismiss comparisons made in the Proposed Amendment to OATS limitation of liability provisions because CAT captures significantly more information than OATS, including personally identifiable information, and data reported to OATS is reported to and only used by FINRA.31 Commenters further state that OATS does not have the same account-level data that the CAT will collect, which could present the risk of reverse engineering of trading strategies.32 One commenter stated that the limitation of liability provisions for OATS were signed in 1998, and since then the landscape of cybersecurity has changed, and the frequency and scale of data breaches has increased dramatically.33 Five commenters argue that the SROs have failed to explain why limitation of their liability should be imposed by contract because the SROs have immunity from liability when acting in a regulatory capacity.34 Four of these representatives from any and all potential misuse, including intentional misuse, of CAT Data). 28 See SIFMA Letter at 5. See also LPL Financial at 1; FIA PTG Letter at 2; Raymond James Letter at 2; Citadel Letter at 3. 29 See ASA Letter at 2. 30 See SIFMA Letter at 7; LPL Financial Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2; Fidelity Letter at 2. 31 See Lewis Paper at 9–10; SIFMA Letter at 8; LPL Financial Letter at 2; Raymond James Letter at 2; FIA PTG Letter at 2; Virtu Letter at 4. 32 See SIFMA Letter at 10; Virtu Letter at 4; LPL Financial Letter at 2; Raymond James Letter at 2; FIA PTG Letter at 2. 33 See Lewis Paper at 10. 34 See Letter from Stephen John Berger, Managing Director, Global Head of Government & Regulatory Policy, Citadel Securities, to Vanessa Countryman, Secretary, dated February 23, 2021, available at https://www.sec.gov/comments/4-698/4698- VerDate Sep<11>2014 21:37 Apr 09, 2021 Jkt 253001 commenters further assert that the effort to impose liability limitations by contract ‘‘raises significant questions about whether the SROs seek to avoid liability in circumstances in which they misuse CAT Data while acting in a commercial capacity.’’ 35 Another commenter frames the issue as not whether the Participants should be liable for conduct undertaken during the course of their regulatory responsibilities, but whether the Participants should be insulated from potential liability for activities not covered by regulatory immunity.36 Five commenters state that the Participants contradictorily argue that security measures are robust but that a limitation of liability is necessary due to risk of a catastrophic loss as a result of a breach or misuse of CAT Data.37 For example, one of these commenters notes that the Participants assert that Industry Members should not be concerned about ‘‘breach or misuse’’ of CAT Data due to a ‘‘robust regulatory regime governing CAT data security,’’ but also argue that they need limitation of liability provisions because without them the ‘‘risk of a catastrophic loss as a result of a data breach or misuse is so significant that the financial stability of the CAT would be jeopardized in the absence [of the provisions].’’ 38 Additionally, eight commenters note that Participants have argued against adopting the security measures in the Proposed Amendments to the National Market System Plan Governing the Consolidated Audit Trail to Enhance Data Security,39 on the grounds that CAT security measures already are robust, while at the same time attempting to disclaim liability because of the high risk of a security breach.40 B. Comments Regarding the CRA Paper In addition to comments regarding the Proposed Amendment, commenters 8411798-229501.pdf (‘‘Citadel Letter’’), at 1, 3–5; SIFMA Letter at 8; LPL Financial Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2. 35 See SIFMA Letter at 8. See also LPL Financial Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2. 36 See Citadel Letter at 5. 37 See SIFMA Letter at 4; LPL Financial Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2; Lewis Paper at 4. 38 See SIFMA Letter at 4. See also LPL Financial Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2. 39 See Securities Exchange Act Release No. 89632 (August 21, 2020), 85 FR 65990 (October 16, 2020) (proposing to amend the CAT NMS Plan to enhance the security of the CAT and the protections afforded to CAT Data) (‘‘Data Security Proposal’’). 40 See Citadel Letter at 2; Lewis Paper at 4; SIFMA Letter at 7; LPL Financial Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2; Virtu Letter at 5; Fidelity Letter at 2. PO 00000 Frm 00121 Fmt 4703 Sfmt 4703 provided comments regarding the CRA Paper, which is summarized above in Section II and attached to the Notice as Appendix B.41 Two commenters argue that the CRA Paper’s conclusion that ex-ante regulation is most appropriate is wrong, and that CAT cybersecurity would benefit from both ex-ante regulation and ex-post litigation.42 One commenter states that permitting litigation against Participants and their representatives when they are acting outside their regulatory capacity is ‘‘crucial’’ and would give the Participants strong financial incentives to invest to prevent or minimize the likelihood of security failures.43 One commenter asserts that protecting the Participants against liability for litigation shifts liability to Industry Members for potential claims from the Industry Members’ customers, and that the retention of liability for potential litigation by CAT LLC would mitigate the moral hazard problem and incent CAT LLC to invest in improvements in data security and more quickly react to changing trends and threats in cybersecurity.44 Seven commenters argue that the CRA Paper fails to consider the costs of a data breach on non-SROs, including brokerdealers and their customers.45 These commenters state that, while disclaiming liability by CAT LLC would reduce its costs, the liability for a potentially catastrophic loss or breach would instead be shifted to Industry Members, and the CRA Paper fails to take these costs into account. In addition, one of these commenters states that if Industry Members could not sue CAT LLC, they would have to purchase additional liability insurance since they have no ability to mitigate the security risk and no recourse to recoup any litigation-related losses from their own customers.46 Six commenters state that the CRA Paper only focuses on a breach by 41 See 42 See supra note 16. Citadel Letter at 1–2, 7; Lewis Paper at 7– 9. 43 See Citadel Letter at 2, 7, 9–10. This commenter also asserts that the SEC has only assessed whether the existing cybersecurity framework is adequate for CAT databases (in contrast to Participants’ security) and states that regulation is a slow and uncertain process that cannot keep pace with data security issues. See id. at 8. 44 See Lewis Paper at 7–9. 45 See Lewis Paper at 1, 8–9; SIFMA Letter at 9– 10; LPL Financial Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2; Virtu Letter at 5; ASA Letter at 2. For example, one commenter asserts that the CRA Paper fails to consider the costs of a data breach on non-SROs (broker-dealers and their customers), including ‘‘damage to the brand’’ and ‘‘trust that broker-dealers have [built] up with their retail clients for decades.’’ See ASA Letter at 2. 46 See Lewis Paper at 4, 8. E:\FR\FM\12APN1.SGM 12APN1 Federal Register / Vol. 86, No. 68 / Monday, April 12, 2021 / Notices khammond on DSKJM1Z7X2PROD with NOTICES external actors and fails to address the risk of misuse of CAT data by personnel at CAT LLC and the SROs.47 In addition, one commenter emphasizes that the CRA Paper focuses on databases maintained by CAT LLC, not the ‘‘larger concern,’’ which is the potential for hackers to access CAT Data from Participant databases that have extracted data from the CAT.48 Four commenters state that the CRA Paper suggests that certain mechanisms, such as a third-party compensation program, cyber-related industry loss warranties or cyber catastrophe bonds could be used in the event of a CAT breach to compensate third parties, but the SROs have not actually proposed the adoption of any of them.49 These commenters assert that the Participants effectively concede that, without more, the current regulatory regime is insufficient to protect parties that are injured as a result of a CAT breach.50 Another commenter states that the CRA Paper provides no details regarding the insurance that CAT LLC has obtained and does not analyze whether Participants should seek insurance or the effect such insurance could have on the Participants’ incentives to protect data that they extract from the CAT and store outside the CAT.51 Six commenters believe that it would be more appropriate for CAT LLC to purchase insurance instead of Industry Members each purchasing the same overlapping policies.52 One of these 47 See Citadel Letter at 6; SIFMA Letter at 9; LPL Financial Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2; Virtu Letter at 5. One commenter states that the CRA Paper does not provide any support for the argument that broker-dealers should be accountable for the wrongdoing or misuse of data by SRO employees or contractors. See ASA Letter at 2. 48 See Citadel Letter at 6–7. One commenter argues that the CRA Paper significantly overemphasizes the visibility and input into the workings of CAT provided to the industry, and asserts that there is no visibility into the security aspects of CAT. See id. at 9. 49 See SIFMA Letter at 10; LPL Financial Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2. 50 In addition, these commenters believe the Participants would not be incented to develop any such compensation mechanisms if they are protected against liability. See supra note 49. 51 See Citadel Letter at 7–8. See also Lewis Paper at 13–14 (arguing that there is no basis for the claim that CAT LLC cannot obtain additional insurance). The Lewis Paper states that if purchasing additional insurance would be cost prohibitive, then the same would apply to Industry Members because the costs of insurance to CAT LLC are likely to be lower than the combined cost of Industry Members purchasing an equivalent amount of coverage. Id. at 14. 52 See Lewis Paper at 11; SIFMA Letter at 4–5, 8– 9, 10–11; Virtu Letter at 3. See also LPL Financial Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2. One commenter expresses skepticism that Industry Members could even obtain insurance policies under the current CAT System construct, VerDate Sep<11>2014 21:37 Apr 09, 2021 Jkt 253001 commenters argues that CAT LLC is able to insure more efficiently than Industry Members because CAT LLC has access to and control over CAT Data and systems and can subject itself to monitoring by an insurer.53 Finally, two commenters criticize the breach scenarios discussed in the CRA Paper as insufficient to capture the risks. One of these commenters suggests that a breach of CAT by foreign actors, or CAT being internally compromised could lead to the ‘‘downfall’’ of U.S. capital markets and that the breach scenarios in the CRA Paper ‘‘grossly’’ underestimate national security threats.54 Another commenter states that the CRA Paper ‘‘avoids any serious discussion’’ of the risk posed by ‘‘nation state actors, like China and Russia.’’ 55 C. Participants’ Response Letter On April 1, 2021, the Participants submitted a letter responding to comments received regarding the Proposed Amendment.56 In their response, the Participants argue that following a thorough review and consideration of the issues raised by commenters, they continue to believe that the Proposed Amendment is consistent with the Exchange Act.57 The Participants provide further background on discussions between Participants and Industry Members, and in particular with SIFMA, stating that between August 2019 and April 2020 the Participants and SIFMA participated in numerous meetings and exchanged extensive correspondence.58 The Participants state that they plan to reach out to SIFMA, as they ‘‘remain willing to work with Industry Members (and any other stakeholders) in good faith to resolve the parties’ remaining differing perspectives,’’ but stated that from August 2019 through April 2020, SIFMA’s ‘‘only proposal’’ was to categorically reject any limitation of liability.59 The Participants emphasize that settlement of the Administrative because Industry Members have no control over the data it is by law required to submit, its security or the CAT Systems. See Virtu Letter at 3. 53 See Lewis Paper at 12–13. See also SIFMA Letter at 4–5 (stating that requiring Industry Members to pay for and implement separate and overlapping insurance policies, if available, is inefficient and would result in substantially higher costs borne by Industry Members and by extension their customers). 54 See Letter from Kelvin To, Founder and President, Data Boiler Technologies, LLC, to Vanessa Countryman, Secretary, dated January 27, 2021, at 1 and 6, available at https://www.sec.gov/ comments/4-698/l4698-8311309-228460.pdf. 55 See ASA Letter at 2. 56 See, supra note 19. 57 See Response Letter at 2. 58 See id. 59 See id. PO 00000 Frm 00122 Fmt 4703 Sfmt 4703 19057 Proceedings did not resolve the question of whether proposed Limitation of Liability Provisions should be included in the Reporter Agreement and the Reporting Agent Agreement.60 The Participants reassert that the proposed Limitation of Liability Provisions are consistent with SRO limitation of liability rules, emphasizing that under those rules the SROs generally have the discretion, but not obligation, to compensate harmed Industry Members, and that this discretion only applies in very limited circumstances—namely, for system failures that impact the execution of individual orders.61 The Participants state that no SRO limitation of liability rule contemplates SRO liability for ‘‘catastrophic’’ damages resulting from the theft of Industry Members’ proprietary trading algorithms.62 The Participants also state that the Participants consider the proposed Limitation of Liability Provisions to fall squarely within industry norms, as demonstrated by a comparison to the allocation of liability between Industry Members and SROs in other regulatory contexts, including NMS plans, regulatory reporting facilities, SRO rules and liability provisions that Industry Members use to protect themselves when they possess sensitive customer and transaction data.63 The Participants reject SIFMA’s suggestion that any limitation of liability provision should exclude liability for willful misconduct, gross negligence, bad faith or criminal acts of CAT LLC, the SROs or their representatives or employees.64 The Participants state that existing SRO liability rules approved by the Commission do not recognize such exclusions, stating that in the limited instances in which SRO liability rules permit claims for gross negligence or willful misconduct, Industry Members are often prohibited from suing an SRO 60 See Response Letter at 4. id. at 5–6. The Participants also note that during negotiations, the Participants submitted to SIFMA a term sheet that provided for a discretionary compensation mechanism modeled after SRO rules, which was rejected by SIFMA. Id. at 6. 62 See id. The Participants also disagree with characterizations of the Proposed Amendment as an attempt to ‘‘shift’’ liability from Participants to Industry Members, and instead argue that the Industry Members themselves are proposing a ‘‘shift’’ from the longstanding allocation of liability between Industry Member and Participants. Id. at 21. 63 See id. at 5–11. The Participants believe that the proposed Limitation of Liability Provisions are ‘‘substantively identical’’ to the liability provisions to which Industry Members regularly agree in connection with OATS reporting. Id. 64 See id. at 7 (citing SIFMA Letter at 7–8). 61 See E:\FR\FM\12APN1.SGM 12APN1 19058 Federal Register / Vol. 86, No. 68 / Monday, April 12, 2021 / Notices khammond on DSKJM1Z7X2PROD with NOTICES for damages unless the alleged gross negligence or willful misconduct also constituted a securities law violation for which Congress has authorized a private right of action.65 The Participants also argue that modifying the proposed Limitation of Liability provisions is not supported by the CRA Paper, because such modifications would likely result in litigation over liability. According to the Participants, although they, CAT LLC, and FINRA CAT may ultimately be found not liable, such litigation would be expensive, time-consuming, distract Participants from their regulatory oversight mandate, and may open the doors of discovery to potentially malicious actors.66 The Participants state that the Commission’s regulatory enforcement regime and the potential for severe reputational harm already sufficiently incentivize the Participants to not engage in bad faith, recklessness, gross negligence, and intentional misconduct, and so adding exclusions to the proposed Limitation of Liability provisions would not result in any meaningful improvement to the CAT’s cybersecurity.67 The Participants reject the argument that the proposed Limitation of Liability Provisions are inappropriate because the Participants and FINRA CAT control the CAT Data.68 The Participants believe that securities industry norms do not support the principle that the party in possession of data should bear liability in the event of a data breach, and in particular where the parties in possession of the data are acting in regulatory capacities pursuant to 65 See Response Letter at 6–7. Thus, the Participants believe that that these provisions would not provide for liability against the selfregulatory organizations in the event of a data breach. Id. at 7–8. The Participants also note that contractual limitation of liability provisions in connection with other NMS plans and regulatory reporting facilities, including OATS, do not contain the exclusions advocated by SIFMA. Id. at 8. 66 See id. at 9. The Participants note that increased costs of operating CAT would be borne by the Participants and Industry alike, which means that a limitation of liability with any categorical exclusions could result in many of the same economic harms that would occur in the absence of any limitation of liability at all. Id. The Participants also note that certain relief ordered in litigation could interfere with the Commission’s oversight of the CAT. Id. 67 See Response Letter at 9. The Participants note that enforcement actions could be brought for cybersecurity-related violations (e.g., failure to comply with Regulation SCI) and violations of the CAT NMS Plan (e.g., for violating the CAT NMS Plan by using CAT Data for non-regulatory purposes). See id. at 25–26. The Participants also state that the purpose of the CAT and the Participants’ mandate under the CAT NMS Plan is the fulfillment of regulatory functions, and not operation in connection with business activities. Id. at 22. 68 See id. at 10. VerDate Sep<11>2014 21:37 Apr 09, 2021 Jkt 253001 Commission rules.69 In support, the Participants state that Industry Members ‘‘routinely’’ disclaim liability to their underlying customers despite controlling sensitive data that could be compromised during a data breach, including their own retail customers in certain cases.70 In response to concerns about the cybersecurity of CAT and concerns about the use of CAT Data, including concerns about bulk downloading and personally identifiable information, the Participants state that they are authorized to bulk download only trading data, and not customer data.71 The Participants also state that FINRA CAT has adopted and implemented policies, procedures, systems, and controls to address cybersecurity concerning the bulk downloading of CAT Data by the Participants.72 In addition, as with FINRA CAT, the Participants’ cybersecurity protocols are subject to the Commission’s regulatory oversight regime, including its examination and enforcement functions.73 The Participants further state that FINRA CAT and Participants have robust cybersecurity protocols that are designed to prevent and detect both external and internal security threats, and only regulatory users with a ‘‘needto-know’’ have a basis for accessing CAT Data and are subject to comprehensive background checks.74 The Participants state that Industry Members have had extensive opportunities to provide input regarding the CAT’s cybersecurity at every stage of the development and operation of the CAT.75 The Participants disagree with commenter suggestions that CAT LLC’s and certain Participants’ responses to the Data Security Proposal 76 imply that the proposed Limitation Liability provisions are inappropriate or that the Commission’s regulatory regime is insufficient to properly incentivize the 69 See id. id. 71 See Response Letter at 11–14. 72 See id. at 11–12. In addition, the Participants state that, among other things, any SRO that engages in bulk downloading must have policies and procedures regarding CAT Data security that are comparable to those implemented and maintained by the Plan Processor for the Central Repository. Id. at 12. 73 See id. at 12. 74 See id. at 12–13. The Participants reassert that the customer data stored in the CAT is comparable to the data reported to other regulatory reporting facilities. Id. at 13. 75 See Response Letter at 14. This includes prior to approval of the CAT NMS Plan, feedback through the Advisory Committee, and the ability of Industry Members to directly petition the Commission or provide comments on any proposals offered by the Commission. Id. 76 See supra note 39. 70 See PO 00000 Frm 00123 Fmt 4703 Sfmt 4703 Participants.77 The Participants state that under the current regulatory regime all interested parties, including CAT LLC and the Participants, provide feedback to the Commission regarding any proposals to the CAT’s cybersecurity, allowing the Commission to use its substantive expertise and an understanding of stakeholder interests to balance all appropriate factors in identifying the CAT’s cybersecurity needs.78 They state that allowing for litigation regarding CAT’s cybersecurity would compromise the Commission’s comprehensive oversight authority, and the Commission’s willingness to propose potential changes highlights the sufficiency and flexibility of the regulatory regime to ensure the optimal security of CAT Data.79 The Participants also believe the Commission did not contemplate that the Participants could be liable for extensive monetary damages resulting from a data breach or for the costs of protracted litigation with Industry Members.80 The Participants also state that regulatory immunity does not preclude the use of contractual limitation of liability provisions and the divergent and shifting positions from Industry Members on the applicability of regulatory immunity underscores the need for a contractual limitation of liability.81 The Participants state that some comments generally argue that a contractual limitation of liability is unnecessary in light of the doctrine of regulatory immunity, while other comments state the Participants should not receive either regulatory immunity or the protection of a limitation of liability provision.82 The Participants state that the proposed Limitation of Liability Provisions are necessary despite any regulatory immunity because even litigation which holds that regulatory immunity applies may result in significant disruption and expense (which ultimately will be passed along to Industry Members as part of CAT LLC’s joint funding), and there is no guarantee that all courts would agree that the Participants’ immunity defense extends to the particular claims at issue.83 The Participants believe that if 77 See Response Letter at 18. id. 79 See id. at 18–19. The Participants note that the Commission, in approving the CAT NMS Plan, explicitly considered the costs of a potential data breach and concluded that the overall benefits of the CAT outweighed any costs. Id. 80 See id. at 19. 81 See Response Letter at 22–25. 82 See id. at 21–23. The Participants state that SIFMA’s longstanding position is that Congress should abrogate regulatory immunity by statute. Id. at 23–24. 83 See id. at 23–25. 78 See E:\FR\FM\12APN1.SGM 12APN1 Federal Register / Vol. 86, No. 68 / Monday, April 12, 2021 / Notices the Commission agrees that the Participants, CAT LLC, and FINRA CAT should not be liable for monetary damages while acting to fulfill an important regulatory function in their capacities as self-regulatory organizations, the Commission’s sole mechanism for ensuring that protection is to endorse the contractual proposed Limitation of Liability Provisions.84 The Participants also state that some comments misunderstand the scope of the proposed Limitation of Liability Provisions.85 The Participants state that the proposed Limitation of Limitation Provisions would not extinguish liability and only addresses the allocation of liability between Industry Members and the Participants.86 The Participants state that the Proposed Amendment would not impact the rights or obligations of third parties, including Industry Members’ customers and would not extinguish the broad regulatory oversight that the Commission exercises over the CAT or potential investigation and potential enforcement action for any cybersecurity-related violations.87 The Participants believe that no commenters have offered any explanation as to why the SEC’s regulatory regime—which includes cybersecurity protocols developed and refined based on feedback from Industry Members—is insufficient to ensure adequate cybersecurity for CAT Data, or what deficiencies in the Commission’s oversight necessitate that Industry Members be afforded an unprecedented private right of action against their regulators.88 The Participants state that commenters are asking that their primary regulators bear any and all liability for hypothetical ‘‘black swan’’ cyber breaches and that such an extraordinary ask is without precedent, and that Participants, implementing a regulatory mandate in their regulatory capacities, should receive liability protections that they are customarily afforded when implementing their regulatory responsibilities pursuant to the direction and oversight of the Commission.89 khammond on DSKJM1Z7X2PROD with NOTICES 84 See id. at 25. Response Letter at 25–26. 86 See id. at 25. 87 See id. at 25–26. 88 See id. at 26. 89 See id. at 2. The Participants note that both the Participants and Industry Members are acting pursuant to Commission mandate, but the Participants are also fulfilling a regulatory oversight role and there is no basis for the Participants to assume liability. Id. at 21. 85 See VerDate Sep<11>2014 21:37 Apr 09, 2021 Jkt 253001 D. Participants’ Response to Comments Regarding the CRA Paper In the Response Letter, the Participants also provide responses to comment letters that addressed the CRA Paper. The Participants explain that the CRA Paper contain two principal analyses: (i) A ‘‘scenario analysis’’ in which it identified specific hypothetical breaches and assessed the relative difficulty of implementation, relative frequency, and conditional severity of each; and (ii) a consideration whether the cyber risk presented by the CAT should be addressed by regulation, litigation, or a combination of both approaches.90 The Participants state that commenters that believe the CRA Paper did not address certain categories of hypothetical data breaches, and in particular breaches that originate from within FINRA CAT or Participants, misconstrue the CRA Paper’s analysis.91 The Participants state that Charles River did not make any assumptions regarding the identity of potential bad actors or where they may work, and the CRA Paper was not intended to predict every possible scenario, but instead intended to provide an illustrative framework to assess the economic exposures that flow from the gathering, storage, and use of CAT Data.92 The Participants state that the CRA Paper concludes, in light of the CAT’s extensive cybersecurity and other reasons, most potential breaches are relatively low-frequency events because they are either difficult to implement, unlikely to be meaningfully profitable, or both.93 The Participants also believe that the CRA Paper’s conclusion that allowing Industry Members to litigate against CAT LLC, the Participants, and FINRA CAT would provide minimal benefits while imposing substantial costs is not undermined to the extent that commenters identify potential breaches that were not included in Charles River’s scenario analysis.94 The Participants believe that comments that criticize the CRA Paper’s for failing to consider the costs to individual Industry Members in the event of a CAT data breach are based on a fundamental misunderstanding of the relevant economic principles.95 Specifically, the CRA Paper’s focus was on whether the risks of the use of CAT Data for regulatory purposes was best managed through ex ante regulation or 90 See Response Letter at 15. id. 92 See id. (citing CRA Paper 2). 93 See Response Letter at 16 (citing CRA Paper at 18–32). 94 See Response Letter at 16. 95 See id. 91 See PO 00000 Frm 00124 Fmt 4703 Sfmt 4703 19059 ex post litigation, or a combination of both, and this analysis largely turns on identifying the most effective and efficient mechanisms for incentivizing CAT LLC, the Participants and FINRA CAT to take appropriate precautions.96 The Participants state that the CRA Paper demonstrates that the extensive regulatory regime that the SEC has enacted creates appropriate and strong incentives for the Participants to take sufficient cybersecurity precautions and to ensure that the CAT is secure, and that allowing Industry Members to litigate against Participants would create substantial costs without any corresponding benefit.97 The Participants acknowledge that the CRA Paper explains that the regulatory regime is generally silent with respect to the most efficient method to compensate injured parties and that the CRA Paper offered several suggestions to cover potential losses including insurance, industry loss warranties, and catastrophe bonds.98 The Participants state that they are willing discuss any of these compensation mechanisms with Industry Members and would welcome a discussion with the Commission to address the viability of these mechanisms and how they might be funded.99 The Participants reiterate that CAT LLC has obtained the ‘‘maximum extent of cyber-breach insurance coverage available at the time’’ and are willing to discuss with Industry Members and the Commission how that coverage might be used to compensate parties harmed by any potential data breach.100 The Participants also state that they regularly evaluate CAT LLC’s insurance and intend to purchase additional coverage to the extent it becomes reasonably available.101 The Participants state that they disagree with the conclusions in the 96 See id. id. at 16–17. The Participants also dispute an assertion that the CRA Paper delivered a ‘‘predetermined conclusion.’’ See id. at 17 (citing ASA Letter at 2–3). 98 See Response Letter at 27 (citing CRA Paper at 50–53). 99 See id. at 27–28. The Participants state that the Commission is empowered to bring enforcement actions for violations of cybersecurity requirements, and this authority includes the ability to order individuals and entities to disgorge ill-gotten gains which could be used to compensate harmed parties. The Participants also state that creating mechanisms to compensate Industry Members in the event of a data breach would not obviate the need for the proposed Limitation of Liability Provisions. See id. at 28. 100 See Response Letter at 17. See also Response Letter at 21 and 27. 101 See id. at 21. The Participants state that the decision to purchase the maximum coverage available is not contingent on whether they are protected by a limitation of liability provision. Id. at 27. 97 See E:\FR\FM\12APN1.SGM 12APN1 19060 Federal Register / Vol. 86, No. 68 / Monday, April 12, 2021 / Notices khammond on DSKJM1Z7X2PROD with NOTICES Lewis Paper and asked Charles River to respond to the issues raised within the Lewis Paper.102 The Participants state that the Lewis Paper appears to advocate that CAT LLC should be strictly liable for all costs associated with any CAT data breach, regardless of the facts and circumstances, without any economic analysis as to why the longstanding allocation of liability between the Participants and Industry Members should not apply here.103 In addition, the Participants state that the proposed Limitation of Liability Provisions do not impact the rights of Industry Members’ underlying customers, and that Industry Members routinely disclaim liability to those underlying customers, which the Lewis Paper does not address.104 The Participants also state that the Lewis Paper does not include a scenario analysis like the CRA Paper, and the Participants state that the Lewis Paper incorrectly states that a cyber breach would likely be a single event that affects all Industry Members simultaneously, leading to the erroneous conclusion that CAT LLC is in a better position than individual Industry Members to insure against a cyber breach.105 V. Proceedings To Determine Whether To Approve or Disapprove the Proposed Amendment The Commission is instituting proceedings pursuant to Rule 608(b)(2)(i) of Regulation NMS,106 and Rules 700 and 701 of the Commission’s Rules of Practice,107 to determine whether to disapprove the Proposed Amendment or to approve the Proposed Amendment with any changes or subject to any conditions the Commission deems necessary or appropriate after considering public comment. Institution of proceedings does not indicate that the Commission has reached any conclusions with respect to any of the issues involved. Rather, the Commission seeks and encourages interested persons to provide additional comment on the Proposed Amendment to inform the Commission’s analysis. Rule 608(b)(2) of Regulation NMS provides that the Commission ‘‘shall approve a national market system plan or proposed amendment to an effective national market system plan, with such changes or subject to such conditions as 102 See Response Letter at 20. 103 See id. 104 See id. 105 See id. at 20–21. 106 17 CFR 242.608. 107 17 CFR 201.700; 17 CFR 201.701. VerDate Sep<11>2014 21:37 Apr 09, 2021 Jkt 253001 the Commission may deem necessary or appropriate, if it finds that such plan or amendment is necessary or appropriate in the public interest, for the protection of investors and the maintenance of fair and orderly markets, to remove impediments to, and perfect the mechanisms of, a national market system, or otherwise in furtherance of the purposes of the Act.’’ 108 Rule 608(b)(2) further provides that the Commission shall disapprove a national market system plan or proposed amendment if it does not make such a finding.109 In the Notice, the Commission sought comment on the Proposed Amendment, including whether the amendment is consistent with the Exchange Act.110 In this order, pursuant to Rule 608(b)(2)(i) of Regulation NMS,111 the Commission is providing notice of the grounds for disapproval under consideration: • Whether, consistent with Rule 608 of Regulation NMS, the Proposed Amendment is necessary or appropriate in the public interest, for the protection of investors and the maintenance of fair and orderly markets, to remove impediments to, and perfect the mechanisms of, a national market system, or otherwise in furtherance of the purposes of the Act,112 specifically regarding: Æ Whether the impact of the proposed Limitation of Liability Provisions on the incentives of the Participants to ensure the security of the CAT and CAT Data is necessary or appropriate in the public interest, for the protection of investors and the maintenance of fair and orderly markets, to remove impediments to, and perfect the mechanisms of a national market system, or otherwise in furtherance of the purposes of the Act; Æ whether the Proposed Amendment is necessary or appropriate in the public interest, for the protection of investors and the maintenance of fair and orderly markets, to remove impediments to, and perfect the mechanisms of a national market system, or otherwise in furtherance of the purposes of the Act in light of any regulatory immunity applicable to the Participants; and Æ whether the application of the proposed Limitation of Liability Provisions to willful misconduct, gross negligence, bad faith or criminal acts is necessary or appropriate in the public interest, for the protection of investors and the maintenance of fair and orderly 108 See 17 CFR 242.608(b)(2). 109 See id. 110 See Notice, supra note 4, 86 FR at 598. 111 17 CFR 242.608(b)(2)(i). See also Commission Rule of Practice 700(b)(2), 17 CFR 201.700(b)(2). 112 See 17 CFR 242.608(b)(2). PO 00000 Frm 00125 Fmt 4703 Sfmt 4703 markets, to remove impediments to, and perfect the mechanisms of a national market system, or otherwise in furtherance of the purposes of the Act; • Whether, and if so how, the Proposed Amendment would affect efficiency, competition or capital formation; • Whether modifications to the Proposed Amendment, or conditions to its approval, would be necessary or appropriate in the public interest, for the protection of investors and the maintenance of fair and orderly markets, to remove impediments to, and perfect the mechanisms of, a national market system, or otherwise in furtherance of the purposes of the Act.113 VI. Commission’s Solicitation of Comments The Commission requests that interested persons provide written submissions of their views, data, and arguments with respect to the issues identified above, as well as any other concerns they may have with the proposals. In particular, the Commission invites the written views of interested persons concerning whether the proposals are consistent with Section 11A or any other provision of the Act, or the rules and regulations thereunder. Although there do not appear to be any issues relevant to approval or disapproval that would be facilitated by an oral presentation of views, data, and arguments, the Commission will consider, pursuant to Rule 608(b)(2)(i) of Regulation NMS,114 any request for an opportunity to make an oral presentation.115 Interested persons are invited to submit written data, views, and arguments regarding whether the proposals should be approved or disapproved by May 3, 2021. Any person who wishes to file a rebuttal to any other person’s submission must file that rebuttal by May 17, 2021. Comments may be submitted by any of the following methods: Electronic Comments • Use the Commission’s internet comment form (http://www.sec.gov/ rules/sro.shtml); or • Send an email to rule-comments@ sec.gov. Please include File Number 4– 698 on the subject line. 113 See 17 CFR 242.608(b)(2). CFR 242.608(b)(2)(i). 115 Rule 700(c)(ii) of the Commission’s Rules of Practice provides that ‘‘[t]he Commission, in its sole discretion, may determine whether any issues relevant to approval or disapproval would be facilitated by the opportunity for an oral presentation of views.’’ 17 CFR 201.700(c)(ii). 114 17 E:\FR\FM\12APN1.SGM 12APN1 Federal Register / Vol. 86, No. 68 / Monday, April 12, 2021 / Notices Paper Comments • Send paper comments in triplicate to: Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549–1090. All submissions should refer to File Number 4–698. This file number should be included on the subject line if email is used. To help the Commission process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission’s internet website (http://www.sec.gov/rules/ sro.shtml). Copies of the submission, all subsequent amendments, all written statements with respect to the proposed rule change that are filed with the Commission, and all written communications relating to the proposed rule change between the Commission and any person, other than those that may be withheld from the public in accordance with the provisions of 5 U.S.C. 552, will be available for website viewing and printing in the Commission’s Public Reference Room, 100 F Street NE, Washington, DC 20549 on official business days between the hours of 10:00 a.m. and 3:00 p.m. Copies of the filing also will be available for inspection and copying at the Participants’ principal offices. All comments received will be posted without change. Persons submitting comments are cautioned that we do not redact or edit personal identifying information from comment submissions. You should submit only information that you wish to make available publicly. All submissions should refer to File Number 4–698 and should be submitted on or before May 3, 2021. For the Commission, by the Division of Trading and Markets, pursuant to delegated authority.116 J. Matthew DeLesDernier, Assistant Secretary. [FR Doc. 2021–07390 Filed 4–9–21; 8:45 am] khammond on DSKJM1Z7X2PROD with NOTICES BILLING CODE 8011–01–P 116 17 CFR 200.30–3(a)(85). VerDate Sep<11>2014 21:37 Apr 09, 2021 Jkt 253001 SECURITIES AND EXCHANGE COMMISSION [Release No. 34–91491; File No. SR–OCC– 2021–801] Self-Regulatory Organizations; The Options Clearing Corporation; Notice of No Objection To Advance Notice Relating to OCC’s Establishment of Persistent Minimum Skin-in-the-Game April 7, 2021. I. Introduction On February 10, 2021, the Options Clearing Corporation (‘‘OCC’’) filed with the Securities and Exchange Commission (‘‘Commission’’) advance notice SR–OCC–2021–801 (‘‘Advance Notice’’) pursuant to Section 806(e)(1) of Title VIII of the Dodd-Frank Wall Street Reform and Consumer Protection Act, entitled Payment, Clearing and Settlement Supervision Act of 2010 (‘‘Clearing Supervision Act’’) 1 and Rule 19b–4(n)(1)(i) 2 under the Securities Exchange Act of 1934 (‘‘Exchange Act’’) 3 to establish a persistent minimum level of skin-in-the-game that OCC would contribute to cover default losses or liquidity shortfalls.4 The Advance Notice was published for public comment in the Federal Register on March 1, 2021,5 and the Commission has received comments regarding the changes proposed in the Advance Notice.6 The Commission is hereby providing notice of no objection to the Advance Notice. 1 12 U.S.C. 5465(e)(1). CFR 240.19b–4(n)(1)(i). 3 15 U.S.C. 78a et seq. 4 See Notice of Filing infra note 5, at 86 FR 12057. 5 Securities Exchange Act Release No. 91184 (Feb. 23, 2021), 86 FR 12057 (Mar. 1, 2021) (File No. SR– OCC–2021–801) (‘‘Notice of Filing’’). On February 10, 2021, OCC also filed a related proposed rule change (SR–OCC–2021–003) with the Commission pursuant to Section 19(b)(1) of the Exchange Act and Rule 19b–4 thereunder (‘‘Proposed Rule Change’’). 15 U.S.C. 78s(b)(1) and 17 CFR 240.19b– 4, respectively. In the Proposed Rule Change, which was published in the Federal Register on March 2, 2021, OCC seeks approval of proposed changes to its rules necessary to implement the Advance Notice. Securities Exchange Act Release No. 91199 (Feb. 24, 2021), 86 FR 12237 (Mar. 2, 2021) (File No. SR–OCC–2021–003). The comment period for the related Proposed Rule Change filing closed on March 23, 2021. 6 Comments on the Advance Notice are available at https://www.sec.gov/comments/sr-occ-2021-801/ occ2021801.htm. Since the proposal contained in the Advance Notice was also filed as a proposed rule change, all public comments received on the proposal are considered regardless of whether the comments are submitted on the Proposed Rule Change or the Advance Notice. Comments on the Proposed Rule Change are available at https://www.sec.gov/ comments/sr-occ-2021-003/srocc2021003.htm. 2 17 PO 00000 Frm 00126 Fmt 4703 Sfmt 4703 19061 II. Background 7 ‘‘Skin-in-the-game,’’ as a component of financial risk management, entails a covered clearing agency choosing, upon the occurrence of a default or series of defaults and application of all available assets of the defaulting participant(s), to apply its own capital contribution to the relevant clearing or guaranty fund in full to satisfy any remaining losses prior to the application of any (a) contributions by non-defaulting members to the clearing or guaranty fund, or (b) assessments that the covered clearing agency require non-defaulting participants to contribute following the exhaustion of such participant’s funded contributions to the relevant clearing or guaranty fund.8 OCC’s skin-in-the-game component of its financial risk management regime is described in its current rules, which provide for the use of OCC’s own capital to mitigate losses arising out of a Clearing Member default.9 Specifically, OCC’s rules provide for the offsetting of default losses remaining after the application of a defaulted Clearing Member’s margin deposits and Clearing Fund contributions with OCC’s capital in excess of 110 percent of the Target Capital Requirement at the time of the default.10 OCC’s rules also provide for charging losses remaining after the application of OCC’s excess capital to OCC senior management’s deferred compensation 11 as well as nondefaulting Clearing Members.12 OCC reviewed feedback received in connection with the initial filing of its current rules, relevant papers from 7 Capitalized terms used but not defined herein have the meanings specified in OCC’s Rules and ByLaws, available at https://www.theocc.com/about/ publications/bylaws.jsp. 8 See Securities Exchange Act Release No. 78961 (Sep. 28, 2016), 81 FR 70786, 70806 (Oct. 13, 2016) (S7–03–14) (‘‘Covered Clearing Agency Standards’’). 9 See Securities Exchange Release No. 88029 (Jan. 24, 2020), 85 FR 5500, 5502 (Jan. 30, 2020) (File No. SR–OCC–2019–007) (‘‘CMP Approval Order’’). 10 See OCC Rule 1006(e), available at https:// www.theocc.com/getmedia/9d3854cd-b782-450fbcf7-33169b0576ce/occ_rules.pdf (last visited Mar. 16, 2021). See also CMP Approval Order at 5502. 11 Such deferred compensation is in trust with respect to OCC’s Executive Deferred Compensation Plan (‘‘EDCP’’). See OCC Rule 101(e)(1), available at available at https://www.theocc.com/getmedia/ 9d3854cd-b782-450f-bcf7-33169b0576ce/occ_ rules.pdf (last visited Mar. 16, 2021). The specific EDCP funds that comprise a portion of OCC’s skinin-the-game are referred to in OCC’s rules as the ‘‘EDCP Unvested Balance.’’ See id. 12 See OCC Rule 1006(b), available at https:// www.theocc.com/getmedia/9d3854cd-b782-450fbcf7-33169b0576ce/occ_rules.pdf (last visited Mar. 16, 2021). See also CMP Approval Order at 5502. The application the EDCP Unvested Balance in parallel with non-defaulting Clearing Members’ Clearing Fund contributions would necessarily occur before assessments related to the exhaustion of OCC’s Clearing Fund. E:\FR\FM\12APN1.SGM 12APN1

Agencies

[Federal Register Volume 86, Number 68 (Monday, April 12, 2021)]
[Notices]
[Pages 19054-19061]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-07390]



[[Page 19054]]

-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-91487; File No. 4-698]


Joint Industry Plan; Order Instituting Proceedings To Determine 
Whether To Approve or Disapprove an Amendment to the National Market 
System Plan Governing the Consolidated Audit Trail

April 6, 2021.

I. Introduction

    On December 18, 2020, the Operating Committee for Consolidated 
Audit Trail, LLC (``CAT LLC''), on behalf of the following parties to 
the National Market System Plan Governing the Consolidated Audit Trail 
(the ``CAT NMS Plan'' or ``Plan''): \1\ BOX Exchange LLC; Cboe BYX 
Exchange, Inc., Cboe BZX Exchange, Inc., Cboe EDGA Exchange, Inc., Cboe 
EDGX Exchange, Inc., Cboe C2 Exchange, Inc., Cboe Exchange, Inc., 
Financial Industry Regulatory Authority, Inc. (``FINRA''), Investors 
Exchange LLC, Long-Term Stock Exchange, Inc., Miami International 
Securities Exchange LLC, MEMX, LLC, MIAX Emerald, LLC, MIAX PEARL, LLC, 
Nasdaq BX, Inc., Nasdaq GEMX, LLC, Nasdaq ISE, LLC, Nasdaq MRX, LLC, 
Nasdaq PHLX LLC, The NASDAQ Stock Market LLC, New York Stock Exchange 
LLC, NYSE American LLC, NYSE Arca, Inc., NYSE Chicago, Inc., and NYSE 
National, Inc. (collectively, the ``Participants,'' ``self-regulatory 
organizations,'' or ``SROs'') filed with the Securities and Exchange 
Commission (``SEC'' or ``Commission'') pursuant to Section 11A(a)(3) of 
the Securities Exchange Act of 1934 (``Exchange Act''),\2\ and Rule 608 
thereunder,\3\ a proposed amendment (``Proposed Amendment'') to the CAT 
NMS Plan that would authorize CAT LLC to revise the Consolidated Audit 
Trail Reporter Agreement (the ``Reporter Agreement'') and the 
Consolidated Audit Trail Reporting Agent Agreement (the ``Reporting 
Agent Agreement'') to insert limitation of liability provisions (the 
``Limitation of Liability Provisions''). The proposed plan amendment 
was published for comment in the Federal Register on January 6, 
2021.\4\
---------------------------------------------------------------------------

    \1\ The CAT NMS Plan is a national market system plan approved 
by the Commission pursuant to Section 11A of the Exchange Act and 
the rules and regulations thereunder. See Securities Exchange Act 
Release No. 79318 (November 15, 2016), 81 FR 84696 (November 23, 
2016).
    \2\ 15 U.S.C 78k-1(a)(3).
    \3\ 17 CFR 242.608.
    \4\ See Notice of Filing of Amendment to the National Market 
System Plan Governing the Consolidated Audit Trail, Release No. 
90826 (December 30, 2020), 86 FR 591 (January 6, 2021) (``Notice''). 
Comments received in response to the Notice can be found on the 
Commission's website at https://www.sec.gov/comments/4-698/4-698.htm.
---------------------------------------------------------------------------

    This order institutes proceedings, under Rule 608(b)(2)(i) of 
Regulation NMS,\5\ to determine whether to disapprove the Proposed 
Amendment or to approve the Proposed Amendment with any changes or 
subject to any conditions the Commission deems necessary or appropriate 
after considering public comment.
---------------------------------------------------------------------------

    \5\ 17 CFR 242.608(b)(2)(i).
---------------------------------------------------------------------------

II. Background

    On July 11, 2012, the Commission adopted Rule 613 of Regulation 
NMS, which required the SROs to submit a national market system 
(``NMS'') plan to create, implement and maintain a consolidated audit 
trail (the ``CAT'' or ``CAT System'') that would capture customer and 
order event information for orders in NMS securities.\6\ The Commission 
approved the CAT NMS Plan in 2016.\7\ On August 29, 2019, the Operating 
Committee for CAT LLC approved a Reporter Agreement that included a 
provision that would limit the total liability of CAT LLC or any of its 
representatives to a CAT Reporter under the Reporter Agreement for any 
calendar year to the lesser of the total of fees paid by the CAT 
Reporter to CAT LLC for the calendar year in which the claim arose or 
five hundred dollars. The Participants also required each Industry 
Member \8\ to execute a CAT Reporter Agreement prior to reporting data 
to CAT. Prior to the commencement of initial equities reporting for 
Industry Members on June 22, 2020, the Securities Industry and 
Financial Markets Association (``SIFMA'') filed pursuant to Sections 
19(d) and 19(f) of the Exchange Act an application for review of 
actions taken by CAT LLC and the Participants (the ``Administrative 
Proceedings''). SIFMA alleged that by requiring Industry Members to 
execute the Reporter Agreement as a prerequisite to submitting data to 
the CAT, the Participants improperly prohibited or limited SIFMA 
members with respect to access to the CAT System in violation of the 
Exchange Act. On May 13, 2020, the Participants and SIFMA reached a 
settlement and terminated the Administrative Proceedings, allowing 
Industry Members to report data to the CAT pursuant to a Reporter 
Agreement that does not contain a limitation of liability provision. 
Since that time, Industry Members have been transmitting data to the 
CAT.\9\
---------------------------------------------------------------------------

    \6\ 17 CFR 242.613.
    \7\ See supra note 1.
    \8\ Industry Member means a member of a national securities 
exchange or a member of a national securities association. See CAT 
NMS Plan at Section 1.1.
    \9\ For a more detailed description of the background for the 
Proposed Amendment, see Notice, supra note 4, at 86 FR 591-93.
---------------------------------------------------------------------------

III. Summary of Proposal

    The Participants now propose to amend the CAT NMS Plan to authorize 
CAT LLC to revise the Reporter Agreement and Reporting Agent Agreement 
with the proposed Limitation of Liability Provisions. As proposed, the 
Limitation of Liability Provisions would: (1) Provide that CAT 
Reporters and CAT Reporting Agents accept sole responsibility for their 
access to and use of the CAT System, and that CAT LLC makes no 
representations or warranties regarding the CAT System or any other 
matter; (2) limit the liability of CAT LLC, the Participants, and their 
respective representatives to any individual CAT Reporter or CAT 
Reporting Agent to the lesser of the fees actually paid to CAT for the 
calendar year or $500; (3) exclude all direct and indirect damages; and 
(4) provide that CAT LLC, the Participants, and their respective 
representatives shall not be liable for the loss or corruption of any 
data submitted by a CAT Reporter or CAT Reporting Agent to the CAT 
System.\10\ The full text of the proposed Limitation of Liability 
Provisions appears in Appendix A to the Notice.\11\
---------------------------------------------------------------------------

    \10\ See Notice, supra note 4, 86 FR at 593.
    \11\ See Notice, supra note 4, 86 FR at 598.
---------------------------------------------------------------------------

    In support of the proposed amendment, the Participants state, among 
other things, that: (1) The proposed Limitation of Liability Provisions 
reflect longstanding principles of allocation of liability between 
industry members and self-regulatory organizations and the Participants 
are unaware of any context in which liability that is usually borne by 
Industry Members is shifted to their regulators; \12\ (2) the proposed 
Limitation of Liability Provisions ``fall squarely within industry 
norms'' and are consistent with exchange rules that limit liability for 
losses that members incur through their use of exchange facilities, 
provisions that FINRA members must agree to in order to comply with 
Order Audit Trail System (``OATS'') reporting, and other provisions in 
the context of regulatory and NMS reporting facilities; \13\ (3) 
previously granted exemptive relief that eliminated the requirement 
that CAT collect certain personally identifiable

[[Page 19055]]

information, including social security numbers, makes the customer data 
stored in the CAT comparable to the data reported to other regulatory 
reporting facilities; \14\ (4) the proposed Limitation of Liability 
Provisions are necessary to ensure the financial stability of CAT 
because even though ``CAT LLC has obtained the maximum extent of cyber-
breach insurance coverage available and has implemented a full 
cybersecurity program to safeguard data stored in the CAT,'' there is 
``the potential for substantial losses that may result from certain 
categories of low probability cyberbreaches.'' \15\
---------------------------------------------------------------------------

    \12\ See Notice, supra note 4, 86 FR at 593-95.
    \13\ See Notice, supra note 4, 86 FR at 593-94.
    \14\ See Notice, supra note 4, 86 FR at 595.
    \15\ See Notice, supra note 4, 86 FR at 595.
---------------------------------------------------------------------------

    In addition, CAT LLC retained Charles River Associates (``Charles 
Rivers'') to conduct an economic analysis of the liability issues 
presented by a potential CAT breach and attached the analysis to the 
Proposed Amendment as Appendix B to the Notice (the ``CRA Paper'').\16\ 
The Participants state that the analyses presented in the CRA Paper 
support the Participants' proposal to adopt a limitation of liability 
provision in the CAT Reporter Agreement and shows the importance of 
limiting CAT LLC's and each Participant's liability.\17\ The CRA Paper 
asserts, among other things, that, based on an examination of potential 
breach scenarios and a consideration of the economic and public policy 
elements of various regulatory and litigation approaches to mitigate 
cyber risk for the CAT, a limitation of liability provision would serve 
the public interest by facilitating the regulation of the U.S. equity 
and option markets at lower overall costs and higher economic efficacy 
than other approaches, and that the proposed limitation on liability 
would not undermine CAT LLC's existing and significant incentives to 
protect the data stored in the CAT System. The CRA Paper asserts that 
regulation by the SEC already properly incentivizes the Participants to 
recognize and address the risks that a CAT cyber breach poses to third 
parties such as Industry Members and that permitting litigation by 
Industry Members will not meaningfully increase CAT's incentives to 
manage its exposure to cyber risk but will significantly increase 
costs, which will ultimately be passed on to retail investors. Because 
of this, the CRA Paper asserts that solely an ``ex-ante regulation'' 
approach leads to the socially optimal outcome, in comparison to an 
``ex post litigation'' approach in which litigation influences 
behaviors before a loss-producing event occurs by assigning liability 
afterwards, or combination of both approaches.
---------------------------------------------------------------------------

    \16\ See Notice, supra note 4, 86 FR at 599-624. The CRA Paper, 
dated December 18, 2020, is titled ``White Paper: Analysis of 
Economic Issues Attending the Cyber Security of the Consolidated 
Audit Trail.''
    \17\ See Notice, supra note 4, at 595-597.
---------------------------------------------------------------------------

IV. Summary of Comments

    The Commission has received twelve comment letters, including a 
letter attaching an economic analysis of the Proposed Amendment.\18\ 
The Commission has received one response letter from the 
Participants.\19\
---------------------------------------------------------------------------

    \18\ See Letter from Ellen Greene, Managing Director, Equity and 
Options Market Structure, SIFMA, to Vanessa Countryman, Secretary, 
dated February 19, 2021, available at https://www.sec.gov/comments/4-698/4698-8394069-229410.pdf, attaching Economic Analysis of 
Proposed Amendment to National Market System Plan Governing the 
Consolidated Audit Trail, Craig M. Lewis, Ph.D., February 2021 
(``Lewis Paper'').
    \19\ See Letter from Michael Simon, CAT NMS Plan Operating 
Committee Chair, to Vanessa Countryman, Secretary, dated April 1, 
2021 (``Response Letter'').
---------------------------------------------------------------------------

A. Comments Critical of Proposed Amendment

    Nine commenters believe that the parties responsible for 
controlling and securing CAT Data should be liable for any failure to 
implement adequate security, generally arguing that it is unfair to 
shift liability to Industry Members for potential harm caused by the 
compromise of CAT Data over which they have no control or 
responsibility for security.\20\ Among other things, these commenters 
state that the SROs are exclusively responsible for maintaining the CAT 
System and for implementing measures to prevent breach or misuse.\21\ 
Four commenters believe that ``[a]ligning control and liability is not 
only fair and equitable; it is also good policy, because it maximizes 
efficiencies in managing data risks inherent in the CAT System.'' \22\ 
However, one commenter argues that the proposal shows that the SROs 
understand that it will be impossible for them to protect CAT Data and 
that a hack of CAT is inevitable.\23\
---------------------------------------------------------------------------

    \20\ See Lewis Paper at 3, 6; Letter from Ellen Greene, Managing 
Director, Equity and Options Market Structure, SIFMA, to Vanessa 
Countryman, Secretary, dated January 27, 2021, available at https://www.sec.gov/comments/4-698/4698-8298026-228278.pdf (``SIFMA 
Letter''), at 4; Letter from Joanna Mallers, Secretary, FIA 
Principal Traders Group, to Vanessa Countryman, Secretary, dated 
February 8, 2021, available at https://www.sec.gov/comments/4-698/4698-8345389-228979.pdf (``FIA PTG Letter''), at 1 (stating it 
``supports the comments previously filed by SIFMA''); Letter from 
Thomas R. Tremaine, Executive Vice President, Chief Operations 
Officer, Raymond James & Associates, Inc., to Vanessa Countryman, 
Secretary, dated February 8, 2021, available at https://www.sec.gov/comments/4-698/4698-8347733-229000.pdf (``Raymond James Letter''), 
at 2 (stating that it ``strongly supports the points raised by SIFMA 
in their letter.''); Letter from Peggy L. Ho, Executive Vice 
President, Government Relations, LPL Financial LLC, to Vanessa 
Countryman, Secretary, dated January 27, 2021, available at https://www.sec.gov/comments/4-698/4698-8298412-228298.pdf (``LPL Financial 
Letter''), at 1 (stating ``[its] support for SIFMA's comments 
submitted on January 27, 2021 in response to the proposed amendments 
to the CAT NMS Plan''); Letter from Christopher A. Iacovella, Chief 
Executive Officer, American Securities Association, to Vanessa 
Countryman, Secretary, dated January 29, 2021, available at https://www.sec.gov/comments/4-698/4698-8311307-228499.pdf (``ASA Letter''), 
at 2; Letter from Thomas M. Merritt, Deputy General Counsel, Virtu 
Financial, Inc., to Vanessa Countryman, Secretary, dated January 27, 
2021, available at https://www.sec.gov/comments/4-698/4698-8298023-228258.pdf (``Virtu Letter''), at 2; Letter from Matthew Price, 
Fidelity Investments, to Vanessa Countryman, Secretary, dated 
February 2, 2021, available at https://www.sec.gov/comments/4-698/4698-8343750-228940.pdf (``Fidelity Letter''), at 2; Letter from 
Daniel Keegan, Managing Director, Head of North America Markets & 
Securities Services, to Vanessa Countryman, Secretary, dated 
February 25, 2021, available at https://www.sec.gov/comments/4-698/4698-8419819-229522.pdf (``Citi Letter''), at 2.
    \21\ See, e.g, SIFMA Letter at 2; Virtu Letter at 3; Fidelity 
Letter at 2.
    \22\ See SIFMA Letter at 4. See also LPL Financial Letter at 1; 
FIA PTG Letter at 2; Raymond James Letter at 2.
    \23\ See ASA Letter at 3.
---------------------------------------------------------------------------

    Nine commenters also express concern that shifting liability from 
CAT LLC to CAT Reporters would reduce the incentive of Participants to 
develop robust data security and risk mitigation mechanisms, and may 
even incentivize the Participants to de-prioritize data security.\24\ 
Two of these commenters characterized the economic structure of the 
Proposed Amendment as creating a ``moral hazard,'' where incentives to 
invest in data security are diminished because Industry Members bear 
the potential litigation costs of a breach or misuse of CAT Data.\25\ 
Another commenter argues that aligning control and liability 
incentivizes the optimal amount of data security and would ultimately 
benefit all investors.\26\
---------------------------------------------------------------------------

    \24\ See Lewis Paper at 5-9, 14; SIFMA Letter at 7, 9; LPL 
Financial Letter at 1; Raymond James Letter at 2; FIA PTG Letter at 
2; Virtu Letter at 3; ASA Letter at 2; Fidelity Letter at 2; Citi 
Letter at 2.
    \25\ See Citi Letter at 2; Lewis Paper at 9.
    \26\ See Lewis Paper at 5-7.
---------------------------------------------------------------------------

    Four commenters criticized the Proposed Amendment for proposed 
limitation of liability provisions that would effectively prohibit 
Industry Members from pursuing claims against CAT LLC and the SROs, 
even if there is ``willful misconduct, gross negligence, bad faith or 
criminal acts of CAT LLC, the SROs or their representatives or 
employees.'' \27\ These commenters

[[Page 19056]]

further assert that the proposal would shield the SROs from liability, 
``not only for a breach of the CAT System by malicious third-party 
actors but even from the theft or other misuse of CAT Data by SRO 
employees'' and would ``effectively extinguish the liability of CAT LLC 
and the SROs even in instances of gross negligence or intentional 
misconduct.'' \28\ Another commenter states that the proposal ``would 
effectively hold brokers responsible for the malfeasance and 
incompetence of the SROs and their contractors'' and that this would be 
``extremely unreasonable.'' \29\ Five commenters assert that the 
proposed Limitation of Liability Provisions are inconsistent with 
industry standards, citing among other things SRO limitation of 
liability rules which exclude protection for willful misconduct, gross 
negligence, bad faith or criminal acts.\30\
---------------------------------------------------------------------------

    \27\ See SIFMA Letter at 5, 7-8. See also LPL Financial at 1; 
FIA PTG Letter at 2; Raymond James Letter at 2; Citadel Letter at 3 
(stating that the provisions would protect Participants and their 
representatives from any and all potential misuse, including 
intentional misuse, of CAT Data).
    \28\ See SIFMA Letter at 5. See also LPL Financial at 1; FIA PTG 
Letter at 2; Raymond James Letter at 2; Citadel Letter at 3.
    \29\ See ASA Letter at 2.
    \30\ See SIFMA Letter at 7; LPL Financial Letter at 1; FIA PTG 
Letter at 2; Raymond James Letter at 2; Fidelity Letter at 2.
---------------------------------------------------------------------------

    Further, six commenters dismiss comparisons made in the Proposed 
Amendment to OATS limitation of liability provisions because CAT 
captures significantly more information than OATS, including personally 
identifiable information, and data reported to OATS is reported to and 
only used by FINRA.\31\ Commenters further state that OATS does not 
have the same account-level data that the CAT will collect, which could 
present the risk of reverse engineering of trading strategies.\32\ One 
commenter stated that the limitation of liability provisions for OATS 
were signed in 1998, and since then the landscape of cybersecurity has 
changed, and the frequency and scale of data breaches has increased 
dramatically.\33\
---------------------------------------------------------------------------

    \31\ See Lewis Paper at 9-10; SIFMA Letter at 8; LPL Financial 
Letter at 2; Raymond James Letter at 2; FIA PTG Letter at 2; Virtu 
Letter at 4.
    \32\ See SIFMA Letter at 10; Virtu Letter at 4; LPL Financial 
Letter at 2; Raymond James Letter at 2; FIA PTG Letter at 2.
    \33\ See Lewis Paper at 10.
---------------------------------------------------------------------------

    Five commenters argue that the SROs have failed to explain why 
limitation of their liability should be imposed by contract because the 
SROs have immunity from liability when acting in a regulatory 
capacity.\34\ Four of these commenters further assert that the effort 
to impose liability limitations by contract ``raises significant 
questions about whether the SROs seek to avoid liability in 
circumstances in which they misuse CAT Data while acting in a 
commercial capacity.'' \35\ Another commenter frames the issue as not 
whether the Participants should be liable for conduct undertaken during 
the course of their regulatory responsibilities, but whether the 
Participants should be insulated from potential liability for 
activities not covered by regulatory immunity.\36\
---------------------------------------------------------------------------

    \34\ See Letter from Stephen John Berger, Managing Director, 
Global Head of Government & Regulatory Policy, Citadel Securities, 
to Vanessa Countryman, Secretary, dated February 23, 2021, available 
at https://www.sec.gov/comments/4-698/4698-8411798-229501.pdf 
(``Citadel Letter''), at 1, 3-5; SIFMA Letter at 8; LPL Financial 
Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2.
    \35\ See SIFMA Letter at 8. See also LPL Financial Letter at 1; 
FIA PTG Letter at 2; Raymond James Letter at 2.
    \36\ See Citadel Letter at 5.
---------------------------------------------------------------------------

    Five commenters state that the Participants contradictorily argue 
that security measures are robust but that a limitation of liability is 
necessary due to risk of a catastrophic loss as a result of a breach or 
misuse of CAT Data.\37\ For example, one of these commenters notes that 
the Participants assert that Industry Members should not be concerned 
about ``breach or misuse'' of CAT Data due to a ``robust regulatory 
regime governing CAT data security,'' but also argue that they need 
limitation of liability provisions because without them the ``risk of a 
catastrophic loss as a result of a data breach or misuse is so 
significant that the financial stability of the CAT would be 
jeopardized in the absence [of the provisions].'' \38\ Additionally, 
eight commenters note that Participants have argued against adopting 
the security measures in the Proposed Amendments to the National Market 
System Plan Governing the Consolidated Audit Trail to Enhance Data 
Security,\39\ on the grounds that CAT security measures already are 
robust, while at the same time attempting to disclaim liability because 
of the high risk of a security breach.\40\
---------------------------------------------------------------------------

    \37\ See SIFMA Letter at 4; LPL Financial Letter at 1; FIA PTG 
Letter at 2; Raymond James Letter at 2; Lewis Paper at 4.
    \38\ See SIFMA Letter at 4. See also LPL Financial Letter at 1; 
FIA PTG Letter at 2; Raymond James Letter at 2.
    \39\ See Securities Exchange Act Release No. 89632 (August 21, 
2020), 85 FR 65990 (October 16, 2020) (proposing to amend the CAT 
NMS Plan to enhance the security of the CAT and the protections 
afforded to CAT Data) (``Data Security Proposal'').
    \40\ See Citadel Letter at 2; Lewis Paper at 4; SIFMA Letter at 
7; LPL Financial Letter at 1; FIA PTG Letter at 2; Raymond James 
Letter at 2; Virtu Letter at 5; Fidelity Letter at 2.
---------------------------------------------------------------------------

B. Comments Regarding the CRA Paper

    In addition to comments regarding the Proposed Amendment, 
commenters provided comments regarding the CRA Paper, which is 
summarized above in Section II and attached to the Notice as Appendix 
B.\41\
---------------------------------------------------------------------------

    \41\ See supra note 16.
---------------------------------------------------------------------------

    Two commenters argue that the CRA Paper's conclusion that ex-ante 
regulation is most appropriate is wrong, and that CAT cybersecurity 
would benefit from both ex-ante regulation and ex-post litigation.\42\ 
One commenter states that permitting litigation against Participants 
and their representatives when they are acting outside their regulatory 
capacity is ``crucial'' and would give the Participants strong 
financial incentives to invest to prevent or minimize the likelihood of 
security failures.\43\ One commenter asserts that protecting the 
Participants against liability for litigation shifts liability to 
Industry Members for potential claims from the Industry Members' 
customers, and that the retention of liability for potential litigation 
by CAT LLC would mitigate the moral hazard problem and incent CAT LLC 
to invest in improvements in data security and more quickly react to 
changing trends and threats in cybersecurity.\44\
---------------------------------------------------------------------------

    \42\ See Citadel Letter at 1-2, 7; Lewis Paper at 7-9.
    \43\ See Citadel Letter at 2, 7, 9-10. This commenter also 
asserts that the SEC has only assessed whether the existing 
cybersecurity framework is adequate for CAT databases (in contrast 
to Participants' security) and states that regulation is a slow and 
uncertain process that cannot keep pace with data security issues. 
See id. at 8.
    \44\ See Lewis Paper at 7-9.
---------------------------------------------------------------------------

    Seven commenters argue that the CRA Paper fails to consider the 
costs of a data breach on non-SROs, including broker-dealers and their 
customers.\45\ These commenters state that, while disclaiming liability 
by CAT LLC would reduce its costs, the liability for a potentially 
catastrophic loss or breach would instead be shifted to Industry 
Members, and the CRA Paper fails to take these costs into account. In 
addition, one of these commenters states that if Industry Members could 
not sue CAT LLC, they would have to purchase additional liability 
insurance since they have no ability to mitigate the security risk and 
no recourse to recoup any litigation-related losses from their own 
customers.\46\
---------------------------------------------------------------------------

    \45\ See Lewis Paper at 1, 8-9; SIFMA Letter at 9-10; LPL 
Financial Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 
2; Virtu Letter at 5; ASA Letter at 2. For example, one commenter 
asserts that the CRA Paper fails to consider the costs of a data 
breach on non-SROs (broker-dealers and their customers), including 
``damage to the brand'' and ``trust that broker-dealers have [built] 
up with their retail clients for decades.'' See ASA Letter at 2.
    \46\ See Lewis Paper at 4, 8.
---------------------------------------------------------------------------

    Six commenters state that the CRA Paper only focuses on a breach by

[[Page 19057]]

external actors and fails to address the risk of misuse of CAT data by 
personnel at CAT LLC and the SROs.\47\ In addition, one commenter 
emphasizes that the CRA Paper focuses on databases maintained by CAT 
LLC, not the ``larger concern,'' which is the potential for hackers to 
access CAT Data from Participant databases that have extracted data 
from the CAT.\48\
---------------------------------------------------------------------------

    \47\ See Citadel Letter at 6; SIFMA Letter at 9; LPL Financial 
Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2; Virtu 
Letter at 5. One commenter states that the CRA Paper does not 
provide any support for the argument that broker-dealers should be 
accountable for the wrongdoing or misuse of data by SRO employees or 
contractors. See ASA Letter at 2.
    \48\ See Citadel Letter at 6-7. One commenter argues that the 
CRA Paper significantly overemphasizes the visibility and input into 
the workings of CAT provided to the industry, and asserts that there 
is no visibility into the security aspects of CAT. See id. at 9.
---------------------------------------------------------------------------

    Four commenters state that the CRA Paper suggests that certain 
mechanisms, such as a third-party compensation program, cyber-related 
industry loss warranties or cyber catastrophe bonds could be used in 
the event of a CAT breach to compensate third parties, but the SROs 
have not actually proposed the adoption of any of them.\49\ These 
commenters assert that the Participants effectively concede that, 
without more, the current regulatory regime is insufficient to protect 
parties that are injured as a result of a CAT breach.\50\ Another 
commenter states that the CRA Paper provides no details regarding the 
insurance that CAT LLC has obtained and does not analyze whether 
Participants should seek insurance or the effect such insurance could 
have on the Participants' incentives to protect data that they extract 
from the CAT and store outside the CAT.\51\ Six commenters believe that 
it would be more appropriate for CAT LLC to purchase insurance instead 
of Industry Members each purchasing the same overlapping policies.\52\ 
One of these commenters argues that CAT LLC is able to insure more 
efficiently than Industry Members because CAT LLC has access to and 
control over CAT Data and systems and can subject itself to monitoring 
by an insurer.\53\
---------------------------------------------------------------------------

    \49\ See SIFMA Letter at 10; LPL Financial Letter at 1; FIA PTG 
Letter at 2; Raymond James Letter at 2.
    \50\ In addition, these commenters believe the Participants 
would not be incented to develop any such compensation mechanisms if 
they are protected against liability. See supra note 49.
    \51\ See Citadel Letter at 7-8. See also Lewis Paper at 13-14 
(arguing that there is no basis for the claim that CAT LLC cannot 
obtain additional insurance). The Lewis Paper states that if 
purchasing additional insurance would be cost prohibitive, then the 
same would apply to Industry Members because the costs of insurance 
to CAT LLC are likely to be lower than the combined cost of Industry 
Members purchasing an equivalent amount of coverage. Id. at 14.
    \52\ See Lewis Paper at 11; SIFMA Letter at 4-5, 8-9, 10-11; 
Virtu Letter at 3. See also LPL Financial Letter at 1; FIA PTG 
Letter at 2; Raymond James Letter at 2. One commenter expresses 
skepticism that Industry Members could even obtain insurance 
policies under the current CAT System construct, because Industry 
Members have no control over the data it is by law required to 
submit, its security or the CAT Systems. See Virtu Letter at 3.
    \53\ See Lewis Paper at 12-13. See also SIFMA Letter at 4-5 
(stating that requiring Industry Members to pay for and implement 
separate and overlapping insurance policies, if available, is 
inefficient and would result in substantially higher costs borne by 
Industry Members and by extension their customers).
---------------------------------------------------------------------------

    Finally, two commenters criticize the breach scenarios discussed in 
the CRA Paper as insufficient to capture the risks. One of these 
commenters suggests that a breach of CAT by foreign actors, or CAT 
being internally compromised could lead to the ``downfall'' of U.S. 
capital markets and that the breach scenarios in the CRA Paper 
``grossly'' underestimate national security threats.\54\ Another 
commenter states that the CRA Paper ``avoids any serious discussion'' 
of the risk posed by ``nation state actors, like China and Russia.'' 
\55\
---------------------------------------------------------------------------

    \54\ See Letter from Kelvin To, Founder and President, Data 
Boiler Technologies, LLC, to Vanessa Countryman, Secretary, dated 
January 27, 2021, at 1 and 6, available at https://www.sec.gov/comments/4-698/_4698-8311309-228460.pdf.
    \55\ See ASA Letter at 2.
---------------------------------------------------------------------------

C. Participants' Response Letter

    On April 1, 2021, the Participants submitted a letter responding to 
comments received regarding the Proposed Amendment.\56\ In their 
response, the Participants argue that following a thorough review and 
consideration of the issues raised by commenters, they continue to 
believe that the Proposed Amendment is consistent with the Exchange 
Act.\57\ The Participants provide further background on discussions 
between Participants and Industry Members, and in particular with 
SIFMA, stating that between August 2019 and April 2020 the Participants 
and SIFMA participated in numerous meetings and exchanged extensive 
correspondence.\58\ The Participants state that they plan to reach out 
to SIFMA, as they ``remain willing to work with Industry Members (and 
any other stakeholders) in good faith to resolve the parties' remaining 
differing perspectives,'' but stated that from August 2019 through 
April 2020, SIFMA's ``only proposal'' was to categorically reject any 
limitation of liability.\59\ The Participants emphasize that settlement 
of the Administrative Proceedings did not resolve the question of 
whether proposed Limitation of Liability Provisions should be included 
in the Reporter Agreement and the Reporting Agent Agreement.\60\
---------------------------------------------------------------------------

    \56\ See, supra note 19.
    \57\ See Response Letter at 2.
    \58\ See id.
    \59\ See id.
    \60\ See Response Letter at 4.
---------------------------------------------------------------------------

    The Participants reassert that the proposed Limitation of Liability 
Provisions are consistent with SRO limitation of liability rules, 
emphasizing that under those rules the SROs generally have the 
discretion, but not obligation, to compensate harmed Industry Members, 
and that this discretion only applies in very limited circumstances--
namely, for system failures that impact the execution of individual 
orders.\61\ The Participants state that no SRO limitation of liability 
rule contemplates SRO liability for ``catastrophic'' damages resulting 
from the theft of Industry Members' proprietary trading algorithms.\62\ 
The Participants also state that the Participants consider the proposed 
Limitation of Liability Provisions to fall squarely within industry 
norms, as demonstrated by a comparison to the allocation of liability 
between Industry Members and SROs in other regulatory contexts, 
including NMS plans, regulatory reporting facilities, SRO rules and 
liability provisions that Industry Members use to protect themselves 
when they possess sensitive customer and transaction data.\63\
---------------------------------------------------------------------------

    \61\ See id. at 5-6. The Participants also note that during 
negotiations, the Participants submitted to SIFMA a term sheet that 
provided for a discretionary compensation mechanism modeled after 
SRO rules, which was rejected by SIFMA. Id. at 6.
    \62\ See id. The Participants also disagree with 
characterizations of the Proposed Amendment as an attempt to 
``shift'' liability from Participants to Industry Members, and 
instead argue that the Industry Members themselves are proposing a 
``shift'' from the longstanding allocation of liability between 
Industry Member and Participants. Id. at 21.
    \63\ See id. at 5-11. The Participants believe that the proposed 
Limitation of Liability Provisions are ``substantively identical'' 
to the liability provisions to which Industry Members regularly 
agree in connection with OATS reporting. Id.
---------------------------------------------------------------------------

    The Participants reject SIFMA's suggestion that any limitation of 
liability provision should exclude liability for willful misconduct, 
gross negligence, bad faith or criminal acts of CAT LLC, the SROs or 
their representatives or employees.\64\ The Participants state that 
existing SRO liability rules approved by the Commission do not 
recognize such exclusions, stating that in the limited instances in 
which SRO liability rules permit claims for gross negligence or willful 
misconduct, Industry Members are often prohibited from suing an SRO

[[Page 19058]]

for damages unless the alleged gross negligence or willful misconduct 
also constituted a securities law violation for which Congress has 
authorized a private right of action.\65\
---------------------------------------------------------------------------

    \64\ See id. at 7 (citing SIFMA Letter at 7-8).
    \65\ See Response Letter at 6-7. Thus, the Participants believe 
that that these provisions would not provide for liability against 
the self-regulatory organizations in the event of a data breach. Id. 
at 7-8. The Participants also note that contractual limitation of 
liability provisions in connection with other NMS plans and 
regulatory reporting facilities, including OATS, do not contain the 
exclusions advocated by SIFMA. Id. at 8.
---------------------------------------------------------------------------

    The Participants also argue that modifying the proposed Limitation 
of Liability provisions is not supported by the CRA Paper, because such 
modifications would likely result in litigation over liability. 
According to the Participants, although they, CAT LLC, and FINRA CAT 
may ultimately be found not liable, such litigation would be expensive, 
time-consuming, distract Participants from their regulatory oversight 
mandate, and may open the doors of discovery to potentially malicious 
actors.\66\ The Participants state that the Commission's regulatory 
enforcement regime and the potential for severe reputational harm 
already sufficiently incentivize the Participants to not engage in bad 
faith, recklessness, gross negligence, and intentional misconduct, and 
so adding exclusions to the proposed Limitation of Liability provisions 
would not result in any meaningful improvement to the CAT's 
cybersecurity.\67\
---------------------------------------------------------------------------

    \66\ See id. at 9. The Participants note that increased costs of 
operating CAT would be borne by the Participants and Industry alike, 
which means that a limitation of liability with any categorical 
exclusions could result in many of the same economic harms that 
would occur in the absence of any limitation of liability at all. 
Id. The Participants also note that certain relief ordered in 
litigation could interfere with the Commission's oversight of the 
CAT. Id.
    \67\ See Response Letter at 9. The Participants note that 
enforcement actions could be brought for cybersecurity-related 
violations (e.g., failure to comply with Regulation SCI) and 
violations of the CAT NMS Plan (e.g., for violating the CAT NMS Plan 
by using CAT Data for non-regulatory purposes). See id. at 25-26. 
The Participants also state that the purpose of the CAT and the 
Participants' mandate under the CAT NMS Plan is the fulfillment of 
regulatory functions, and not operation in connection with business 
activities. Id. at 22.
---------------------------------------------------------------------------

    The Participants reject the argument that the proposed Limitation 
of Liability Provisions are inappropriate because the Participants and 
FINRA CAT control the CAT Data.\68\ The Participants believe that 
securities industry norms do not support the principle that the party 
in possession of data should bear liability in the event of a data 
breach, and in particular where the parties in possession of the data 
are acting in regulatory capacities pursuant to Commission rules.\69\ 
In support, the Participants state that Industry Members ``routinely'' 
disclaim liability to their underlying customers despite controlling 
sensitive data that could be compromised during a data breach, 
including their own retail customers in certain cases.\70\
---------------------------------------------------------------------------

    \68\ See id. at 10.
    \69\ See id.
    \70\ See id.
---------------------------------------------------------------------------

    In response to concerns about the cybersecurity of CAT and concerns 
about the use of CAT Data, including concerns about bulk downloading 
and personally identifiable information, the Participants state that 
they are authorized to bulk download only trading data, and not 
customer data.\71\ The Participants also state that FINRA CAT has 
adopted and implemented policies, procedures, systems, and controls to 
address cybersecurity concerning the bulk downloading of CAT Data by 
the Participants.\72\ In addition, as with FINRA CAT, the Participants' 
cybersecurity protocols are subject to the Commission's regulatory 
oversight regime, including its examination and enforcement 
functions.\73\ The Participants further state that FINRA CAT and 
Participants have robust cybersecurity protocols that are designed to 
prevent and detect both external and internal security threats, and 
only regulatory users with a ``need-to-know'' have a basis for 
accessing CAT Data and are subject to comprehensive background 
checks.\74\ The Participants state that Industry Members have had 
extensive opportunities to provide input regarding the CAT's 
cybersecurity at every stage of the development and operation of the 
CAT.\75\
---------------------------------------------------------------------------

    \71\ See Response Letter at 11-14.
    \72\ See id. at 11-12. In addition, the Participants state that, 
among other things, any SRO that engages in bulk downloading must 
have policies and procedures regarding CAT Data security that are 
comparable to those implemented and maintained by the Plan Processor 
for the Central Repository. Id. at 12.
    \73\ See id. at 12.
    \74\ See id. at 12-13. The Participants reassert that the 
customer data stored in the CAT is comparable to the data reported 
to other regulatory reporting facilities. Id. at 13.
    \75\ See Response Letter at 14. This includes prior to approval 
of the CAT NMS Plan, feedback through the Advisory Committee, and 
the ability of Industry Members to directly petition the Commission 
or provide comments on any proposals offered by the Commission. Id.
---------------------------------------------------------------------------

    The Participants disagree with commenter suggestions that CAT LLC's 
and certain Participants' responses to the Data Security Proposal \76\ 
imply that the proposed Limitation Liability provisions are 
inappropriate or that the Commission's regulatory regime is 
insufficient to properly incentivize the Participants.\77\ The 
Participants state that under the current regulatory regime all 
interested parties, including CAT LLC and the Participants, provide 
feedback to the Commission regarding any proposals to the CAT's 
cybersecurity, allowing the Commission to use its substantive expertise 
and an understanding of stakeholder interests to balance all 
appropriate factors in identifying the CAT's cybersecurity needs.\78\ 
They state that allowing for litigation regarding CAT's cybersecurity 
would compromise the Commission's comprehensive oversight authority, 
and the Commission's willingness to propose potential changes 
highlights the sufficiency and flexibility of the regulatory regime to 
ensure the optimal security of CAT Data.\79\ The Participants also 
believe the Commission did not contemplate that the Participants could 
be liable for extensive monetary damages resulting from a data breach 
or for the costs of protracted litigation with Industry Members.\80\
---------------------------------------------------------------------------

    \76\ See supra note 39.
    \77\ See Response Letter at 18.
    \78\ See id.
    \79\ See id. at 18-19. The Participants note that the 
Commission, in approving the CAT NMS Plan, explicitly considered the 
costs of a potential data breach and concluded that the overall 
benefits of the CAT outweighed any costs. Id.
    \80\ See id. at 19.
---------------------------------------------------------------------------

    The Participants also state that regulatory immunity does not 
preclude the use of contractual limitation of liability provisions and 
the divergent and shifting positions from Industry Members on the 
applicability of regulatory immunity underscores the need for a 
contractual limitation of liability.\81\ The Participants state that 
some comments generally argue that a contractual limitation of 
liability is unnecessary in light of the doctrine of regulatory 
immunity, while other comments state the Participants should not 
receive either regulatory immunity or the protection of a limitation of 
liability provision.\82\ The Participants state that the proposed 
Limitation of Liability Provisions are necessary despite any regulatory 
immunity because even litigation which holds that regulatory immunity 
applies may result in significant disruption and expense (which 
ultimately will be passed along to Industry Members as part of CAT 
LLC's joint funding), and there is no guarantee that all courts would 
agree that the Participants' immunity defense extends to the particular 
claims at issue.\83\ The Participants believe that if

[[Page 19059]]

the Commission agrees that the Participants, CAT LLC, and FINRA CAT 
should not be liable for monetary damages while acting to fulfill an 
important regulatory function in their capacities as self-regulatory 
organizations, the Commission's sole mechanism for ensuring that 
protection is to endorse the contractual proposed Limitation of 
Liability Provisions.\84\
---------------------------------------------------------------------------

    \81\ See Response Letter at 22-25.
    \82\ See id. at 21-23. The Participants state that SIFMA's 
longstanding position is that Congress should abrogate regulatory 
immunity by statute. Id. at 23-24.
    \83\ See id. at 23-25.
    \84\ See id. at 25.
---------------------------------------------------------------------------

    The Participants also state that some comments misunderstand the 
scope of the proposed Limitation of Liability Provisions.\85\ The 
Participants state that the proposed Limitation of Limitation 
Provisions would not extinguish liability and only addresses the 
allocation of liability between Industry Members and the 
Participants.\86\ The Participants state that the Proposed Amendment 
would not impact the rights or obligations of third parties, including 
Industry Members' customers and would not extinguish the broad 
regulatory oversight that the Commission exercises over the CAT or 
potential investigation and potential enforcement action for any 
cybersecurity-related violations.\87\ The Participants believe that no 
commenters have offered any explanation as to why the SEC's regulatory 
regime--which includes cybersecurity protocols developed and refined 
based on feedback from Industry Members--is insufficient to ensure 
adequate cybersecurity for CAT Data, or what deficiencies in the 
Commission's oversight necessitate that Industry Members be afforded an 
unprecedented private right of action against their regulators.\88\ The 
Participants state that commenters are asking that their primary 
regulators bear any and all liability for hypothetical ``black swan'' 
cyber breaches and that such an extraordinary ask is without precedent, 
and that Participants, implementing a regulatory mandate in their 
regulatory capacities, should receive liability protections that they 
are customarily afforded when implementing their regulatory 
responsibilities pursuant to the direction and oversight of the 
Commission.\89\
---------------------------------------------------------------------------

    \85\ See Response Letter at 25-26.
    \86\ See id. at 25.
    \87\ See id. at 25-26.
    \88\ See id. at 26.
    \89\ See id. at 2. The Participants note that both the 
Participants and Industry Members are acting pursuant to Commission 
mandate, but the Participants are also fulfilling a regulatory 
oversight role and there is no basis for the Participants to assume 
liability. Id. at 21.
---------------------------------------------------------------------------

D. Participants' Response to Comments Regarding the CRA Paper

    In the Response Letter, the Participants also provide responses to 
comment letters that addressed the CRA Paper. The Participants explain 
that the CRA Paper contain two principal analyses: (i) A ``scenario 
analysis'' in which it identified specific hypothetical breaches and 
assessed the relative difficulty of implementation, relative frequency, 
and conditional severity of each; and (ii) a consideration whether the 
cyber risk presented by the CAT should be addressed by regulation, 
litigation, or a combination of both approaches.\90\
---------------------------------------------------------------------------

    \90\ See Response Letter at 15.
---------------------------------------------------------------------------

    The Participants state that commenters that believe the CRA Paper 
did not address certain categories of hypothetical data breaches, and 
in particular breaches that originate from within FINRA CAT or 
Participants, misconstrue the CRA Paper's analysis.\91\ The 
Participants state that Charles River did not make any assumptions 
regarding the identity of potential bad actors or where they may work, 
and the CRA Paper was not intended to predict every possible scenario, 
but instead intended to provide an illustrative framework to assess the 
economic exposures that flow from the gathering, storage, and use of 
CAT Data.\92\ The Participants state that the CRA Paper concludes, in 
light of the CAT's extensive cybersecurity and other reasons, most 
potential breaches are relatively low-frequency events because they are 
either difficult to implement, unlikely to be meaningfully profitable, 
or both.\93\ The Participants also believe that the CRA Paper's 
conclusion that allowing Industry Members to litigate against CAT LLC, 
the Participants, and FINRA CAT would provide minimal benefits while 
imposing substantial costs is not undermined to the extent that 
commenters identify potential breaches that were not included in 
Charles River's scenario analysis.\94\
---------------------------------------------------------------------------

    \91\ See id.
    \92\ See id. (citing CRA Paper 2).
    \93\ See Response Letter at 16 (citing CRA Paper at 18-32).
    \94\ See Response Letter at 16.
---------------------------------------------------------------------------

    The Participants believe that comments that criticize the CRA 
Paper's for failing to consider the costs to individual Industry 
Members in the event of a CAT data breach are based on a fundamental 
misunderstanding of the relevant economic principles.\95\ Specifically, 
the CRA Paper's focus was on whether the risks of the use of CAT Data 
for regulatory purposes was best managed through ex ante regulation or 
ex post litigation, or a combination of both, and this analysis largely 
turns on identifying the most effective and efficient mechanisms for 
incentivizing CAT LLC, the Participants and FINRA CAT to take 
appropriate precautions.\96\ The Participants state that the CRA Paper 
demonstrates that the extensive regulatory regime that the SEC has 
enacted creates appropriate and strong incentives for the Participants 
to take sufficient cybersecurity precautions and to ensure that the CAT 
is secure, and that allowing Industry Members to litigate against 
Participants would create substantial costs without any corresponding 
benefit.\97\
---------------------------------------------------------------------------

    \95\ See id.
    \96\ See id.
    \97\ See id. at 16-17. The Participants also dispute an 
assertion that the CRA Paper delivered a ``pre-determined 
conclusion.'' See id. at 17 (citing ASA Letter at 2-3).
---------------------------------------------------------------------------

    The Participants acknowledge that the CRA Paper explains that the 
regulatory regime is generally silent with respect to the most 
efficient method to compensate injured parties and that the CRA Paper 
offered several suggestions to cover potential losses including 
insurance, industry loss warranties, and catastrophe bonds.\98\ The 
Participants state that they are willing discuss any of these 
compensation mechanisms with Industry Members and would welcome a 
discussion with the Commission to address the viability of these 
mechanisms and how they might be funded.\99\ The Participants reiterate 
that CAT LLC has obtained the ``maximum extent of cyber-breach 
insurance coverage available at the time'' and are willing to discuss 
with Industry Members and the Commission how that coverage might be 
used to compensate parties harmed by any potential data breach.\100\ 
The Participants also state that they regularly evaluate CAT LLC's 
insurance and intend to purchase additional coverage to the extent it 
becomes reasonably available.\101\
---------------------------------------------------------------------------

    \98\ See Response Letter at 27 (citing CRA Paper at 50-53).
    \99\ See id. at 27-28. The Participants state that the 
Commission is empowered to bring enforcement actions for violations 
of cybersecurity requirements, and this authority includes the 
ability to order individuals and entities to disgorge ill-gotten 
gains which could be used to compensate harmed parties. The 
Participants also state that creating mechanisms to compensate 
Industry Members in the event of a data breach would not obviate the 
need for the proposed Limitation of Liability Provisions. See id. at 
28.
    \100\ See Response Letter at 17. See also Response Letter at 21 
and 27.
    \101\ See id. at 21. The Participants state that the decision to 
purchase the maximum coverage available is not contingent on whether 
they are protected by a limitation of liability provision. Id. at 
27.
---------------------------------------------------------------------------

    The Participants state that they disagree with the conclusions in 
the

[[Page 19060]]

Lewis Paper and asked Charles River to respond to the issues raised 
within the Lewis Paper.\102\ The Participants state that the Lewis 
Paper appears to advocate that CAT LLC should be strictly liable for 
all costs associated with any CAT data breach, regardless of the facts 
and circumstances, without any economic analysis as to why the 
longstanding allocation of liability between the Participants and 
Industry Members should not apply here.\103\ In addition, the 
Participants state that the proposed Limitation of Liability Provisions 
do not impact the rights of Industry Members' underlying customers, and 
that Industry Members routinely disclaim liability to those underlying 
customers, which the Lewis Paper does not address.\104\ The 
Participants also state that the Lewis Paper does not include a 
scenario analysis like the CRA Paper, and the Participants state that 
the Lewis Paper incorrectly states that a cyber breach would likely be 
a single event that affects all Industry Members simultaneously, 
leading to the erroneous conclusion that CAT LLC is in a better 
position than individual Industry Members to insure against a cyber 
breach.\105\
---------------------------------------------------------------------------

    \102\ See Response Letter at 20.
    \103\ See id.
    \104\ See id.
    \105\ See id. at 20-21.
---------------------------------------------------------------------------

V. Proceedings To Determine Whether To Approve or Disapprove the 
Proposed Amendment

    The Commission is instituting proceedings pursuant to Rule 
608(b)(2)(i) of Regulation NMS,\106\ and Rules 700 and 701 of the 
Commission's Rules of Practice,\107\ to determine whether to disapprove 
the Proposed Amendment or to approve the Proposed Amendment with any 
changes or subject to any conditions the Commission deems necessary or 
appropriate after considering public comment. Institution of 
proceedings does not indicate that the Commission has reached any 
conclusions with respect to any of the issues involved. Rather, the 
Commission seeks and encourages interested persons to provide 
additional comment on the Proposed Amendment to inform the Commission's 
analysis.
---------------------------------------------------------------------------

    \106\ 17 CFR 242.608.
    \107\ 17 CFR 201.700; 17 CFR 201.701.
---------------------------------------------------------------------------

    Rule 608(b)(2) of Regulation NMS provides that the Commission 
``shall approve a national market system plan or proposed amendment to 
an effective national market system plan, with such changes or subject 
to such conditions as the Commission may deem necessary or appropriate, 
if it finds that such plan or amendment is necessary or appropriate in 
the public interest, for the protection of investors and the 
maintenance of fair and orderly markets, to remove impediments to, and 
perfect the mechanisms of, a national market system, or otherwise in 
furtherance of the purposes of the Act.'' \108\ Rule 608(b)(2) further 
provides that the Commission shall disapprove a national market system 
plan or proposed amendment if it does not make such a finding.\109\ In 
the Notice, the Commission sought comment on the Proposed Amendment, 
including whether the amendment is consistent with the Exchange 
Act.\110\ In this order, pursuant to Rule 608(b)(2)(i) of Regulation 
NMS,\111\ the Commission is providing notice of the grounds for 
disapproval under consideration:
---------------------------------------------------------------------------

    \108\ See 17 CFR 242.608(b)(2).
    \109\ See id.
    \110\ See Notice, supra note 4, 86 FR at 598.
    \111\ 17 CFR 242.608(b)(2)(i). See also Commission Rule of 
Practice 700(b)(2), 17 CFR 201.700(b)(2).
---------------------------------------------------------------------------

     Whether, consistent with Rule 608 of Regulation NMS, the 
Proposed Amendment is necessary or appropriate in the public interest, 
for the protection of investors and the maintenance of fair and orderly 
markets, to remove impediments to, and perfect the mechanisms of, a 
national market system, or otherwise in furtherance of the purposes of 
the Act,\112\ specifically regarding:
---------------------------------------------------------------------------

    \112\ See 17 CFR 242.608(b)(2).
---------------------------------------------------------------------------

    [cir] Whether the impact of the proposed Limitation of Liability 
Provisions on the incentives of the Participants to ensure the security 
of the CAT and CAT Data is necessary or appropriate in the public 
interest, for the protection of investors and the maintenance of fair 
and orderly markets, to remove impediments to, and perfect the 
mechanisms of a national market system, or otherwise in furtherance of 
the purposes of the Act;
    [cir] whether the Proposed Amendment is necessary or appropriate in 
the public interest, for the protection of investors and the 
maintenance of fair and orderly markets, to remove impediments to, and 
perfect the mechanisms of a national market system, or otherwise in 
furtherance of the purposes of the Act in light of any regulatory 
immunity applicable to the Participants; and
    [cir] whether the application of the proposed Limitation of 
Liability Provisions to willful misconduct, gross negligence, bad faith 
or criminal acts is necessary or appropriate in the public interest, 
for the protection of investors and the maintenance of fair and orderly 
markets, to remove impediments to, and perfect the mechanisms of a 
national market system, or otherwise in furtherance of the purposes of 
the Act;
     Whether, and if so how, the Proposed Amendment would 
affect efficiency, competition or capital formation;
     Whether modifications to the Proposed Amendment, or 
conditions to its approval, would be necessary or appropriate in the 
public interest, for the protection of investors and the maintenance of 
fair and orderly markets, to remove impediments to, and perfect the 
mechanisms of, a national market system, or otherwise in furtherance of 
the purposes of the Act.\113\
---------------------------------------------------------------------------

    \113\ See 17 CFR 242.608(b)(2).
---------------------------------------------------------------------------

VI. Commission's Solicitation of Comments

    The Commission requests that interested persons provide written 
submissions of their views, data, and arguments with respect to the 
issues identified above, as well as any other concerns they may have 
with the proposals. In particular, the Commission invites the written 
views of interested persons concerning whether the proposals are 
consistent with Section 11A or any other provision of the Act, or the 
rules and regulations thereunder. Although there do not appear to be 
any issues relevant to approval or disapproval that would be 
facilitated by an oral presentation of views, data, and arguments, the 
Commission will consider, pursuant to Rule 608(b)(2)(i) of Regulation 
NMS,\114\ any request for an opportunity to make an oral 
presentation.\115\
---------------------------------------------------------------------------

    \114\ 17 CFR 242.608(b)(2)(i).
    \115\ Rule 700(c)(ii) of the Commission's Rules of Practice 
provides that ``[t]he Commission, in its sole discretion, may 
determine whether any issues relevant to approval or disapproval 
would be facilitated by the opportunity for an oral presentation of 
views.'' 17 CFR 201.700(c)(ii).
---------------------------------------------------------------------------

    Interested persons are invited to submit written data, views, and 
arguments regarding whether the proposals should be approved or 
disapproved by May 3, 2021. Any person who wishes to file a rebuttal to 
any other person's submission must file that rebuttal by May 17, 2021. 
Comments may be submitted by any of the following methods:

Electronic Comments

     Use the Commission's internet comment form (http://www.sec.gov/rules/sro.shtml); or
     Send an email to [email protected]. Please include 
File Number 4-698 on the subject line.

[[Page 19061]]

Paper Comments

     Send paper comments in triplicate to: Secretary, 
Securities and Exchange Commission, 100 F Street NE, Washington, DC 
20549-1090.

All submissions should refer to File Number 4-698. This file number 
should be included on the subject line if email is used. To help the 
Commission process and review your comments more efficiently, please 
use only one method. The Commission will post all comments on the 
Commission's internet website (http://www.sec.gov/rules/sro.shtml). 
Copies of the submission, all subsequent amendments, all written 
statements with respect to the proposed rule change that are filed with 
the Commission, and all written communications relating to the proposed 
rule change between the Commission and any person, other than those 
that may be withheld from the public in accordance with the provisions 
of 5 U.S.C. 552, will be available for website viewing and printing in 
the Commission's Public Reference Room, 100 F Street NE, Washington, DC 
20549 on official business days between the hours of 10:00 a.m. and 
3:00 p.m. Copies of the filing also will be available for inspection 
and copying at the Participants' principal offices. All comments 
received will be posted without change. Persons submitting comments are 
cautioned that we do not redact or edit personal identifying 
information from comment submissions. You should submit only 
information that you wish to make available publicly. All submissions 
should refer to File Number 4-698 and should be submitted on or before 
May 3, 2021.

    For the Commission, by the Division of Trading and Markets, 
pursuant to delegated authority.\116\
---------------------------------------------------------------------------

    \116\ 17 CFR 200.30-3(a)(85).
---------------------------------------------------------------------------

J. Matthew DeLesDernier,
Assistant Secretary.
[FR Doc. 2021-07390 Filed 4-9-21; 8:45 am]
BILLING CODE 8011-01-P