Joint Industry Plan; Order Disapproving an Amendment to the National Market System Plan Governing the Consolidated Audit Trail, 60933-60946 [2021-24035]

Federal Register / Vol. 86, No. 211 / Thursday, November 4, 2021 / Notices

protection of investors or the public interest; (ii) impose any significant burden on competition; and (iii) become operative prior to 30 days from the date on which it was filed, or such shorter time as the Commission may designate, if consistent with the protection of investors and the public interest, the proposed rule change has become effective pursuant to Section 19(b)(3)(A) of the Act[20] and Rule 19b–4(f)(6) thereunder.[21]

A proposed rule change filed under Rule 19b–4(f)(6)[22] normally does not become operative prior to 30 days after the date of the filing. However, pursuant to Rule 19b–4(f)(6)(iii),[23] the Commission may designate a shorter time if such action is consistent with the protection of investors and the public interest. The Exchange has asked the Commission to waive the 30-day operative delay so that the proposal may become operative immediately upon filing. The Exchange states that waiver of the operative delay will provide certain investment companies registered under the 1940 Act immediate relief from certain shareholder approval requirements if the conditions of the rule as described above are met. The Commission previously approved a substantively similar rule change for Arca and found it consistent with Section 6(b)(5) of the Act.[24] For these reasons, the Commission believes that the proposed rule change presents no novel issues and that waiver of the 30-day operative delay is consistent with the protection of investors and the public interest.
Accordingly, the Commission hereby waives the 30-day operative delay and designates the proposal operative upon filing.[25]

At any time within 60 days of the filing of such proposed rule change, the Commission summarily may temporarily suspend such rule change if it appears to the Commission that such action is necessary or appropriate in the public interest, for the protection of investors, or otherwise in furtherance of the purposes of the Act. If the Commission takes such action, the Commission shall institute proceedings under Section 19(b)(2)(B)[26] of the Act to determine whether the proposed rule change should be approved or disapproved.

[20] 15 U.S.C. 78s(b)(3)(A).
[21] 17 CFR 240.19b–4(f)(6). In addition, Rule 19b–4(f)(6)(iii) requires the Exchange to give the Commission written notice of the Exchange’s intent to file the proposed rule change, along with a brief description and text of the proposed rule change, at least five business days prior to the date of filing of the proposed rule change, or such shorter time as designated by the Commission. The Exchange has complied with this requirement.
[22] 17 CFR 240.19b–4(f)(6).
[23] 17 CFR 240.19b–4(f)(6)(iii).
[24] See supra note 5.
[25] For purposes only of waiving the 30-day operative delay, the Commission has considered the proposed rule change’s impact on efficiency, competition, and capital formation. See 15 U.S.C. 78c(f).

IV. Solicitation of Comments

Interested persons are invited to submit written data, views, and arguments concerning the foregoing, including whether the proposed rule change is consistent with the Act. Comments may be submitted by any of the following methods:

Electronic Comments

• Use the Commission’s internet comment form (https://www.sec.gov/rules/sro.shtml); or
• Send an email to rule-comments@sec.gov. Please include File Number SR–NASDAQ–2021–083 on the subject line.
Paper Comments

• Send paper comments in triplicate to Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549–1090.

All submissions should refer to File Number SR–NASDAQ–2021–083. This file number should be included on the subject line if email is used. To help the Commission process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission’s internet website (https://www.sec.gov/rules/sro.shtml). Copies of the submission, all subsequent amendments, all written statements with respect to the proposed rule change that are filed with the Commission, and all written communications relating to the proposed rule change between the Commission and any person, other than those that may be withheld from the public in accordance with the provisions of 5 U.S.C. 552, will be available for website viewing and printing in the Commission’s Public Reference Room, 100 F Street NE, Washington, DC 20549, on official business days between the hours of 10:00 a.m. and 3:00 p.m. Copies of the filing also will be available for inspection and copying at the principal office of the Exchange. All comments received will be posted without change. Persons submitting comments are cautioned that we do not redact or edit personal identifying information from comment submissions. You should submit only information that you wish to make available publicly. All submissions should refer to File Number SR–NASDAQ–2021–083, and should be submitted on or before November 26, 2021.

For the Commission, by the Division of Trading and Markets, pursuant to delegated authority.[27]

J. Matthew DeLesDernier,
Assistant Secretary.

[FR Doc. 2021–24015 Filed 11–3–21; 8:45 am]
BILLING CODE 8011–01–P

[26] 15 U.S.C. 78s(b)(2)(B).
[27] 17 CFR 200.30–3(a)(12).

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34–93484; File No. 4–698]

Joint Industry Plan; Order Disapproving an Amendment to the National Market System Plan Governing the Consolidated Audit Trail

October 29, 2021.

I. Introduction

On December 18, 2020, the Operating Committee for Consolidated Audit Trail, LLC (“CAT LLC”), on behalf of the following parties to the National Market System Plan Governing the Consolidated Audit Trail (the “CAT NMS Plan” or “Plan”):[1] BOX Exchange LLC; Cboe BYX Exchange, Inc., Cboe BZX Exchange, Inc., Cboe EDGA Exchange, Inc., Cboe EDGX Exchange, Inc., Cboe C2 Exchange, Inc., Cboe Exchange, Inc., Financial Industry Regulatory Authority, Inc. (“FINRA”), Investors Exchange LLC, Long-Term Stock Exchange, Inc., Miami International Securities Exchange LLC, MEMX, LLC, MIAX Emerald, LLC, MIAX PEARL, LLC, Nasdaq BX, Inc., Nasdaq GEMX, LLC, Nasdaq ISE, LLC, Nasdaq MRX, LLC, Nasdaq PHLX LLC, The NASDAQ Stock Market LLC, New York Stock Exchange LLC, NYSE American LLC, NYSE Arca, Inc., NYSE Chicago, Inc., and NYSE National, Inc. (collectively, the “Participants,” “self-regulatory organizations,” or “SROs”) filed with the Securities and Exchange Commission (“SEC” or “Commission”) pursuant to Section 11A(a)(3) of the Securities Exchange Act of 1934 (“Exchange Act”),[2] and Rule 608 thereunder,[3] a proposed amendment (“Proposed Amendment” or “Proposal”) to the CAT NMS Plan that would authorize CAT LLC to revise the Consolidated Audit Trail Reporter Agreement (the “Reporter Agreement”) and the Consolidated Audit Trail Reporting Agent Agreement (the “Reporting Agent Agreement” and collectively, the “Reporter Agreements”) to insert limitation of liability provisions (the “Limitation of Liability Provisions”).[4] The proposed plan amendment was published for comment in the Federal Register on January 6, 2021.[5] On April 6, 2021, the Commission instituted proceedings pursuant to Rule 608(b)(2)(i) of Regulation NMS,[6] to determine whether to disapprove the Proposed Amendment or to approve the Proposed Amendment with any changes or subject to any conditions the Commission deems necessary or appropriate after considering public comment (the “OIP”).[7] On June 25, 2021, the Commission designated a longer period within which to conclude proceedings regarding the Proposed Amendment.[8] On September 2, 2021, the Commission further designated a longer period within which to conclude proceedings regarding the Proposed Amendment.[9] This order disapproves the Proposed Amendment.

[1] The CAT NMS Plan is a national market system plan approved by the Commission pursuant to Section 11A of the Exchange Act and the rules and regulations thereunder. See Securities Exchange Act Release No. 79318 (November 15, 2016), 81 FR 84696 (November 23, 2016) (“CAT NMS Plan Approval Order”).
[2] 15 U.S.C. 78k–1(a)(3).
[3] 17 CFR 242.608.
[4] The Participants are requiring each CAT reporter or CAT reporting agent that reports order and trade data to the CAT System to execute a CAT Reporter Agreement or a CAT Reporting Agent Agreement. See, e.g., CAT FAQ O14, available at: https://www.catnmsplan.com/faq.
[5] See Notice of Filing of Amendment to the National Market System Plan Governing the Consolidated Audit Trail, Release No. 90826 (December 30, 2020), 86 FR 591 (January 6, 2021) (“Notice”).
[6] 17 CFR 242.608(b)(2)(i).
[7] See Securities Exchange Act Release No. 91487 (April 6, 2021), 86 FR 19054 (April 12, 2021) (“OIP”). Comments received in response to the Notice and OIP can be found on the Commission’s website at https://www.sec.gov/comments/4-698/4698.htm.
[8] See Securities Exchange Act Release No. 92266 (June 25, 2021), 86 FR 35142 (July 1, 2021).
[9] See Securities Exchange Act Release No. 92854 (September 2, 2021), 86 FR 50201 (September 7, 2021).

II. Background

On July 11, 2012, the Commission adopted Rule 613 of Regulation NMS, which required the SROs to submit a national market system (“NMS”) plan to create, implement and maintain a consolidated audit trail (the “CAT” or “CAT System”) that would capture customer and order event information for orders in NMS securities.[10] The Commission approved the CAT NMS Plan in 2016.[11]

On August 29, 2019, the Operating Committee for CAT LLC approved a Reporter Agreement that included a provision that would have limited the total liability of CAT LLC or any of its representatives to a CAT Reporter under the Reporter Agreement for any calendar year to the lesser of the total of fees paid by the CAT Reporter to CAT LLC for the calendar year in which the claim arose or five hundred dollars. The Participants required each Industry Member[12] to execute a CAT Reporter Agreement before reporting data to CAT. Prior to the commencement of initial equities reporting for Industry Members, the Securities Industry and Financial Markets Association (“SIFMA”) filed on April 22, 2020, pursuant to Sections 19(d) and 19(f) of the Exchange Act, an application for review of actions taken by CAT LLC and the Participants (the “Administrative Proceedings”). SIFMA alleged that by requiring Industry Members to execute Reporter Agreements as a prerequisite to submitting data to the CAT, the Participants improperly prohibited or limited SIFMA members with respect to access to the CAT System in violation of the Exchange Act.

[10] 17 CFR 242.613.
[11] See note 1, supra.
On May 13, 2020, the Participants and SIFMA reached a settlement and terminated the Administrative Proceedings, allowing Industry Members to report data to the CAT pursuant to a Reporter Agreement that does not contain a limitation of liability provision. Since that time, Industry Members have been transmitting data to the CAT.[13]

[12] Industry Member means a member of a national securities exchange or a member of a national securities association. See CAT NMS Plan at Section 1.1.
[13] For a more detailed description of the background for the Proposed Amendment, see Notice, supra note 5, at 591–93.

III. Description of the Proposal

The Participants propose to amend the CAT NMS Plan to authorize CAT LLC to revise the Reporter Agreement and Reporting Agent Agreement with the proposed Limitation of Liability Provisions. As proposed, the Limitation of Liability Provisions would: (1) Provide that CAT Reporters and CAT Reporting Agents accept sole responsibility for their access to and use of the CAT System, and that CAT LLC makes no representations or warranties regarding the CAT System or any other matter; (2) limit the liability of CAT LLC, the Participants, and their respective representatives to any individual CAT Reporter or CAT Reporting Agent to the lesser of the fees actually paid to CAT for the calendar year or $500; (3) provide that CAT LLC, the Participants, and their respective representatives shall not be liable for all direct and indirect damages of any kind or nature; and (4) provide that CAT LLC, the Participants, and their respective representatives shall not be liable for the loss or corruption of any data submitted by a CAT Reporter or CAT Reporting Agent to the CAT System.[14]

In support of the Proposed Amendment, the Participants state, among other things, that: (1) The proposed Limitation of Liability Provisions reflect longstanding principles of allocation of liability between Industry Members and SROs;[15] (2) the proposed Limitation of Liability Provisions “fall squarely within industry norms” and are consistent with exchange rules that limit liability for losses that members incur through their use of exchange facilities, provisions that FINRA members must agree to in order to comply with Order Audit Trail System (“OATS”) reporting, and other provisions in the context of regulatory and NMS reporting facilities;[16] (3) previously granted exemptive relief that eliminated the requirement that CAT collect certain personally identifiable information, including social security numbers, makes the customer data stored in the CAT comparable to the data reported to other regulatory reporting facilities;[17] (4) the proposed Limitation of Liability Provisions are necessary to ensure the financial stability of CAT because even though “CAT LLC has obtained the maximum extent of cyber-breach insurance coverage available and has implemented a full cybersecurity program to safeguard data stored in the CAT,” there is “the potential for substantial losses that may result from certain categories of low probability cyberbreaches.”[18]

CAT LLC retained Charles River Associates to conduct an economic analysis of the liability issues presented by a potential CAT breach (the “CRA Paper”).[19] The Participants state that the analyses presented in the CRA Paper support the Participants’ proposal to adopt a limitation of liability provision in the CAT Reporter Agreement and show the importance of limiting CAT LLC’s and each Participant’s liability.[20] The CRA Paper asserts, among other things, that, based on an examination of potential breach scenarios and a consideration of the economic and public policy elements of various regulatory and litigation approaches to mitigate cyber risk for the CAT, a limitation of liability provision would serve the public interest by facilitating the regulation of the U.S. equity and option markets at lower overall costs and higher economic efficacy than other approaches, and that the proposed limitation on liability would not undermine CAT LLC’s existing and significant incentives to protect the data stored in the CAT System. The CRA Paper asserts that regulation by the Commission already properly incentivizes the Participants to recognize and address the risks that a CAT cyber breach poses to third parties such as Industry Members. Thus, according to the Participants, permitting litigation by Industry Members will not meaningfully increase CAT’s incentives to manage its exposure to cyber risk but will significantly increase costs, which will ultimately be passed on to retail investors. Because of this, the CRA Paper asserts that solely an “ex-ante regulation” approach leads to the socially optimal outcome, in comparison to an “ex post litigation” approach in which litigation influences behaviors before a loss-producing event occurs by assigning liability afterwards, or a combination of both approaches.

[14] See Notice, supra note 5, at 593.
[15] See Notice, supra note 5, at 593–95.
[16] See Notice, supra note 5, at 593–94.
[17] See Notice, supra note 5, at 595.
[18] See Notice, supra note 5, at 595.
[19] See Notice, supra note 5, at 599–624.
[20] See Notice, supra note 5, at 595–597.

IV. Discussion

A. The Applicable Standard of Review

Under Rule 608(b)(2) of Regulation NMS, the Commission shall approve a national market system plan or proposed amendment to an effective national market system plan, with such changes or subject to such conditions as the Commission may deem necessary or appropriate, if it finds that such plan or amendment is necessary or appropriate in the public interest, for the protection of investors and the maintenance of fair and orderly markets, to remove impediments to, and perfect the mechanisms of, a national market system, or otherwise in furtherance of the purposes of the Exchange Act.[21] Under Rule 700(b)(3) of the Commission’s Rules of Practice, the “burden to demonstrate that a proposed rule change is consistent with the Exchange Act and the rules and regulations issued thereunder . . . is on the self-regulatory organization that proposed the rule change.”[22] The Commission shall disapprove a national market system plan or proposed amendment if it does not make such a finding.[23]

For the reasons described below, the Commission believes that the Participants have not met their burden to demonstrate that the Proposed Amendment is consistent with the Exchange Act.[24] Accordingly, the Commission cannot make the finding that the Proposed Amendment is necessary or appropriate in the public interest, for the protection of investors and the maintenance of fair and orderly markets, to remove impediments to, and perfect the mechanisms of, a national market system, or otherwise in furtherance of the purposes of the Exchange Act.[25]

[21] 17 CFR 242.608(b)(2).
[22] 17 CFR 201.700(b)(3).
[23] 17 CFR 242.608(b)(2). Approval or disapproval of a national market system plan, or an amendment to an effective national market system plan (other than an amendment initiated by the Commission), shall be by order. Id. In addition, Rule 700(b)(3)(ii) of the Commission’s Rules of Practice states that “[t]he burden to demonstrate that a NMS plan filing is consistent with the Exchange Act and the rules and regulations issued thereunder that are applicable to NMS plans is on the plan participants that filed the NMS plan filing.” 17 CFR 201.700(b)(3)(ii). “Any failure of the plan participants that filed the NMS plan filing to provide such detail and specificity may result in the Commission not having a sufficient basis to make an affirmative finding that a NMS plan filing is consistent with the Exchange Act and the rules and regulations issued thereunder that are applicable to NMS plans.” Id.
[24] 17 CFR 201.700(b)(3).
[25] 17 CFR 242.608(b)(2).

B. Impact of Proposed Amendment on Incentives of Participants

Incentives To Invest in Security of the CAT

The Commission received several comments, including a letter from SIFMA attaching an economic analysis prepared by Craig Lewis (“Lewis Paper”) of the Proposed Amendment,[26] expressing concern that shifting liability through a limitation of liability provision would reduce the incentives of Participants to develop robust data security and risk mitigation mechanisms, and may even incentivize the Participants to de-prioritize data security.[27] Commenters also state that it is “unfair” for Industry Members to be liable for breaches of the CAT or CAT Data[28] because the Participants, through CAT LLC, and FINRA CAT, the Plan Processor,[29] are the parties responsible for controlling and securing CAT Data and Industry Members face potential harm due to the compromise of CAT Data over which they have no control and are not responsible for security.[30] The Lewis Paper argues that aligning control and liability incentivizes the optimal amount of data security and would ultimately benefit all investors.[31] Along the same lines, another commenter asserts that “[a]ligning control and liability is not only fair and equitable; it is also good policy, because it maximizes efficiencies in managing data risks inherent in the CAT System.”[32]

[26] See Letter from Ellen Greene, Managing Director, Equity and Options Market Structure, SIFMA, to Vanessa Countryman, Secretary, dated February 19, 2021, available at https://www.sec.gov/comments/4-698/4698-8394069-229410.pdf, attaching Economic Analysis of Proposed Amendment to National Market System Plan Governing the Consolidated Audit Trail, Craig M. Lewis, Ph.D., February 2021.
[27] See Lewis Paper at 5–9, 14; Letter from Ellen Greene, Managing Director, Equity and Options Market Structure, SIFMA, to Vanessa Countryman, Secretary, dated January 27, 2021, available at https://www.sec.gov/comments/4-698/4698-8298026-228278.pdf (“SIFMA Letter”), at 7, 9; Letter from Peggy L. Ho, Executive Vice President, Government Relations, LPL Financial LLC, to Vanessa Countryman, Secretary, dated January 27, 2021, available at https://www.sec.gov/comments/4-698/4698-8298412-228298.pdf (“LPL Financial Letter”), at 1; Letter from Thomas R. Tremaine, Executive Vice President, Chief Operations Officer, Raymond James & Associates, Inc., to Vanessa Countryman, Secretary, dated February 8, 2021, available at https://www.sec.gov/comments/4-698/4698-8347733-229000.pdf (“Raymond James Letter”), at 2; Letter from Joanna Mallers, Secretary, FIA Principal Traders Group, to Vanessa Countryman, Secretary, dated February 8, 2021, available at https://www.sec.gov/comments/4-698/4698-8345389-228979.pdf (“FIA PTG Letter”), at 2; Letter from Thomas M. Merritt, Deputy General Counsel, Virtu Financial, Inc., to Vanessa Countryman, Secretary, dated January 27, 2021, available at https://www.sec.gov/comments/4-698/4698-8298023-228258.pdf (“Virtu Letter”), at 3; Letter from Christopher A. Iacovella, Chief Executive Officer, American Securities Association, to Vanessa Countryman, Secretary, dated January 29, 2021, available at https://www.sec.gov/comments/4-698/4698-8311307-228499.pdf (“ASA Letter”), at 2; Letter from Matthew Price, Fidelity Investments, to Vanessa Countryman, Secretary, dated February 2, 2021, available at https://www.sec.gov/comments/4-698/4698-8343750-228940.pdf (“Fidelity Letter”), at 2; Letter from Daniel Keegan, Managing Director, Head of North America Markets & Securities Services, to Vanessa Countryman, Secretary, dated February 25, 2021, available at https://www.sec.gov/comments/4-698/4698-8419819-229522.pdf (“Citi Letter”), at 2.
[28] “CAT Data” means data derived from Participant Data, Industry Member Data, SIP Data, and such other data as the Operating Committee may designate as “CAT Data” from time to time. See CAT NMS Plan at Section 1.1.
[29] “Plan Processor” means the Initial Plan Processor or any other Person selected by the Operating Committee pursuant to SEC Rule 613 and CAT NMS Plan, Article IV, Section 4.3(b)(i) and Article VI, Section 6.1, and with regard to the Initial Plan Processor, the Selection Plan, to perform the CAT processing functions required by SEC Rule 613 and set forth in this Agreement. See CAT NMS Plan at Section 1.1.
[30] See Lewis Paper at 3, 6; SIFMA Letter, at 4; FIA PTG Letter, at 1 (stating it “supports the comments previously filed by SIFMA”); Raymond James Letter, at 2 (stating that it “strongly supports the points raised by SIFMA in their letter.”); LPL Financial Letter, at 1; ASA Letter, at 2; Virtu Letter, at 2; Fidelity Letter, at 2; Citi Letter, at 2; Letter from Ellen Greene, Managing Director, Equity and Options Market Structure, SIFMA, to Vanessa Countryman, Secretary, dated May 3, 2021 (“SIFMA Letter II”) at 2; 4; Letter from Kelvin To, Founder and President, Data Boiler Technologies, LLC, to Vanessa Countryman, Secretary, dated May 3, 2021 (“Data Boiler Letter II”) at 5.
[31] See Lewis Paper at 5–7; see also SIFMA Letter II at 2–3, 9–10.
[32] See SIFMA Letter at 4. One commenter states that the CAT System is a particularly attractive target for nation states and other bad actors that have become increasingly sophisticated, which could lead to significant harm to market participants, serious competitive harm to Industry Members, and significant legal risk and potential liability. See SIFMA Letter II at 9.

Commenters argue that the CRA Paper’s specific conclusion that ex-ante regulation is most appropriate is wrong, and that CAT cybersecurity would benefit from both ex-ante regulation and ex-post litigation.[33] Another commenter characterizes shifting liability to Industry Members who, unlike SROs, have no control over the security of the CAT as creating a “moral hazard” and stated that permitting litigation against Participants and their representatives when they are acting outside their regulatory capacity is “crucial” as it would give the Participants very strong financial incentives to invest heavily to prevent or minimize the likelihood of such failures.[34] Similarly, the Lewis Paper asserts that liability for potential litigation would mitigate the moral hazard problem for CAT LLC and make CAT LLC more willing to invest in improvements in data security and more quickly react to changing trends and threats in cybersecurity.[35] In response to the Lewis Paper’s contention that the threat of ex-post litigation is necessary, the CRA Response asserts that the “inconsequential and speculative” benefits of litigation in addition to the existing regulatory regime do not exceed the likely substantial costs.[36] The CRA Response further asserts that there is no asset reserve on the balance sheet of CAT LLC sufficient to cover a substantial cyber loss, and thus, adding a threat of litigation may not provide any additional incentives to invest in preventative care.[37]

[33] See Letter from Stephen John Berger, Managing Director, Global Head of Government & Regulatory Policy, Citadel Securities, to Vanessa Countryman, Secretary, dated February 23, 2021, available at https://www.sec.gov/comments/4-698/4698-8411798-229501.pdf (“Citadel Letter”), at 1–2, 7; Lewis Paper at 7–9. SIFMA states that the Lewis Paper, submitted by SIFMA, concludes that the Proposal would reduce investor welfare by: (1) Providing less incentive to the SROs as the operators of the CAT to invest in data security to protect investors’ personally identifiable information and trading data in the CAT, which would place investors at greater risk of having their data compromised; and (2) leading to the inefficient purchase of insurance with additional costs likely passed downstream to investors by requiring industry members to absorb litigation-related expenses for an event over which they have no direct control. See SIFMA Letter II at 3.
[34] See Citi Letter at 2, 7, 9–10.
[35] See Lewis Paper at 7–9.
[36] See Report from Charles River Associates, “CRA Response to: Economic Analysis of Proposed Amendment to the National Market System Plan Governing the Consolidated Audit Trail by Craig M. Lewis, Ph.D. and Selected Points in Public Comment Letters,” dated April 5, 2021, available at https://www.sec.gov/comments/4-698/4698-8634778-230925.pdf (“CRA Response”) at 9. The CRA Response further states that the Lewis Paper mischaracterized this argument as meaning that the CRA Paper said there are no benefits to adding the threat of litigation. Id.
[37] See CRA Response at 4. See also CRA Response at 9 (stating that CAT LLC’s “cost-only business model” provides no mechanism to establish safety reserves that might allow it to build a cash reserve to pre-fund catastrophic losses from a cyber breach).

The Participants argue that securities industry norms do not support the principle that the party in possession of data should bear liability in the event of a data breach, particularly where the parties in possession of the data are acting in regulatory capacities pursuant to Commission rules.[38] In this regard, the Participants state that Industry Members, despite controlling sensitive data that could be compromised during a data breach, “routinely” disclaim liability to their underlying customers including their own retail customers in certain cases.[39] The Participants also assert that the Commission’s regulatory regime, backed by its examination and enforcement functions, provides valuable incentives for the Participants, CAT LLC and FINRA CAT to take adequate cyber security precautions.[40] These incentives include the Commission’s enforcement regime, severe reputational harm, financial and reputational harm to Amazon Web Services, satisfying underwriting standards, and the fact that a data breach could compromise the Participants’ ability to use CAT Data.[41] The Participants believe that commenters have not offered any explanation as to why the Commission’s regulatory regime—which includes cybersecurity protocols developed and refined based on feedback from Industry Members—is insufficient to ensure adequate cybersecurity for CAT Data, or what deficiencies in the Commission’s oversight necessitate that Industry Members be afforded an unprecedented private right of action against their regulators.[42] The Participants further argue that commenters have not demonstrated that the Commission lacks the ability to adequately regulate the CAT and the Participants, and that allowing Industry Member litigation would not result in any meaningful benefit to the CAT’s cybersecurity.[43] In addition, the CRA Response states that the Lewis Paper disregards the potential for enforcement action by the Commission against Participants and does not recognize that regulatory and reputational considerations motivate appropriate ex-ante actions to reduce risk.[44]

[38] See Letter from Michael Simon, CAT NMS Plan Operating Committee Chair, to Vanessa Countryman, Secretary, dated April 1, 2021 (“Response Letter”), at 10.
[39] See Response Letter at 10; see also id. at 20 (stating that the Lewis Paper does not address the fact that Industry Members routinely disclaim liability to those underlying customers).
[40] See, e.g., Letter from Michael Simon, CAT NMS Plan Operating Committee Chair, to Vanessa Countryman, Secretary, dated May 18, 2021, available at https://www.sec.gov/comments/4-698/4698-8811359-238002.pdf (“Second Response Letter”), at 3, 5–7. The Participants state that CAT LLC, the Participants and FINRA CAT are subject to stringent oversight by the Commission. In addition, the Division of Examinations examines FINRA CAT’s and the Participant’s cybersecurity policies, procedures, systems, and controls. See Second Response Letter at 6–7 (also citing Second Circuit decision in support).
[41] See Second Response Letter at 5–6. See also CRA Response at 1, 3–4, 6–7, 10.
[42] See Response Letter at 26.
[43] See Second Response Letter at 3.
[44] See CRA Response at 5–6. The CRA Response states that there are several weaknesses with the Lewis Paper’s and the Citadel Letter’s argument that litigation as well as regulation is necessary to give CAT LLC an added incentive to stay ahead of the Commission’s regulation since the underlying technology changes come too fast for the Commission to keep its regulatory apparatus up to date: (1) Lewis and Citadel ignore that Participants and FINRA CAT are required to monitor CAT’s cyber security and promptly address vulnerabilities in accordance with Commission regulation; (2) Industry Members can influence CAT LLC and Commission regarding cybersecurity as a result of CAT LLC governance and operating mechanisms; (3) Commission has unique access to highly sophisticated cyber security and cyber warfare assets, which give them access to the most up-to-date technology; (4) CAT’s technology suppliers (e.g., AWS) have reputational incentives to maintain CAT cyber defenses; (5) the ability to litigate might increase CAT cyber risk by potentially weakening Industry Members’ incentives to provide feedback to the Participants; (6) Participants still face litigation risk including from Commission enforcement actions. See CRA Response at 13–14.

Commenters also state that the CRA Paper suggests certain mechanisms, such as a third-party compensation program, cyber-related industry loss warranties or cyber catastrophe bonds that could be used in the event of a CAT breach to compensate third parties, but the SROs have not proposed the adoption of any of these mechanisms.[45] These commenters believe that without liability risk, CAT LLC and the SROs will have no incentive to develop any mechanisms for compensating third parties injured if the CAT System is breached or CAT Data is misused while under the control of CAT LLC and the SROs.[46] These commenters assert that the Participants are effectively conceding that without these other mechanisms described in the CRA Paper, the current regulatory regime is insufficient to protect parties that are injured as a result of a CAT breach.[47]

[45] See SIFMA Letter at 10; LPL Financial Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2.
[46] See id.
[47] See id.

The Participants acknowledge that the CRA Paper explains that the regulatory regime is generally silent with respect to the most efficient method to compensate injured parties and that the CRA Paper offered several suggestions to cover potential losses including insurance, industry loss warranties, and catastrophe bonds.[48] The Participants, however, state that they are willing to discuss any of these compensation mechanisms with Industry Members and they would welcome a discussion with the Commission to address the viability of these mechanisms and how they might be funded.[49]

[48] See Response Letter at 27 (citing CRA Paper at 50–53).
[49] See Response Letter at 27–28. The Participants also state that creating mechanisms to compensate Industry Members in the event of a data breach would not obviate the need for the proposed Limitation of Liability Provisions. See id. at 28.

Cyber Insurance

Commenters assert that the proposal would allow CAT LLC to under-invest in data security and cyber insurance.[50] Commenters argue that the Proposed Limitation of Liability Provisions would ultimately result in higher costs borne by investors.[51] According to commenters, under the proposal, every firm submitting data to the CAT System would effectively be forced, where possible, to obtain its own insurance to address the same core risks of data breach or misuse within the CAT System and CAT LLC and the Participants may not be appropriately incentivized to invest in insurance and other risk mitigation mechanisms.[52] Commenters believe that it would be more appropriate for CAT LLC to purchase insurance instead of Industry Members each purchasing the same overlapping policies.[53] One of these commenters argues that CAT LLC is able to insure more efficiently than Industry Members because CAT LLC has access to and control over CAT Data and systems and can subject itself to monitoring by an insurer.[54] One
50 See SIFMA Letter II at 2–3, 9–10; Lewis Paper. 51 See SIFMA Letter II at 2–3, 9–10; Lewis Paper. 52 See SIFMA Letter II at 10. See also Data Boiler Letter II at 3 (provisions discourage Participants from advancing the security and design of CAT and CAT Data). 53 See Lewis Paper at 11; SIFMA Letter at 4–5, 8– 9, 10–11; Virtu Letter at 3. See also LPL Financial Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2. One commenter expresses skepticism that Industry Members could even obtain insurance policies under the current CAT System construct, because Industry Members have no control over the data they are by law required to submit, its security or the CAT System. See Virtu Letter at 3. 54 See Lewis Paper at 12–13. See also SIFMA Letter at 4–5 (stating that requiring Industry Members to pay for and implement separate and overlapping insurance policies, if available, is VerDate Sep<11>2014 17:57 Nov 03, 2021 Jkt 256001 commenter states that while the Participants assert that CAT LLC has obtained the ‘‘maximum extent of cyberbreach insurance coverage,’’ the Participants have not disclosed any information about the extent or cost of the coverage obtained,55 and do not analyze whether Participants should seek insurance or the effect such insurance could have on the Participants’ incentives to protect data that they extract from the CAT and store outside the CAT.56 The commenter states that it is not at all clear that CAT LLC could not obtain additional insurance.57 The Participants reiterate that CAT LLC has purchased the maximum amount of cyber insurance coverage that the current market will reasonably provide. 
The Participants also state that they will regularly evaluate CAT LLC’s insurance and intend to purchase additional coverage to the extent it becomes reasonably available.58 The Participants argue that disclosing the amount of insurance purchased by CAT LLC could potentially incentivize bad actors to target the CAT with ransom demands.59 The Participants assert that CAT LLC is not equipped to compensate Industry Members in the event of a data breach because funding is designed to cover costs only and it is difficult to imagine how CAT LLC could ensure solvency if substantial exclusions are included in a limitation of liability.60 The CRA Response states that the Lewis Paper’s conclusion that the Participants should purchase additional cyberinsurance relies on two propositions for which the Lewis Paper provides no basis: (1) CAT LLC can purchase additional and more targeted cyber insurance to pre-finance possible cyber claims from Industry Members and that (2) the decrease in cyber security risks and insurance rates to Industry Members would outweigh the increase in CAT LLC’s cyber insurance rates.61 The CRA Response asserts that the Lewis Paper’s claim that the Limitation 60937 of Liability Provisions will force clients’ claims onto Industry Members and burden Industry Members with purchasing additional insurance coverage is erroneous.62 Specifically, according to the CRA Response, the Lewis Paper does not explain how Industry Members’ clients can sue Industry Members for a cyberbreach of CAT, does not consider that many Industry Members have similar provisions in their customer agreements, and does not explain how an insurer would write liability coverage for Industry Members paying claims to clients for an adverse cyber event.63 In addition, the CRA Response states that the Lewis Paper and commenters assume, without support, that Industry Members will face litigation risk from customers due to a cyberbreach at the CAT.64 Visibility and Input of Industry Members 
Into the Security of the CAT One commenter argues that the CRA Paper significantly overemphasizes the visibility and input into the workings of CAT provided to the industry, and asserts that there is no visibility into the security aspects of CAT.65 The Participants state that Industry Members have had extensive opportunities to provide input regarding the CAT’s cybersecurity at every stage of the development and operation of the CAT.66 The CRA Response states that commenters fail to acknowledge that providing Industry Members a right to litigate may reduce Industry Members’ incentives to undertake their monitoring and influencing activities in favor of relying upon the threat of litigation, thereby weakening the overall cyber program of the CAT.67 The CRA Response also states that limiting Industry Members’ ability to recover damages provides greater incentives for them to provide feedback to CAT management through the Advisory Committee.68 62 See inefficient and would result in substantially higher costs borne by Industry Members and by extension their customers). 55 See SIFMA Letter II at 9. 56 See Citadel Letter at 7–8. See also Lewis Paper at 13–14. 57 See SIFMA Letter II at 9. SIFMA also discusses the state of negotiations with the Participants. See SIFMA Letter II at 11. 58 See Second Response Letter at 17. 59 See Second Response Letter at 17. The Participants noted that they were reviewing a May 3, 2021 term sheet from SIFMA setting forth terms upon which Industry Members would be willing to resolve the dispute regarding the allocation of liability in the event of a CAT data breach. Id. 60 See Second Response Letter at 15. 61 See CRA Response at 5. PO 00000 Frm 00147 Fmt 4703 Sfmt 4703 CRA Response at 5–6. CRA Response at 5–6. However, purchasing cyber liability insurance to protect against potential first-party risk exposure might be part of a reasonable and sound approach to managing first-party risk exposure. Id. at 13. 64 See CRA Response at 13. 
65 See Citadel Letter at 9. 66 See Response Letter at 14. This includes prior to approval of the CAT NMS Plan, feedback through the Advisory Committee, and the ability of Industry Members to directly petition the Commission or provide comments on any proposals offered by the Commission. Id. 67 See CRA Response at 2, 9, and 11. 68 See CRA Response at 19. The Participants also assert that Industry Members have ample opportunities to contribute their perspectives 63 See E:\FR\FM\04NON1.SGM Continued 04NON1 60938 Federal Register / Vol. 86, No. 211 / Thursday, November 4, 2021 / Notices lotter on DSK11XQN23PROD with NOTICES1 Regulatory Immunity Commenters argue that the SROs have failed to explain why limitation of their liability should be imposed by contract because the SROs have immunity from liability when acting in a regulatory capacity.69 Commenters further assert that the effort to impose liability limitations by contract ‘‘raises significant questions about whether the SROs seek to avoid liability in circumstances in which they misuse CAT Data while acting in a commercial capacity.’’ 70 Another commenter frames the issue as not whether the Participants should be liable for conduct undertaken during the course of their regulatory responsibilities, but whether the Participants should be insulated from potential liability for activities not covered by regulatory immunity.71 One commenter states that it believes that court precedent ‘‘strongly indicates that the courts are likely to view any regulatory activity the SROs conduct through CAT LLCs as being subject to this judicial immunity even though it is being conducted in a legal entity that is separate from the SROs.’’ 72 In response to comments about regulatory immunity, the Participants state that regulatory immunity does not preclude the use of contractual limitation of liability provisions and the divergent and shifting positions from Industry Members on the applicability of regulatory immunity underscores 
the need for a contractual limitation of liability.73 The Participants state that some comments generally argue that a contractual limitation of liability is unnecessary in light of the doctrine of regulatory immunity, while other comments state the Participants should not receive either regulatory immunity or the protection of a limitation of liability provision.74 The Participants state that the proposed Limitation of regarding the CAT’s cybersecurity. See Second Response Letter at 10. 69 See Citadel Letter at 1, 3–5; SIFMA Letter at 8; LPL Financial Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2; SIFMA Letter II at 5; 6–7. 70 See SIFMA Letter at 8. See also LPL Financial Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2. 71 See Citadel Letter at 5. 72 See SIFMA Letter II at 7. See also Data Boiler Letter II at 4. 73 See Response Letter at 22–25; see also Second Response Letter at 4, 11–12. The Participants also state that SIFMA has not indicated that it and constituent Industry Members will abandon their extensive efforts to challenge the regulatory immunity doctrine in court or cease lobbying Congress to abrogate it by statute. Id. at 3–4, 11. 74 See Response Letter at 21–23. The Participants state that SIFMA’s longstanding position is that Congress should abrogate regulatory immunity by statute. Id. at 23–24. 
VerDate Sep<11>2014 17:57 Nov 03, 2021 Jkt 256001 Liability Provisions are necessary despite any regulatory immunity because even litigation which holds that regulatory immunity applies may result in significant disruption and expense (which ultimately will be passed along to Industry Members as part of CAT LLC’s joint funding), and there is no guarantee that all courts would agree that the Participants’ immunity defense extends to the particular claims at issue.75 The Participants believe that the Proposed Limitation of Liability Provisions are necessary to avoid the uncertainty inherent in litigation and to avoid the costs associated with defending against potential lawsuits.76 In addition, litigation would be costly and resource intensive and ultimately distract the Participants and FINRA CAT from their important regulatory oversight mandate.77 The Participants state that several commenters misstate the scope of the Proposed Amendment by suggesting that the Proposed Amendment would extinguish liability.78 The Participants state that the Proposed Amendment only concerns the allocation of liability between Industry Members and the Participants and the Proposed Amendment would not impact the rights or obligations of third parties, including Industry Members’ customers and would not extinguish the broad regulatory oversight that the Commission exercises over the CAT or potential investigation and potential enforcement action for any cybersecurity-related violations.79 The Participants believe that commenter concerns that the regulatory process might not keep pace with emerging and evolving cyber threats fails to consider Commission regulatory requirements and oversight, including the CAT NMS Plan requirement that Participants and FINRA CAT proactively monitor the CAT’s cybersecurity and promptly address any vulnerabilities.80 Participants state, in contrast, litigation would require the Commission to share responsibility with the courts and is a lengthy process that 
is unlikely to outpace regulation.81 In addition, the Commission has means other than the formal rule-making process to address emerging cyber 75 See Response Letter at 23–25. See also Second Response Letter at 4, 11. 76 See Second Response Letter at 11–12. 77 See id. 78 See Response Letter at 25 (citing Citi Letter at 2 and SIFMA Letter at 9). 79 See Response Letter at 25–26. 80 See Second Response Letter at 7. 81 See Second Response Letter at 8. PO 00000 Frm 00148 Fmt 4703 Sfmt 4703 threats.82 In addition, the Participants assert that allowing Industry Member litigation would undoubtedly result in substantial additional costs and that the CRA Paper demonstrates that the costs of litigating a potential CAT Data breach are likely to be both substantial and unquantifiable on an ex-ante basis.83 It would also create additional costs and distract the Participants from the regulatory mission of CAT, and these costs would ultimately be passed along to investors.84 The Participants state that commenters are asking that their primary regulators bear any and all liability for hypothetical ‘‘black swan’’ cyber breaches and that such an extraordinary ask is without precedent, and that Participants, implementing a regulatory mandate in their regulatory capacities, should receive liability protections that they are customarily afforded when implementing their regulatory responsibilities pursuant to the direction and oversight of the Commission.85 CRA Paper Does Not Capture All Data Breach Risks and Costs Commenters believe that the CRA Paper does not capture all data breach risks, stating that the CRA Paper only focuses on a breach by external actors and fails to address the risk of misuse of CAT Data by personnel at CAT LLC and the SROs.86 In addition, one commenter emphasizes that the CRA Paper focuses on databases maintained by CAT LLC, not the ‘‘larger concern,’’ which is the potential for hackers to access CAT Data from Participant 82 See Second Response Letter at 8. 
The Participants state that the Commission and its staff have ‘‘multiple tools at their disposal to motivate regulated entities’’ to ‘‘expeditiously modify their cybersecurity regimes.’’ ‘‘For example, the Division of Examinations, which has prioritized cybersecurity issues, often releases risk alerts in response to emerging concerns.’’ Id. 83 See Second Response Letter at 3–4, 16. 84 See Second Response Letter at 4, 16. 85 See Second Response Letter at 4; see also Response Letter at 20 (stating that the Lewis Paper appears to advocate that CAT LLC should be strictly liable for all costs associated with any CAT data breach, regardless of the facts and circumstances, without any economic analysis as to why the longstanding allocation of liability between the Participants and Industry Members should not apply here). The Participants note that both the Participants and Industry Members are acting pursuant to Commission mandate, but the Participants are also fulfilling a regulatory oversight role and there is no basis for the Participants to assume liability. See Response Letter at 21. See also Second Response Letter at 4. 86 See Citadel Letter at 6; SIFMA Letter at 9; LPL Financial Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2; Virtu Letter at 5. One commenter states that the CRA Paper does not provide any support for the argument that broker-dealers should be accountable for the wrongdoing or misuse of data by SRO employees or contractors. See ASA Letter at 2. E:\FR\FM\04NON1.SGM 04NON1 Federal Register / Vol. 86, No. 211 / Thursday, November 4, 2021 / Notices databases that have extracted data from the CAT.87 Two commenters further criticize the breach scenarios discussed in the CRA Paper as insufficient to capture the risks. One of these commenters suggests that a breach of CAT by foreign actors, or CAT being internally compromised could lead to the ‘‘downfall’’ of U.S. 
capital markets and that the breach scenarios in the CRA Paper ‘‘grossly’’ underestimate national security threats.88 Another commenter states that the CRA Paper ‘‘avoids any serious discussion’’ of the risk posed by ‘‘nation state actors, like China and Russia.’’ 89 Participants and the CRA Response dispute commenters’ claims that the CRA Paper does not include all potential data breaches.90 The Participants argue that certain commenters misconstrue the CRA Paper’s analysis.91 Specifically, these commenters assert that the CRA Paper did not address certain categories of hypothetical data breaches, and in particular breaches that originate from within FINRA CAT or Participants. The Participants state that the CRA Paper did not make any assumptions regarding the identity of potential bad actors or where they may work, and the CRA Paper was not intended to predict every possible scenario, but instead intended to provide an illustrative framework to assess the economic exposures that flow from the gathering, storage, and use of CAT Data.92 The Participants state that the CRA Paper concludes, in light of the CAT’s extensive cybersecurity and other reasons, most potential breaches are relatively low-frequency events because they are either difficult to implement, unlikely to be meaningfully profitable, or both.93 The Participants also believe that the CRA Paper’s conclusion that allowing Industry Members to litigate against CAT LLC, the Participants, and FINRA CAT would provide minimal 87 See Citadel Letter, at 6–7. Letter from Kelvin To, Founder and President, Data Boiler Technologies, LLC, to Vanessa Countryman, Secretary, dated January 27, 2021, at 1 and 6, available at https://www.sec.gov/ comments/4-698/4698-8311309-228460.pdf. 89 See ASA Letter at 2. 90 See Response Letter at 15. 
The Participants explain that the CRA Paper contain two principal analyses: (i) A ‘‘scenario analysis’’ in which it identified specific hypothetical breaches and assessed the relative difficulty of implementation, relative frequency, and conditional severity of each; and (ii) a consideration whether the cyber risk presented by the CAT should be addressed by regulation, litigation, or a combination of both approaches. 91 See Response Letter at 15. 92 See Response Letter at 15–16 (citing CRA Paper 2). 93 See Response Letter at 16 (citing CRA Paper at 18–32). lotter on DSK11XQN23PROD with NOTICES1 88 See VerDate Sep<11>2014 17:57 Nov 03, 2021 Jkt 256001 benefits while imposing substantial costs is not undermined to the extent that commenters identify potential breaches that were not included in the CRA Paper’s scenario analysis.94 The Participants believe that comments that criticize the CRA Paper for failing to consider the costs to individual Industry Members in the event of a CAT Data breach are based on a misunderstanding of the relevant economic principles.95 Specifically, the CRA Paper’s focus was on whether the risks of the use of CAT Data for regulatory purposes was best managed through ex ante regulation or ex post litigation, or a combination of both, and this analysis largely turns on identifying the most effective and efficient mechanisms for incentivizing CAT LLC, the Participants and FINRA CAT to take appropriate precautions.96 The Participants state that the CRA Paper demonstrates that the extensive regulatory regime that the Commission has enacted creates appropriate and strong incentives for the Participants to take sufficient cybersecurity precautions and to ensure that the CAT is secure, and that allowing Industry Members to litigate against Participants would create substantial costs without any corresponding benefit.97 The CRA Response states that allowing Industry Members to litigate against CAT LLC and Participants entails potentially 
substantial costs and uncertainty in the operation of the CAT that, ultimately, could be borne by Industry Members’ underlying customers,98 as a result of the Commission-approved joint funding of CAT LLC by Industry Members and Participants, a fact the CRA Response believes that the Lewis Paper ignores. According to the CRA Response, a limitation of liability also protects Industry Members from the possibility of funding both catastrophic losses and substantial litigation costs.99 Participants and the CRA Response argue that the Lewis Paper’s argument that CAT LLC is in a better position to insure against a CAT Data breach fails because, among other reasons, it is based on a premise that a cyberbreach would impact all Industry Members 94 See Response Letter at 16. Response Letter at 16. 96 See id. 97 See Response Letter at 16–17. The Participants also dispute an assertion that the CRA Paper delivered a ‘‘pre-determined conclusion.’’ See id. at 17 (citing ASA Letter at 2–3). 98 See CRA Response at 8. 99 See CRA Response at 2, 8. 95 See PO 00000 Frm 00149 Fmt 4703 Sfmt 4703 60939 simultaneously 100 and ignores the fact that CAT LLC has already purchased the maximum insurance coverage that was feasibly available.101 The CRA Response states that the CRA Paper’s scenario analysis does not support the Lewis Paper’s assertion that a breach is likely to be a single event that affects all Industry Members simultaneously, and the Lewis Paper does not explain why a single event instead of multiple events affecting subsets of Industry Members might make a difference.102 The Commission acknowledges that a number of factors impact the Participants’ incentives to invest in, or prioritize, the security of the CAT. 
These factors include, but are not limited to (in no specific order): The cost of security; regulatory requirements, including Commission supervision and enforcement, fines, penalties and potential loss of their SRO licenses; reputation; the threat of litigation; and the amount of potential payments to those impacted by a security breach. Given the sensitivity of CAT Data, as well as the importance of the CAT for regulatory purposes, the Commission believes it is important to evaluate the incentives to invest in, or prioritize, the security of the CAT. The burden is on Participants to demonstrate that the Proposed Amendment is necessary or appropriate in the public interest, for the protection of investors and the maintenance of fair and orderly markets, to remove impediments to, and perfect the mechanisms of, a national market system, or otherwise in furtherance of the purposes of the Exchange Act.103 Accordingly, the Commission believes that the Participants must demonstrate that the Proposed Amendment satisfies this standard in light of its potential impact on the Participants’ incentives to invest in or prioritize the security of CAT. By essentially eliminating any potential liability to Industry Members in the event of a security breach, the Participants limit the risk to themselves should they decide to reduce their investments in the security of the CAT, and such a reduction could increase the potential for a breach of CAT or 100 The Participants state that the Lewis Paper does not include a scenario analysis like the CRA Paper. See Response Letter at 16 at 20–21. 101 See CRA Response at 2, 4–5. 102 See CRA Response at 16. 
The CRA Response also states that the Lewis Paper also implies that a single event is unlike a typical situation where pooling of risk can reduce the volatility around claims, but the CRA Response further argues this is a narrow view as insurers can spread correlated risks through reinsurance contracts across the global insurance industry ultimately bringing the benefits of diversification to all who are insured. Id. 103 17 CFR 201.700(b)(3). E:\FR\FM\04NON1.SGM 04NON1 60940 Federal Register / Vol. 86, No. 211 / Thursday, November 4, 2021 / Notices lotter on DSK11XQN23PROD with NOTICES1 unauthorized release of CAT Data. The Participants characterize one of the potential liabilities that they need to be insulated from as ‘‘the potential for substantial losses that may result from certain categories of low probability cyberbreaches,’’ 104 and the CRA Paper estimates an exposure of at least $100 million per incident as a ‘‘reasonable’’ estimate for a data breach scenario in which an algorithmic trading firm’s strategy was reverse engineered, which it also describes as very difficult to implement and occurring infrequently.105 The Proposed Amendment would almost completely insulate the Participants from any liability to member firms for those damages. Due to potentially lower costs should such a breach occur, the Commission believes the proposed Limitation of Liability Provisions would have a negative impact on the incentives of Participants to secure the CAT to prevent breaches, including purportedly low probability events.106 Also, absent the proposed Limitation of Liability Provisions, the Participants might be incentivized to make further investments in data security beyond those mandated by the CAT NMS Plan and Commission rulemakings, such as internal controls designed to decrease the likelihood of misuse of CAT Data beyond the requirements of the CAT NMS Plan. 
The CRA Response states that the benefits of litigation in addition to the existing regulatory regime are ‘‘inconsequential and speculative’’ and do not exceed the likely substantial costs.107 However, the CRA Response acknowledges that the threat of liability does incentivize behavior, arguing that limiting Industry Members’ ability to recover damages provides greater incentives for them to provide feedback to CAT management through the Advisory Committee.108 The Commission believes that although Industry Members do have avenues to provide feedback such as through the Advisory Committee, Industry Members do not have access to the information they would need, such as security audit results and design specifications, to evaluate the security of CAT and identify meaningful deficiencies. The Commission also believes that the CRA Response’s argument applies to Participants, in that their behavior 104 See Notice, supra note 5, at 595. Notice, supra note 5, at 597, 599–600, 603. 106 See also Economic Analysis at Section V.A. 107 See CRA Response at 9. Neither the Participants nor the CRA Paper or CRA Response provides specifics regarding estimated costs of litigation. 108 See CRA Response at 19. 105 See VerDate Sep<11>2014 17:57 Nov 03, 2021 Jkt 256001 would change to the extent there is a decreased threat of liability. Specifically, with the proposed Limitation of Liability Provisions, the Participants’ potential liability to Industry Members would decrease and thus reduce Participants’ incentives to ensure robust cybersecurity of CAT and CAT Data in an effort to reduce or avoid the potential liability. 
Participants argue that security industry norms do not support the principle that the party in possession of the data should bear liability in the event of a data breach, especially when acting in a regulatory capacity pursuant to Commission rules,109 and that Industry Members “routinely” disclaim liability to their underlying customers.110 The Commission did not approve provisions in Industry Member contracts for OATS or Industry Member contracts with underlying customers. The Participants also refer to limitation of liability provisions in SROs’ rules that were previously approved by the Commission.111 In the case of the SROs’ rules, these rules relate to liability to members with respect to the business operations of exchanges and were established for different types of systems with different risks than the CAT.112 The Commission believes that given the amount and sensitivity of the data in the CAT System, it is important that the Participants’ incentives to invest in robust cybersecurity, including potential liability in the event of a breach, are not reduced. Based on the record before it, the Commission believes that the proposed Limitation of Liability Provisions would reduce Participants’ incentives to invest in CAT Data security. The CRA Response also states that providing Industry Members a right to litigate may reduce Industry Members’ incentives to undertake their monitoring and influencing activities in favor of relying upon the threat of litigation, thereby weakening the overall cyber program of the CAT.113 The Commission also believes that these comments suggest that Industry Members can have a significant role in determining the strength of the overall cyber program of CAT, and if a reduction in Industry Member “monitoring and influencing activities” would weaken the overall cyber program of the CAT, the absence of essentially any liability to Industry Members would also weaken the overall cyber program of CAT.114

The Participants expressed concern that CAT LLC is not equipped to compensate Industry Members in the event of a data breach because funding is designed to cover costs only.115 The Participants further assert that it is difficult to imagine how CAT LLC could ensure solvency if substantial exclusions are included in a limitation of liability.116 However, these are not compelling reasons to include the proposed Limitation of Liability Provisions. The Commission believes that there are mechanisms in place to ensure CAT LLC will not fail to compensate Industry Members or become insolvent. Specifically, the Participants are obligated to maintain a CAT and cannot dissolve CAT LLC without Commission approval.117 Due to their obligation to maintain the CAT, the Participants would need to fund CAT LLC by recovering any shortfall from the Participants and/or Industry Members.118 To the extent the Participants seek to recover any shortfall from Industry Members, the Commission will assess those fees to assure that they are reasonable.119

Even in the absence of the proposed Limitation of Liability Provisions, the Participants may have limited liability to Industry Members through court-established regulatory immunity.120 To the extent it is available, regulatory immunity may create the same incentive as the proposed Limitation of Liability Provisions for Participants to reduce their investment in CAT cybersecurity. Regulatory immunity, however, is not applicable in all scenarios (i.e., commercial use or intentional misconduct). The Commission does not believe that the Participants have adequately explained why, in cases where regulatory immunity may not be applicable because Participant use of CAT data is improper (e.g., commercial use or intentional misconduct), they should be permitted to limit their liability.

109 See Response Letter at 10.
110 See Response Letter at 10; see also Response Letter at 20 (stating that the Lewis Paper does not address the fact that Industry Members routinely disclaim liability to those underlying customers).
111 See Response Letter at 5–7.
112 CAT Data, unlike an SRO’s trading data, includes comprehensive trading data from all exchange SROs and order and customer information submitted by Industry Members.
113 See CRA Response at 2, 9, and 11.
114 The CRA Response emphasizes that Industry Members and other interested parties are able to monitor and suggest improvements for CAT’s cyber security and “history is replete with examples.” See CRA Response at 3–4.
115 See Second Response Letter at 15.
116 See Second Response Letter at 15. See also CRA Response at 9 (stating that CAT LLC’s “cost-only business model” provides no mechanism to establish safety reserves that might allow it to build a cash reserve to pre-fund catastrophic losses from a cyber breach).
117 See CAT NMS Plan, Article X, Section 10.1.
118 See CAT NMS Plan, Article XI, Section 11.1(b) and 11.2. Specifically, Section 11.1(b) states that subject to Section 11.2, the Operating Committee shall have discretion to establish funding for the CAT LLC, including: (i) establishing fees that the Participants shall pay; and (ii) establishing fees for Industry Members that shall be implemented by Participants. Section 11.2 sets forth funding principles that the Operating Committee should consider in establishing the funding of the Company. Specifically, Section 11.2(f) states that the Operating Committee should consider building financial stability to support the Company as a going concern.
119 See CAT NMS Plan, Article X, Section 11.1(b).
120 See Section IV.C.1, supra. The Participants assert that regulatory immunity applies to their use of CAT. See Response Letter at 23; Second Response Letter at 4.
The potential consequences of such behavior, however, could also fall on Industry Members who have no control over the security of CAT Data they have submitted to the CAT. The Commission believes that the presence of liability risk would provide Participants an additional incentive to invest in CAT data security to prevent such behavior from occurring.121 The Commission believes that the Participants have not met their burden to demonstrate that the Proposed Amendment is necessary or appropriate in the public interest, for the protection of investors and the maintenance of fair and orderly markets, to remove impediments to, and perfect the mechanisms of, a national market system, or otherwise in furtherance of the purposes of the Exchange Act.122

C. Breadth of the Proposed Limitation of Liability Provisions

Several commenters are critical of the scope of the proposed Limitation of Liability Provisions and in particular the language that prohibits Industry Members from pursuing claims against CAT LLC and the Participants if there is “willful misconduct, gross negligence, bad faith or criminal acts of CAT LLC, the SROs or their representatives or employees.”123 As one commenter states, the proposal would shield the Participants from liability, “not only for a breach of the CAT System by malicious third-party actors but even from the theft or other misuse of CAT Data by SRO employees” and would “effectively extinguish the liability of CAT LLC and the SROs even in instances of gross negligence or intentional misconduct.”124 Another commenter states that the proposal “would effectively hold brokers responsible for the malfeasance and incompetence of the SROs and their contractors” and that this would be “extremely unreasonable.”125 A commenter suggests that if the limitation of liability language was adopted as proposed, “CAT LLC would only have $500 in liability if an SRO employee stole CAT Data and posted it on the internet.”126 A commenter believes that the liability cap should only apply when CAT LLC and the Participants are acting solely in their regulatory capacity, for which they have proposed a definition, and should exclude willful misconduct, gross negligence, bad faith, or criminal acts.127

The Participants state that the proposed Limitation of Liability Provisions fall squarely within industry norms, referencing a comparison to the allocation of liability between Industry Members and SROs in other regulatory contexts, including NMS plans, regulatory reporting facilities, SRO rules and liability provisions that Industry Members use to protect themselves when they possess sensitive customer and transaction data.128 The Participants believe that the proposed Limitation of Liability Provisions are “substantively identical” to the liability provisions to which Industry Members regularly agree in connection with OATS reporting.129 Commenters, however, dismiss comparisons made in the Proposed Amendment to OATS limitation of liability provisions because (1) CAT captures significantly more information than OATS, including personally identifiable information, and data reported to OATS is reported to and only used by FINRA; and (2) OATS does not have account-level data, which the CAT will collect and which could present the risk of reverse engineering of trading strategies.130 One commenter stated that the limitation of liability provisions for OATS were signed in 1998, and since then the landscape of cybersecurity has changed, and the frequency and scale of data breaches has increased dramatically.131

In response, the Participants reject the suggestion that any limitation of liability provision should allow liability for willful misconduct, gross negligence, bad faith or criminal acts of CAT LLC, the SROs or their representatives or employees.132 The Participants assert that the exclusion of “gross negligence, willful misconduct, bad faith, or criminal acts” is not appropriate and would be inconsistent with other limitation of liability provisions for other NMS plans (including OATS) and SRO rules.133 The Participants state that in the limited instances in which SRO liability rules permit claims for gross negligence or willful misconduct, Industry Members are often prohibited from suing an SRO for damages unless the alleged gross negligence or willful misconduct also constituted a securities law violation for which Congress has authorized a private right of action.134 The Participants further argue that modifying the proposed Limitation of Liability Provisions is not supported by the CRA Paper, because such modifications would likely result in litigation over liability135 and litigation to prove these elements even if nonexistent.136 The CRA Response also states that the comment letters do not acknowledge that behavior falling in these categories is already subject to enforcement by the Commission.137 The Participants state that the Commission’s regulatory enforcement regime and the potential for severe reputational harm already sufficiently incentivize the Participants not to engage in bad faith, recklessness, gross negligence, and intentional misconduct, and so adding exclusions to the proposed Limitation of Liability Provisions would not result in any meaningful improvement to the CAT’s cybersecurity.138 As noted in the previous section,139 commenters believe that the CRA Paper only focuses on a breach by external actors and fails to address the risk of misuse of CAT Data by personnel at CAT LLC and the SROs.140 The CRA Response argues that the CRA Paper did not specifically address the misuse of CAT Data by CAT personnel and other internal sources because whether a perpetrator is external or internal makes no difference to the scenario analysis.141 The CRA Response also argues that the purported concerns about the threat of “internal” breaches are exaggerated and that all Participant users of CAT Data are subject to comparable cyber security procedures and protocols, and only trading data, not customer data, can be downloaded in bulk.142

The Commission does not believe that the Participants have demonstrated that it is necessary or appropriate to foreclose all potential Industry Member claims, including those arising from “gross negligence, willful misconduct, bad faith, or criminal acts” to a maximum of $500 per Industry Member per calendar year as proposed.143 The Commission believes that the damages to Industry Members for breaches of CAT could potentially far exceed that amount, and Participants and the CRA Response acknowledge the possibility for low frequency events with extreme severity.144 For example, as discussed above, the CRA Paper estimates an exposure of at least $100 million per incident would be reasonable if an algorithmic trading firm’s strategy was reverse engineered, and if the Proposed Amendment were adopted the Participants would only have $500 in liability to the trading firm even if the trading strategy was exposed through gross negligence, willful misconduct, bad faith, or criminal acts. This means that the proposed Limitation of Liability Provisions would shield the Participants from liability to Industry Members even if a Participant intentionally used CAT Data for competitive business purposes, or an employee of CAT LLC sold CAT Data to a foreign government. As noted above, Participants can assert regulatory immunity to the extent that the doctrine applies if there is a security breach that exposes CAT Data and Industry Members seek damages from the responsible Participants.145 However, the Commission believes that for situations where regulatory immunity may not be applicable (e.g., commercial use or intentional misconduct), the Participants have not met their burden to justify a nearly complete elimination of liability to Industry Members as consistent with the Exchange Act and the rules and regulations as required by Rule 608 of Regulation NMS, as discussed above. The Commission cannot make a finding that the proposed amendment is consistent with the Exchange Act and the rules and regulations issued thereunder.146

121 See also Economic Analysis at Section V.A.
122 17 CFR 201.700(b)(3).
123 See SIFMA Letter at 5, 7–8. See also LPL Financial at 1; FIA PTG Letter at 2; Raymond James Letter at 2; Citadel Letter, at 3 (stating that the provisions would protect Participants and their representatives from any and all potential misuse, including intentional misuse, of CAT Data); SIFMA Letter II at 8–9.
124 See SIFMA Letter at 5; see also LPL Financial at 1; FIA PTG Letter at 2; Raymond James Letter at 2.
125 See ASA Letter at 2.
126 See SIFMA Letter II at 8.
127 See SIFMA Letter II at 11.
128 See Response Letter at 5–11.
129 Id. at 6–7. Commenters assert that the proposed Limitation of Liability Provisions are inconsistent with industry standards, citing among other things SRO limitation of liability rules which exclude protection for willful misconduct, gross negligence, bad faith or criminal acts. See SIFMA Letter at 7; LPL Financial Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2; Fidelity Letter at 2.
130 See Lewis Paper at 9–10; SIFMA Letter at 8; LPL Financial Letter at 2; Raymond James Letter at 2; FIA PTG Letter at 2; Virtu Letter at 4; SIFMA Letter II at 7.
131 See Lewis Paper at 10.
132 See Response Letter at 7 (citing SIFMA Letter at 7–8); Second Response Letter at 4; 13–15.
133 See Second Response Letter at 4, 13–15. The Participants assert that the proposed Limitation of Liability Provisions are consistent with SRO limitation of liability rules, emphasizing that under those rules the SROs generally have the discretion, but not obligation, to compensate harmed Industry Members, and that this discretion only applies in very limited circumstances—namely, for system failures that impact the execution of individual orders. See Response Letter at 5–6. The Participants also note that during negotiations, the Participants submitted to SIFMA a term sheet that provided for a discretionary compensation mechanism modeled after SRO rules, which was rejected by SIFMA. See Response Letter at 6. See also Second Response Letter at 13–14. The Participants state that no SRO limitation of liability rule contemplates SRO liability for “catastrophic” damages resulting from the theft of Industry Members’ proprietary trading algorithms. See Response Letter at 6.
134 See Response Letter at 6–7. Thus, the Participants believe that these provisions would not provide for liability against the self-regulatory organizations in the event of a data breach. Id. at 7–8. See also Second Response Letter at 13–14 (stating that SRO rules that contain exclusions generally are modified by other rules that broadly prohibit Industry Members from suing the exchanges or their representatives, except for violations of the federal securities laws for which a private right of action exists, and thus the Participants do not believe these provisions would provide for liability against the SROs in the event of a data breach).
135 See, e.g., Response Letter at 9; CRA Response at 18.
136 See Response Letter at 9; Second Response Letter at 4, 14–15. According to the Participants, although they, CAT LLC, and FINRA CAT may ultimately be found not liable, such litigation would be expensive, time-consuming, would distract Participants from their regulatory oversight mandate, and may open the doors of discovery to potentially malicious actors. See Response Letter at 9.
137 See CRA Response at 18. The CRA Response also argues that including commenters’ proposed exclusions to the Proposed Limitation on Liability Provisions would potentially generate substantial litigation and that reducing expected liability costs may provide additional resources to enhance CAT’s cyber security, purchase more cyber liability insurance (as it becomes available), or invest in competing CAT priorities. See CRA Response at 18–19.
138 See Response Letter at 9. The Participants note that enforcement actions could be brought for cybersecurity-related violations (e.g., failure to comply with Regulation SCI) and violations of the CAT NMS Plan (e.g., for violating the CAT NMS Plan by using CAT Data for non-regulatory purposes). See id. at 25–26. The Participants also state that the purpose of the CAT and the Participants’ mandate under the CAT NMS Plan is the fulfillment of regulatory functions, and not operation in connection with business activities. Id. at 22. In addition, the CRA Response states that the comment letters do not acknowledge that behavior falling into these categories is already subject to enforcement by the Commission. See CRA Response at 18.
139 See infra Section IV.A.
140 See Citadel Letter at 6; SIFMA Letter at 9; LPL Financial Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2; Virtu Letter at 5. One commenter states that the CRA Paper does not provide any support for the argument that broker-dealers should be accountable for the wrongdoing or misuse of data by SRO employees or contractors. See ASA Letter at 2.
141 See CRA Response at 19. As noted earlier, Participants also state that the CRA Paper did not make any assumptions regarding the identity of potential bad actors or where they may work, and the CRA Paper was not intended to predict every possible scenario, but instead intended to provide an illustrative framework to assess the economic exposures that flow from the gathering, storage, and use of CAT Data. See Response Letter at 15–16 (citing CRA Paper 2).
142 See CRA Response at 20.
143 As discussed above, a number of factors impact the Participants’ incentives to invest in, or prioritize, the security of the CAT. See Section IV.B., supra. The Commission does not believe that the Participants have met their burden of establishing that it is appropriate to foreclose liability to Industry Members for potential claims arising from “gross negligence, willful misconduct, bad faith, or criminal acts” because of the Commission’s regulatory enforcement regime and the potential for severe reputational harm.
144 See notes 104 and 105, supra, and accompanying text.
145 See Section IV.B, supra.
146 17 CFR 201.700(b)(3); 17 CFR 242.608(b)(2).

V. Impact on Efficiency, Competition, and Capital Formation

In determining whether to approve a CAT NMS Plan amendment, and whether such amendment is in the public interest, Rule 613 requires the Commission to consider the potential effects of the proposed amendment on efficiency, competition and capital formation.147 The Commission has reviewed the arguments about such effects put forth by the Participants and commenters and independently analyzed the likely effects of the Proposed Amendment on efficiency, competition and capital formation. Many of those effects hinge on assumptions about the applicability of the doctrine of regulatory immunity in the case of litigation related to a breach of CAT Data, the influence of such immunity on the incentives of the Participants to protect the CAT Data, and the potential redundancy of a limitation on liability if immunity applies. Commenters have addressed the applicability of this doctrine directly in their comments,148 many of which relate to two studies: the CRA Paper submitted by the Participants as part of their filing, and the Lewis Paper submitted by SIFMA as part of its commentary;149 both of these studies make assumptions regarding regulatory immunity that impact their respective conclusions. In the case of the CRA Paper, many conclusions stem from an assumption that regulatory immunity would not apply and thus Participants would be faced with significant risk of litigation in the case of a CAT data breach that resulted from the collection of CAT Data into the central repository or the use of that CAT Data by a Participant that was performing its regulatory duties. In the case of the Lewis Paper, many of the conclusions are based on an assumption that, if the Proposed Amendment were allowed, Industry Members, as opposed to Participants, would bear significant liability in the case of a data breach because the limitation of liability would be absolute; the Lewis Paper does not address the doctrine of regulatory immunity150 as it might apply to Participants.151

In summary, the Commission believes that, if approved, the Proposed Amendment would likely have significant negative effects on efficiency, though minor positive effects that are unlikely to significantly mitigate the negative effects are also discussed below.152 The Commission believes the Participants are best poised due to information asymmetry to understand the risks inherent in collecting and using CAT Data, and, because of moral hazard, to mitigate those risks through operational measures to promote CAT data security and securing insurance to mitigate financial risks associated with CAT data security. Efficiency is likely to be reduced to the extent the Proposed Amendment disincentivizes the Participants from investing in CAT data security and thus potentially increases the likelihood of a data breach. The Commission believes this effect would be only partially mitigated as discussed below and believes the net effect may remain significant. The Commission believes that the Proposed Amendment might have negative effects on competition and capital formation, but believes these effects would be partially mitigated. These conclusions are discussed in the analysis which follows.

A. Efficiency

The Commission believes that the Proposed Amendment would likely have a significant effect on efficiency, although minor positive effects that are unlikely to significantly mitigate the negative effects are also discussed below.

147 17 CFR 242.613(a)(5).
148 See, e.g., Citadel Letter at 1, 3–5; SIFMA Letter at 8; LPL Financial Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2.
149 See Lewis Paper, supra, note 27.
These mixed effects would likely be dominated by the negative effects of reducing the Participants’ incentives to invest in CAT data security. Generally, the Commission believes that the Proposed Amendment would reduce the Participants’ incentives to invest in CAT data security. The Commission believes that taking measures that may prevent a data breach is inherently more efficient than remediating the consequences of a data breach after it has occurred.153 Consequently, liability rules that incentivize appropriate security measures are likely to increase efficiency while rules that potentially disincentivize Participants from securing CAT Data may reduce efficiency. As noted, the magnitude of this effect hinges on the Participants’ beliefs about the applicability of the doctrine of regulatory immunity.

150 The Commission recognizes that the Participants believe regulatory immunity would apply in the event of a breach concerning CAT Data (see Response Letter at 23; Second Response Letter at 4), but the Participants also believe that there is no guarantee that all courts will agree that the Participants’ immunity extends to the claims at issue. The Commission acknowledges that beliefs about regulatory immunity may influence the outcomes it describes in this analysis.
151 See, e.g., Lewis Paper at 4.
152 See Section V.A., infra.
If the Participants do not believe regulatory immunity applies to all aspects of their collection and use of CAT Data, or have significant uncertainty that it would apply to some or all aspects, the Proposed Amendment would represent to the Participants a shift of liability from the Participants to Industry Members, the magnitude of which would be a function of the level of Participant uncertainty about their regulatory immunity.154 Absent the Proposed Amendment, the Participants might make further investments in data security beyond those mandated by the CAT NMS Plan and Commission rulemakings, such as implementing internal controls designed to decrease the likelihood of misuse of CAT Data. But the assurance of limited liability provided by the Proposed Amendment could disincentivize such actions or even incentivize a reduction in existing investments in cybersecurity.

The CRA Paper maintains that additional investment in security, such as providing additional insurance, may not be efficient. The CRA Paper states, “. . . the prospect of litigation arising from the absence of the limitation on liability provision has the prospect for prompting overpayment for cyber security on the part of the CAT and the Plan Processor beyond the economically optimal level of protection, despite the analysis we present above suggesting that such litigation would provide no incremental benefit. The prospect of third-party litigation may prompt CAT LLC to expend resources on cyber security systems that supplement the detailed (and regularly updated) framework implemented by the Commission, but that do not reduce the cyber risk commensurate with the costs.”155 The CRA Paper further argues that the threat of third-party litigation may result in risk-aversion that prevents the Participants from adopting policies or technologies that decrease costs or increase efficiencies.156

The Commission agrees with the CRA Paper that there are likely to exist certain security investments that do not provide sufficient benefits to warrant their adoption, particularly in light of the Commission’s belief that investors may ultimately bear the costs of these investments—as well as costs of potential litigation.157 However, the Commission disagrees that litigation risk provides no incremental benefit because the threat of such litigation may incentivize the Participants to implement security measures such as the adoption of internal controls that decrease the likelihood of an employee or contractor making commercial or other misuse of CAT Data.158 Further, the Commission recognizes that while the Participants face costs in the event of a CAT data breach, these costs are likely to fall upon broker-dealers and investors as well, while these groups have limited ability to participate in decisions related to investments in CAT security. This partitioning of decision-making authority from the financial consequences of the decision creates an agency problem that may limit the Participants’ incentives to select the welfare-maximizing level of security investment. This agency problem may be partially mitigated by the Participants’ perception of litigation risk in the event of a data breach by better aligning their incentives regarding security decisions with other parties that are likely to be harmed if such a breach occurs.

153 See, e.g., Securities Exchange Act Release No. 89632 (Aug. 21, 2020), 85 FR 65990, 66091 (Oct. 16, 2020) (proposing amendments to the CAT Plan to enhance data security).
154 The proposed Limitation of Liability Provisions would limit liability to $500 per CAT Reporter or CAT Reporting Agent in a calendar year. See Notice, supra note 5, 86 FR at 593. See Section V.A, infra, for discussion of liability for Industry Members that do not carry customer accounts.
The Commission recognizes that the risk of the Proposed Amendment disincentivizing the Participants from taking additional measures to ensure security is likely to be partially mitigated by other incentives that are not impacted by the limitation on liability. Independent of potential regulatory immunity,159 Participants face significant costs, both direct and indirect, that would result from a data breach. The potential reputational consequences of a data breach would likely be severe and such a breach is likely to draw significant negative publicity, public scrutiny, and attention from regulatory and other government entities. Further, while contractual limitation of liability reduces the risk of exposure, it does not prevent enforcement actions from the Commission or litigation by parties other than Industry Members. In addition, any breach would likely cause a significant disruption to Participants’ own operations160 and some breach threats are not about compromising data but are indeed designed to disrupt operations;161 Participants are thus still incentivized to create security measures that mitigate the risk of such breaches, which likely help mitigate the risk of compromised data that could directly affect Industry Members.

However, the Commission believes that decreasing the risk of exposure that Participants face through the Proposed Amendment will likely on balance disincentivize the Participants from investing in data security, particularly if the proposed amendments increase the scope of immunity that might be expected beyond regulatory immunity.162 The Commission believes that taking measures that may prevent a data breach is more efficient than remediating the consequences of a data breach after it has occurred.163 Consequently, measures that incentivize appropriate security measures are likely to increase efficiency while measures that potentially disincentivize Participants from securing CAT Data may reduce efficiency. As noted above, several commenters express concern that shifting liability through the proposed Limitation of Liability Provisions would reduce the incentives of Participants to develop robust data security and risk mitigation mechanisms, and may even incentivize the Participants to de-prioritize data security.164 The Commission believes, however, that the degree to which the proposed amendment would disincentivize the Participants from appropriate security measures is dependent upon the Participants’ belief in the applicability of regulatory immunity to the collection and permitted uses of CAT Data in the absence of the proposed amendment. The Commission believes that uncertainty regarding liability in case of a CAT data breach thus serves as an incentive for the Participants to invest in data security to the extent that Participants believe a court might not uphold their regulatory immunity or it would be judged not to apply in a given case that was before the courts. If the Participants believe that regulatory immunity is likely to apply, the proposed amendments would serve to reduce their risk of incurring costs of litigation by reducing the likelihood of litigation by Industry Members.

Some commenters addressed the scope of the limitation of liability, considering whether Participants might be shielded from liability in commercial use of CAT Data,165 even though such use is prohibited by the CAT NMS Plan.166 Another commenter focused on the scope of the immunity more generally as it would appear to exceed the bounds of conventional regulatory immunity.167 One commenter characterized the economic structure as creating a “moral hazard” and stated that permitting litigation against Participants and their representatives when they are acting outside their regulatory capacity is “crucial” and would give the Participants very strong financial incentives to invest heavily to prevent or minimize the likelihood of such failures.168 To the extent that the scope of limitation of liability in the Proposed Amendment exceeds what might be expected from the doctrine of regulatory immunity, an expansion of the scope of activities that could be shielded from liability would potentially further disincentivize Participants from activities that promote CAT data security even if regulatory immunity applies.

The Commission also recognizes that the Proposed Amendment may reduce the risk of litigation in the event of a breach by resolving the existing uncertainty about whether the Participants could be liable; in other words, if Industry Members know they cannot recover due to the limitation of liability, regardless of the applicability of regulatory immunity, they may be less likely to sue over a breach. Such litigation would impose costs, both direct and indirect,169 on the Participants to defend themselves even if they would ultimately prevail due to regulatory immunity and those direct costs might be passed on to Industry Members and ultimately investors. The Proposed Amendment would reduce the likelihood of litigation and thus might avoid costs associated with litigation that investors would unnecessarily bear, which could improve efficiency. Additional insurance costs to Industry Members related to liability risks from the Proposed Amendment are discussed below.

While both the CRA Paper and the Lewis Paper frame their analyses from a perspective of potential litigation, the Commission notes that not all potential data breaches are amenable to litigation.

155 The CRA Paper discusses reasons why the incremental benefit from litigation from Industry Members may be reduced, but does not show that there is no incremental benefit. See Notice, supra note 5, at 616–17.
156 See Notice, supra note 5, at 617–18.
157 The Commission has the power to disallow fee amendments that might unfairly pass costs to Industry Members.
158 See note 113, supra, and referring text.
159 The Commission believes the Participants’ views on their potential regulatory immunity with regard to CAT data collection and use are immaterial to this second set of incentives because these consequences of a data breach could occur regardless of whether there could or would be litigation as a result of that breach.
160 A breach of CAT data could occur in a Participant’s own analytic or operational environment.
161 See, e.g., Raphael Satter, Up to 1,500 businesses affected by ransomware attack, U.S. firm’s CEO says, Reuters (July 6, 2021), available at https://www.reuters.com/technology/hackers-demand-70-million-liberate-data-held-by-companies-hit-mass-cyberattack-2021-07-05/.
162 See Sections V.B and V.C, supra.
163 See, e.g., Securities Exchange Act Release No. 89632 (Aug. 21, 2020), 85 FR 65990, 66091 (Oct. 16, 2020) (proposing amendments to the CAT Plan to enhance data security).
164 See, e.g., Lewis Paper at 5–9, 14; SIFMA Letter at 7, 9; LPL Financial Letter at 1; Raymond James Letter at 2; FIA PTG Letter at 2; Virtu Letter at 3; ASA Letter at 2; Fidelity Letter at 2; Citi Letter at 2.
165 See, e.g., SIFMA Letter at 8; LPL Financial Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2.
166 See, e.g., CAT NMS Plan Sections 6.5(f)(i)(A); 6.5(g).
167 See Citadel Letter at 5.
168 See Citi Letter at 2. In response, the CRA Response argues that the structure might not be considered a classic “moral hazard” due to Industry Members’ ability to monitor and influence CAT cyber security. See CRA Response at 10–11.
The Commission believes that a data breach could go undetected, particularly if such a breach were perpetrated by authorized users of the CAT System such that detection of the breach relied primarily on the Participants’ screening of their employees and contractors before providing access to CAT Data and then the monitoring of their use of CAT Data when they became authorized users.170 Such a breach could impose significant costs on Industry Members if their intellectual property (such as proprietary trading strategies) were revealed to competitors or bad actors. Consequently, the Commission believes that reducing the Participants’ existing incentives to properly invest in data security activities might disincentivize 169 Indirect costs would include opportunity costs of time and effort spent dealing with litigation. See, e.g., Notice, supra note 5, 85 FR at 617–618; Response Letter at 8–9. 170 Several commenters discussed arguments in the CRA Paper and Lewis Paper regarding ex-ante regulation versus ex-post litigation. See Citadel Letter at 1–2, 7; Lewis Paper at 7–9. An undetected breach cannot be addressed through litigation, but might be prevented by ex-ante regulation or the proper alignment of incentives in lieu of regulation. The Commission considers screening of potential users of CAT Data and monitoring their activities with CAT Data to be security activities that would be affected by Participant incentives to prevent data breaches. E:\FR\FM\04NON1.SGM 04NON1 lotter on DSK11XQN23PROD with NOTICES1 Federal Register / Vol. 86, No. 211 / Thursday, November 4, 2021 / Notices individual Participants from appropriately investing in the screening and monitoring of their own employees and contractors that will access CAT Data. This might reduce efficiency by increasing the likelihood of a breach either detected or undetected. 
In addition, the Proposed Amendment might improve efficiency by promoting the optimal level of usage of CAT Data.171 Specifically, if the Participants believe their regulatory immunity may not be recognized in litigation in the wake of a data breach, they may be incentivized to minimize their use of CAT Data to minimize opportunities for a data breach, particularly one involving their own employees or contractors. However, the Proposed Amendment might facilitate increased use levels of CAT Data by Participants by reducing the risk of exposure to litigation. Consequently, the Commission believes that the Proposed Amendment might prevent inefficiencies related to underuse of CAT Data by regulators. By contrast, to the degree that disapproval of the Proposed Amendment renders regulators more risk averse in using CAT Data to meet their regulatory obligations than they would be if the Proposed Amendment were approved, disapproval may reduce use of CAT Data by regulators. Further effects on efficiency depend upon the use of insurance by Participants and Industry Members. The Lewis Paper and the CRA Paper analyze the potential for the use of insurance by Participants and Industry Members to manage the financial risks of a potential data breach.172 Through the CRA Paper, the Participants argue that adopting the Proposed Amendment would avoid inefficiencies such as over investment in insurance beyond what would be optimal.173 The CRA Paper argues that this inefficiency would result in unnecessary costs being passed to investors without a corresponding societal benefit.174 The Lewis Paper argues that shifting the financial risks of a CAT data breach to Industry Members by limiting liability for Participants would cause them to insure against the financial consequences of a CAT data breach, which would be inefficient because Industry Members cannot give an insurer access to the CAT System to monitor or assess the security of the system. 
Consequently, according to the Lewis Paper, insurance purchased by Industry Members to cover the risk would be more expensive, and investors would ultimately bear this increased expense.175 Also, policies obtained by Industry Members would necessarily overlap, further increasing the cost of such insurance.176 Other commenters supported the position that the Participants can more efficiently obtain cyber insurance.177 The Commission agrees that the Participants are better positioned to insure against a breach both due to their ability to provide access and monitoring of the CAT System to an insurer, and because if Industry Members were to obtain insurance that would apply to a CAT data breach, such policies would overlap because the same breach event would likely impact multiple Industry Members and many investors whose data might be exposed in a breach are customers of multiple Industry Members. However, as noted by some commenters, the doctrine of regulatory immunity may already shift significant breach risk to Industry Members,178 and the Participants state that Industry Members may already shift some of their own risk of data breaches to their own customers with their own limitation of liability language in customer agreements.179 Further, as discussed above, insurance is unlikely to provide a remedy in case of breaches that go undetected. However, the Commission recognizes that if the doctrine of regulatory immunity does not apply, the Proposed Amendment would shift the financial risks of a breach to Industry Members. The Commission believes that investors are likely to bear the costs of providing security to the CAT System as well as any costs of a breach of CAT Data. However, the Commission recognizes that inefficiencies in providing security to CAT are likely to increase the costs that investors bear. 
The Commission believes that, even if the Proposed Amendment were approved, inefficiencies in the scope and maintenance of Industry Member insurance policies against a CAT data breach are likely to be minor for two reasons. First, Industry Members that carry customer accounts already face risks related to breach of customer information. The Commission believes these Industry Members actively manage the security of their environments to prevent a breach of this 175 See 171 See CAT NMS Plan Approval Order, supra note 1, at 84833–40. 172 See Lewis Paper at 11–14; Notice, supra note 5, at 618–620. 173 See Notice, supra note 5, at 617–18. 174 See Notice, supra note 5, at 617–18. VerDate Sep<11>2014 17:57 Nov 03, 2021 Jkt 256001 Lewis Paper at 11–14. Lewis Paper at 14. SIFMA Letter at 8–9; LPL Financial Letter at 2; FIA PTG Letter at 2; Raymond James Letter at 2; Virtu Letter at 3–4. 178 See Section IV.C.1, supra. 179 See Response Letter at 10. 176 See 177 See PO 00000 Frm 00155 Fmt 4703 Sfmt 4703 60945 data within their systems and acknowledges that they cannot continue to safeguard this data once this it data is reported to CAT. However, as noted by commenters, Industry Members also typically indemnify themselves with agreements that limit their liability in the case of a data breach and thus would be unlikely to increase their insurance coverage if the proposed amendments were approved. Second, any additional insurance burdens would likely to be negligible for Industry Members that carry no customer accounts because they do not risk litigation from customers. 
However to the degree that Industry Members overall would increase cyber insurance to offset this risk if the Proposed Amendment is approved, the cost of such insurance would likely to be higher than it would be if the risk were borne by Participants because Industry Members cannot facilitate the monitoring of an insurer and the policies Industry Members would purchase would necessarily be overlapping policies because investors often have accounts with multiple Industry Members and a single data breach might expose data from multiple Industry Members. Those inflated costs would ultimately be passed to investors, and the security improvements that might be facilitated by the monitoring of an insurer contracted by the Participants would be unrealized. B. Competition The Commission believes that the Proposed Amendment might have negative effects upon competition, but believes these effects would be partially mitigated. In their filing, the Participants state they do not believe the Proposed Amendment will have any impact on competition.180 However, the Commission believes that the Proposed Amendment could have negative effects on the competitive positions of some Industry Members relative to other Industry Members. Industry Members have diverse business models; some of these models employ proprietary trading strategies that might be revealed in the wake of a data breach. If such proprietary strategies were revealed, Industry Members that employed such strategies might experience loss of intellectual property that could damage their competitive positions relative to their peers. The Commission further acknowledges that a data breach could harm an Industry Member’s reputation and damage its competitive position within the markets in which it competes, particularly if customer data were released from some but not all 180 See E:\FR\FM\04NON1.SGM Notice, supra note 5, at 597. 04NON1 lotter on DSK11XQN23PROD with NOTICES1 60946 Federal Register / Vol. 86, No. 
211 / Thursday, November 4, 2021 / Notices competitors within those markets. The Commission acknowledges that robust investment in cyber security does not guarantee breaches will not occur. The likelihood of a data breach happening however, increases if Participants reduce potential additional investment in CAT data security including additional investment in cyber insurance coverage (should such coverage become available) or additional investment in the screening and monitoring of employees and contractors that have access to CAT Data. But the assurance of limited liability provided by the Proposed Amendment could disincentivize such actions. The Commission believes that Participants would remain incentivized to invest in CAT data security to some extent, even if the Proposed Amendment is approved because of the additional incentives discussed above, such as reputational damage, which would remain unaffected by the Proposed Amendment.181 The Commission further believes there might be additional competitive effects of the Proposed Amendment in the market for trading services. The Commission recognizes that Industry Members are not just the customers and members of the Participants, but are sometimes competitors of the Participants. Exchanges (all of which are Participants) compete in the market for trading services with off-exchange venues such as alternative trading systems (all of which are operated by Industry Members) and Industry Members that provide liquidity to orders off-exchange.182 Consequently, if the Proposed Amendment were to shift any of the expense of insuring against the risk of a CAT data breach from Participants to Industry Members, and if such expenses were more efficiently borne by Participants as discussed previously, the additional marginal costs incurred by Industry Members could disadvantage them in this competition to provide trading services. 
However, the Commission believes that this effect would be partially mitigated because, as discussed previously, that even under the Proposed Amendment, the Participants would remain incentivized to invest in CAT data security, and that Industry Members’ need to invest in additional insurance would be mitigated by their own use of limitation of liability agreements with their own customers.183 Section VI.A., supra. CAT Plan Approval Order, supra note 1, at 84882–89. 183 See Section VI.A., supra. C. Capital Formation The Commission believes that the Proposed Amendment might have negative effects on capital formation in markets in which Industry Members compete, but believes these effects would be partially mitigated. The Participants argue that adopting the proposed amendment would avoid inefficiencies by avoiding the increased costs that would otherwise arise,184 namely over investment in cyber security and insurance beyond what would be optimal, and underinvestment in adoption of policies or technologies that decrease costs or increase efficiencies as described in the CRA Paper. The Participants argue that avoiding these issues, by limiting liability, would promote capital formation in the U.S. securities markets. While the Commission acknowledges that an inappropriate level of riskaversion might result in these effects, if the Participants believe, as asserted in their filing, that they have regulatory immunity, the Commission believes these effects would be small because the potential shift in liability from the proposed amendments would be far less significant than anticipated in the CRA Paper. 
It is possible that capital formation could be negatively impacted by an inefficient insurance burden on Industry Members as described in the Lewis Paper.185 However, even in cases in which Participants’ regulatory immunity would not apply, the Commission does not believe the Proposed Amendment would significantly increase Industry Members’ insurance burden because, as discussed previously, many Industry Members have agreements limiting their liability with their own customers, and not all Industry Members have customers that might initiate litigation.186 The Commission recognizes, however, that the risk of a data breach can impact capital formation through routes other than inefficient insurance costs and underinvestment. If Industry Members believe that the proposed amendment would significantly reduce Participants’ incentives to invest in CAT security, Industry Members may be less incentivized to invest in intellectual property that could be compromised by a data breach, potentially reducing capital formation in liquidity provision on exchanges or in proprietary trading activities. The Commission believes this risk is partially mitigated because the 181 See 182 See VerDate Sep<11>2014 17:57 Nov 03, 2021 Jkt 256001 184 See Notice, supra note 5, at 617–18. Lewis Paper at 11–14. 186 See Section VI.A, supra. Participants are still incentivized to secure CAT Data by other incentives that are not affected by the proposed amendment.187 VI. Conclusion For the reasons set forth above, the Commission does not find, pursuant to Section 11A of the Exchange Act, and Rule 608(b)(2) thereunder, that the Proposed Amendment is consistent with the requirements of the Exchange Act and the rules and regulations thereunder applicable to an NMS plan amendment. It is therefore ordered, pursuant to Section 11A of the Exchange Act, and Rule 608(b)(2) thereunder, that the Proposed Amendment (File No. 4–698) be, and hereby is, disapproved. By the Commission. J. 
Matthew DeLesDernier, Assistant Secretary. [FR Doc. 2021–24035 Filed 11–3–21; 8:45 am] BILLING CODE 8011–01–P SECURITIES AND EXCHANGE COMMISSION [Investment Company Act Release No. 34411] Notice of Applications for Deregistration Under Section 8(f) of the Investment Company Act of 1940 October 29, 2021. The following is a notice of applications for deregistration under section 8(f) of the Investment Company Act of 1940 for the month of October 2021. A copy of each application may be obtained via the Commission’s website by searching for the file number, or for an applicant using the Company name box, at https://www.sec.gov/search/ search.htm or by calling (202) 551–8090. An order granting each application will be issued unless the SEC orders a hearing. Interested persons may request a hearing on any application by emailing the SEC’s Secretary at Secretarys-Office@sec.gov and serving the relevant applicant with a copy of the request by email, if an email address is listed for the relevant applicant below, or personally or by mail, if a physical address is listed for the relevant applicant below. Hearing requests should be received by the SEC by 5:30 p.m. on November 23, 2021, and should be accompanied by proof of service on applicants, in the form of an affidavit or, for lawyers, a certificate of service. Pursuant to Rule 0–5 under the Act, hearing requests should state the nature 185 See PO 00000 Frm 00156 Fmt 4703 Sfmt 4703 187 See E:\FR\FM\04NON1.SGM Section VI.A, supra. 04NON1

[Federal Register Volume 86, Number 211 (Thursday, November 4, 2021)]
[Notices]
[Pages 60933-60946]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-24035]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-93484; File No. 4-698]


Joint Industry Plan; Order Disapproving an Amendment to the 
National Market System Plan Governing the Consolidated Audit Trail

October 29, 2021.

I. Introduction

    On December 18, 2020, the Operating Committee for Consolidated 
Audit Trail, LLC (``CAT LLC''), on behalf of the following parties to 
the National Market System Plan Governing the Consolidated Audit Trail 
(the ``CAT NMS Plan'' or ``Plan''):\1\ BOX Exchange LLC; Cboe BYX 
Exchange, Inc., Cboe BZX Exchange, Inc., Cboe EDGA Exchange, Inc., Cboe 
EDGX Exchange, Inc., Cboe C2 Exchange, Inc., Cboe Exchange, Inc., 
Financial Industry Regulatory Authority, Inc. (``FINRA''), Investors 
Exchange LLC, Long-Term Stock Exchange, Inc., Miami International 
Securities Exchange LLC, MEMX, LLC, MIAX Emerald, LLC, MIAX PEARL, LLC, 
Nasdaq BX, Inc., Nasdaq GEMX, LLC, Nasdaq ISE, LLC, Nasdaq MRX, LLC, 
Nasdaq PHLX LLC, The NASDAQ Stock Market LLC, New York Stock Exchange 
LLC, NYSE American LLC, NYSE Arca, Inc., NYSE Chicago, Inc., and NYSE 
National, Inc. (collectively, the ``Participants,'' ``self-regulatory 
organizations,'' or ``SROs'') filed with the Securities and Exchange 
Commission (``SEC'' or ``Commission'') pursuant to Section 11A(a)(3) of 
the Securities Exchange Act of 1934 (``Exchange Act''),\2\ and Rule 608 
thereunder,\3\ a proposed amendment (``Proposed Amendment'' or 
``Proposal'') to the CAT NMS Plan that would authorize CAT LLC to 
revise the

[[Page 60934]]

Consolidated Audit Trail Reporter Agreement (the ``Reporter 
Agreement'') and the Consolidated Audit Trail Reporting Agent Agreement 
(the ``Reporting Agent Agreement'' and collectively, the ``Reporter 
Agreements'') to insert limitation of liability provisions (the 
``Limitation of Liability Provisions'').\4\ The proposed plan amendment 
was published for comment in the Federal Register on January 6, 
2021.\5\
---------------------------------------------------------------------------

    \1\ The CAT NMS Plan is a national market system plan approved 
by the Commission pursuant to Section 11A of the Exchange Act and 
the rules and regulations thereunder. See Securities Exchange Act 
Release No. 79318 (November 15, 2016), 81 FR 84696 (November 23, 
2016) (``CAT NMS Plan Approval Order'').
    \2\ 15 U.S.C. 78k-1(a)(3).
    \3\ 17 CFR 242.608.
    \4\ The Participants are requiring each CAT reporter or CAT 
reporting agent that reports order and trade data to the CAT System 
to execute a CAT Reporter Agreement or a CAT Reporting Agent 
Agreement. See, e.g., CAT FAQ O14, available at: https://www.catnmsplan.com/faq.
    \5\ See Notice of Filing of Amendment to the National Market 
System Plan Governing the Consolidated Audit Trail, Release No. 
90826 (December 30, 2020), 86 FR 591 (January 6, 2021) (``Notice'').
---------------------------------------------------------------------------

    On April 6, 2021, the Commission instituted proceedings pursuant to 
Rule 608(b)(2)(i) of Regulation NMS,\6\ to determine whether to 
disapprove the Proposed Amendment or to approve the Proposed Amendment 
with any changes or subject to any conditions the Commission deems 
necessary or appropriate after considering public comment (the 
``OIP'').\7\ On June 25, 2021, the Commission designated a longer 
period within which to conclude proceedings regarding the Proposed 
Amendment.\8\ On September 2, 2021, the Commission further designated a 
longer period within which to conclude proceedings regarding the 
Proposed Amendment.\9\ This order disapproves the Proposed Amendment.
---------------------------------------------------------------------------

    \6\ 17 CFR 242.608(b)(2)(i).
    \7\ See Securities Exchange Act Release No. 91487 (April 6, 
2021), 86 FR 19054 (April 12, 2021) (``OIP''). Comments received in 
response to the Notice and OIP can be found on the Commission's 
website at https://www.sec.gov/comments/4-698/4-698.htm.
    \8\ See Securities Exchange Act Release No. 92266 (June 25, 
2021), 86 FR 35142 (July 1, 2021).
    \9\ See Securities Exchange Act Release No. 92854 (September 2, 
2021), 86 FR 50201 (September 7, 2021).
---------------------------------------------------------------------------

II. Background

    On July 11, 2012, the Commission adopted Rule 613 of Regulation 
NMS, which required the SROs to submit a national market system 
(``NMS'') plan to create, implement and maintain a consolidated audit 
trail (the ``CAT'' or ``CAT System'') that would capture customer and 
order event information for orders in NMS securities.\10\ The 
Commission approved the CAT NMS Plan in 2016.\11\
---------------------------------------------------------------------------

    \10\ 17 CFR 242.613.
    \11\ See note 1, supra.
---------------------------------------------------------------------------

    On August 29, 2019, the Operating Committee for CAT LLC approved a 
Reporter Agreement that included a provision that would have limited 
the total liability of CAT LLC or any of its representatives to a CAT 
Reporter under the Reporter Agreement for any calendar year to the 
lesser of the total of fees paid by the CAT Reporter to CAT LLC for the 
calendar year in which the claim arose or five hundred dollars. The 
Participants required each Industry Member \12\ to execute a CAT 
Reporter Agreement before reporting data to CAT. Prior to the 
commencement of initial equities reporting for Industry Members, the 
Securities Industry and Financial Markets Association (``SIFMA'') filed 
on April 22, 2020, pursuant to Sections 19(d) and 19(f) of the Exchange 
Act, an application for review of actions taken by CAT LLC and the 
Participants (the ``Administrative Proceedings''). SIFMA alleged that 
by requiring Industry Members to execute Reporter Agreements as a 
prerequisite to submitting data to the CAT, the Participants improperly 
prohibited or limited SIFMA members with respect to access to the CAT 
System in violation of the Exchange Act. On May 13, 2020, the 
Participants and SIFMA reached a settlement and terminated the 
Administrative Proceedings, allowing Industry Members to report data to 
the CAT pursuant to a Reporter Agreement that does not contain a 
limitation of liability provision. Since that time, Industry Members 
have been transmitting data to the CAT.\13\
---------------------------------------------------------------------------

    \12\ Industry Member means a member of a national securities 
exchange or a member of a national securities association. See CAT 
NMS Plan at Section 1.1.
    \13\ For a more detailed description of the background for the 
Proposed Amendment, see Notice, supra note 5, at 591-93.
---------------------------------------------------------------------------

III. Description of the Proposal

    The Participants propose to amend the CAT NMS Plan to authorize CAT 
LLC to revise the Reporter Agreement and Reporting Agent Agreement with 
the proposed Limitation of Liability Provisions. As proposed, the 
Limitation of Liability Provisions would: (1) Provide that CAT 
Reporters and CAT Reporting Agents accept sole responsibility for their 
access to and use of the CAT System, and that CAT LLC makes no 
representations or warranties regarding the CAT System or any other 
matter; (2) limit the liability of CAT LLC, the Participants, and their 
respective representatives to any individual CAT Reporter or CAT 
Reporting Agent to the lesser of the fees actually paid to CAT for the 
calendar year or $500; (3) provide that CAT LLC, the Participants, and 
their respective representatives shall not be liable for all direct and 
indirect damages of any kind or nature; and (4) provide that CAT LLC, 
the Participants, and their respective representatives shall not be 
liable for the loss or corruption of any data submitted by a CAT 
Reporter or CAT Reporting Agent to the CAT System.\14\
---------------------------------------------------------------------------

    \14\ See Notice, supra note 5, at 593.
---------------------------------------------------------------------------

    In support of the Proposed Amendment, the Participants state, among 
other things, that: (1) The proposed Limitation of Liability Provisions 
reflect longstanding principles of allocation of liability between 
Industry Members and SROs; \15\ (2) the proposed Limitation of 
Liability Provisions ``fall squarely within industry norms'' and are 
consistent with exchange rules that limit liability for losses that 
members incur through their use of exchange facilities, provisions that 
FINRA members must agree to in order to comply with Order Audit Trail 
System (``OATS'') reporting, and other provisions in the context of 
regulatory and NMS reporting facilities; \16\ (3) previously granted 
exemptive relief that eliminated the requirement that CAT collect 
certain personally identifiable information, including social security 
numbers, makes the customer data stored in the CAT comparable to the 
data reported to other regulatory reporting facilities; \17\ (4) the 
proposed Limitation of Liability Provisions are necessary to ensure the 
financial stability of CAT because even though ``CAT LLC has obtained 
the maximum extent of cyber-breach insurance coverage available and has 
implemented a full cybersecurity program to safeguard data stored in 
the CAT,'' there is ``the potential for substantial losses that may 
result from certain categories of low probability cyberbreaches.'' \18\
---------------------------------------------------------------------------

    \15\ See Notice, supra note 5, at 593-95.
    \16\ See Notice, supra note 5, at 593-94.
    \17\ See Notice, supra note 5, at 595.
    \18\ See Notice, supra note 5, at 595.
---------------------------------------------------------------------------

    CAT LLC retained Charles River Associates to conduct an economic 
analysis of the liability issues presented by a potential CAT breach 
(the ``CRA Paper'').\19\ The Participants state that the analyses 
presented in the CRA Paper support the Participants' proposal to adopt 
a limitation of liability provision in the CAT Reporter Agreement and 
shows the importance of limiting CAT LLC's and each Participant's 
liability.\20\ The CRA Paper asserts, among other things, that, based 
on an examination of potential breach scenarios and a consideration of 
the economic and public policy elements of various regulatory and 
litigation approaches to mitigate cyber risk for the CAT, a

[[Page 60935]]

limitation of liability provision would serve the public interest by 
facilitating the regulation of the U.S. equity and option markets at 
lower overall costs and higher economic efficacy than other approaches, 
and that the proposed limitation on liability would not undermine CAT 
LLC's existing and significant incentives to protect the data stored in 
the CAT System. The CRA Paper asserts that regulation by the Commission 
already properly incentivizes the Participants to recognize and address 
the risks that a CAT cyber breach poses to third parties such as 
Industry Members. Thus, according to the Participants, permitting 
litigation by Industry Members will not meaningfully increase CAT's 
incentives to manage its exposure to cyber risk but will significantly 
increase costs, which will ultimately be passed on to retail investors. 
Because of this, the CRA Paper asserts that solely an ``ex-ante 
regulation'' approach leads to the socially optimal outcome, in 
comparison to an ``ex post litigation'' approach in which litigation 
influences behaviors before a loss-producing event occurs by assigning 
liability afterwards, or a combination of both approaches.
---------------------------------------------------------------------------

    \19\ See Notice, supra note 5, at 599-624.
    \20\ See Notice, supra note 5, at 595-597.
---------------------------------------------------------------------------

IV. Discussion

A. The Applicable Standard of Review

    Under Rule 608(b)(2) of Regulation NMS, the Commission shall 
approve a national market system plan or proposed amendment to an 
effective national market system plan, with such changes or subject to 
such conditions as the Commission may deem necessary or appropriate, if 
it finds that such plan or amendment is necessary or appropriate in the 
public interest, for the protection of investors and the maintenance of 
fair and orderly markets, to remove impediments to, and perfect the 
mechanisms of, a national market system, or otherwise in furtherance of 
the purposes of the Exchange Act.\21\ Under Rule 700(b)(3) of the 
Commission's Rules of Practice, the ``burden to demonstrate that a 
proposed rule change is consistent with the Exchange Act and the rules 
and regulations issued thereunder . . . is on the self-regulatory 
organization that proposed the rule change.'' \22\ The Commission shall 
disapprove a national market system plan or proposed amendment if it 
does not make such a finding.\23\
---------------------------------------------------------------------------

    \21\ 17 CFR 242.608(b)(2).
    \22\ 17 CFR 201.700(b)(3).
    \23\ 17 CFR 242.608(b)(2). Approval or disapproval of a national 
market system plan, or an amendment to an effective national market 
system plan (other than an amendment initiated by the Commission), 
shall be by order. Id. In addition, Rule 700(b)(3)(ii) of the 
Commission's Rules of Practice states that ``[t]he burden to 
demonstrate that a NMS plan filing is consistent with the Exchange 
Act and the rules and regulations issued thereunder that are 
applicable to NMS plans is on the plan participants that filed the 
NMS plan filing.'' 17 CFR 201.700(b)(3)(ii). ``Any failure of the 
plan participants that filed the NMS plan filing to provide such 
detail and specificity may result in the Commission not having a 
sufficient basis to make an affirmative finding that a NMS plan 
filing is consistent with the Exchange Act and the rules and 
regulations issued thereunder that are applicable to NMS plans.'' 
Id.
---------------------------------------------------------------------------

    For the reasons described below, the Commission believes that the 
Participants have not met their burden to demonstrate that the Proposed 
Amendment is consistent with the Exchange Act.\24\ Accordingly, the 
Commission cannot make the finding that the Proposed Amendment is 
necessary or appropriate in the public interest, for the protection of 
investors and the maintenance of fair and orderly markets, to remove 
impediments to, and perfect the mechanisms of, a national market 
system, or otherwise in furtherance of the purposes of the Exchange 
Act.\25\
---------------------------------------------------------------------------

    \24\ 17 CFR 201.700(b)(3).
    \25\ 17 CFR 242.608(b)(2).
---------------------------------------------------------------------------

B. Impact of Proposed Amendment on Incentives of Participants To Invest 
in Security of the CAT

    The Commission received several comments, including a letter from 
SIFMA attaching an economic analysis prepared by Craig Lewis (``Lewis 
Paper'') of the Proposed Amendment,\26\ expressing concern that 
shifting liability through a limitation of liability provision would 
reduce the incentives of Participants to develop robust data security 
and risk mitigation mechanisms, and may even incentivize the 
Participants to de-prioritize data security.\27\ Commenters also state 
that it is ``unfair'' for Industry Members to be liable for breaches of 
the CAT or CAT Data \28\ because the Participants, through CAT LLC, and 
FINRA CAT, the Plan Processor,\29\ are the parties responsible for 
controlling and securing CAT Data and Industry Members face potential 
harm due to the compromise of CAT Data over which they have no control 
and are not responsible for security.\30\ The Lewis Paper argues that 
aligning control and liability incentivizes the optimal amount of data 
security and would ultimately benefit all investors.\31\ Along the same 
lines, another commenter asserts that ``[a]ligning control and 
liability is not only fair and equitable; it is also good policy, 
because it maximizes efficiencies in managing data risks inherent in 
the CAT System.'' \32\
---------------------------------------------------------------------------

    \26\ See Letter from Ellen Greene, Managing Director, Equity and 
Options Market Structure, SIFMA, to Vanessa Countryman, Secretary, 
dated February 19, 2021, available at https://www.sec.gov/comments/4-698/4698-8394069-229410.pdf, attaching Economic Analysis of 
Proposed Amendment to National Market System Plan Governing the 
Consolidated Audit Trail, Craig M. Lewis, Ph.D., February 2021.
    \27\ See Lewis Paper at 5-9, 14; Letter from Ellen Greene, 
Managing Director, Equity and Options Market Structure, SIFMA, to 
Vanessa Countryman, Secretary, dated January 27, 2021, available at 
https://www.sec.gov/comments/4-698/4698-8298026-228278.pdf (``SIFMA 
Letter''), at 7, 9; Letter from Peggy L. Ho, Executive Vice 
President, Government Relations, LPL Financial LLC, to Vanessa 
Countryman, Secretary, dated January 27, 2021, available at https://www.sec.gov/comments/4-698/4698-8298412-228298.pdf (``LPL Financial 
Letter''), at 1; Letter from Thomas R. Tremaine, Executive Vice 
President, Chief Operations Officer, Raymond James & Associates, 
Inc., to Vanessa Countryman, Secretary, dated February 8, 2021, 
available at https://www.sec.gov/comments/4-698/4698-8347733-229000.pdf (``Raymond James Letter''), at 2; Letter from Joanna 
Mallers, Secretary, FIA Principal Traders Group, to Vanessa 
Countryman, Secretary, dated February 8, 2021, available at https://www.sec.gov/comments/4-698/4698-8345389-228979.pdf (``FIA PTG 
Letter''), at 2; Letter from Thomas M. Merritt, Deputy General 
Counsel, Virtu Financial, Inc., to Vanessa Countryman, Secretary, 
dated January 27, 2021, available at https://www.sec.gov/comments/4-698/4698-8298023-228258.pdf (``Virtu Letter''), at 3; Letter from 
Christopher A. Iacovella, Chief Executive Officer, American 
Securities Association, to Vanessa Countryman, Secretary, dated 
January 29, 2021, available at https://www.sec.gov/comments/4-698/4698-8311307-228499.pdf (``ASA Letter''), at 2; Letter from Matthew 
Price, Fidelity Investments, to Vanessa Countryman, Secretary, dated 
February 2, 2021, available at https://www.sec.gov/comments/4-698/4698-8343750-228940.pdf (``Fidelity Letter''), at 2; Letter from 
Daniel Keegan, Managing Director, Head of North America Markets & 
Securities Services, to Vanessa Countryman, Secretary, dated 
February 25, 2021, available at https://www.sec.gov/comments/4-698/4698-8419819-229522.pdf (``Citi Letter''), at 2.
    \28\ ``CAT Data'' means data derived from Participant Data, 
Industry Member Data, SIP Data, and such other data as the Operating 
Committee may designate as ``CAT Data'' from time to time. See CAT 
NMS Plan at Section 1.1.
    \29\ ``Plan Processor'' means the Initial Plan Processor or any 
other Person selected by the Operating Committee pursuant to SEC 
Rule 613 and CAT NMS Plan, Article IV, Section 4.3(b)(i) and Article 
VI, Section 6.1, and with regard to the Initial Plan Processor, the 
Selection Plan, to perform the CAT processing functions required by 
SEC Rule 613 and set forth in this Agreement. See CAT NMS Plan at 
Section 1.1.
    \30\ See Lewis Paper at 3, 6; SIFMA Letter, at 4; FIA PTG 
Letter, at 1 (stating it ``supports the comments previously filed by 
SIFMA''); Raymond James Letter, at 2 (stating that it ``strongly 
supports the points raised by SIFMA in their letter.''); LPL 
Financial Letter, at 1; ASA Letter, at 2; Virtu Letter, at 2; 
Fidelity Letter, at 2; Citi Letter, at 2; Letter from Ellen Greene, 
Managing Director, Equity and Options Market Structure, SIFMA, to 
Vanessa Countryman, Secretary, dated May 3, 2021 (``SIFMA Letter 
II'') at 2, 4; Letter from Kelvin To, Founder and President, Data 
Boiler Technologies, LLC, to Vanessa Countryman, Secretary, dated 
May 3, 2021 (``Data Boiler Letter II'') at 5.
    \31\ See Lewis Paper at 5-7; see also SIFMA Letter II at 2-3, 9-
10.
    \32\ See SIFMA Letter at 4. One commenter states that the CAT 
System is a particularly attractive target for nation states and 
other bad actors that have become increasingly sophisticated, which 
could lead to significant harm to market participants, serious 
competitive harm to Industry Members, and significant legal risk and 
potential liability. See SIFMA Letter II at 9.

---------------------------------------------------------------------------

[[Page 60936]]

    Commenters argue that the CRA Paper's specific conclusion that ex-
ante regulation is most appropriate is wrong, and that CAT 
cybersecurity would benefit from both ex-ante regulation and ex-post 
litigation.\33\ Another commenter characterizes shifting liability to 
Industry Members who, unlike SROs, have no control over the security of 
the CAT as creating a ``moral hazard'' and states that permitting 
litigation against Participants and their representatives when they are 
acting outside their regulatory capacity is ``crucial'' as it would 
give the Participants very strong financial incentives to invest 
heavily to prevent or minimize the likelihood of such failures.\34\ 
Similarly, the Lewis Paper asserts that liability for potential 
litigation would mitigate the moral hazard problem for CAT LLC and make 
CAT LLC more willing to invest in improvements in data security and 
more quickly react to changing trends and threats in cybersecurity.\35\
---------------------------------------------------------------------------

    \33\ See Letter from Stephen John Berger, Managing Director, 
Global Head of Government & Regulatory Policy, Citadel Securities, 
to Vanessa Countryman, Secretary, dated February 23, 2021, available 
at https://www.sec.gov/comments/4-698/4698-8411798-229501.pdf 
(``Citadel Letter''), at 1-2, 7; Lewis Paper at 7-9. SIFMA states 
that the Lewis Paper, submitted by SIFMA, concludes that the 
Proposal would reduce investor welfare by: (1) Providing less 
incentive to the SROs as the operators of the CAT to invest in data 
security to protect investors' personally identifiable information 
and trading data in the CAT, which would place investors at greater 
risk of having their data compromised; and (2) leading to the 
inefficient purchase of insurance with additional costs likely 
passed downstream to investors by requiring industry members to 
absorb litigation-related expenses for an event over which they have 
no direct control. See SIFMA Letter II at 3.
    \34\ See Citi Letter at 2, 7, 9-10.
    \35\ See Lewis Paper at 7-9.
---------------------------------------------------------------------------

    In response to the Lewis Paper's contention that the threat of ex-
post litigation is necessary, the CRA Response asserts that the 
``inconsequential and speculative'' benefits of litigation in addition 
to the existing regulatory regime do not exceed the likely substantial 
costs.\36\ The CRA Response further asserts that there is no asset 
reserve on the balance sheet of CAT LLC sufficient to cover a 
substantial cyber loss, and thus, adding a threat of litigation may not 
provide any additional incentives to invest in preventative care.\37\
---------------------------------------------------------------------------

    \36\ See Report from Charles River Associates, ``CRA Response 
to: Economic Analysis of Proposed Amendment to the National Market 
System Plan Governing the Consolidated Audit Trail by Craig M. 
Lewis, Ph.D. and Selected Points in Public Comment Letters,'' dated 
April 5, 2021, available at https://www.sec.gov/comments/4-698/4698-8634778-230925.pdf (``CRA Response'') at 9. The CRA Response further 
states that the Lewis Paper mischaracterized this argument as 
meaning that the CRA Paper said there are no benefits to adding the 
threat of litigation. Id.
    \37\ See CRA Response at 4. See also CRA Response at 9 (stating 
that CAT LLC's ``cost-only business model'' provides no mechanism to 
establish safety reserves that might allow it to build a cash 
reserve to pre-fund catastrophic losses from a cyber breach).
---------------------------------------------------------------------------

    The Participants argue that securities industry norms do not 
support the principle that the party in possession of data should bear 
liability in the event of a data breach, particularly where the parties 
in possession of the data are acting in regulatory capacities pursuant 
to Commission rules.\38\ In this regard, the Participants state that 
Industry Members, despite controlling sensitive data that could be 
compromised during a data breach, ``routinely'' disclaim liability to 
their underlying customers including their own retail customers in 
certain cases.\39\
---------------------------------------------------------------------------

    \38\ See Letter from Michael Simon, CAT NMS Plan Operating 
Committee Chair, to Vanessa Countryman, Secretary, dated April 1, 
2021 (``Response Letter''), at 10.
    \39\ See Response Letter at 10; see also id. at 20 (stating that 
the Lewis Paper does not address the fact that Industry Members 
routinely disclaim liability to those underlying customers).
---------------------------------------------------------------------------

    The Participants also assert that the Commission's regulatory 
regime, backed by its examination and enforcement functions, provides 
valuable incentives for the Participants, CAT LLC and FINRA CAT to take 
adequate cyber security precautions.\40\ These incentives include the 
Commission's enforcement regime, severe reputational harm, financial 
and reputational harm to Amazon Web Services, satisfying underwriting 
standards, and the fact that a data breach could compromise the 
Participants' ability to use CAT Data.\41\ The Participants believe 
that commenters have not offered any explanation as to why the 
Commission's regulatory regime--which includes cybersecurity protocols 
developed and refined based on feedback from Industry Members--is 
insufficient to ensure adequate cybersecurity for CAT Data, or what 
deficiencies in the Commission's oversight necessitate that Industry 
Members be afforded an unprecedented private right of action against 
their regulators.\42\ The Participants further argue that commenters 
have not demonstrated that the Commission lacks the ability to 
adequately regulate the CAT and the Participants, and that allowing 
Industry Member litigation would not result in any meaningful benefit 
to the CAT's cybersecurity.\43\ In addition, the CRA Response states 
that the Lewis Paper disregards the potential for enforcement action by 
the Commission against Participants and does not recognize that 
regulatory and reputational considerations motivate appropriate ex-ante 
actions to reduce risk.\44\
---------------------------------------------------------------------------

    \40\ See, e.g., Letter from Michael Simon, CAT NMS Plan 
Operating Committee Chair, to Vanessa Countryman, Secretary, dated 
May 18, 2021, available at https://www.sec.gov/comments/4-698/4698-8811359-238002.pdf (``Second Response Letter''), at 3, 5-7. The 
Participants state that CAT LLC, the Participants and FINRA CAT are 
subject to stringent oversight by the Commission. In addition, the 
Division of Examinations examines FINRA CAT's and the Participants' 
cybersecurity policies, procedures, systems, and controls. See 
Second Response Letter at 6-7 (also citing Second Circuit decision 
in support).
    \41\ See Second Response Letter at 5-6. See also CRA Response at 
1, 3-4, 6-7, 10.
    \42\ See Response Letter at 26.
    \43\ See Second Response Letter at 3.
    \44\ See CRA Response at 5-6. The CRA Response states that there 
are several weaknesses with the Lewis Paper's and the Citadel 
Letter's argument that litigation as well as regulation is necessary 
to give CAT LLC an added incentive to stay ahead of the Commission's 
regulation since the underlying technology changes come too fast for 
the Commission to keep its regulatory apparatus up to date: (1) 
Lewis and Citadel ignore that Participants and FINRA CAT are 
required to monitor CAT's cyber security and promptly address 
vulnerabilities in accordance with Commission regulation; (2) 
Industry Members can influence CAT LLC and the Commission regarding 
cybersecurity as a result of CAT LLC governance and operating 
mechanisms; (3) the Commission has unique access to highly sophisticated 
cyber security and cyber warfare assets, which give them access to 
the most up-to-date technology; (4) CAT's technology suppliers 
(e.g., AWS) have reputational incentives to maintain CAT cyber 
defenses; (5) the ability to litigate might increase CAT cyber risk 
by potentially weakening Industry Members' incentives to provide 
feedback to the Participants; (6) Participants still face litigation 
risk including from Commission enforcement actions. See CRA Response 
at 13-14.
---------------------------------------------------------------------------

    Commenters also state that the CRA Paper suggests certain 
mechanisms, such as a third-party compensation program, cyber-related 
industry loss warranties or cyber catastrophe bonds that could be used 
in the event of a CAT breach to compensate third parties, but the SROs 
have not proposed the adoption of any of these mechanisms.\45\ These 
commenters believe that without liability risk, CAT LLC and the SROs 
will have no incentive to develop any mechanisms for compensating third 
parties injured if the CAT System is breached or CAT Data is misused 
while under the control of CAT LLC and the SROs.\46\ These commenters 
assert that the Participants are effectively conceding that without 
these other mechanisms described in the CRA Paper, the current 
regulatory regime is insufficient to protect parties that are injured 
as a result of a CAT breach.\47\
---------------------------------------------------------------------------

    \45\ See SIFMA Letter at 10; LPL Financial Letter at 1; FIA PTG 
Letter at 2; Raymond James Letter at 2.
    \46\ See id.
    \47\ See id.

---------------------------------------------------------------------------

[[Page 60937]]

    The Participants acknowledge that the CRA Paper explains that the 
regulatory regime is generally silent with respect to the most 
efficient method to compensate injured parties and that the CRA Paper 
offered several suggestions to cover potential losses including 
insurance, industry loss warranties, and catastrophe bonds.\48\ The 
Participants, however, state that they are willing to discuss any of these 
compensation mechanisms with Industry Members and they would welcome a 
discussion with the Commission to address the viability of these 
mechanisms and how they might be funded.\49\
---------------------------------------------------------------------------

    \48\ See Response Letter at 27 (citing CRA Paper at 50-53).
    \49\ See Response Letter at 27-28. The Participants also state 
that creating mechanisms to compensate Industry Members in the event 
of a data breach would not obviate the need for the proposed 
Limitation of Liability Provisions. See id. at 28.
---------------------------------------------------------------------------

Cyber Insurance
    Commenters assert that the proposal would allow CAT LLC to under-
invest in data security and cyber insurance.\50\ Commenters argue that 
the Proposed Limitation of Liability Provisions would ultimately result 
in higher costs borne by investors.\51\ According to commenters, under 
the proposal, every firm submitting data to the CAT System would 
effectively be forced, where possible, to obtain its own insurance to 
address the same core risks of data breach or misuse within the CAT 
System, and CAT LLC and the Participants may not be appropriately 
incentivized to invest in insurance and other risk mitigation 
mechanisms.\52\ Commenters believe that it would be more appropriate 
for CAT LLC to purchase insurance instead of Industry Members each 
purchasing the same overlapping policies.\53\ One of these commenters 
argues that CAT LLC is able to insure more efficiently than Industry 
Members because CAT LLC has access to and control over CAT Data and 
systems and can subject itself to monitoring by an insurer.\54\ One 
commenter states that while the Participants assert that CAT LLC has 
obtained the ``maximum extent of cyber-breach insurance coverage,'' the 
Participants have not disclosed any information about the extent or 
cost of the coverage obtained,\55\ and do not analyze whether 
Participants should seek insurance or the effect such insurance could 
have on the Participants' incentives to protect data that they extract 
from the CAT and store outside the CAT.\56\ The commenter states that 
it is not at all clear that CAT LLC could not obtain additional 
insurance.\57\
---------------------------------------------------------------------------

    \50\ See SIFMA Letter II at 2-3, 9-10; Lewis Paper.
    \51\ See SIFMA Letter II at 2-3, 9-10; Lewis Paper.
    \52\ See SIFMA Letter II at 10. See also Data Boiler Letter II 
at 3 (provisions discourage Participants from advancing the security 
and design of CAT and CAT Data).
    \53\ See Lewis Paper at 11; SIFMA Letter at 4-5, 8-9, 10-11; 
Virtu Letter at 3. See also LPL Financial Letter at 1; FIA PTG 
Letter at 2; Raymond James Letter at 2. One commenter expresses 
skepticism that Industry Members could even obtain insurance 
policies under the current CAT System construct, because Industry 
Members have no control over the data they are by law required to 
submit, its security or the CAT System. See Virtu Letter at 3.
    \54\ See Lewis Paper at 12-13. See also SIFMA Letter at 4-5 
(stating that requiring Industry Members to pay for and implement 
separate and overlapping insurance policies, if available, is 
inefficient and would result in substantially higher costs borne by 
Industry Members and by extension their customers).
    \55\ See SIFMA Letter II at 9.
    \56\ See Citadel Letter at 7-8. See also Lewis Paper at 13-14.
    \57\ See SIFMA Letter II at 9. SIFMA also discusses the state of 
negotiations with the Participants. See SIFMA Letter II at 11.
---------------------------------------------------------------------------

    The Participants reiterate that CAT LLC has purchased the maximum 
amount of cyber insurance coverage that the current market will 
reasonably provide. The Participants also state that they will 
regularly evaluate CAT LLC's insurance and intend to purchase 
additional coverage to the extent it becomes reasonably available.\58\ 
The Participants argue that disclosing the amount of insurance 
purchased by CAT LLC could potentially incentivize bad actors to target 
the CAT with ransom demands.\59\ The Participants assert that CAT LLC 
is not equipped to compensate Industry Members in the event of a data 
breach because funding is designed to cover costs only and it is 
difficult to imagine how CAT LLC could ensure solvency if substantial 
exclusions are included in a limitation of liability.\60\ The CRA 
Response states that the Lewis Paper's conclusion that the Participants 
should purchase additional cyber-insurance relies on two propositions 
for which the Lewis Paper provides no basis: (1) CAT LLC can purchase 
additional and more targeted cyber insurance to pre-finance possible 
cyber claims from Industry Members and that (2) the decrease in cyber 
security risks and insurance rates to Industry Members would outweigh 
the increase in CAT LLC's cyber insurance rates.\61\
---------------------------------------------------------------------------

    \58\ See Second Response Letter at 17.
    \59\ See Second Response Letter at 17. The Participants noted 
that they were reviewing a May 3, 2021 term sheet from SIFMA setting 
forth terms upon which Industry Members would be willing to resolve 
the dispute regarding the allocation of liability in the event of a 
CAT data breach. Id.
    \60\ See Second Response Letter at 15.
    \61\ See CRA Response at 5.
---------------------------------------------------------------------------

    The CRA Response asserts that the Lewis Paper's claim that the 
Limitation of Liability Provisions will force clients' claims onto 
Industry Members and burden Industry Members with purchasing additional 
insurance coverage is erroneous.\62\ Specifically, according to the CRA 
Response, the Lewis Paper does not explain how Industry Members' 
clients can sue Industry Members for a cyberbreach of CAT, does not 
consider that many Industry Members have similar provisions in their 
customer agreements, and does not explain how an insurer would write 
liability coverage for Industry Members paying claims to clients for an 
adverse cyber event.\63\ In addition, the CRA Response states that the 
Lewis Paper and commenters assume, without support, that Industry 
Members will face litigation risk from customers due to a cyberbreach 
at the CAT.\64\
---------------------------------------------------------------------------

    \62\ See CRA Response at 5-6.
    \63\ See CRA Response at 5-6. However, purchasing cyber 
liability insurance to protect against potential first-party risk 
exposure might be part of a reasonable and sound approach to 
managing first-party risk exposure. Id. at 13.
    \64\ See CRA Response at 13.
---------------------------------------------------------------------------

Visibility and Input of Industry Members Into the Security of the CAT
    One commenter argues that the CRA Paper significantly 
overemphasizes the visibility and input into the workings of CAT 
provided to the industry, and asserts that there is no visibility into 
the security aspects of CAT.\65\ The Participants state that Industry 
Members have had extensive opportunities to provide input regarding the 
CAT's cybersecurity at every stage of the development and operation of 
the CAT.\66\ The CRA Response states that commenters fail to 
acknowledge that providing Industry Members a right to litigate may 
reduce Industry Members' incentives to undertake their monitoring and 
influencing activities in favor of relying upon the threat of 
litigation, thereby weakening the overall cyber program of the CAT.\67\ 
The CRA Response also states that limiting Industry Members' ability to 
recover damages provides greater incentives for them to provide 
feedback to CAT management through the Advisory Committee.\68\
---------------------------------------------------------------------------

    \65\ See Citadel Letter at 9.
    \66\ See Response Letter at 14. This includes prior to approval 
of the CAT NMS Plan, feedback through the Advisory Committee, and 
the ability of Industry Members to directly petition the Commission 
or provide comments on any proposals offered by the Commission. Id.
    \67\ See CRA Response at 2, 9, and 11.
    \68\ See CRA Response at 19. The Participants also assert that 
Industry Members have ample opportunities to contribute their 
perspectives regarding the CAT's cybersecurity. See Second Response 
Letter at 10.

---------------------------------------------------------------------------

[[Page 60938]]

Regulatory Immunity
    Commenters argue that the SROs have failed to explain why 
limitation of their liability should be imposed by contract because the 
SROs have immunity from liability when acting in a regulatory 
capacity.\69\ Commenters further assert that the effort to impose 
liability limitations by contract ``raises significant questions about 
whether the SROs seek to avoid liability in circumstances in which they 
misuse CAT Data while acting in a commercial capacity.'' \70\ Another 
commenter frames the issue as not whether the Participants should be 
liable for conduct undertaken during the course of their regulatory 
responsibilities, but whether the Participants should be insulated from 
potential liability for activities not covered by regulatory 
immunity.\71\ One commenter states that it believes that court 
precedent ``strongly indicates that the courts are likely to view any 
regulatory activity the SROs conduct through CAT LLCs as being subject 
to this judicial immunity even though it is being conducted in a legal 
entity that is separate from the SROs.'' \72\
---------------------------------------------------------------------------

    \69\ See Citadel Letter at 1, 3-5; SIFMA Letter at 8; LPL 
Financial Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 
2; SIFMA Letter II at 5, 6-7.
    \70\ See SIFMA Letter at 8. See also LPL Financial Letter at 1; 
FIA PTG Letter at 2; Raymond James Letter at 2.
    \71\ See Citadel Letter at 5.
    \72\ See SIFMA Letter II at 7. See also Data Boiler Letter II at 
4.
---------------------------------------------------------------------------

    In response to comments about regulatory immunity, the Participants 
state that regulatory immunity does not preclude the use of contractual 
limitation of liability provisions and the divergent and shifting 
positions from Industry Members on the applicability of regulatory 
immunity underscore the need for a contractual limitation of 
liability.\73\ The Participants state that some comments generally 
argue that a contractual limitation of liability is unnecessary in 
light of the doctrine of regulatory immunity, while other comments 
state the Participants should not receive either regulatory immunity or 
the protection of a limitation of liability provision.\74\ The 
Participants state that the proposed Limitation of Liability Provisions 
are necessary despite any regulatory immunity because even litigation 
which holds that regulatory immunity applies may result in significant 
disruption and expense (which ultimately will be passed along to 
Industry Members as part of CAT LLC's joint funding), and there is no 
guarantee that all courts would agree that the Participants' immunity 
defense extends to the particular claims at issue.\75\ The Participants 
believe that the Proposed Limitation of Liability Provisions are 
necessary to avoid the uncertainty inherent in litigation and to avoid 
the costs associated with defending against potential lawsuits.\76\ In 
addition, litigation would be costly and resource intensive and 
ultimately distract the Participants and FINRA CAT from their important 
regulatory oversight mandate.\77\ The Participants state that several 
commenters misstate the scope of the Proposed Amendment by suggesting 
that the Proposed Amendment would extinguish liability.\78\ The 
Participants state that the Proposed Amendment only concerns the 
allocation of liability between Industry Members and the Participants 
and the Proposed Amendment would not impact the rights or obligations 
of third parties, including Industry Members' customers and would not 
extinguish the broad regulatory oversight that the Commission exercises 
over the CAT or potential investigation and potential enforcement 
action for any cybersecurity-related violations.\79\
---------------------------------------------------------------------------

    \73\ See Response Letter at 22-25; see also Second Response 
Letter at 4, 11-12. The Participants also state that SIFMA has not 
indicated that it and constituent Industry Members will abandon 
their extensive efforts to challenge the regulatory immunity 
doctrine in court or cease lobbying Congress to abrogate it by 
statute. Id. at 3-4, 11.
    \74\ See Response Letter at 21-23. The Participants state that 
SIFMA's longstanding position is that Congress should abrogate 
regulatory immunity by statute. Id. at 23-24.
    \75\ See Response Letter at 23-25. See also Second Response 
Letter at 4, 11.
    \76\ See Second Response Letter at 11-12.
    \77\ See id.
    \78\ See Response Letter at 25 (citing Citi Letter at 2 and 
SIFMA Letter at 9).
    \79\ See Response Letter at 25-26.
---------------------------------------------------------------------------

    The Participants believe that commenter concerns that the 
regulatory process might not keep pace with emerging and evolving cyber 
threats fail to consider Commission regulatory requirements and 
oversight, including the CAT NMS Plan requirement that Participants and 
FINRA CAT proactively monitor the CAT's cybersecurity and promptly 
address any vulnerabilities.\80\ The Participants state that, in 
contrast, litigation would require the Commission to share 
responsibility with the courts and is a lengthy process that is 
unlikely to outpace regulation.\81\ The Participants add that the 
Commission has means other than the formal rule-making process to 
address emerging cyber threats.\82\ In addition, the Participants 
assert that allowing Industry Member 
litigation would undoubtedly result in substantial additional costs and 
that the CRA Paper demonstrates that the costs of litigating a 
potential CAT Data breach are likely to be both substantial and 
unquantifiable on an ex-ante basis.\83\ It would also create additional 
costs and distract the Participants from the regulatory mission of CAT, 
and these costs would ultimately be passed along to investors.\84\ The 
Participants state that commenters are asking that their primary 
regulators bear any and all liability for hypothetical ``black swan'' 
cyber breaches and that such an extraordinary ask is without precedent, 
and that Participants, implementing a regulatory mandate in their 
regulatory capacities, should receive liability protections that they 
are customarily afforded when implementing their regulatory 
responsibilities pursuant to the direction and oversight of the 
Commission.\85\
---------------------------------------------------------------------------

    \80\ See Second Response Letter at 7.
    \81\ See Second Response Letter at 8.
    \82\ See Second Response Letter at 8. The Participants state 
that the Commission and its staff have ``multiple tools at their 
disposal to motivate regulated entities'' to ``expeditiously modify 
their cybersecurity regimes.'' ``For example, the Division of 
Examinations, which has prioritized cybersecurity issues, often 
releases risk alerts in response to emerging concerns.'' Id.
    \83\ See Second Response Letter at 3-4, 16.
    \84\ See Second Response Letter at 4, 16.
    \85\ See Second Response Letter at 4; see also Response Letter 
at 20 (stating that the Lewis Paper appears to advocate that CAT LLC 
should be strictly liable for all costs associated with any CAT data 
breach, regardless of the facts and circumstances, without any 
economic analysis as to why the longstanding allocation of liability 
between the Participants and Industry Members should not apply 
here). The Participants note that both the Participants and Industry 
Members are acting pursuant to Commission mandate, but the 
Participants are also fulfilling a regulatory oversight role and 
there is no basis for the Participants to assume liability. See 
Response Letter at 21. See also Second Response Letter at 4.
---------------------------------------------------------------------------

CRA Paper Does Not Capture All Data Breach Risks and Costs
    Commenters believe that the CRA Paper does not capture all data 
breach risks, stating that the CRA Paper only focuses on a breach by 
external actors and fails to address the risk of misuse of CAT Data by 
personnel at CAT LLC and the SROs.\86\ In addition, one commenter 
emphasizes that the CRA Paper focuses on databases maintained by CAT 
LLC, not the ``larger concern,'' which is the potential for hackers to 
access CAT Data from Participant

[[Page 60939]]

databases that have extracted data from the CAT.\87\ Two commenters 
further criticize the breach scenarios discussed in the CRA Paper as 
insufficient to capture the risks. One of these commenters suggests 
that a breach of CAT by foreign actors, or CAT being internally 
compromised could lead to the ``downfall'' of U.S. capital markets and 
that the breach scenarios in the CRA Paper ``grossly'' underestimate 
national security threats.\88\ Another commenter states that the CRA 
Paper ``avoids any serious discussion'' of the risk posed by ``nation 
state actors, like China and Russia.'' \89\
---------------------------------------------------------------------------

    \86\ See Citadel Letter at 6; SIFMA Letter at 9; LPL Financial 
Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2; Virtu 
Letter at 5. One commenter states that the CRA Paper does not 
provide any support for the argument that broker-dealers should be 
accountable for the wrongdoing or misuse of data by SRO employees or 
contractors. See ASA Letter at 2.
    \87\ See Citadel Letter, at 6-7.
    \88\ See Letter from Kelvin To, Founder and President, Data 
Boiler Technologies, LLC, to Vanessa Countryman, Secretary, dated 
January 27, 2021, at 1 and 6, available at https://www.sec.gov/comments/4-698/4698-8311309-228460.pdf.
    \89\ See ASA Letter at 2.
---------------------------------------------------------------------------

    Participants and the CRA Response dispute commenters' claims that 
the CRA Paper does not include all potential data breaches.\90\ The 
Participants argue that certain commenters misconstrue the CRA Paper's 
analysis.\91\ Specifically, these commenters assert that the CRA Paper 
did not address certain categories of hypothetical data breaches, and 
in particular breaches that originate from within FINRA CAT or 
Participants. The Participants state that the CRA Paper did not make 
any assumptions regarding the identity of potential bad actors or where 
they may work, and the CRA Paper was not intended to predict every 
possible scenario, but instead intended to provide an illustrative 
framework to assess the economic exposures that flow from the 
gathering, storage, and use of CAT Data.\92\ The Participants state 
that the CRA Paper concludes, in light of the CAT's extensive 
cybersecurity and other reasons, most potential breaches are relatively 
low-frequency events because they are either difficult to implement, 
unlikely to be meaningfully profitable, or both.\93\ The Participants 
also believe that the CRA Paper's conclusion that allowing Industry 
Members to litigate against CAT LLC, the Participants, and FINRA CAT 
would provide minimal benefits while imposing substantial costs is not 
undermined to the extent that commenters identify potential breaches 
that were not included in the CRA Paper's scenario analysis.\94\
---------------------------------------------------------------------------

    \90\ See Response Letter at 15. The Participants explain that 
the CRA Paper contains two principal analyses: (i) A ``scenario 
analysis'' in which it identified specific hypothetical breaches and 
assessed the relative difficulty of implementation, relative 
frequency, and conditional severity of each; and (ii) a 
consideration whether the cyber risk presented by the CAT should be 
addressed by regulation, litigation, or a combination of both 
approaches.
    \91\ See Response Letter at 15.
    \92\ See Response Letter at 15-16 (citing CRA Paper 2).
    \93\ See Response Letter at 16 (citing CRA Paper at 18-32).
    \94\ See Response Letter at 16.
---------------------------------------------------------------------------

    The Participants believe that comments that criticize the CRA Paper 
for failing to consider the costs to individual Industry Members in the 
event of a CAT Data breach are based on a misunderstanding of the 
relevant economic principles.\95\ Specifically, the CRA Paper's focus 
was on whether the risks of the use of CAT Data for regulatory purposes 
was best managed through ex ante regulation or ex post litigation, or a 
combination of both, and this analysis largely turns on identifying the 
most effective and efficient mechanisms for incentivizing CAT LLC, the 
Participants and FINRA CAT to take appropriate precautions.\96\ The 
Participants state that the CRA Paper demonstrates that the extensive 
regulatory regime that the Commission has enacted creates appropriate 
and strong incentives for the Participants to take sufficient 
cybersecurity precautions and to ensure that the CAT is secure, and 
that allowing Industry Members to litigate against Participants would 
create substantial costs without any corresponding benefit.\97\
---------------------------------------------------------------------------

    \95\ See Response Letter at 16.
    \96\ See id.
    \97\ See Response Letter at 16-17. The Participants also dispute 
an assertion that the CRA Paper delivered a ``pre-determined 
conclusion.'' See id. at 17 (citing ASA Letter at 2-3).
---------------------------------------------------------------------------

    The CRA Response states that allowing Industry Members to litigate 
against CAT LLC and Participants entails potentially substantial costs 
and uncertainty in the operation of the CAT that, ultimately, could be 
borne by Industry Members' underlying customers,\98\ as a result of the 
Commission-approved joint funding of CAT LLC by Industry Members and 
Participants, a fact the CRA Response believes that the Lewis Paper 
ignores. According to the CRA Response, a limitation of liability also 
protects Industry Members from the possibility of funding both 
catastrophic losses and substantial litigation costs.\99\
---------------------------------------------------------------------------

    \98\ See CRA Response at 8.
    \99\ See CRA Response at 2, 8.
---------------------------------------------------------------------------

    Participants and the CRA Response argue that the Lewis Paper's 
argument that CAT LLC is in a better position to insure against a CAT 
Data breach fails because, among other reasons, it is based on a 
premise that a cyberbreach would impact all Industry Members 
simultaneously \100\ and ignores the fact that CAT LLC has already 
purchased the maximum insurance coverage that was feasibly 
available.\101\ The CRA Response states that the CRA Paper's scenario 
analysis does not support the Lewis Paper's assertion that a breach is 
likely to be a single event that affects all Industry Members 
simultaneously, and the Lewis Paper does not explain why a single event 
instead of multiple events affecting subsets of Industry Members might 
make a difference.\102\ The Commission acknowledges that a number of 
factors impact the Participants' incentives to invest in, or 
prioritize, the security of the CAT. These factors include, but are not 
limited to (in no specific order): The cost of security; regulatory 
requirements, including Commission supervision and enforcement, fines, 
penalties and potential loss of their SRO licenses; reputation; the 
threat of litigation; and the amount of potential payments to those 
impacted by a security breach. Given the sensitivity of CAT Data, as 
well as the importance of the CAT for regulatory purposes, the 
Commission believes it is important to evaluate the incentives to 
invest in, or prioritize, the security of the CAT. The burden is on 
Participants to demonstrate that the Proposed Amendment is necessary or 
appropriate in the public interest, for the protection of investors and 
the maintenance of fair and orderly markets, to remove impediments to, 
and perfect the mechanisms of, a national market system, or otherwise 
in furtherance of the purposes of the Exchange Act.\103\ Accordingly, 
the Commission believes that the Participants must demonstrate that the 
Proposed Amendment satisfies this standard in light of its potential 
impact on the Participants' incentives to invest in or prioritize the 
security of CAT.
---------------------------------------------------------------------------

    \100\ The Participants state that the Lewis Paper does not 
include a scenario analysis like the CRA Paper. See Response Letter 
at 16 at 20-21.
    \101\ See CRA Response at 2, 4-5.
    \102\ See CRA Response at 16. The CRA Response also states that 
the Lewis Paper implies that a single event is unlike a typical 
situation where pooling of risk can reduce the volatility around 
claims, but the CRA Response further argues this is a narrow view as 
insurers can spread correlated risks through reinsurance contracts 
across the global insurance industry, ultimately bringing the 
benefits of diversification to all who are insured. Id.
    \103\ 17 CFR 201.700(b)(3).
---------------------------------------------------------------------------

    By essentially eliminating any potential liability to Industry 
Members in the event of a security breach, the Participants limit the 
risk to themselves should they decide to reduce their investments in 
the security of the CAT, and such a reduction could increase the 
potential for a breach of CAT or

[[Page 60940]]

unauthorized release of CAT Data. The Participants characterize one of 
the potential liabilities that they need to be insulated from as ``the 
potential for substantial losses that may result from certain 
categories of low probability cyberbreaches,'' \104\ and the CRA Paper 
estimates an exposure of at least $100 million per incident as a 
``reasonable'' estimate for a data breach scenario in which an 
algorithmic trading firm's strategy was reverse engineered, which it 
also describes as very difficult to implement and occurring 
infrequently.\105\ The Proposed Amendment would almost completely 
insulate the Participants from any liability to member firms for those 
damages. Due to potentially lower costs should such a breach occur, the 
Commission believes the proposed Limitation of Liability Provisions 
would have a negative impact on the incentives of Participants to 
secure the CAT to prevent breaches, including purportedly low 
probability events.\106\ Also, absent the proposed Limitation of 
Liability Provisions, the Participants might be incentivized to make 
further investments in data security beyond those mandated by the CAT 
NMS Plan and Commission rulemakings, such as internal controls designed 
to decrease the likelihood of misuse of CAT Data beyond the 
requirements of the CAT NMS Plan.
---------------------------------------------------------------------------

    \104\ See Notice, supra note 5, at 595.
    \105\ See Notice, supra note 5, at 597, 599-600, 603.
    \106\ See also Economic Analysis at Section V.A.
---------------------------------------------------------------------------

    The CRA Response states that the benefits of litigation in addition 
to the existing regulatory regime are ``inconsequential and 
speculative'' and do not exceed the likely substantial costs.\107\ 
However, the CRA Response acknowledges that the threat of liability 
does incentivize behavior, arguing that limiting Industry Members' 
ability to recover damages provides greater incentives for them to 
provide feedback to CAT management through the Advisory Committee.\108\ 
The Commission believes that although Industry Members do have avenues 
to provide feedback such as through the Advisory Committee, Industry 
Members do not have access to the information they would need, such as 
security audit results and design specifications, to evaluate the 
security of CAT and identify meaningful deficiencies. The Commission 
also believes that the CRA Response's argument applies to Participants, 
in that their behavior would change to the extent there is a decreased 
threat of liability. Specifically, with the proposed Limitation of 
Liability Provisions, the Participants' potential liability to Industry 
Members would decrease and thus reduce Participants' incentives to 
ensure robust cybersecurity of CAT and CAT Data in an effort to reduce 
or avoid the potential liability.
---------------------------------------------------------------------------

    \107\ See CRA Response at 9. Neither the Participants nor the 
CRA Paper or CRA Response provides specifics regarding estimated 
costs of litigation.
    \108\ See CRA Response at 19.
---------------------------------------------------------------------------

    Participants argue that security industry norms do not support the 
principle that the party in possession of the data should bear 
liability in the event of a data breach, especially when acting in a 
regulatory capacity pursuant to Commission rules,\109\ and that 
Industry Members ``routinely'' disclaim liability to their underlying 
customers.\110\ The Commission did not approve provisions in Industry 
Member contracts for OATS or Industry Member contracts with underlying 
customers. The Participants also refer to limitation of liability 
provisions in SROs' rules that were previously approved by the 
Commission.\111\ In the case of the SROs' rules, these rules relate to 
liability to members with respect to the business operations of 
exchanges and were established for different types of systems with 
different risks than the CAT.\112\ The Commission believes that given 
the amount and sensitivity of the data in the CAT System, it is 
important that the Participants' incentives to invest in robust 
cybersecurity, including potential liability in the event of a breach, 
are not reduced. Based on the record before it, the Commission believes 
that the proposed Limitation of Liability Provisions would reduce 
Participants' incentives to invest in CAT Data security.
---------------------------------------------------------------------------

    \109\ See Response Letter at 10.
    \110\ See Response Letter at 10; see also Response Letter at 20 
(stating that the Lewis Paper does not address the fact that 
Industry Members routinely disclaim liability to those underlying 
customers).
    \111\ See Response Letter at 5-7.
    \112\ CAT Data, unlike an SRO's trading data, includes 
comprehensive trading data from all exchange SROs and order and 
customer information submitted by Industry Members.
---------------------------------------------------------------------------

    The CRA Response also states that providing Industry Members a 
right to litigate may reduce Industry Members' incentives to undertake 
their monitoring and influencing activities in favor of relying upon 
the threat of litigation, thereby weakening the overall cyber program 
of the CAT.\113\ The Commission also believes that these comments 
suggest that Industry Members can have a significant role in 
determining the strength of the overall cyber program of CAT, and if a 
reduction in Industry Member ``monitoring and influencing activities'' 
would weaken the overall cyber program of the CAT, the absence of 
essentially any liability to Industry Members would also weaken the 
overall cyber program of CAT.\114\ The Participants expressed concern 
that CAT LLC is not equipped to compensate Industry Members in the 
event of a data breach because funding is designed to cover costs 
only.\115\ The Participants further assert that it is difficult to 
imagine how CAT LLC could ensure solvency if substantial exclusions are 
included in a limitation of liability.\116\ However, these are not 
compelling reasons to include the proposed Limitation of Liability 
Provisions. The Commission believes that there are mechanisms in place 
to ensure CAT LLC will not fail to compensate Industry Members or 
become insolvent. Specifically, the Participants are obligated to 
maintain a CAT and cannot dissolve CAT LLC without Commission 
approval.\117\ Due to their obligation to maintain the CAT, the 
Participants would need to fund CAT LLC by recovering any shortfall 
from the Participants and/or Industry Members.\118\ To the extent the 
Participants seek to recover any shortfall from Industry Members, the 
Commission will assess those fees to assure that they are 
reasonable.\119\
---------------------------------------------------------------------------

    \113\ See CRA Response at 2, 9, and 11.
    \114\ The CRA Response emphasizes that Industry Members and 
other interested parties are able to monitor and suggest 
improvements for CAT's cyber security and ``history is replete with 
examples.'' See CRA Response at 3-4.
    \115\ See Second Response Letter at 15.
    \116\ See Second Response Letter at 15. See also CRA Response at 
9 (stating that CAT LLC's ``cost-only business model'' provides no 
mechanism to establish safety reserves that might allow it to build 
a cash reserve to pre-fund catastrophic losses from a cyber breach).
    \117\ See CAT NMS Plan, Article X, Section 10.1.
    \118\ See CAT NMS Plan, Article XI, Section 11.1(b) and 11.2. 
Specifically, Section 11.1(b) states that subject to Section 11.2, 
the Operating Committee shall have discretion to establish funding 
for the CAT LLC, including: (i) Establishing fees that the 
Participants shall pay; and (ii) establishing fees for Industry 
Members that shall be implemented by Participants. Section 11.2 sets 
forth funding principles that the Operating Committee should 
consider in establishing the funding of the Company. Specifically, 
Section 11.2(f) states that the Operating Committee should consider 
building financial stability to support the Company as a going 
concern.
    \119\ See CAT NMS Plan, Article X, Section 11.1(b).
---------------------------------------------------------------------------

    Even in the absence of the proposed Limitation of Liability 
Provisions, the Participants may have limited liability to Industry 
Members through court-established regulatory immunity.\120\ To the 
extent it is available, regulatory

[[Page 60941]]

immunity may create the same incentive as the proposed Limitation of 
Liability Provisions for Participants to reduce their investment in CAT 
cybersecurity. Regulatory immunity, however, is not applicable in all 
scenarios (i.e., commercial use or intentional misconduct). The 
Commission does not believe that the Participants have adequately 
explained why, in cases where regulatory immunity may not be applicable 
because Participant use of CAT data is improper (e.g., commercial use 
or intentional misconduct), they should be permitted to limit their 
liability. The potential consequences of such behavior, however, could 
also fall on Industry Members who have no control over the security of 
CAT Data they have submitted to the CAT. The Commission believes that 
the presence of liability risk would provide Participants an additional 
incentive to invest in CAT data security to prevent such behavior from 
occurring.\121\ The Commission believes that the Participants have not 
met their burden to demonstrate that the Proposed Amendment is 
necessary or appropriate in the public interest, for the protection of 
investors and the maintenance of fair and orderly markets, to remove 
impediments to, and perfect the mechanisms of, a national market 
system, or otherwise in furtherance of the purposes of the Exchange 
Act.\122\
---------------------------------------------------------------------------

    \120\ See Section IV.C.1, supra. The Participants assert that 
regulatory immunity applies to their use of CAT. See Response Letter 
at 23; Second Response Letter at 4.
    \121\ See also Economic Analysis at Section V.A.
    \122\ 17 CFR 201.700(b)(3).
---------------------------------------------------------------------------

C. Breadth of the Proposed Limitation of Liability Provisions

    Several commenters are critical of the scope of the proposed 
Limitation of Liability Provisions and in particular the language that 
prohibits Industry Members from pursuing claims against CAT LLC and the 
Participants if there is ``willful misconduct, gross negligence, bad 
faith or criminal acts of CAT LLC, the SROs or their representatives or 
employees.'' \123\ As one commenter states, the proposal would shield 
the Participants from liability, ``not only for a breach of the CAT 
System by malicious third-party actors but even from the theft or other 
misuse of CAT Data by SRO employees'' and would ``effectively 
extinguish the liability of CAT LLC and the SROs even in instances of 
gross negligence or intentional misconduct.'' \124\ Another commenter 
states that the proposal ``would effectively hold brokers responsible 
for the malfeasance and incompetence of the SROs and their 
contractors'' and that this would be ``extremely unreasonable.'' \125\
---------------------------------------------------------------------------

    \123\ See SIFMA Letter at 5, 7-8. See also LPL Financial at 1; 
FIA PTG Letter at 2; Raymond James Letter at 2; Citadel Letter, at 3 
(stating that the provisions would protect Participants and their 
representatives from any and all potential misuse, including 
intentional misuse, of CAT Data); SIFMA Letter II at 8-9.
    \124\ See SIFMA Letter at 5; see also LPL Financial at 1; FIA 
PTG Letter at 2; Raymond James Letter at 2.
    \125\ See ASA Letter at 2.
---------------------------------------------------------------------------

    A commenter suggests that if the limitation of liability language 
was adopted as proposed, ``CAT LLC would only have $500 in liability if 
an SRO employee stole CAT Data and posted it on the internet.'' \126\ A 
commenter believes that liability cap should only apply when CAT LLC 
and the Participants are acting solely in their regulatory capacity, 
for which they have proposed a definition, and should exclude willful 
misconduct, gross negligence, bad faith, or criminal acts.\127\
---------------------------------------------------------------------------

    \126\ See SIFMA Letter II at 8.
    \127\ See SIFMA Letter II at 11.
---------------------------------------------------------------------------

    The Participants state that the proposed Limitation of Liability 
Provisions fall squarely within industry norms, referencing a 
comparison to the allocation of liability between Industry Members and 
SROs in other regulatory contexts, including NMS plans, regulatory 
reporting facilities, SRO rules and liability provisions that Industry 
Members use to protect themselves when they possess sensitive customer 
and transaction data.\128\ The Participants believe that the proposed 
Limitation of Liability Provisions are ``substantively identical'' to 
the liability provisions to which Industry Members regularly agree in 
connection with OATS reporting.\129\
---------------------------------------------------------------------------

    \128\ See Response Letter at 5-11.
    \129\ Id. at 6-7. Commenters assert that the proposed Limitation 
of Liability Provisions are inconsistent with industry standards, 
citing among other things SRO limitation of liability rules which 
exclude protection for willful misconduct, gross negligence, bad 
faith or criminal acts. See SIFMA Letter at 7; LPL Financial Letter 
at 1; FIA PTG Letter at 2; Raymond James Letter at 2; Fidelity 
Letter at 2.
---------------------------------------------------------------------------

    Commenters, however, dismiss comparisons made in the Proposed 
Amendment to OATS limitation of liability provisions because (1) CAT 
captures significantly more information than OATS, including personally 
identifiable information, and data reported to OATS is reported to and 
only used by FINRA; and (2) OATS does not have account-level data, 
which the CAT will collect and which could present the risk of reverse 
engineering of trading strategies.\130\ One commenter stated that the 
limitation of liability provisions for OATS were signed in 1998, and 
since then the landscape of cybersecurity has changed, and the 
frequency and scale of data breaches has increased dramatically.\131\
---------------------------------------------------------------------------

    \130\ See Lewis Paper at 9-10; SIFMA Letter at 8; LPL Financial 
Letter at 2; Raymond James Letter at 2; FIA PTG Letter at 2; Virtu 
Letter at 4; SIFMA Letter II at 7.
    \131\ See Lewis Paper at 10.
---------------------------------------------------------------------------

    In response, the Participants reject the suggestion that any 
limitation of liability provision should allow liability for willful 
misconduct, gross negligence, bad faith or criminal acts of CAT LLC, 
the SROs or their representatives or employees.\132\ The Participants 
assert that the exclusion of ``gross negligence, willful misconduct, 
bad faith, or criminal acts'' is not appropriate and would be 
inconsistent with other limitation of liability provisions for other 
NMS plans (including OATS) and SRO rules.\133\ The Participants state 
that in the limited instances in which SRO liability rules permit 
claims for gross negligence or willful misconduct, Industry Members are 
often prohibited from suing an SRO for damages unless the alleged gross 
negligence or willful misconduct also constituted a securities law 
violation for which Congress has authorized a private right of 
action.\134\ The Participants further argue that modifying the proposed 
Limitation of Liability Provisions is not supported by the CRA Paper, 
because such modifications would likely result in

[[Page 60942]]

litigation over liability \135\ and litigation to prove these elements 
even if non-existent.\136\
---------------------------------------------------------------------------

    \132\ See Response Letter at 7 (citing SIFMA Letter at 7-8); 
Second Response Letter at 4; 13-15.
    \133\ See Second Response Letter at 4, 13-15. The Participants 
assert that the proposed Limitation of Liability Provisions are 
consistent with SRO limitation of liability rules, emphasizing that 
under those rules the SROs generally have the discretion, but not 
obligation, to compensate harmed Industry Members, and that this 
discretion only applies in very limited circumstances--namely, for 
system failures that impact the execution of individual orders. See 
Response Letter at 5-6. The Participants also note that during 
negotiations, the Participants submitted to SIFMA a term sheet that 
provided for a discretionary compensation mechanism modeled after 
SRO rules, which was rejected by SIFMA. See Response Letter at 6. 
See also Second Response Letter at 13-14. The Participants state 
that no SRO limitation of liability rule contemplates SRO liability 
for ``catastrophic'' damages resulting from the theft of Industry 
Members' proprietary trading algorithms. See Response Letter at 6.
    \134\ See Response Letter at 6-7. Thus, the Participants believe 
that these provisions would not provide for liability against 
the self-regulatory organizations in the event of a data breach. Id. 
at 7-8. See also Second Response Letter at 13-14 (stating that SRO 
rules that contain exclusions generally are modified by other rules 
that broadly prohibit Industry Members from suing the exchanges or 
their representatives, except for violations of the federal 
securities laws for which a private right of action exists, and thus 
the Participants do not believe these provisions would provide for 
liability against the SROs in the event of a data breach).
    \135\ See, e.g., Response Letter at 9; CRA Response at 18.
    \136\ See Response Letter at 9; Second Response Letter at 4, 
14-15. According to the Participants, although they, CAT LLC, and FINRA 
CAT may ultimately be found not liable, such litigation would be 
expensive, time-consuming, would distract Participants from their 
regulatory oversight mandate, and may open the doors of discovery to 
potentially malicious actors. See Response Letter at 9.
---------------------------------------------------------------------------

    The CRA Response also states that the comment letters do not 
acknowledge that behavior falling in these categories is already 
subject to enforcement by the Commission.\137\ The Participants state 
that the Commission's regulatory enforcement regime and the potential 
for severe reputational harm already sufficiently incentivize the 
Participants not to engage in bad faith, recklessness, gross 
negligence, and intentional misconduct, and so adding exclusions to the 
proposed Limitation of Liability Provisions would not result in any 
meaningful improvement to the CAT's cybersecurity.\138\
---------------------------------------------------------------------------

    \137\ See CRA Response at 18. The CRA Response also argues that 
including commenters' proposed exclusions to the Proposed Limitation 
on Liability Provisions would potentially generate substantial 
litigation and that reducing expected liability costs may provide 
additional resources to enhance CAT's cyber security, purchase more 
cyber liability insurance (as it becomes available), or invest in 
competing CAT priorities. See CRA Response at 18-19.
    \138\ See Response Letter at 9. The Participants note that 
enforcement actions could be brought for cybersecurity-related 
violations (e.g., failure to comply with Regulation SCI) and 
violations of the CAT NMS Plan (e.g., for violating the CAT NMS Plan 
by using CAT Data for non-regulatory purposes). See id. at 25-26. 
The Participants also state that the purpose of the CAT and the 
Participants' mandate under the CAT NMS Plan is the fulfillment of 
regulatory functions, and not operation in connection with business 
activities. Id. at 22. In addition, the CRA Response states that the 
comment letters do not acknowledge that behavior falling in these 
categories is already subject to enforcement by the Commission. See 
CRA Response at 18.
---------------------------------------------------------------------------

    As noted in the previous section,\139\ commenters believe that the 
CRA Paper only focuses on a breach by external actors and fails to 
address the risk of misuse of CAT Data by personnel at CAT LLC and the 
SROs.\140\ The CRA Response argues that the CRA Paper did not 
specifically address the misuse of CAT Data by CAT personnel and other 
internal sources because whether a perpetrator is external or internal 
makes no difference to the scenario analysis.\141\ The CRA Response 
also argues that the purported concerns about the threat of 
``internal'' breaches are exaggerated and that all Participant users of 
CAT Data are subject to comparable cyber security procedures and 
protocols, and only trading data, not customer data, can be downloaded 
in bulk.\142\
---------------------------------------------------------------------------

    \139\ See infra Section IV.A.
    \140\ See Citadel Letter at 6; SIFMA Letter at 9; LPL Financial 
Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2; Virtu 
Letter at 5. One commenter states that the CRA Paper does not 
provide any support for the argument that broker-dealers should be 
accountable for the wrongdoing or misuse of data by SRO employees or 
contractors. See ASA Letter at 2.
    \141\ See CRA Response at 19. As noted earlier, Participants 
also state that the CRA Paper did not make any assumptions regarding 
the identity of potential bad actors or where they may work, and the 
CRA Paper was not intended to predict every possible scenario, but 
instead intended to provide an illustrative framework to assess the 
economic exposures that flow from the gathering, storage, and use of 
CAT Data. See Response Letter at 15-16 (citing CRA Paper 2).
    \142\ See CRA Response at 20.
---------------------------------------------------------------------------

    The Commission does not believe that the Participants have 
demonstrated that it is necessary or appropriate to foreclose all 
potential Industry Member claims, including those arising from ``gross 
negligence, willful misconduct, bad faith, or criminal acts'' to a 
maximum of $500 per Industry Member per calendar year as proposed.\143\ 
The Commission believes that the damages to Industry Members for 
breaches of CAT could potentially far exceed that amount, and 
Participants and the CRA Response acknowledge the possibility for low 
frequency events with extreme severity.\144\ For example, as discussed 
above, the CRA Paper estimates an exposure of at least $100 million per 
incident would be reasonable if an algorithmic trading firm's strategy 
was reverse engineered, and if the Proposed Amendment were adopted the 
Participants would only have $500 in liability to the trading firm even 
if the trading strategy was exposed through gross negligence, willful 
misconduct, bad faith, or criminal acts. This means that the proposed 
Limitation of Liability Provisions would shield the Participants from 
liability to Industry Members even if a Participant intentionally used 
CAT Data for competitive business purposes, or an employee of CAT LLC 
sold CAT Data to a foreign government.
---------------------------------------------------------------------------

    \143\ As discussed above, a number of factors impact the 
Participants' incentives to invest in, or prioritize, the security 
of the CAT. See Section IV.B., supra. The Commission does not 
believe that the Participants have met their burden of establishing 
that it is appropriate to foreclose liability to Industry Members 
for potential claims arising from ``gross negligence, willful 
misconduct, bad faith, or criminal acts'' because of the 
Commission's regulatory enforcement regime and the potential for 
severe reputational harm.
    \144\ See notes 104 and 105, supra, and accompanying text.
---------------------------------------------------------------------------

    As noted above, Participants can assert regulatory immunity to the 
extent that the doctrine applies if there is a security breach that 
exposes CAT Data and Industry Members seek damages from the responsible 
Participants.\145\ However, the Commission believes that for situations 
where regulatory immunity may not be applicable (e.g., commercial use 
or intentional misconduct), the Participants have not met their burden 
to justify a nearly complete elimination of liability to Industry 
Members as consistent with the Exchange Act and the rules and 
regulations as required by Rule 608 of Regulation NMS, as discussed 
above. The Commission cannot make a finding that the proposed amendment 
is consistent with the Exchange Act and the rules and regulations 
issued thereunder.\146\
---------------------------------------------------------------------------

    \145\ See Section IV.B, supra.
    \146\ 17 CFR 201.700(b)(3); 17 CFR 242.608(b)(2).
---------------------------------------------------------------------------

V. Impact on Efficiency, Competition, and Capital Formation

    In determining whether to approve a CAT NMS Plan amendment, and 
whether such amendment is in the public interest, Rule 613 requires the 
Commission to consider the potential effects of the proposed amendment 
on efficiency, competition and capital formation.\147\ The Commission 
has reviewed the arguments about such effects put forth by the 
Participants and commenters and independently analyzed the likely 
effects of the Proposed Amendment on efficiency, competition and 
capital formation. Many of those effects hinge on assumptions about 
the applicability of the doctrine of regulatory immunity in the case of 
litigation related to a breach of CAT Data, the influence of such 
immunity on the incentives of the Participants to protect the CAT Data, 
and the potential redundancy of a limitation on liability if immunity 
applies. Commenters have addressed the applicability of this doctrine 
directly in their comments,\148\ many of which relate to two studies: 
The CRA Paper submitted by the Participants as part of their filing, 
and the Lewis Paper submitted by SIFMA as part of its commentary; \149\ 
both of these studies make assumptions regarding regulatory immunity 
that impact their respective conclusions. In the case of the CRA Paper, 
many conclusions stem from an assumption that regulatory immunity would 
not apply and thus Participants would be faced with significant risk of 
litigation in the case of a CAT data breach that resulted from the 
collection of CAT Data into the central repository or the use of that 
CAT Data by a

[[Page 60943]]

Participant that was performing its regulatory duties. In the case of 
the Lewis Paper, many of the conclusions are based on an assumption 
that, if the Proposed Amendment were allowed, Industry Members, as 
opposed to Participants, would bear significant liability in the case 
of a data breach because the limitation of liability would be absolute; 
the Lewis Paper does not address the doctrine of regulatory immunity 
\150\ as it might apply to Participants.\151\
---------------------------------------------------------------------------

    \147\ 17 CFR 242.613(a)(5).
    \148\ See, e.g., Citadel Letter at 1, 3-5; SIFMA Letter at 8; 
LPL Financial Letter at 1; FIA PTG Letter at 2; Raymond James Letter 
at 2.
    \149\ See Lewis Paper, supra, note 27.
    \150\ The Commission recognizes that the Participants believe 
regulatory immunity would apply in the event of a breach concerning 
CAT Data (see Response Letter at 23; Second Response Letter at 4), 
but the Participants also believe that there is no guarantee that 
all courts will agree that the Participants' immunity extends to the 
claims at issue. The Commission acknowledges that beliefs about 
regulatory immunity may influence the outcomes it describes in this 
analysis.
    \151\ See, e.g., Lewis Paper at 4.
---------------------------------------------------------------------------

    In summary, the Commission believes that, if approved, the Proposed 
Amendment would likely have significant negative effects on efficiency, 
though minor positive effects that are unlikely to significantly 
mitigate the negative effects are also discussed below.\152\ The 
Commission believes the Participants are best poised due to information 
asymmetry to understand the risks inherent in collecting and using CAT 
Data, and, because of moral hazard, to mitigate those risks through 
operational measures to promote CAT data security and securing 
insurance to mitigate financial risks associated with CAT data 
security. Efficiency is likely to be reduced to the extent the Proposed 
Amendment disincentivizes the Participants from investing in CAT data 
security and thus potentially increases the likelihood of a data 
breach. The Commission believes this effect would be only partially 
mitigated as discussed below and believes the net effect may remain 
significant. The Commission believes that the Proposed Amendment might 
have negative effects on competition and capital formation, but 
believes these effects would be partially mitigated. These conclusions 
are discussed in the analysis which follows.
---------------------------------------------------------------------------

    \152\ See Section V.A., infra.
---------------------------------------------------------------------------

A. Efficiency

    The Commission believes that the Proposed Amendment would likely 
have a significant effect on efficiency, although minor positive 
effects that are unlikely to significantly mitigate the negative 
effects are also discussed below. These mixed effects would likely be 
dominated by the negative effects of reducing the Participants' 
incentives to invest in CAT data security. Generally, the Commission 
believes that the Proposed Amendment would reduce the Participants' 
incentives to invest in CAT data security. The Commission believes that 
taking measures that may prevent a data breach is inherently more 
efficient than remediating the consequences of a data breach after it 
has occurred.\153\ Consequently, liability rules that incentivize 
appropriate security measures are likely to increase efficiency while 
rules that potentially disincentivize Participants from securing CAT 
Data may reduce efficiency. As noted, the magnitude of this effect 
hinges on the Participants' beliefs about the applicability of the 
doctrine of regulatory immunity. If the Participants do not believe 
regulatory immunity applies to all aspects of their collection and use 
of CAT Data, or have significant uncertainty that it would apply to 
some or all aspects, the Proposed Amendment would represent to the 
Participants a shift of liability from the Participants to Industry 
Members, the magnitude of which would be a function of the level of 
Participant uncertainty about their regulatory immunity.\154\ Absent 
the Proposed Amendment, the Participants might make further investments 
in data security beyond those mandated by the CAT NMS Plan and 
Commission rulemakings such as implementing internal controls designed 
to decrease the likelihood of misuse of CAT Data. But the assurance of 
limited liability provided by the Proposed Amendment could 
disincentivize such actions or even incentivize a reduction in existing 
investments in cybersecurity.
---------------------------------------------------------------------------

    \153\ See, e.g., Securities Exchange Act Release No. 89632 (Aug. 
21, 2020), 85 FR 65990, 66091 (Oct. 16, 2020) (proposing amendments 
to the CAT Plan to enhance data security).
    \154\ The proposed Limitation of Liability Provisions would 
limit liability to $500 per CAT Reporter or CAT Reporting Agent in a 
calendar year. See Notice, supra note 5, 86 FR at 593. See Section 
V.A, infra, for discussion of liability for Industry Members that do 
not carry customer accounts.
---------------------------------------------------------------------------

    The CRA Paper maintains that additional investment in security, such 
as providing additional insurance, may not be efficient. The CRA Paper 
states, ``. . . the prospect of litigation arising from the absence of 
the limitation on liability provision has the prospect for prompting 
overpayment for cyber security on the part of the CAT and the Plan 
Processor beyond the economically optimal level of protection, despite 
the analysis we present above suggesting that such litigation would 
provide no incremental benefit. The prospect of third-party litigation 
may prompt CAT LLC to expend resources on cyber security systems that 
supplement the detailed (and regularly updated) framework implemented 
by the Commission, but that do not reduce the cyber risk commensurate 
with the costs.'' \155\ The CRA Paper further argues that the threat of 
third-party litigation may result in risk-aversion that prevents the 
Participants from adopting policies or technologies that decrease costs 
or increase efficiencies.\156\ The Commission agrees with the CRA Paper 
that there are likely to exist certain security investments that do not 
provide sufficient benefits to warrant their adoption, particularly in 
light of the Commission's belief that investors may ultimately bear the 
costs of these investments--as well as costs of potential 
litigation.\157\ However, the Commission disagrees that litigation risk 
provides no incremental benefit because the threat of such litigation 
may incentivize the Participants to implement security measures such as 
the adoption of internal controls that decrease the likelihood of an 
employee or contractor making commercial or other misuse of CAT 
Data.\158\ Further, the Commission recognizes that while the 
Participants face costs in the event of a CAT data breach, these costs 
are likely to fall upon broker-dealers and investors as well, while 
these groups have limited ability to participate in decisions related 
to investments in CAT security. This partitioning of decision-making 
authority from the financial consequences of the decision creates an 
agency problem that may limit the Participants' incentives to select 
the welfare-maximizing level of security investment. This agency 
problem may be partially mitigated by the Participants' perception of 
litigation risk in the event of a data breach by better aligning their 
incentives regarding security decisions with other parties that are 
likely to be harmed if such a breach occurs.
---------------------------------------------------------------------------

    \155\ The CRA Paper discusses reasons why the incremental 
benefit from litigation from Industry Members may be reduced, but 
does not show that there is no incremental benefit. See Notice, 
supra note 5, at 616-17.
    \156\ See Notice, supra note 5, at 617-18.
    \157\ The Commission has the power to disallow fee amendments 
that might unfairly pass costs to Industry Members.
    \158\ See note 113, supra, and referring text.
---------------------------------------------------------------------------

    The Commission recognizes that the risk of the Proposed Amendment 
disincentivizing the Participants from taking additional measures to 
ensure security is likely to be partially mitigated by other incentives 
that are not impacted by the limitation on liability. Independent of 
potential regulatory immunity,\159\ Participants

[[Page 60944]]

face significant costs, both direct and indirect, that would result 
from a data breach. The potential reputational consequences of a data 
breach would likely be severe and such a breach is likely to draw 
significant negative publicity, public scrutiny, and attention from 
regulatory and other government entities. Further, while contractual 
limitation of liability reduces the risk of exposure, it does not 
prevent enforcement actions from the Commission or litigation by 
parties other than Industry Members. In addition, any breach would 
likely cause a significant disruption to Participants' own operations 
\160\ and some breach threats are not about compromising data but are 
indeed designed to disrupt operations; \161\ Participants are thus 
still incentivized to create security measures that mitigate the risk 
of such breaches, which likely help mitigate the risk of compromised 
data that could directly affect Industry Members. However, the 
Commission believes that decreasing the risk of exposure that 
Participants face through the Proposed Amendment will likely on balance 
disincentivize the Participants from investing in data security, 
particularly if the proposed amendments increase the scope of immunity 
that might be expected beyond regulatory immunity.\162\
---------------------------------------------------------------------------

    \159\ The Commission believes the Participants' views on their 
potential regulatory immunity with regard to CAT data collection and 
use is immaterial to this second set of incentives because these 
consequences of a data breach could occur regardless of whether 
there could or would be litigation as a result of that breach.
    \160\ A breach of CAT data could occur in a Participant's own 
analytic or operational environment.
    \161\ See, e.g., Raphael Satter, Up to 1,500 businesses affected 
by ransomware attack, U.S. firm's CEO says, Reuters (July 6, 2021), 
available at https://www.reuters.com/technology/hackers-demand-70-million-liberate-data-held-by-companies-hit-mass-cyberattack-2021-07-05/.
    \162\ See Sections V.B and V.C, supra.
---------------------------------------------------------------------------

    The Commission believes that taking measures that may prevent a 
data breach is more efficient than remediating the consequences of a 
data breach after it has occurred.\163\ Consequently, measures that 
incentivize appropriate security measures are likely to increase 
efficiency while measures that potentially disincentivize Participants 
from securing CAT Data may reduce efficiency.
---------------------------------------------------------------------------

    \163\ See, e.g., Securities Exchange Act Release No. 89632 (Aug. 
21, 2020), 85 FR 65990, 66091 (Oct. 16, 2020) (proposing amendments 
to the CAT Plan to enhance data security).
---------------------------------------------------------------------------

    As noted above, several commenters express concern that shifting 
liability through the proposed Limitation of Liability Provisions would 
reduce the incentives of Participants to develop robust data security 
and risk mitigation mechanisms, and may even incentivize the 
Participants to de-prioritize data security.\164\ The Commission 
believes, however, that the degree to which the proposed amendment 
would disincentivize the Participants from appropriate security 
measures is dependent upon the Participants' belief in the 
applicability of regulatory immunity to the collection and permitted 
uses of CAT Data in the absence of the proposed amendment. The 
Commission believes that uncertainty regarding liability in case of a 
CAT data breach thus serves as an incentive for the Participants to 
invest in data security to the extent that Participants believe a court 
might not uphold their regulatory immunity or it would be judged not to 
apply in a given case that was before the courts. If the Participants 
believe that regulatory immunity is likely to apply, the proposed 
amendments would serve to reduce their risk of incurring costs of 
litigation by reducing the likelihood of litigation by Industry 
Members.
---------------------------------------------------------------------------

    \164\ See, e.g., Lewis Paper at 5-9, 14; SIFMA Letter at 7, 9; 
LPL Financial Letter at 1; Raymond James Letter at 2; FIA PTG Letter 
at 2; Virtu Letter at 3; ASA Letter at 2; Fidelity Letter at 2; Citi 
Letter at 2.
---------------------------------------------------------------------------

    Some commenters addressed the scope of the limitation of liability, 
considering whether Participants might be shielded from liability in 
commercial use of CAT Data,\165\ even though such use is prohibited by 
the CAT NMS Plan.\166\ Another commenter focused on the scope of the 
immunity more generally as it would appear to exceed the bounds of 
conventional regulatory immunity.\167\ One commenter characterized the 
economic structure as creating a ``moral hazard'' and stated that 
permitting litigation against Participants and their representatives 
when they are acting outside their regulatory capacity is ``crucial'' 
and would give the Participants very strong financial incentives to 
invest heavily to prevent or minimize the likelihood of such 
failures.\168\
---------------------------------------------------------------------------

    \165\ See, e.g., SIFMA Letter at 8; LPL Financial Letter at 1; 
FIA PTG Letter at 2; Raymond James Letter at 2.
    \166\ See, e.g., CAT NMS Plan Sections 6.5(f)(i)(A); 6.5(g).
    \167\ See Citadel Letter at 5.
    \168\ See Citi Letter at 2. In response, the CRA Response argues 
that the structure might not be considered a classic ``moral 
hazard'' due to Industry Members' ability to monitor and influence 
CAT cyber security. See CRA Response at 10-11.
---------------------------------------------------------------------------

    To the extent that the scope of limitation of liability in the 
Proposed Amendment exceeds what might be expected from the doctrine of 
regulatory immunity, an expansion of the scope of activities that could 
be shielded from liability would potentially further disincentivize 
Participants from activities that promote CAT data security even if 
regulatory immunity applies.
    The Commission also recognizes that the Proposed Amendment may 
reduce the risk of litigation in the event of a breach by resolving the 
existing uncertainty about whether the Participants could be liable; in 
other words, if Industry Members know they cannot recover due to the 
limitation of liability, regardless of the applicability of regulatory 
immunity, they may be less likely to sue over a breach. Such litigation 
would impose costs, both direct and indirect,\169\ on the Participants 
to defend themselves even if they would ultimately prevail due to 
regulatory immunity and those direct costs might be passed on to 
Industry Members and ultimately investors. The Proposed Amendment would 
reduce the likelihood of litigation and thus might avoid costs 
associated with litigation that investors would unnecessarily bear, 
which could improve efficiency. Additional insurance costs to Industry 
Members related to liability risks from the Proposed Amendment are 
discussed below.
---------------------------------------------------------------------------

    \169\ Indirect costs would include opportunity costs of time and 
effort spent dealing with litigation. See, e.g., Notice, supra note 
5, 85 FR at 617-618; Response Letter at 8-9.
---------------------------------------------------------------------------

    While both the CRA Paper and the Lewis Paper frame their analyses 
from a perspective of potential litigation, the Commission notes that 
not all potential data breaches are amenable to litigation. The 
Commission believes that a data breach could go undetected, 
particularly if such a breach were perpetrated by authorized users of 
the CAT System such that detection of the breach relied primarily on 
the Participants' screening of their employees and contractors before 
providing access to CAT Data and then the monitoring of their use of 
CAT Data when they became authorized users.\170\ Such a breach could 
impose significant costs on Industry Members if their intellectual 
property (such as proprietary trading strategies) were revealed to 
competitors or bad actors. Consequently, the Commission believes that 
reducing the Participants' existing incentives to properly invest in 
data security activities might disincentivize

[[Page 60945]]

individual Participants from appropriately investing in the screening 
and monitoring of their own employees and contractors that will access 
CAT Data. This might reduce efficiency by increasing the likelihood of 
a breach either detected or undetected.
---------------------------------------------------------------------------

    \170\ Several commenters discussed arguments in the CRA Paper 
and Lewis Paper regarding ex-ante regulation versus ex-post 
litigation. See Citadel Letter at 1-2, 7; Lewis Paper at 7-9. An 
undetected breach cannot be addressed through litigation, but might 
be prevented by ex-ante regulation or the proper alignment of 
incentives in lieu of regulation. The Commission considers screening 
of potential users of CAT Data and monitoring their activities with 
CAT Data to be security activities that would be affected by 
Participant incentives to prevent data breaches.
---------------------------------------------------------------------------

    In addition, the Proposed Amendment might improve efficiency by 
promoting the optimal level of usage of CAT Data.\171\ Specifically, if 
the Participants believe their regulatory immunity may not be 
recognized in litigation in the wake of a data breach, they may be 
incentivized to minimize their use of CAT Data to minimize 
opportunities for a data breach, particularly one involving their own 
employees or contractors. However, the Proposed Amendment might 
facilitate increased use levels of CAT Data by Participants by reducing 
the risk of exposure to litigation. Consequently, the Commission 
believes that the Proposed Amendment might prevent inefficiencies 
related to underuse of CAT Data by regulators. By contrast, to the 
degree that disapproval of the Proposed Amendment renders regulators 
more risk averse in using CAT Data to meet their regulatory obligations 
than they would be if the Proposed Amendment were approved, disapproval 
may reduce use of CAT Data by regulators. Further effects on efficiency 
depend upon the use of insurance by Participants and Industry Members. 
The Lewis Paper and the CRA Paper analyze the potential for the use of 
insurance by Participants and Industry Members to manage the financial 
risks of a potential data breach.\172\ Through the CRA Paper, the 
Participants argue that adopting the Proposed Amendment would avoid 
inefficiencies such as over investment in insurance beyond what would 
be optimal.\173\ The CRA Paper argues that this inefficiency would 
result in unnecessary costs being passed to investors without a 
corresponding societal benefit.\174\ The Lewis Paper argues that 
shifting the financial risks of a CAT data breach to Industry Members 
by limiting liability for Participants would cause them to insure 
against the financial consequences of a CAT data breach, which would be 
inefficient because Industry Members cannot give an insurer access to 
the CAT System to monitor or assess the security of the system. 
Consequently, according to the Lewis Paper, insurance purchased by 
Industry Members to cover the risk would be more expensive, and 
investors would ultimately bear this increased expense.\175\ Also, 
policies obtained by Industry Members would necessarily overlap, 
further increasing the cost of such insurance.\176\ Other commenters 
supported the position that the Participants can more efficiently 
obtain cyber insurance.\177\
---------------------------------------------------------------------------

    \171\ See CAT NMS Plan Approval Order, supra note 1, at 84833-40.
    \172\ See Lewis Paper at 11-14; Notice, supra note 5, at 618-620.
    \173\ See Notice, supra note 5, at 617-18.
    \174\ See Notice, supra note 5, at 617-18.
    \175\ See Lewis Paper at 11-14.
    \176\ See Lewis Paper at 14.
    \177\ See SIFMA Letter at 8-9; LPL Financial Letter at 2; FIA 
PTG Letter at 2; Raymond James Letter at 2; Virtu Letter at 3-4.
---------------------------------------------------------------------------

    The Commission agrees that the Participants are better positioned 
to insure against a breach both due to their ability to provide access 
and monitoring of the CAT System to an insurer, and because if Industry 
Members were to obtain insurance that would apply to a CAT data breach, 
such policies would overlap because the same breach event would likely 
impact multiple Industry Members and many investors whose data might be 
exposed in a breach are customers of multiple Industry Members. 
However, as noted by some commenters, the doctrine of regulatory 
immunity may already shift significant breach risk to Industry 
Members,\178\ and the Participants state that Industry Members may 
already shift some of their own risk of data breaches to their own 
customers with their own limitation of liability language in customer 
agreements.\179\ Further, as discussed above, insurance is unlikely to 
provide a remedy in case of breaches that go undetected. However, the 
Commission recognizes that if the doctrine of regulatory immunity does 
not apply, the Proposed Amendment would shift the financial risks of a 
breach to Industry Members. The Commission believes that investors are 
likely to bear the costs of providing security to the CAT System as 
well as any costs of a breach of CAT Data. However, the Commission 
recognizes that inefficiencies in providing security to CAT are likely 
to increase the costs that investors bear.
---------------------------------------------------------------------------

    \178\ See Section IV.C.1, supra.
    \179\ See Response Letter at 10.
---------------------------------------------------------------------------

    The Commission believes that, even if the Proposed Amendment were 
approved, inefficiencies in the scope and maintenance of Industry 
Member insurance policies against a CAT data breach are likely to be 
minor for two reasons. First, Industry Members that carry customer 
accounts already face risks related to breach of customer information. 
The Commission believes these Industry Members actively manage the 
security of their environments to prevent a breach of this data within 
their systems and acknowledges that they cannot continue to safeguard 
this data once this data is reported to CAT. However, as noted by 
commenters, Industry Members also typically indemnify themselves with 
agreements that limit their liability in the case of a data breach and 
thus would be unlikely to increase their insurance coverage if the 
proposed amendments were approved. Second, any additional insurance 
burdens would likely be negligible for Industry Members that carry 
no customer accounts because they do not risk litigation from 
customers. However, to the degree that Industry Members overall would 
increase cyber insurance to offset this risk if the Proposed Amendment 
is approved, the cost of such insurance would likely be higher than 
it would be if the risk were borne by Participants because Industry 
Members cannot facilitate the monitoring of an insurer and the policies 
Industry Members would purchase would necessarily be overlapping 
policies because investors often have accounts with multiple Industry 
Members and a single data breach might expose data from multiple 
Industry Members. Those inflated costs would ultimately be passed to 
investors, and the security improvements that might be facilitated by 
the monitoring of an insurer contracted by the Participants would be 
unrealized.

B. Competition

    The Commission believes that the Proposed Amendment might have 
negative effects upon competition, but believes these effects would be 
partially mitigated. In their filing, the Participants state they do 
not believe the Proposed Amendment will have any impact on 
competition.\180\ However, the Commission believes that the Proposed 
Amendment could have negative effects on the competitive positions of 
some Industry Members relative to other Industry Members. Industry 
Members have diverse business models; some of these models employ 
proprietary trading strategies that might be revealed in the wake of a 
data breach. If such proprietary strategies were revealed, Industry 
Members that employed such strategies might experience loss of 
intellectual property that could damage their competitive positions 
relative to their peers. The Commission further acknowledges that a 
data breach could harm an Industry Member's reputation and damage its 
competitive position within the markets in which it competes, 
particularly if customer data were released from some but not all

[[Page 60946]]

competitors within those markets. The Commission acknowledges that 
robust investment in cyber security does not guarantee breaches will 
not occur. The likelihood of a data breach happening, however, increases 
if Participants reduce potential additional investment in CAT data 
security including additional investment in cyber insurance coverage 
(should such coverage become available) or additional investment in the 
screening and monitoring of employees and contractors that have access 
to CAT Data. But the assurance of limited liability provided by the 
Proposed Amendment could disincentivize such actions. The Commission 
believes that Participants would remain incentivized to invest in CAT 
data security to some extent, even if the Proposed Amendment is 
approved because of the additional incentives discussed above, such as 
reputational damage, which would remain unaffected by the Proposed 
Amendment.\181\
---------------------------------------------------------------------------

    \180\ See Notice, supra note 5, at 597.
    \181\ See Section VI.A., supra.
---------------------------------------------------------------------------

    The Commission further believes there might be additional 
competitive effects of the Proposed Amendment in the market for trading 
services. The Commission recognizes that Industry Members are not just 
the customers and members of the Participants, but are sometimes 
competitors of the Participants. Exchanges (all of which are 
Participants) compete in the market for trading services with off-
exchange venues such as alternative trading systems (all of which are 
operated by Industry Members) and Industry Members that provide 
liquidity to orders off-exchange.\182\ Consequently, if the Proposed 
Amendment were to shift any of the expense of insuring against the risk 
of a CAT data breach from Participants to Industry Members, and if such 
expenses were more efficiently borne by Participants as discussed 
previously, the additional marginal costs incurred by Industry Members 
could disadvantage them in this competition to provide trading 
services. However, the Commission believes that this effect would be 
partially mitigated because, as discussed previously, even under 
the Proposed Amendment, the Participants would remain incentivized to 
invest in CAT data security, and that Industry Members' need to invest 
in additional insurance would be mitigated by their own use of 
limitation of liability agreements with their own customers.\183\
---------------------------------------------------------------------------

    \182\ See CAT Plan Approval Order, supra note 1, at 84882-89.
    \183\ See Section VI.A., supra.
---------------------------------------------------------------------------

C. Capital Formation

    The Commission believes that the Proposed Amendment might have 
negative effects on capital formation in markets in which Industry 
Members compete, but believes these effects would be partially 
mitigated.
    The Participants argue that adopting the proposed amendment would 
avoid inefficiencies by avoiding the increased costs that would 
otherwise arise,\184\ namely overinvestment in cyber security and 
insurance beyond what would be optimal, and underinvestment in adoption 
of policies or technologies that decrease costs or increase 
efficiencies as described in the CRA Paper. The Participants argue that 
avoiding these issues, by limiting liability, would promote capital 
formation in the U.S. securities markets. While the Commission 
acknowledges that an inappropriate level of risk-aversion might result 
in these effects, if the Participants believe, as asserted in their 
filing, that they have regulatory immunity, the Commission believes 
these effects would be small because the potential shift in liability 
from the proposed amendments would be far less significant than 
anticipated in the CRA Paper.
---------------------------------------------------------------------------

    \184\ See Notice, supra note 5, at 617-18.
---------------------------------------------------------------------------

    It is possible that capital formation could be negatively impacted 
by an inefficient insurance burden on Industry Members as described in 
the Lewis Paper.\185\ However, even in cases in which Participants' 
regulatory immunity would not apply, the Commission does not believe 
the Proposed Amendment would significantly increase Industry Members' 
insurance burden because, as discussed previously, many Industry 
Members have agreements limiting their liability with their own 
customers, and not all Industry Members have customers that might 
initiate litigation.\186\
---------------------------------------------------------------------------

    \185\ See Lewis Paper at 11-14.
    \186\ See Section VI.A, supra.
---------------------------------------------------------------------------

    The Commission recognizes, however, that the risk of a data breach 
can impact capital formation through routes other than inefficient 
insurance costs and underinvestment. If Industry Members believe that 
the proposed amendment would significantly reduce Participants' 
incentives to invest in CAT security, Industry Members may be less 
incentivized to invest in intellectual property that could be 
compromised by a data breach, potentially reducing capital formation in 
liquidity provision on exchanges or in proprietary trading activities. 
The Commission believes this risk is partially mitigated because the 
Participants are still incentivized to secure CAT Data by other 
incentives that are not affected by the proposed amendment.\187\
---------------------------------------------------------------------------

    \187\ See Section VI.A, supra.
---------------------------------------------------------------------------

VI. Conclusion

    For the reasons set forth above, the Commission does not find, 
pursuant to Section 11A of the Exchange Act, and Rule 608(b)(2) 
thereunder, that the Proposed Amendment is consistent with the 
requirements of the Exchange Act and the rules and regulations 
thereunder applicable to an NMS plan amendment.
    It is therefore ordered, pursuant to Section 11A of the Exchange 
Act, and Rule 608(b)(2) thereunder, that the Proposed Amendment (File 
No. 4-698) be, and hereby is, disapproved.

    By the Commission.
J. Matthew DeLesDernier,
Assistant Secretary.
[FR Doc. 2021-24035 Filed 11-3-21; 8:45 am]
BILLING CODE 8011-01-P