Securities and Exchange Commission January 6, 2021 – Federal Register Recent Federal Regulation Documents

Cyber Breach Analysis. The first analysis we present is to identify specific potential breach scenarios and assess the relative difficulty of implementation, relative frequency, and conditional severity of each. As part of this assessment, we identified eight potential scenarios in which bad actors could attempt to unlawfully obtain, utilize, and monetize CAT data. Of course, we recognize that cyber-attacks on the CAT could vary from the scenarios we hypothesize, but we offer them to provide a framework to assess the economic exposures that flow from the gathering, storage, and use of CAT data. Our risk analysis indicates that most of these scenarios are relatively low frequency events because they are either difficult to implement, unlikely to be meaningfully profitable for a bad actor, or both. The scenario analysis also indicates that three types of breachesreverse engineering of trading algorithms, inserting fake data to wrongfully incriminate individuals or entities, and removing data to conceal misconductcould result in ``extremely'' severe economic consequences (which we define as potentially greater than $100 million in damages). We conclude that all three of these types of breaches are relatively low frequency events. Summary: Regulation vs. Litigation to Mitigate Cyber Risk for the CAT. The second analysis we present focuses on whether the cyber risk posed by CAT should be addressed through ex-ante regulation, ex post litigation, or a combination of both approaches. In a prior version of the CAT Reporter Agreement, CAT LLC included a limitation of liability provision, which memorialized the Participants' view that Industry Members should not be able to litigate against CAT LLC or the Participants to recover damages sustained as a result of a cyber breach. Although the current operative version of the Reporter Agreement does not contain a limitation of liability, we understand that CAT LLC is submitting this White Paper in connection with CAT LLC's request that the SEC amend the CAT NMS Plan to authorize such a provision. We understand that the Industry Members have opposed any limitation of liability provision and contend that CAT LLC, as the party holding the CAT data, should be subject to litigation by the Industry Members in the event of a cyber breach. In deciding whether to approve Participants' proposed plan amendment, an important question for the SEC to address is whether, in light of the extensive cyber requirements already imposed on CAT LLC through regulation, the SEC-mandated nature of the CAT, and the ability of the SEC to bring enforcement actions to compel compliance, it is appropriate to also allow Industry Members to sue CAT LLC and the Participants. As part of our analysis, we specifically assess whether including a limitation of liability provision in the CAT Reporter Agreement is appropriate from the perspective of economic theory as applied to the specifics of this situation. By applying the economic principles of liability and regulation as a means of motivating risk-minimizing behavior and considering the crucial role of the SEC's mandates regarding cyber security for the CAT (which already incorporate the concerns of entities involved in the National Market System as a whole), we conclude that the regulatory approach leads to the socially desirable level of investment in cyber security and protection of CAT data. We further conclude that SIFMA's position, which advocates allowing Industry Members to litigate against CAT LLC and the Participants in the event of a cyber breach, would result in increased costs for various economic actorsincluding CAT LLC, the Participants, Industry Members, and retail investorswithout any meaningful benefit to the CAT's cyber security. At a high level (and as discussed in extensive detail below), we therefore conclude that CAT LLC's proposal to limit its liability and the liability of the Participants is well supported by applicable economic principles in the framework of the SEC's mission and its mandates regarding the CAT. As a general matter, economic theory provides that society can motivate economic actors to take appropriate precautions to minimize the likelihood and consequences of accidents and misconduct through: (a) A regulatory approach (i.e., dictating specific precautions, requirements, and standards in advance), (b) a litigation approach (i.e., civil liability for damages caused by failing to adhere to a general standard of care), or (c) a combination of (a) and (b). At the outset, we note that we do not address this question in a vacuum. Rather, we conduct our examination in the context of an extensive regulatory program that the SEC has enacted mandating specific cyber standards, policies, procedures, systems, and controls that CAT LLC and the Plan Processor must implement. This regulatory regime was developed with extensive feedback from the securities industry (e.g., through the Development Advisory Group and the Advisory Committee) and is subject to ongoing review and modification through a public review and comment process. Moreover, CAT LLC's compliance with the requirements of this regulatory regime can be policed by the SEC's Enforcement Division. We also note that in adopting the CAT NMS Plan, the SEC concluded that the regulatory approach to cyber security was sufficient when it stated that ``the extensive, robust security requirements in the adopted [CAT NMS] Plan . . . provide appropriate, adequate protection for the CAT Data.'' \5\

The Securities and Exchange Commission (``Commission'') is adopting a new rule under the Investment Company Act of 1940 (``Investment Company Act'' or the ``Act'') that will address valuation practices and the role of the board of directors with respect to the fair value of the investments of a registered investment company or business development company (``fund''). The rule will provide requirements for determining fair value in good faith for purposes of the Act. This determination will involve assessing and managing material risks associated with fair value determinations; selecting, applying, and testing fair value methodologies; and overseeing and evaluating any pricing services used. The rule will permit a fund's board of directors to designate certain parties to perform the fair value determinations, who will then carry out these functions for some or all of the fund's investments. This designation will be subject to board oversight and certain reporting and other requirements designed to facilitate the board's ability effectively to oversee this party's fair value determinations. The rule will include a specific provision related to the determination of the fair value of investments held by unit investment trusts, which do not have boards of directors. The rule will also define when market quotations are readily available under the Act. The Commission is also adopting a separate rule providing the recordkeeping requirements that will be associated with fair value determinations and is rescinding previously issued guidance on the role of the board of directors in determining fair value and the accounting and auditing of fund investments.