Joint Industry Plan; Order Disapproving an Amendment to the National Market System Plan Governing the Consolidated Audit Trail
Citation: "86 FR 60933"
Document Number: "Release No. 34-93484; File No. 4-698"
Page Number: "60933"
"Notices"
I. Introduction
On
FOOTNOTE 1 The CAT NMS Plan is a national market system plan approved by the Commission pursuant to Section 11A of the Exchange Act and the rules and regulations thereunder. See Securities Exchange Act Release No. 79318 (
FOOTNOTE 2 15 U.S.C. 78k-1(a)(3). END FOOTNOTE
FOOTNOTE 3 17 CFR 242.608. END FOOTNOTE
FOOTNOTE 4 The Participants are requiring each CAT reporter or CAT reporting agent that reports order and trade data to the CAT System to execute a CAT Reporter Agreement or a CAT Reporting Agent Agreement. See, e.g., CAT FAQ O14, available at: https://www.catnmsplan.com/faq. END FOOTNOTE
FOOTNOTE 5 See Notice of Filing of Amendment to the National Market System Plan Governing the Consolidated Audit Trail, Release No. 90826 (
On
FOOTNOTE 6 17 CFR 242.608(b)(2)(i). END FOOTNOTE
FOOTNOTE 7 See Securities Exchange Act Release No. 91487 (
FOOTNOTE 8 See Securities Exchange Act Release No. 92266 (
FOOTNOTE 9 See Securities Exchange Act Release No. 92854 (
II. Background
On
FOOTNOTE 10 17 CFR 242.613. END FOOTNOTE
FOOTNOTE 11 See note 1, supra. END FOOTNOTE
On
FOOTNOTE 12 Industry Member means a member of a national securities exchange or a member of a national securities association. See CAT NMS Plan at Section 1.1. END FOOTNOTE
FOOTNOTE 13 For a more detailed description of the background for the Proposed Amendment, see Notice, supra note 5, at 591-93. END FOOTNOTE
III. Description of the Proposal
The Participants propose to amend the CAT NMS Plan to authorize
FOOTNOTE 14 See Notice, supra note 5, at 593. END FOOTNOTE
In support of the Proposed Amendment, the Participants state, among other things, that: (1) The proposed Limitation of Liability Provisions reflect longstanding principles of allocation of liability between Industry Members and SROs; /15/ (2) the proposed Limitation of Liability Provisions "fall squarely within industry norms" and are consistent with exchange rules that limit liability for losses that members incur through their use of exchange facilities, provisions that
FOOTNOTE 15 See Notice, supra note 5, at 593-95. END FOOTNOTE
FOOTNOTE 16 See Notice, supra note 5, at 593-94. END FOOTNOTE
FOOTNOTE 17 See Notice, supra note 5, at 595. END FOOTNOTE
FOOTNOTE 18 See Notice, supra note 5, at 595. END FOOTNOTE
FOOTNOTE 19 See Notice, supra note 5, at 599-624. END FOOTNOTE
FOOTNOTE 20 See Notice, supra note 5, at 595-597. END FOOTNOTE
IV. Discussion
A. The Applicable Standard of Review
Under Rule 608(b)(2) of Regulation NMS, the Commission shall approve a national market system plan or proposed amendment to an effective national market system plan, with such changes or subject to such conditions as the Commission may deem necessary or appropriate, if it finds that such plan or amendment is necessary or appropriate in the public interest, for the protection of investors and the maintenance of fair and orderly markets, to remove impediments to, and perfect the mechanisms of, a national market system, or otherwise in furtherance of the purposes of the Exchange Act. /21/ Under Rule 700(b)(3) of the Commission's Rules of Practice, the "burden to demonstrate that a proposed rule change is consistent with the Exchange Act and the rules and regulations issued thereunder . . . is on the self-regulatory organization that proposed the rule change." /22/ The Commission shall disapprove a national market system plan or proposed amendment if it does not make such a finding. /23/
FOOTNOTE 21 17 CFR 242.608(b)(2). END FOOTNOTE
FOOTNOTE 22 17 CFR 201.700(b)(3). END FOOTNOTE
FOOTNOTE 23 17 CFR 242.608(b)(2). Approval or disapproval of a national market system plan, or an amendment to an effective national market system plan (other than an amendment initiated by the Commission), shall be by order. Id. In addition, Rule 700(b)(3)(ii) of the Commission's Rules of Practice states that "[t]he burden to demonstrate that a NMS plan filing is consistent with the Exchange Act and the rules and regulations issued thereunder that are applicable to NMS plans is on the plan participants that filed the NMS plan filing." 17 CFR 201.700(b)(3)(ii). "Any failure of the plan participants that filed the NMS plan filing to provide such detail and specificity may result in the Commission not having a sufficient basis to make an affirmative finding that a NMS plan filing is consistent with the Exchange Act and the rules and regulations issued thereunder that are applicable to NMS plans." Id. END FOOTNOTE
For the reasons described below, the Commission believes that the Participants have not met their burden to demonstrate that the Proposed Amendment is consistent with the Exchange Act. /24/ Accordingly, the Commission cannot make the finding that the Proposed Amendment is necessary or appropriate in the public interest, for the protection of investors and the maintenance of fair and orderly markets, to remove impediments to, and perfect the mechanisms of, a national market system, or otherwise in furtherance of the purposes of the Exchange Act. /25/
FOOTNOTE 24 17 CFR 201.700(b)(3). END FOOTNOTE
FOOTNOTE 25 17 CFR 242.608(b)(2). END FOOTNOTE
B. Impact of Proposed Amendment on Incentives of Participants
Incentives To Invest in Security of the CAT
The Commission received several comments, including a letter from
FOOTNOTE 26 See Letter from
FOOTNOTE 27 See
FOOTNOTE 28 "CAT Data" means data derived from Participant Data, Industry Member Data, SIP Data, and such other data as the Operating Committee may designate as "CAT Data" from time to time. See CAT NMS Plan at Section 1.1. END FOOTNOTE
FOOTNOTE 29 "Plan Processor" means the Initial Plan Processor or any other Person selected by the Operating Committee pursuant to SEC Rule 613 and CAT NMS Plan, Article IV, Section 4.3(b)(i) and Article VI, Section 6.1, and with regard to the Initial Plan Processor, the Selection Plan, to perform the CAT processing functions required by SEC Rule 613 and set forth in this Agreement. See CAT NMS Plan at Section 1.1. END FOOTNOTE
FOOTNOTE 30 See
FOOTNOTE 31 See
FOOTNOTE 32 See SIFMA Letter at 4. One commenter states that the CAT System is a particularly attractive target for nation states and other bad actors that have become increasingly sophisticated, which could lead to significant harm to market participants, serious competitive harm to Industry Members, and significant legal risk and potential liability. See SIFMA Letter II at 9. END FOOTNOTE
Commenters argue that the CRA Paper's specific conclusion that ex-ante regulation is most appropriate is wrong, and that CAT cybersecurity would benefit from both ex-ante regulation and ex-post litigation. /33/ Another commenter characterizes shifting liability to Industry Members who, unlike SROs, have no control over the security of the CAT as creating a "moral hazard" and states that permitting litigation against Participants and their representatives when they are acting outside their regulatory capacity is "crucial" as it would give the Participants very strong financial incentives to invest heavily to prevent or minimize the likelihood of such failures. /34/ Similarly, the Lewis Paper asserts that liability for potential litigation would mitigate the moral hazard problem for
FOOTNOTE 33 See Letter from
FOOTNOTE 34 See
FOOTNOTE 35 See
In response to the Lewis Paper's contention that the threat of ex-post litigation is necessary, the CRA Response asserts that the "inconsequential and speculative" benefits of litigation in addition to the existing regulatory regime do not exceed the likely substantial costs. /36/ The CRA Response further asserts that there is no asset reserve on the balance sheet of
FOOTNOTE 36 See Report from
FOOTNOTE 37 See
The Participants argue that securities industry norms do not support the principle that the party in possession of data should bear liability in the event of a data breach, particularly where the parties in possession of the data are acting in regulatory capacities pursuant to Commission rules. /38/ In this regard, the Participants state that Industry Members, despite controlling sensitive data that could be compromised during a data breach, "routinely" disclaim liability to their underlying customers including their own retail customers in certain cases. /39/
FOOTNOTE 38 See Letter from
FOOTNOTE 39 See Response Letter at 10; see also id. at 20 (stating that the Lewis Paper does not address the fact that Industry Members routinely disclaim liability to those underlying customers). END FOOTNOTE
The Participants also assert that the Commission's regulatory regime, backed by its examination and enforcement functions, provides valuable incentives for the Participants,
FOOTNOTE 40 See, e.g., Letter from
FOOTNOTE 41 See Second Response Letter at 5-6. See also CRA Response at 1, 3-4, 6-7, 10. END FOOTNOTE
FOOTNOTE 42 See Response Letter at 26. END FOOTNOTE
FOOTNOTE 43 See Second Response Letter at 3. END FOOTNOTE
FOOTNOTE 44 See
Commenters also state that the CRA Paper suggests certain mechanisms, such as a third-party compensation program, cyber-related industry loss warranties or cyber catastrophe bonds that could be used in the event of a CAT breach to compensate third parties, but the SROs have not proposed the adoption of any of these mechanisms. /45/ These commenters believe that without liability risk,
FOOTNOTE 45 See SIFMA Letter at 10; LPL Financial Letter at 1; FIA PTG Letter at 2;
FOOTNOTE 46 See id. END FOOTNOTE
FOOTNOTE 47 See id. END FOOTNOTE
The Participants acknowledge that the CRA Paper explains that the regulatory regime is generally silent with respect to the most efficient method to compensate injured parties and that the CRA Paper offered several suggestions to cover potential losses including insurance, industry loss warranties, and catastrophe bonds. /48/ The Participants, however, state that they are willing to discuss any of these compensation mechanisms with Industry Members and they would welcome a discussion with the Commission to address the viability of these mechanisms and how they might be funded. /49/
FOOTNOTE 48 See Response Letter at 27 (citing CRA Paper at 50-53). END FOOTNOTE
FOOTNOTE 49 See Response Letter at 27-28. The Participants also state that creating mechanisms to compensate Industry Members in the event of a data breach would not obviate the need for the proposed Limitation of Liability Provisions. See id. at 28. END FOOTNOTE
Commenters assert that the proposal would allow
FOOTNOTE 50 See SIFMA Letter II at 2-3, 9-10;
FOOTNOTE 51 See SIFMA Letter II at 2-3, 9-10;
FOOTNOTE 52 See SIFMA Letter II at 10. See also Data Boiler Letter II at 3 (provisions discourage Participants from advancing the security and design of CAT and CAT Data). END FOOTNOTE
FOOTNOTE 53 See
FOOTNOTE 54 See
FOOTNOTE 55 See SIFMA Letter II at 9. END FOOTNOTE
FOOTNOTE 56 See Citadel Letter at 7-8. See also
FOOTNOTE 57 See SIFMA Letter II at 9.
The Participants reiterate that
FOOTNOTE 58 See Second Response Letter at 17. END FOOTNOTE
FOOTNOTE 59 See Second Response Letter at 17. The Participants noted that they were reviewing a
FOOTNOTE 60 See Second Response Letter at 15. END FOOTNOTE
FOOTNOTE 61 See
The CRA Response asserts that the Lewis Paper's claim that the Limitation of Liability Provisions will force clients' claims onto Industry Members and burden Industry Members with purchasing additional insurance coverage is erroneous. /62/ Specifically, according to the CRA Response, the Lewis Paper does not explain how Industry Members' clients can sue Industry Members for a cyberbreach of CAT, does not consider that many Industry Members have similar provisions in their customer agreements, and does not explain how an insurer would write liability coverage for Industry Members paying claims to clients for an adverse cyber event. /63/ In addition, the CRA Response states that the Lewis Paper and commenters assume, without support, that Industry Members will face litigation risk from customers due to a cyberbreach at the CAT. /64/
FOOTNOTE 62 See
FOOTNOTE 63 See
FOOTNOTE 64 See
Visibility and Input of Industry Members Into the Security of the CAT
One commenter argues that the CRA Paper significantly overemphasizes the visibility and input into the workings of CAT provided to the industry, and asserts that there is no visibility into the security aspects of CAT. /65/ The Participants state that Industry Members have had extensive opportunities to provide input regarding the CAT's cybersecurity at every stage of the development and operation of the CAT. /66/ The CRA Response states that commenters fail to acknowledge that providing Industry Members a right to litigate may reduce Industry Members' incentives to undertake their monitoring and influencing activities in favor of relying upon the threat of litigation, thereby weakening the overall cyber program of the CAT. /67/ The CRA Response also states that limiting Industry Members' ability to recover damages provides greater incentives for them to provide feedback to CAT management through the Advisory Committee. /68/
FOOTNOTE 65 See Citadel Letter at 9. END FOOTNOTE
FOOTNOTE 66 See Response Letter at 14. This includes prior to approval of the CAT NMS Plan, feedback through the Advisory Committee, and the ability of Industry Members to directly petition the Commission or provide comments on any proposals offered by the Commission. Id. END FOOTNOTE
FOOTNOTE 67 See
FOOTNOTE 68 See
Regulatory Immunity
Commenters argue that the SROs have failed to explain why limitation of their liability should be imposed by contract because the SROs have immunity from liability when acting in a regulatory capacity. /69/ Commenters further assert that the effort to impose liability limitations by contract "raises significant questions about whether the SROs seek to avoid liability in circumstances in which they misuse CAT Data while acting in a commercial capacity." /70/ Another commenter frames the issue as not whether the Participants should be liable for conduct undertaken during the course of their regulatory responsibilities, but whether the Participants should be insulated from potential liability for activities not covered by regulatory immunity. /71/ One commenter states that it believes that court precedent "strongly indicates that the courts are likely to view any regulatory activity the SROs conduct through CAT LLCs as being subject to this judicial immunity even though it is being conducted in a legal entity that is separate from the SROs." /72/
FOOTNOTE 69 See Citadel Letter at 1, 3-5; SIFMA Letter at 8; LPL Financial Letter at 1; FIA PTG Letter at 2;
FOOTNOTE 70 See SIFMA Letter at 8. See also LPL Financial Letter at 1; FIA PTG Letter at 2;
FOOTNOTE 71 See Citadel Letter at 5. END FOOTNOTE
FOOTNOTE 72 See SIFMA Letter II at 7. See also Data Boiler Letter II at 4. END FOOTNOTE
In response to comments about regulatory immunity, the Participants state that regulatory immunity does not preclude the use of contractual limitation of liability provisions and that the divergent and shifting positions from Industry Members on the applicability of regulatory immunity underscore the need for a contractual limitation of liability. /73/ The Participants state that some comments generally argue that a contractual limitation of liability is unnecessary in light of the doctrine of regulatory immunity, while other comments state the Participants should not receive either regulatory immunity or the protection of a limitation of liability provision. /74/ The Participants state that the proposed Limitation of Liability Provisions are necessary despite any regulatory immunity because even litigation which holds that regulatory immunity applies may result in significant disruption and expense (which ultimately will be passed along to Industry Members as part of
FOOTNOTE 73 See Response Letter at 22-25; see also Second Response Letter at 4, 11-12. The Participants also state that
FOOTNOTE 74 See Response Letter at 21-23. The Participants state that
FOOTNOTE 75 See Response Letter at 23-25. See also Second Response Letter at 4, 11. END FOOTNOTE
FOOTNOTE 76 See Second Response Letter at 11-12. END FOOTNOTE
FOOTNOTE 77 See id. END FOOTNOTE
FOOTNOTE 78 See Response Letter at 25 (citing
FOOTNOTE 79 See Response Letter at 25-26. END FOOTNOTE
The Participants believe that commenter concerns that the regulatory process might not keep pace with emerging and evolving cyber threats fail to consider Commission regulatory requirements and oversight, including the CAT NMS Plan requirement that Participants and FINRA CAT proactively monitor the CAT's cybersecurity and promptly address any vulnerabilities. /80/ The Participants state that, in contrast, litigation would require the Commission to share responsibility with the courts and is a lengthy process that is unlikely to outpace regulation. /81/ In addition, the Commission has means other than the formal rule-making process to address emerging cyber threats. /82/ In addition, the Participants assert that allowing Industry Member litigation would undoubtedly result in substantial additional costs and that the CRA Paper demonstrates that the costs of litigating a potential CAT Data breach are likely to be both substantial and unquantifiable on an ex-ante basis. /83/ It would also create additional costs and distract the Participants from the regulatory mission of CAT, and these costs would ultimately be passed along to investors. /84/ The Participants state that commenters are asking that their primary regulators bear any and all liability for hypothetical "black swan" cyber breaches and that such an extraordinary ask is without precedent, and that Participants, implementing a regulatory mandate in their regulatory capacities, should receive liability protections that they are customarily afforded when implementing their regulatory responsibilities pursuant to the direction and oversight of the Commission. /85/
FOOTNOTE 80 See Second Response Letter at 7. END FOOTNOTE
FOOTNOTE 81 See Second Response Letter at 8. END FOOTNOTE
FOOTNOTE 82 See Second Response Letter at 8. The Participants state that the Commission and its staff have "multiple tools at their disposal to motivate regulated entities" to "expeditiously modify their cybersecurity regimes." "For example, the
FOOTNOTE 83 See Second Response Letter at 3-4, 16. END FOOTNOTE
FOOTNOTE 84 See Second Response Letter at 4, 16. END FOOTNOTE
FOOTNOTE 85 See Second Response Letter at 4; see also Response Letter at 20 (stating that the Lewis Paper appears to advocate that
CRA Paper Does Not Capture All Data Breach Risks and Costs
Commenters believe that the CRA Paper does not capture all data breach risks, stating that the CRA Paper only focuses on a breach by external actors and fails to address the risk of misuse of CAT Data by personnel at
FOOTNOTE 86 See Citadel Letter at 6; SIFMA Letter at 9; LPL Financial Letter at 1; FIA PTG Letter at 2;
FOOTNOTE 87 See Citadel Letter at 6-7. END FOOTNOTE
FOOTNOTE 88 See Letter from Kelvin To, Founder and President,
FOOTNOTE 89 See ASA Letter at 2. END FOOTNOTE
Participants and the CRA Response dispute commenters' claims that the CRA Paper does not include all potential data breaches. /90/ The Participants argue that certain commenters misconstrue the CRA Paper's analysis. /91/ Specifically, these commenters assert that the CRA Paper did not address certain categories of hypothetical data breaches, and in particular breaches that originate from within FINRA CAT or Participants. The Participants state that the CRA Paper did not make any assumptions regarding the identity of potential bad actors or where they may work, and the CRA Paper was not intended to predict every possible scenario, but instead intended to provide an illustrative framework to assess the economic exposures that flow from the gathering, storage, and use of CAT Data. /92/ The Participants state that the CRA Paper concludes, in light of the CAT's extensive cybersecurity and other reasons, most potential breaches are relatively low-frequency events because they are either difficult to implement, unlikely to be meaningfully profitable, or both. /93/ The Participants also believe that the CRA Paper's conclusion that allowing Industry Members to litigate against
FOOTNOTE 90 See Response Letter at 15. The Participants explain that the CRA Paper contains two principal analyses: (i) A "scenario analysis" in which it identified specific hypothetical breaches and assessed the relative difficulty of implementation, relative frequency, and conditional severity of each; and (ii) a consideration of whether the cyber risk presented by the CAT should be addressed by regulation, litigation, or a combination of both approaches. END FOOTNOTE
FOOTNOTE 91 See Response Letter at 15. END FOOTNOTE
FOOTNOTE 92 See Response Letter at 15-16 (citing CRA Paper 2). END FOOTNOTE
FOOTNOTE 93 See Response Letter at 16 (citing CRA Paper at 18-32). END FOOTNOTE
FOOTNOTE 94 See Response Letter at 16. END FOOTNOTE
The Participants believe that comments that criticize the CRA Paper for failing to consider the costs to individual Industry Members in the event of a CAT Data breach are based on a misunderstanding of the relevant economic principles. /95/ Specifically, the CRA Paper's focus was on whether the risks of the use of CAT Data for regulatory purposes were best managed through ex ante regulation or ex post litigation, or a combination of both, and this analysis largely turns on identifying the most effective and efficient mechanisms for incentivizing
FOOTNOTE 95 See Response Letter at 16. END FOOTNOTE
FOOTNOTE 96 See id. END FOOTNOTE
FOOTNOTE 97 See Response Letter at 16-17. The Participants also dispute an assertion that the CRA Paper delivered a "pre-determined conclusion." See id. at 17 (citing ASA Letter at 2-3). END FOOTNOTE
The CRA Response states that allowing Industry Members to litigate against
FOOTNOTE 98 See
FOOTNOTE 99 See
Participants and the CRA Response argue that the Lewis Paper's argument that
FOOTNOTE 100 The Participants state that the Lewis Paper does not include a scenario analysis like the CRA Paper. See Response Letter at 16 at 20-21. END FOOTNOTE
FOOTNOTE 101 See
FOOTNOTE 102 See
FOOTNOTE 103 17 CFR 201.700(b)(3). END FOOTNOTE
By essentially eliminating any potential liability to Industry Members in the event of a security breach, the Participants limit the risk to themselves should they decide to reduce their investments in the security of the CAT, and such a reduction could increase the potential for a breach of CAT or unauthorized release of CAT Data. The Participants characterize one of the potential liabilities that they need to be insulated from as "the potential for substantial losses that may result from certain categories of low probability cyberbreaches," /104/ and the CRA Paper estimates an exposure of at least
FOOTNOTE 104 See Notice, supra note 5, at 595. END FOOTNOTE
FOOTNOTE 105 See Notice, supra note 5, at 597, 599-600, 603. END FOOTNOTE
FOOTNOTE 106 See also Economic Analysis at Section V.A. END FOOTNOTE
The CRA Response states that the benefits of litigation in addition to the existing regulatory regime are "inconsequential and speculative" and do not exceed the likely substantial costs. /107/ However, the CRA Response acknowledges that the threat of liability does incentivize behavior, arguing that limiting Industry Members' ability to recover damages provides greater incentives for them to provide feedback to CAT management through the Advisory Committee. /108/ The Commission believes that although Industry Members do have avenues to provide feedback such as through the Advisory Committee, Industry Members do not have access to the information they would need, such as security audit results and design specifications, to evaluate the security of CAT and identify meaningful deficiencies. The Commission also believes that the CRA Response's argument applies to Participants, in that their behavior would change to the extent there is a decreased threat of liability. Specifically, with the proposed Limitation of Liability Provisions, the Participants' potential liability to Industry Members would decrease and thus reduce Participants' incentives to ensure robust cybersecurity of CAT and CAT Data in an effort to reduce or avoid the potential liability.
FOOTNOTE 107 See
FOOTNOTE 108 See
Participants argue that security industry norms do not support the principle that the party in possession of the data should bear liability in the event of a data breach, especially when acting in a regulatory capacity pursuant to Commission rules, /109/ and that Industry Members "routinely" disclaim liability to their underlying customers. /110/ The Commission did not approve provisions in Industry Member contracts for OATS or Industry Member contracts with underlying customers. The Participants also refer to limitation of liability provisions in SROs' rules that were previously approved by the Commission. /111/ In the case of the SROs' rules, these rules relate to liability to members with respect to the business operations of exchanges and were established for different types of systems with different risks than the CAT. /112/ The Commission believes that given the amount and sensitivity of the data in the CAT System, it is important that the Participants' incentives to invest in robust cybersecurity, including potential liability in the event of a breach, are not reduced. Based on the record before it, the Commission believes that the proposed Limitation of Liability Provisions would reduce Participants' incentives to invest in CAT Data security.
FOOTNOTE 109 See Response Letter at 10. END FOOTNOTE
FOOTNOTE 110 See Response Letter at 10; see also Response Letter at 20 (stating that the Lewis Paper does not address the fact that Industry Members routinely disclaim liability to those underlying customers). END FOOTNOTE
FOOTNOTE 111 See Response Letter at 5-7. END FOOTNOTE
FOOTNOTE 112 CAT Data, unlike an SRO's trading data, includes comprehensive trading data from all exchange SROs and order and customer information submitted by Industry Members. END FOOTNOTE
The CRA Response also states that providing Industry Members a right to litigate may reduce Industry Members' incentives to undertake their monitoring and influencing activities in favor of relying upon the threat of litigation, thereby weakening the overall cyber program of the CAT. /113/ The Commission also believes that these comments suggest that Industry Members can have a significant role in determining the strength of the overall cyber program of CAT, and if a reduction in Industry Member "monitoring and influencing activities" would weaken the overall cyber program of the CAT, the absence of essentially any liability to Industry Members would also weaken the overall cyber program of CAT. /114/ The Participants expressed concern that
FOOTNOTE 113 See
FOOTNOTE 114 The CRA Response emphasizes that Industry Members and other interested parties are able to monitor and suggest improvements for CAT's cyber security and "history is replete with examples." See
FOOTNOTE 115 See Second Response Letter at 15. END FOOTNOTE
FOOTNOTE 116 See Second Response Letter at 15. See also CRA Response at 9 (stating that
FOOTNOTE 117 See CAT NMS Plan, Article X, Section 10.1. END FOOTNOTE
FOOTNOTE 118 See CAT NMS Plan, Article XI, Section 11.1(b) and 11.2. Specifically, Section 11.1(b) states that subject to Section 11.2, the Operating Committee shall have discretion to establish funding for the
FOOTNOTE 119 See CAT NMS Plan, Article X, Section 11.1(b). END FOOTNOTE
Even in the absence of the proposed Limitation of Liability Provisions, the Participants may have limited liability to Industry Members through court-established regulatory immunity. /120/ To the extent it is available, regulatory immunity may create the same incentive as the proposed Limitation of Liability Provisions for Participants to reduce their investment in CAT cybersecurity. Regulatory immunity, however, is not applicable in all scenarios (i.e., commercial use or intentional misconduct). The Commission does not believe that the Participants have adequately explained why, in cases where regulatory immunity may not be applicable because Participant use of CAT data is improper (e.g., commercial use or intentional misconduct), they should be permitted to limit their liability. The potential consequences of such behavior, however, could also fall on Industry Members who have no control over the security of CAT Data they have submitted to the CAT. The Commission believes that the presence of liability risk would provide Participants an additional incentive to invest in CAT data security to prevent such behavior from occurring. /121/ The Commission believes that the Participants have not met their burden to demonstrate that the Proposed Amendment is necessary or appropriate in the public interest, for the protection of investors and the maintenance of fair and orderly markets, to remove impediments to, and perfect the mechanisms of, a national market system, or otherwise in furtherance of the purposes of the Exchange Act. /122/
FOOTNOTE 120 See Section IV.C.1, supra. The Participants assert that regulatory immunity applies to their use of CAT. See Response Letter at 23; Second Response Letter at 4. END FOOTNOTE
FOOTNOTE 121 See also Economic Analysis at Section V.A. END FOOTNOTE
FOOTNOTE 122 17 CFR 201.700(b)(3). END FOOTNOTE
C. Breadth of the Proposed Limitation of Liability Provisions
Several commenters are critical of the scope of the proposed Limitation of Liability Provisions and in particular the language that prohibits Industry Members from pursuing claims against
FOOTNOTE 123 See SIFMA Letter at 5, 7-8. See also
FOOTNOTE 124 See SIFMA Letter at 5; see also
FOOTNOTE 125 See ASA Letter at 2. END FOOTNOTE
A commenter suggests that if the limitation of liability language was adopted as proposed, "
FOOTNOTE 126 See SIFMA Letter II at 8. END FOOTNOTE
FOOTNOTE 127 See SIFMA Letter II at 11. END FOOTNOTE
The Participants state that the proposed Limitation of Liability Provisions fall squarely within industry norms, referencing a comparison to the allocation of liability between Industry Members and SROs in other regulatory contexts, including NMS plans, regulatory reporting facilities, SRO rules and liability provisions that Industry Members use to protect themselves when they possess sensitive customer and transaction data. /128/ The Participants believe that the proposed Limitation of Liability Provisions are "substantively identical" to the liability provisions to which Industry Members regularly agree in connection with OATS reporting. /129/
FOOTNOTE 128 See Response Letter at 5-11. END FOOTNOTE
FOOTNOTE 129 Id. at 6-7. Commenters assert that the proposed Limitation of Liability Provisions are inconsistent with industry standards, citing among other things SRO limitation of liability rules which exclude protection for willful misconduct, gross negligence, bad faith or criminal acts. See SIFMA Letter at 7; LPL Financial Letter at 1; FIA PTG Letter at 2;
Commenters, however, dismiss comparisons made in the Proposed Amendment to OATS limitation of liability provisions because (1) CAT captures significantly more information than OATS, including personally identifiable information, and data reported to OATS is reported to and only used by
FOOTNOTE 130 See
FOOTNOTE 131 See
In response, the Participants reject the suggestion that any limitation of liability provision should allow liability for willful misconduct, gross negligence, bad faith or criminal acts of
FOOTNOTE 132 See Response Letter at 7 (citing SIFMA Letter at 7-8); Second Response Letter at 4; 13-15. END FOOTNOTE
FOOTNOTE 133 See Second Response Letter at 4, 13-15. The Participants assert that the proposed Limitation of Liability Provisions are consistent with SRO limitation of liability rules, emphasizing that under those rules the SROs generally have the discretion, but not obligation, to compensate harmed Industry Members, and that this discretion only applies in very limited circumstances--namely, for system failures that impact the execution of individual orders. See Response Letter at 5-6. The Participants also note that during negotiations, the Participants submitted to
FOOTNOTE 134 See Response Letter at 6-7. Thus, the Participants believe that these provisions would not provide for liability against the self-regulatory organizations in the event of a data breach. Id. at 7-8. See also Second Response Letter at 13-14 (stating that SRO rules that contain exclusions generally are modified by other rules that broadly prohibit Industry Members from suing the exchanges or their representatives, except for violations of the federal securities laws for which a private right of action exists, and thus the Participants do not believe these provisions would provide for liability against the SROs in the event of a data breach). END FOOTNOTE
FOOTNOTE 135 See, e.g., Response Letter at 9; CRA Response at 18. END FOOTNOTE
FOOTNOTE 136 See Response Letter at 9; Second Response Letter at 4, 14-15. According to the Participants, although they,
The CRA Response also states that the comment letters do not acknowledge that behavior falling in these categories is already subject to enforcement by the Commission. /137/ The Participants state that the Commission's regulatory enforcement regime and the potential for severe reputational harm already sufficiently incentivize the Participants not to engage in bad faith, recklessness, gross negligence, and intentional misconduct, and so adding exclusions to the proposed Limitation of Liability Provisions would not result in any meaningful improvement to the CAT's cybersecurity. /138/
FOOTNOTE 137 See
FOOTNOTE 138 See Response Letter at 9. The Participants note that enforcement actions could be brought for cybersecurity-related violations (e.g., failure to comply with Regulation SCI) and violations of the CAT NMS Plan (e.g., for violating the CAT NMS Plan by using CAT Data for non-regulatory purposes). See id. at 25-26. The Participants also state that the purpose of the CAT and the Participants' mandate under the CAT NMS Plan is the fulfillment of regulatory functions, and not operation in connection with business activities. Id. at 22. In addition, the CRA Response states that the comment letters do not acknowledge that behavior falling in these categories is already subject to enforcement by the Commission. See
As noted in the previous section, /139/ commenters believe that the CRA Paper only focuses on a breach by external actors and fails to address the risk of misuse of CAT Data by personnel at
FOOTNOTE 139 See infra Section IV.A. END FOOTNOTE
FOOTNOTE 140 See Citadel Letter at 6; SIFMA Letter at 9; LPL Financial Letter at 1; FIA PTG Letter at 2;
FOOTNOTE 141 See
FOOTNOTE 142 See
The Commission does not believe that the Participants have demonstrated that it is necessary or appropriate to foreclose all potential Industry Member claims, including those arising from "gross negligence, willful misconduct, bad faith, or criminal acts" to a maximum of
FOOTNOTE 143 As discussed above, a number of factors impact the Participants' incentives to invest in, or prioritize, the security of the CAT. See Section IV.B., supra. The Commission does not believe that the Participants have met their burden of establishing that it is appropriate to foreclose liability to Industry Members for potential claims arising from "gross negligence, willful misconduct, bad faith, or criminal acts" because of the Commission's regulatory enforcement regime and the potential for severe reputational harm. END FOOTNOTE
FOOTNOTE 144 See notes 104 and 105, supra, and accompanying text. END FOOTNOTE
As noted above, Participants can assert regulatory immunity to the extent that the doctrine applies if there is a security breach that exposes CAT Data and Industry Members seek damages from the responsible Participants. /145/ However, the Commission believes that for situations where regulatory immunity may not be applicable (e.g., commercial use or intentional misconduct), the Participants have not met their burden to justify a nearly complete elimination of liability to Industry Members as consistent with the Exchange Act and the rules and regulations as required by Rule 608 of Regulation NMS, as discussed above. The Commission cannot make a finding that the proposed amendment is consistent with the Exchange Act and the rules and regulations issued thereunder. /146/
FOOTNOTE 145 See Section IV.B, supra. END FOOTNOTE
FOOTNOTE 146 17 CFR 201.700(b)(3); 17 CFR 242.608(b)(2). END FOOTNOTE
V. Impact on Efficiency, Competition, and Capital Formation
In determining whether to approve a CAT NMS Plan amendment, and whether such amendment is in the public interest, Rule 613 requires the Commission to consider the potential effects of the proposed amendment on efficiency, competition and capital formation. /147/ The Commission has reviewed the arguments about such effects put forth by the Participants and commenters and independently analyzed the likely effects of the Proposed Amendment on efficiency, competition and capital formation. Many of those effects hinge on assumptions about the applicability of the doctrine of regulatory immunity in the case of litigation related to a breach of CAT Data, the influence of such immunity on the incentives of the Participants to protect the CAT Data, and the potential redundancy of a limitation on liability if immunity applies. Commenters have addressed the applicability of this doctrine directly in their comments, /148/ many of which relate to two studies: The CRA Paper submitted by the Participants as part of their filing, and the Lewis Paper submitted by
FOOTNOTE 147 17 CFR 242.613(a)(5). END FOOTNOTE
FOOTNOTE 148 See, e.g., Citadel Letter at 1, 3-5; SIFMA Letter at 8; LPL Financial Letter at 1; FIA PTG Letter at 2;
FOOTNOTE 149 See
FOOTNOTE 150 The Commission recognizes that the Participants believe regulatory immunity would apply in the event of a breach concerning CAT Data (see Response Letter at 23; Second Response Letter at 4), but the Participants also believe that there is no guarantee that all courts will agree that the Participants' immunity extends to the claims at issue. The Commission acknowledges that beliefs about regulatory immunity may influence the outcomes it describes in this analysis. END FOOTNOTE
FOOTNOTE 151 See, e.g.,
In summary, the Commission believes that, if approved, the Proposed Amendment would likely have significant negative effects on efficiency, though minor positive effects that are unlikely to significantly mitigate the negative effects are also discussed below. /152/ The Commission believes the Participants are best poised due to information asymmetry to understand the risks inherent in collecting and using CAT Data, and, because of moral hazard, to mitigate those risks through operational measures to promote CAT data security and securing insurance to mitigate financial risks associated with CAT data security. Efficiency is likely to be reduced to the extent the Proposed Amendment disincentivizes the Participants from investing in CAT data security and thus potentially increases the likelihood of a data breach. The Commission believes this effect would be only partially mitigated as discussed below and believes the net effect may remain significant. The Commission believes that the Proposed Amendment might have negative effects on competition and capital formation, but believes these effects would be partially mitigated. These conclusions are discussed in the analysis which follows.
FOOTNOTE 152 See Section V.A., infra. END FOOTNOTE
A. Efficiency
The Commission believes that the Proposed Amendment would likely have a significant effect on efficiency, although minor positive effects that are unlikely to significantly mitigate the negative effects are also discussed below. These mixed effects would likely be dominated by the negative effects of reducing the Participants' incentives to invest in CAT data security. Generally, the Commission believes that the Proposed Amendment would reduce the Participants' incentives to invest in CAT data security. The Commission believes that taking measures that may prevent a data breach is inherently more efficient than remediating the consequences of a data breach after it has occurred. /153/ Consequently, liability rules that incentivize appropriate security measures are likely to increase efficiency while rules that potentially disincentivize Participants from securing CAT Data may reduce efficiency. As noted, the magnitude of this effect hinges on the Participants' beliefs about the applicability of the doctrine of regulatory immunity. If the Participants do not believe regulatory immunity applies to all aspects of their collection and use of CAT Data, or have significant uncertainty that it would apply to some or all aspects, the Proposed Amendment would represent to the Participants a shift of liability from the Participants to Industry Members, the magnitude of which would be a function of the level of Participant uncertainty about their regulatory immunity. /154/ Absent the Proposed Amendment, the Participants might make further investments in data security beyond those mandated by the
FOOTNOTE 153 See, e.g., Securities Exchange Act Release No. 89632 (
FOOTNOTE 154 The proposed Limitation of Liability Provisions would limit liability to
The CRA Paper maintains that additional investment in security, such as providing additional insurance, may not be efficient. The CRA Paper states, ". . . the prospect of litigation arising from the absence of the limitation on liability provision has the prospect for prompting overpayment for cyber security on the part of the CAT and the Plan Processor beyond the economically optimal level of protection, despite the analysis we present above suggesting that such litigation would provide no incremental benefit. The prospect of third-party litigation may prompt
FOOTNOTE 155 The CRA Paper discusses reasons why the incremental benefit from litigation from Industry Members may be reduced, but does not show that there is no incremental benefit. See Notice, supra note 5, at 616-17. END FOOTNOTE
FOOTNOTE 156 See Notice, supra note 5, at 617-18. END FOOTNOTE
FOOTNOTE 157 The Commission has the power to disallow fee amendments that might unfairly pass costs to Industry Members. END FOOTNOTE
FOOTNOTE 158 See note 113, supra, and referring text. END FOOTNOTE
The Commission recognizes that the risk of the Proposed Amendment disincentivizing the Participants from taking additional measures to ensure security is likely to be partially mitigated by other incentives that are not impacted by the limitation on liability. Independent of potential regulatory immunity, /159/ Participants face significant costs, both direct and indirect, that would result from a data breach. The potential reputational consequences of a data breach would likely be severe and such a breach is likely to draw significant negative publicity, public scrutiny, and attention from regulatory and other government entities. Further, while contractual limitation of liability reduces the risk of exposure, it does not prevent enforcement actions from the Commission or litigation by parties other than Industry Members. In addition, any breach would likely cause a significant disruption to Participants' own operations /160/ and some breach threats are not about compromising data but are indeed designed to disrupt operations; /161/ Participants are thus still incentivized to create security measures that mitigate the risk of such breaches, which likely help mitigate the risk of compromised data that could directly affect Industry Members. However, the Commission believes that decreasing the risk of exposure that Participants face through the Proposed Amendment will likely on balance disincentivize the Participants from investing in data security, particularly if the proposed amendments increase the scope of immunity that might be expected beyond regulatory immunity. /162/
FOOTNOTE 159 The Commission believes the Participants' views on their potential regulatory immunity with regard to CAT data collection and use is immaterial to this second set of incentives because these consequences of a data breach could occur regardless of whether there could or would be litigation as a result of that breach. END FOOTNOTE
FOOTNOTE 160 A breach of CAT data could occur in a Participant's own analytic or operational environment. END FOOTNOTE
FOOTNOTE 161 See, e.g.,
FOOTNOTE 162 See Sections V.B and V.C, supra. END FOOTNOTE
The Commission believes that taking measures that may prevent a data breach is more efficient than remediating the consequences of a data breach after it has occurred. /163/ Consequently, measures that incentivize appropriate security measures are likely to increase efficiency while measures that potentially disincentivize Participants from securing CAT Data may reduce efficiency.
FOOTNOTE 163 See, e.g., Securities Exchange Act Release No. 89632 (
As noted above, several commenters express concern that shifting liability through the proposed Limitation of Liability Provisions would reduce the incentives of Participants to develop robust data security and risk mitigation mechanisms, and may even incentivize the Participants to de-prioritize data security. /164/ The Commission believes, however, that the degree to which the proposed amendment would disincentivize the Participants from appropriate security measures is dependent upon the Participants' belief in the applicability of regulatory immunity to the collection and permitted uses of CAT Data in the absence of the proposed amendment. The Commission believes that uncertainty regarding liability in case of a CAT data breach thus serves as an incentive for the Participants to invest in data security to the extent that Participants believe a court might not uphold their regulatory immunity or it would be judged not to apply in a given case that was before the courts. If the Participants believe that regulatory immunity is likely to apply, the proposed amendments would serve to reduce their risk of incurring costs of litigation by reducing the likelihood of litigation by Industry Members.
FOOTNOTE 164 See, e.g.,
Some commenters addressed the scope of the limitation of liability, considering whether Participants might be shielded from liability in commercial use of CAT Data, /165/ even though such use is prohibited by the CAT NMS Plan. /166/ Another commenter focused on the scope of the immunity more generally as it would appear to exceed the bounds of conventional regulatory immunity. /167/ One commenter characterized the economic structure as creating a "moral hazard" and stated that permitting litigation against Participants and their representatives when they are acting outside their regulatory capacity is "crucial" and would give the Participants very strong financial incentives to invest heavily to prevent or minimize the likelihood of such failures. /168/
FOOTNOTE 165 See, e.g., SIFMA Letter at 8; LPL Financial Letter at 1; FIA PTG Letter at 2;
FOOTNOTE 166 See, e.g., CAT NMS Plan Sections 6.5(f)(i)(A); 6.5(g). END FOOTNOTE
FOOTNOTE 167 See Citadel Letter at 5. END FOOTNOTE
FOOTNOTE 168 See
To the extent that the scope of limitation of liability in the Proposed Amendment exceeds what might be expected from the doctrine of regulatory immunity, an expansion of the scope of activities that could be shielded from liability would potentially further disincentivize Participants from activities that promote CAT data security even if regulatory immunity applies.
The Commission also recognizes that the Proposed Amendment may reduce the risk of litigation in the event of a breach by resolving the existing uncertainty about whether the Participants could be liable; in other words, if Industry Members know they cannot recover due to the limitation of liability, regardless of the applicability of regulatory immunity, they may be less likely to sue over a breach. Such litigation would impose costs, both direct and indirect, /169/ on the Participants to defend themselves even if they would ultimately prevail due to regulatory immunity and those direct costs might be passed on to Industry Members and ultimately investors. The Proposed Amendment would reduce the likelihood of litigation and thus might avoid costs associated with litigation that investors would unnecessarily bear, which could improve efficiency. Additional insurance costs to Industry Members related to liability risks from the Proposed Amendment are discussed below.
FOOTNOTE 169 Indirect costs would include opportunity costs of time and effort spent dealing with litigation. See, e.g., Notice, supra note 5, 85 FR at 617-618; Response Letter at 8-9. END FOOTNOTE
While both the CRA Paper and the Lewis Paper frame their analyses from a perspective of potential litigation, the Commission notes that not all potential data breaches are amenable to litigation. The Commission believes that a data breach could go undetected, particularly if such a breach were perpetrated by authorized users of the CAT System such that detection of the breach relied primarily on the Participants' screening of their employees and contractors before providing access to CAT Data and then the monitoring of their use of CAT Data when they became authorized users. /170/ Such a breach could impose significant costs on Industry Members if their intellectual property (such as proprietary trading strategies) were revealed to competitors or bad actors. Consequently, the Commission believes that reducing the Participants' existing incentives to properly invest in data security activities might disincentivize individual Participants from appropriately investing in the screening and monitoring of their own employees and contractors that will access CAT Data. This might reduce efficiency by increasing the likelihood of a breach either detected or undetected.
FOOTNOTE 170 Several commenters discussed arguments in the CRA Paper and
In addition, the Proposed Amendment might improve efficiency by promoting the optimal level of usage of CAT Data. /171/ Specifically, if the Participants believe their regulatory immunity may not be recognized in litigation in the wake of a data breach, they may be incentivized to minimize their use of CAT Data to minimize opportunities for a data breach, particularly one involving their own employees or contractors. However, the Proposed Amendment might facilitate increased use levels of CAT Data by Participants by reducing the risk of exposure to litigation. Consequently, the Commission believes that the Proposed Amendment might prevent inefficiencies related to underuse of CAT Data by regulators. By contrast, to the degree that disapproval of the Proposed Amendment renders regulators more risk averse in using CAT Data to meet their regulatory obligations than they would be if the Proposed Amendment were approved, disapproval may reduce use of CAT Data by regulators. Further effects on efficiency depend upon the use of insurance by Participants and Industry Members. The Lewis Paper and the CRA Paper analyze the potential for the use of insurance by Participants and Industry Members to manage the financial risks of a potential data breach. /172/ Through the CRA Paper, the Participants argue that adopting the Proposed Amendment would avoid inefficiencies such as over investment in insurance beyond what would be optimal. /173/ The CRA Paper argues that this inefficiency would result in unnecessary costs being passed to investors without a corresponding societal benefit. /174/ The Lewis Paper argues that shifting the financial risks of a CAT data breach to Industry Members by limiting liability for Participants would cause them to insure against the financial consequences of a CAT data breach, which would be inefficient because Industry Members cannot give an insurer access to the CAT System to monitor or assess the security of the system. 
Consequently, according to the Lewis Paper, insurance purchased by Industry Members to cover the risk would be more expensive, and investors would ultimately bear this increased expense. /175/ Also, policies obtained by Industry Members would necessarily overlap, further increasing the cost of such insurance. /176/ Other commenters supported the position that the Participants can more efficiently obtain cyber insurance. /177/
FOOTNOTE 171 See CAT NMS Plan Approval Order, supra note 1, at 84833-40. END FOOTNOTE
FOOTNOTE 172 See
FOOTNOTE 173 See Notice, supra note 5, at 617-18. END FOOTNOTE
FOOTNOTE 174 See Notice, supra note 5, at 617-18. END FOOTNOTE
FOOTNOTE 175 See
FOOTNOTE 176 See
FOOTNOTE 177 See SIFMA Letter at 8-9; LPL Financial Letter at 2; FIA PTG Letter at 2;
The Commission agrees that the Participants are better positioned to insure against a breach both due to their ability to provide access and monitoring of the CAT System to an insurer, and because if Industry Members were to obtain insurance that would apply to a CAT data breach, such policies would overlap because the same breach event would likely impact multiple Industry Members and many investors whose data might be exposed in a breach are customers of multiple Industry Members. However, as noted by some commenters, the doctrine of regulatory immunity may already shift significant breach risk to Industry Members, /178/ and the Participants state that Industry Members may already shift some of their own risk of data breaches to their own customers with their own limitation of liability language in customer agreements. /179/ Further, as discussed above, insurance is unlikely to provide a remedy in case of breaches that go undetected. However, the Commission recognizes that if the doctrine of regulatory immunity does not apply, the Proposed Amendment would shift the financial risks of a breach to Industry Members. The Commission believes that investors are likely to bear the costs of providing security to the CAT System as well as any costs of a breach of CAT Data. However, the Commission recognizes that inefficiencies in providing security to CAT are likely to increase the costs that investors bear.
FOOTNOTE 178 See Section IV.C.1, supra. END FOOTNOTE
FOOTNOTE 179 See Response Letter at 10. END FOOTNOTE
The Commission believes that, even if the Proposed Amendment were approved, inefficiencies in the scope and maintenance of Industry Member insurance policies against a CAT data breach are likely to be minor for two reasons. First, Industry Members that carry customer accounts already face risks related to breach of customer information. The Commission believes these Industry Members actively manage the security of their environments to prevent a breach of this data within their systems and acknowledges that they cannot continue to safeguard this data once this data is reported to CAT. However, as noted by commenters, Industry Members also typically indemnify themselves with agreements that limit their liability in the case of a data breach and thus would be unlikely to increase their insurance coverage if the proposed amendments were approved. Second, any additional insurance burdens would likely be negligible for Industry Members that carry no customer accounts because they do not risk litigation from customers. However, to the degree that Industry Members overall would increase cyber insurance to offset this risk if the Proposed Amendment is approved, the cost of such insurance would likely be higher than it would be if the risk were borne by Participants because Industry Members cannot facilitate the monitoring of an insurer and the policies Industry Members would purchase would necessarily be overlapping policies because investors often have accounts with multiple Industry Members and a single data breach might expose data from multiple Industry Members. Those inflated costs would ultimately be passed to investors, and the security improvements that might be facilitated by the monitoring of an insurer contracted by the Participants would be unrealized.
B. Competition
The Commission believes that the Proposed Amendment might have negative effects upon competition, but believes these effects would be partially mitigated. In their filing, the Participants state they do not believe the Proposed Amendment will have any impact on competition. /180/ However, the Commission believes that the Proposed Amendment could have negative effects on the competitive positions of some Industry Members relative to other Industry Members. Industry Members have diverse business models; some of these models employ proprietary trading strategies that might be revealed in the wake of a data breach. If such proprietary strategies were revealed, Industry Members that employed such strategies might experience loss of intellectual property that could damage their competitive positions relative to their peers. The Commission further acknowledges that a data breach could harm an Industry Member's reputation and damage its competitive position within the markets in which it competes, particularly if customer data were released from some but not all competitors within those markets. The Commission acknowledges that robust investment in cyber security does not guarantee breaches will not occur. The likelihood of a data breach happening, however, increases if Participants reduce potential additional investment in CAT data security including additional investment in cyber insurance coverage (should such coverage become available) or additional investment in the screening and monitoring of employees and contractors that have access to CAT Data. But the assurance of limited liability provided by the Proposed Amendment could disincentivize such actions. The Commission believes that Participants would remain incentivized to invest in CAT data security to some extent, even if the Proposed Amendment is approved because of the additional incentives discussed above, such as reputational damage, which would remain unaffected by the Proposed Amendment. /181/
FOOTNOTE 180 See Notice, supra note 5, at 597. END FOOTNOTE
FOOTNOTE 181 See Section VI.A., supra. END FOOTNOTE
The Commission further believes there might be additional competitive effects of the Proposed Amendment in the market for trading services. The Commission recognizes that Industry Members are not just the customers and members of the Participants, but are sometimes competitors of the Participants. Exchanges (all of which are Participants) compete in the market for trading services with off-exchange venues such as alternative trading systems (all of which are operated by Industry Members) and Industry Members that provide liquidity to orders off-exchange. /182/ Consequently, if the Proposed Amendment were to shift any of the expense of insuring against the risk of a CAT data breach from Participants to Industry Members, and if such expenses were more efficiently borne by Participants as discussed previously, the additional marginal costs incurred by Industry Members could disadvantage them in this competition to provide trading services. However, the Commission believes that this effect would be partially mitigated because, as discussed previously, even under the Proposed Amendment, the Participants would remain incentivized to invest in CAT data security, and that Industry Members' need to invest in additional insurance would be mitigated by their own use of limitation of liability agreements with their own customers. /183/
FOOTNOTE 182 See CAT Plan Approval Order, supra note 1, at 84882-89. END FOOTNOTE
FOOTNOTE 183 See Section VI.A., supra. END FOOTNOTE
C. Capital Formation
The Commission believes that the Proposed Amendment might have negative effects on capital formation in markets in which Industry Members compete, but believes these effects would be partially mitigated.
The Participants argue that adopting the proposed amendment would avoid inefficiencies by avoiding the increased costs that would otherwise arise, /184/ namely over investment in cyber security and insurance beyond what would be optimal, and underinvestment in adoption of policies or technologies that decrease costs or increase efficiencies as described in the CRA Paper. The Participants argue that avoiding these issues, by limiting liability, would promote capital formation in the
FOOTNOTE 184 See Notice, supra note 5, at 617-18. END FOOTNOTE
It is possible that capital formation could be negatively impacted by an inefficient insurance burden on Industry Members as described in the Lewis Paper. /185/ However, even in cases in which Participants' regulatory immunity would not apply, the Commission does not believe the Proposed Amendment would significantly increase Industry Members' insurance burden because, as discussed previously, many Industry Members have agreements limiting their liability with their own customers, and not all Industry Members have customers that might initiate litigation. /186/
FOOTNOTE 185 See
FOOTNOTE 186 See Section VI.A, supra. END FOOTNOTE
The Commission recognizes, however, that the risk of a data breach can impact capital formation through routes other than inefficient insurance costs and underinvestment. If Industry Members believe that the proposed amendment would significantly reduce Participants' incentives to invest in CAT security, Industry Members may be less incentivized to invest in intellectual property that could be compromised by a data breach, potentially reducing capital formation in liquidity provision on exchanges or in proprietary trading activities. The Commission believes this risk is partially mitigated because the Participants are still incentivized to secure CAT Data by other incentives that are not affected by the proposed amendment. /187/
FOOTNOTE 187 See Section VI.A, supra. END FOOTNOTE
VI. Conclusion
For the reasons set forth above, the Commission does not find, pursuant to Section 11A of the Exchange Act, and Rule 608(b)(2) thereunder, that the Proposed Amendment is consistent with the requirements of the Exchange Act and the rules and regulations thereunder applicable to an NMS plan amendment.
It is therefore ordered, pursuant to Section 11A of the Exchange Act, and Rule 608(b)(2) thereunder, that the Proposed Amendment (File No. 4-698) be, and hereby is, disapproved.
By the Commission.
Assistant Secretary.
[FR Doc. 2021-24035 Filed 11-3-21;
BILLING CODE 8011-01-P