Seven Republican senators, led by John Neely Kennedy (La.), sent a letter Wednesday to SEC Chairman Jay Clayton objecting to plans for the new database — called the Consolidated Audit Trail (CAT) — designed to collect the personally identifiable information of every American who has money in the stock market. Following through on those plans would create a target that hackers from China or any other country would find too attractive to ignore, they argue.
The database “is just a sitting duck waiting for the Chinese to infiltrate,” Kennedy told me. “The CAT is a vulnerable target full of personal data, which makes it a very attractive target for Chinese hackers. . . . People shouldn’t have to worry about their personal data being hacked when they’re working toward building up a financial portfolio or saving for retirement.”
The CAT database is a troubled project that was originally initiated in 2008 but gained traction after the 2010 Wall Street “flash crash,” when the market lost over $1 trillion in minutes. By contrast, it took years for investigators to figure out a trader in his parents’ basement had played a major role.
The idea is to create one massive database to which brokerages and exchanges send all data on all equity and options trades. The troubled project has faced long delays, and the lead contractor was dismissed earlier this year. The project is now managed by the Financial Industry Regulatory Authority (FINRA), a little-known private organization under the SEC.
The senators’ letter proposes keeping the CAT database, but also advises that it should not be filled with the personal information of millions of American retail investors. In the years since the database was conceived, they argue, the whole issue of protecting personal data has changed. And that’s not even to mention that the U.S. government has now shown it can’t protect Americans’ sensitive data from Chinese hackers.
Chinese hackers stole 22 million sensitive personal records from the Office of Personnel Management in 2015. Chinese hackers stole the data of over 100,000 Navy personnel last year. The Chinese People’s Liberation Army cyber-command is “fully institutionalized” inside the Chinese Communist Party and is able to leverage Chinese companies to aid its offensive and illegal operations, according to a recent research report.
“Chinese hackers could use this information to manipulate or disrupt our equity markets, trade stocks based on material, nonpublic information, steal entire portfolios and sell them on the dark web, or blackmail American citizens,” the letter from the senators states.
Christopher A. Iacovella, CEO of the American Securities Association, said that if the CAT has every investor’s private information, it’s the equivalent of an “all-you-can-steal database.” His group argues that even without this information, regulators and investigators would still be able to do their jobs.
“Removing retail investor [personal data] protects investors while balancing regulatory and national security concerns,” he said.
Peter J. Wallison, a senior fellow at the American Enterprise Institute, told me that although concerns about Chinese hacking are legitimate, there are also domestic reasons many oppose building the CAT database in its currently proposed form.
“The industry has always been unhappy about the CAT. It’s a gigantically expensive thing for them,” he said. “The CAT will make things easier for the enforcement division, but at the same time, it will create more liabilities and risks for people trading in the markets.”
While oversight and regulation of Wall Street transactions are important, they must be balanced with national security concerns. Beijing’s strategy to use all means available to collect sensitive data on Americans must be confronted on a policy and defense level. Until that happens, though, there’s no reason to make it easier for them. Those seven Republican senators are on the right track.