SIFMA Wins SEC Order in High-Stakes Liability Dispute With National Securities Exchanges

Representing the U.S. broker-dealer industry and its industry organization Securities Industry and Financial Markets Association (SIFMA), Paul, Weiss secured a favorable order by the Securities and Exchange Commission in a high-stakes liability dispute with the national securities exchanges.

The dispute concerns which party—the exchanges or SIFMA members—should bear liability for a potential data security breach related to the transmission of securities transaction data by SIFMA members as part of a massive SEC-mandated data reporting effort known as the Consolidated Audit Trail (CAT).

In 2012, following the “flash crash” of 2010 in which U.S. stock markets temporarily lost approximately $1 trillion in market value, the SEC directed the securities exchanges and their associated self-regulatory organizations (SROs) to develop and implement CAT so that regulators can efficiently and accurately track all U.S. trading activity for equities and listed options. Once completed, the CAT system is likely to be the most extensive collection of order and trade data ever assembled and will include highly sensitive and proprietary information relating to securities broker-dealers and their customers; an estimated 58 billion data points will be collected each day when it is in full operation. It therefore poses serious data security, privacy and proprietary trading concerns.

In December 2020, the exchanges filed public notice to the SEC of a proposed amendment to the plan governing the CAT regulatory reporting tool that would have all but eliminated the exchanges’ liability over potential breaches, even in cases of gross negligence or willful misconduct by SRO employees. In response, SIFMA, looking to Paul, Weiss, filed a comment letter and an expert report by a former SEC economist, Craig Lewis. In its papers, SIFMA argued that the amendment is fundamentally unfair and inefficient, and created a public hazard, because it would impose all the data breach risk on the parties that don’t control the data—the broker-dealers—rather than the exchanges and their SROs, which under the plan have the exclusive responsibility for maintaining the CAT and implementing data protection measures.

In its order on October 29, the SEC rejected the exchanges’ attempts to foist liability on the reporting members, citing the SIFMA comment letter and expert report scores of times. “The Commission believes that the [SRO] Participants have not met their burden to demonstrate that the Proposed Amendment is consistent with the Exchange Act. Accordingly, the Commission cannot make the finding that the Proposed Amendment is necessary or appropriate in the public interest, for the protection of investors and the maintenance of fair and orderly markets, to remove impediments to, and perfect the mechanisms of, a national market system, or otherwise in furtherance of the purposes of the Exchange Act.”

The order follows an earlier, highly favorable settlement Paul, Weiss and SIFMA struck with the SROs in July 2020 over the SROs’ attempt to impose this new liability shift outside the SEC’s official rulemaking process. At the time, SIFMA argued that the SROs had not filed the agreement for notice and comment, as required by the Exchange Act, and so the agreement had not been properly approved by the SEC. The exchanges agreed to withdraw all the liability language from the agreement with the reporting members. The exchanges subsequently went through the SEC rulemaking process in a second attempt to accomplish the same transfer of liability via an amendment to the CAT reporting plan, leading to the SEC’s recent order.

The Paul, Weiss team includes partners Lorin Reisner, David Huntington and Jeffrey Recher.

» read the SEC order here