SEC – Proposed Rules on Data Security Enhancements for CAT NMS Plan

August 22, 2020 – The SEC is taking action to limit the scope of sensitive information that CAT is required to collect and to enhance the security of the CAT and the protections afforded to CAT data. The proposal would significantly reduce the amount of sensitive data collected without affecting the operational effectiveness of CAT, and would give Participants certainty about how CAT data is protected and how it is ultimately used.

Proposed Amendments

Explicitly define the information security program by adding the Comprehensive Information Security Program (CISP), which sets forth all elements of the information security program. Require the permanent establishment of a security working group composed of CAT’s Chief Information Security Officer (CAT CISO) and the CISO (or deputy) of each SRO that is a Participant to the Plan.

Define the Secure Analytical Workspace (SAW) as an analytic environment account that is part of the CAT system, subject to the CISP, in which CAT data is accessed and analyzed. The amendments further require the CISP to establish data access and extraction policies; however, each Participant may provide and use its own software/hardware configurations and additional data within its SAW, provided those activities otherwise comply with the CISP.

Require Participants to use their SAWs for analyzing CAT data accessed through user-defined direct query and bulk extract tools, and for any customer and account data. Define the process by which Participants may be granted an exception from using the SAW for data accessed via user-defined direct query and bulk extract tools.

Limit the maximum number of records regulators may download using an online targeted query tool. Modify the Customer-ID creation process and reporting requirements in accordance with the exemptive order. Define the workflow for accessing customer and account attributes, and the restrictions on such access. Access to Customer Identifying Systems is limited to two types: manual and programmatic.

Require Participants to establish, maintain, enforce and publish identical written data confidentiality policies, and require each Participant to establish, maintain and enforce its own procedures and usage restrictions. Define Regulatory Staff; the data confidentiality policies adopted must limit access to CAT data to Regulatory Staff and to technology and operations staff, except where there is a regulatory need.

Require that CAT data be accessed only for surveillance and regulatory purposes, and forbid use of the data where that use serves both a surveillance or regulatory purpose and a commercial purpose. Modify the breach management requirements to explicitly require corrective actions, and require that breach notifications to CAT Reporters be addressed in the Processor’s cyber incident response plan.

The comment period on the amendments is open for 45 days.

