Joint Industry Plan; Order Instituting Proceedings To Determine Whether To Approve or Disapprove an Amendment to the National Market System Plan Governing the Consolidated Audit Trail

Federal Register, Apr 12, 2021
86 Fed. Reg. 19054 (Apr. 12, 2021)
April 6, 2021.

I. Introduction

On December 18, 2020, the Operating Committee for Consolidated Audit Trail, LLC (“CAT LLC”), on behalf of the following parties to the National Market System Plan Governing the Consolidated Audit Trail (the “CAT NMS Plan” or “Plan”): BOX Exchange LLC; Cboe BYX Exchange, Inc., Cboe BZX Exchange, Inc., Cboe EDGA Exchange, Inc., Cboe EDGX Exchange, Inc., Cboe C2 Exchange, Inc., Cboe Exchange, Inc., Financial Industry Regulatory Authority, Inc. (“FINRA”), Investors Exchange LLC, Long-Term Stock Exchange, Inc., Miami International Securities Exchange LLC, MEMX, LLC, MIAX Emerald, LLC, MIAX PEARL, LLC, Nasdaq BX, Inc., Nasdaq GEMX, LLC, Nasdaq ISE, LLC, Nasdaq MRX, LLC, Nasdaq PHLX LLC, The NASDAQ Stock Market LLC, New York Stock Exchange LLC, NYSE American LLC, NYSE Arca, Inc., NYSE Chicago, Inc., and NYSE National, Inc. (collectively, the “Participants,” “self-regulatory organizations,” or “SROs”) filed with the Securities and Exchange Commission (“SEC” or “Commission”) pursuant to Section 11A(a)(3) of the Securities Exchange Act of 1934 (“Exchange Act”), and Rule 608 thereunder, a proposed amendment (“Proposed Amendment”) to the CAT NMS Plan that would authorize CAT LLC to revise the Consolidated Audit Trail Reporter Agreement (the “Reporter Agreement”) and the Consolidated Audit Trail Reporting Agent Agreement (the “Reporting Agent Agreement”) to insert limitation of liability provisions (the “Limitation of Liability Provisions”). The proposed plan amendment was published for comment in the Federal Register on January 6, 2021.

The CAT NMS Plan is a national market system plan approved by the Commission pursuant to Section 11A of the Exchange Act and the rules and regulations thereunder. See Securities Exchange Act Release No. 79318 (November 15, 2016), 81 FR 84696 (November 23, 2016).

17 CFR 242.608.

See Notice of Filing of Amendment to the National Market System Plan Governing the Consolidated Audit Trail, Release No. 90826 (December 30, 2020), 86 FR 591 (January 6, 2021) (“Notice”). Comments received in response to the Notice can be found on the Commission's website at https://www.sec.gov/comments/4-698/4-698.htm.

This order institutes proceedings, under Rule 608(b)(2)(i) of Regulation NMS, to determine whether to disapprove the Proposed Amendment or to approve the Proposed Amendment with any changes or subject to any conditions the Commission deems necessary or appropriate after considering public comment.

II. Background

On July 11, 2012, the Commission adopted Rule 613 of Regulation NMS, which required the SROs to submit a national market system (“NMS”) plan to create, implement and maintain a consolidated audit trail (the “CAT” or “CAT System”) that would capture customer and order event information for orders in NMS securities. The Commission approved the CAT NMS Plan in 2016. On August 29, 2019, the Operating Committee for CAT LLC approved a Reporter Agreement that included a provision that would limit the total liability of CAT LLC or any of its representatives to a CAT Reporter under the Reporter Agreement for any calendar year to the lesser of the total of fees paid by the CAT Reporter to CAT LLC for the calendar year in which the claim arose or five hundred dollars. The Participants also required each Industry Member to execute a CAT Reporter Agreement prior to reporting data to CAT. Prior to the commencement of initial equities reporting for Industry Members on June 22, 2020, the Securities Industry and Financial Markets Association (“SIFMA”) filed pursuant to Sections 19(d) and 19(f) of the Exchange Act an application for review of actions taken by CAT LLC and the Participants (the “Administrative Proceedings”). SIFMA alleged that by requiring Industry Members to execute the Reporter Agreement as a prerequisite to submitting data to the CAT, the Participants improperly prohibited or limited SIFMA members with respect to access to the CAT System in violation of the Exchange Act. On May 13, 2020, the Participants and SIFMA reached a settlement and terminated the Administrative Proceedings, allowing Industry Members to report data to the CAT pursuant to a Reporter Agreement that does not contain a limitation of liability provision. Since that time, Industry Members have been transmitting data to the CAT.

17 CFR 242.613.

See supra note 1.

Industry Member means a member of a national securities exchange or a member of a national securities association. See CAT NMS Plan at Section 1.1.

For a more detailed description of the background for the Proposed Amendment, see Notice, supra note 4, at 86 FR 591-93.

III. Summary of Proposal

The Participants now propose to amend the CAT NMS Plan to authorize CAT LLC to revise the Reporter Agreement and Reporting Agent Agreement with the proposed Limitation of Liability Provisions. As proposed, the Limitation of Liability Provisions would: (1) Provide that CAT Reporters and CAT Reporting Agents accept sole responsibility for their access to and use of the CAT System, and that CAT LLC makes no representations or warranties regarding the CAT System or any other matter; (2) limit the liability of CAT LLC, the Participants, and their respective representatives to any individual CAT Reporter or CAT Reporting Agent to the lesser of the fees actually paid to CAT for the calendar year or $500; (3) exclude all direct and indirect damages; and (4) provide that CAT LLC, the Participants, and their respective representatives shall not be liable for the loss or corruption of any data submitted by a CAT Reporter or CAT Reporting Agent to the CAT System. The full text of the proposed Limitation of Liability Provisions appears in Appendix A to the Notice.

See Notice, supra note 4, 86 FR at 593.

See Notice, supra note 4, 86 FR at 598.

In support of the proposed amendment, the Participants state, among other things, that: (1) The proposed Limitation of Liability Provisions reflect longstanding principles of allocation of liability between industry members and self-regulatory organizations and the Participants are unaware of any context in which liability that is usually borne by Industry Members is shifted to their regulators; (2) the proposed Limitation of Liability Provisions “fall squarely within industry norms” and are consistent with exchange rules that limit liability for losses that members incur through their use of exchange facilities, provisions that FINRA members must agree to in order to comply with Order Audit Trail System (“OATS”) reporting, and other provisions in the context of regulatory and NMS reporting facilities; (3) previously granted exemptive relief that eliminated the requirement that CAT collect certain personally identifiable information, including social security numbers, makes the customer data stored in the CAT comparable to the data reported to other regulatory reporting facilities; (4) the proposed Limitation of Liability Provisions are necessary to ensure the financial stability of CAT because even though “CAT LLC has obtained the maximum extent of cyber-breach insurance coverage available and has implemented a full cybersecurity program to safeguard data stored in the CAT,” there is “the potential for substantial losses that may result from certain categories of low probability cyberbreaches.”

See Notice, supra note 4, 86 FR at 593-95.

See Notice, supra note 4, 86 FR at 593-94.

See Notice, supra note 4, 86 FR at 595.

See Notice, supra note 4, 86 FR at 595.

In addition, CAT LLC retained Charles River Associates (“Charles River”) to conduct an economic analysis of the liability issues presented by a potential CAT breach and attached the analysis to the Proposed Amendment as Appendix B to the Notice (the “CRA Paper”). The Participants state that the analyses presented in the CRA Paper support the Participants' proposal to adopt a limitation of liability provision in the CAT Reporter Agreement and show the importance of limiting CAT LLC's and each Participant's liability. The CRA Paper asserts, among other things, that, based on an examination of potential breach scenarios and a consideration of the economic and public policy elements of various regulatory and litigation approaches to mitigate cyber risk for the CAT, a limitation of liability provision would serve the public interest by facilitating the regulation of the U.S. equity and option markets at lower overall costs and higher economic efficacy than other approaches, and that the proposed limitation on liability would not undermine CAT LLC's existing and significant incentives to protect the data stored in the CAT System. The CRA Paper asserts that regulation by the SEC already properly incentivizes the Participants to recognize and address the risks that a CAT cyber breach poses to third parties such as Industry Members and that permitting litigation by Industry Members will not meaningfully increase CAT's incentives to manage its exposure to cyber risk but will significantly increase costs, which will ultimately be passed on to retail investors. Because of this, the CRA Paper asserts that solely an “ex-ante regulation” approach leads to the socially optimal outcome, in comparison to an “ex post litigation” approach in which litigation influences behaviors before a loss-producing event occurs by assigning liability afterwards, or a combination of both approaches.

See Notice, supra note 4, 86 FR at 599-624. The CRA Paper, dated December 18, 2020, is titled “White Paper: Analysis of Economic Issues Attending the Cyber Security of the Consolidated Audit Trail.”

See Notice, supra note 4, at 595-597.

IV. Summary of Comments

The Commission has received twelve comment letters, including a letter attaching an economic analysis of the Proposed Amendment. The Commission has received one response letter from the Participants.

See Letter from Ellen Greene, Managing Director, Equity and Options Market Structure, SIFMA, to Vanessa Countryman, Secretary, dated February 19, 2021, available at https://www.sec.gov/comments/4-698/4698-8394069-229410.pdf, attaching Economic Analysis of Proposed Amendment to National Market System Plan Governing the Consolidated Audit Trail, Craig M. Lewis, Ph.D., February 2021 (“Lewis Paper”).

See Letter from Michael Simon, CAT NMS Plan Operating Committee Chair, to Vanessa Countryman, Secretary, dated April 1, 2021 (“Response Letter”).

A. Comments Critical of Proposed Amendment

Nine commenters believe that the parties responsible for controlling and securing CAT Data should be liable for any failure to implement adequate security, generally arguing that it is unfair to shift liability to Industry Members for potential harm caused by the compromise of CAT Data over which they have no control or responsibility for security. Among other things, these commenters state that the SROs are exclusively responsible for maintaining the CAT System and for implementing measures to prevent breach or misuse. Four commenters believe that “[a]ligning control and liability is not only fair and equitable; it is also good policy, because it maximizes efficiencies in managing data risks inherent in the CAT System.” However, one commenter argues that the proposal shows that the SROs understand that it will be impossible for them to protect CAT Data and that a hack of CAT is inevitable.

See Lewis Paper at 3, 6; Letter from Ellen Greene, Managing Director, Equity and Options Market Structure, SIFMA, to Vanessa Countryman, Secretary, dated January 27, 2021, available at https://www.sec.gov/comments/4-698/4698-8298026-228278.pdf (“SIFMA Letter”), at 4; Letter from Joanna Mallers, Secretary, FIA Principal Traders Group, to Vanessa Countryman, Secretary, dated February 8, 2021, available at https://www.sec.gov/comments/4-698/4698-8345389-228979.pdf (“FIA PTG Letter”), at 1 (stating it “supports the comments previously filed by SIFMA”); Letter from Thomas R. Tremaine, Executive Vice President, Chief Operations Officer, Raymond James & Associates, Inc., to Vanessa Countryman, Secretary, dated February 8, 2021, available at https://www.sec.gov/comments/4-698/4698-8347733-229000.pdf (“Raymond James Letter”), at 2 (stating that it “strongly supports the points raised by SIFMA in their letter.”); Letter from Peggy L. Ho, Executive Vice President, Government Relations, LPL Financial LLC, to Vanessa Countryman, Secretary, dated January 27, 2021, available at https://www.sec.gov/comments/4-698/4698-8298412-228298.pdf (“LPL Financial Letter”), at 1 (stating “[its] support for SIFMA's comments submitted on January 27, 2021 in response to the proposed amendments to the CAT NMS Plan”); Letter from Christopher A. Iacovella, Chief Executive Officer, American Securities Association, to Vanessa Countryman, Secretary, dated January 29, 2021, available at https://www.sec.gov/comments/4-698/4698-8311307-228499.pdf (“ASA Letter”), at 2; Letter from Thomas M. Merritt, Deputy General Counsel, Virtu Financial, Inc., to Vanessa Countryman, Secretary, dated January 27, 2021, available at https://www.sec.gov/comments/4-698/4698-8298023-228258.pdf (“Virtu Letter”), at 2; Letter from Matthew Price, Fidelity Investments, to Vanessa Countryman, Secretary, dated February 2, 2021, available at https://www.sec.gov/comments/4-698/4698-8343750-228940.pdf (“Fidelity Letter”), at 2; Letter from Daniel Keegan, Managing Director, Head of North America Markets & Securities Services, to Vanessa Countryman, Secretary, dated February 25, 2021, available at https://www.sec.gov/comments/4-698/4698-8419819-229522.pdf (“Citi Letter”), at 2.

See, e.g., SIFMA Letter at 2; Virtu Letter at 3; Fidelity Letter at 2.

See SIFMA Letter at 4. See also LPL Financial Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2.

See ASA Letter at 3.

Nine commenters also express concern that shifting liability from CAT LLC to CAT Reporters would reduce the incentive of Participants to develop robust data security and risk mitigation mechanisms, and may even incentivize the Participants to de-prioritize data security. Two of these commenters characterized the economic structure of the Proposed Amendment as creating a “moral hazard,” where incentives to invest in data security are diminished because Industry Members bear the potential litigation costs of a breach or misuse of CAT Data. Another commenter argues that aligning control and liability incentivizes the optimal amount of data security and would ultimately benefit all investors.

See Lewis Paper at 5-9, 14; SIFMA Letter at 7, 9; LPL Financial Letter at 1; Raymond James Letter at 2; FIA PTG Letter at 2; Virtu Letter at 3; ASA Letter at 2; Fidelity Letter at 2; Citi Letter at 2.

See Citi Letter at 2; Lewis Paper at 9.

See Lewis Paper at 5-7.

Four commenters criticized the Proposed Amendment for proposed limitation of liability provisions that would effectively prohibit Industry Members from pursuing claims against CAT LLC and the SROs, even if there is “willful misconduct, gross negligence, bad faith or criminal acts of CAT LLC, the SROs or their representatives or employees.” These commenters further assert that the proposal would shield the SROs from liability, “not only for a breach of the CAT System by malicious third-party actors but even from the theft or other misuse of CAT Data by SRO employees” and would “effectively extinguish the liability of CAT LLC and the SROs even in instances of gross negligence or intentional misconduct.” Another commenter states that the proposal “would effectively hold brokers responsible for the malfeasance and incompetence of the SROs and their contractors” and that this would be “extremely unreasonable.” Five commenters assert that the proposed Limitation of Liability Provisions are inconsistent with industry standards, citing among other things SRO limitation of liability rules which exclude protection for willful misconduct, gross negligence, bad faith or criminal acts.

See SIFMA Letter at 5, 7-8. See also LPL Financial at 1; FIA PTG Letter at 2; Raymond James Letter at 2; Citadel Letter at 3 (stating that the provisions would protect Participants and their representatives from any and all potential misuse, including intentional misuse, of CAT Data).

See SIFMA Letter at 5. See also LPL Financial at 1; FIA PTG Letter at 2; Raymond James Letter at 2; Citadel Letter at 3.

See ASA Letter at 2.

See SIFMA Letter at 7; LPL Financial Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2; Fidelity Letter at 2.

Further, six commenters dismiss comparisons made in the Proposed Amendment to OATS limitation of liability provisions because CAT captures significantly more information than OATS, including personally identifiable information, and data reported to OATS is reported to and only used by FINRA. Commenters further state that OATS does not have the same account-level data that the CAT will collect, which could present the risk of reverse engineering of trading strategies. One commenter stated that the limitation of liability provisions for OATS were signed in 1998, and since then the landscape of cybersecurity has changed, and the frequency and scale of data breaches has increased dramatically.

See Lewis Paper at 9-10; SIFMA Letter at 8; LPL Financial Letter at 2; Raymond James Letter at 2; FIA PTG Letter at 2; Virtu Letter at 4.

See SIFMA Letter at 10; Virtu Letter at 4; LPL Financial Letter at 2; Raymond James Letter at 2; FIA PTG Letter at 2.

See Lewis Paper at 10.

Five commenters argue that the SROs have failed to explain why limitation of their liability should be imposed by contract because the SROs have immunity from liability when acting in a regulatory capacity. Four of these commenters further assert that the effort to impose liability limitations by contract “raises significant questions about whether the SROs seek to avoid liability in circumstances in which they misuse CAT Data while acting in a commercial capacity.” Another commenter frames the issue as not whether the Participants should be liable for conduct undertaken during the course of their regulatory responsibilities, but whether the Participants should be insulated from potential liability for activities not covered by regulatory immunity.

See Letter from Stephen John Berger, Managing Director, Global Head of Government & Regulatory Policy, Citadel Securities, to Vanessa Countryman, Secretary, dated February 23, 2021, available at https://www.sec.gov/comments/4-698/4698-8411798-229501.pdf (“Citadel Letter”), at 1, 3-5; SIFMA Letter at 8; LPL Financial Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2.

See SIFMA Letter at 8. See also LPL Financial Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2.

See Citadel Letter at 5.

Five commenters state that the Participants contradictorily argue that security measures are robust but that a limitation of liability is necessary due to risk of a catastrophic loss as a result of a breach or misuse of CAT Data. For example, one of these commenters notes that the Participants assert that Industry Members should not be concerned about “breach or misuse” of CAT Data due to a “robust regulatory regime governing CAT data security,” but also argue that they need limitation of liability provisions because without them the “risk of a catastrophic loss as a result of a data breach or misuse is so significant that the financial stability of the CAT would be jeopardized in the absence [of the provisions].” Additionally, eight commenters note that Participants have argued against adopting the security measures in the Proposed Amendments to the National Market System Plan Governing the Consolidated Audit Trail to Enhance Data Security, on the grounds that CAT security measures already are robust, while at the same time attempting to disclaim liability because of the high risk of a security breach.

See SIFMA Letter at 4; LPL Financial Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2; Lewis Paper at 4.

See SIFMA Letter at 4. See also LPL Financial Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2.

See Securities Exchange Act Release No. 89632 (August 21, 2020), 85 FR 65990 (October 16, 2020) (proposing to amend the CAT NMS Plan to enhance the security of the CAT and the protections afforded to CAT Data) (“Data Security Proposal”).

See Citadel Letter at 2; Lewis Paper at 4; SIFMA Letter at 7; LPL Financial Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2; Virtu Letter at 5; Fidelity Letter at 2.

B. Comments Regarding the CRA Paper

In addition to comments regarding the Proposed Amendment, commenters provided comments regarding the CRA Paper, which is summarized above in Section II and attached to the Notice as Appendix B.

See supra note 16.

Two commenters argue that the CRA Paper's conclusion that ex-ante regulation is most appropriate is wrong, and that CAT cybersecurity would benefit from both ex-ante regulation and ex-post litigation. One commenter states that permitting litigation against Participants and their representatives when they are acting outside their regulatory capacity is “crucial” and would give the Participants strong financial incentives to invest to prevent or minimize the likelihood of security failures. One commenter asserts that protecting the Participants against liability for litigation shifts liability to Industry Members for potential claims from the Industry Members' customers, and that the retention of liability for potential litigation by CAT LLC would mitigate the moral hazard problem and incent CAT LLC to invest in improvements in data security and more quickly react to changing trends and threats in cybersecurity.

See Citadel Letter at 1-2, 7; Lewis Paper at 7-9.

See Citadel Letter at 2, 7, 9-10. This commenter also asserts that the SEC has only assessed whether the existing cybersecurity framework is adequate for CAT databases (in contrast to Participants' security) and states that regulation is a slow and uncertain process that cannot keep pace with data security issues. See id. at 8.

See Lewis Paper at 7-9.

Seven commenters argue that the CRA Paper fails to consider the costs of a data breach on non-SROs, including broker-dealers and their customers. These commenters state that, while disclaiming liability by CAT LLC would reduce its costs, the liability for a potentially catastrophic loss or breach would instead be shifted to Industry Members, and the CRA Paper fails to take these costs into account. In addition, one of these commenters states that if Industry Members could not sue CAT LLC, they would have to purchase additional liability insurance since they have no ability to mitigate the security risk and no recourse to recoup any litigation-related losses from their own customers.

See Lewis Paper at 1, 8-9; SIFMA Letter at 9-10; LPL Financial Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2; Virtu Letter at 5; ASA Letter at 2. For example, one commenter asserts that the CRA Paper fails to consider the costs of a data breach on non-SROs (broker-dealers and their customers), including “damage to the brand” and “trust that broker-dealers have [built] up with their retail clients for decades.” See ASA Letter at 2.

See Lewis Paper at 4, 8.

Six commenters state that the CRA Paper only focuses on a breach by external actors and fails to address the risk of misuse of CAT data by personnel at CAT LLC and the SROs. In addition, one commenter emphasizes that the CRA Paper focuses on databases maintained by CAT LLC, not the “larger concern,” which is the potential for hackers to access CAT Data from Participant databases that have extracted data from the CAT.

See Citadel Letter at 6; SIFMA Letter at 9; LPL Financial Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2; Virtu Letter at 5. One commenter states that the CRA Paper does not provide any support for the argument that broker-dealers should be accountable for the wrongdoing or misuse of data by SRO employees or contractors. See ASA Letter at 2.

See Citadel Letter at 6-7. One commenter argues that the CRA Paper significantly overemphasizes the visibility and input into the workings of CAT provided to the industry, and asserts that there is no visibility into the security aspects of CAT. See id. at 9.

Four commenters state that the CRA Paper suggests that certain mechanisms, such as a third-party compensation program, cyber-related industry loss warranties or cyber catastrophe bonds could be used in the event of a CAT breach to compensate third parties, but the SROs have not actually proposed the adoption of any of them. These commenters assert that the Participants effectively concede that, without more, the current regulatory regime is insufficient to protect parties that are injured as a result of a CAT breach. Another commenter states that the CRA Paper provides no details regarding the insurance that CAT LLC has obtained and does not analyze whether Participants should seek insurance or the effect such insurance could have on the Participants' incentives to protect data that they extract from the CAT and store outside the CAT. Six commenters believe that it would be more appropriate for CAT LLC to purchase insurance instead of Industry Members each purchasing the same overlapping policies. One of these commenters argues that CAT LLC is able to insure more efficiently than Industry Members because CAT LLC has access to and control over CAT Data and systems and can subject itself to monitoring by an insurer.

See SIFMA Letter at 10; LPL Financial Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2.

In addition, these commenters believe the Participants would not be incented to develop any such compensation mechanisms if they are protected against liability. See supra note 49.

See Citadel Letter at 7-8. See also Lewis Paper at 13-14 (arguing that there is no basis for the claim that CAT LLC cannot obtain additional insurance). The Lewis Paper states that if purchasing additional insurance would be cost prohibitive, then the same would apply to Industry Members because the costs of insurance to CAT LLC are likely to be lower than the combined cost of Industry Members purchasing an equivalent amount of coverage. Id. at 14.

See Lewis Paper at 11; SIFMA Letter at 4-5, 8-9, 10-11; Virtu Letter at 3. See also LPL Financial Letter at 1; FIA PTG Letter at 2; Raymond James Letter at 2. One commenter expresses skepticism that Industry Members could even obtain insurance policies under the current CAT System construct, because Industry Members have no control over the data they are by law required to submit, its security or the CAT Systems. See Virtu Letter at 3.

See Lewis Paper at 12-13. See also SIFMA Letter at 4-5 (stating that requiring Industry Members to pay for and implement separate and overlapping insurance policies, if available, is inefficient and would result in substantially higher costs borne by Industry Members and by extension their customers).

Finally, two commenters criticize the breach scenarios discussed in the CRA Paper as insufficient to capture the risks. One of these commenters suggests that a breach of CAT by foreign actors, or CAT being internally compromised could lead to the “downfall” of U.S. capital markets and that the breach scenarios in the CRA Paper “grossly” underestimate national security threats. Another commenter states that the CRA Paper “avoids any serious discussion” of the risk posed by “nation state actors, like China and Russia.”

See Letter from Kelvin To, Founder and President, Data Boiler Technologies, LLC, to Vanessa Countryman, Secretary, dated January 27, 2021, at 1 and 6, available at https://www.sec.gov/comments/4-698/_4698-8311309-228460.pdf.

See ASA Letter at 2.

C. Participants' Response Letter

On April 1, 2021, the Participants submitted a letter responding to comments received regarding the Proposed Amendment. In their response, the Participants argue that following a thorough review and consideration of the issues raised by commenters, they continue to believe that the Proposed Amendment is consistent with the Exchange Act. The Participants provide further background on discussions between Participants and Industry Members, and in particular with SIFMA, stating that between August 2019 and April 2020 the Participants and SIFMA participated in numerous meetings and exchanged extensive correspondence. The Participants state that they plan to reach out to SIFMA, as they “remain willing to work with Industry Members (and any other stakeholders) in good faith to resolve the parties' remaining differing perspectives,” but stated that from August 2019 through April 2020, SIFMA's “only proposal” was to categorically reject any limitation of liability. The Participants emphasize that settlement of the Administrative Proceedings did not resolve the question of whether proposed Limitation of Liability Provisions should be included in the Reporter Agreement and the Reporting Agent Agreement.

See supra note 19.

See Response Letter at 2.

See id.

See id.

See Response Letter at 4.

The Participants reassert that the proposed Limitation of Liability Provisions are consistent with SRO limitation of liability rules, emphasizing that under those rules the SROs generally have the discretion, but not obligation, to compensate harmed Industry Members, and that this discretion only applies in very limited circumstances—namely, for system failures that impact the execution of individual orders. The Participants state that no SRO limitation of liability rule contemplates SRO liability for “catastrophic” damages resulting from the theft of Industry Members' proprietary trading algorithms. The Participants also state that the Participants consider the proposed Limitation of Liability Provisions to fall squarely within industry norms, as demonstrated by a comparison to the allocation of liability between Industry Members and SROs in other regulatory contexts, including NMS plans, regulatory reporting facilities, SRO rules and liability provisions that Industry Members use to protect themselves when they possess sensitive customer and transaction data.

See id. at 5-6. The Participants also note that during negotiations, the Participants submitted to SIFMA a term sheet that provided for a discretionary compensation mechanism modeled after SRO rules, which was rejected by SIFMA. Id. at 6.

See id. The Participants also disagree with characterizations of the Proposed Amendment as an attempt to “shift” liability from Participants to Industry Members, and instead argue that the Industry Members themselves are proposing a “shift” from the longstanding allocation of liability between Industry Member and Participants. Id. at 21.

See id. at 5-11. The Participants believe that the proposed Limitation of Liability Provisions are “substantively identical” to the liability provisions to which Industry Members regularly agree in connection with OATS reporting. Id.

The Participants reject SIFMA's suggestion that any limitation of liability provision should exclude liability for willful misconduct, gross negligence, bad faith or criminal acts of CAT LLC, the SROs or their representatives or employees. The Participants state that existing SRO liability rules approved by the Commission do not recognize such exclusions, stating that in the limited instances in which SRO liability rules permit claims for gross negligence or willful misconduct, Industry Members are often prohibited from suing an SRO for damages unless the alleged gross negligence or willful misconduct also constituted a securities law violation for which Congress has authorized a private right of action.

See id. at 7 (citing SIFMA Letter at 7-8).

See Response Letter at 6-7. Thus, the Participants believe that these provisions would not provide for liability against the self-regulatory organizations in the event of a data breach. Id. at 7-8. The Participants also note that contractual limitation of liability provisions in connection with other NMS plans and regulatory reporting facilities, including OATS, do not contain the exclusions advocated by SIFMA. Id. at 8.

The Participants also argue that modifying the proposed Limitation of Liability provisions is not supported by the CRA Paper, because such modifications would likely result in litigation over liability. According to the Participants, although they, CAT LLC, and FINRA CAT may ultimately be found not liable, such litigation would be expensive, time-consuming, distract Participants from their regulatory oversight mandate, and may open the doors of discovery to potentially malicious actors. The Participants state that the Commission's regulatory enforcement regime and the potential for severe reputational harm already sufficiently incentivize the Participants to not engage in bad faith, recklessness, gross negligence, and intentional misconduct, and so adding exclusions to the proposed Limitation of Liability provisions would not result in any meaningful improvement to the CAT's cybersecurity.

See id. at 9. The Participants note that increased costs of operating CAT would be borne by the Participants and Industry alike, which means that a limitation of liability with any categorical exclusions could result in many of the same economic harms that would occur in the absence of any limitation of liability at all. Id. The Participants also note that certain relief ordered in litigation could interfere with the Commission's oversight of the CAT. Id.

See Response Letter at 9. The Participants note that enforcement actions could be brought for cybersecurity-related violations (e.g., failure to comply with Regulation SCI) and violations of the CAT NMS Plan (e.g., for violating the CAT NMS Plan by using CAT Data for non-regulatory purposes). See id. at 25-26. The Participants also state that the purpose of the CAT and the Participants' mandate under the CAT NMS Plan is the fulfillment of regulatory functions, and not operation in connection with business activities. Id. at 22.

The Participants reject the argument that the proposed Limitation of Liability Provisions are inappropriate because the Participants and FINRA CAT control the CAT Data. The Participants believe that securities industry norms do not support the principle that the party in possession of data should bear liability in the event of a data breach, and in particular where the parties in possession of the data are acting in regulatory capacities pursuant to Commission rules. In support, the Participants state that Industry Members “routinely” disclaim liability to their underlying customers despite controlling sensitive data that could be compromised during a data breach, including their own retail customers in certain cases.

See id. at 10.

See id.

See id.

In response to concerns about the cybersecurity of CAT and concerns about the use of CAT Data, including concerns about bulk downloading and personally identifiable information, the Participants state that they are authorized to bulk download only trading data, and not customer data. The Participants also state that FINRA CAT has adopted and implemented policies, procedures, systems, and controls to address cybersecurity concerning the bulk downloading of CAT Data by the Participants. In addition, as with FINRA CAT, the Participants' cybersecurity protocols are subject to the Commission's regulatory oversight regime, including its examination and enforcement functions. The Participants further state that FINRA CAT and Participants have robust cybersecurity protocols that are designed to prevent and detect both external and internal security threats, and only regulatory users with a “need-to-know” have a basis for accessing CAT Data and are subject to comprehensive background checks. The Participants state that Industry Members have had extensive opportunities to provide input regarding the CAT's cybersecurity at every stage of the development and operation of the CAT.

See Response Letter at 11-14.

See id. at 11-12. In addition, the Participants state that, among other things, any SRO that engages in bulk downloading must have policies and procedures regarding CAT Data security that are comparable to those implemented and maintained by the Plan Processor for the Central Repository. Id. at 12.

See id. at 12.

See id. at 12-13. The Participants reassert that the customer data stored in the CAT is comparable to the data reported to other regulatory reporting facilities. Id. at 13.

See Response Letter at 14. This includes prior to approval of the CAT NMS Plan, feedback through the Advisory Committee, and the ability of Industry Members to directly petition the Commission or provide comments on any proposals offered by the Commission. Id.

The Participants disagree with commenter suggestions that CAT LLC's and certain Participants' responses to the Data Security Proposal imply that the proposed Limitation of Liability provisions are inappropriate or that the Commission's regulatory regime is insufficient to properly incentivize the Participants. The Participants state that under the current regulatory regime all interested parties, including CAT LLC and the Participants, provide feedback to the Commission regarding any proposals to the CAT's cybersecurity, allowing the Commission to use its substantive expertise and an understanding of stakeholder interests to balance all appropriate factors in identifying the CAT's cybersecurity needs. They state that allowing for litigation regarding CAT's cybersecurity would compromise the Commission's comprehensive oversight authority, and the Commission's willingness to propose potential changes highlights the sufficiency and flexibility of the regulatory regime to ensure the optimal security of CAT Data. The Participants also believe the Commission did not contemplate that the Participants could be liable for extensive monetary damages resulting from a data breach or for the costs of protracted litigation with Industry Members.

See supra note 39.

See Response Letter at 18.

See id.

See id. at 18-19. The Participants note that the Commission, in approving the CAT NMS Plan, explicitly considered the costs of a potential data breach and concluded that the overall benefits of the CAT outweighed any costs. Id.

See id. at 19.

The Participants also state that regulatory immunity does not preclude the use of contractual limitation of liability provisions and that the divergent and shifting positions from Industry Members on the applicability of regulatory immunity underscore the need for a contractual limitation of liability. The Participants state that some comments generally argue that a contractual limitation of liability is unnecessary in light of the doctrine of regulatory immunity, while other comments state the Participants should not receive either regulatory immunity or the protection of a limitation of liability provision. The Participants state that the proposed Limitation of Liability Provisions are necessary despite any regulatory immunity because even litigation which holds that regulatory immunity applies may result in significant disruption and expense (which ultimately will be passed along to Industry Members as part of CAT LLC's joint funding), and there is no guarantee that all courts would agree that the Participants' immunity defense extends to the particular claims at issue. The Participants believe that if the Commission agrees that the Participants, CAT LLC, and FINRA CAT should not be liable for monetary damages while acting to fulfill an important regulatory function in their capacities as self-regulatory organizations, the Commission's sole mechanism for ensuring that protection is to endorse the contractual proposed Limitation of Liability Provisions.

See Response Letter at 22-25.

See id. at 21-23. The Participants state that SIFMA's longstanding position is that Congress should abrogate regulatory immunity by statute. Id. at 23-24.

See id. at 23-25.

See id. at 25.

The Participants also state that some comments misunderstand the scope of the proposed Limitation of Liability Provisions. The Participants state that the proposed Limitation of Liability Provisions would not extinguish liability and only address the allocation of liability between Industry Members and the Participants. The Participants state that the Proposed Amendment would not impact the rights or obligations of third parties, including Industry Members' customers and would not extinguish the broad regulatory oversight that the Commission exercises over the CAT or potential investigation and potential enforcement action for any cybersecurity-related violations. The Participants believe that no commenters have offered any explanation as to why the SEC's regulatory regime—which includes cybersecurity protocols developed and refined based on feedback from Industry Members—is insufficient to ensure adequate cybersecurity for CAT Data, or what deficiencies in the Commission's oversight necessitate that Industry Members be afforded an unprecedented private right of action against their regulators. The Participants state that commenters are asking that their primary regulators bear any and all liability for hypothetical “black swan” cyber breaches and that such an extraordinary ask is without precedent, and that Participants, implementing a regulatory mandate in their regulatory capacities, should receive liability protections that they are customarily afforded when implementing their regulatory responsibilities pursuant to the direction and oversight of the Commission.

See Response Letter at 25-26.

See id. at 25.

See id. at 25-26.

See id. at 26.

See id. at 2. The Participants note that both the Participants and Industry Members are acting pursuant to Commission mandate, but the Participants are also fulfilling a regulatory oversight role and there is no basis for the Participants to assume liability. Id. at 21.

D. Participants' Response to Comments Regarding the CRA Paper

In the Response Letter, the Participants also provide responses to comment letters that addressed the CRA Paper. The Participants explain that the CRA Paper contains two principal analyses: (i) a “scenario analysis” in which it identified specific hypothetical breaches and assessed the relative difficulty of implementation, relative frequency, and conditional severity of each; and (ii) a consideration of whether the cyber risk presented by the CAT should be addressed by regulation, litigation, or a combination of both approaches.

See Response Letter at 15.

The Participants state that commenters that believe the CRA Paper did not address certain categories of hypothetical data breaches, and in particular breaches that originate from within FINRA CAT or Participants, misconstrue the CRA Paper's analysis. The Participants state that Charles River did not make any assumptions regarding the identity of potential bad actors or where they may work, and the CRA Paper was not intended to predict every possible scenario, but instead intended to provide an illustrative framework to assess the economic exposures that flow from the gathering, storage, and use of CAT Data. The Participants state that the CRA Paper concludes that, in light of the CAT's extensive cybersecurity and other reasons, most potential breaches are relatively low-frequency events because they are either difficult to implement, unlikely to be meaningfully profitable, or both. The Participants also believe that the CRA Paper's conclusion that allowing Industry Members to litigate against CAT LLC, the Participants, and FINRA CAT would provide minimal benefits while imposing substantial costs is not undermined to the extent that commenters identify potential breaches that were not included in Charles River's scenario analysis.

See id.

See id. (citing CRA Paper 2).

See Response Letter at 16 (citing CRA Paper at 18-32).

See Response Letter at 16.

The Participants believe that comments that criticize the CRA Paper for failing to consider the costs to individual Industry Members in the event of a CAT data breach are based on a fundamental misunderstanding of the relevant economic principles. Specifically, the CRA Paper's focus was on whether the risks of the use of CAT Data for regulatory purposes were best managed through ex ante regulation or ex post litigation, or a combination of both, and this analysis largely turns on identifying the most effective and efficient mechanisms for incentivizing CAT LLC, the Participants and FINRA CAT to take appropriate precautions. The Participants state that the CRA Paper demonstrates that the extensive regulatory regime that the SEC has enacted creates appropriate and strong incentives for the Participants to take sufficient cybersecurity precautions and to ensure that the CAT is secure, and that allowing Industry Members to litigate against Participants would create substantial costs without any corresponding benefit.

See id.

See id.

See id. at 16-17. The Participants also dispute an assertion that the CRA Paper delivered a “pre-determined conclusion.” See id. at 17 (citing ASA Letter at 2-3).

The Participants acknowledge that the CRA Paper explains that the regulatory regime is generally silent with respect to the most efficient method to compensate injured parties and that the CRA Paper offered several suggestions to cover potential losses including insurance, industry loss warranties, and catastrophe bonds. The Participants state that they are willing to discuss any of these compensation mechanisms with Industry Members and would welcome a discussion with the Commission to address the viability of these mechanisms and how they might be funded. The Participants reiterate that CAT LLC has obtained the “maximum extent of cyber-breach insurance coverage available at the time” and are willing to discuss with Industry Members and the Commission how that coverage might be used to compensate parties harmed by any potential data breach. The Participants also state that they regularly evaluate CAT LLC's insurance and intend to purchase additional coverage to the extent it becomes reasonably available.

See Response Letter at 27 (citing CRA Paper at 50-53).

See id. at 27-28. The Participants state that the Commission is empowered to bring enforcement actions for violations of cybersecurity requirements, and this authority includes the ability to order individuals and entities to disgorge ill-gotten gains which could be used to compensate harmed parties. The Participants also state that creating mechanisms to compensate Industry Members in the event of a data breach would not obviate the need for the proposed Limitation of Liability Provisions. See id. at 28.

See Response Letter at 17. See also Response Letter at 21 and 27.

See id. at 21. The Participants state that the decision to purchase the maximum coverage available is not contingent on whether they are protected by a limitation of liability provision. Id. at 27.

The Participants state that they disagree with the conclusions in the Lewis Paper and asked Charles River to respond to the issues raised within the Lewis Paper. The Participants state that the Lewis Paper appears to advocate that CAT LLC should be strictly liable for all costs associated with any CAT data breach, regardless of the facts and circumstances, without any economic analysis as to why the longstanding allocation of liability between the Participants and Industry Members should not apply here. In addition, the Participants state that the proposed Limitation of Liability Provisions do not impact the rights of Industry Members' underlying customers, and that Industry Members routinely disclaim liability to those underlying customers, which the Lewis Paper does not address. The Participants also state that the Lewis Paper does not include a scenario analysis like the CRA Paper, and the Participants state that the Lewis Paper incorrectly states that a cyber breach would likely be a single event that affects all Industry Members simultaneously, leading to the erroneous conclusion that CAT LLC is in a better position than individual Industry Members to insure against a cyber breach.

See Response Letter at 20.

See id.

See id.

See id. at 20-21.

V. Proceedings To Determine Whether To Approve or Disapprove the Proposed Amendment

The Commission is instituting proceedings pursuant to Rule 608(b)(2)(i) of Regulation NMS, and Rules 700 and 701 of the Commission's Rules of Practice, to determine whether to disapprove the Proposed Amendment or to approve the Proposed Amendment with any changes or subject to any conditions the Commission deems necessary or appropriate after considering public comment. Institution of proceedings does not indicate that the Commission has reached any conclusions with respect to any of the issues involved. Rather, the Commission seeks and encourages interested persons to provide additional comment on the Proposed Amendment to inform the Commission's analysis.

17 CFR 242.608.

17 CFR 201.700; 17 CFR 201.701.

Rule 608(b)(2) of Regulation NMS provides that the Commission “shall approve a national market system plan or proposed amendment to an effective national market system plan, with such changes or subject to such conditions as the Commission may deem necessary or appropriate, if it finds that such plan or amendment is necessary or appropriate in the public interest, for the protection of investors and the maintenance of fair and orderly markets, to remove impediments to, and perfect the mechanisms of, a national market system, or otherwise in furtherance of the purposes of the Act.” Rule 608(b)(2) further provides that the Commission shall disapprove a national market system plan or proposed amendment if it does not make such a finding. In the Notice, the Commission sought comment on the Proposed Amendment, including whether the amendment is consistent with the Exchange Act. In this order, pursuant to Rule 608(b)(2)(i) of Regulation NMS, the Commission is providing notice of the grounds for disapproval under consideration:

See id.

See Notice, supra note 4, 86 FR at 598.

17 CFR 242.608(b)(2)(i). See also Commission Rule of Practice 700(b)(2), 17 CFR 201.700(b)(2).

  • Whether, consistent with Rule 608 of Regulation NMS, the Proposed Amendment is necessary or appropriate in the public interest, for the protection of investors and the maintenance of fair and orderly markets, to remove impediments to, and perfect the mechanisms of, a national market system, or otherwise in furtherance of the purposes of the Act, specifically regarding:

○ Whether the impact of the proposed Limitation of Liability Provisions on the incentives of the Participants to ensure the security of the CAT and CAT Data is necessary or appropriate in the public interest, for the protection of investors and the maintenance of fair and orderly markets, to remove impediments to, and perfect the mechanisms of a national market system, or otherwise in furtherance of the purposes of the Act;

○ whether the Proposed Amendment is necessary or appropriate in the public interest, for the protection of investors and the maintenance of fair and orderly markets, to remove impediments to, and perfect the mechanisms of a national market system, or otherwise in furtherance of the purposes of the Act in light of any regulatory immunity applicable to the Participants; and

○ whether the application of the proposed Limitation of Liability Provisions to willful misconduct, gross negligence, bad faith or criminal acts is necessary or appropriate in the public interest, for the protection of investors and the maintenance of fair and orderly markets, to remove impediments to, and perfect the mechanisms of a national market system, or otherwise in furtherance of the purposes of the Act;

  • Whether, and if so how, the Proposed Amendment would affect efficiency, competition or capital formation;
  • Whether modifications to the Proposed Amendment, or conditions to its approval, would be necessary or appropriate in the public interest, for the protection of investors and the maintenance of fair and orderly markets, to remove impediments to, and perfect the mechanisms of, a national market system, or otherwise in furtherance of the purposes of the Act.

VI. Commission's Solicitation of Comments

The Commission requests that interested persons provide written submissions of their views, data, and arguments with respect to the issues identified above, as well as any other concerns they may have with the proposals. In particular, the Commission invites the written views of interested persons concerning whether the proposals are consistent with Section 11A or any other provision of the Act, or the rules and regulations thereunder. Although there do not appear to be any issues relevant to approval or disapproval that would be facilitated by an oral presentation of views, data, and arguments, the Commission will consider, pursuant to Rule 608(b)(2)(i) of Regulation NMS, any request for an opportunity to make an oral presentation.

Rule 700(c)(ii) of the Commission's Rules of Practice provides that “[t]he Commission, in its sole discretion, may determine whether any issues relevant to approval or disapproval would be facilitated by the opportunity for an oral presentation of views.” 17 CFR 201.700(c)(ii).

Interested persons are invited to submit written data, views, and arguments regarding whether the proposals should be approved or disapproved by May 3, 2021. Any person who wishes to file a rebuttal to any other person's submission must file that rebuttal by May 17, 2021. Comments may be submitted by any of the following methods:

Electronic Comments

  • Use the Commission's internet comment form (http://www.sec.gov/rules/sro.shtml); or
  • Send an email to rule-comments@sec.gov. Please include File Number 4-698 on the subject line.

Paper Comments

  • Send paper comments in triplicate to: Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549-1090.

All submissions should refer to File Number 4-698. This file number should be included on the subject line if email is used. To help the Commission process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission's internet website (http://www.sec.gov/rules/sro.shtml). Copies of the submission, all subsequent amendments, all written statements with respect to the proposed rule change that are filed with the Commission, and all written communications relating to the proposed rule change between the Commission and any person, other than those that may be withheld from the public in accordance with the provisions of 5 U.S.C. 552, will be available for website viewing and printing in the Commission's Public Reference Room, 100 F Street NE, Washington, DC 20549 on official business days between the hours of 10:00 a.m. and 3:00 p.m. Copies of the filing also will be available for inspection and copying at the Participants' principal offices. All comments received will be posted without change. Persons submitting comments are cautioned that we do not redact or edit personal identifying information from comment submissions. You should submit only information that you wish to make available publicly. All submissions should refer to File Number 4-698 and should be submitted on or before May 3, 2021.

For the Commission, by the Division of Trading and Markets, pursuant to delegated authority.

J. Matthew DeLesDernier,

Assistant Secretary.

[FR Doc. 2021-07390 Filed 4-9-21; 8:45 am]
