Supporting Statement CAT Data Security (New Request-- Proposed Rule)

Amendments to the National Market System Plan Governing the Consolidated Audit Trail to Enhance Data Security

OMB: 3235-0781
SUPPORTING STATEMENT for the Paperwork Reduction Act Information Collection
Submission for Amendments to the National Market System Plan Governing the
Consolidated Audit Trail to Enhance Data Security
New Request—Proposed Rule
This submission is being made pursuant to the Paperwork Reduction Act of 1995, 44
U.S.C. Section 3501 et seq.
A. JUSTIFICATION

1. Necessity of Information Collection

The Securities and Exchange Commission (“Commission” or “SEC”) recently proposed amendments to the national market system plan governing the consolidated audit trail (“the CAT”), which was originally filed with the Commission in 2015 to comply with the requirements of Rule 613.[1] The Commission adopted Rule 613 in 2012 to improve the completeness, accuracy, accessibility, and timeliness of existing audit trail systems.[2] Rule 613 directed each national securities exchange and national securities association (collectively, the “Participants”) to create a national market system plan to adopt a consolidated audit trail (the “CAT NMS Plan”),[3] and this plan was approved by the Commission on November 15, 2016.[4] The consolidated audit trail (the “CAT”) was intended to create a system that provides regulators with more timely access to a sufficiently comprehensive set of trading data, enabling regulators to more efficiently and effectively reconstruct market events, monitor market behavior, and identify and investigate misconduct.[5]

The CAT NMS Plan approved by the Commission already sets forth a number of requirements regarding the security and confidentiality of CAT Data.[6] Nevertheless, the Commission believes that it can and should take additional steps to further protect the security and confidentiality of CAT Data. Accordingly, pursuant to the statutory authority provided by the Exchange Act,[7] including Sections 11A(a)(3)(B),[8] 17(a),[9] 19(b),[10] and 23(a)[11] thereof, and pursuant to Rule 608(a)(2) and (b)(2),[12] the Commission proposed to amend the CAT NMS Plan to enhance the security of CAT Data on [date].[13]

[1] See 17 CFR 242.613; see also Securities Exchange Act Release No. 67457 (July 18, 2012), 77 FR 45722, 45722 (August 1, 2012) (“Rule 613 Adopting Release”).
[2] See id.
[3] Id.
[4] See Securities Exchange Act Release No. 78318 (November 15, 2016), 81 FR 84696 (November 23, 2016) (“CAT NMS Plan Approval Order” or “CAT NMS Plan”).
[5] See Rule 613 Adopting Release, supra note 2, at 45723, 45730-33.
[6] “CAT Data” means “data derived from Participant Data, Industry Member Data, SIP Data, and such other data as the Operating Committee may designate as “CAT Data” from time to time.” See CAT NMS Plan, supra note 4, at Section 1.1.
The proposed amendments to the CAT NMS Plan would require 31 new collections of information, and these collections of information will cover ten (10) data security areas:
a. Evaluation of the Comprehensive Information Security Plan. Section 6.6(b)(ii)(B)(3) of the CAT NMS Plan currently requires the Chief Compliance Officer[14] (the “CCO”) to oversee the regular written assessment of the performance of the Plan Processor.[15] The proposed amendments would newly require the CCO to evaluate elements of the Comprehensive Information Security Program (the “CISP”) that relate to secure analytical workspaces (“SAWs”) that would be provided by the Plan Processor under the proposed amendments. The proposed amendments would also newly require the CCO, in collaboration with the Chief Information Security Officer (the “CISO”),[16] to include in this evaluation a review of the quantity and type of CAT Data extracted from the CAT System[17] to assess the security risk of permitting such CAT Data to be extracted and to identify any appropriate corrective measures. The Participants, under the existing provisions of the CAT NMS Plan, would be entitled to review and comment on these new elements of the written assessment of the Plan Processor’s performance.

b. Security Working Group. Proposed Section 4.12(c) would require the proposed Security Working Group to advise the CISO and the Operating Committee,[18] including with respect to certain information security and technology issues. The proposed amendments would also require the CISO to apprise the Security Working Group of relevant developments and to provide it with all information and materials necessary to fulfill its purpose.

c. SAWs. There are a number of information collections related to the proposed SAWs, all of which are set forth in proposed Section 6.13.

    i. Policies, Procedures, and Detailed Design Specifications. Proposed Section 6.13(a) would require the Plan Processor to develop a CISP that would apply to SAWs and, more specifically, that would include data access and extraction policies and procedures and security controls, policies, and procedures for SAWs. Under proposed Section 6.13(b), the Plan Processor would also be required to develop, maintain, and make available to Participants detailed design specifications for the technical implementation of the access, monitoring, and other controls required for SAWs by the CISP.

    ii. Implementation and Operation Requirements. Proposed Section 6.13(b) would also require the Plan Processor to notify the Operating Committee once a Participant’s SAW has achieved compliance with the detailed design specifications. In addition, the Plan Processor would be required under proposed Section 6.13(c) to monitor each Participant’s SAW in accordance with these detailed design specifications and to notify the Participant of any identified non-compliance with the CISP or the detailed design specifications.

[7] See 15 U.S.C. 78a.
[8] See 15 U.S.C. 78k-1(a)(3)(B).
[9] See 15 U.S.C. 78q(a).
[10] See 15 U.S.C. 78s(b).
[11] See 15 U.S.C. 78w(a).
[12] See 17 CFR 242.608(a)(2), (b)(2).
[13] See Securities Exchange Act Release No. __ (date), __ FR __ (date) (File No. __) (“Proposing Release”).
[14] “Chief Compliance Officer” means “the individual then serving (even on a temporary basis) as the Chief Compliance Officer pursuant to Section 4.6, Section 6.1(b), and Section 6.2(a).” See CAT NMS Plan, supra note 4, at Section 1.1.
[15] “Plan Processor” means “the Initial Plan Processor or any other Person selected by the Operating Committee pursuant to SEC Rule 613 and Sections 4.3(b)(i) and 6.1, and with regard to the Initial Plan Processor, the Selection Plan, to perform the CAT processing functions required by SEC Rule 613 and set forth in this Agreement.” See id.
[16] “Chief Information Security Officer” means “the individual then serving (even on a temporary basis) as the Chief Information Security Officer pursuant to Section 4.6, Section 6.1(b), and Section 6.2(b).” See id.
[17] “CAT System” means “all data processing equipment, communications facilities, and other facilities, including equipment, utilized by the Company or any third parties acting on the Company’s behalf in connection with operation of the CAT and any related information or relevant systems pursuant to this Agreement.” See id.
[18] “Operating Committee” means “the governing body of the Company designated as such and described in Article IV.” See id. The Operating Committee consists of one voting member representing each Participant and one alternative voting member representing each Participant who has the right to vote in the absence of that Participant’s voting member of the Operating Committee. See id. at Section 4.2.

    iii. Non-SAW Environments. Proposed Section 6.13(d) would require Participants seeking an exception from certain SAW usage requirements to provide the CISO, the CCO, the members of the Security Working Group (and their designees), and Commission observers of the Security Working Group with various application materials. The CISO and CCO would then be required to review these materials and to issue a determination in accordance with policies and procedures developed by the Plan Processor. As part of this process, the CISO and the CCO would be required to provide the requesting Participant with a detailed written explanation setting forth the reasons for that determination and, for applications that are denied, to specifically identify the deficiencies that must be remedied before an exception could be granted. Finally, the proposed amendments would set forth certain implementation and operation requirements for approved non-SAW environments that largely mirror those set forth for SAWs, as well as a requirement that the Participant notify the Plan Processor, the Security Working Group (and their designees), and Commission observers of the Security Working Group of any material changes to its security controls for the non-SAW environment.

d. Online Targeted Query Tool and Logging of Access and Extraction. The CAT NMS Plan currently requires the targeted online query tool to log submitted queries, query parameters, the user ID of the submitter, the date and time of the submission, and the delivery of results,[19] and requires that the Plan Processor provide monthly reports based on this information to each Participant, the SEC and the Operating Committee. The Commission proposes to modify these requirements by defining the term “delivery of results” as “the number of records in the result(s) and the time it took for the query to be performed” and requiring that access and extraction of CAT Data be logged.[20] This change would also require the same logging of access and extraction of CAT Data from user-defined direct queries and bulk extraction tools.

e. Customer and Account Attributes. There are two information collections related to the proposed amendments regarding Customer and Account Attributes.

    i. Reporting the Transformed Value. The CAT NMS Plan currently requires that Industry Members[21] report a Customer’s SSN or ITIN as part of the information necessary for the Plan Processor to create a Customer-ID.[22] The Commission proposes to amend the Plan to require the Participants to adopt compliance rules to require Industry Members to use the CCID Transformation Logic,[23] in conjunction with an API provided by the Plan Processor, to transform their Customer’s SSN/ITIN using the CCID Transformation Logic to create a Transformed Value and then report that Transformed Value to the CCID Subsystem. Once the Transformed Value is reported to the CCID Subsystem, the CCID Subsystem would perform another transformation of the Transformed Value to create a globally unique Customer-ID for each Customer.

    ii. Regular Written Assessment. The CAT NMS Plan currently requires the CCO to oversee the Regular Written Assessment of the Plan Processor’s performance, which must be provided to the Commission at least annually and which must include an evaluation of the performance of the CAT.[24] The Commission proposes to amend the Plan to require that the overall performance and design of the CCID Subsystem and the process for creating Customer-ID(s) be included in the annual Regular Written Assessment of the Plan Processor, as required by Article VI, Section 6.6(b)(ii)(A).

f. Customer Identifying Systems Workflow. There are two information collections related to the proposed amendments regarding the Customer Identifying Systems:

    i. Audit Trail. The current CAT NMS Plan requires that a full audit trail of PII access (who accessed what data, and when) be maintained, and that the CCO and the CISO have access to daily PII reports that list all users who are entitled to PII access, as well as the audit trail of all PII access that has occurred for the day.[25] The proposed amendments require that the Plan Processor maintain an audit trail of access to Customer Identifying Systems by each Participant and the Commission (who accessed what data within each Participant, and when), and require that the Plan Processor maintain the full audit trail of access and provide such audit trail to each Participant and the Commission for their respective users on a monthly basis. The amendments also will require that the CCO and the CISO provide the daily reports that list all users who are entitled to Customer Identifying Systems access to the Operating Committee on a monthly basis.

    ii. Application for Programmatic Access. The proposed amendments require that each Participant submit an application that has been approved by the Participant’s Chief Regulatory Officer (or similarly designated head(s) of regulation) to the Commission for authorization to use Programmatic Customer and Account Information System (“CAIS”) Access or Programmatic CCID Subsystem Access if a Participant requires programmatic access.

g. Data Confidentiality Policies, Procedures and Usage Restrictions. The Commission is proposing to amend Section 6.5(g)(i) of the CAT NMS Plan to modify and enhance existing provisions and require the Participants to create and maintain identical confidentiality and related policies (“Data Confidentiality Policies”). There are three information collections related to the proposed Data Confidentiality Policies:

    i. Data Confidentiality Policies – Identical Policies. Proposed Section 6.5(g)(iv) would require that the Data Confidentiality Policies be identical and made publicly available on each of the Participants’ websites, or collectively on the CAT NMS Plan website, redacted of sensitive proprietary information. The Commission proposes Sections 6.2(a)(v)(R) and 6.2(b)(viii) in the CAT NMS Plan to require both the CISO and the CCO of the Plan Processor to review the Data Confidentiality Policies. In addition, the Commission proposes to require that the CCO of the Plan obtain assistance and input from the Compliance Subcommittee, and require that the policies required by proposed Section 6.5(g)(i) of the CAT NMS Plan be subject to review and approval by the Operating Committee, after review by the CISO and CCO.

    ii. Data Confidentiality Policies – Procedures and Usage Restrictions. Proposed Section 6.5(g)(i) would require each Participant to establish, maintain and enforce procedures and usage restriction controls in accordance with the Data Confidentiality Policies. Proposed Section 6.5(g)(ii) would require the Participant to periodically review the effectiveness of the policies and procedures and usage restriction controls required by Section 6.5(g)(i), including by using the monitoring and testing protocols documented within the policies pursuant to Section 6.5(g)(i)(K), and take prompt action to remedy deficiencies in such policies, procedures and usage restriction controls. In addition, proposed Section 6.5(g)(iii) would require that each Participant, as soon as reasonably practicable, and in any event within 24 hours, report to the Chief Compliance Officer, in accordance with the guidance provided by the Operating Committee, any instance of which such Participant becomes aware of: (A) noncompliance with the policies and procedures adopted by such Participant pursuant to Section 6.5(g)(i); or (B) a breach of the security of the CAT.

    iii. Data Confidentiality Policies – Examination Report. Proposed Section 6.5(g)(v) would require that, on an annual basis, each Participant engage an independent accountant to perform an examination of compliance with the policies required by Section 6.5(g)(i) in accordance with attestation standards of the American Institute of Certified Public Accountants (“AICPA”) (referred to as U.S. Generally Accepted Auditing Standards or GAAS) or the Public Company Accounting Oversight Board (“PCAOB”), and with Commission independence standards based on SEC Rule 2-01 of Regulation S-X.[26] The examination results shall be submitted to the Commission upon completion, in a text-searchable format (e.g., text-searchable PDF).

h. Secure Connectivity – Allow Listing. The Commission is proposing to amend Appendix D, Section 4.1.1 of the CAT NMS Plan to require “allow listing.” Specifically, the Commission proposes to require that for all connections to CAT infrastructure, the Plan Processor must implement capabilities to allow access (i.e., “allow list”) only to those countries where CAT reporting or regulatory use is both necessary and expected. In addition, proposed Appendix D, Section 4.1.1 would require, where possible, more granular allow listing to be implemented (e.g., by IP address). Lastly, the Plan Processor would be required to establish policies and procedures to allow access if the source location for a particular instance of access cannot be determined technologically.

i. Breach Management. Appendix D, Section 4.1.5 of the CAT NMS Plan requires the Plan Processor to develop policies and procedures governing its responses to systems or data breaches, including a formal cyber incident response plan, and documentation of all information relevant to breaches.[27] The Commission is proposing amendments and there are two information collections related to Breach Management:

    i. Breach Management – Policies and Procedures. The Commission proposes to require that the formal cyber incident response plan incorporate corrective actions and breach notifications. As proposed, the Plan Processor would be allowed to delay breach notifications “if the Plan Processor determines that dissemination of such information would likely compromise the security of the CAT System or an investigation of the systems or data breach, and documents the reasons for such determination.” The proposal would further require affirmative documentation of the reasons for the Plan Processor’s determination to delay a breach notification. In addition, breach notifications would not be required for systems or data breaches “that the Plan Processor reasonably estimates would have no or a de minimis impact on the Plan Processor’s operations or on market participants.” For a breach that the Plan Processor believes to be a de minimis breach, the Plan Processor would be required to document all information relevant to such breach.

    ii. Breach Management – Breach Notifications. The Commission proposes to require the Plan Processor to provide breach notifications of systems or data breaches to CAT Reporters that it reasonably estimates may have been affected, as well as to the Participants and the Commission, promptly after any responsible Plan Processor personnel have a reasonable basis to conclude that a systems or data breach has occurred.

j. Customer Information for Allocation Report FDIDs. Proposed Section 6.4(d)(ii)(C) would explicitly require that Customer and Account Attributes be reported for Firm Designated IDs submitted in connection with Allocation Reports, and not just for FDIDs submitted in connection with the original receipt or origination of an order. Specifically, proposed Section 6.4(d)(ii)(C), as amended, of the CAT NMS Plan would state that each Participant shall, through its Compliance Rule, require its Industry Members to record and report, for original receipt or origination of an order and Allocation Reports, the Firm Designated ID for the relevant Customer, and in accordance with Section 6.4(d)(iv), Customer and Account Attributes for the relevant Customer.

[19] See CAT NMS Plan, supra note 4, at Appendix D, Section 8.1.1.
[20] See proposed Appendix D, Section 8.1.1.
[21] “Industry Member” is a defined term under the CAT NMS Plan and means “a member of a national securities exchange or a member of a national securities association.” See CAT NMS Plan, supra note 4, at Article I, Section 1.1.
[22] See CAT NMS Plan, supra note 4, at Appendix D, Section 9.1.
[23] “CCID Transformation Logic” would be defined to mean the mathematical logic identified by the Plan Processor that accurately transforms an ITIN/SSN/EIN into a Transformed Value(s) for submission to the CCID Subsystem as set forth in Appendix D, Section 9.1. The Commission is proposing that the CCID Transformation Logic will be embedded in the CAT Reporter Portal or used by the Industry Member in machine to machine processing. See proposed Appendix D, Section 9.1.
[24] See CAT NMS Plan, supra note 4, Section 6.6(b)(ii)(A).
[25] See CAT NMS Plan, supra note 4, Appendix D, Section 4.1.6 (PII Data Requirements).
[26] See 17 CFR 210.2-01.
[27] See CAT NMS Plan, supra note 4, at Appendix D, Section 4.1.5. The cyber incident response plan is subject to review by the Operating Committee. See id.
2. Purpose and Use of the Information Collection

The Commission believes that the proposed amendments enhance the security of CAT Data. Specifically, the above amendments would collect information to be used in the following ways:

a. Evaluation of the CISP. The proposed evaluation would improve the security of CAT Data by facilitating Commission oversight of the security risks posed by the extraction of CAT Data.

b. Security Working Group. The proposed amendments would help to keep the Security Working Group adequately informed about issues that fall within its purview which, in turn, should enable the Security Working Group to provide the CISO and the Operating Committee with valuable feedback regarding the security of the CAT.

c. SAWs. By requiring the development of policies, procedures, and design specifications that would implement the CISP, the proposed amendments are designed to better protect CAT Data. The implementation and operation requirements for SAWs are likewise designed to protect CAT Data by requiring that SAWs are correctly implemented and monitored and that Participants are notified of non-compliance. Finally, the requirements for non-SAW environments are designed to facilitate a fair and transparent application and review process.

d. Online Targeted Query Tool and Logging of Access and Extraction. The proposed amendment would enhance the logging information provided to Participants and will assist in the identification of potential issues relating to the security of, or access to, CAT Data.

e. Customer and Account Attributes. The proposed amendments requiring the reporting of Transformed Values will obviate the need for the CAT to collect certain sensitive pieces of identifying information associated with a natural person Customer (e.g., the ITIN/SSN); the amendments requiring an assessment of the overall performance and design of the CCID Subsystem and the process for creating Customer-ID(s) in the required written assessment will facilitate an assessment of the overall performance and design of the CCID Subsystem, including the ingestion of the Transformed Value and the subsequent creation of an accurate Customer-ID, to confirm the CCID Subsystem is operating as intended, or whether any additional measures should be taken to address the creation and protection of Customer-IDs.
f. Customer Identifying Systems Workflow. The proposed amendments requiring that an audit trail of access be provided to each Participant and the Commission for their respective users on a monthly basis, and requiring that the list of all users who are entitled to Customer Identifying Systems access be provided to the Operating Committee on a monthly basis, will help to confirm that only Regulatory Staff who are entitled to access Customer Identifying Systems have such access. The proposed amendments requiring each Participant to submit an application to use programmatic access will help ensure that only Participants that require such access have such access.

g. Data Confidentiality Policies, Procedures and Usage Restrictions. The proposed amendments will provide an annual examination report to the Commission regarding compliance with the data confidentiality policies.

h. Secure Connectivity – Allow Listing. The proposed amendment would enhance the security of CAT infrastructure and connections to the CAT infrastructure by requiring the Plan Processor to limit access to the CAT infrastructure based on the geolocation of the IP addresses of authorized end users and CAT Reporters.

i. Breach Management. The proposed amendments would obligate the Plan Processor to respond to systems or data breaches with appropriate steps necessary to remedy each systems or data breach and mitigate the negative effects of the breach. Breach notifications could potentially allow affected CAT Reporters, Participants and/or the Commission to proactively respond to the information in a way that mitigates any potential harm to themselves, customers, investors and the public.

j. Customer Information for Allocation Report FDIDs. The proposal will help ensure that Industry Members report Customer and Account Attributes for Firm Designated IDs submitted in connection with Allocation Reports.

3. Consideration Given to Improved Information Technology

The proposed amendments use information technology to lessen the burden on the Participants. While items filed with the Commission are still generally submitted in paper format, the Participants generally also submit courtesy copies to the Commission in electronic form, lessening the need for any additional copying or scanning.

The Commission notes that many of the information collections can be completed or performed electronically, without paper distribution. For instance, instead of requiring the collection of SSNs, the proposed amendments provide that a Transformed Value would be collected. This Transformed Value would be generated through an automated process. The Data Confidentiality Policies are required to be made public on a website, and the required examination report of compliance with such policies and related procedures and usage restriction controls will be required to be emailed to the Commission in a text-searchable format (e.g., a text-searchable PDF). The Commission further notes that it does not prohibit the Participants from using any kind of information technology to facilitate the collection and/or preparation of the information required by the proposed amendments.
4. Duplication

The proposed amendments would not result in, or require the collection of, duplicate information that is otherwise available in a similar form.

5. Effects on Small Entities

The proposed amendments would have an effect on small entities. Commission rules generally define a broker-dealer as a small entity for purposes of the Exchange Act and the Regulatory Flexibility Act if the broker-dealer had a total capital of less than $500,000 on the date in the prior fiscal year as of which its audited financial statements were prepared, and it is not affiliated with any person (other than a natural person that is not a small entity).

The amendments require self-regulatory organizations (“SROs”) to adopt compliance rules that require their members to report a Transformed Value, rather than a Customer’s SSN/ITIN, to the CAT in order to create a globally unique Customer-ID for every Customer. These rules would apply to all broker-dealers, including those broker-dealers that are small entities. The Commission estimates, based on FOCUS filings with the Commission, that as of the third quarter of 2019, there were approximately 925 Commission-registered broker-dealers that would be considered small entities for purposes of the statute. Each of these broker-dealers, assuming that they would be subject to CAT reporting obligations,[28] would be responsible for complying with the proposed amendments that require the reporting of a Transformed Value. The Commission believes, however, that the reporting requirements related to the Transformed Value are not unduly burdensome for all broker-dealers, including broker-dealers that would be considered small entities, particularly in relation to the important objectives served by avoiding the need for the CAT to collect a Customer’s SSN/ITIN.

[28] The Commission understands that some registered broker-dealers either trade in asset classes not currently included in the definition of Eligible Security or do not trade at all (e.g., broker-dealers for the purposes of underwriting, advising, private placements).

6. Consequences of Not Conducting Collection

The CAT NMS Plan approved by the Commission already sets forth a number of requirements regarding the security and confidentiality of CAT Data. Nevertheless, the Commission believes that it can and should take additional steps to further protect the security and confidentiality of CAT Data.

7. Inconsistencies with Guidelines in 5 CFR 1320.5(d)(2)

Under existing rules and regulations, information collected pursuant to the proposed amendments would be required to be retained for more than three years. National securities exchanges and national securities associations would be required to retain records and information pursuant to Rule 17a-1 under the Exchange Act, which would require the retention of records for a period of not less than five years.[29] The Plan Processor would be required to retain the information reported pursuant to Rule 613(c)(7) and (e)(6) for a period of not less than five years.[30] The proposed amendments do not change or alter these obligations.

In addition, certain information collections may require the Participants to submit confidential information to the Commission, including: the evaluation of the Plan Processor’s performance under proposed Section 6.6(b)(ii)(B)(3), the examination reports required by proposed Section 6.5(g)(v), the application materials for non-SAW environments as required under proposed Section 6.13(d), the annual Regular Written Assessment of the Plan Processor under proposed Section 6.6(b)(ii)(A), and the application for Programmatic CAIS Access and Programmatic CCID Subsystem Access under proposed Appendix D, Section 4.1.6. To the extent the Commission receives confidential information pursuant to the CAT NMS Plan, such information will be kept confidential, subject to the provisions of applicable law.

The information collection “Online Targeted Query Tool – Logging of Access and Extraction” requires respondents to report and review information more frequently than quarterly; specifically, this logging information must be provided monthly. The information collection “Breach Management – Breach Notifications” could potentially require the Participants to report and disclose information more frequently than quarterly.

The proposed amendments require the Plan Processor to maintain a full audit trail reflecting access to the Customer Identifying Systems by the Commission (i.e., who accessed what data, and when), and to provide such audit trail to the Commission for our respective users on a monthly basis. Provision of this monthly report may increase the accountability and transparency regarding access to Customer Identifying Systems, and will help the Commission staff develop and implement internal policies, procedures and control systems regarding access to Customer Identifying Systems.

There are no other special circumstances, and this collection is otherwise consistent with the guidelines in 5 CFR 1320.5(d)(2).

[29] See 17 CFR 242.17a-1.
[30] See 17 CFR 242.613.

8. Consultations Outside the Agency

The Commission has issued a release soliciting comment on the proposed amendment’s requirements and associated paperwork burdens.[31] A copy of the release is attached. Comments on Commission releases are generally received from registrants, investors, and other market participants. In addition, the Commission and staff participate in ongoing dialogue with representatives of various market participants through public conferences, meetings, and informal exchanges. Any comments received on this proposed rulemaking will be posted on the Commission’s public website and made available through http://www.sec.gov/rules/proposed.shtml. The Commission will consider all comments received prior to publishing the final rule, and will explain in any adopting release how the final rule responds to such comments, in accordance with 5 C.F.R. 1320.11(f).

[31] See note 13 supra.
9. Payment or Gift

No payment or gift is provided to respondents.
10. Confidentiality

The Commission preliminarily believes that all information required to be submitted to
the Commission under the proposed amendments, including the evaluation of the Plan
Processor’s performance under proposed Section 6.6(b)(ii)(B)(3), the examination reports
required by proposed Section 6.5(g)(v), the application materials for non-SAW environments as
required under proposed Section 6.13(d), the annual Regular Written Assessment of the Plan
Processor under proposed Section 6.6(b)(ii)(A), and the application for Programmatic CAIS Access
and Programmatic CCID Subsystem Access under proposed Appendix D, Section 4.1.6, should
be protected from disclosure subject to the provisions of applicable law. 32
Public disclosure of other collections of information could raise concerns about the
security of the CAT, and therefore the Commission preliminarily believes that the Plan Processor
and the Participants, as applicable, would keep these materials confidential. 33 Such collections
of information include: the development of SAW-specific provisions for the CISP and related
policies, procedures, and security controls required pursuant to proposed Section 6.13(a); the
development of the detailed design specifications required pursuant to proposed Section
6.13(b)(i); the evaluation of each Participant’s SAW and related notification to the Operating
Committee under proposed Section 6.13(b)(ii); the monitoring of SAWs and non-SAW
environments and notification of non-compliance events required by proposed Section 6.13(c)(i)
and proposed Section 6.13(d)(iii); the collection of application materials for an exception to the
proposed SAW usage requirements pursuant to proposed Section 6.13(d); the development of
policies and procedures for review of such applications and the issuance of exceptions to the
SAW usage requirements by the CISO and the CCO pursuant to proposed Section 6.13(d); and
the audit trail of access to Customer Identifying Systems and the daily reports of users entitled to
access Customer Identifying Systems as required by the proposed amendments to Section 4.1.6
of Appendix D.
Finally, the policies required by proposed Section 6.5(g)(i) would not be confidential.
Rather, the proposed rule would require Participants to make the policies required by Section
6.5(g)(i) publicly available on each of the Participant websites, or collectively on the CAT NMS
Plan website, redacted of sensitive proprietary information.

32 See, e.g., 5 U.S.C. 552 et seq.; 15 U.S.C. 78x (governing the public availability of
information obtained by the Commission).

33 The Participants must comply with the security plan developed by the Plan Processor
pursuant to Appendix D, Section 4.1 of the CAT NMS Plan and any security-related
policies and procedures developed pursuant to Regulation SCI. See CAT NMS Plan,
supra note 4, at Appendix D, Section 4.1 (requiring the Plan Processor to provide to the
Operating Committee a comprehensive security plan, including a process for responding
to security incidents and reporting of such incidents); 17 CFR 242.1001 (requiring each
SCI entity to establish, maintain, and enforce written policies and procedures reasonably
designed to ensure that its SCI systems have levels of security adequate to maintain
operational capabilities and promote the maintenance of fair and orderly markets). In
some cases, non-member invitees of the Security Working Group may be given access to
otherwise confidential information, but the Commission believes that the CISO and the
Operating Committee should consider requiring that any non-member invitees sign a
nondisclosure agreement or adhere to some other protocol designed to prevent the release of
confidential information regarding the security of the CAT System. Members of the
Security Working Group (and their designees) would be subject to the existing
confidentiality obligations set forth in Section 9.6 of the CAT NMS Plan.
11. Sensitive Questions

The information collection may collect information of a sensitive nature to include
personally identifiable information. This rule implements alternatives to collecting the SSN by
requesting Participants to use a Transformed Value in place of the SSN. The SEC does not
collect the data of CAT. Therefore, a SORN and a PIA are not required for this information
collection.
12. Burden of Information Collection

As noted above, the proposed amendment would establish 31 new collections of
information, which are listed in the chart below. The Commission anticipates that the respondents
would incur a total estimated industry burden for all internal collections of information of
approximately 58,437 hours per year. Each of the collections of information is explained further
in the discussion.

Summary of Hourly Burdens 34

Name of Information Collection | Type of Burden | Number of Entities Impacted | Small Business Entities Affected | Annual Responses per Entity | Initial Burden per Entity per Response | Initial Burden Annualized per Entity per Response | Ongoing Burden per Entity per Response | Annual Burden Per Entity per Response | Total Annual Burden Per Entity | Total Approximate Industry Burden
Evaluation of the CISP | Reporting | 25 | 0 | 1 | 0 | 0 | 25 | 25 | 25 | 625
Security Working Group – Attendance | Third Party Disclosure | 25 | 0 | 52 | 0 | 0 | 7 | 7 | 364 | 9,100
Security Working Group – Updates | Third Party Disclosure | 25 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
SAWs – Policies & Procedures (Initial) | Recordkeeping | 25 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
SAWs – Policies & Procedures (Ongoing) | Recordkeeping | 25 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
SAWs – Design Specifications (Initial) | Recordkeeping | 25 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
SAWs – Design Specifications (Ongoing) | Recordkeeping | 25 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
SAWs – Implementation Requirements | Third Party Disclosure | 25 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
SAWs – Operational Requirements (Initial) | Recordkeeping | 25 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
SAWs – Operational Requirements (Maintenance) | Recordkeeping | 25 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
SAWs – Operational Requirements (Notification) | Third Party Disclosure | 25 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Non-SAW Environments – Application Materials (Initial) | Third Party Disclosure | 6 | 0 | 1 | 275 | 91.66 | 0 | 0 | 91.67 | 550
Non-SAW Environments – Application Materials (Ongoing) | Third Party Disclosure | 6 | 0 | 1 | 0 | 0 | 140 | 140 | 140 | 840
Non-SAW Environments – Determinations (Initial) | Recordkeeping | 25 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Non-SAW Environments – Determinations (Ongoing) | Recordkeeping | 25 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Non-SAW Environments – Revocations | Third Party Disclosure | 25 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Non-SAW Environments – Implementation Requirements | Third Party Disclosure | 25 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Non-SAW Environments – Operational Requirements (Material Changes) | Third Party Disclosure | 6 | 0 | 4 | 0 | 0 | 15 | 15 | 60 | 360
Non-SAW Environments – Operational Requirements (Notification) | Third Party Disclosure | 25 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Online Targeted Query Tool and Logging of Access and Extraction – Review Monthly Reports | Recordkeeping | 25 | 0 | 12 | 0 | 0 | 0.40 | 0.40 | 4.80 | 120
Online Targeted Query Tool and Logging of Access and Extraction – Additional Logging | Recordkeeping | 25 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Customer and Account Attributes – Transformed Value(s) | Third Party Disclosure | 1,500 | 925 | 1 | 80 | 26.67 | 0 | 26.67 | 26.67 | 40,000
Customer and Account Attributes – Regular Written Assessment | Reporting | 25 | 0 | 1 | 0 | 0 | 50 | 50 | 50 | 1,250
Customer Identifying Systems Workflow – Preparation of Programmatic Access Application | Reporting | 25 | 0 | 1 | 50.00 | 16.67 | | 16.67 | 16.67 | 417
Customer Identifying Systems Workflow – Audit Trail Report | Third Party Disclosure | 25 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Data Confidentiality Policies – Identical Policies | Third Party Disclosure | 25 | 0 | 1 | 20 | 6.67 | 4 | 10.67 | 10.67 | 267
Data Confidentiality Policies – Procedures and Usage Restrictions | Recordkeeping | 25 | 0 | 1 | 282 | 94 | 87 | 181 | 181 | 4,525
Data Confidentiality Policies – Examination Report | Reporting | 25 | 0 | 1 | 0 | 0 | 15 | 15 | 15 | 375
Secure Connectivity – Allow Listing | Recordkeeping | 25 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0
Breach Management – Policies and Procedures | Recordkeeping | 25 | 0 | 1 | 1 | 0.33 | 0 | 0.33 | 0.33 | 8
Breach Management – Breach Notifications | Third Party Disclosure | 25 | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0
TOTAL HOURLY BURDEN FOR ALL RESPONDENTS | | | | | | | | | | 58,437

34 This hourly burden chart includes collections of information where there may only be an
external cost and not an hourly burden, and this is reflected by an entry of zero hours.
Where there is not an hourly burden for certain collections of information, those items are
not specifically described in Item 12.

a. Evaluation of the CISP

The CAT NMS Plan already requires the Participants to submit to the Commission, at
least annually, a written assessment of the Plan Processor’s performance that is prepared by the
CCO. The proposed amendments would newly require the CCO to evaluate elements of the
CISP that relate to SAWs and, in collaboration with the CISO, to include a review of CAT Data
extracted from the CAT System to assess the security risk of permitting such CAT Data to be
extracted. The Participants would also have the right to review and comment on these new
elements of the written assessment.
The respondents to this collection of information would be the 25 Participants. In
addition to the external costs that would be incurred by the Participants, 35 the Commission
preliminarily estimates that each Participant would incur an ongoing reporting burden of
approximately 25 hours annually to review and comment on these new elements, for an
aggregate industry reporting burden of approximately 625 hours annually. 36

35 See Item 13.a. infra.
b. Security Working Group – Attendance

The respondents to this collection of information would be the 25 Participants. In
addition to the external costs that would be incurred by the Participants, 37 to comply with the
proposed requirement that the Security Working Group advise the CISO and the Operating
Committee, the Commission preliminarily believes that the chief or deputy chief information
security officer of each Participant will likely spend approximately 5 hours per week, on average,
to prepare for a weekly meeting of the Security Working Group and approximately 2 hours to
attend the weekly meeting. The Commission therefore preliminarily estimates that each
Participant would incur an ongoing annual third-party disclosure burden of approximately
364 hours annually, for an aggregate industry third-party disclosure burden of 9,100 hours
annually. 38
c. SAWs

In addition to various external costs that would be incurred by the Participants, 39 the
Commission estimates that the Participants would also incur certain burdens in seeking an
exception to the proposed SAW usage requirements.
i. Non-SAW Environments – Application Materials

a. Application Materials (Initial)

Specifically, the Commission preliminarily estimates that 6 Participants will apply for an
exception to the SAW usage requirements and that each Participant would spend approximately
275 hours to prepare the required application materials and submit the application to the CCO,
the CISO, the members of the Security Working Group (and their designees), and Commission
observers of the Security Working Group. Accordingly, the Commission preliminarily estimates
that the Participants would together incur an initial, one-time aggregate burden of approximately
1,650 hours. 40 When annualized over three years, the Commission preliminarily estimates
that the Participants would together incur an initial, one-time, aggregate third-party
disclosure burden of approximately 550 hours annually 41 and each Participant would incur
an initial, one-time, third-party disclosure burden of approximately 91.66 hours per
Participant annually. 42

36 25 hours per Participant x 25 Participants = 625 hours.

37 See Item 13.b. infra.

38 (5 hours + 2 hours) x 52 weeks = 364 hours per Participant per year. 364 hours per
Participant x 25 Participants = 9,100 hours.

39 See Item 13.c. infra.

40 275 hours x 6 non-SAW environments = 1,650 hours.

41 1,650 hours / 3 years = 550 hours per year.
b. Application Materials (Ongoing)

The Commission preliminarily estimates that 6 Participants would apply for a continued
exception or re-apply for an initial exception per year. To prepare updated application materials,
the Commission preliminarily believes that each Participant would spend approximately 140
hours to prepare the required application materials and submit the application to the CCO, the
CISO, the members of the Security Working Group (and their designees), and Commission
observers of the Security Working Group. Accordingly, the Commission preliminarily
estimates that the Participants would together incur an ongoing third-party disclosure
burden of approximately 840 hours annually, for an ongoing annual third-party disclosure
burden of approximately 140 hours per Participant annually. 43

ii. Non-SAW Environments – Operational Requirements

The respondents to this collection of information would be 6 Participants. With respect
to the requirement that each Participant using an approved non-SAW environment
simultaneously notify the Plan Processor, the members of the Security Working Group (and their
designees), and Commission observers of the Security Working Group of any material changes
to its security controls for the non-SAW environment, the Commission preliminarily believes
that 6 Participants would apply for an exception to use a non-SAW environment and that each of
these 6 Participants would materially change its security controls approximately 4 times a year.
The Commission also preliminarily believes that each such notification would require 15 burden
hours. Accordingly, the Commission preliminarily estimates that the Participants would
together incur an ongoing aggregated third-party disclosure burden of approximately 360
hours annually, or that each Participant would incur an ongoing third-party disclosure burden of
approximately 60 hours annually. 44
d. Online Targeted Query Tool and Logging of Access and Extraction

i. Review Monthly Reports

The respondents to this collection of information would be the 25 Participants. The CAT
NMS Plan currently states that the logs required by Appendix D, Section 8.1.1 of the CAT NMS
Plan are to be submitted to the Operating Committee on a monthly basis. The Commission
preliminarily estimates that the ongoing burden of Participants to review the newly required
information in these logs, through the Operating Committee (as members of the Operating
Committee), would be an estimated 10 aggregate internal burden hours each month. The
Commission preliminarily believes it is reasonable to estimate aggregate internal burden hours
because the obligation to receive and review the logs required by Appendix D, Section 8.1.1 is
with the Operating Committee itself and is not an obligation of individual Participants. Thus, in
addition to the external costs that would be incurred by the Participants, 45 the Commission
preliminarily estimates that each Participant would incur an ongoing recordkeeping
burden of approximately 4.8 hours annually to review the newly required information in
these logs, for an aggregate industry burden of approximately 120 hours annually. 46

42 550 hours per year / 6 Participants = 91.66 hours per year per Participant.

43 140 hours x 6 non-SAW environments = 840 hours.

44 15 hours per notification x 4 notifications per year = 60 hours per year. 60 hours per year
x 6 non-SAW environments = 360 hours.
j. Customer and Account Attributes

In addition to various external costs that would be incurred by the Participants, 47 the
Commission estimates that the Participants would also incur certain burdens in light of the
proposed amendments relating to CAT Customer and Account Attributes.
i. Transformed Value(s)

The Commission estimates that the Participants would incur certain burdens in reporting
Transformed Value(s), and certain burdens by requiring the annual Regular Written Assessment
of the Plan Processor’s Performance include an evaluation of the overall performance and design
of the CCID Subsystem and the process for creating Customer-ID(s).
The Commission preliminarily estimates that the one-time burden to Industry Members
to modify systems to report a Transformed Value to the CAT instead of SSNs or ITINs per the
proposed amendments will be minimal. However, the Commission preliminarily believes there
will be a cost to install and test the transformation logic. As proposed, Industry Members would
use the CCID Transformation Logic in conjunction with an API provided by the Plan Processor
and the only cost to Industry Members will be installation and testing of the transformation logic.
The respondents to this collection of information would be the 1,500 Industry Members.
The Commission estimates that the one-time burden to each Industry Member to install and test
this technology will be 80 staff burden hours per Industry Member or 120,000 hours in the
aggregate. 48 When annualized over three years, the Commission preliminarily estimates
that the Industry Members would together incur an initial, one-time, aggregate third-party
disclosure burden of approximately 40,000 hours annually, 49 and each Industry Member
would incur an initial, one-time, third-party disclosure burden of approximately 26.67 hours per
Industry Member annually. 50 The Commission believes that the on-going annual burden to
report the Transformed Value will be the same as the burden to report a SSN or ITIN once the
CCID Transformation Logic is installed.

45 See Item 13.d. infra.

46 4.8 hours per Participant x 25 Participants = 120 hours.

47 See Item 13.c. infra.

48 80 burden hours x 1,500 Industry Members = 120,000.

49 120,000 hours / 3 years = 40,000 hours per year.
ii. Regular Written Assessment

The respondents to this collection of information would be the 25 Participants. The CAT
NMS Plan currently requires the CCO to oversee the Regular Written Assessment of the Plan
Processor’s performance, which must be provided to the Commission at least annually and which
must include an evaluation of the performance of the CAT. 51 The proposed amendment requires
an evaluation of the overall performance and design of the CCID Subsystem and the process for
creating Customer-ID(s) to be included in each such annual Regular Written Assessment of the
Plan Processor’s Performance.
The Commission preliminarily estimates that assessment of the CCID Subsystem would require
an additional 50 ongoing burden hours of internal legal, compliance, business operations, and
information technology, per Participant, for an aggregate ongoing reporting burden of
approximately 1,250 hours 52 annually.
k. Customer Identifying Systems Workflow – Preparation of Programmatic Access Application

The respondents to this collection of information would be the 25 Participants. In
connection with the application for authorization, the Commission preliminarily estimates that
each of the Participants would incur a one-time burden of 50 burden hours for preparation and
review of the application that seeks Programmatic CAIS and/or Programmatic CCID Subsystem
Access. 53 This is an aggregate one-time reporting burden of approximately 1,250 hours per
application, 54 or 417 hours per year when annualized over three years. 55
50 40,000 hours per year / 1,500 Industry Members = 26.67 hours per Industry Member
annually.

51 See CAT NMS Plan, supra note 4, Section 6.6(b)(ii)(A).

52 50 burden hours x 25 Participants = 1,250 hours.

53 For purposes of the Paperwork Reduction Act, staff preliminarily believes that the number of
Participants that may apply for such access will range from 1 to 25 Participants. Staff
took a conservative approach and preliminarily estimated that 25 Participants will submit
an application for programmatic access.

54 50 hours per application x 25 Participants = 1,250 hours.

55 1,250 industry hours / 3 years = 416.67 (rounded to 417) industry hours per year.

l. Data Confidentiality Policies, Procedures and Usage Restrictions

The Commission preliminarily believes that proposed Section 6.5(g) creates three
different types of paperwork burdens: (i) a third-party disclosure burden relating to preparation,
review and public disclosure of the Data Confidentiality Policies; (ii) a recordkeeping burden
associated with the related documentation, procedures, and usage restriction controls required by
Section 6.5(g)(i) and the Data Confidentiality Policies; and (iii) a reporting burden associated
with the annual requirement to provide the Commission an examination report in Section
6.5(g)(v).
i. Data Confidentiality Policies – Identical Policies

The respondents to this collection of information would be the 25 Participants. The
Commission preliminarily estimates that the initial hourly burden of preparing, reviewing and
approving the Data Confidentiality Policies would be an aggregate 500 hours for the Participants,
or 20 hours for each individual Participant. 56 This estimation includes burden hours associated
with: (i) preparing and reviewing the identical policies required by Section 6.5(g)(i); (ii) making
the policies publicly available on each of the Participant websites, or collectively on the CAT
NMS Plan website, redacted of sensitive proprietary information as required by Section
6.5(g)(iv); and (iii) Operating Committee review and approval as required by Section 6.5(g)(vi). 57
The Commission believes that Participants already have individual policies and procedures
relating to the confidentiality of CAT Data, as required by existing provisions of the CAT NMS
Plan, and Participants can use these existing policies and procedures in order to help prepare,
review and approve the policies and procedures required by proposed Section 6.5(g)(i).
The Commission preliminarily estimates that Participants will require 100 burden hours,
or 4 hours per Participant 58 annually to comply with proposed Section 6.5(g)(ii), which requires
the Participants to periodically review the effectiveness of the policies required by Section
6.5(g)(i), including by using the monitoring and testing protocols documented within the policies
pursuant to Section 6.5(g)(i)(K), and take prompt action to remedy deficiencies in such policies.
The Commission preliminarily believes it is appropriate to estimate that review of and updates to
the Data Confidentiality Policies should be one-fifth the burden hours necessary for initially
creating and approving the Data Confidentiality Policies because the Commission preliminarily
believes it should take substantially less time and effort to review and update the Data
Confidentiality Policies than in initially creating and approving them. This estimated burden
includes any updates to the Data Confidentiality Policies initiated by the Participants, based on
their review pursuant to proposed Section 6.5(g)(ii) or based on changed regulatory needs.

56 500 hours / 25 Participants = 20 hours per Participant.

57 To the extent that the CISO consults with the Security Working Group regarding the
development and approval of the Proposed Confidentiality Policies, those burdens and
costs have already been accounted for elsewhere.

58 100 hours / 25 Participants = 4 hours per Participant.

Accordingly, in addition to the external costs that would be incurred by the Participants, 59
the Commission preliminarily estimates that each Participant would incur an initial third-party
disclosure hourly burden of 20 hours and an ongoing third-party disclosure hourly burden of
approximately 4 hours per year to satisfy this information collection requirement. Thus, the
total estimated industry burden, including the initial, one-time burden and ongoing
burden, is approximately 267 hours per year when annualized over three years. 60
ii. Data Confidentiality Policies – Procedures and Usage Restrictions

The respondents to this collection of information would be the 25 Participants. The
Commission preliminarily estimates that each Participant would require an average of 282
burden hours, or 7,050 hours for all Participants, 61 to initially develop and draft the procedures
and usage restriction controls required by proposed Section 6.5(g)(i). The Commission
preliminarily believes that this estimation includes all initial reporting burdens associated with
the documentation, procedures and usage restriction controls required by Section 6.5(g)(i).
The Commission preliminarily estimates that the ongoing annual burden of maintaining
and reviewing the procedures and usage restriction controls required by Section 6.5(g)(i),
including by using monitoring and testing protocols documented within the policies pursuant to
Section 6.5(g)(i)(K), and taking prompt action to remedy deficiencies in such policies,
procedures and usage restriction controls as required by proposed Section 6.5(g)(ii), would be 87
burden hours for each Participant, or 2,175 burden hours for all Participants. 62 The Commission
preliminarily believes that this estimation includes all ongoing reporting burdens associated with
the procedures and usage restriction controls required by Section 6.5(g)(i). This estimation also
includes the hourly burden associated with proposed Section 6.5(g)(iii), which requires each
Participant, as reasonably practicable, and in any event within 24 hours of becoming aware, to
report to the Chief Compliance Officer, in accordance with the guidance provided by the
Operating Committee, any instance of noncompliance with the policies, procedures, and usage
restriction controls adopted by such Participant pursuant to Section 6.5(g)(i). 63
Accordingly, in addition to the external costs that would be incurred by the Participants, 64
the Commission preliminarily estimates that each Participant would incur an initial
recordkeeping hourly burden of 282 hours and an ongoing recordkeeping hourly burden of
approximately 87 hours per year to satisfy this information collection requirement. Thus, the
total estimated industry burden, including the initial, one-time burden and ongoing
burden, is 4,525 hours per year when annualized over three years. 65

59 See Item 13.e.i infra.

60 ((20 hours / 3 years = 6.67) + (4 hours)) x 25 Participants = 267 hours (266.67 rounded).

61 282 hours x 25 Participants = 7,050 hours.

62 87 hours x 25 Participants = 2,175 hours.

63 Proposed Section 6.5(g)(iii) also requires reporting of any instance a Participant becomes
aware of a breach of the security of the CAT, but this obligation is a pre-existing
obligation and not a new information collection requirement. See CAT NMS Plan, supra
note 4, at Section 6.5(f)(iii).

64 See Item 13.e.ii infra.
iii. Data Confidentiality Policies – Examination Report

The respondents to this collection of information would be the 25 Participants. The
Commission preliminarily believes that Participants will incur annual hour burdens to comply
with proposed Section 6.5(g)(v), which the Commission preliminarily estimates to be 15 hours
for each Participant, or 375 hours for all Participants. The Commission believes that this burden
hour estimation includes the staff time necessary to engage an independent accountant, staff time
required to allow the independent auditor to review compliance and prepare the examination
report and the staff time required to submit the examination report to the Commission. The
Commission believes that proposed Section 6.5(g)(v) does not require Participants to review and
respond to the examination report, and only requires a Participant to submit the prepared
examination report to the Commission. However, the Commission notes that such examination
report may require Participants to take action pursuant to proposed Section 6.5(g)(ii) or Section
6.5(g)(iii), including updating policies, procedures and usage restrictions, but such burdens are
accounted for in other areas of this Paperwork Reduction Act analysis.
In addition to the external costs that would be incurred by the Participants, 66 the
Commission preliminarily estimates that each Participant would incur an ongoing reporting
hourly burden of approximately 15 hours per year to satisfy this information collection
requirement. Thus, the total estimated industry burden is 375 hours per year when
annualized over three years. 67
m. Secure Connectivity – Allow Listing

The Commission does not believe there are any hour burdens to the respondents for this
collection of information, because only external cost burdens are associated with this information
collection as the proposed amendment would require the Participants to have the Plan Processor
implement the required changes. 68
n. Breach Management

The Plan Processor is already required to establish policies and procedures and a cyber
incident response plan pursuant to Section 4.1.5 of the CAT NMS Plan, so the Commission
believes it is appropriate to estimate a burden of revising breach management policies and
procedures and the cyber incident response plan that relates to the new elements required by proposed
Section 4.1.5 of the CAT NMS Plan.

65 ((282 hours / 3 years = 94 hours) + 87 hours) x 25 Participants = 4,525 hours.

66 See Item 13.e.ii infra.

67 15 hours x 25 Participants = 375 hours.

68 See Item 13.h infra.

i. Breach Management – Policies and Procedures

The respondents to this collection of information would be the 25 Participants. The
Commission believes that there would be an initial internal burden of 25 hours for the
Participants, or 1 hour per Participant (25 / 25 Participants) for review and approval of the
updated cyber incident response plan by the Operating Committee. Accordingly, in addition to
the external costs that would be incurred by the Participants, 69 the Commission preliminarily
estimates that each Participant would incur an initial recordkeeping hourly burden of 1 hour to
satisfy this information collection requirement. Thus, the total estimated industry burden is
approximately 8 hours per year when annualized over three years. 70
ii. Breach Management – Breach Notifications

The Commission believes there would be no hour burden associated with the breach
notifications, because only external cost burdens are associated with this information
collection, 71 as the proposed amendment would require the Participants to have the Plan
Processor implement the required changes.
o. Customer Information for Allocation Report FDIDs

The Commission preliminarily believes that this requirement is already accounted for
in the existing information collections burdens associated with Rule 613 and the CAT NMS
Plan Approval Order submitted under OMB number 3235-0671. 72 Specifically, the CAT NMS
Plan Approval Order takes into account requirements on broker-dealer members to record and
report CAT Data to the Central Repository in accordance with specified timelines, including
customer information associated with Firm Designated IDs.
13. Costs to Respondents

As noted above, the proposed amendment would establish 31 new collections of
information, which are listed in the chart, below. Many aspects of the proposed amendment to the
CAT NMS Plan would require the Plan Processor to do certain activities. However, because the
CAT NMS Plan applies to and obligates the Participants and not the Plan Processor, the
Commission preliminarily believes it is appropriate to estimate the Participants’ external cost based
on the estimated Plan Processor staff hours required to comply with the proposed obligations. The
Commission derives these estimated costs associated with Plan Processor staff time based on per
hour figures from SIFMA’s Management & Professional Earnings in the Securities Industry 2013,
69

See Item 13.i.i infra.

70

25 hours / 3 years = approximately 8 hours per year (8.33 rounded down to 8 hours).

71

See Item 13.i.ii infra.

72

See CAT NMS Plan Approval Order, supra note 4, at 84911-43.

modified by Commission staff to account for an 1800-hour work-year, and multiplied by 5.35 to
account for bonuses, firm size, employee benefits and overhead, and adjusted for inflation based on
Bureau of Labor Statistics data on CPI-U between January 2013 and January 2020 (a factor of
1.12). 73
The Commission believes that respondents will incur a total estimated industry cost for all
external collections of information of approximately $6,824,207 per year, in connection with the
proposed amendments. Each of the collections of information is explained further in the
discussion.
Summary of Dollar Costs 74

Name of Information Collection | Type of Burden | Number of Entities Impacted | Small Business Entities Affected | Annual Responses per Entity | Initial Cost per Entity per Response | Initial Cost Annualized per Entity per Response | Approximate Ongoing Cost per Entity per Response | Approximate Annual Cost Per Entity per Response | Total Approximate Annual Cost Per Entity | Total Approximate Industry Cost
------------------------------ | -------------- | --------------------------- | -------------------------------- | --------------------------- | ------------------------------------ | ----------------------------------------------- | ------------------------------------------------ | ----------------------------------------------- | ---------------------------------------- | -------------------------------
Evaluation of the CISP | Reporting | 25 | 0 | 1 | $0 | $0 | $6,196.00 | $6,196.00 | $6,196.00 | $154,900
Security Working Group - Attendance | Third Party Disclosure | 25 | 0 | 52 | $0 | $0 | $217.20 | $217.20 | $11,294.40 | $282,360
Security Working Group - Updates | Third Party Disclosure | 25 | 0 | 1 | $0 | $0 | $1,086.00 | $1,086.00 | $1,086.00 | $27,150
SAWs – Policies & Procedures (Initial) | Recordkeeping | 25 | 0 | 1 | $4,640.80 | $1,546.93 | $0 | $0 | $1,546.93 | $38,673
SAWs – Policies & Procedures (Ongoing) | Recordkeeping | 25 | 0 | 1 | | | $2,265.92 | $2,265.92 | $2,265.92 | $56,648
SAWs – Design Specifications (Initial) | Recordkeeping | 25 | 0 | 1 | $4,127.20 | $1,375.73 | $0 | $0 | $1,375.73 | $34,393
SAWs – Design Specifications (Initial) | Third Party Disclosure | 25 | 0 | 1 | $118.60 | $39.53 | $0 | $0 | $39.53 | $988
SAWs – Design Specifications (Ongoing) | Recordkeeping | 25 | 0 | 1 | 0 | 0 | $1,930.00 | $1,930.00 | $1,930.00 | $48,250
SAWs – Implementation Requirements | Third Party Disclosure | 25 | 0 | 1 | $18,550.00 | $6,183.33 | $0 | $0 | $6,183.33 | $154,583
SAWs – Operational Requirements (Initial) | Recordkeeping | 25 | 0 | 1 | $2,094.00 | $698.00 | $0 | $0 | $698.00 | $17,450
SAWs – Operational Requirements (Maintenance) | Recordkeeping | 25 | 0 | 1 | $0 | $0 | $25,168.80 | $25,168.80 | $25,168.80 | $629,220
SAWs – Operational Requirements (Notification) | Third Party Disclosure | 25 | 0 | 5 | $0 | $0 | $471.75 | $2,358.75 | $2,358.75 | $58,969
Non-SAW Environments – Application Materials (Initial) | Third Party Disclosure | 6 | 0 | 1 | $250,000 | $83,333.33 | $0 | $0 | $83,333.33 | $500,000
Non-SAW Environments – Application Materials (Ongoing) | Third Party Disclosure | 6 | 0 | 1 | $0 | $0 | $250,000.00 | $250,000.00 | $250,000 | $1,500,000
Non-SAW Environments – Determinations (Initial) | Recordkeeping | 25 | 0 | 1 | $2,236.80 | $745.60 | $0 | $0 | $745.60 | $18,640
Non-SAW Environments – Determinations (Initial) | Third Party Disclosure | 25 | 0 | 1 | $22,022.40 | $7,340.80 | $0 | $0 | $7,340.80 | $183,520
Non-SAW Environments – Determinations (Ongoing) | Recordkeeping | 25 | 0 | 1 | $0 | $0 | $1,268.00 | $1,268.00 | $1,268.00 | $31,700
Non-SAW Environments – Determinations (Ongoing) | Third Party Disclosure | 25 | 0 | 1 | $0 | $0 | $22,022.40 | $22,022.40 | $22,022.40 | $550,560
Non-SAW Environments – Revocations | Third Party Disclosure | 25 | 0 | 1 | $0 | $0 | $700.40 | $700.40 | $700.40 | $17,510
Non-SAW Environments – Implementation Requirements | Third Party Disclosure | 25 | 0 | 1 | $4,452.00 | $1,484.00 | $0 | $0 | $1,484.00 | $37,100
Non-SAW Environments – Operational Requirements (Material Changes) | Third Party Disclosure | 6 | 0 | 0 | $0 | $0 | $0 | $0 | $0 | $0
Non-SAW Environments – Operational Requirements (Notification) | Recordkeeping | 25 | 0 | 1 | $0 | $0 | $12,105.60 | $12,105.60 | $12,105.60 | $302,640
Non-SAW Environments – Operational Requirements (Notification) | Third Party Disclosure | 25 | 0 | 1 | $0 | $0 | $566.10 | $566.10 | $566.10 | $14,153
Online Targeted Query Tool and Logging of Access and Extraction – Review Monthly Reports | Recordkeeping | 25 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Online Targeted Query Tool and Logging of Access and Extraction – Additional Logging | Recordkeeping | 25 | 0 | 1 | $3,518.40 | $1,172.80 | $204.00 | $1,376.80 | $1,376.80 | $34,420
Customer and Account Attributes – Transformed Value(s) | Third Party Disclosure | 1,500 | 925 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Customer and Account Attributes – Regular Written Assessment | Recordkeeping | 25 | 0 | 1 | $26,002.00 | $8,667.33 | $0 | $8,667.33 | $8,667.33 | $216,683
Customer Identifying Systems Workflow – Preparation of Programmatic Access Application | Reporting | 25 | 0 | 0 | $0 | $0 | $0 | $0 | $0 | $0
Customer Identifying Systems Workflow – Audit Trail Report | Third Party Disclosure | 25 | 0 | 12 | $0 | $0 | $1,244.88 | $1,244.88 | $14,938.56 | $373,464
Data Confidentiality Policies – Identical Policies | Third Party Disclosure | 25 | 0 | 1 | $2,434.40 | $811.47 | $417.20 | $1,228.67 | $1,228.67 | $30,717
Data Confidentiality Policies – Procedures and Usage Restrictions | Recordkeeping | 25 | 0 | 1 | $0 | $0 | $0 | $0 | $0 | $0
Data Confidentiality Policies – Examination Report | Reporting | 25 | 0 | 1 | $0 | $0 | $57,460.00 | $57,460.00 | $57,460.00 | $1,436,500
Secure Connectivity – Allow Listing | Recordkeeping | 25 | 0 | 1 | $1,324.80 | $441.60 | $126.76 | $568.36 | $568.36 | $14,209
Breach Management Policies and Procedures | Recordkeeping | 25 | 0 | 1 | $1,992.20 | $664.07 | $1,137.96 | $1,802.03 | $1,802.03 | $45,051
Breach Management – Breach Notifications | Third Party Disclosure | 25 | 0 | 1 | $0 | $0 | $550.24 | $550.24 | $550.24 | $13,756
TOTAL APPROXIMATE COST FOR ALL RESPONDENTS | | | | | | | | | | $6,824,207

73

For example, the 2020 inflation-adjusted effective hourly wage rate for attorneys is
estimated at $426 ($380 x 1.12). For purposes of this Paperwork Reduction Act analysis,
the Commission has preliminarily estimated the per hour cost of a Chief Information
Security Officer to be identical to the per hour cost of a Chief Compliance Officer ($543
per hour).

74

This dollar cost chart includes collections of information where there may only be an
hourly burden and not an external cost, and this is reflected by an entry of zero dollars.
Where there is not an external cost for certain collections of information, those items are
not specifically described in Item 13.

a. Evaluation of the CISP

The CAT NMS Plan already requires the Participants to submit to the Commission, at
least annually, a written assessment of the Plan Processor’s performance that is prepared by the
CCO. The proposed amendments would newly require the CCO to evaluate elements of the
CISP that relate to SAWs and, in collaboration with the CISO, to include a review of CAT Data
extracted from the CAT System to assess the security risk of permitting such CAT Data to be
extracted. The Participants would also have the right to review and comment on these new
elements of the written assessment.
The respondents to this collection of information are the 25 Participants. Because the
Commission preliminarily estimates that Plan Processor staff would need approximately 250
hours per year to perform the new evaluation required by the proposed amendments, the
Commission preliminarily believes that the Participants would together incur an aggregate
ongoing reporting burden of approximately $129,900 per year, or that each Participant would
incur an annual expense of approximately $5,196. 75 In addition, the Commission preliminarily
estimates that each Participant would spend approximately $1,000 on external legal consulting
costs or that all Participants would spend approximately $25,000 on external legal consulting
costs. 76
75

The estimated 250 hours of Plan Processor staff time include 100 hours by the CCO, 100
hours by the CISO, and 50 hours for an attorney. Accordingly, the Commission
preliminarily estimates that the Participants would together incur an ongoing annual
expense of $129,900. (100 hours for CCO = $54,300) + (100 hours for CISO = $54,300)
+ (50 hours for Attorney = $21,300). Each Participant would therefore incur an ongoing
annual expense of $5,196. $129,900 / 25 Participants = $5,196 per Participant.

76

$1,000 per Participant x 25 Participants = $25,000.

Therefore, the Commission preliminarily estimates that each Participant would
incur an ongoing reporting cost of approximately $6,196 annually to review and comment
on these new elements, for an aggregate industry reporting cost of approximately $154,900
annually. 77
b. Security Working Group

i. Attendance

The respondents to this collection of information are the 25 Participants. The proposed
amendments would require the CISO to prepare for and attend meetings of the Security Working
Group. The Commission preliminarily believes that the Security Working Group will meet
weekly and that the CISO would spend 8 hours preparing for each meeting of the Security
Working Group and 2 hours to attend each meeting. Accordingly, the Commission
preliminarily estimates that the Participants would incur an ongoing weekly aggregated
third-party disclosure cost of approximately $282,360 annually, or that each Participant
would incur an ongoing third-party disclosure cost of approximately $11,294.40 annually. 78
ii. Updates

The respondents to this collection of information are the 25 Participants. The proposed
amendments would require the CISO to keep the Security Working Group apprised of relevant
developments and to provide it with all information and materials necessary to fulfill its purpose.
The Commission preliminarily believes that the CISO would spend approximately 50 hours per
year to comply with these requirements. Accordingly, the Commission preliminarily
estimates that the Participants would incur an ongoing aggregated third-party disclosure
cost of approximately $27,150 annually, or that each Participant would incur an ongoing third-party disclosure cost of approximately $1,086 annually. 79
c. SAWs

There are a number of costs associated with the proposed requirements related to SAWs.
i. Policies & Procedures, and Detailed Design Specifications

The respondents to this collection of information are the 25 Participants.
a. Policies & Procedures (Initial)

77

25 hours per Participant x 25 Participants = 625 hours.

78

10 hours x 52 weeks = 520 hours. 520 hours for CISO = $282,360. $282,360 / 25
Participants = $11,294.40 per year. $11,294.40 per year / 52 weeks = $217.20 per week.

79

50 hours for CISO = $27,150. $27,150 / 25 Participants = $1,086 per year.

For the Plan Processor to develop a CISP that incorporates the SAW-specific additions
that would be required under the proposed amendments, the Commission preliminarily estimates
that the Participants would together incur an initial, one-time recordkeeping cost of
approximately $89,020, or that each Participant would incur an initial, one-time recordkeeping
expense of approximately $3,560.80, based on a preliminary estimate that Plan Processor staff
would need approximately 270 hours to comply with these new requirements. 80 The
Commission also preliminarily estimates that the Participants would incur an initial, one-time
recordkeeping burden of approximately $27,000, in connection with related legal and consulting
costs, or that each Participant would incur an initial, one-time recordkeeping burden of
approximately $1,080. 81 When annualized over three years, the Commission preliminarily
estimates that the Participants would together incur an initial, one-time, recordkeeping
cost of approximately $38,673 annually, 82 or that each Participant would incur an initial,
one-time, recordkeeping cost of approximately $1,546.93 annually. 83
b. Ongoing Policies & Procedures

The Commission preliminarily estimates that Plan Processor staff would need
approximately 175 hours per year to maintain those elements of the CISP that relate to SAWs.
Accordingly, the Commission preliminarily estimates that the Participants would incur an
ongoing recordkeeping cost of approximately $56,648 annually, or that each Participant
would incur an ongoing recordkeeping cost of approximately $2,265.92 annually. 84
c. Design Specifications (Initial)

For the Plan Processor to develop detailed design specifications for the technical
implementation of the access, monitoring, and other controls required for SAWs, the
Commission preliminarily estimates that Plan Processor staff would need approximately 160
hours. Accordingly, the Commission preliminarily estimates that the Participants would incur an
initial, one-time recordkeeping cost of approximately $56,180, or that each Participant would

80

(200 hours for senior systems analyst = $58,200) + (40 hours for compliance attorney =
$14,960) + (20 hours for chief compliance officer = $10,860) + (10 hours for director of
compliance = $5,000) = $89,020. Each Participant would therefore incur an ongoing
annual expense of $3,560.80. $89,020 / 25 Participants = $3,560.80 per Participant.

81

$27,000 / 25 Participants = $1,080 per Participant.

82

$89,020 + $27,000 = $116,020. $116,020 / 3 years = $38,673.33 per year.

83

$38,673.33 / 25 Participants = $1,546.93 per Participant per year.

84

(134 hours for senior systems analyst = $38,994) + (26 hours for compliance attorney =
$9,724) + (10 hours for chief compliance officer = $5,430) + (5 hours for director of
compliance = $2,500) = $56,648. Each Participant would therefore incur an ongoing
annual expense of approximately $2,265.92. $56,648 / 25 Participants = $2,265.92 per
Participant.

incur an initial, one-time recordkeeping cost of approximately $2,247.20. 85 The Commission
also preliminarily estimates that the Participants would incur an initial, one-time recordkeeping
burden of approximately $47,000 in external legal and consulting costs, or that each Participant
would incur an initial, one-time recordkeeping burden of approximately $1,880. 86 When
annualized over three years, the Commission preliminarily estimates that the Participants
together would incur a one-time, initial recordkeeping cost of approximately $34,393
annually, or that each Participant would incur an initial, one-time recordkeeping cost of
approximately $1,375.73 annually. 87
Finally, the Commission preliminarily believes that Plan Processor staff would need
approximately 10 hours to make the required detailed design specifications available to
Participants, such that the Participants would incur an initial, one-time third-party disclosure cost
of approximately $2,965, or that each Participant would incur an initial, one-time third-party
disclosure expense of approximately $118.60. 88 When annualized over three years, the
Commission preliminarily estimates that the aggregate industry third-party disclosure cost
associated with providing the detailed design specifications to Participants would be
approximately $988 annually, or approximately $39.53 per Participant annually. 89
d. Design Specifications (Ongoing)

To maintain the required detailed design specifications, the Commission preliminarily
estimates that the Participants would incur an ongoing expense of approximately $48,250
annually, or that each Participant would incur an ongoing, annual expense of
approximately $1,930, based on a preliminary estimate that Plan Processor staff would need
approximately 145 hours per year to maintain the required detailed design specifications. 90
85

(100 hours for senior systems analyst = $29,100) + (30 hours for compliance attorney =
$11,220) + (20 hours for chief compliance officer = $10,860) + (10 hours for director of
compliance = $5,000) = $56,180. Each Participant would therefore incur an ongoing
annual expense of $2,247.20. $56,180 / 25 Participants = $2,247.20 per Participant.

86

$47,000 / 25 Participants = $1,880 per Participant.

87

$56,180 + $47,000 = $103,180. $103,180 / 3 years = $34,393.33 per year. $34,393.33 /
25 Participants = $1,375.73 per Participant per year.

88

(5 hours for senior systems analyst = $1,455) + (2 hours for compliance attorney = $748)
+ (3 hours for webmaster = $762) = $2,965. $2,965 / 25 Participants = $118.60 per
Participant.

89

$2,965 / 3 years = $988.33 per year. $988.33 / 25 Participants = $39.53 per Participant
per year.

90

(100 hours for senior systems analyst = $29,100) + (30 hours for compliance attorney =
$11,220) + (10 hours for chief compliance officer = $5,430) + (5 hours for director of
compliance = $2,500) = $48,250. Each Participant would therefore incur an ongoing
annual expense of $1,930. $48,250 / 25 Participants = $1,930 per Participant.

ii. Implementation Requirements

The respondents to this collection of information are the 25 Participants. For the Plan
Processor to evaluate each Participant’s SAW to confirm that the SAW has achieved compliance
with the detailed design specifications and notify the Operating Committee of such compliance,
the Commission preliminarily estimates that the Participants would incur an initial, one-time
third-party disclosure expense of approximately $463,750, or that each Participant would incur
an initial, one-time expense of approximately $18,550, based on a preliminary estimate that Plan
Processor staff would need approximately 45 hours per SAW to perform the required evaluation
and notification of the Operating Committee. 91 When annualized over three years, the
Commission preliminarily estimates that the aggregate industry third-party disclosure cost
would be approximately $154,583 per year, or approximately $6,183.33 per Participant per
year. 92
iii. Operational Requirements

The respondents to this collection of information are the 25 Participants.
a. Operational Requirements (Initial)

The Commission preliminarily estimates that Plan Processor staff would need
approximately 170 hours to build the automated monitoring systems that would enable the
monitoring of the SAWs that is required by the proposed amendments. Accordingly, the
Commission preliminarily believes that the Participants would incur an initial, one-time
recordkeeping cost of approximately $52,350, or that each Participant would incur an initial,
one-time recordkeeping cost of approximately $2,094. 93 When annualized over three years, the
Commission preliminarily estimates that the initial, one-time aggregate recordkeeping cost
would be approximately $17,450 per year, or approximately $698 per Participant per
year. 94

91

(20 hours for senior systems analyst = $5,820) + (20 hours for chief information security
officer = $10,860) + (5 hours for compliance attorney = $1,870) = $18,550 per SAW.
$18,550 x 25 Participants = $463,750.

92

$463,750 / 3 years = $154,583.33 per year (rounded to $154,583). $154,583.33 / 25
Participants = $6,183.33 per Participant per year.

93

(40 hours for senior programmer = $13,560) + (40 hours for programmer = $11,120) +
(40 hours for programmer = $11,120) + (40 hours for programmer = $11,120) + (10
hours for CISO = $5,430) = $52,350. Each Participant would therefore incur an initial,
one-time expense of $2,094. $52,350 / 25 Participants = $2,094.

94

$52,350 / 3 years = $17,450 per year. $17,450 / 25 Participants = $698 per Participant
per year.

b. Operational Requirements (Maintenance)

For the Plan Processor to maintain such systems and to monitor each Participant’s SAW,
the Commission preliminarily believes that Plan Processor staff would need approximately 2,150
hours per year to maintain the required systems and to conduct the required monitoring.
Accordingly, the Commission preliminarily estimates that the Participants would incur an
ongoing recordkeeping cost of approximately $629,220 per year, or that each Participant
would incur an ongoing annual expense of approximately $25,168.80. 95
c. Ongoing Requirements (Notification)

For the Plan Processor to notify the Participant of any identified non-compliance with the
CISP or the detailed design specifications, the Commission preliminarily believes that the Plan
Processor staff would identify 5 non-compliance events per year for each SAW, or 125 non-compliance events across all SAWs. 96 The Commission also preliminarily estimates that the
Plan Processor staff would need approximately 1.5 hours for each notification of non-compliance. Accordingly, the Commission preliminarily estimates that the Participants
would incur an ongoing third-party disclosure cost of approximately $58,969 per year, or
that each Participant would incur an ongoing third-party disclosure cost of approximately
$2,358.75 per year. 97

95

The Commission preliminarily believes that one senior systems analyst working 40 hours
per week could conduct the required monitoring for all SAWs. Accordingly, the
Commission preliminarily estimates that the Participants would together incur an ongoing
annual expense of $605,280. 40 hours x 52 weeks = 2,080 hours. 2,080 hours for senior
systems analyst = $605,280. Each Participant would therefore incur an ongoing annual
expense of $24,211.20. $605,280 / 25 Participants = $24,211.20. In addition, to
maintain the automated monitoring systems, the Commission preliminarily estimates that
Plan Processor staff would need 70 hours, including 30 hours for a senior programmer,
30 hours for a programmer, and 10 hours for the CISO. Accordingly, the Commission
preliminarily estimates that the Participants would together incur an ongoing annual
expense of $23,940. (30 hours for senior programmer = $10,170) + (30 hours for
programmer = $8,340) + (10 hours for CISO = $5,430) = $23,940. Each Participant
would therefore incur an ongoing annual expense of $957.60. $23,940 / 25 Participants =
$957.60 per Participant. Altogether, the ongoing annual expenses to the Participants as a
whole would be $629,220, or $25,168.80 for each individual Participant. $605,280 +
$23,940 = $629,220. $629,220 / 25 Participants = $25,168.80 per Participant.

96

5 events per SAW x 25 SAWs = 125 events.

97

(0.5 hours for senior systems analyst = $145.50) + (0.25 for compliance manager =
$79.25) + (0.25 for attorney = $106.50) + (0.5 hours for senior business analyst =
$140.50) = $471.75 per event. 125 events x $471.75 = $58,968.75 (rounded to $58,969).
Each Participant would therefore incur an ongoing annual expense of $2,358.75.
$58,968.75 / 25 Participants = $2,358.75 per Participant.

iv. Non-SAW Environments – Application Materials

a. Application Materials (Initial)

The Commission preliminarily estimates that 6 Participants will apply for an exception to
the proposed SAW usage requirements and that a security assessment conducted by a named,
independent security assessor would cost approximately $250,000. Accordingly, the
Commission preliminarily estimates that each Participant would spend an initial, one-time
amount of approximately $250,000 on external consulting costs to obtain the required security
assessment and that the Participants would together incur an initial, aggregate one-time third-party disclosure cost of approximately $1,500,000. 98 When annualized over three years, the
Commission preliminarily estimates that the initial, one-time aggregate third-party
disclosure cost would be approximately $500,000 per year, or approximately $83,333.33 per
Participant per year. 99
b. Application Materials (Ongoing)

Participants that are denied an exception or that want to apply for a continuance would
incur the same cost as an ongoing third-party disclosure annual expense. The Commission
preliminarily estimates that 6 Participants would re-apply for an exception or a continuance.
Accordingly, the Commission preliminarily estimates that each Participant would spend an
ongoing annual amount of approximately $250,000 on external consulting costs to obtain
the required security assessment and that the Participants would incur an aggregate
ongoing annual third-party disclosure expense of approximately $1,500,000. 100
v. Non-SAW Environments – Exception and Revocation Determinations

The respondents to this collection of information would be the Participants.
a. Determinations (Initial)

The proposed amendments require the Plan Processor to develop policies and procedures
governing the review of applications for exceptions to the proposed SAW usage requirements.
Based on a preliminary estimate that Plan Processor staff would need approximately 130 hours to
develop such policies and procedures, the Commission preliminarily estimates that the
Participants would together incur an initial, one-time recordkeeping cost of $55,920, or that each

98

$250,000 per non-SAW environment x 6 Participants = $1,500,000.

99

$1,500,000 / 3 years = $500,000 per year. $500,000 / 25 Participants = $83,333.33 per
Participant per year.

100

$250,000 per non-SAW environment x 6 Participants = $1,500,000.

Participant would incur an initial, one-time recordkeeping expense of $2,236.80. 101 When
annualized over three years, the Commission preliminarily estimates that the initial, one-time
aggregate recordkeeping cost would be approximately $18,640 per year, or approximately
$745.60 per Participant per year. 102
To review the initial applications for exceptions to the proposed SAW usage
requirements and issue the required determination and supporting written statement, the
Commission preliminarily estimates that Plan Processor staff would need approximately 200
hours. The Commission therefore preliminarily estimates that the Participants would incur an
initial, one-time third-party disclosure expense of approximately $550,560, or that each
Participant would incur an initial, one-time third-party disclosure expense of $22,022.40. 103
When annualized over three years, the Commission preliminarily estimates that the initial,
one-time aggregate third-party disclosure cost would be approximately $183,520 per year,
or approximately $7,340.80 per Participant per year. 104
b. Determinations (Ongoing)

To maintain the policies and procedures governing the review of applications for
exceptions, the Commission preliminarily estimates that Plan Processor staff would need
approximately 65 hours per year to maintain and update those policies and
procedures. Accordingly, the Commission
preliminarily estimates that the Participants would together incur an ongoing
recordkeeping cost of $31,700 per year, or that each Participant would incur an ongoing
recordkeeping cost of approximately $1,268 per year. 105

101

(40 hours for CISO = $21,720) + (40 hours for CCO = $21,720) + (40 hours for
compliance attorney = $7,480) + (10 hours for director of compliance = $5,000) =
$55,920. Each Participant would therefore incur an ongoing annual expense of
$3,560.80. $55,920 / 25 Participants = $2,236.80 per Participant.

102

$55,920 / 3 years = $18,640 per year. $18,640 / 25 Participants = $745.60 per Participant
per year.

103

(60 hours by the CCO = $32,580) + (60 hours by the CISO = $32,580) + (40 hours for
senior systems analyst = $11,640) + (40 hours for compliance attorney = $14,960) =
$91,760 per initial application. $91,760 x 6 Participants = $550,560. Each Participant
would therefore incur an initial, one-time expense of $22,022.40. $550,560 / 25
Participants = $22,022.40 per Participant.

104

$550,560 / 3 years = $183,520 per year. $183,520 / 25 Participants = $7,340.80 per
Participant per year.

105

(20 hours by the CISO = $10,860) + (20 hours by the CCO = $10,860) + (20 hours for
compliance attorney = $7,480) + (5 hours for director of compliance = $2,500) =
$31,700. Each Participant would therefore incur an ongoing annual expense of $1,268.
$31,700 / 25 Participants = $1,268 per Participant.

The Commission preliminarily believes that the ongoing annual expenses associated with
the review of each application for a continued exception would be the same, as the process for
continued exceptions is the same as the process for initial applications. Therefore, in connection
with applications for a continued exception, the Commission preliminarily estimates that the
Participants would together incur an ongoing third-party disclosure cost of approximately
$550,560 per year, or that each Participant would incur an ongoing third-party disclosure
cost of $22,022.40 per year.
c. Revocations

Additionally, for each such instance where Participants would be denied a continued
exception, the Commission preliminarily believes that Plan Processor staff would need
approximately 40 hours to revoke the exception and to determine which remediation timeframe
should apply to the Participant. The Commission is unable to estimate in advance how often
these instances might occur; however, for the purposes of this submission only, the Commission
has estimated this would happen to one Participant per year. Accordingly, the Commission
preliminarily estimates that the Participants would together incur an ongoing third-party
disclosure cost of approximately $17,510 per year, or that each Participant would incur an
ongoing third-party disclosure cost of approximately $700.40 per year. 106
vi. Non-SAW Environments – Implementation Requirements

The respondents to this collection of information are the Participants. For the Plan
Processor to evaluate each Participant’s non-SAW environment to confirm that it has achieved
compliance with the detailed design specifications and notify the Operating Committee of such
compliance, the Commission preliminarily believes that Plan Processor staff would need
approximately 45 hours per non-SAW environment. In addition, the Commission estimates that
the Plan Processor will only need to evaluate 6 non-SAW environments. Accordingly, the
Commission preliminarily estimates that the Participants would incur an initial, one-time third-party disclosure cost of approximately $111,300, or that each Participant would incur an initial,
one-time third-party disclosure cost of $4,452. 107 When annualized over three years, the

106

(10 hours by the CCO = $5,430) + (10 hours by the CISO = $5,430) + (10 hours for
senior systems analyst = $2,910) + (10 hours for compliance attorney = $3,740) =
$17,510 per application. Each Participant would therefore incur an ongoing annual
expense of $700.40. $17,510 / 25 Participants = $700.40 per Participant.

107

(20 hours for senior systems analyst = $5,820) + (20 hours for chief information security
officer = $10,860) + (5 hours for compliance attorney = $1,870) = $18,550 per non-SAW
environment. $18,550 x 6 non-SAW environments = $111,300. Each Participant would
therefore incur an initial, one-time expense of $4,452. $111,300 / 25 Participants =
$4,452 per Participant.

Commission preliminarily estimates that the aggregate industry third-party disclosure cost
would be approximately $37,100 per year, or approximately $1,484 per Participant per year. 108
vii. Non-SAW Environments – Operational Requirements (Notification)

The respondents to this collection of information are the Participants.
With respect to the proposed requirement that the Plan Processor monitor the non-SAW
environment, the Commission preliminarily believes that Plan Processor staff would need
approximately 1,040 hours to conduct such monitoring. Accordingly, the Commission
preliminarily estimates that the industry would incur an aggregate ongoing recordkeeping
cost of approximately $302,640 per year, or that each Participant would incur an ongoing
recordkeeping cost of approximately $12,105.60. 109
For the Plan Processor to notify the Participant of any identified non-compliance with the
detailed design specifications, the Commission preliminarily estimates that the Plan Processor
would identify 5 non-compliance events per year per non-SAW environment, or 30 non-compliance events across all non-SAW environments. 110 The Commission also preliminarily
estimates that the Plan Processor staff would need approximately 1.5 hours on each notification
of non-compliance. Accordingly, the Commission preliminarily estimates that the
Participants would incur an ongoing third-party disclosure cost of approximately $14,153
per year, or that each Participant would incur an ongoing third-party disclosure cost of
approximately $566.10 per year. 111
d. Online Targeted Query Tool and Logging of Access and Extraction

i. Additional Logging

The respondents to this collection of information would be the 25 Participants. The
Commission preliminarily estimates that the Participants would incur an initial, one-time
external expense of $87,960, or a per Participant expense of $3,518.40 112 for Plan Processor staff
time required to make the initial necessary programming and systems changes to log delivery of
results and the access and extraction of CAT Data, based on a preliminary estimate that it
would take 260 hours of Plan Processor staff time to implement these changes. 113 Therefore,
the Commission preliminarily estimates that when annualized over three years, this initial
recordkeeping cost would be approximately $29,320 annually, or $1,172.80 per Participant
annually. 114

108

$463,750 / 3 years = $154,583.33 per year. $154,583.33 / 25 Participants = $6,183.33
per Participant per year.

109

20 hours x 52 weeks = 1,040 hours. 1,040 hours for senior systems analyst = $302,640.
Each Participant would therefore incur an ongoing annual expense of $12,105.60.
$302,640 / 25 Participants = $12,105.60.

110

5 events per non-SAW environment x 6 non-SAW environments = 30 events.

111

(0.5 hours for senior systems analyst = $145.50) + (0.25 hours for compliance manager =
$79.25) + (0.25 hours for attorney = $106.50) + (0.5 hours for senior business analyst =
$140.50) = $471.75 per event. 30 events x $471.75 = $14,152.50 (rounded to $14,153).
Each Participant would therefore incur an ongoing annual expense of $566.10.
$14,152.50 / 25 Participants = $566.10.
The Commission preliminarily estimates that the Participants would incur an
annual ongoing external expense of $5,100, or $204 per Participant, 115 for Plan Processor staff
time required to generate and provide the additional information required by proposed
Appendix D, Section 8.1.1, which the Commission preliminarily estimates to be 2 Plan Processor
hours for each monthly report or 24 hours annually. 116 Therefore, the Commission
preliminarily estimates that each Participant would incur an initial reporting cost of
approximately $3,518.40 and an ongoing reporting cost of approximately $204 to satisfy this
information collection requirement, for an aggregate industry reporting cost of
approximately $34,420 per year. 117
e. CAT Customer and Account Attributes

The respondents to this collection of information would be the 25 Participants. The
proposed amendments will require modifications to the CAT System to develop the CCID
Subsystem to generate Customer-IDs using Transformed Values, as opposed to SSNs or ITINs.
112

$87,960 / 25 Participants = $3,518.40 per Participant.

113

The estimated 260 hours of Plan Processor staff time include 160 hours by a Senior
Programmer, 40 hours by a Senior Database Administrator, 40 hours for a Senior
Business Analyst and 20 hours for an Attorney. The Commission preliminarily estimates
that the initial, one-time external expense for Participants will be $87,960 = (Senior
Programmer for 160 hours at $339 an hour = $54,240) + (Senior Database Administrator
for 40 hours at $349 an hour = $13,960) + (Senior Business Analyst for 40 hours at $281
an hour = $11,240) + (Attorney for 20 hours at $426 an hour = $8,520).

114

($3,518.40 / 3 years = $1,172.80) x 25 Participants = $29,320

115

$5,100 / 25 Participants = $204 per Participant.

116

The estimated 2 hours of Plan Processor staff time include 1 hour by a Programmer
Analyst and 1 hour by a Junior Business Analyst. This estimate would apply monthly,
meaning the annual ongoing estimate would be 24 hours of Plan Processor staff time,
which would include 12 hours by a Programmer Analyst and 12 hours by a Junior
Business Analyst. The Commission preliminarily estimates the annual ongoing external
cost to generate and provide the proposed information on logs would be $5,100 =
(Programmer Analyst for 12 hours at $246 per hour = $2,952) + (Junior Business Analyst
for 12 hours at $179 an hour = $2,148).

117

(($3,518.40 / 3 years = $1,172.80) + $204) x 25 Participants = $34,420.

Therefore, the Commission estimates that the modifications necessary to the CAT System to develop
the CCID Subsystem to generate Customer-IDs using Transformed Values, as opposed to SSNs
or ITINs, would result in an initial, one-time recordkeeping aggregate external cost of $650,052
for the Participants, 118 or $26,002 for each Participant. 119 When annualized over three years,
this initial recordkeeping cost would be approximately $216,683 annually, or $8,667.33 per
Participant annually. 120
f. Customer Identifying Systems Workflow – Audit Trail Report

The proposed amendments would require the Plan Processor to maintain a full audit trail of
access to Customer Identifying Systems by each Participant and the Commission (who accessed
what data, and when), to provide each Participant and the Commission with the audit trail of
its own users' access on a monthly basis, and to provide the Operating Committee, on a
monthly basis, with the daily reports that list all users who are entitled to Customer
Identifying Systems access. 121
The respondents to this collection of information would be the 25 Participants.
Therefore, the Commission preliminarily estimates that it will result in an aggregate third-party
disclosure ongoing annual external cost to the Participants of $373,464 per year or
$14,939 per Participant. 122 This cost represents approximately $700 per monthly report – one
monthly report to the Operating Committee, and the daily reports of all users to the Operating
Committee on a monthly basis.

118

The Commission preliminarily estimates the one-time aggregate external cost to update
the CAT System to ingest and use the Transformed Value reported by Industry Members
would be approximately $650,000. The Commission preliminarily believes that this
modification will take an estimated 2,101 hours of Plan Processor staff time, including
130 hours by the CCO, 130 hours by the CISO, 602 hours by a Senior Programmer and
1,239 hours by a Programmer Analyst. Accordingly, the Commission preliminarily estimates
that the Participants would together incur a one-time aggregate external cost of $650,052.
(Chief Compliance Officer for 130 hours at $543 per hour = $70,590) + (Chief Information
Security Officer for 130 hours at $543 per hour = $70,590) + (Senior Programmer for
602 hours at $339 = $204,078) + (Programmer Analyst for 1,239 hours at $246 = $304,794) =
$650,052. $650,052 / 25 Participants = $26,002 per Participant.

119

$650,052 / 25 Participants = $26,002 per Participant.

120

$26,002 per Participant / 3 years = $8,667.33 per Participant per year. $8,667.33 x 25
Participants = $216,683.33 (rounded to $216,683).

121

See proposed Appendix D, Section 4.1.6.

122

The Commission estimates that each monthly report will require 2 hours by an
Operations Specialist, 1 hour by an Attorney, and 1 hour by the Chief Compliance
Officer. The ongoing aggregate cost for Participants is preliminarily estimated to be
$373,464. (2 hours for Operations Specialist x $140 = $280) + (1 hour for compliance
attorney x $374 = $374) + (1 hour for chief compliance officer x $543 = $543) = $1,197.
$1,197 x 12 months = $14,364. For the Commission report paid for by the Participants,
the cost is $14,364 annually, or $1,197 per month. $1,197 per month / 25 Participants =
additional incremental monthly cost of $47.88 per Participant. Thus, the total ongoing
monthly cost per Participant is $1,244.88 ($1,197 + $47.88). $1,244.88 x 12 months x 25
Participants = $373,464. Each Participant would therefore incur an ongoing annual expense of
$14,939 ($373,464 / 25 Participants).

g. Proposed Confidentiality Policies, Procedures and Usage Restrictions

The Commission believes that Participants already have individual policies and
procedures relating to the confidentiality of CAT Data, as required by existing provisions of the
CAT NMS Plan, and Participants can use these existing policies and procedures in order to help
prepare, review and approve the policies and procedures required by proposed Section 6.5(g)(i).

i. Data Confidentiality Policies – Identical Policies

The respondents to this collection of information would be the 25 Participants. The
Commission preliminarily estimates that it would require 10 hours by the CCO and 10 hours by
the CISO, both employees of the Plan Processor and not the Participants, to review the Proposed
Confidentiality Policies, as required by proposed Sections 6.2(a)(v)(R) and 6.2(b)(viii). The
Commission preliminarily estimates that this would result in a one-time external cost of $10,860
for Participants, 123 or $434.40 for each Participant. 124 The Commission also preliminarily
believes that the Participants will consult with outside legal counsel in the drafting of the
Proposed Confidentiality Policies, and estimates this external cost to be $50,000, or $2,000 125 for
each Participant. 126 Thus, the Commission believes that the total initial one-time external cost
burden for each Participant will be $2,434.40, or $60,860 for all Participants. 127

For purposes of this Paperwork Reduction Act analysis only, the Commission
preliminarily estimates that the Participants would revise the Proposed Confidentiality Policies
once a year, which would require review by the CCO and CISO of the Plan Processor, as
required by proposed Sections 6.2(a)(v)(R) and 6.2(b)(viii). The Commission preliminarily
believes that the CCO and CISO would require less time to review subsequent updates to the
Proposed Confidentiality Policies, so the Commission preliminarily estimates that it would
require 5 hours of review by the CCO and 5 hours of review by the CISO, which would result in
an external cost of $5,430 for the Participants, 128 and $217.20 for each Participant annually. 129
In addition, the Commission preliminarily estimates that Participants will consult with outside
legal counsel in updating the Proposed Confidentiality Policies, and preliminarily estimates this
external cost to be $5,000. 130 In total, the Commission preliminarily estimates an aggregate
external cost of $10,430 for all Participants related to reviewing and updating the Proposed
Confidentiality Policies, or $417.20 per Participant. 131

Therefore, the Commission preliminarily estimates that each Participant would
incur an initial third-party disclosure cost of $2,434.40 and an ongoing third-party
disclosure cost of approximately $417.20 to satisfy this information collection requirement,
for an aggregate industry reporting cost of approximately $30,717 annually, when
annualized over three years. 132

123

$10,860 = (Chief Compliance Officer for 10 hours at $543 per hour = $5,430) + (Chief
Information Security Officer for 10 hours at $543 per hour = $5,430).

124

$10,860 / 25 Participants = $434.40 per Participant.

125

$50,000 / 25 Participants = $2,000 per Participant.

126

$50,000 = (100 hours at $500 an hour). For purposes of this Paperwork Reduction Act
analysis, the Commission is estimating the cost of outside legal counsel to be $500 an
hour.

127

$2,434.40 x 25 Participants = $60,860.
ii. Data Confidentiality Policies – Procedures and Usage Restriction Controls

The Commission preliminarily estimates that there is no external cost burden associated
with the proposed documentation, procedures and usage restriction controls required by proposed
Section 6.5(g)(i) and the Data Confidentiality Policies.
iii. Data Confidentiality Policies – Examination Report

The respondents to this collection of information would be the 25 Participants. The
Commission preliminarily estimates that the annual ongoing external cost of compliance with
Section 6.5(g)(v), which requires each Participant to engage an independent accountant to
perform an examination of compliance with the policies required by Section 6.5(g)(i) and submit
the examination report to the Commission, would be $57,460 for each Participant. 133 The
Commission preliminarily believes that this would be the average cost of engaging an
independent accountant to perform the necessary examination on an annual basis. Therefore,
the Commission preliminarily estimates that each Participant would incur an ongoing
reporting cost of approximately $57,460 to satisfy this information collection requirement,
for an aggregate industry reporting cost of approximately $1,436,500 per year. 134

128

$5,430 = (Chief Compliance Officer for 5 hours at $543 per hour = $2,715) + (Chief
Information Security Officer for 5 hours at $543 per hour = $2,715).

129

$5,430 / 25 Participants = $217.20 per Participant.

130

$5,000 = (outside legal counsel for 10 hours at $500 an hour).

131

$10,430 / 25 Participants = $417.20 per Participant.

132

(($2,434.40 / 3 years = $811.47) + $417.20) x 25 Participants = $30,716.67.

133

The Commission preliminarily estimates it would require 170 hours by a Manager
Internal Audit to perform the examination. The preliminary estimated cost of engaging
an independent accountant to perform the examination of compliance and submit an
examination report is $57,460 (Manager Internal Audit at $338 an hour for 170 hours).
h. Secure Connectivity – Allow Listing

The respondents to this collection of information would be the 25 Participants. The
Commission estimates that the proposed amendment to Appendix D, Section 4.1.1 of the CAT
NMS Plan, requiring the Plan Processor to implement capabilities to allow access (i.e., “allow
list”) only to those countries or more granular access points where CAT reporting or regulatory
use is both necessary and expected would result in an initial, one-time aggregate external cost of
$13,690 for the Participants, or $547.60 for each Participant. 135 This cost represents expenses
associated with Plan Processor staff time required to develop the list of discrete access points
that are approved for use, which the Commission estimates would be 30 hours of staff time. 136
In addition, the Commission estimates that Participants will incur an aggregate ongoing external
cost burden of $1,226, or $49.04 for each Participant, 137 for Plan Processor staff time required to
maintain and update the list of discrete access points, which the Commission estimates would be
3 hours of staff time. 138

The Commission estimates that the proposed requirement that the Plan Processor develop
policies and procedures to allow access if the source location for a particular instance of access
cannot be determined technologically, as required by proposed Appendix D, Section 4.1.1 of the
CAT NMS Plan, would require an aggregate one-time initial external cost of $19,430 for the
Participants, or $777.20 for each individual Participant. 139 This cost represents expenses
associated with Plan Processor staff time required to create these policies and procedures, which
the Commission estimates would be 50 hours of staff time. 140 Further, the Commission
estimates that the Participants will incur an aggregate ongoing external cost of $1,943, or $77.72
for each individual Participant, 141 for Plan Processor staff time required to maintain, update and
enforce these policies and procedures, which the Commission estimates would be 5 hours of staff
time. 142

134

$57,460 x 25 Participants = $1,436,500.

135

$13,690 / 25 Participants = $547.60 per Participant.

136

The Commission preliminarily believes that creation of the documentation necessary for
“allow listing” could require legal advice, discussions with staff familiar with CAT
security and higher level discussions and analysis. The estimated 30 hours of Plan
Processor staff time include 5 hours by an Attorney, 5 hours by an Operations Specialist,
10 hours by the Chief Compliance Officer and 10 hours by the Chief Information
Security Officer. The initial, one-time aggregate cost for Participants is preliminarily
estimated to be $13,690 = (Attorney for 5 hours at $426 per hour = $2,130) +
(Operations Specialist for 5 hours at $140 per hour = $700) + (Chief Compliance Officer
for 10 hours at $543 per hour = $5,430) + (Chief Information Security Officer for 10
hours at $543 per hour = $5,430).

137

$1,226 / 25 Participants = $49.04 per Participant.

138

The Commission believes it is appropriate to estimate the Plan Processor staff time
required to maintain and update the list as approximately one-tenth of the staff time required
to initially create the list. Specifically, the estimated aggregate ongoing external cost is
based on an estimate of 3 hours of Plan Processor staff time, including 1 hour by an
Operations Specialist, 1 hour by the Chief Compliance Officer and 1 hour by the Chief
Information Security Officer. The aggregate ongoing external cost is
preliminarily estimated to be $1,226 = (Operations Specialist for 1 hour at $140) + (Chief
Compliance Officer for 1 hour at $543) + (Chief Information Security Officer for 1 hour
at $543).
Therefore, the Commission preliminarily estimates that each Participant would
incur an initial recordkeeping cost of approximately $1,324.80 143 and an ongoing
recordkeeping cost of approximately $126.76 144 to satisfy this information collection
requirement, for an aggregate industry reporting cost of approximately $14,209 annually
when annualized over three years. 145

139

$19,430 / 25 Participants = $777.20 per Participant.

140

The estimated 50 hours of Plan Processor staff time include 10 hours by an Attorney, 10
hours by a Senior Systems Analyst, 10 hours by an Operations Specialist, 10 hours by the
Chief Compliance Officer and 10 hours by the Chief Information Security Officer. The
initial, one-time aggregate cost for Participants is preliminarily estimated to be $19,430 =
(Attorney for 10 hours at $426 per hour = $4,260) + (Senior Systems Analyst for 10
hours at $291 per hour = $2,910) + (Operations Specialist for 10 hours at $140 per hour =
$1,400) + (Chief Compliance Officer for 10 hours at $543 per hour = $5,430) + (Chief
Information Security Officer for 10 hours at $543 per hour = $5,430).

141

$1,943 / 25 Participants = $77.72 per Participant.

142

The Commission believes it is appropriate to estimate that the Plan Processor staff time
required to maintain, update and enforce these policies and procedures should be
approximately one-tenth the staff time required to initially create these policies and
procedures. Specifically, the Commission estimates 5 hours of Plan Processor staff time
that includes 1 hour by an Attorney, 1 hour by a Senior Systems Analyst, 1 hour by an
Operations Specialist, 1 hour by the Chief Compliance Officer and 1 hour by the Chief
Information Security Officer. The ongoing external cost is preliminarily estimated to be
$1,943 = (Attorney for 1 hour at $426) + (Senior Systems Analyst for 1 hour at $291) +
(Operations Specialist for 1 hour at $140) + (Chief Compliance Officer for 1 hour at
$543) + (Chief Information Security Officer for 1 hour at $543).

143

$547.60 + $777.20 = $1,324.80.

144

$49.04 + $77.72 = $126.76.

145

(($1,324.80 / 3 years = $441.60) + $126.76) x 25 Participants = $14,209.

i. Breach Management Policies and Procedures

The Plan Processor is already required to establish policies and procedures and a cyber
incident response plan pursuant to Section 4.1.5 of the CAT NMS Plan, so the Commission
believes it is appropriate to estimate the burden of revising the breach management policies and
procedures and the cyber incident response plan only as it relates to the new elements required
by proposed Section 4.1.5 of the CAT NMS Plan. The respondents to this collection of
information would be the 25 Participants.

i. Breach Management – Policies and Procedures

The Commission preliminarily believes that these requirements would result in a one-time
external cost of $49,805 for Participants, or $1,992.20 per Participant, 146 based on the
Commission’s estimation that it would require approximately 124 Plan Processor staff hours to
incorporate the new elements required by proposed Section 4.1.5 of the CAT NMS Plan. 147
Further, the Commission estimates that the Participants will incur an aggregate ongoing external
cost of $42,205, or $1,688.20 for each individual Participant, 148 for Plan Processor staff time
required to maintain, update and enforce these policies and procedures and the cyber incident
response plan, which the Commission estimates would be 103 hours of Plan Processor staff time
annually. 149 This external aggregate cost estimate includes enforcement of the requirements of
the cyber incident response plan relating to the proposed breach notification requirement, which
is accounted for in the following information collection, 150 as well as staff time for documenting
breaches that the Plan Processor reasonably estimates would have no impact or a de minimis
impact on the Plan Processor’s operations or on market participants. 151

Therefore, the Commission preliminarily estimates that each Participant would
incur an initial recordkeeping cost of approximately $1,992.20 and an ongoing
recordkeeping cost of approximately $1,137.96 to satisfy this information collection
requirement, for an aggregate industry reporting cost of approximately $45,051 per
year. 152

146

$49,805 / 25 Participants = $1,992.20 per Participant.

147

The estimate of 124 hours of Plan Processor staff time includes 32 hours by an Attorney,
32 hours by a Compliance Manager, 10 hours by a Senior Systems Analyst, 10 hours by
an Operations Specialist, 20 hours by the Chief Compliance Officer and 20 hours by the
Chief Information Security Officer. The total estimated one-time external cost for
Participants is $49,805 = (Attorney for 32 hours at $426 per hour = $13,631) +
(Compliance Manager for 32 hours at $317 per hour = $10,144) + (Senior Systems
Analyst for 10 hours at $291 per hour = $2,910) + (Operations Specialist for 10 hours at
$140 per hour = $1,400) + (Chief Compliance Officer for 20 hours at $543 per hour =
$10,860) + (Chief Information Security Officer for 20 hours at $543 per hour = $10,860).

148

$42,205 / 25 Participants = $1,688.20 per Participant.

149

The estimated aggregate ongoing external cost is based on an estimate of 103 hours of
Plan Processor staff time that includes 23 hours by an Attorney, 23 hours by a
Compliance Manager, 16 hours by a Senior Systems Analyst, 3 hours by an Operations
Specialist, 9 hours by an Assistant General Counsel, 17 hours by the Chief Compliance
Officer and 12 hours by the Chief Information Security Officer. The aggregate
ongoing external cost is preliminarily estimated to be $42,205 = (Attorney for 23 hours
at $426 per hour = $9,798) + (Compliance Manager for 23 hours at $317 per hour =
$7,291) + (Senior Systems Analyst for 16 hours at $291 per hour = $4,656) + (Operations
Specialist for 3 hours at $140 per hour = $420) + (Assistant General Counsel for 9 hours
at $477 per hour = $4,293) + (Chief Compliance Officer for 17 hours at $543 per hour =
$9,231) + (Chief Information Security Officer for 12 hours at $543 per hour = $6,516).
ii. Breach Management – Breach Notifications

The Commission preliminarily estimates that providing breach notifications will require
34 hours of staff time annually from the Plan Processor, resulting in an ongoing annual external
cost burden of $13,756 for the Participants, or $550.24 for each Participant ($13,756 / 25
Participants). 153 This estimate relates only to the proposed requirement that the Plan Processor
provide breach notifications and does not include other costs related to breaches, such as
determination of whether a breach has occurred or assessing the scope of any breach, which is
already required by the CAT NMS Plan. Therefore, the Commission preliminarily estimates
that each Participant would incur an ongoing third-party disclosure cost of approximately
$550.24 to satisfy this information collection requirement, for an aggregate industry
reporting cost of approximately $13,756 per year. 154

150

The external third-party disclosure costs of providing breach notifications are provided
separately below. See, infra, note 153, and accompanying text. The Commission
preliminarily estimates that providing breach notifications will require 34 hours of staff
time annually from the Plan Processor, resulting in an ongoing annual external cost
burden of $13,756 for the Participants, or $550.24 for each Participant ($13,756 / 25
Participants). See, infra, note 153. This figure is subtracted from the above mentioned
estimated ongoing external cost in determining the aggregate industry reporting cost for
this information collection, because it is accounted for in a separate information
collection below.

151

The Commission preliminarily estimates that this requirement will require 30 hours of
staff time annually from the Plan Processor, resulting in an ongoing annual external cost
of $12,324 to the Participants, or $492.96 per Participant ($12,324 / 25 Participants). The
30 hours include 6 hours by an Attorney, 6 hours by a Compliance Manager, 6 hours by a
Senior Systems Analyst, 6 hours by an Assistant General Counsel, 3 hours by the Chief
Compliance Officer and 3 hours by the Chief Information Security Officer. The ongoing
external cost of this obligation is preliminarily estimated to be $12,324 = (Attorney for 6
hours at $426 per hour = $2,556) + (Compliance Manager for 6 hours at $317 per hour =
$1,902) + (Senior Systems Analyst for 6 hours at $291 per hour = $1,746) + (Assistant
General Counsel for 6 hours at $477 per hour = $2,862) + (Chief Compliance Officer for
3 hours at $543 per hour = $1,629) + (Chief Information Security Officer for 3 hours at
$543 per hour = $1,629).

152

(($1,992.20 / 3 years = $664.07) + $1,137.96) x 25 Participants = approximately $45,051.

153

The 34 hours include 8 hours by an Attorney (Attorney for 8 hours at $426 an hour =
$3,408), 8 hours by a Compliance Manager (Compliance Manager for 8 hours at $317 an hour =
$2,536), 7 hours by a Senior Systems Analyst (Senior Systems Analyst for 7 hours at
$291 an hour = $2,037), 3 hours by an Assistant General Counsel (Assistant General
Counsel for 3 hours at $477 per hour = $1,431), 4 hours by the Chief Compliance Officer
(Chief Compliance Officer for 4 hours at $543 per hour = $2,172) and 4 hours by the
Chief Information Security Officer (Chief Information Security Officer for 4 hours at
$543 per hour = $2,172) = $13,756.

154

$550.24 x 25 Participants = $13,756.

j. Customer Information for Allocation Report FDIDs

As discussed above, the Commission preliminarily believes that this requirement is
already accounted for in the existing information collection burdens associated with Rule 613
and the CAT NMS Plan Approval Order submitted under OMB number 3235-0671, and thus
there are no costs for this collection of information.

14. Cost to Federal Government

The federal government would not incur a cost in connection with the collection of this
information.

15. Changes in Burden

Not applicable.

16. Information Collection Planned for Statistical Purposes

Not applicable. The information collection is not used for statistical purposes.

17. OMB Expiration Date Display Approval

The Commission is not seeking approval to not display the OMB approval expiration
date.

18. Exceptions to Certification for Paperwork Reduction Act Submissions

This collection complies with the requirements in 5 CFR 1320.9.

B. COLLECTIONS OF INFORMATION EMPLOYING STATISTICAL METHODS

This collection does not involve statistical methods.


File Type: application/pdf
File Title: Amendments to the Books and Records Rules
File Modified: 2020-10-16
File Created: 2020-10-16
