After seven years in development and weeks from accepting data, the Consolidated Audit Trail may face a delay.

Congressman Warren Davidson (R-OH) has sponsored H.R. 3973, or The Market Data Protection Act, which would have the US Securities and Exchange Commission, national securities associations, and the CAT operator develop “a comprehensive internal risk control mechanism to safeguard and govern the storage of all market data by such entity.”

The bill also would ban the CAT from accepting market data until it has developed such mechanisms and provide relief to those who are required to submit market data to the CAT while the CAT operator develops such mechanisms.

“This has been building up following the announcement regarding the breach of the SEC’s EDGAR platform,” Valerie Bogard, equities analyst at research firm Tabb Group, told Markets Media.”It has been a top concern for regulators and legislators.”

Chairman Jay Clayton announced on September 20, approximately two weeks after credit-rating agency Equifax revealed that hackers obtained personal information of more than 143 million Americans,that hackers compromised the SEC’s corporate filings database and may have traded on the information which they obtained.

In the following weeks, Chairman Clayton has been the lone witness in oversight hearings held by the Senate Committee on Banking, Housing, and Urban Affairs as well as the House Financial Services Committee, in which the CAT was discussed in detail.

“There is already a lot of pressure on the SEC to ensure that the CAT is secure,” said Bogard. “There’s been a lot of pressure from the exchanges and brokers to make sure that there are all of these risk controls in place. If the SEC is moving forward and making sure that those controls are there, then the House may not see the need for legislation, but it depends on how it plays out.”

In the meantime, the SEC has been working to get its cyber-security house in order, such as implementing the National Insitute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity and establishing its “Cyber Unit” that will target cyber-related misconduct, according to Chairman Clayton.

Bogard is uncertain if the House of Representatives and Senate can pass parallel bills, reconcile them, and have President Trump sign it into law before self-regulatory organizations start submitting market data to the CAT.

“The other issue why firms may be reluctant to push back the November 15 deadline is that the CAT has been seven years in the making,” she said. “It’s been pushed back several times over that period. There may be some reluctance to push it back even more.”

However, Jess Haberman, a senior vice president and compliance director at Fidessa, noted that the CAT will not start to collect personal identifiable information next month.

“The plan does not require that to be collected until the end of next year,” he said.

Thesys CAT, the operator of the CAT, did not immediately respond to a request for comment.