In the US, this is totally legal, although there may be disclosure requirements (I'm not sure). The "my system, my rules" argument wins. My workplace does this, and they informed me that they do this when I was hired.
OK, their system, their rules.
First, keep all your stuff off company hardware.
But there are places where things overlap.
Companies have interactions with your bank and expect you to interact with your bank, some credit cards, retirement accounts, and any seen passwords not specific to the company incur a liability on the company.
One important thing to do is draft up a letter to the CTO that you do not indemnify them from data breaches involving your personal data that cost you, and do not relinquish any rights you have under the law. Acknowledge that they have rights to protect their property, but you feel that some tools that implement "Man in the Middle" methods are problematic because they impersonate ostensibly secure sites (plural), and should their tools be hacked you do not wish to be a victim as well. Have it sent by your attorney. If they object, have them object in writing and keep on working.
I might note that data breaches like Target can be achieved in many ways. If the internal MITM tool intercepted credentials for anyone and then were abused to attack the system, it would be almost impossible to prove that the MITM audit tools were the root cause.
Of interest, this is implicit in any expense report procedure and tax law. There are tax return deductions an individual can take if and only if the company denies them. Many managers forget that they have a responsibility to both you and the company. If the company policy is no, say so in writing so you can act within the law on your own tax return (not a global thing for sure).