Monday, March 20, 2023

SEC proposes expanding Regulation SCI

By R. Jason Howard, J.D.

The SEC proposed amendments expanding the scope of entities subject to Regulation Systems Compliance and Integrity (SCI) and updating several of the regulation’s requirements. The proposed changes are designed to account for the evolution of technology and trading since the regulation’s adoption in 2014, and to help ensure the capacity, integrity, resiliency, availability, and security of the technology infrastructure of the U.S. securities markets.

Regulation SCI. The fact sheet accompanying the proposal notes that Regulation SCI was adopted in 2014 to strengthen the technology infrastructure of the U.S. securities markets, and “applies to certain entities (SCI entities) with respect to their automated and similar systems (SCI systems) that directly support any one of six key securities market functions.” Those functions are trading, clearance and settlement, order routing, market data, market regulation, and market surveillance. The regulation also covers systems (indirect SCI systems) that, if breached, would be reasonably likely to pose a security threat to SCI systems.

Currently Regulation SCI requires entities to, among other things: have comprehensive policies and procedures reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain operational capability and promote the maintenance of fair and orderly markets; take appropriate corrective action in response to systems issues; provide notices and reports to the Commission designed to facilitate oversight of securities market technology; disseminate information about systems issues to affected parties; conduct an annual review of compliance with Regulation SCI (SCI review); conduct coordinated business continuity and disaster recovery (BC/DR) testing; and make, keep, and preserve records.

Proposed amendments. The proposed amendments would expand the definition of SCI entities to include:
  • Registered security-based swap data repositories;
  • Broker-dealers registered with the Commission under Section 15(b) that exceed a total assets threshold or a transaction activity threshold in NMS stocks, exchange-listed options, U.S. Treasury securities, or Agency securities; and
  • All clearing agencies exempted from registration.
In addition, the proposed amendments would update and strengthen Regulation SCI, including to:
  • Specify that an SCI entity’s required policies and procedures include:
    • An inventory, classification, and lifecycle management program for SCI systems and indirect SCI systems;
    • A program to manage and oversee third party providers, including cloud service providers, that provide or support SCI or indirect SCI systems;
    • BC/DR plans that address the unavailability of any third-party provider without which there would be a material impact on critical SCI systems;
    • A program to prevent unauthorized access to SCI systems and information therein; and
    • Identification of current SCI industry standards with which each such policy and procedure is consistent, if any.
  • Amend the definition of “systems intrusion” to include additional types of cyber events and threats, which is intended to capture cybersecurity events such as certain distributed denial-of-service attacks, and require notification of systems intrusions to the Commission without delay;
  • Update the SCI review to specify that objective personnel assess the risks to covered systems, internal control design and operating effectiveness, and third-party provider management risks and controls, and require penetration testing at least annually;
  • Specify that SCI entities include key third-party providers in annual BC/DR testing; and
  • Update Regulation SCI’s recordkeeping provisions and Form SCI consistent with these amendments.
The proposal would bring the largest broker-dealers, along with swap data repositories and certain exempt clearinghouses, under the umbrella of Regulation SCI. As Gensler said in an accompanying statement, “if any of these brokers were affected by a technological event, it could disrupt or impede our markets’ orderly and efficient operations. Thus, their resiliency to technology events is too important for the Commission not to consider requiring these entities to meet Reg SCI’s requirements.”

Gensler also emphasized the requirement of the proposal that key market participants perform an annual “thorough, holistic, and interconnected” systems review, which he believes could help maintain technological resilience.

Commissioner Caroline Crenshaw echoed these observations and also noted that alternative trading systems trading corporate debt or municipal securities were not included at Regulation SCI’s adoption because these entities relied less on automation and electronic trading. While manual trading is still more prevalent in the fixed-income markets, Crenshaw said the technology for trading these securities has evolved rapidly, and the distinctions in the original adoption release may not hold up today. She looks forward to comments on whether these ATSs should be included in the rule.

Comment period. The public comment period will remain open until 60 days after the date of publication of the proposing release in the Federal Register.