The SEC today published in the Federal Register its Regulation SCI (Regulation Systems Compliance and Integrity), which requires key market participants to have and implement written policies and procedures reasonably designed to ensure the availability, confidentiality and integrity of their systems as necessary to assure the fair and orderly operation of the markets. Among the specific requirements are periodic testing, annual systems review and disclosure of “SCI events” – including both functional and security issues. In addition to security issues, the new regulation is aimed in part at avoiding incidents like the “flash crash” of 2010 and the operational problems that occurred during the Facebook IPO in 2012.
Critically, the threshold for reporting incidents will generally be substantially lower than that in place under Regulation ATS. A “systems intrusion” will be defined as “any unauthorized entry into the SCI systems or SCI security systems of an SCI entity.” While there is no materiality threshold, the SEC does make it clear that unsuccessful attempts at unauthorized entry will not be treated as a systems intrusion.