On November 19, 2014, the five commissioners of the U.S. Securities and Exchange Commission (SEC) unanimously voted to adopt Regulation SCI, which stands for Systems Compliance and Integrity, to govern the technology infrastructure of the U.S.’s securities exchanges and certain other trading platforms and market participants. The new rules, first proposed in March 2013, are designed to minimize disruptions to the U.S.’s markets and enhance the capability of exchanges and trading platforms to respond to, and remedy, breakdowns in their systems. The rules are the first updates in more than two decades to the technological standards governing exchange-based automated trading systems.
The adoption of Regulation SCI demonstrates the SEC’s commitment to requiring greater vigilance from the entities it regulates on cybersecurity and technological risks. Although Regulation SCI will apply to a relatively narrow category of entities whose systems pose the gravest risk to national trading, the SEC noted that the rules, or a subset of them, may be extended to additional market participants in the future. Also, the SEC’s Office of Compliance Inspections and Examinations issued a risk alert earlier this year similarly indicating that other SEC-regulated entities, such as registered broker-dealers and investment advisors, also need to address their controls over system integrity and risk. As one of the commissioners noted in approving Regulation SCI, “it is imperative that all market participants and registrants are vigilant about identifying and protecting against cybersecurity threats.” This announcement comes on the heels of a recent finding that financial services companies plan to bolster their cybersecurity budgets by about $2 billion over the next two years, according to a PricewaterhouseCoopers survey.
In large measure, the impetus for the adoption of Regulation SCI stemmed from the highly publicized system-glitches at the U.S.’s securities exchanges, as well as other market-impacting incidents that resulted in Chairman Mary Jo White calling a meeting of the heads of all exchanges in September 2013. Another reason was the SEC’s recognition of the increasing interconnectedness of the U.S.’s trading systems. As the SEC noted in the release accompanying the new regulation, “technological advances have generated an increasing risk of operational problems with automated systems, including failures, disruptions, delays, and intrusions,” which means that, in today’s environment, even “a seemingly minor systems problem at a single entity can quickly create losses and liability for market participants, and spread rapidly across the national market system, potentially creating widespread damage and harm to market participants, including investors.”
Regulation SCI will become effective 60 days after it is published in the U.S. Federal Register, and the entities subject to it will then have nine months to comply with its new rules. Under the regulation, the U.S.’s securities exchanges, certain alternative trading systems (such as dark pools) that exceed specified volume thresholds, plan processors for market data plans and certain exempt clearing agencies will have to adopt comprehensive controls to oversee and monitor their technology systems. Among other controls, these entities will have to implement policies and procedures to ensure that their systems have the capacity, integrity and security needed to maintain operational capability and continuity, and that adequate resources are available to remedy and mitigate the impact of incidents. The new rules also require entities to report to the SEC any systems-impacting events and planned changes, provide semiannual reports on the implementation of changes, and notify its members and participants of certain types of system events. Entities will also have to conduct an annual review by independent personnel of their compliance with the new rules and submit a report of such review to their senior management and the SEC. Finally, entities will have to meet certain other requirements, like maintaining records related to compliance with the new regulation and ensuring that SEC examiners have reasonable access to the entities’ systems.
Perhaps the most controversial aspect of the new regulation was whether it would be extended to cover additional market participants, such as certain broker-dealers. In the aftermath of market-impacting incidents, certain commissioners and various commenters on the proposed regulation advocated that the new rules be extended to broker-dealers whose systems pose a risk to the U.S.’s trading. In the accompanying release, the SEC acknowledged that there are “other categories of entities not included within the definition of SCI entity that, given their increasing size and importance, could pose risks to the market should an SCI event occur.” However, the SEC stated that a “measured approach that [implements] an incremental expansion” is appropriate, and, therefore, “at this time,” it has determined not to expand the definition of entities subject to the new regulation—suggesting that such an expansion may be forthcoming at a later date, after the SEC has had a chance to evaluate the implementation of the new rules and the risks posed by other entities. Indeed, SEC Chair Mary Jo White directed the SEC’s staff to evaluate whether rules similar to Regulation SCI should be established for other significant market participants, such as broker-dealers and transfer agents.