New, Mandatory Regulatory Framework for the Technological Systems of Exchanges, Certain Alternative Trading Systems, Plan Processors and Exempt Clearing Agencies
SUMMARY On November 19, 2014, the SEC adopted new rules to improve the technological infrastructure of securities markets. Regulation Systems Compliance and Integrity (“Regulation SCI”) will apply to a range of market participants, including certain self-regulatory organizations and alternative trading systems. The final rules create a comprehensive compliance framework that requires an entity subject to Regulation SCI (an “SCI entity”) to: establish, maintain and enforce written policies and procedures reasonably designed to ensure that certain systems of the entity have levels of capacity, integrity, resiliency, availability and security adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets; establish, maintain and enforce written policies and procedures reasonably designed to achieve compliance with the Securities Exchange Act of 1934, the rules and regulations thereunder and the SCI entity’s rules and governing documents; take appropriate corrective actions when responsible SCI personnel (as defined in Section II.D below) have a reasonable basis to conclude that an SCI event (as defined in Section II.C. below) has occurred; such corrective action would include, at a minimum, mitigating potential harm to investors and market integrity and devoting adequate resources to remedy the SCI event as soon as reasonably practicable; notify the Securities and Exchange Commission within 24 hours of SCI events (other than the de minimis events which are subject to quarterly reporting), with follow-up notifications culminating in a final report upon resolution of the event; -2- January 9, 2015 Regulation SCI: Final Rules Relating to the Technology Infrastructure of U.S. Securities Markets disseminate information promptly to market members and participants upon any responsible SCI personnel having a reasonable basis to conclude that a systems disruption or systems compliance has occurred; prepare quarterly and supplemental reports regarding material systems changes; conduct a review of the SCI entity’s compliance with Regulation SCI not less than once each calendar year; test business continuity and disaster recovery plans not less than once each calendar year; comply with recordkeeping requirements; and make electronic filings on the new Form SCI. Regulation SCI will become effective on February 3, 2015, and the compliance date for most of its requirements will be nine months thereafter. I. BACKGROUND AND SIGNIFICANT REQUIREMENTS In March 2013, the Securities and Exchange Commission (the “Commission”) published proposed rules for Regulation SCI.1 The proposed rules were intended to update, formalize and expand the Commission’s existing voluntary Automation Review Policy Inspection Program (“ARP Inspection Program”) and, with respect to a defined group of SCI entities (defined below), to replace the Commission’s ARP Policy Statements2 and rules concerning systems capacity, integrity and security in Rule 301(b)(6) of Regulation ATS. In November 2014, the Commission adopted final rules to implement Regulation SCI. The Commission’s rulemaking was motivated by a variety of factors: the fact that markets have evolved to be more dependent upon complex and interconnected technologies; its experience with strengths and weaknesses of the voluntary ARP Inspection Program; recent events involving systems issues at exchanges and other trading venues; the risks posed by single points of failure in securities markets; and comments received during the Regulation SCI rulemaking process. Regulation SCI is significant in that it represents a shift to a system of mandatory requirements, including immediate and quarterly reporting, in a field where the Commission previously encouraged voluntary review of technology infrastructure. The effective date of Regulation SCI is February 3, 2015 (the “Effective Date”). The compliance date for Regulation SCI will then occur nine months after the Effective Date, except with respect to: ATSs newly meeting the volume thresholds that result in designation as an SCI ATS (defined below) and the industryor sector-wide coordinated business continuity and disaster recovery testing requirements. ATSs newly meeting the volume thresholds will be provided an additional six months from the time they first meet the -3- January 9, 2015 Regulation SCI: Final Rules Relating to the Technology Infrastructure of U.S. Securities Markets applicable threshold to comply, while SCI entities will have 21 months from the Effective Date to coordinate industry- and sector-wide testing. II. KEY DEFINITIONS AND CONCEPTS The definition of the four categories of SCI entities establishes the universe of organizations that must comply with the new rules. Other definitions also define the scope of the regulations and the type of events that trigger the reporting and disclosure requirements. A. SCI ENTITY The requirements of Regulation SCI apply to an “SCI entity,” defined to include: an SCI self-regulatory organization; an SCI alternative trading system; a plan processor; or an exempt clearing agency subject to ARP. 1. SCI Self-Regulatory Organization An SCI self-regulatory organization (“SCI SRO”) is any national securities exchange registered under Section 6(b) of the Securities Exchange Act of 1934 (the “Exchange Act”), registered securities association, registered clearing agency and the Municipal Securities Rulemaking Board.3 The Commission notes that there are 18 registered national securities exchanges,4 1 registered national securities association,5 and 7 registered clearing agencies.6 2. SCI Alternative Trading System An SCI alternative trading systems (“SCI ATS”) is an alternative trading system, as defined in Rule 300(a) of Regulation ATS, which during at least four of the preceding six calendar months: Had with respect to NMS stocks7 : Five percent or more in any single NMS stock, and one-quarter percent or more in all NMS stocks, of the average daily dollar volume reported by applicable reporting plans; or One percent or more in all NMS stocks of the average daily dollar volume reported by applicable transaction reporting plans; or Had with respect to equity securities that are not NMS stocks and for which transactions are reported to a self-regulatory organization, five percent or more of the average daily dollar volume as calculated by the self-regulatory organization to which such transactions are reported. The adopted definition of SCI ATS is similar to the proposed definition except in two notable respects. First, in response to comments, the definition excludes ATSs that trade only municipal securities or -4- January 9, 2015 Regulation SCI: Final Rules Relating to the Technology Infrastructure of U.S. Securities Markets corporate debt securities. Second, the definition allows an ATS that meets a volume threshold for the first time six months to comply with Regulations SCI. The Commission states that volume thresholds identify those ATSs that could, in the case of an SCI event, have a significant impact on the overall market or a significant impact on a single NMS stock (and some impact on the overall market as a whole at the same time). Depending on its structure, it may be possible for an ATS to limit trading so as not to reach the volume thresholds and thereby not be subject to Regulation SCI. With respect to volume thresholds for NMS stock, the two-prong disjunctive definition seeks to capture two types of ATSs. The first prong of the definition pairs a single NMS stock threshold and an all-NMS stock threshold so that Regulation SCI will not apply to an ATS that has a large volume only in a single NMS stock and little volume in other NMS stocks. The second prong then captures ATSs that have significant trading volume in all NMS stocks. The volume threshold for equity securities that are not NMS stock is higher because the Commission believes that a systems issue at an SCI entity relating to nonNMS stock would not be as likely to have widespread impact. 3. Plan Processor Regulation SCI defines “plan processor” as having the meaning set forth in Rule 600(b)(55) of Regulation NMS, which, in turn, defines plan processor as any self-regulatory organization or securities information processor acting as an exclusive processor in connection with the development, implementation and/or operation of any facility contemplated by an effective national market systems plan. In the adopting release for Regulation SCI (“Adopting Release”)8 the Commission underscored the requirement of exclusivity in this definition. 4. Exempt Clearing Agency Subject to ARP The term “exempt clearing agency subject to ARP” is an entity that has received from the Commission an exemption from registration as a clearing agency under Section 17A of the Act, and whose exemption contains conditions that relate to the Commission’s Automation Review Policies (“ARP”). Only one entity currently falls within this category: the Omego Matching Services – US, LLC. B. SYSTEMS TO WHICH REGULATION SCI APPLIES 1. SCI Systems The term “SCI systems” means all computer, network, electronic, technical, automated or similar systems of, or operated by or on behalf of, an SCI entity that, with respect to securities, directly support trading, clearance and settlement, order routing, market data, market regulation or market surveillance. The Commission views the six functions covered by the definition of SCI systems as central to the functioning of the U.S. securities markets and states in the Adopting Release that the term encompasses systems operated on behalf of an SCI entity by a third party that directly supports one of the six functions. These -5- January 9, 2015 Regulation SCI: Final Rules Relating to the Technology Infrastructure of U.S. Securities Markets systems are subject to almost all the rules of Regulation SCI, except those imposed only on critical SCI systems (defined below). As observed by some commenters, the definition is relatively broad. However, the concept of “directly support” does limit its scope somewhat. For instance, the Commission indicates that this differentiates between those systems that connect to markets and those systems used to “run a business”. The clause “with respect to securities” was added in response to a comment which suggested that without such qualification the definition would apply to systems that have practically “no relevance or relation to SEC markets” and would potentially apply to systems not subject to the Commission’s jurisdiction. 2. Critical SCI Systems The term “critical SCI systems” means any SCI systems of, or operated by or on behalf of, an SCI entity that: Directly support functionality relating to: Clearance and settlement systems of clearing agencies; Openings, reopenings and closings on the primary listing market; Trading halts; Initial public offerings; The provision of consolidated market data; or Exclusively-listed securities; or Provide functionality to the securities markets for which the availability of alternatives is significantly limited or nonexistent and without which there would be a material impact on fair and orderly markets. The Commission believes that it is appropriate to hold systems that pose the greatest risk to markets if they malfunction to higher standards and the more stringent requirements of Regulation SCI. Although the first prong lists six central functions, the second prong is open-ended. The Commission clarified that it is not currently aware of any SCI systems that would fall within this category. Rather, this language is intended to account for future technological evolution that would create new systems that should be considered critical SCI systems. 3. Indirect SCI Systems The term “indirect SCI systems” means any systems of, or operated by or on behalf of, an SCI entity that, if breached, would be reasonably likely to pose a security threat to SCI systems. This definition replaces the concept of “SCI security systems” in the proposed rules. The Commission states that it believes that this modification “reflects that [the term] is intended to cover non-SCI systems only if they are not appropriately secured and segregated from SCI systems, and therefore could indirectly pose risk to SCI systems.” In other words, the Commission explained that “[s]ystems that are -6- January 9, 2015 Regulation SCI: Final Rules Relating to the Technology Infrastructure of U.S. Securities Markets adequately physically or logically separated (i.e., isolated from SCI systems, such that they do not provide vulnerable points of entry into SCI systems) will not fall within the definition of indirect SCI systems.” Indirect SCI systems will be subject to a more limited set of requirements when compared to SCI systems generally. C. SCI EVENTS The occurrence of an SCI event triggers requirements relating to corrective action, reporting to the Commission and disseminating information to members and participants. The requirements that are triggered by an SCI event are discussed below in Section III.B. “SCI events” is defined to include three types of occurrences: systems disruptions; systems compliance issues; and systems intrusions. The definitions of SCI event and its component categories do not contain a materiality qualifier. Instead, the Commission adopted a risk-based approach with respect to the obligations of an SCI entity with respect to an SCI event (for example, the limited notification requirements for de minimis SCI events). Moreover, SCI events that qualify as major SCI events will trigger additional obligations for the SCI entity. 1. Systems Disruption A “systems disruption” is an event in an SCI entity’s SCI systems that disrupts, or significantly degrades, the normal operation of an SCI system. The adopted definition represents a shift from the prescriptive proposed definition which specified seven specific types of malfunctions as systems disruptions. The Commission views the final definition as a more flexible standards-based approach that gives SCI entities greater flexibility and discretion in determining when a systems disruption has occurred. The Commission encourages SCI entities to establish parameters that establish what constitutes normal operations of each SCI system and when such normal operations have been disrupted or significantly degraded. 2. Systems Compliance Issues A “systems compliance issue” is an event at an SCI entity that has caused any SCI system of such entity to operate in a manner that does not comply with the Exchange Act and the rules and regulations thereunder, or the entity’s rules or governing documents, as applicable. According to the Commission, a systems compliance issue could occur, for example, when a change to an SCI system is made by information technology staff, without the knowledge or input of regulatory staff, that results in a system operating in contravention of the Exchange Act and the rules thereunder or the SCI entity’s rules or governing documents.-7- January 9, 2015 Regulation SCI: Final Rules Relating to the Technology Infrastructure of U.S. Securities Markets 3. Systems Intrusion A “systems intrusion” is any unauthorized entry into the SCI systems or indirect systems of an SCI entity. The Commission emphasizes that the definition covers any unauthorized entry “regardless of the identity of the person committing the intrusion (whether they are outsiders, employees, or agents of the SCI entity),” and “whether or not the intrusion was part of a cyber attack, potential criminal activity, or other unauthorized attempt to retrieve, manipulate, or destroy data, or access or disrupt systems of SCI entities.” However, the Commission indicates in the Adopting Release that the definition does not include unsuccessful attempts at unauthorized entry. 4. Major SCI Events The term “major SCI event” means an SCI event that has had, or the SCI entity reasonably estimates would have, any impact on a critical SCI system, or a significant impact on the SCI entity’s operations or on market participants. The occurrence of major SCI events triggers heightened information dissemination requirements. D. RESPONSIBLE SCI PERSONNEL Regulation SCI defines “responsible SCI personnel” to mean, for a particular SCI system or indirect SCI system impacted by an SCI event, senior managers of the SCI entity having responsibility for the system, and their designees. An SCI entity’s policies and procedures will need to include criteria for identifying responsible SCI personnel. As explained further in Section III.B below, identification of a responsible SCI personnel is significant because their having a reasonable basis to conclude that an SCI event has occurred will trigger certain obligations for the SCI entity, including taking corrective action and disseminating information to participants and members. The Commission states that an SCI entity’s policies and procedures must also provide for escalation procedures to “quickly inform” SCI personnel of potential SCI events. III. OBLIGATIONS OF SCI ENTITIES A. POLICIES AND PROCEDURES Rule 1001 specifies written policies and procedures that the SCI entity must establish, maintain and enforce. These policies and procedures can be divided into two categories. The first concerns the robustness of an SCI entity’s systems, while the second concerns the operational compliance of an SCI entity’s SCI systems with the Exchange Act and the rules and regulations thereunder and the entity’s rules and governing documents, as applicable. -8- January 9, 2015 Regulation SCI: Final Rules Relating to the Technology Infrastructure of U.S. Securities Markets 1. Policies and Procedures to Achieve Capacity, Integrity, Resiliency, Availability and Security Rule 1001(a) provides that each SCI entity shall establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and security adequate to maintain the SCI entity’s operational capability and promote the maintenance of fair and orderly markets. Rule 1000(a)(4) provides that policies and procedures will be considered reasonably designed if they “are consistent with current SCI industry standards.” Industry standards are, in turn, to be based on “information technology practices that are widely available to information technology professionals in the financial sector and issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization.” Concurrent with the publication of the Adopting Release, the Commission issued staff guidance on current SCI industry standards.9 The guidance lists particular publications that the Commission believes best represent SCI industry standards at this time. The Commission views the list as providing transparency initially on how the staff will prepare for and conduct its inspections pursuant to Regulation SCI. In developing its written policies and procedures, an SCI entity must include the following seven minimum elements: the establishment of reasonable current and future technological infrastructure capacity planning estimates; periodic capacity stress tests of such systems to determine their ability to process transactions in an accurate, timely, and efficient manner; a program to review and keep current systems development and testing methodology for such systems; regular reviews and testing, as applicable, of such systems, including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or man-made disasters; business continuity and disaster recovery plans that are resilient and geographically diverse and that are reasonably designed to achieve next-business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption; standards that result in such systems being designed, developed, tested, maintained, operated and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data; and monitoring of such systems to identify potential SCI events. The final rules also require the SCI entity to periodically review the effectiveness of the policies and procedures, and take prompt action to remedy deficiencies. -9- January 9, 2015 Regulation SCI: Final Rules Relating to the Technology Infrastructure of U.S. Securities Markets 2. Policies and Procedures to Achieve Systems Compliance Rule 1001(b) requires each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in a manner that complies with the Exchange Act and the rules and regulations thereunder and the entity’s rules and governing documents, as applicable. Like Rule 1001(a), the policies and procedures must include at least the following four features: testing of all SCI systems and any changes to SCI systems prior to implementation; a system of internal controls over changes to SCI systems; a plan for assessments of the functionality of SCI systems designed to detect systems compliance issues, including by responsible SCI personnel and by personnel familiar with applicable provisions of the Exchange Act and the rules and regulations thereunder, and the SCI entity’s rules and governing documents; and a plan of coordination and communication between regulatory and other personnel of the SCI entity, including by responsible SCI personnel, regarding SCI systems design, changes, testing and controls designed to detect and prevent systems compliance issues. In response to concerns raised by commentators, the Commission emphasizes in the Adopting Release that the mere occurrence of an SCI event will not necessarily result in a violation of Rule 1001(b). According to the Commission, while the occurrence of a systems compliance issue may be probative of the reasonableness of an SCI entity’s policies and procedures, it is not determinative. The topic of a safe harbor from liability for SCI entities and their personnel received significant comment. After considering the comments, the Commission determined not to adopt a safe harbor from liability for SCI entities because, among other reasons, Rule 1001(b) requires policies and procedures “reasonably designed” to ensure compliance with the Exchange Act (rather than policies and procedures that operate in a manner that complies with the Exchange Act as proposed). The proposed safe harbor for individuals, however, was retained with certain modifications. The individual safe harbor, as adopted, provides that personnel of an SCI entity will be deemed not to have aided, abetted, counseled, commanded, caused, induced, or procured the violation by an SCI entity of Rule 1001(b) if the person: has reasonably discharged the duties and obligations incumbent upon such person by the SCI entity’s policies and procedures; and was without reasonable cause to believe that the policies and procedures relating to an SCI system for which such person was responsible, or had supervisory responsibility, were not established, maintained, or enforced in accordance with Rule 1001(b) in any material respect. Because Regulation SCI imposes obligations only on SCI entities, the Commission has designed the individual safe harbor to cover so-called “secondary liability” – for example, aiding and abetting. The safe harbor extends to all personnel of an SCI entity and, according to the Commission, this would encompass -10- January 9, 2015 Regulation SCI: Final Rules Relating to the Technology Infrastructure of U.S. Securities Markets not only employees, but also contractors, consultants and similar non-employees that act in a capacity similar to an SCI entity’s employees. In adopting the safe harbor, the Commission explicitly rejected a proposal by commentators to limit liability of SCI personnel to willful or intentional misconduct. B. OBLIGATIONS TRIGGERED BY SCI EVENTS If a responsible SCI personnel has a reasonable basis to conclude that an SCI event has taken place, the SCI entity then must begin to take corrective action, notify the Commission, and disseminate information to participants and members. The proposed rule suggested that an SCI entity’s obligations would be triggered when its SCI personnel “become aware” of an SCI event. In response to comments, the Commission modified the standard to a “reasonable basis to conclude” because such an approach allows an SCI entity to perform an initial analysis and assessment as to whether an SCI event has occurred, rather than taking immediate action upon a responsible SCI personnel becoming aware of an SCI event. 1. Corrective Action Appropriate corrective action includes, at a minimum, mitigating harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable. Unlike certain other requirements in Regulation SCI, this provision does not specify in detail the specific actions that must be taken. Rather, it imposes a duty to act on the SCI entity coupled with flexibility to determine the specific steps necessary to mitigate the harm of the SCI event. 2. Commission Notification An SCI entity generally will be obligated to give the Commission immediate notice when any responsible SCI personnel has a reasonable basis to conclude that an SCI event has occurred and share information on a regular basis until the SCI event has been resolved. However, for SCI events that have had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity’s operations or on market participants, Commission notifications are more limited and are based on a quarterly reporting paradigm. a. SCI Events Initial steps that must be taken upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred include immediate notification to the Commission. The immediacy of the requirement is tempered by the threshold trigger that gives SCI personnel some time to form a reasonable basis to conclude that an SCI event has taken place. However, once that reasonable basis exists, the Commission must be notified immediately even if the situation occurs outside normal business hours. The Commission recognizes that this immediate notice may be informal and specifically clarifies in the Adopting Release that the requirement can be satisfied via telephone or e-mail. The immediate notification must, however, be followed-up with a written notification within 24 hours of any -11- January 9, 2015 Regulation SCI: Final Rules Relating to the Technology Infrastructure of U.S. Securities Markets responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred. The written notification is subject to a good faith, best efforts standard and must include a description of the SCI event, including the system(s) affected and, to the extent available as of the time of the notification: the SCI entity’s current assessment of the types and numbers of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or time frame within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event. The addition of a “good faith, best efforts” standard is a modification from the proposed rules. This acknowledges that written notification provided within 24 hours may prove in retrospect to be incomplete or inaccurate. The Commission states that SCI entities should not be penalized for “unintentional inaccuracies or omissions” in the initial notifications. However, the Commission indicates that the “best efforts” standard will help ensure an SCI entity will make a diligent and timely attempt to provide all the information required by the written notification requirement. The notification requirements also include an obligation to provide updates relating to such SCI events on a regular basis, or at such frequency as reasonably requested by a representative of the Commission to correct any materially incorrect information previously provided, or when new material information is discovered, including, but not limited to, any of the information that should have been provided at the time of the 24-hour written notification. As discussed in Section IV below, an SCI entity may request confidential treatment of information included in a Form SCI. An SCI entity is not required (but may) submit the initial communication to the Commission on the occurrence of an SCI event and the related updates on Form SCI. To the extent an SCI entity does not utilize Form SCI for those communications, the Commission in the Adopting Release indicates that it will keep such communications confidential to the extent permitted by law. Accordingly, SCI entities providing these communications other than on Form SCI should expressly request confidentiality in accordance with the Commission’s rules and regulations.10 Ultimately, a report must be submitted when the SCI event is resolved and the SCI entity’s investigation of the SCI event is closed. The notification in this report must include: a detailed description of: the SCI entity’s assessment of the types and number of market participants affected by the SCI event; the SCI entity’s assessment of the impact of the SCI event on the market;-12- January 9, 2015 Regulation SCI: Final Rules Relating to the Technology Infrastructure of U.S. Securities Markets the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity’s rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; a copy of any information disseminated pursuant to Rule 1002(c) of Regulation SCI by the SCI entity to date regarding the SCI event to any of its members or participants; and an analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. There are specific timing requirements relating to the final report. If an SCI event is not resolved or the SCI entity’s investigation of the SCI event is not closed within 30 calendar days of the occurrence of the SCI event, then the SCI entity must submit an interim written notification relating to such SCI event to the Commission within 30 calendar days after the occurrence of the SCI event. The interim written notification must include the information required in the final report to the extent known at that time. Upon the ultimate resolution of the SCI event and the closure of the investigation, a final written notification must be provided within five business days. b. SCI Events that have no or a de minimis impact on SCI entity’s operations or on market participants Notification requirements do not apply to any SCI event that has had or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity’s operations or on market participants. For such events, the SCI entity is required to make, keep and preserve records relating to all such SCI events and to submit to the Commission a report, within 30 calendar days after the end of each calendar quarter, containing a summary description of such systems disruptions and systems intrusions, including the SCI systems and, for systems intrusions, indirect SCI systems, affected by such systems disruptions and systems intrusions during the applicable calendar quarter. The Commission notes that whether an SCI event is within the de minimis exception will depend on all the facts and circumstances, and that relevant factors could include: whether critical SCI systems are impacted; the duration of the SCI event; whether there is loss in redundancy; whether an alternative trading system is available following a systems disruption; the size of the affected market trading volume; whether the processes for trade completion or clearance or settlement are adversely impacted; whether settlement is completed on time; whether an event is resolved before the market opens; whether a post-trade event is resolved before the market closes;-13- January 9, 2015 Regulation SCI: Final Rules Relating to the Technology Infrastructure of U.S. Securities Markets whether a failover, despite being successful, results in a system operating without a back-up; and the number of securities symbols adversely affected. The Commission stresses in the Adopting Release that the notifications are not subject to a “materiality” qualifier and that a materiality threshold would likely exclude from notification “a large number of SCI events that are not de minimis.” 3. Dissemination of Information Subject to certain exceptions, an SCI entity is required to disseminate certain information to its members or participants upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred. The information that must be disclosed differs depending on the type of SCI event, with one set of rules applying to systems disruptions and systems compliance issues and another qualified requirement applying to systems intrusions. Regardless of the type of SCI event, the information that must be disseminated must be sent to those members or participants of the SCI entity that any responsible SCI personnel has reasonably estimated may have been affected by the SCI event. Further, prompt disclosure is required to any additional members or participants that any SCI responsible officer subsequently reasonably estimates may have been affected by the SCI event. However, for major SCI events, the information must be promptly disseminated by the SCI entity to all its members or participants. The Commission indicates that posting information on a website accessible to, at a minimum, all of an SCI entity’s members or participants, will meet the requirement for major SCI events. a. Systems Disruptions and Systems Compliance Issues Promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event that is a systems disruption or systems compliance issue has occurred, the SCI entity must disseminate information about the systems affected by the SCI event and a summary description of the SCI event. The Commission indicates in the Adopting Release that the “requirement for prompt dissemination, as opposed to immediate dissemination, is designed to provide some limited flexibility to an SCI entity to determine an efficient way to disseminate information to multiple potentially affected persons or participants, as the case may be, in a timely manner.” When known, the SCI entity must promptly further disseminate a detailed description of the SCI event, the SCI entity’s current assessment of the types and numbers of market participants potentially affected by the SCI event and a description of the progress of its corrective action for the SCI event, and when the SCI event has been or is expected to be resolved. Until the SCI event is resolved, the SCI entity will have an obligation to provide regular updates of any information that it must disseminate. -14- January 9, 2015 Regulation SCI: Final Rules Relating to the Technology Infrastructure of U.S. Securities Markets b. Systems Intrusions Promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event that is a systems intrusion has occurred, the SCI entity must disseminate a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the system intrusion has been or is expected to be resolved. However, if the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity’s SCI systems or indirect SCI systems, or an investigation of the systems intrusion, then the SCI entity need not promptly disseminate such information. In order to qualify for this exception, an SCI entity must document the reasons for its determination that it should not disseminate information promptly. The Commission states in the Adopting Release that it views the permitted delay for disclosing systems intrusions as only allowing a delay in dissemination of information and not completely relieving the SCI entity of its obligation to ever disseminate information. The Commission emphasizes that only a delay is possible since the circumstances allowing for such an exception would not continue indefinitely. c. Reporting Exceptions The requirement to provide the reports to members or participants does not apply to: SCI events that relate to market regulation or market surveillance; or any SCI event that the SCI entity reasonably determines will have no or a de minimis impact on the SCI entity’s operations or market participants. C. NOTIFICATIONS OF SYSTEMS CHANGES Rule 1003(a) establishes a system of quarterly notification to the Commission about completed, ongoing or planned material systems changes. This feature of the final rules represents a notable shift from the proposed rules based on the comments that the Commission received. As proposed, the rule would have required the SCI entity, absent exigent circumstances, to notify the Commission in writing at least 30 calendar days before implementing any planned material systems changes. The pre-notification requirements in the proposed rules were to be coupled with two reports per year on systems changes. The final rules do not include any pre-notification requirements. Consistent with the elimination of a prenotification requirement, the Commission indicates that the Commission staff will not use the reports to require approvals of prospective system changes or delay the implementation of systems changes. 1. Criteria to identify a material systems change Regulation SCI does not include a specified definition for what constitutes a material systems change, as initially proposed. Instead, final rules provide SCI entities a degree of flexibility in determining what constitutes a material systems change. The final rules require an SCI entity to establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material. Reports relating to such changes must be in accordance with these established, written criteria. -15- January 9, 2015 Regulation SCI: Final Rules Relating to the Technology Infrastructure of U.S. Securities Markets These criteria (as with other policies and procedures of the SCI entity) will be subject to review by the Commission staff. 2. Quarterly and Supplemental Reports Within 30 calendar days after the end of each calendar quarter, each SCI entity must submit to the Commission a report describing completed, ongoing and planned material changes to its SCI systems, and the security of indirect systems during the prior, current and subsequent calendar quarters, including the dates or expected dates of commencement and completion. Additionally, an SCI entity must promptly submit a supplemental report notifying the Commission of a material error in or material omission in its previously submitted quarterly report. The Commission emphasizes in the Adopting Release that the quarterly reports need only to “describe” the material systems changes and the dates or expected dates of their commencement and completion. This, according to the Commission, gives “each SCI entity reasonable flexibility in determining precisely how to describe its material systems changes in the report in a manner that best suits the needs of that SCI entity as well as the needs of the Commission and its staff.” D. SCI REVIEWS An SCI entity must conduct an SCI review of its compliance with Regulation SCI not less than once each calendar year subject to two limited exceptions discussed below. An SCI review is defined as a review, following established procedures and standards, that is performed by objective personnel having appropriate experience to conduct reviews of SCI systems and indirect SCI systems, and which contains the following: a risk assessment with respect to such systems of an SCI entity; and an assessment of internal control design and effectiveness of its SCI systems and indirect SCI systems to include logical and physical security controls, development processes, and information technology governance, consistent with industry standards. According to the Commission, the “established procedures and standards” will be identified and established by the SCI entity itself. The Commission has clarified that “objective personnel” does not necessarily require review by an independent third party. According to the Commission, this provision does, however, require that the review be performed by “persons who have not been involved in the development, testing, or implementation of such systems being reviewed” because such objectivity would put a person in a better position to identify weaknesses and deficiencies. The Commission states that any personnel with a conflict of interest that has not been adequately mitigated to allow for objectivity should be excluded from the independent review. In this regard, the Commission indicates that SCI entities can have policies and -16- January 9, 2015 Regulation SCI: Final Rules Relating to the Technology Infrastructure of U.S. Securities Markets procedures in place to mitigate conflicts of interest or to help ensure departments or specified personnel (such as internal audit) are appropriately insulated from such conflicts. A report on the SCI review must be submitted to senior management of the SCI entity no more than 30 calendar days after completion of the review. Senior management is defined in this context to include an SCI entity’s Chief Executive Officer, Chief Technology Officer, Chief Information Officer, General Counsel and Chief Compliance Officer (or their equivalents). Within 60 calendar days after submission of such report to senior management of the SCI entity, the report, along with any response by senior management to the report, must be submitted to the Commission and to the board of directors (or equivalent) of the SCI entity. The final rules do not require certification of the report, but the Adopting Release includes a warning that “it is unlawful for any person to willfully or knowingly make, or cause to be made, a false or misleading statement with respect to any material fact in such reports or responses.” Two aspects of an SCI Review are subject to a longer cycle. First, penetration test reviews of the network, firewalls and production systems of the SCI must be conducted at a frequency of not less than once every three years. Second, assessments of SCI systems directly supporting market regulation or market surveillance must be conducted at a frequency based upon the risk assessment conducted as part of the SCI review, but in no case less than once every three years. E. BUSINESS CONTINUITY AND DISASTER RECOVERY PLANS TESTING REQUIREMENTS FOR MEMBERS OR PARTICIPANTS Regulation SCI requires SCI entities to engage in business continuity and disaster recovery planning and to work with others to ensure the effectiveness of such efforts. Notably, SCI entities must cause the participation of certain of their members or participants in such testing. Rule 1004 requires the SCI entity to establish standards for the designation of those members or participants that the SCI entity reasonably determines are, taken as a whole, the minimum necessary for the maintenance of fair and orderly markets in the event of the activation of such plans. The SCI entity must then designate members or participants pursuant to such standards and require participation by such designated members or participants in scheduled functional and performance testing of the operations of such plans, in the manner and frequency specified by the SCI entity (but not less than every twelve months). The Commission indicates, consistent with the proposing release, that functional and performance testing would include testing not only connectivity, but also testing of an SCI entity’s systems, such as order entry, execution, clearance and settlement, order routing, and transmission and receipt of market data. However, the Commission also indicates that this testing would not require a full test of the functional and performance characteristics of each back-up facility to be conducted all at once and in coordination with other SCI entities at the same time. Rather, according to the Commission, the final rule requires coordinated, annual testing of whether the back-up facilities of SCI entities can function -17- January 9, 2015 Regulation SCI: Final Rules Relating to the Technology Infrastructure of U.S. Securities Markets and perform in the event of widespread disruption. The Commission also notes that performance testing is not synonymous with “stress testing.” The Commission indicated in the Adopting Release the manner in which SCI entities can mandate the participation of members or participants. According to the Commission, SCI SROs may use their rulemaking authority, while all SCI entities should be able to implement this requirement through their contractual arrangements with participants or members. Commentators raised numerous concerns over the impact of the rule on members and participants that may be required to participate in the testing, including that some members may be overburdened by multiple testing requests and that some entities may withdraw as members or participants due to the cost. The Commission rejected these comments noting, among other things, SCI entities will have an incentive to limit the scope of testing to the minimum number of participants or members to comply with the rule and that it is “unlikely” a firm that meets the testing standard would withdraw from testing. Rule 1004 also requires an SCI entity to coordinate the testing of its business continuity and disaster recovery plans on an industry- or sector-wide basis with other SCI entities. As described in Section I, the compliance date for this particular requirement is 21 months from the Effective Date given the anticipated logistical difficulties of pursuing coordinated efforts. F. RECORDKEEPING AND ACCESS An SCI SRO must make, keep and preserve all documents relating to its compliance with Regulation SCI as prescribed in Rule 17a-1 under the Exchange Act. The Commission views the existing recordkeeping obligations of SCI SROs pursuant to this rule as sufficient for purposes of Regulation SCI. An SCI entity that is not an SCI SRO must: make, keep and preserve at least one copy of all documents, including any correspondences, memoranda, papers, books, notices, accounts and other such records relating to its compliance with Regulation SCI, including, but not limited to, records relating to any changes to its SCI systems and indirect SCI systems; keep all such documents for a period of not less than five years, the first two years in a place that is readily accessible to the Commission or its representatives for inspection and examination; and upon request of any representative of the Commission, promptly furnish to the possession of such representative copies of any documents required to be kept and preserved by it pursuant to these recordkeeping requirements. As part of its recordkeeping obligations, an SCI entity is responsible for ensuring that third parties that operate an SCI system or indirect SCI system on its behalf provide the records required to be made, kept and preserved under Regulation SCI to representatives of the Commission. The Commission indicates that to fulfill this obligation, an SCI entity would need to have contractual provisions to require the third party to maintain the required records and provide the required documents to representatives of the Commission. Similarly, the final rules require that if required records are prepared or maintained by a -18- January 9, 2015 Regulation SCI: Final Rules Relating to the Technology Infrastructure of U.S. Securities Markets service bureau or recordkeeping service on behalf of an SCI entity, the SCI entity must cause the service bureau or other recordkeeping service to submit a written undertaking, in a form acceptable to the Commission, signed by a duly authorized person of such service bureau or recordkeeping service, to permit the Commission and its representatives to examine such records during normal business hours and to promptly furnish to the Commission and its representatives true, correct and current electronic files (in a form acceptable to the Commission or its representatives) or hard copies of the records. The final rules also provide that the preservation and maintenance of the records by a service bureau or recordkeeping service does not relieve an SCI entity from its recordkeeping obligations under Regulation SCI. Provisions of the proposed rules that would have required an SCI entity to provide Commission representatives reasonable access to its SCI systems and SCI security systems to assess compliance with Regulation SCI were not adopted in the final rules. This shift was in response to comments that noted such access was antithetical to one of the purposes of Regulation SCI—maintaining the security of such systems. The Commission concluded that such access was not required in the final rules since the Commission could sufficiently achieve the objectives of such access through its examination authority and through the recordkeeping requirements of the final rules. IV. ELECTRONIC FILINGS AND FORM SCI Except with respect to the requirements for immediate notice to the Commission of SCI events and updates to the Commission regarding SCI events, any notification, review, description, analysis or report to the Commission required to be submitted under Regulation SCI must be filed electronically on Form SCI, include all information prescribed in Form SCI and the instructions thereto, and contain an electronic signature. The Form SCI does not need to have tagged data like XBRL, but must be in a text-searchable format. There is one Form SCI that is meant to accommodate the various sorts of filings that may be required under Regulation SCI. Accordingly, the form includes short questions that identify the sort of filing that is being made. The sort of filing that is being made also determines which questions must be answered in the form. In addition to the short questions, Form SCI contemplates the inclusion of exhibits for certain types of filings. There are six types of exhibits: Exhibit 1: Rule 1002(b)(2) Notification of SCI Event. Exhibit 2: Rule 1002(b)(4) Final or Interim Report of SCI Event. Exhibit 3: Rule 1002(b)(5)(ii) Quarterly Report of De minimis SCI Events. Exhibit 4: Rule 1003(a) Quarterly Report of Systems Changes.-19- January 9, 2015 Regulation SCI: Final Rules Relating to the Technology Infrastructure of U.S. Securities Markets Exhibit 5: Rule 1003(b)(3) Report of SCI Review. Exhibit 6: Optional Attachments. The Form SCI must include an electronic signature of a duly authorized individual of the SCI entity. The SCI entity is required to maintain a manually executed version of the signature page, which must be executed before the Form SCI is filed and must be retained as required by the record retention rules of Regulation SCI. The Commission indicates in the Adopting Release that the signature is not intended as a verification of the accuracy and completeness of the information in the Form SCI; rather, the electronic signature requirement is intended to ensure that the person executing the Form SCI has been properly authorized to submit Form SCI filings on behalf of the SCI entity. Finally, in connection with the electronic filing requirements of Regulation SCI, the Commission adopted certain amendments to Rule 24b-2 of the Exchange Act to allow information submitted by Form SCI to be treated as confidential by the Commission and not to require a paper submission of a confidential treatment request. An SCI entity may request confidential treatment of information submitted on Form SCI by completing Section IV of Form SCI. Such requests will lead the Commission to treat the information confidentially to the extent it is permitted to do so by law. V. POTENTIAL FOR ADDITIONAL RULEMAKING CONCERNING BROKER DEALERS, SECURITYBASED SWAP DATA REPOSITORIES AND SECURITY-BASED SWAP EXECUTION FACILITIES In the proposing release, the Commission sought comment on applying Regulation SCI to security-based swap data repositories, security-based swap execution facilities and broker-dealers (other than SCI ATSs). The Commission received extensive comment on whether these entities should be subject to Regulation SCI. The Commission indicates that it would proceed with separate rule makings if it determines that any of those categories of entities should be subject to Regulation SCI.