As odd as it may sound, even severe weather can result in a new cybersecurity and data protection law. In October 2012 the U.S. securities exchanges were closed for two days in the wake of Superstorm Sandy. In hindsight, market participants and regulators concluded that the disruption likely could have been avoided had appropriate disaster recovery and business continuity processes been in place. Trading on securities markets similarly has been disrupted by software bugs and other software errors. Other system errors have delayed initial public offerings (IPOs), which in one infamous instance led to a $62 million accommodation program to compensate market participants for losses from the flawed Facebook IPO process. Because securities markets increasingly depend on interconnected trading, clearing and market data systems, all of these phenomena present continuing risks to capital markets.
In response, in November 2014 the Securities and Exchange Commission (SEC) adopted Regulation Systems Compliance and Integrity, known as Regulation SCI. Regulation SCI includes seven specific rules, adopted as Rules 1001 to 1007. Rule 1000 contains the definitions that determine the scope of the regulation. Regulation SCI applies to “SCI entities,” defined in Rule 1000(a) to include all self-regulatory organizations (including national securities exchanges but excluding securities futures exchanges), alternative trading systems meeting certain volume thresholds, plan processors and certain exempt clearing agencies (currently only one entity, Omgeo). The SEC has estimated that 44 entities initially are covered by the new rules.
Rule 1001 requires SCI entities to “establish, maintain and enforce written policies and procedures reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain their operational capability and promote the maintenance of fair and orderly markets, and operate in a manner that complies with the Exchange Act.” The regulations contain specific minimum requirements for the written plans, including the establishment of current and future capacity planning estimates, periodic capacity stress tests, regular system review and testing, and business continuity and disaster recovery plans. An organization’s policies and procedures are deemed to be reasonable if consistent with current industry standards. Staff guidance lists examples of industry standards for compliance with Regulation SCI.
Rule 1002 requires certain corrective action, SEC notification and information dissemination after a system failure or breach, known as an “SCI event.” An SCI event is defined broadly in Rule 1000 and includes a systems disruption, a systems compliance issue or a systems intrusion. SCI events that have a de minimis impact on the SCI entity’s operations or on market participants are subject to recordkeeping and quarterly summary reporting requirements, but not immediate SEC notification.
If SCI entities make material systems changes, Rule 1003 requires quarterly reports of those changes to the SEC. Rule 1003 also requires an annual “SCI review” of the SCI entity’s compliance with the regulation, conducted by objective personnel, the report of which must be shared with the entity’s board of directors and submitted to the SEC together with management’s response. Rule 1004 requires business continuity and disaster recovery testing, including mandatory participation by designated members and participants. Rules 1005, 1006 and 1007 mandate specific recordkeeping and electronic filing requirements and address certain other related matters.
Regulation SCI will become effective 60 days after publication in the Federal Register. SCI entities generally will have to comply nine months after the effective date, with extended deadlines for testing requirements.
Although the SEC unanimously voted in favor of Regulation SCI, some commissioners expressed concern that the new regulation applies only to a few dozen large entities and not to a broader group of market participants, including broker-dealers. SEC Chair Mary Jo White has directed the SEC staff to “develop recommendations as to expand[ing] Regulation SCI’s fundamental requirements to additional market participants,” such as broker-dealers and transfer agents. The SEC previously has noted that businesses of all types are concerned with cybersecurity risk and with protecting themselves against cyber-threats. Because SCI entities will likely require the vendors and other businesses with which they interact to meet standards comparable to those imposed on the SCI entities themselves, Regulation SCI is likely to affect more businesses than those governed directly by the new rules.
Similarly, in November 2014 the Federal Financial Institutions Examination Council (FFIEC) issued a series of cybersecurity preparedness observations and guidelines for financial institutions. Although the recommendations were derived from the FFIEC’s assessment of over 500 community financial institutions, the recommendations for evaluating an entity’s preparedness to respond to and mitigate cyber-attacks are applicable to companies in almost every industry.