[Federal Register Volume 86, Number 220 (Thursday, November 18, 2021)]
[Notices]
[Pages 64566-64569]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-25173]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[SEC File No. 270-653, OMB Control No. 3235-0703]


Proposed Collection; Comment Request

Upon Written Request, Copies Available From: Securities and Exchange 
Commission, Office of FOIA Services, 100 F Street NE, Washington, DC 
20549-2736

Extension:
    Regulation SCI, Form SCI

    Notice is hereby given that pursuant to the Paperwork Reduction Act 
of 1995 (``PRA'') (44 U.S.C. 3501 et seq.), the Securities and Exchange 
Commission (``Commission'') is soliciting comments on the collection of 
information provided for in Regulation Systems Compliance and Integrity 
(``Regulation SCI'') (17 CFR 242.1000-1007) and Form SCI (17 CFR 
249.1900) under the Securities Exchange Act of 1934 (``Exchange Act'') 
(15 U.S.C. 78a et seq.). The Commission plans to submit this existing 
collection of information to the Office of Management and Budget 
(``OMB'') for extension and approval.
    Regulation SCI requires certain key market participants to, among 
other things: (1) Have comprehensive policies and procedures in place 
to help ensure the robustness and resiliency of their technological 
systems, and also that their technological systems operate in 
compliance with the federal securities laws and with their own rules; 
and (2) provide certain notices and reports to the Commission to 
improve Commission oversight of securities market infrastructure.
    Regulation SCI advances the goals of the national market system by 
enhancing the capacity, integrity, resiliency, availability, and 
security of the automated systems of entities important to the 
functioning of the U.S. securities markets, as well as reinforcing the 
requirement that such systems operate in compliance with the Exchange 
Act and rules and regulations thereunder, thus strengthening the 
infrastructure of the U.S. securities markets and improving its 
resilience when technological issues arise. In this respect, Regulation 
SCI establishes an updated and formalized regulatory framework, thereby 
helping to ensure more effective Commission oversight of such systems.
    Respondents consist of national securities exchanges and 
associations, registered clearing agencies, exempt clearing agencies, 
plan processors, and alternative trading systems. There are currently 
47 respondents, and the Commission staff estimates that, on average, 2 
new respondents may become SCI entities each year, 1 of which would be 
a self-regulatory organization (``SRO''). Accordingly, Commission staff 
estimates that over the next three years there will be an average of 49 
respondents per year.
    In addition, in December 2020, the Commission adopted amendments to 
Regulation SCI in connection with updates to the national market system 
for the collection, consolidation, and dissemination of information 
with respect to quotations for and transactions in national market 
system (``NMS'') stocks (``Infrastructure Amendments''). Specifically, 
the Commission adopted a definition of ``SCI competing consolidator'' 
that will subject competing consolidators to Regulation SCI, after a 
transition period, if they are above a specified consolidated market 
data gross revenue threshold.\1\ The Infrastructure Amendments 
increased the number of respondents to the collections of information 
in Regulation SCI, and the Commission estimates that seven competing 
consolidators will meet this definition and be subject to the 
requirements of Regulation SCI.\2\ Rule 1001(a) requires each SCI 
entity to establish, maintain, and enforce written policies and 
procedures reasonably designed to ensure that its SCI systems and, for 
purposes of security standards, indirect SCI systems, have levels of 
capacity, integrity, resiliency, availability, and security, adequate 
to maintain the SCI entity's operational capability and promote the 
maintenance of fair and orderly markets. The Commission staff estimates 
that the total annual initial recordkeeping burden for 7 new 
respondents will be 4,511 hours, and the annual ongoing recordkeeping 
burden for all 54 respondents will be,

[[Page 64567]]

on average, 12,528 hours. The Commission staff estimates that the 7 new 
respondents would incur, on average, an annual initial internal cost of 
compliance of $1,513,382, as well as outside legal or consulting costs 
of $305,500. In addition, all respondents will incur, on average, an 
estimated ongoing annual internal cost of compliance of $4,205,412.
---------------------------------------------------------------------------

    \1\ See Securities Exchange Act Release No. 34-90610 (December 
9, 2020), 86 FR 18596 (April 9, 2021) (File No. S7-03-20) 
(``Infrastructure Adopting Release'').
    \2\ Some of these respondents were estimated to incur no, or 
only part of, the estimated initial burdens because they were 
already subject to Regulation SCI (i.e., as plan processors, SROs or 
affiliates of SROs).
---------------------------------------------------------------------------

    Rule 1001(b) requires each SCI entity to establish, maintain, and 
enforce written policies and procedures reasonably designed to ensure 
that its SCI systems operate in a manner that complies with the 
Exchange Act and the rules and regulations thereunder and the entity's 
rules and governing documents, as applicable. The Commission staff 
estimates that the total annual initial recordkeeping burden for 7 new 
respondents will be 1,755 hours, and the annual ongoing recordkeeping 
burden for all respondents will be, on average, 8,010 hours. The 
Commission staff estimates that the 7 new respondents would incur an 
initial internal cost of compliance of $660,270, as well as outside 
legal or consulting costs of $175,500. In addition, all respondents 
will incur, on average, an estimated ongoing annual internal cost of 
compliance of $2,539,890.
    Rule 1001(c) requires each SCI entity to establish, maintain, and 
enforce reasonably designed written policies and procedures that 
include the criteria for identifying responsible SCI personnel, the 
designation and documentation of responsible SCI personnel, and 
escalation procedures to quickly inform responsible SCI personnel of 
potential SCI events. The Commission staff estimates that the total 
annual initial recordkeeping burden for 7 new respondents will be 741 
hours, and the annual ongoing recordkeeping burden for all respondents 
will be, on average, 2,106. The Commission staff estimates that the 7 
new respondents would incur an initial internal cost of compliance of 
$276,432, and all respondents will incur, on average, an estimated 
ongoing annual internal cost of compliance of $839,592.
    Rule 1004 requires each SCI entity to establish standards for the 
designation of certain members or participants for BC/DR plan testing, 
to designate members or participants in accordance with these 
standards, to require participation by designated members or 
participants in such testing at least annually, and to coordinate such 
testing on an industry- or sector-wide basis with other SCI entities. 
The Commission staff estimates that the total annual initial 
recordkeeping burden for 9 new respondents will be 2,700 hours, and the 
annual ongoing recordkeeping burden for all respondents that are not 
plan processors will be, on average, 7,290 hours. The Commission staff 
estimates that the 7 new respondents would incur an initial internal 
cost of compliance of $804,735. In addition, all respondents that are 
not plan processors will incur, on average, an estimated ongoing annual 
internal cost of compliance of $1,939,950. In addition, the Commission 
staff estimates that the 2 plan processor respondents will incur an 
estimated ongoing annual cost of $108,000 for outside legal services 
($54,000 per plan processor respondent x 2 respondents).
    Rule 1002(b)(1) requires each SCI entity, upon any responsible SCI 
personnel having a reasonable basis to conclude that an SCI event has 
occurred, to notify the Commission immediately. The Commission staff 
estimates that the total annual ongoing burden for all 54 respondents 
will be, on average, 432 hours. The Commission staff estimates that 
respondents will incur, on average, an estimated ongoing annual 
internal cost of compliance of $133,030.
    Rule 1002(b)(2) requires each SCI entity, within 24 hours of any 
responsible SCI personnel having a reasonable basis to conclude that 
the SCI event has occurred, to submit a written notification to the 
Commission pertaining to the SCI event on a good faith, best efforts 
basis. These notifications are required to be submitted on Form SCI. 
The Commission staff estimates that the total annual ongoing burden for 
all 54 respondents will be, on average, 6,480 hours. The Commission 
staff estimates that respondents will incur, on average, an estimated 
ongoing annual internal cost of compliance of $2,134,890.
    Rule 1002(b)(3) requires each SCI entity to provide updates to the 
Commission pertaining to an SCI event on a regular basis, or at such 
frequency as reasonably requested by a representative of the 
Commission, until the SCI event is resolved and the SCI entity's 
investigation of the SCI event is closed. The Commission staff 
estimates that the total annual ongoing burden for all 54 respondents 
will be, on average, 567 hours. The Commission staff estimates that all 
respondents will incur, on average, an estimated ongoing annual 
internal cost of compliance of $177,106.50.
    Rule 1002(b)(4) requires each SCI entity to submit written interim 
reports, as necessary, and a written final report regarding an SCI 
event to the Commission. These reports are required to be submitted on 
Form SCI. The Commission staff estimates that the total annual ongoing 
burden for all 54 respondents will be, on average, 9,450 hours. The 
Commission staff estimates that all respondents will incur, on average, 
an estimated ongoing annual internal cost of compliance of $3,297,510.
    Rule 1002(b)(5) requires each SCI entity to submit to the 
Commission quarterly reports containing a summary description of any 
systems disruption or systems intrusion that has had, or the SCI entity 
reasonably estimates would have, no or a de minimis impact on the SCI 
entity's operations or on market participants. These reports are 
required to be submitted on Form SCI. The Commission staff estimates 
that the total annual ongoing burden for all 54 respondents will be, on 
average, 8,640 hours. The Commission staff estimates that respondents 
will incur, on average, an estimated ongoing annual internal cost of 
compliance of $2,919,348.
    In addition, the Commission staff estimates that all 54 respondents 
will incur, on average, annual costs of $313,200 for outside legal 
advice in preparation of certain notifications required by Rule 
1002(b).
    Rule 1002(c)(1)(i) requires each SCI entity, promptly after any 
responsible SCI personnel has a reasonable basis to conclude that an 
SCI event (other than a systems intrusion) has occurred, to disseminate 
certain information to its members or participants. The Commission 
staff estimates that the total annual ongoing burden for all 54 
respondents will be, on average, 1,134 hours. The Commission staff 
estimates that all respondents will incur, on average, an estimated 
ongoing annual internal cost of compliance of $741,557.50.
    Rule 1002(c)(1)(ii) requires each SCI entity, when known, to 
promptly disseminate additional information about an SCI event (other 
than a systems intrusion) to its members or participants. Rule 
1002(c)(1)(iii) requires each SCI entity to provide to its members or 
participants regular updates of any information required to be 
disseminated under Rules 1002(c)(1)(i) and (ii) until the SCI event is 
resolved. The Commission staff estimates that the total annual ongoing 
burden for all 54 respondents will be, on average, 6,318 hours. The 
Commission staff estimates that all respondents will incur, on average, 
an estimated ongoing annual internal cost of compliance of $2,496,096.
    Rule 1002(c)(2) requires each SCI entity to disseminate certain 
information regarding a systems intrusion to its members or 
participants,

[[Page 64568]]

and provides an exception when the SCI entity determines that 
dissemination of such information would likely compromise the security 
of its SCI systems or indirect SCI systems, or an investigation of the 
systems intrusion, and documents the reasons for such determination. 
The Commission staff estimates that the total annual ongoing burden for 
all 54 respondents will be, on average, 540 hours. The Commission staff 
estimates that all respondents will incur, on average, an estimated 
ongoing annual internal cost of compliance of $212,827.25.
    In addition, the Commission staff estimates that all 54 respondents 
will incur, on average, annual costs of $179,280 for outside legal 
advice in preparation of certain notifications required by Rule 
1002(c).
    Rule 1003(a)(1) requires each SCI entity to submit to the 
Commission quarterly reports describing completed, ongoing, and planned 
material changes to its SCI systems and security of indirect SCI 
systems during the prior, current, and subsequent calendar quarters. 
These reports are required to be submitted on Form SCI. The Commission 
staff estimates that the total annual ongoing burden for all 54 
respondents will be, on average, 27,000 hours. The Commission staff 
estimates that all respondents will incur, on average, an estimated 
ongoing annual internal cost of compliance of $8,063,820.
    Rule 1003(a)(2) requires each SCI entity to promptly submit a 
supplemental report notifying the Commission of a material error in or 
material omission from a report previously submitted under Rule 
1003(a)(1). These reports are required to be submitted on Form SCI. The 
Commission staff estimates that the total annual ongoing burden for all 
54 respondents will be, on average, 810 hours. The Commission staff 
estimates that all respondents will incur, on average, an estimated 
ongoing annual internal cost of compliance of $256,716.
    Rule 1003(b)(1) requires each SCI entity to conduct an SCI review 
of its compliance with Regulation SCI not less than once each calendar 
year, with an exception for penetration test reviews, which are 
required to be conducted not less than once every three years. Rule 
1003(b)(1) also provides an exception for assessments of SCI systems 
directly supporting market regulation or market surveillance, which are 
required to be conducted at a frequency based on the risk assessment 
conducted as part of the SCI review, but in no case less than once 
every three years. Rule 1003(b)(2) requires each SCI entity to submit a 
report of the SCI review to senior management no more than 30 calendar 
days after completion of the review. The Commission staff estimates 
that the total annual ongoing burden for all 54 respondents will be, on 
average, 37,260 hours. The Commission staff estimates that all 
respondents will incur, on average, an estimated ongoing annual 
internal cost of compliance of $11,934,810.
    Rule 1003(b)(3) requires each SCI entity to submit the report of 
the SCI review to the Commission and to its board of directors or the 
equivalent of such board, together with any response by senior 
management, within 60 calendar days after its submission to senior 
management. These reports are required to be submitted on Form SCI. The 
Commission staff estimates that the total annual ongoing burden for all 
54 respondents will be, on average, 54 hours. The Commission staff 
estimates that all respondents will incur, on average, an estimated 
ongoing annual internal cost of compliance of $22,248.
    In addition, the Commission staff estimates that all respondents 
will incur, on average, annual costs of $2,700,000 for outside legal 
advice in preparation of certain notifications required by Rule 
1003(b).
    Rule 1006 requires each SCI entity, with a few exceptions, to file 
any notification, review, description, analysis, or report to the 
Commission required under Regulation SCI electronically on Form SCI 
through the EFFS. An SCI entity will submit to the Commission an EAUF 
to register each individual at the SCI entity who will access the EFFS 
system on behalf of the SCI entity. The Commission staff estimates that 
the total annual initial burden for 7 new respondents will be 1.95 
hours, and the annual ongoing burden for all respondents will be, on 
average, 8.1 hours. The Commission staff estimates that the 7 new 
respondents would incur an initial internal cost of compliance of $806. 
In addition, all 54 respondents will incur, on average, an estimated 
ongoing annual internal cost of compliance of $3,348, as well as 
outside costs to obtain a digital ID of $2,700.
    Rule 1002(a) requires each SCI entity, upon any responsible SCI 
personnel having a reasonable basis to conclude that an SCI event has 
occurred, to begin to take appropriate corrective action. The 
Commission staff estimates that the total annual initial recordkeeping 
burden for 7 new respondents will be 741 hours, and the annual ongoing 
recordkeeping burden for all 54 respondents will be, on average, 2,106 
hours. The Commission staff estimates that the 7 new respondents would 
incur an initial internal cost of compliance of $276,432. In addition, 
all 54 respondents will incur, on average, an estimated ongoing annual 
internal cost of compliance of $831,438.
    Rule 1003(a)(1) requires each SCI entity to establish reasonable 
written criteria for identifying a change to its SCI systems and the 
security of indirect SCI systems as material. The Commission staff 
estimates that the total annual initial recordkeeping burden for 7 new 
respondents will be 741 hours, and the annual ongoing recordkeeping 
burden for all 54 respondents will be, on average, 1,458 hours. The 
Commission staff estimates that the 7 new respondents would incur an 
initial internal cost of compliance of $276,432. In addition, all 54 
respondents will incur, on average, an estimated ongoing annual 
internal cost of compliance of $622,944.
    Regulation SCI also requires SCI entities to identify certain types 
of events and systems. The Commission staff estimates that the total 
annual initial recordkeeping burden for 7 new respondents will be 1,287 
hours, and the annual ongoing recordkeeping burden for all 54 
respondents will be, on average, 2,106 hours. The Commission staff 
estimates that the 7 new respondents would incur an initial internal 
cost of compliance of $453,089. In addition, all 54 respondents will 
incur, on average, an estimated ongoing annual internal cost of 
compliance of $831,438.
    Rules 1005 and 1007 establish recordkeeping requirements for SCI 
entities other than SROs. The Commission staff estimates that for 6 new 
respondents that are not SROs the average annual initial burden would 
be 935 hours, and the annual ongoing burden for all 18 respondents will 
be, on average, 450 hours. The Commission staff estimates that 6 new 
respondents would incur an estimated internal initial internal cost of 
compliance of $64,515, as well as a one-time cost of $5,400 to modify 
existing recordkeeping systems. In addition, all 18 respondents will 
incur, on average, an estimated ongoing internal cost of compliance of 
$31,050.
    Written comments are invited on: (a) Whether the proposed 
collection of information is necessary for the proper performance of 
the functions of the Commission, including whether the information 
shall have practical utility; (b) the accuracy of the Commission's 
estimates of the burden of the proposed collection of information; (c) 
ways to enhance the quality, utility, and clarity of the information to 
be collected; and

[[Page 64569]]

(d) ways to minimize the burden of the collection of information on 
respondents, including through the use of automated collection 
techniques or other forms of information technology. Consideration will 
be given to comments and suggestions submitted in writing within 60 
days of this publication.
    An agency may not conduct or sponsor, and a person is not required 
to respond to, a collection of information under the PRA unless it 
displays a currently valid OMB control number.
    Please direct your written comments to: David Bottom, Director/
Chief Information Officer, Securities and Exchange Commission, c/o John 
Pezzullo, 100 F Street NE, Washington, DC 20549, or send an email to: 
[email protected].

    Dated: November 15, 2021.
J. Matthew DeLesDernier,
Assistant Secretary.
[FR Doc. 2021-25173 Filed 11-17-21; 8:45 am]
BILLING CODE 8011-01-P