[Federal Register Volume 88, Number 72 (Friday, April 14, 2023)]
[Proposed Rules]
[Pages 23146-23274]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-05775]
[[Page 23145]]
Vol. 88
Friday,
No. 72
April 14, 2023
Part II
Securities and Exchange Commission
-----------------------------------------------------------------------
17 CFR Parts 242 and 249
Regulation Systems Compliance and Integrity; Proposed Rule
��Federal Register / Vol. 88 , No. 72 / Friday, April 14, 2023 /
Proposed Rules��
[[Page 23146]]
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
17 CFR Parts 242 and 249
[Release No. 34-97143; File No. S7-07-23]
RIN 3235-AN25
Regulation Systems Compliance and Integrity
AGENCY: Securities and Exchange Commission.
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: The Securities and Exchange Commission (``Commission'' or
``SEC'') is proposing amendments to Regulation Systems Compliance and
Integrity (``Regulation SCI'') under the Securities Exchange Act of
1934 (``Exchange Act''). The proposed amendments would expand the
definition of ``SCI entity'' to include a broader range of key market
participants in the U.S. securities market infrastructure, and update
certain provisions of Regulation SCI to take account of developments in
the technology landscape of the markets since the adoption of
Regulation SCI in 2014. The proposed expansion would add the following
entities to the definition of ``SCI entity'': registered security-based
swap data repositories (``SBSDRs''); registered broker-dealers
exceeding an asset or transaction activity threshold; and additional
clearing agencies exempted from registration. The proposed updates
would amend provisions of Regulation SCI relating to systems
classification and lifecycle management; third party/vendor management;
cybersecurity; the SCI review; the role of current SCI industry
standards; and recordkeeping and related matters. Further, the
Commission is requesting comment on whether significant-volume
alternative trading systems (ATSs) and/or broker-dealers using
electronic or automated systems for trading of corporate debt
securities or municipal securities should be subject to Regulation SCI.
DATES: Comments should be received on or before June 13, 2023.
ADDRESSES: Comments may be submitted by any of the following methods:
Electronic Comments
Use the Commission's internet comment form (https://www.sec.gov/rules/proposed.shtml); or
Send an email to [email protected]. Please include
File Number S7-07-23 on the subject line.
Paper Comments
Send paper comments to, Secretary, Securities and Exchange
Commission, 100 F Street NE, Washington, DC 20549-1090.
All submissions should refer to File Number S7-07-23. This file number
should be included on the subject line if email is used. To help the
Commission process and review your comments more efficiently, please
use only one method of submission. The Commission will post all
comments on the Commission's website (https://www.sec.gov/rules/proposed.shtml). Comments are also available for website viewing and
printing in the Commission's Public Reference Room, 100 F Street NE,
Washington, DC 20549 on official business days between the hours of 10
a.m. and 3 p.m. Operating conditions may limit access to the
Commission's Public Reference Room. All comments received will be
posted without change. Persons submitting comments are cautioned that
we do not redact or edit personal identifying information from comment
submissions. You should submit only information that you wish to make
available publicly.
Studies, memoranda, or other substantive items may be added by the
Commission or staff to the comment file during this rulemaking. A
notification of the inclusion in the comment file of any materials will
be made available on our website. To ensure direct electronic receipt
of such notifications, sign up through the ``Stay Connected'' option at
www.sec.gov to receive notifications by email.
FOR FURTHER INFORMATION CONTACT: Heidi Pilpel, Senior Special Counsel;
David Liu, Special Counsel; Sara Hawkins, Special Counsel; Gita
Subramaniam, Special Counsel; Josh Nimmo, Special Counsel; An Phan,
Special Counsel, at (202) 551-5500, Office of Market Supervision,
Division of Trading and Markets, U.S. Securities and Exchange
Commission, 100 F Street NE, Washington, DC 20549.
SUPPLEMENTARY INFORMATION: The Commission is proposing amendments to
the following rules under the Exchange Act and conforming amendments to
Form SCI.
------------------------------------------------------------------------
Commission reference CFR citation (17 CFR)
------------------------------------------------------------------------
Rule 1000................................ Sec. 242.1000
Rule 1001................................ Sec. 242.1001
Rule 1001(a)............................. Sec. 242.1001(a)
Rule 1001(a)(2).......................... Sec. 242.1001(a)(2)
Rule 1001(a)(2)(v)....................... Sec. 242.1001(a)(2)(v)
Rule 1001(a)(2)(vi)...................... Sec. 242.1001(a)(2)(vi)
Rule 1001(a)(2)(vii)..................... Sec. 242.1001(a)(2)(vii)
Rule 1001(a)(4).......................... Sec. 242.1001(a)(4)
Rule 1002................................ Sec. 242.1002
Rule 1002(b)............................. Sec. 242.1002(b)
Rule 1002(b)(4)(ii)(B)................... Sec. 242.1002(b)(4)(ii)(B)
Rule 1002(b)(5).......................... Sec. 242.1002(b)(5)
Rule 1002(b)(5)(i)....................... Sec. 242.1002(b)(5)(i)
Rule 1002(b)(5)(ii)...................... Sec. 242.1002(b)(5)(ii)
Rule 1002(c)............................. Sec. 242.1002(c)
Rule 1002(c)(3).......................... Sec. 242.1002(c)(3)
Rule 1002(c)(4).......................... Sec. 242.1002(c)(4)
Rule 1002(c)(4)(i)....................... Sec. 242.1002(c)(4)(i)
Rule 1002(c)(4)(ii)...................... Sec. 242.1002(c)(4)(ii)
Rule 1003................................ Sec. 242.1003
Rule 1003(b)............................. Sec. 242.1003(b)
Rule 1003(b)(1).......................... Sec. 242.1003(b)(1)
Rule 1003(b)(2).......................... Sec. 242.1003(b)(2)
Rule 1003(b)(3).......................... Sec. 242.1003(b)(3)
Rule 1004................................ Sec. 242.1004
Rule 1004(a)............................. Sec. 242.1004(a)
Rule 1004(b)............................. Sec. 242.1004(b)
Rule 1005................................ Sec. 242.1005
Rule 1005(c)............................. Sec. 242.1005(c)
------------------------------------------------------------------------
I. Introduction
II. Background and Overview
A. History of Regulation SCI
B. Current Regulation SCI
1. SCI Entities and SCI Systems
2. Reasonably Designed Policies and Procedures
3. SCI Events
4. Systems Changes and SCI Review
5. Business Continuity and Disaster Recovery Testing with
Members/Participants
6. Recordkeeping and Other Provisions (Rules 1005-1007)
C. Overview of Proposed Amendments to Regulation SCI
III. Proposed Amendments to Regulation SCI
A. Definition of SCI Entity
1. Evolution: Current and Proposed SCI Entities
2. New Proposed SCI Entities
3. General Request for Comment on Proposed Expansion of SCI
Entities
B. Request for Comment Regarding Significant-Volume Fixed Income
ATSs and Broker-Dealers Using Electronic or Automated Systems for
Trading of Corporate Debt Securities or Municipal Securities
1. Discussion
2. Request for Comment
C. Strengthening Obligations of SCI Entities
1. Systems Classification and Lifecycle Management
2. Third-Party Provider Management
3. Security
4. SCI Review
5. Current SCI Industry Standards
6. Other Changes
D. SCI Entities Subject to the Exchange Act Cybersecurity
Proposal and/or Regulation S-P
1. Discussion
2. Request for Comment
IV. Paperwork Reduction Act
A. Summary of Collections of Information
B. Proposed Use of Information
1. Rule 1001 of Regulation SCI
2. Rule 1002 of Regulation SCI
3. Rule 1003 of Regulation SCI
4. Rule 1004 of Regulation SCI
5. Rule 1005 and 1007 of Regulation SCI
6. Rule 1006 of Regulation SCI
[[Page 23147]]
C. Respondents
D. Total Initial and Annual Reporting Burdens
1. Rule 1001
2. Rule 1002
3. Rule 1003
4. Rule 1004
5. Rule 1005
6. Rule 1006
7. Summary of the Information Collection Burden
E. Collection of Information Is Mandatory
F. Confidentiality of Responses to Collection of Information
G. Request for Comment
V. Economic Analysis
A. Introduction
B. Baseline
1. New SCI Entities
2. Existing SCI Entities:
3. Current Market Practice
4. Other Affected Parties
C. Analysis of Benefits and Costs of Proposed Amendments
1. General Benefits and Costs of Proposed Amendments
2. Expansion to New SCI Entities
3. Specific Benefits and Costs of Regulation SCI Requirements
for All SCI Entities
D. Efficiency, Competition, and Capital Formation Analysis
E. Reasonable Alternatives
1. Limiting the Scope of the Regulation SCI Provisions for New
SCI Entities
2. Mandating Compliance with Current SCI Industry Standards
3. Requiring Diversity of Back-Up Plan Resources
4. Penetration Testing Frequency
5. Attestation for Critical SCI System Vendors
6. Transaction Activity Threshold for SCI Broker-Dealers
7. Limitation on Definition of ``SCI Systems'' for SCI Broker-
Dealers
VI. Regulatory Flexibility Act Certification
A. ``Small Entity'' Definitions
B. Current SCI Entities
1. SCI SROs
2. The MSRB
3. SCI ATSs
C. Proposed SCI Entities
1. SBSDRs
2. SCI Broker-dealers
3. Exempt Clearing Agencies
D. Certification
Statutory Authority
I. Introduction
The U.S. securities markets are among the largest and most liquid
in the world, attracting a wide variety of issuers and broad investor
participation, and are essential for capital formation, job creation,
and economic growth, both domestically and across the globe. The fair
and orderly functioning of the U.S. securities markets is critically
important to the U.S. economy. In 2014, recognizing the decades-long
transformation of many U.S. securities markets from primarily manual
markets to those that had become almost entirely electronic and highly
dependent on sophisticated technology, including complex and
interconnected trading, clearing, routing, market data, regulatory,
surveillance and other technological systems, the Commission adopted 17
CFR 242.1000 through 242.1007 (``Regulation SCI'') to supersede and
replace the Commission's voluntary Automation Review Policy Program
(``ARP'') and certain provisions of 17 CFR 242.300 through 242.304
(``Regulation ATS'').\1\ Regulation SCI, which applies to ``SCI
entities'' with respect to their ``SCI systems'' and ``indirect SCI
systems,'' was the Commission's first formal extensive regulatory
framework for oversight of the core technology of the U.S. securities
markets.
---------------------------------------------------------------------------
\1\ See Securities Exchange Act Release No. 73639 (Nov. 19,
2014), 79 FR 72252 (Dec. 5, 2014) (``SCI Adopting Release'').
---------------------------------------------------------------------------
The U.S. securities markets have demonstrated resilience since the
adoption of Regulation SCI, with some market observers crediting
Regulation SCI in helping to ensure that markets and market
participants were prepared for the unprecedented trading volumes and
volatility experienced in March 2020 at the onset of the COVID-19
pandemic.\2\ The U.S. securities markets continue to experience changes
and new challenges, however. The growth of electronic trading allows
ever-increasing volumes of securities transactions in a broader range
of asset classes to take place at increasing speed by competing trading
platforms, including those offered by broker-dealers that play multiple
roles in the markets.\3\ In addition, new types of registered entities
that are highly dependent on interconnected technology have entered the
markets.\4\ The prevalence of remote workforces, furthered by the
COVID-19 pandemic,\5\ and increased outsourcing to third-party
providers, including cloud service providers, continue to drive the
markets' and market participants' reliance on new and evolving
technology.\6\ While these advances demonstrate the dynamic and
adaptable nature of the U.S. securities markets and market
participants, the greater dispersal, sophistication, and
interconnection of the technology underpinning our markets bring
potential new risks. These risks include not only the heightened risk
of exposure to cybersecurity events from threat actors intent on doing
harm, but also operational systems problems that can and do arise
inadvertently.
---------------------------------------------------------------------------
\2\ See, e.g., Shane Remolina, Is Remote Trading Leading to a
Paradigm Shift on the Trading Desk?, Traders Magazine (May 20,
2020), available at www.tradersmagazine.com/departments/buyside/is-remote-trading-leading-to-a-paradigm-shift-on-the-trading-desk
(observing ``no outages'' at the stock exchanges in Mar. 2020 in
contrast to ``glitches'' experienced in 2000s); Financial Industry
Regulatory Authority, Inc. (``FINRA''), Market Structure & COVID-19:
Handling Increased Volatility and Volumes (Apr. 28, 2020), available
at https://www.finra.org/media-center/finra-unscripted/market-structure-covid19-coronavirus (observing that market infrastructure
and integrity held during the challenges in Mar. 2020, and crediting
Regulation SCI, among other regulatory protections).
\3\ See, e.g., Securities Industry and Financial Markets
Association (``SIFMA''), SIFMA Insights: Electronic Trading Market
Structure Primer (Oct. 2019), available at https://www.sifma.org/wp-content/uploads/2019/10/SIFMA-Insights-Electronic-Trading-Market-Structure-Primer.pdf (summarizing electronic trading history and
trends in different markets). See also SEC Staff Report on
Algorithmic Trading in U.S. Capital Markets at 16-19, 37 (Aug. 5,
2020), available at https://www.sec.gov/files/marketstructure/research/algo_trading_report_2020.pdf (discussing broker-dealer ATSs
and internalizers, and other in-house sources of liquidity, such as
single-dealer platforms (``SDPs''), and central risk books operated
by broker-dealers) (``Algorithmic Trading Report''). Staff reports,
Investor Bulletins, and other staff documents (including those cited
herein) represent the views of Commission staff and are not a rule,
regulation, or statement of the Commission. The Commission has
neither approved nor disapproved the content of these staff
documents and, like all staff statements, they have no legal force
or effect, do not alter or amend applicable law, and create no new
or additional obligations for any person.
\4\ See infra section III.A.2.a (discussing registered SBSDRs).
\5\ See FS-ISAC, Navigating Cyber 2021 (Apr. 2021), available at
https://www.fsisac.com/navigatingcyber2021-report. See also Vikki
Davis, Combating the cybersecurity risks of working home, Cyber
Magazine (Dec. 2, 2021), available at https://cybermagazine.com/cyber-security/combating-cybersecurity-risks-working-home.
\6\ See, e.g., Angus Loten, Cloud Demand Drives Data Center
Market to New Records, Wall St. J. (Feb. 27, 2020); Angus Loten,
CIOs Accelerate Pre-Pandemic Cloud Push, Wall St. J. (Apr. 26,
2021).
---------------------------------------------------------------------------
As the Commission has acknowledged, Regulation SCI is not, nor can
it be, designed to guarantee that SCI entities have flawless
systems.\7\ Rather, its goals are to strengthen the technology
infrastructure of the U.S. securities markets and improve its
resilience when technology falls short.\8\ To help achieve these goals,
the regulation requires that SCI entities have policies and procedures
reasonably designed to ensure that their systems have levels of
capacity, integrity, resiliency, availability, and security, adequate
to maintain their operational capability and promote the maintenance of
fair and orderly markets, and requires measures that facilitate the
Commission's oversight of securities market technology
infrastructure.\9\ Consistent with the goals of addressing
technological vulnerabilities and improving oversight of the core
[[Page 23148]]
technology of key U.S. securities market entities, the Commission is
proposing amendments to Regulation SCI that would expand its
application to additional key market participants and update certain of
its provisions to take account of the evolution of technology and
trading since the rule's adoption in 2014. The application of
Regulation SCI to a broader range of entities together with updates to
certain provisions--including to account for heightened cybersecurity
risks, wider use of cloud service providers, and the increasingly
complex and interconnected nature of SCI entities' systems--should help
ensure that the technology infrastructure of the U.S. securities
markets remains robust, resilient, and secure.
---------------------------------------------------------------------------
\7\ See SCI Adopting Release, supra note 1, at 72291, 72351.
\8\ See id. at 72257.
\9\ See generally SCI Adopting Release, supra note 1, at 72299,
72372, 72402, 72404-05.
---------------------------------------------------------------------------
The Commission has issued other proposals related to cybersecurity
that would apply to SCI entities as well as other entities under the
Commission's jurisdiction.\10\ Regulation SCI, currently, and as
proposed to be amended, however, differs from these proposals in terms
of its purpose and scope. Regulation SCI applies to entities designated
as key market participants because they play a significant role in the
U.S. securities markets and/or have the potential to impact investors,
the overall market, or the trading of individual securities in the
event of a systems issue. Regulation SCI requires key market
participants to (i) have policies and procedures in place to help
ensure the robustness and resiliency of their market technology
systems, and (ii) provide certain notices and reports to the
Commission, and in some cases, market participants, to facilitate
Commission oversight of securities market infrastructure. While
Regulation SCI has cybersecurity aspects and certain of the proposed
amendments to Regulation SCI would update policies and procedures
requirements designed to keep SCI systems and indirect SCI systems
secure, the proposed amendments are designed, more broadly, to ensure
that SCI entities (current and proposed) have systems technology
adequate to maintain operational capability of the systems on which the
maintenance of fair and orderly markets depend.
---------------------------------------------------------------------------
\10\ These include a proposal to adopt new rules requiring
broker-dealers, major security-based swap participants, national
securities exchanges, national securities associations, security-
based swap data repositories, security-based swap dealers, transfer
agents, and the Municipal Securities Rulemaking Board (``MSRB'') to
adopt and implement written cybersecurity policies and procedures
reasonably designed to address cybersecurity risks to their
``information systems'' and notify the Commission and the public of
significant cybersecurity incidents affecting their information
systems. See Securities Exchange Release No. 97142 (Mar. 15, 2023),
88 FR 20212 (April 5, 2023) (proposing 17 CFR 242.10) (for ease of
reference, this proposal is referred to as the ``Exchange Act
Cybersecurity Proposal''). See also Securities Exchange Release No.
97141 (Mar. 15, 2023), 88 FR 20616 (April 6, 2023) (proposing to
amend 17 CFR part 248, subpart A (``Regulation S-P''), to, among
other things, require broker-dealers, investment companies, SEC-
registered investment advisers, and transfer agents to adopt
incident response programs to address unauthorized access to or use
of customer records and information, including procedures for
providing timely notification to individuals affected by an
information security incident designed to help affected individuals
respond appropriately) (``Regulation S-P 2023 Proposing Release'').
See infra section III.D (discussing of how SCI entities would be
affected if the Exchange Act Cybersecurity Proposal, Regulation S-P
2023 Proposing Release, and this proposal are all adopted as
proposed). In addition, the Commission has pending proposals to
address cybersecurity risk with respect to investment advisers,
investment companies, and public companies. See Cybersecurity Risk
Management for Investment Advisers, Registered Investment Companies,
and Business Development Companies, Release Nos. 33-11028, 34-94917,
IA-5956, IC-34497 (Feb. 9, 2022), 87 FR 13524 (Mar. 9, 2022) (``IA/
IC Cybersecurity Proposing Release''); Cybersecurity Risk
Management, Strategy, Governance, and Incident Disclosure, Release
Nos. 33-11038, 34-94382, IC-34529 (Mar. 9, 2022), 87 FR 16590 (Mar.
23, 2022). The Commission has reopened the comment period for the
IA/IC Cybersecurity Proposing Release to allow interested persons
additional time to analyze the issues and prepare their comments in
light of other regulatory developments, including the proposed rules
and amendments regarding this proposal, the Exchange Act
Cybersecurity Proposal and the Regulation S-P 2023 Proposing
Release. The Commission encourages commenters to review those
proposals to determine whether they might affect their comments on
this proposing release.
---------------------------------------------------------------------------
II. Background and Overview
A. History of Regulation SCI
The Commission adopted Regulation SCI in 2014 to supersede and
replace the Commission's legacy voluntary ARP Program as well as
certain provisions of Regulation ATS.\11\ In doing so, the Commission
sought to strengthen the technology infrastructure of the U.S.
securities markets, reduce the occurrence of systems issues in those
markets, improve their resiliency when technological issues arise, and
establish an updated and formalized regulatory framework, thereby
helping to ensure more effective Commission oversight of such
systems.\12\ Several factors contributed to the Commission's decision
to adopt this regulation. Recognizing the growing importance of
technology in the securities markets, the Commission issued the ARP I
and ARP II Policy Statements in 1989 and 1991, respectively.\13\ In the
decades that followed, key market participants in the securities
industry increasingly relied on ever more complex technologies for
trading and clearance and settlement of securities. The increased
reliance on technology introduced challenges for the securities
markets, as evidenced by a variety of market disruptions occurring in a
relatively short time period.\14\ The Commission convened a roundtable
entitled ``Technology and Trading: Promoting Stability in Today's
Markets'' (``Technology Roundtable'') in 2012.\15\ Shortly thereafter,
following Superstorm Sandy on the U.S. East Coast, the U.S. national
securities exchanges closed for two business days in light of concerns
over the physical safety of personnel and the possibility of technical
issues.\16\ These and other developments in U.S. securities markets led
the Commission to consider the effectiveness of the 1980s and 90s-era
ARP Program. The focus of the ARP Program was to ensure that the self-
regulatory organizations (``SROs'') had adequate capacity, security,
and business continuity plans by, among other things, reporting to the
Commission staff their planned systems changes 30 days in advance and
reporting outages in trading and related systems.\17\ While the ARP
Policy Statements were rooted in Exchange Act
[[Page 23149]]
requirements, as policy statements rather than Commission rules,
compliance was voluntary and in many instances the SROs did not fully
disclose problems that occurred. In the SCI Proposing Release, the
Commission stated that ``the continuing evolution of the securities
markets to the current state, where they have become almost entirely
electronic and highly dependent on sophisticated trading and other
technology (including complex regulatory and surveillance systems, as
well as systems relating to the provision of market data, intermarket
routing and connectivity, and a variety of other member and issuer
services), has posed challenges for the ARP Inspection Program.'' \18\
Informed by its review of recent technology problems in the markets,
the discussions at the Technology Roundtable, and its evaluation of the
ARP Program,\19\ the Commission proposed Regulation SCI in 2013 to help
address the technological vulnerabilities, and improve Commission
oversight, of the core technology of key U.S. securities markets
entities, including national securities exchanges and associations,
significant-volume ATSs, clearing agencies, and plan processors.\20\
After considering the views of a wide variety of commenters, the
Commission adopted Regulation SCI in 2014.\21\ In the SCI Adopting
Release, the Commission stated that it was taking a ``measured
approach'' and pursuing an ``incremental expansion from the entities
covered under the ARP Inspection Program'' given the potential costs of
compliance with Regulation SCI.\22\ It added, however, that this
approach would allow it ``to monitor and evaluate the implementation of
Regulation SCI, the risks posed by the systems of other market
participants, and the continued evolution of the securities markets,
such that it may consider, in the future, extending the types of
requirements in Regulation SCI to additional categories of market
participants, such as non-ATS broker-dealers, security-based swap
dealers, investment advisers, investment companies, transfer agents,
and other key market participants.'' \23\ In 2021, the Commission
amended Regulation SCI to add certain ``competing consolidators'' to
the definition of SCI entity.\24\ Specifically, a competing
consolidator that exceeds a five percent consolidated market data gross
revenue threshold over a specified time period is an SCI competing
consolidator because it is a significant source of consolidated market
data for NMS stocks on which market participants rely.\25\
---------------------------------------------------------------------------
\11\ See generally SCI Adopting Release, supra note 1.
\12\ See SCI Adopting Release, supra note 1, at 72252-56
(discussing the background of Regulation SCI).
\13\ See Securities Exchange Act Release Nos. 27445 (Nov. 16,
1989), 54 FR 48703 (Nov. 24, 1989), and 29185 (May 9, 1991), 56 FR
22490 (May 15, 1991).
\14\ See Securities Exchange Act Release No. 69077 (Mar. 8,
2013), 78 FR 18083, 18089 (Mar. 25, 2013) (``SCI Proposing
Release'') (citing, among other things, Findings Regarding the
Market Events of May 6, 2010, Report of the Staffs of the Commodity
Futures Trading Commission (``CFTC'') and SEC to the Joint Advisory
Committee on Emerging Regulatory Issues (Sept. 30, 2010) (``Staff
Report'') and discussing hackers penetrating certain Nasdaq OMX
Group, Inc. computer networks in 2011, a ``software bug'' that
hampered the initial public offerings of BATS Global Markets, Inc.
in 2012, and issues with Nasdaq's trading systems delaying the start
of trading in the high-profile initial public offering of Facebook,
Inc.).
\15\ See Securities Exchange Act Release No. 67802 (Sept. 7,
2012), 77 FR 56697 (Sept. 13, 2012) (File No. 4-652); Technology
Roundtable Transcript, available at https://www.sec.gov/news/otherwebcasts/2012/ttr100212-transcript.pdf. A webcast of the
Roundtable is available at www.sec.gov/news/otherwebcasts/2012/ttr100212.shtml. The Technology Roundtable examined the relationship
between the operational stability and integrity of the securities
market and the ways in which market participants design, implement,
and manage complex and interconnected trading technologies. The
Technology Roundtable also highlighted that quality standards,
testing, and improved response mechanisms were issues ripe for
consideration. See SCI Proposing Release, supra note 14, at 18090-91
(providing for further discussion of the Technology Roundtable).
\16\ See SCI Proposing Release, supra note 14, at 18091. See
also SCI Adopting Release, supra note 1, at 72254-72255 (summarizing
additional disruptions during the period between publication of the
SCI Proposing and Adopting Releases).
\17\ See supra note 13.
\18\ SCI Proposing Release, supra note 14, at 18089.
\19\ See SCI Proposing Release, supra note 14, at 18085-91 for a
further discussion of these considerations.
\20\ As further explained in the SCI Adopting Release, the term
``plan processor'' means ``any self-regulatory organization or
securities information processor acting as an exclusive processor in
connection with the development, implementation and/or operation of
any facility contemplated by an effective national market system
plan.'' See SCI Adopting Release, supra note 1, at 72270 n. 196.
This term refers to the securities information processors that are
exclusive processors (and frequently referred to as the ``SIPs'')
that collect and process (for distribution) quotation data and/or
transaction reports on behalf of the Consolidated Tape Association
System (``CTA Plan''), Consolidated Quotation System (``CQS Plan''),
Joint Self-Regulatory Organization Plan Governing the Collection,
Consolidation, and Dissemination of Quotation and Transaction
Information for Nasdaq-Listed Securities Traded on Exchanges on an
Unlisted Trading Privileges Basis (``Nasdaq UTP Plan''), and Options
Price Reporting Authority (``OPRA Plan''). The CTA Plan and Nasdaq
UTP Plan (applicable to national market system (``NMS'') stocks) are
each a ``transaction reporting plan'' as well as a ``national market
system plan'' as defined in 17 CFR 242.600 (``Rule 600'' of
Regulation NMS). The OPRA Plan (applicable to exchange-listed
options) is a national market system plan. See infra note 212. See
also text accompanying note 212 (discussing these Plans and how
transaction reports containing the price and volume associated with
a transaction involving the purchase or sale of a security are
currently, and anticipated in the future to be, readily available to
enable SCI ATSs and SCI broker-dealers to ascertain the total
average daily dollar volume traded in NMS stock and exchange-listed
options in a calendar month and self-assess if they exceed the
proposed transaction activity thresholds discussed below).
\21\ See generally SCI Adopting Release, supra note 1.
\22\ Id. at 72259.
\23\ Id. See also supra note 10 and accompanying text
(referencing other cybersecurity rules proposed to apply to
Commission registrants).
\24\ See Securities Exchange Act Release No. 90610 (Dec. 9,
2020), 86 FR 18596, 18659-18676 (Apr. 9, 2021) (``Market Data
Infrastructure Adopting Release'') (adopting rules with respect to
competing consolidators and defining ``competing consolidator'' to
mean a securities information processor required to be registered
pursuant to 17 CFR[thinsp]242.614 (``Rule 614'') or a national
securities exchange or national securities association that receives
information with respect to quotations for and transactions in NMS
stocks and generates a consolidated market data product for
dissemination to any person).
\25\ An ``SCI competing consolidator'' is any competing
consolidator, which during at least four of the preceding six
calendar months, accounted for five percent or more of consolidated
market data gross revenue paid to the effective national market
system plan or plans required under 17 CFR 242.603(b) (``Rule
603(b)'') for NMS stocks (1) listed on the New York Stock Exchange,
(2) listed on The Nasdaq Stock Market, or (3) listed on national
securities exchanges other than the New York Stock Exchange or The
Nasdaq Stock Market, as reported by such plan or plans pursuant to
the terms thereof. See Rule 1000. An SCI competing consolidator is
subject to Regulation SCI, and a competing consolidator for which
Regulation SCI does not apply is subject the systems capability
requirement in 17 CFR 242.614(d)(9) (``Rule 614(d)(9)'' of
Regulation NMS). See infra note 28 and accompanying text.
---------------------------------------------------------------------------
B. Current Regulation SCI
1. SCI Entities and SCI Systems
Regulation SCI applies to ``SCI entities.'' \26\ SCI entities are
those that the Commission has determined are market participants that
play a significant role in the U.S. securities markets and/or have the
potential to impact investors, the overall market, or the trading of
individual securities in the event of certain types of systems
problems.\27\ Today SCI entities comprise the self-regulatory
organizations (excluding securities futures exchanges) (``SCI SROs''),
ATSs meeting certain volume thresholds with respect to NMS stocks and
non-NMS stocks (``SCI ATSs''), exclusive disseminators of consolidated
market data (``plan processors''), certain competing disseminators of
consolidated market (``SCI competing consolidators'' \28\), and certain
exempt clearing agencies.\29\
---------------------------------------------------------------------------
\26\ See 17 CFR 242.1000 (defining the term ``SCI entity'' and
terms included therein).
\27\ See SCI Adopting Release, supra note 1, at 72259. Although
some commenters had urged that Regulation SCI apply to fewer
entities and only the most systemically important entities, the
Commission disagreed, stating, ``[L]imiting the applicability of
Regulation SCI to only the most systemically important entities
posing the highest risk to the markets is too limited of a category
of market participants, as it would exclude certain entities that,
in the Commission's view, have the potential to pose significant
risks to the securities markets should an SCI event occur.'' Id.
\28\ See supra notes 24-25 (stating the definitions of competing
consolidator and SCI competing consolidator). SCI competing
consolidators are subject to Regulation SCI after a one-year
transition period. See Market Data Infrastructure Adopting Release,
supra note 24, at 18604. Competing consolidators in the transition
period and competing consolidators below the gross revenue threshold
are subject to a tailored set of operational capability and
resiliency obligations designed to help ensure that the provision of
consolidated market data products is prompt, accurate, and reliable.
See Market Data Infrastructure Adopting Release, supra note 24, at
18690-97 (providing for a full discussion of systems capability
requirements for competing consolidators (that are not subject to
Regulation SCI), but instead subject to Rule 614(d)(9)).
\29\ See 17 CFR 242.1000 (defining the term SCI entity to mean
``an SCI self-regulatory organization, SCI alternative trading
system, plan processor, exempt clearing agency subject to ARP, or
SCI competing consolidator'' and also separately defining each of
these terms). See also SCI Adopting Release, supra note 1, at 72258-
72 (discussing the rationale for inclusion of SCI SROs, SCI ATSs,
plan processors, and certain exempt clearing agencies in the
original adopted definition of SCI entity); infra notes 83-84 and
accompanying text (citing the releases explaining the expansion the
definition of SCI entity to include SCI competing consolidators, and
the recent proposal to further expand the definition of SCI entity
to include certain ATSs that trade U.S. Treasury Securities or
Agency Securities exceeding specified volume thresholds
(``Government Securities ATSs'')).
---------------------------------------------------------------------------
An SCI entity has obligations with respect to its ``SCI systems,''
``critical SCI systems,'' and ``indirect SCI
[[Page 23150]]
systems.'' \30\ ``SCI systems'' are, broadly, the technology systems
of, or operated by or on behalf of, an SCI entity that, with respect to
securities, directly support at least one of six market functions: (i)
trading; (ii) clearance and settlement; (iii) order routing; (iv)
market data; (v) market regulation; or (vi) market surveillance.\31\ In
addition, Regulation SCI defines ``critical SCI systems,'' which are a
subset of SCI systems,\32\ and designated as such because they
represent potential single points of failure in the U.S. securities
markets.\33\
---------------------------------------------------------------------------
\30\ See 17 CFR 242.1000 (defining the terms ``SCI systems,''
``critical SCI systems,'' and ``indirect SCI systems'').
\31\ Id. (defining SCI systems to mean ``all computer, network,
electronic, technical, automated, or similar systems of, or operated
by or on behalf of, an SCI entity that, with respect to securities,
directly support trading, clearance and settlement, routing, market
data, market regulation, or market surveillance'').
\32\ Id. (defining critical SCI systems to mean any SCI systems
of, or operated by or on behalf of, an SCI entity that: (1) Directly
support functionality relating to: (i) Clearance and settlement
systems of clearing agencies; (ii) Openings, reopenings, and
closings on the primary listing market; (iii) Trading halts; (iv)
Initial public offerings; (v) The provision of consolidated market
data; or (vi) Exclusively listed securities; or (2) Provide
functionality to the securities markets for which the availability
of alternatives is significantly limited or nonexistent and without
which there would be a material impact on fair and orderly markets).
\33\ As discussed in the SCI Adopting Release, ``critical SCI
systems'' are subject to certain heightened resilience and
information dissemination provisions of Regulation SCI on the
rationale that, lacking or having limited substitutes, these systems
pose the greatest risks to the continuous and orderly function of
the markets if they malfunction. See SCI Adopting Release, supra
note 1, at 72277-79 (providing additional discussion of critical SCI
systems).
---------------------------------------------------------------------------
The term ``indirect SCI systems'' describes systems of, or operated
by or on behalf of, an SCI entity that, ``if breached, would be
reasonably likely to pose a security threat to SCI systems.'' \34\ The
distinction between SCI systems and indirect SCI systems seeks to
encourage SCI entities physically and/or logically to separate systems
that perform or directly support securities market functions from those
that perform other functions (e.g., corporate email; general office
systems for member regulation and recordkeeping).\35\
---------------------------------------------------------------------------
\34\ Id. at 72279.
\35\ See SCI Adopting Release, supra note 1, at 72281 (``[I]f an
SCI entity designs and implements security controls so that none of
its non-SCI systems would be reasonably likely to pose a security
threat to SCI systems, then it will have no indirect SCI systems.
If, however, an SCI entity does have indirect SCI systems, then
certain provisions of Regulation SCI will apply to those indirect
SCI systems.'').
---------------------------------------------------------------------------
Currently, the application of Regulation SCI is triggered when an
entity meets the definition of SCI entity. If an entity meets the
definition of SCI entity, Regulation SCI applies to its SCI systems and
indirect SCI systems. The scope of an SCI entity's technology systems
is determined by whether they are operated ``by or on behalf of'' the
SCI entity and whether they directly support any of the six market
functions enumerated in the definition. As a result, the SCI systems
and indirect SCI systems of an SCI entity are neither limited by the
type of security nor by the type of business in which an SCI entity
primarily conducts its securities market activities. Thus, if an SCI
entity elects to, or obtains the necessary approvals to, engage in
market functions in multiple types of securities, Regulation SCI's
obligations apply to the relevant functional systems relating to all
such securities.\36\ Accordingly, the SCI systems of an SCI entity may
include systems pertaining to any type of security, whether those
securities are NMS stocks, over-the-counter (OTC) equity securities,
listed options, debt securities, security-based swaps (``SBS''), crypto
asset securities,\37\ or another type of security.\38\
---------------------------------------------------------------------------
\36\ The current definition of ``SCI systems,'' includes the
clause, ``with respect to securities,'' without limitation. SCI
systems ``means all computer, network, electronic, technical,
automated, or similar systems of, or operated by or on behalf of, an
SCI entity that, with respect to securities, directly support
trading, clearance and settlement, order routing, market data,
market regulation, or market surveillance.'' See 17 CFR 242.1000
(emphasis added). But see infra section III.A.2.b.iv (discussing the
proposed limitation to the definition of SCI systems for certain SCI
broker-dealers).
\37\ The term ``digital asset'' refers to an asset that is
issued and/or transferred using distributed ledger or blockchain
technology (``distributed ledger technology''), including, but not
limited to, so-called ``virtual currencies,'' ``coins,'' and
``tokens.'' See Custody of Digital Asset Securities by Special
Purpose Broker-Dealers, Securities Exchange Act Release No. 90788
(Dec. 23, 2020), 86 FR 11627, 11627 n.1 (Feb. 26, 2021) (``Crypto
Asset Securities Custody Release''). A digital asset may or may not
meet the definition of a ``security'' under the Federal securities
laws. See, e.g., Report of Investigation Pursuant to Section 21(a)
of the Securities Exchange Act of 1934: The DAO, Securities Exchange
Act Release No. 81207 (July 25, 2017) (``DAO 21(a) Report''),
available at https://www.sec.gov/litigation/investreport/34-81207.pdf. See also SEC v. W.J. Howey Co., 328 U.S. 293 (1946). To
the extent digital assets rely on cryptographic protocols, these
types of assets also are commonly referred to as ``crypto assets,''
and ``digital asset securities'' can be referred to as ``crypto
asset securities.'' For purposes of this release, the Commission
does not distinguish between the terms ``digital asset securities''
and ``crypto asset securities.''
\38\ Today, under the current definition of SCI systems, an SCI
entity (current or future) that engages in market functions for any
type of securities, including crypto asset securities, is required
to assess whether the technological systems of, or operated by or on
its behalf, with respect to securities, directly support at least
one of six market functions: (i) trading; (ii) clearance and
settlement; (iii) order routing; (iv) market data; (v) market
regulation; or (vi) market surveillance. As discussed below,
however, the Commission is proposing an amendment to the definition
of SCI systems that would limit its scope solely for certain
proposed SCI broker-dealers. See infra section III.A.2.b.iv.
---------------------------------------------------------------------------
2. Reasonably Designed Policies and Procedures
The foundational principles of Regulation SCI are set forth in Rule
1001, which requires each SCI entity to establish, maintain, and
enforce written policies and procedures reasonably designed to ensure
that its SCI systems and, for purposes of security standards, indirect
SCI systems, have levels of capacity, integrity, resiliency,
availability, and security adequate to maintain their operational
capability and promote the maintenance of fair and orderly markets.\39\
Rule 1001(a)(2) of Regulation SCI requires that, at a minimum, such
policies and procedures include: current and future capacity planning;
periodic stress testing; systems development and testing methodology;
reviews and testing to identify vulnerabilities; business continuity
and disaster recovery planning (inclusive of backup systems that are
geographically diverse and designed to meet specified recovery time
objectives); standards for market data collection, processing, and
dissemination; and monitoring to identify potential systems
problems.\40\ Under 17 CFR 242.1001(a)(3) (``Rule 1001(a)(3)'' of
Regulation SCI), SCI entities must periodically review the
effectiveness of these policies and procedures and take prompt action
to remedy any deficiencies.\41\ Rule 1001(a)(4) of Regulation SCI
provides that an SCI entity's policies and procedures will be deemed to
be reasonably designed if they are consistent with ``current SCI
industry standards,'' which is defined to be comprised of information
technology practices that are widely available to information
technology professionals in the financial sector and issued by an
authoritative body that is a U.S. governmental entity or agency,
association of U.S. governmental entities or agencies, or widely
recognized organization; however, Rule 1001(a)(4) of Regulation SCI
also makes clear that compliance with such ``current SCI industry
standards'' is not the exclusive means to comply with these
requirements.\42\
---------------------------------------------------------------------------
\39\ See 17 CFR 242.1001(a)(1).
\40\ See 17 CFR 242.1001(a)(2).
\41\ See 17 CFR 242.1001(a)(3).
\42\ See 17 CFR 242.1001(a)(4).
---------------------------------------------------------------------------
Under 17 CFR 242.1001(b)(1) (``Rule 1001(b)(1)'' of Regulation
SCI), each SCI entity is required to establish, maintain,
[[Page 23151]]
and enforce written policies and procedures reasonably designed to
ensure that its SCI systems operate in a manner that complies with the
Exchange Act and the rules and regulations thereunder and the entity's
rules and governing documents, as applicable, and specifies certain
minimum requirements for such policies and procedures.\43\ In addition,
17 CFR 242.1001(b)(2) (``Rule 1001(b)(2)'') requires that at a minimum,
these policies and procedures must include: testing of all SCI systems
and any changes to SCI systems prior to implementation; a system of
internal controls over changes to SCI systems; a plan for assessments
of the functionality of SCI systems designed to detect systems
compliance issues, including by ``responsible SCI personnel'' (defined
below) and by personnel familiar with applicable provisions of the
Exchange Act and the rules and regulations thereunder and the SCI
entity's rules and governing documents; and a plan of coordination and
communication between regulatory and other personnel of the SCI entity,
including by responsible SCI personnel, regarding SCI systems design,
changes, testing, and controls designed to detect and prevent systems
compliance issues.\44\
---------------------------------------------------------------------------
\43\ See 17 CFR 242.1001(b)(1).
\44\ See 17 CFR 242.1001(b)(2).
---------------------------------------------------------------------------
Under 17 CFR 242.1001(b)(3) (``Rule 1001(b)(3)'' of Regulation
SCI), SCI entities must periodically review the effectiveness of these
policies and procedures and take prompt action to remedy any
deficiencies.\45\ Under 17 CFR 242.1001(b)(4) (``Rule 1001(b)(4)'' of
Regulation SCI), individuals are provided with a safe harbor from
liability under Rule 1001(b) if certain conditions are met.\46\
---------------------------------------------------------------------------
\45\ See 17 CFR 242.1001(b)(3).
\46\ See 17 CFR 242.1001(b)(4).
---------------------------------------------------------------------------
Further, 17 CFR 242.1001(c) (``Rule 1001(c)'' of Regulation SCI),
requires SCI entities to establish, maintain, and enforce reasonably
designed written policies and procedures that include the criteria for
identifying responsible SCI personnel, the designation and
documentation of responsible SCI personnel, and escalation procedures
to quickly inform responsible SCI personnel of potential SCI
events.\47\ Rule 1000 of Regulation SCI defines ``responsible SCI
personnel'' to mean, for a particular SCI system or indirect SCI system
impacted by an SCI event, such senior manager(s) of the SCI entity
having responsibility for such system, and their designee(s).\48\ Rule
1000 also defines ``SCI event'' to mean an event at an SCI entity that
constitutes a systems disruption, a systems compliance issue, or a
systems intrusion.\49\ Under 17 CFR 242.1001(c)(2) (``Rule 1001(c)(2)''
of Regulation SCI), SCI entities are required periodically to review
the effectiveness of these policies and procedures and take prompt
action to remedy any deficiencies.\50\
---------------------------------------------------------------------------
\47\ See 17 CFR 242.1001(c).
\48\ 17 CFR 242.1000.
\49\ Id.
\50\ See 17 CFR 242.1001(c)(2).
---------------------------------------------------------------------------
3. SCI Events
Under Rule 1002 of Regulation SCI, SCI entities have certain
obligations regarding SCI events. An ``SCI event'' is defined as: (i) a
``systems disruption,'' which is an event in an SCI entity's SCI
systems that disrupts, or significantly degrades, the normal operation
of an SCI system; and/or (ii) a ``systems intrusion,'' which is any
unauthorized entry into the SCI systems or indirect SCI systems of an
SCI entity; and/or (iii) a ``systems compliance issue,'' which is an
event at an SCI entity that has caused any SCI system of such entity to
operate in a manner that does not comply with the Exchange Act and the
rules and regulations thereunder or the entity's rules or governing
documents, as applicable.\51\
---------------------------------------------------------------------------
\51\ See 17 CFR 242.1000.
---------------------------------------------------------------------------
When any responsible SCI personnel has a reasonable basis to
conclude that an SCI event has occurred, the SCI entity must begin to
take appropriate corrective action which must include, at a minimum,
mitigating potential harm to investors and market integrity resulting
from the SCI event and devoting adequate resources to remedy the SCI
event as soon as reasonably practicable.\52\ With limited
exceptions,\53\ Rule 1002(b) provides the framework for notifying the
Commission of SCI events including, among other things, requirements
to: notify the Commission of the event immediately; provide a written
notification on Form SCI within 24 hours that includes a description of
the SCI event and the system(s) affected, with other information
required to the extent available at the time; provide regular updates
regarding the SCI event until the event is resolved; and submit a final
detailed written report regarding the SCI event.\54\
---------------------------------------------------------------------------
\52\ See 17 CFR 242.1002(a).
\53\ See 17 CFR 242.1002(b)(5) (relating to the exception for de
minimis SCI events).
\54\ See 17 CFR 242.1002(b).
---------------------------------------------------------------------------
Rule 1002(c) of Regulation SCI also requires that SCI entities
disseminate information to their members or participants regarding SCI
events.\55\ These information dissemination requirements are scaled
based on the nature and severity of an event. SCI entities are required
to disseminate certain information about the event to certain of its
members or participants (i.e., those that are reasonably estimated to
have been affected) promptly after any responsible SCI personnel has a
reasonable basis to conclude that an SCI event has occurred. For
``major SCI events,'' such dissemination must be made to all of its
members or participants. In addition, dissemination of information to
members or participants is permitted to be delayed for systems
intrusions if such dissemination would likely compromise the security
of the SCI entity's systems or an investigation of the intrusion.\56\
In addition, 17 CFR 242.1002(c)(4) (``Rule 1002(c)(4)'' of Regulation
SCI) provides exceptions to the dissemination requirements under Rule
1002(c) of Regulation SCI for SCI events to the extent they relate to
market regulation or market surveillance systems or SCI events that
have had, or the SCI entity reasonably estimates would have, either a
de minimis or no impact on the SCI entity's operations or on market
participants.\57\
---------------------------------------------------------------------------
\55\ See 17 CFR 242.1002(c).
\56\ See id. The rule also requires that the SCI entity document
its reasons for delayed notification. Id.
\57\ See 17 CFR 242.1002(c)(4).
---------------------------------------------------------------------------
4. Systems Changes and SCI Review
Under 17 CFR 242.1003(a) (``Rule 1003(a)'' of Regulation SCI), SCI
entities are required to provide reports to the Commission relating to
system changes, including a report each quarter describing completed,
ongoing, and planned material changes to their SCI systems and the
security of indirect SCI systems, during the prior, current, and
subsequent calendar quarters, including the dates or expected dates of
commencement and completion.\58\ Rule 1003(b) of Regulation SCI also
requires that an SCI entity conduct an ``SCI review'' not less than
once each calendar year.\59\ ``SCI review'' is defined in Rule 1000 of
Regulation SCI to mean a review, following established procedures and
standards, that is performed by objective personnel having appropriate
experience to conduct reviews of SCI systems and indirect SCI systems,
and which review contains: a risk assessment with respect to such
systems of an SCI entity; and an assessment of internal control design
and effectiveness of its SCI systems and indirect SCI systems to
include logical and physical security controls,
[[Page 23152]]
development processes, and information technology governance,
consistent with industry standards.\60\ Under Rule 1003(b)(2) and (3),
SCI entities are also required to submit a report of the SCI review to
their senior management, and must also submit the report and any
response by senior management to the report, to their board of
directors, as well as to the Commission.\61\
---------------------------------------------------------------------------
\58\ See 17 CFR 242.1003(a).
\59\ See 17 CFR 242.1003(b).
\60\ See 17 CFR 242.1000. Rule 1003(b)(1) of Regulation SCI also
states that penetration test reviews of an SCI entity's network,
firewalls, and production systems must be conducted at a frequency
of not less than once every three years, and assessments of SCI
systems directly supporting market regulation or market surveillance
must be conducted at a frequency based upon the risk assessment
conducted as part of the SCI review, but in no case less than once
every three years. See 17 CFR 242.1003(b)(1)(i) and (ii) (``Rule
1003(b)(1)(i) and (ii)'').
\61\ See 17 CFR 242.1003(b)(2) and (3).
---------------------------------------------------------------------------
5. Business Continuity and Disaster Recovery Testing With Members/
Participants
Rule 1004 of Regulation SCI sets forth certain requirements for
testing an SCI entity's business continuity and disaster recovery plans
with its members or participants. This rule requires that, with respect
to an SCI entity's business continuity and disaster recovery plan,
including its backup systems, each SCI entity shall: (a) establish
standards for the designation of those members or participants that the
SCI entity reasonably determines are, taken as a whole, the minimum
necessary for the maintenance of fair and orderly markets in the event
of the activation of such plans; (b) designate members or participants
pursuant to the standards established and require participation by such
designated members or participants in scheduled functional and
performance testing of the operation of such plans, in the manner and
frequency specified by the SCI entity, provided that such frequency
shall not be less than once every 12 months; and (c) coordinate the
testing of such plans on an industry- or sector-wide basis with other
SCI entities.\62\
---------------------------------------------------------------------------
\62\ See 17 CFR 242.1004.
---------------------------------------------------------------------------
6. Recordkeeping and Other Provisions (Rules 1005-1007)
SCI entities are required by Rule 1005 of Regulation SCI to make,
keep, and preserve certain records related to their compliance with
Regulation SCI.\63\ In addition, 17 CFR 242.1006 (``Rule 1006'' of
Regulation SCI), provides for certain requirements relating to the
electronic filing, on Form SCI, of any notification, review,
description, analysis, or report to the Commission required to be
submitted under Regulation SCI.\64\ Finally, 17 CFR 242.1007 (``Rule
1007'' of Regulation SCI) requires a written undertaking when records
required to be filed or kept by an SCI entity under Regulation SCI are
prepared or maintained by a service bureau or other recordkeeping
service on behalf of the SCI entity.\65\
---------------------------------------------------------------------------
\63\ See 17 CFR 242.1005. Unlike 17 CFR 242.1005(a) (``Rule
1005(a)'') of Regulation SCI, which relates to recordkeeping
provisions for SCI SROs, 17 CFR 242.1005(b) (``Rule 1005(b)'')
relates to the recordkeeping provision for SCI entities other than
SCI SROs.
\64\ See 17 CFR 242.1006.
\65\ See 17 CFR 242.1007.
---------------------------------------------------------------------------
C. Overview of Proposed Amendments to Regulation SCI
The Commission is proposing amendments to Regulation SCI that would
expand the definition of ``SCI entity'' to include a broader range of
key market participants in the U.S. securities market infrastructure
and update certain provisions of Regulation SCI to take account of
developments in the technology landscape of the markets and the
Commission and its staff's oversight experience since the adoption of
Regulation SCI in 2014. As discussed in section III.A, the Commission
is proposing to expand the definition of SCI entity to include
registered SBSDRs, registered broker-dealers exceeding a size threshold
(``SCI broker-dealers''), and additional clearing agencies exempt from
registration.\66\ As discussed in section III.C, the Commission is also
proposing to update several requirements of Regulation SCI to
acknowledge certain technology changes in the market, including
cybersecurity and third-party provider management challenges since the
adoption of Regulation SCI in 2014, and to account for the experience
and insights the Commission and its staff have gained with respect to
technology issues surrounding SCI entities and their systems. These
include:
---------------------------------------------------------------------------
\66\ See infra section III.A.2.a. through c. (providing a
detailed discussion of each of these categories of entities and
associated proposed definitions).
---------------------------------------------------------------------------
Amendments to Rule 1001(a) to require that an SCI entity's
policies and procedures for SCI systems, critical SCI systems, and
indirect SCI systems, address with specificity:
[cir] Systems classification and life cycle management; \67\
---------------------------------------------------------------------------
\67\ See infra section III.C.1.
---------------------------------------------------------------------------
[cir] Management of third-party providers, including cloud service
providers and providers of critical SCI systems; \68\
---------------------------------------------------------------------------
\68\ See infra section III.C.2.
---------------------------------------------------------------------------
[cir] Access controls; \69\ and
---------------------------------------------------------------------------
\69\ See infra section III.C.3.a.
---------------------------------------------------------------------------
[cir] Identification of current SCI industry standards, if any;
\70\
---------------------------------------------------------------------------
\70\ See infra section III.C.5.c.
---------------------------------------------------------------------------
Expansion of the definition of ``systems intrusion'' in
Rule 1000 to include a wider range of cybersecurity events; \71\
---------------------------------------------------------------------------
\71\ See infra section III.C.3.c.
---------------------------------------------------------------------------
Amendments to Rule 1002 regarding notice of systems
intrusions to the Commission and affected persons; \72\
---------------------------------------------------------------------------
\72\ See infra section III.C.3.c.
---------------------------------------------------------------------------
Amendments to the definition of ``SCI review'' and Rule
1003(b) to specify in greater detail the contents of the SCI review and
associated report, and to require annual penetration testing; \73\
---------------------------------------------------------------------------
\73\ See infra sections III.C.3.b and III.C.4.
---------------------------------------------------------------------------
Amendments to Rule 1004 to require that SCI entities
designate key third-party providers for participation in annual
business continuity/disaster recovery testing; \74\
---------------------------------------------------------------------------
\74\ See infra section III.C.2.d.
---------------------------------------------------------------------------
Amendments to Rule 1001(a)(4) to address how an SCI entity
may avail itself of the safe harbor provision; \75\
---------------------------------------------------------------------------
\75\ See infra section III.C.5.
---------------------------------------------------------------------------
Amendments to Rule 1005 to address the maintenance of
records by a former SCI entity; and
Changes to Form SCI consistent with the proposed
changes.\76\
---------------------------------------------------------------------------
\76\ See infra section III.C.6.
---------------------------------------------------------------------------
The amendments to Regulation SCI are proposed independently of the
proposals discussed in the Exchange Act Cybersecurity Proposal and
Regulation S-P 2023 Proposing Release. However, the relationship of all
three proposals, as each may apply to an SCI entity, is discussed in
section III.D.
III. Proposed Amendments to Regulation SCI
A. Definition of SCI Entity
1. Evolution: Current and Proposed SCI Entities
Currently, SCI entities are the SCI SROs, SCI ATSs, plan
processors, certain exempt clearing agencies, and, as of 2020, SCI
competing consolidators.\77\ In 2013, the Commission proposed to
include other entities: specifically, ATSs trading corporate debt or
municipal securities (hereafter, ``Fixed Income ATSs'') exceeding
specified volume thresholds.\78\ The Commission did not include any
Fixed Income ATSs as SCI entities at adoption in 2014, however, based
on consideration of comments regarding the risk profile of Fixed
[[Page 23153]]
Income ATSs at that time.\79\ In 2013, the Commission also solicited
comment on the inclusion of several other types of entities, including
SBSDRs and broker-dealers (beyond SCI ATSs).\80\ At adoption in 2014,
comments regarding these and other entities were summarized, with
specific proposals deferred for possible future consideration.\81\ In
sum, the Commission stated in 2014 that it was neither limiting the
applicability of Regulation SCI to only the most systemically important
entities as urged by some commenters, nor taking a broad approach at
the outset, but rather that it was taking a ``measured'' approach in
establishing the initial scope of SCI entities.\82\ Since the initial
adoption of Regulation SCI, the Commission has considered expansion of
the definition of SCI entity several times: first to propose and adopt
certain competing consolidators as SCI entities,\83\ and more recently
to propose and repropose adding ATSs that trade U.S. Treasury
Securities or Agency Securities exceeding specified volume thresholds
(``Government Securities ATSs'') as SCI entities.\84\
---------------------------------------------------------------------------
\77\ See supra notes 27-29 and accompanying text; infra note 83
and accompanying text.
\78\ See SCI Proposing Release, supra note 14, at 18097.
\79\ See SCI Adopting Release, supra note 1, at 72270, 72409
(discussing determination not to apply Regulation SCI to ATSs
trading only corporate debt and municipal securities at that time).
\80\ See SCI Proposing Release, supra note 14, at 18133-41. The
Commission also solicited comment on the inclusion of security-based
swap execution facilities (``SB SEFs''), which entities are now the
subject of another proposal. See Rules Relating to Security-Based
Swap Execution and Registration and Regulation of Security-Based
Swap Execution Facilities, Release No. 94615 (Apr. 6, 2022), 87 FR
28872 (May 11, 2022) (proposing that SB SEFs be subject to 17 CFR
242.800 through 242.835 (``Regulation SE'') which includes
operational capability requirements closely modeled on a detailed
CFTC rule for SEFs (17 CFR 37.1401)). SB SEFs are not further
discussed herein.
\81\ See SCI Adopting Release, supra note 1, at 72364-66
(contemplating possible future proposals).
\82\ See SCI Adopting Release, supra note 1, at 72259 (stating
that this measured approach would enable the Commission to ``monitor
and evaluate the implementation of Regulation SCI, the risks posed
by the systems of other market participants, and the continued
evolution of the securities markets, such that it may consider, in
the future, extending the types of requirements in Regulation SCI to
additional categories of [key] market participants . . . .'').
\83\ See Market Data Infrastructure Adopting Release, supra note
24, at 18659-18676.
\84\ See Securities Exchange Act Release Nos. 90019 (Sept. 28,
2020), 85 FR 87106 (Dec. 31, 2020) (``Government Securities ATS
Proposing Release''); 94062 (Jan. 26, 2022), 87 FR 15496 (Mar. 18,
2022) (``Government Securities ATS Reproposal'') (among other
things, citing operational similarities between Government
Securities ATSs and NMS stock ATSs). In the Government Securities
ATS Reproposal, the Commission proposed amendments to 17 CFR 240.3b-
16(a) (``Rule 3b-16(a)'' of the Exchange Act), which defines certain
terms used in the statutory definition of ``exchange'' under section
3(a)(1) of the Exchange Act, to include systems that offer the use
of non-firm trading interest and provide communication protocols to
bring together buyers and sellers of securities. Trading systems
that may fall within the criteria of proposed 17 CFR 240.3b-16
(``Rule 3b-16''), as proposed to be amended, would likely operate as
ATSs, and possibly SCI ATSs. Because the proposed amendments to Rule
3b-16(a) could result in a greater number of ATSs, and the
amendments proposed to expand and update SCI could impact newly
designated ATSs, commenters are encouraged to review both the
Government Securities ATS Reproposal and this proposal to determine
whether it might affect their comments on this proposal, as well as
their responses to the Commission's request for comment on
application of Regulation SCI to Fixed Income ATS contained herein.
---------------------------------------------------------------------------
The Commission now proposes a further expansion of the definition
of SCI entity to include SBSDRs, certain registered broker-dealers
(i.e., SCI broker-dealers), and additional clearing agencies exempted
from registration. The Commission also solicits comment on whether, in
light of technological changes in the fixed income markets in recent
years, Fixed Income ATSs should again be proposed to be subject to
Regulation SCI, rather than 17 CFR 240.301(b)(6) (``Rule 301(b)(6)'' of
Regulation ATS), and also whether and how broker-dealers trading
corporate debt and municipal securities should be considered.\85\
---------------------------------------------------------------------------
\85\ Currently, Rule 301(b)(6) of Regulation ATS applies to
Fixed Income ATSs exceeding a volume threshold. Under Rule
301(b)(6), an ATS that trades only municipal securities or corporate
debt at a threshold of 20% or more of the average daily volume
traded in the United States, during at least four of the preceding
six calendar months, is required to comply with capacity, integrity,
and security requirements with respect to those systems that support
order entry, order routing, order execution, transaction reporting,
and trade comparison. See 17 CFR 242.301(b)(6). As discussed further
below, the amendments proposed in this release do not include
amendments to modify the numerical volume thresholds or to otherwise
modify Rule 301(b)(6) of Regulation ATS, or move systems
requirements for Fixed Income ATSs from Regulation ATS to Regulation
SCI. The Commission does, however, request comment on the state of
electronic trading and automation in the corporate debt and
municipal securities markets, as well as the risks associated with
entities with significant activity in these markets. See infra
section III.B.
---------------------------------------------------------------------------
2. New Proposed SCI Entities
When it adopted Regulation SCI, the Commission acknowledged that
there may be other categories of entities not included in the
definition of SCI entity that, given their increasing size and
importance, could pose risks to the market should an SCI event occur,
but decided to include only certain key market participants at that
time.\86\ The Commission proposes to expand the definition of SCI
entity to include SBSDRs, certain types of broker-dealers, and
additional clearing agencies exempted from registration as additional
key market participants that would also have to comply with Regulation
SCI because they play a significant role in the U.S. securities markets
and/or have the potential to impact investors, the overall market, or
the trading of individual securities in the event of a systems issue.
If this amendment is adopted, these new SCI entities would become
subject to all provisions of Regulation SCI, including the provisions
proposed to be amended as discussed in section III.C of this release.
---------------------------------------------------------------------------
\86\ See SCI Adopting Release, supra note 1, at 72259. See also
supra note 82 and accompanying text.
---------------------------------------------------------------------------
a. Registered Security-Based Swap Data Repositories (SBSDRs)
The Commission proposes to expand the application of Regulation SCI
to SBSDRs. As registered securities information processors that
disseminate market data and provide price transparency in the SBS
market, and centralized trade repositories for SBS data for use by
regulators, SBSDRs play a key role in the SBS market.\87\
---------------------------------------------------------------------------
\87\ Rule 1000 would define the term registered security-based
swap data repository to mean ``a security-based swap data
repository, as defined in 15 U.S.C. 78c(a)(75), and that is
registered with the Commission pursuant to 15 U.S.C. 78m(n) and
Sec. 240.13n-1,'' with a proviso that compliance with Regulation
SCI would not be required until six months after the entity's
registration is effective. See proposed Rule 1000.
---------------------------------------------------------------------------
As noted, the Commission solicited comment on the inclusion of
SBSDRs as SCI entities when it first proposed Regulation SCI in
2013.\88\ At that time, the Commission anticipated that SBSDRs would
``play an important role in limiting systemic risk and promoting the
stability of the SBS market [and] also would serve as information
disseminators in a manner similar to plan processors in the equities
and options markets.'' \89\ But it also acknowledged that there may be
differences between the equities and options markets and the SBS
market, ``including differing levels of automation and stages of
regulatory development.'' \90\
---------------------------------------------------------------------------
\88\ See supra text accompanying note 80.
\89\ SCI Proposing Release, supra note 14, at 18135 (citation
omitted).
\90\ Id.
---------------------------------------------------------------------------
Comments received on the inclusion of SBSDRs as SCI entities in the
SCI Proposing Release were limited. One commenter stated that ``the
similarities between certain SCI entities and SB SDRs . . . do not
provide a clear justification for a different set of rules.'' \91\
Another commenter stated that SBSDRs should have standards that are
consistent with, but not identical to, those of SCI entities because
the
[[Page 23154]]
functions that SBSDRs perform are significantly different from those
performed by SCI entities.\92\ Other commenters, however, felt the
practical differences between options and equities and derivatives
called for some form of harmonization of rules, but not direct
application of Regulation SCI to these entities.\93\ The Commission
deferred and stated in the SCI Adopting Release that, ``should [it]
decide to propose to apply the requirements of Regulation SCI to SB
SDRs [it] would issue a separate release discussing such a proposal.''
\94\ Taking into account the role of SBSDRs in the SBS market, their
reliance on technology to perform their functions, and the current
state of regulatory development in the SBS market, the Commission is
doing so now.
---------------------------------------------------------------------------
\91\ SCI Adopting Release, supra note 1, at 72364.
\92\ See id.
\93\ See id.
\94\ SCI Adopting Release, supra note 1, at 72364; SCI Proposing
Release, supra note 14, at 18134.
---------------------------------------------------------------------------
i. Role of SBSDRs and Associated Risks
Title VII of the Dodd-Frank Act, enacted in 2010, provided for a
comprehensive, new regulatory framework for swaps and security-based
swaps, including regulatory reporting and public dissemination of
transactions in security-based swaps.\95\ In 2015, the Commission
established a regulatory framework for SBSDRs to provide improved
transparency to regulators and help facilitate price discovery and
efficiency in the SBS market.\96\ Under this framework, SBSDRs are
registered securities information processors and disseminators of
market data in the SBS market,\97\ thereby serving Title VII's goal of
having public dissemination of price information for all security-based
swaps, to enhance price discovery for market participants.\98\ Like
FINRA's Trade Reporting and Compliance Engine (``TRACE'') and the
MSRB's Electronic Municipal Market Access (``EMMA''),\99\ SBSDRs serve
an important function for market participants because they disseminate
market data, thereby providing price transparency in the SBS
market.\100\ Just as TRACE and EMMA provide price transparency to
market participants and regulatory information to regulators, SBSDRs
are designed to meet two purposes as mandated by Title VII of the Dodd-
Frank Act: (1) to provide SBS data and information to regulators to
surveil the markets and assess for market risks; and (2) to enhance
price discovery to market participants.\101\ As discussed in detail
below, given that SBSDRs rely on automated systems and are designed to
limit systemic risk and promote the stability of the markets they
serve, the Commission believes that including SBSDRs in the definition
of SCI entities would better ensure that SBSDR systems are robust,
resilient, and secure. Additionally, this approach is reasonable and
consistent as other entities that play a key price transparency role in
their respective markets, such as plan processors, SCI competing
consolidators, FINRA and the MSRB, are SCI entities, and their systems
that directly support market data, among other functions, are currently
SCI systems.\102\
---------------------------------------------------------------------------
\95\ Public Law 111-203, section 761(a) (adding Exchange Act
section 3(a)(75) (defining SBSDR)) and section 763(i) (adding
Exchange Act section 13(n) (establishing a regulatory regime for
SBSDRs)).
\96\ See Security-Based Swap Data Repository Registration,
Duties, and Core Principles, Securities Exchange Act Release No.
74246 (Feb. 11, 2015), 80 FR 14438, 14441 (Mar. 19, 2015) (``SBSDR
Adopting Release''); Regulation SBSR--Reporting and Dissemination of
Security-Based Swap Information, Securities Exchange Act Release No.
74244 (Feb. 11, 2015), 80 FR 14563 (Mar. 19, 2015) (``SBSR Adopting
Release'').
\97\ See 17 CFR 242.909 (``A registered security-based swap data
repository shall also register with the Commission as a securities
information processor on Form SDR.''); see also Form SDR (``With
respect to an applicant for registration as a security-based swap
data repository, Form SDR also constitutes an application for
registration as a securities information processor.'').
\98\ See, e.g., SBSR Adopting Release, supra note 96, at 14604-
05.
\99\ FINRA members are subject to transaction reporting
obligations under FINRA Rule 6730, while municipal securities
dealers are subject to transaction reporting obligations under MSRB
Rule G-14. See FINRA Rule 6730(a)(1) (requiring FINRA members to
report transactions in TRACE-Eligible Securities, which FINRA Rule
6710 defines to include a range of fixed-income securities). See
also MRSB Rule G-14 (requiring transaction reporting by municipal
bond dealers). EMMA, established by the MSRB in 2009, serves as the
official repository of municipal securities disclosure providing the
public with free access to relevant municipal securities data, and
is the central database for information about municipal securities
offerings, issuers, and obligors. Additionally, the MSRB's Real-Time
Transaction Reporting System (``RTRS''), with limited exceptions,
requires municipal bond dealers to submit transaction data to the
MSRB within 15 minutes of trade execution, and such near real-time
post-trade transaction data can be accessed through the MSRB's EMMA
website.
\100\ See Committee on Payment and Settlement Systems and
Technical Committee of the International Organization of Securities
Commissions, Principles for financial market infrastructures, at
1.14, Box 1 (Apr. 16, 2012) (``PFMI''), available at https://www.bis.org/publ/cpss101a.pdf (stating that ``[a] TR [trade
repository] may serve a number of stakeholders that depend on having
effective access to TR services, both to submit and retrieve data.
In addition to relevant authorities and the public, other
stakeholders can include exchanges, electronic trading venues,
confirmation or matching platforms, and third-party service
providers that use TR data to offer complementary services.'').
\101\ See, e.g., SBSR Adopting Release, supra note 96, at 14604-
05.
\102\ See SBSDR Adopting Release, supra note 96.
---------------------------------------------------------------------------
As centralized repositories for SBS data for use by regulators,
SBSDRs provide important infrastructure that assists relevant
authorities in performing their market oversight.\103\ Data maintained
by SBSDRs may assist regulators in preventing market abuses, performing
supervision, and resolving issues and positions if an institution
fails.\104\ SBSDRs are required to collect and maintain accurate SBS
transaction data so that relevant authorities can access and analyze
the data from secure, central locations, thereby putting the regulators
in a better position to monitor for potential market abuse and risks to
financial stability.\105\ SBSDRs also have the potential to reduce
operational risk and enhance operational efficiency, such as by
maintaining transaction records that would help counterparties to
ensure that their records reconcile on all of the key economic
details.\106\
---------------------------------------------------------------------------
\103\ See generally PFMI, supra note 100, at 1.14 (stating that
``[b]y centralising the collection, storage, and dissemination of
data, a well-designed TR that operates with effective risk controls
can serve an important role in enhancing the transparency of
transaction information to relevant authorities and the public,
promoting financial stability, and supporting the detection and
prevention of market abuse.'').
\104\ See Security-Based Swap Data Repository Registration,
Duties, and Core Principles, Exchange Act Release No. 63347 (Nov.
19, 2010), 75 FR 77306, 77307 (Dec. 10, 2010), corrected at 75 FR
79320 (Dec. 20, 2010) and 76 FR 2287 (Jan. 13, 2011) (``SBSDR
Proposing Release'').
\105\ See SBSDR Adopting Release, supra note 96, at 14440
(stating that ``SDRs are required to collect and maintain accurate
SBS transaction data so that relevant authorities can access and
analyze the data from secure, central locations, thereby putting
them in a better position to monitor for potential market abuse and
risks to financial stability.'').
\106\ See SBSDR Proposing Release, supra note 104, at 77307
(stating that ``[t]he enhanced transparency provided by an SDR is
important to help regulators and others monitor the build-up and
concentration of risk exposures in the SBS market . . . . In
addition, SDRs have the potential to reduce operational risk and
enhance operational efficiency in the SBS market.'').
---------------------------------------------------------------------------
Furthermore, SBSDRs themselves are subject to certain operational
risks that may impede the ability of SBSDRs to meet the goals set out
in Title VII of the Dodd-Frank Act and the Commission's rules.\107\ For
instance, the links established between an SBSDR and other entities,
including unaffiliated clearing agencies and other SBSDRs, may expose
the SBSDR to vulnerabilities outside of its direct control.\108\
Without appropriate
[[Page 23155]]
safeguards in place for the systems of SBSDRs, their vulnerabilities
could lead to significant failures, disruptions, delays, and
intrusions, which could disrupt price transparency and oversight of the
SBS market. For instance, an SBSDR processes and disseminates trade
data using electronic systems, and if these systems fail, public access
to timely and reliable trade data for the derivatives markets could
potentially be compromised.\109\ Also, if the data stored at an SBSDR
is corrupted, the SBSDR would not be able to provide accurate data to
relevant regulatory authorities, which could hinder the oversight of
the derivatives markets. Moreover, because SBSDRs receive and maintain
proprietary and sensitive information (e.g., trading data, non-public
personal information), it is essential that their systems be capable of
ensuring the security and integrity of this data.
---------------------------------------------------------------------------
\107\ See SBSDR Adopting Release, supra note 96 at 14450 (``SDRs
themselves are subject to certain operational risks that may impede
the ability of SDRs to meet these goals, and the Title VII
regulatory framework is intended to address these risks.'').
\108\ See PFMI, supra note 100, at 3.20.20 (stating that ``A TR
should carefully assess the additional operational risks related to
its links to ensure the scalability and reliability of IT
[information technology] and related resources. A TR can establish
links with another TR or with another type of FMI. Such links may
expose the linked FMIs to additional risks if not properly designed.
Besides legal risks, a link to either another TR or to another type
of FMI may involve the potential spillover of operational risk. The
mitigation of operational risk is particularly important because the
information maintained by a TR can support bilateral netting and be
used to provide services directly to market participants, service
providers (for example, portfolio compression service providers),
and other linked FMIs.'').
\109\ See PFMI, supra note 100, at 1.14, Box 1 (stating that
``[t]he primary public policy benefits of a TR, which stem from the
centralisation and quality of the data that a TR maintains, are
improved market transparency and the provision of this data to
relevant authorities and the public in line with their respective
information needs. Timely and reliable access to data stored in a TR
has the potential to improve significantly the ability of relevant
authorities and the public to identify and evaluate the potential
risks posed to the broader financial system.'').
---------------------------------------------------------------------------
Along with the reliance of SBSDRs on automated systems to perform
their functions, regulatory development of the SBS market has proceeded
significantly since 2015. In particular, security-based swap dealers
have registered with the Commission,\110\ SBSDRs have registered with
the Commission,\111\ security-based swap execution facilities
(``SBSEF'') registration has been proposed,\112\ and straight-through
processing has increased in the market.\113\ On November 8, 2021, SBS
data began being reported to SBSDRs, which in turn began disseminating
such data to the Commission and the public.\114\ In light of the
important role of SBSDRs in the markets for security-based swaps, their
level of automation, and the regulatory development of the SBS market
in recent years, the Commission believes it is timely to propose
enhanced requirements for registered SBSDRs with respect to their
technology systems that are central to the performance of their
regulated activities.
---------------------------------------------------------------------------
\110\ See List of Security-Based Swap Dealers and Major
Security-Based Swap Participants, Commission (last updated Jan. 4,
2023), available at: https://www.sec.gov/files/list_of_sbsds_msbsps_1_4_2023locked_final.xlsx.
\111\ The Commission approved the registration of two SBSDRs in
2021. See Security-Based Swap Data Repositories, DTCC Data
Repository (U.S.), LLC, Order Approving Application for Registration
as a Security-Based Swap Data Repository, Securities Exchange Act
Release No. 91798 (May 7, 2021), 86 FR 26115 (May 12, 2021);
Security-Based Swap Data Repositories, ICE Trade Vault, LLC, Order
Approving Application for Registration as a Security-Based Swap Data
Repository, Securities Exchange Act Release No. 92189 (Jun. 16,
2021), 86 FR 32703 (Jun. 22, 2021).
\112\ See Rules Relating to Security-Based Swap Execution and
Registration and Regulation of Security-Based Swap Execution
Facilities, Securities Exchange Act Release No. 94615 (Apr. 6,
2022), 87 FR 28872 (May 11, 2022).
\113\ See, e.g., Security-Based Swap Data Repositories, DTCC
Data Repository (U.S.), LLC, Notice of Filing of Application for
Registration as a Security-Based Swap Data Repository, Securities
Exchange Act Release No. 91071 (Feb. 5, 2021), 86 FR 8977 (Feb. 10,
2021) (``[T]he SDR process is an end-to-end straight through
process; from the receipt of data, processing and maintenance of
data, and dissemination of data, processes are automated and do not
require manual intervention.'').
\114\ See SEC Approves Registration of First Security-Based Swap
Data Repository; Sets the First Compliance Date for Regulation SBSR,
Press Release, Commission (May 7, 2021), available at: https://www.sec.gov/news/press-release/2021-80.
---------------------------------------------------------------------------
ii. Current Regulation
The Commission believes the current technology regulation framework
for SBSDRs should be strengthened. SBSDR technology regulation is
currently governed by 17 CFR 240.13n-6 (``Rule 13n-6''), a broad,
principles-based operational risk rule,\115\ which the Commission
adopted in 2015 when regulatory development of the SBS market was still
nascent and SBSDRs were not yet registered with the Commission under 17
CFR 240.13n-1 (``Rule 13n-1'').\116\ Additionally, Rule 13n-6 was
adopted shortly after the adoption of Regulation SCI, with
modifications that did not include some of the more detailed proposed
requirements.\117\ As a result, the two currently-registered SBSDRs
(which are affiliated with registered clearing agencies that are
subject to Regulation SCI) \118\ remain subject to the broad
principles-based rule, Rule 13n-6, which is the only applicable
operational risk requirement for SBSDRs in the Commission's current
regulatory framework.
---------------------------------------------------------------------------
\115\ See 17 CFR 240.13n-6.
\116\ See SBSDR Adopting Release, supra note 96, at 14499, 14550
(``[T]he Commission may consider the application of any features of
Regulation SCI to SDRs in the future.''); SCI Adopting Release,
supra note 1, at 72364.
\117\ See SBSDR Adopting Release, supra note 96, at 14499
(stating that ``[t]he Commission is not adopting Rule 13n-6 as
proposed because, after proposing Rule 13n-6, the Commission
considered the need for an updated regulatory framework for certain
systems of the U.S. securities trading markets and adopted
Regulation Systems Compliance and Integrity (`Regulation SCI').'').
Specifically, the Commission stated that the rule as adopted better
sets an appropriate core framework for the policies and procedures
of SBSDRs with respect to automated systems and that the framework
adopted is ``broadly consistent'' with Regulation SCI. See id.
Therefore, the Commission declined to adopt more prescriptive
elements of the rule as proposed, including proposed Rule 13n-6(b),
which would have required that every security-based swap data
repository, with respect to those systems that support or are
integrally related to the performance of its activities: (1)
establish, maintain, and enforce written policies and procedures
reasonably designed to ensure that its systems provide adequate
levels of capacity, resiliency, and security. These policies and
procedures shall, at a minimum: (i) establish reasonable current and
future capacity estimates; (ii) conduct periodic capacity stress
tests of critical systems to determine such systems' ability to
process transactions in an accurate, timely, and efficient manner;
(iii) develop and implement reasonable procedures to review and keep
current its system development and testing methodology; (iv) review
the vulnerability of its systems and data center computer operations
to internal and external threats, physical hazards, and natural
disasters; and (v) establish adequate contingency and disaster
recovery plans; (2) on an annual basis, submit an objective review
to the Commission within thirty calendar days of its completion.
Where the objective review is performed by an internal department,
an objective, external firm shall assess the internal department's
objectivity, competency, and work performance with respect to the
review performed by the internal department. The external firm must
issue a report of the objective review, which the security-based
swap data repository must submit to the Commission on an annual
basis, within 30 calendar days of completion of the review; (3)
promptly notify the Commission of material systems outages and any
remedial measures that have been implemented or are contemplated
(prompt notification includes the following: (i) immediately notify
the Commission when a material systems outage is detected; (ii)
immediately notify the Commission when remedial measures are
selected to address the material systems outage; (iii) immediately
notify the Commission when the material systems outage is addressed;
and (iv) submit to the Commission within five business days of the
occurrence of the material systems outage a detailed written
description and analysis of the outage and any remedial measures
that have been implemented or are contemplated); and (4) notify the
Commission in writing at least thirty calendar days before
implementation of any planned material systems changes. See SBSDR
Proposing Release, supra note 104, at 77370.
\118\ The two registered SBSDRs, DTCC Data Repository (U.S.),
LLC and ICE Trade Vault, LLC, are affiliated with the registered
clearing agencies, Depository Trust Company and ICE Clear Credit
LCC, respectively.
---------------------------------------------------------------------------
Rule 13n-6 requires that SBSDRs, with respect to those systems that
support or are integrally related to the performance of their
activities, establish, maintain, and enforce written policies and
procedures reasonably designed to ensure that their systems provide
adequate levels of capacity, integrity, resiliency, availability, and
[[Page 23156]]
security.\119\ The operational risk principles underlying Rule 13n-6
are an essential part of the rules that comprise the core framework for
SBSDRs that the Commission established in 2015 at the opening of its
regulatory regime governing SBSDRs. The core framework influences all
applicable requirements relevant to SBSDRs that follow. The core
framework not only addresses SBSDR operational risk, but also other
SBSDR enumerated duties, including registration, market access to
services and data, governance arrangements, conflicts of interest, data
collection and maintenance, privacy and disclosure requirements, and
chief compliance officers,\120\ thereby implementing the provisions of
Exchange Act section 13(n).\121\ Therefore, the SBSDR core framework,
which Rule 13n-6 is a part, is different in focus and broader in scope
than proposed Regulation SCI--as it relates to SBSDRs--which is focused
on, among things, protecting the security of SBSDR systems. While Rule
13n-6 may not provide the absolute requirements relating to SBSDR
operational risk, as the Commission's regulatory regime continues to
evolve, Rule 13n-6 sets forth an enumerated duty for operational risk
concerns that registered SBSDRs must address--at the time of
registration and throughout its registration with the Commission.
Compliance with the core principles and requirements in the SBSDR
rules, including Rule 13n-6, is, thus, an important building block for
better ensuring the integrity of an SBSDR's data quality upon which the
Commission and the securities markets rely. In this regard, the
Commission believes that Rule 13n-6 should be preserved, with the
requirements of this proposal, if adopted, working to complement Rule
13n-6.\122\ Specifically, the proposed requirements of Regulation SCI
on SBSDRs would exist and operate in conjunction with Rule 13n-6 and
would prescribe certain key features and more detailed functional
requirements to help ensure that SBSDR market systems are robust,
resilient, and secure.\123\
---------------------------------------------------------------------------
\119\ See 17 CFR 240.13n-6.
\120\ See 17 CFR 240.13n-1 through 240.13n-12; See SBSDR
Adopting Release, supra note 96, at 14440-42.
\121\ 15 U.S.C. 78m(n).
\122\ When adopting Rule 13n-6, the Commission acknowledged the
potential application of Regulation SCI provisions to SBSDRs in the
future. See SBSDR Adopting Release, supra note 96, at 14438, 14499
(stating that ``[c]onsistent with this approach and in recognition
of the importance of SDRs as the primary repositories of SBS trade
information, the Commission may consider the application of any
features of Regulation SCI to SDRs in the future.''). Additionally,
as guidance, the Commission stated that, in preparing their policies
and procedures to comply with Rule 13n-6, SBSDRs may consider
whether to incorporate aspects of Regulation SCI that may be
appropriate for their particular implementation of Rule 13n-6. See
id., at 14499, n.826 (stating that ``[i]n preparing their policies
and procedures, SDRs may consider whether to incorporate aspects of
Regulation SCI that may be appropriate for their particular
implementation of Rule 13n-6, including where an SDR is related by
virtue of its corporate structure to an entity subject to Regulation
SCI.'').
\123\ In 2014, the SEC's SBSDR regulatory framework was subject
to a Level 2 assessment by the Bank for International Settlements'
Committee on Payments and Market Infrastructures (``CPMI'') and the
International Organization of Securities Commissions (``IOSCO''),
which concluded that ``the U.S. jurisdiction has developed rules or
proposed rules that completely and consistently implement the
majority of Principles that are applicable to CCPs [central
counterparties] [but that] [t]he progress of the U.S. jurisdiction
towards completely and consistently implementing the Principles for
[trade repositories] has been more limited.'' See CPMI-IOSCO,
Implementation Monitoring of PFMIs: Level 2 assessment report for
central counterparties and trade repositories--United States (Feb.
26, 2015), available at https://www.iosco.org/library/pubdocs/pdf/IOSCOPD477.pdf. Additionally, CPMI-IOSCO issued guidance for cyber
resilience for financial market infrastructures (``FMIs''),
including trade repositories. See CPMI-IOSCO, Guidance on cyber
resilience for financial market infrastructures (June 2016),
available at https://www.iosco.org/library/pubdocs/pdf/IOSCOPD535.pdf; see also CPMI-IOSCO, Implementation monitoring of
the PFMI: Level 3 assessment on Financial Market Infrastructures'
Cyber Resilience (Nov. 2022), available at https://www.iosco.org/library/pubdocs/pdf/IOSCOPD723.pdf (presenting the results of an
assessment of the state of cyber resilience (as of Feb. 2021) at 37
FMIs from 29 jurisdictions that participated in this exercise in
2020 to 2022).
---------------------------------------------------------------------------
Regulation SCI, among other things, defines the scope of systems
covered, and requires: the establishment, maintenance, and enforcement
of written policies and procedures to ensure that SCI systems have
levels of capacity, integrity, resiliency, availability, and security
adequate to maintain operational capacity and promote the maintenance
of fair and orderly markets, with minimum elements that include, among
others, standards designed to facilitate the successful collection,
processing, and dissemination of market data and robust business
continuity and disaster recovery plans; policies and procedures
designed to ensure compliance with the federal securities laws;
corrective action and reporting and dissemination of SCI events,
quarterly reporting of material systems changes, and an annual SCI
review; and participation of key members in SCI entity's business
continuity and disaster recovery plans.
The Commission believes that SBSDRs operate with similar complexity
and in a similar fashion as other registered securities information
processors that are currently subject to Regulation SCI and that they
play an important role in the SBS market and face similar technological
vulnerabilities as existing SCI entities, such as FINRA's TRACE and
MSRB's EMMA. For example, were an SBSDR to experience a systems issue,
market participants could be prevented from receiving timely
information regarding accurate prices for individual SBSs. Given
SBSDRs' reliance on automated systems and their dual Dodd-Frank
mandated role of providing price transparency to market participants
and SBS data to regulators to surveil markets to better ensure that
systemic risk is limited and market stability is enhanced, the
Commission believes it appropriate to include SBSDRs into the scope of
the Regulation SCI proposal.
Currently, there are two registered SBSDRs that would become
subject to Regulation SCI should the Regulation SCI amendments be
adopted.\124\
---------------------------------------------------------------------------
\124\ See supra note 118.
---------------------------------------------------------------------------
iii. Request for Comment
1. The Commission requests comment generally on the inclusion of
SBSDRs as SCI entities. Is their inclusion appropriate? Why or why not?
Please be specific and provide examples, if possible, to illustrate
your points.
2. Should all or some aspects of Regulation SCI apply to SBSDRs?
Why or why not? If only a portion, please specify which portion(s) and
explain why. If all, explain why.
3. Are the definitions of SCI systems and indirect SCI systems
appropriate for SBSDRs? Why or why not? Are there any systems of SBSDRs
that should be included but would not be covered by these definitions?
Please explain. Are there any systems of SBSDRs that should be excluded
by these definitions? Please explain. Do SBSDRs have any systems that
would or should be covered by the definition of critical SCI systems?
Please explain.
4. Is current Rule 13n-6 sufficient to govern the technology of
SBSDRs? If not, why not? Would the Regulation SCI proposed
requirements, together with Rule 13n-6, be sufficient to address
operational risk concerns posed by SBSDRs? Why or why not? Should Rule
13n-6 serve as an operational risk requirement for new SBSDR
registrants during the first year registered with the Commission, with
Regulation SCI proposed requirements imposed after the first year of
registration? Why or why not? Please be specific and respond with
examples, if possible.
5. Given the current practices of SBSDRs, would the proposed
Regulation SCI requirements pose unreasonable or unworkable
difficulties
[[Page 23157]]
for them, technologically, legally, operationally, or procedurally? Why
or why not? Please be specific and respond with examples, if possible.
6. Should Regulation SCI distinguish among different types of
SBSDRs such that some requirements of Regulation SCI might be
appropriate for some SBSDRs but not others? Why or why not? If so, what
are those distinctions and what are those requirements? For example,
should any requirements be based on criteria such as number of
transactions or notional volume reported to a SBSDR? If so, what would
be an appropriate threshold for any such criteria, and why? Please be
specific and provide examples, if possible.
7. Because proposed Regulation SCI would include SBSDRs as ``SCI
entities,'' SBSDRs that share systems with affiliated clearing agencies
could be required to classify those shared systems as SCI systems of
the SBSDR and indirect SCI systems of the clearing agency, and vice
versa. Is this outcome appropriate? Why or why not? Please be specific
and provide examples, if possible.
8. Is Regulation SCI, including as proposed to be amended,
comprehensive and robust enough to address SBSDRs that rely on third-
party providers to support core SBSDR operations? Why or why not?
Please be specific and provide examples, if possible.
b. SCI Broker-Dealers
The Commission further proposes to expand the application of
Regulation SCI by including certain broker-dealers--to be referred to
as ``SCI broker-dealers''--in the definition of SCI entity. An SCI
broker-dealer would be a broker or dealer registered with the
Commission pursuant to section 15(b) of the Exchange Act that exceeds
one or more size thresholds. An SCI broker-dealer would be a broker-
dealer that meets or exceeds: (i) a total assets threshold, or (ii) one
or more transaction activity thresholds.
The proposed thresholds are designed to identify the largest U.S.
broker-dealers by size, as measured in two different ways. The first is
analysis of broker-dealer size based on total assets reported on Form
X-17A-5 (Financial and Operational Combined Uniform Single (``FOCUS'')
Report Part II, Item 940),\125\ which reveals the largest firms based
on their balance sheets at a point in time, and which is a measure used
by the Board of Governors of the Federal Reserve System (``Federal
Reserve Board'') to calculate and provide to the public on a quarterly
basis a measure of total assets of all security broker-dealers.\126\
The second is a measure of broker-dealer size using transaction
activity to identify significant firms active in certain enumerated
types of securities. As discussed further below, the total assets
threshold is expressed in terms of the broker-dealer's total assets at
specified points in time as a percentage of the ``total assets of all
security broker-dealers'' with ``total assets of all security-broker-
dealers'' being calculated and made publicly available by the Federal
Reserve Board for the associated preceding calendar quarter, or any
subsequent provider of such information.\127\ The trading activity
threshold is expressed in terms of the sum of buy and sell transactions
that the broker-dealer transacted during a specified time period as a
percentage of reported total average daily dollar volume in one or more
enumerated types of securities. The proposed total assets threshold is
broadly similar to the approach banking regulators use to assess the
appropriate capital and liquidity requirements for banks.\128\ The
proposed transaction activity thresholds are similar to, but
distinguishable from, the market share thresholds for SCI ATSs.\129\
The proposed threshold approaches in the proposed definition of SCI
broker-dealer are designed to identify entities that play key roles in
the U.S. securities markets due to the magnitude of their activity in
these markets.\130\
---------------------------------------------------------------------------
\125\ See Form X-17A-5, FOCUS Report, Part II, at 3, available
at https://www.sec.gov/files/formx-17a-5_2_2.pdf (requiring broker-
dealers to report their total assets in Item 940).
\126\ See infra note 127.
\127\ For additional detail on the calculation of total assets
of all security broker-dealers, see Z.1: Financial Accounts of the
United States, available at https://www.federalreserve.gov/apps/fof/Guide/z1_tables_description.pdf; ((i) stating that the term
``security broker-dealers'' refers to firms that buy and sell
securities for a fee, hold an inventory of securities for resale, or
do both; and firms that make up this sector are those that submit
information to the Commission on one of two reporting forms, either
the Financial and Operational Combined Uniform Single Report of
Brokers and Dealers (FOCUS) or the Report on Finances and Operations
of Government Securities Brokers and Dealers (FOGS); and (ii)
describing the major assets of the security brokers and dealers
sector). Currently, this information is readily accessible on the
Federal Reserve Economic Data (``FRED'') website. See Board of
Governors of the Federal Reserve System (US), Security Brokers and
Dealers; Total Assets (Balance Sheet), Level [BOGZ1FL664090663Q],
retrieved from FRED, Federal Reserve Bank of St. Louis, available
at: https://fred.stlouisfed.org/series/BOGZ1FL664090663Q (making
publicly available the total assets of all security brokers and
dealers, as calculated and updated quarterly by the Federal Reserve
Board).
\128\ See infra notes 178-180 and accompanying text.
\129\ See infra section III.A.b.iii.
\130\ See infra text accompanying notes 138-142 (summarizing
comments on the SCI Proposing Release from commenters urging that
application of Regulation SCI to broker-dealers should be limited to
those with substantial transaction volume or having a large
``footprint'').
---------------------------------------------------------------------------
i. Background
There are approximately 3,500 broker-dealers registered with the
Commission pursuant to section 15(b) of the Exchange Act, and these
entities encompass a broad range of sizes, business activities, and
business models.\131\ In 2013, the Commission proposed to include
significant volume ATSs in the definition of SCI entity but at that
time did not propose to include any other aspects of broker-dealer
operations.\132\ Rather, the Commission solicited comment on whether
certain classes of broker-dealers should be covered. In particular, the
Commission sought comment on whether Regulation SCI should apply, for
example, to OTC market makers \133\ (either all or those
[[Page 23158]]
that execute a significant volume of orders), exchange market makers
\134\ (either all or those that trade a significant volume on
exchanges), order-entry firms that handle and route order flow for
execution (either all or those that handle a significant volume of
investor orders), clearing broker-dealers (either all or those that
engage in a significant amount of clearing activities), and/or large
multi-service broker-dealers that engage in a variety of order
handling, trading, and clearing activities.\135\ Although OTC market
makers and clearing broker-dealers were noted specifically as examples
of categories of broker-dealers that could pose significant risk to the
market if a large portion of the order flow they handle or process were
disrupted due to a systems issue, the Commission broadly solicited
commenters' views on the importance of different categories of broker-
dealers to the stability of overall securities market infrastructure
and the risks posed by their systems.\136\
---------------------------------------------------------------------------
\131\ This estimate is derived from information on broker-dealer
FOCUS Report Form X-17A-5 Schedule II filings as of Dec. 31, 2021,
as well as the third quarter of 2022. See also FINRA, 2022 FINRA
Industry Snapshot (Mar. 2022), available at https://www.finra.org/sites/default/files/2022-03/2022-industry-snapshot.pdf. Section
15(b)(8) of the Exchange Act prohibits any broker-dealer from
effecting transactions in securities unless it is a member of a
registered national securities association (i.e., FINRA) or effects
securities transactions solely on a national securities exchange of
which it is a member. See 15 U.S.C. 78o(b)(8); see also 17 CFR
240.15b9-1 (``Rule 15b9-1'') (exempting proprietarily trading
dealers from section 15(b)(8)'s national securities association
membership requirement if they are a member of a national securities
exchange and meet certain other requirements). But see Securities
Exchange Act Release No. 95388 (July 29, 2022), 87 FR 49930 (Aug.
12, 2022) (proposing amendments to Exchange Act Rule 15b9-1 that
would generally require proprietary trading firms that are
registered broker-dealers to become a registered member of a
national securities association (i.e., FINRA) if they effect
securities transactions otherwise than on an exchange of which they
are a member). See also Securities Exchange Act Release No. 94524
(Mar. 28, 2022), 87 FR 23054 (Apr. 18, 2022) (``Dealer-Trader
Release'') (proposing to further define ``dealer'' and ``government
securities dealer'' to identify certain activities that would
constitute a ``regular business'' requiring a person engaged in
those activities to register as a ``dealer'' or a ``government
securities dealer,'' absent an exception or exemption). Because the
proposed amendments to further define the definition of dealer could
result in a greater number of dealers and the amendments proposed to
expand and update Regulation SCI could impact these newly designated
dealers, commenters also are encouraged to review the Dealer-Trader
Release to determine whether it might affect their comments on this
proposal.
\132\ See SCI Proposing Release, supra note 14, at 18138-42.
\133\ An OTC market maker is a dealer that holds itself out as
willing to buy and sell NMS stocks on a continuous basis in amounts
of less than block size otherwise than on an exchange. See 17 CFR
242.600(b)(64).
\134\ An exchange market maker is any member of a national
securities exchange that is registered as a specialist or market
maker pursuant to the rules of such exchange. See 17 CFR
242.600(b)(32).
\135\ See SCI Proposing Release, supra note 14, at 18139-40.
\136\ See SCI Proposing Release, supra note 14, at 18138-40
(including questions 194-196 soliciting comment on whether and how
to distinguish between and among categories of broker-dealers, such
as OTC market makers, order entry firms that handle and route order
flow for execution, clearing broker-dealers, and large multi-service
broker-dealers that engage in a variety of order handling, trading,
and clearing activities).
---------------------------------------------------------------------------
As summarized in the SCI Adopting Release, commenters' views
varied.\137\ One commenter opined that market makers and brokers or
dealers that execute orders internally by trading as a principal or
crossing orders as an agent and handle market share that exceeds that
of certain SCI ATSs should be subject to Regulation SCI.\138\ Others
stated that market makers, high frequency trading firms, or any firm
with market access should be included, arguing that these market
participants could present systemic risks to the market and had ``a
significant footprint in the markets.'' \139\ Others stated that
broker-dealers should be SCI entities because 17 CFR 240.15c3-5 (``Rule
15c3-5'' or ``Market Access Rule''),\140\ requiring the implementation
of risk management and supervisory controls to limit risk associated
with routing orders to exchanges or ATSs, was not sufficient by itself,
as it does not address the reliability or integrity of the systems that
implement such controls.\141\ One commenter stated that Regulation SCI
should be extended to any trading platforms that transact significant
volume, including systems that are not required to register as an ATS
because all executions are against the bids and offers of a single
dealer.\142\ In contrast, other commenters argued that broker-dealers
should not be subject to Regulation SCI because they must comply with
other Exchange Act and FINRA rules and the proposed Regulation SCI
requirements would be ``duplicative and unduly burdensome.'' \143\ At
adoption, the Commission stated that ``should [it] decide to propose to
apply the requirements of Regulation SCI to [broker-dealer operations
other than ATSs, it] would issue a separate release discussing such a
proposal and would take these comments into account.'' \144\
---------------------------------------------------------------------------
\137\ See SCI Adopting Release, supra note 1, at 72365.
\138\ See id. (citing letter from the New York Stock Exchange,
Inc. (``NYSE'')).
\139\ See id. (citing letters from Liquidnet, Inc., David Lauer,
and R.T. Leuchtkafer).
\140\ See 17 CFR 240.15c3-5.
\141\ See SCI Adopting Release, supra note 1, at 72365 (citing
letters from David Lauer and the NYSE).
\142\ See id. (citing letter from BlackRock at 4, in which
BlackRock stated that trading systems that ``transact significant
volume'' are ``venues that have a meaningful role and impact on the
equity market'').
\143\ See id.
\144\ SCI Adopting Release, supra note 1, at 72366.
---------------------------------------------------------------------------
In considering expansion of Regulation SCI to broker-dealers or
broker-dealer operations beyond SCI ATSs, the Commission has considered
the extent to which current Commission and FINRA rules affect how
broker-dealers design and review their systems for capacity, integrity,
resiliency, availability, and/or security adequate to maintain
operational capability and promote the maintenance of fair and orderly
markets and compliance with federal securities laws and regulations,
and whether additional technology oversight is appropriate for certain
broker-dealers based on the magnitude of their activity in the markets
today.\145\ The Commission proposes to apply Regulation SCI to a
limited number of the approximately 3,500 broker-dealers registered
with the Commission. The proposed thresholds are designed to identify
firms that, by virtue of their total assets or level of transaction
activity over a period of time and on a consistent basis, play a
significant role in the orderly functioning of U.S. securities markets.
The thresholds are designed to identify firms that, if adversely
affected by a technology event, could disrupt or impede orderly and
efficient market operations more broadly.
---------------------------------------------------------------------------
\145\ As noted above, the concurrently issued Exchange Act
Cybersecurity Proposal would establish minimum ``cybersecurity
rules'' for all broker-dealers. That proposal does not, however,
independently address weaknesses in broker-dealer operational
capacity or resiliency not attributable to cybersecurity breaches.
---------------------------------------------------------------------------
ii. Current Regulatory Oversight of Broker-Dealer Systems Technology
There are a number of Commission and FINRA rules that affect how
broker-dealers design and maintain their technology and promote
business continuity and regulatory compliance.\146\ Although these
rules may support the goal of more resilient broker-dealer systems,
they are not designed to address the same concerns that Regulation SCI
addresses and are not a substitute for Regulation SCI.\147\
---------------------------------------------------------------------------
\146\ 17 CFR 240.3a1-1(a)(2) (``Rule 3a1-1(a)(2)''), exempts
from the Exchange Act section 3(a)(1) definition of ``exchange'' an
organization, association, or group of persons that complies with
Regulation ATS. All such exempted ATSs must be a registered broker-
dealer and become a member of an SRO, which typically is FINRA.
Accordingly, FINRA rules applicable to broker-dealers apply to ATSs.
A similar discussion of FINRA rules applicable to ATSs appears in
the SCI Adopting Release, supra note 1, at 72263.
\147\ See infra notes 148-166 and accompanying text. See also
SCI Adopting Release, supra note 1, at 72263 (n. 115 and
accompanying text), 72365 (discussing comments received).
---------------------------------------------------------------------------
As some commenters on the SCI Proposing Release stated, the Market
Access Rule is relevant to certain broker-dealer systems. The Market
Access Rule requires broker-dealers with market access to implement, on
a market-wide basis, effective financial and regulatory risk management
controls and supervisory procedures reasonably designed to limit
financial exposure and ensure compliance with applicable regulatory
requirements, and thus seeks to address, among other things, certain
risks posed to the markets by broker-dealer systems.\148\ Pursuant to
the Market Access Rule, a broker or dealer with market access, or that
provides a customer or any other
[[Page 23159]]
person with access to a national securities exchange or ATS through use
of its market participant identifier or otherwise, must establish,
document, and maintain a system of risk management controls and
supervisory procedures reasonably designed to manage the financial,
regulatory, and other risks of this business activity.\149\ The Market
Access Rule specifies standards for financial and regulatory risk
management controls and supervisory procedures.\150\ It requires that
the financial risk management controls and supervisory procedures must
be reasonably designed to limit systematically the financial exposure
of the broker or dealer that could arise from market access.\151\ In
addition, the Market Access Rule requires that regulatory risk
management controls and supervisory procedures be reasonably designed
to ensure compliance with all regulatory requirements.\152\ As such,
the focus of the Market Access Rule requires controls to prevent
technology and other errors that can create some of the more
significant risks to broker-dealers and the markets, namely those that
arise when a broker-dealer enters orders into a national securities
exchange or ATS, including when it provides sponsored or direct market
access to customers or other persons, where the consequences of such an
error can rapidly magnify and spread throughout the markets. Further,
the Market Access Rule requires specific controls and procedures around
a broker-dealer entering orders on a national securities exchange or
ATS that Regulation SCI does not and would not prescribe.
---------------------------------------------------------------------------
\148\ See Securities Exchange Act Release No. 63241 (Nov. 3,
2010), 75 FR 69792 (Nov. 15, 2010) (``Market Access Release'').
Under 17 CFR 240.15c3-5(a)(1) (``Rule 15c3-5(a)(1)''), ``market
access'' is defined to mean: (i) access to trading in securities on
an exchange or ATS as a result of being a member or subscriber of
the exchange or ATS, respectively; or (ii) access to trading in
securities on an ATS provided by a broker-dealer operator of an ATS
to a non-broker-dealer. See 17 CFR 240.15c3-5(a)(1). In adopting
Rule 15c3-5(a)(1), the Commission stated that ``the risks associated
with market access . . . are present whenever a broker-dealer trades
as a member of an exchange or subscriber to an ATS, whether for its
own proprietary account or as agent for its customers, including
traditional agency brokerage and through direct market access or
sponsored access arrangements.'' See Market Access Release at 69798.
As such, the Commission stated that ``to effectively address these
risks, Rule 15c3-5 must apply broadly to all access to trading on an
Exchange or ATS.'' Id.
\149\ See 17 CFR 240.15c3-5(b).
\150\ See 17 CFR 240.15c3-5(c).
\151\ See 17 CFR 240.15c3-5(c)(1).
\152\ See 17 CFR 240.15c3-5(c)(2). See also 17 CFR 240.15c3-
5(a)(2) (defining ``regulatory requirements'' to mean all Federal
securities laws, rules and regulations, and rules of self-regulatory
organizations, that are applicable in connection with market
access).
---------------------------------------------------------------------------
In contrast, the policies and procedures required by Regulation SCI
apply broadly to technology that supports trading, clearance and
settlement, order routing, market data, market regulation, and market
surveillance and, among other things, address their overall capacity,
integrity, resilience, availability, and security independent of market
access. Whereas the Market Access Rule prescribes specific controls and
procedures around a broker-dealer entering orders on an exchange or
ATS, it is not designed to ensure that the key technology pervasive and
important to the functioning of the U.S. securities markets is robust,
resilient, and secure.\153\ Among other requirements, the policies and
procedures requirements of Regulation SCI are designed to help ensure
that the systems of SCI entities are adequate to maintain operational
capability independent of any specific SCI event (i.e., a systems issue
such as a systems disruption, systems intrusion, or systems compliance
issue). Further, the SCI review requirement obligates an SCI entity to
assess the risks of its systems and effectiveness of its technology
controls at least annually, identify weaknesses, and ensure compliance
with the safeguards of Regulation SCI. The Market Access Rule and
Regulation SCI, therefore, have different requirements and would
operate in conjunction with each other to help ensure that SCI broker-
dealer SCI systems, whether used for access to the national securities
exchanges or ATSs or not, are robust, resilient, and secure.
---------------------------------------------------------------------------
\153\ See also supra note 141 and accompanying text.
---------------------------------------------------------------------------
Broker-dealers are also subject to the Commission's financial
responsibility rules (17 CFR 240.15c3-1 (``Rule 15c3-1'') and 17 CFR
240.15c3-3 (``Rule 15c3-3'')) under the Exchange Act. Rule 15c3-1
requires broker-dealers to maintain minimum amounts of net capital,
ensuring that the broker-dealer at all times has enough liquid assets
to promptly satisfy all creditor claims if the broker-dealer were to go
out of business.\154\ Rule 15c3-3 imposes requirements relating to
safeguarding customer funds and securities.\155\ These rules provide
protections for broker-dealer counterparties and customers and can help
to mitigate the risks to, and impact on, customers and other market
participants by protecting them from the consequences of financial
failure that may occur because of a systems issue at a broker-dealer,
and thus have a different scope and purpose from Regulation SCI.\156\
---------------------------------------------------------------------------
\154\ See 17 CFR 240.15c3-1.
\155\ See 17 CFR 240.15c3-3.
\156\ Similarly, 17 CFR 248.30 (``Rule 30'' of Regulation S-P),
which requires registered brokers and dealers to have written
policies and procedures that are reasonably designed to safeguard
customer records and information--to insure their security and
confidentiality, protect against threats or hazards to their
security and integrity and protect against unauthorized access or
use that could result in substantial harm or inconvenience to any
customer--is not designed to help ensure operational capability of
market related systems. In addition, 17 CFR 248.201 (``Regulation S-
ID'') requires financial institutions or creditors (defined to
include registered broker-dealers) that have one or more covered
accounts, as defined in 17 CFR 248.201(b)(3) (e.g., brokerage
account), to develop and implement a written identity theft
prevention program to detect, prevent, and mitigate identity theft
in connection with covered accounts that includes policies and
procedures to identify and incorporate red flags into the program,
detect and respond to red flags, and incorporate periodic updates to
the program. This rule, however, is also not designed to ensure
operational capability of market related systems.
---------------------------------------------------------------------------
Pursuant to 17 CFR 240.17a-3 (``Rule 17a-3'' under the Exchange
Act) and 17 CFR 240.17a-4 (``Rule 17a-4'' under the Exchange Act),
broker-dealers are required to make and keep current records detailing,
among other things, securities transactions, money balances, and
securities positions.\157\ A systems issue at a broker-dealer would not
excuse the broker-dealer for noncompliance with these
requirements.\158\ Further, a broker-dealer that fails to make and keep
current the records required by Rule 17a-3 must give notice to the
Commission of this fact on the same day and, thereafter, within 48
hours transmit a report to the Commission stating what the broker-
dealer has done or is doing to correct the situation.\159\ Regulation
SCI, however, more directly addresses mitigating the impact of
technology failures with respect to SCI systems and indirect SCI
systems (which include systems that are not used to make and keep
current the records required by Rule 17a-3). Specifically, it requires
notifications to the Commission for a different set of events--systems
intrusions, systems compliance issues, and systems disruptions--than
the notification requirements of 17 CFR 240.17a-11 (``Rule 17a-11''),
and is therefore not duplicative of Rule 17a-11. In addition, it
requires that, when an SCI event has occurred, an SCI entity must begin
to take appropriate corrective action which must include, at a minimum,
mitigating potential harm to investors and market integrity resulting
from the SCI event and devoting adequate resources to remedy the SCI
event as soon as reasonably practicable.
---------------------------------------------------------------------------
\157\ See 17 CFR 240.17a-3; 17 CFR 240.17a-4.
\158\ See, e.g., Securities Exchange Act Release No. 40162 (July
2, 1998), 63 FR 37668 (July 13, 1998) (stating that computer systems
with ``Year 2000 Problems'' may be deemed not to have accurate and
current records and be in violation of Rule 17a-3).
\159\ See 17 CFR 240.17a-11.
---------------------------------------------------------------------------
FINRA also has several rules that are similar to, but take a
different approach from, Regulation SCI. For example, FINRA Rule 4370
requires that each broker-dealer create and maintain a written business
continuity plan identifying procedures relating to an emergency or
significant business disruption that are reasonably designed to enable
them to meet their existing obligations to customers. The procedures
must also address the broker-dealer's existing relationships
[[Page 23160]]
with other broker-dealers and counterparties. A broker-dealer is
required to update its plan in the event of any material change to the
member's operations, structure, business, or location and must conduct
an annual review of its business continuity plan to determine whether
any modifications are necessary in light of changes to the member's
operations, structure, business, or location. The rule sets forth
general minimum elements that a broker-dealer's business continuity
plan must address.\160\
---------------------------------------------------------------------------
\160\ Specifically, FINRA Rule 4370 requires that each plan
must, at a minimum, address: data back-up and recovery; all mission
critical systems; financial and operational assessments; alternate
communications between customers and the member; alternate
communications between the member and its employees; alternate
physical location of employees; critical business constituent, bank,
and counter-party impact; regulatory reporting; communications with
regulators; and how the member will assure customers' prompt access
to their funds and securities in the event that the member
determines that it is unable to continue its business.
---------------------------------------------------------------------------
This rule is akin to Regulation SCI's Rule 1001(a)(2)(v) requiring
policies and procedures for business continuity and disaster recovery
plans.\161\ However, unlike Regulation SCI, the FINRA rule does not
include the requirement that the business continuity and disaster
recovery plans be reasonably designed to achieve next business day
resumption of trading and two-hour resumption of critical SCI systems
following a wide-scale disruption, nor does it require the functional
and performance testing and coordination of industry or sector-testing
of such plans, which are instrumental in achieving the goals of
Regulation SCI with respect to SCI entities.\162\ In addition, FINRA
Rule 4370 contains certain provisions that Regulation SCI does
not.\163\ For example, a broker-dealer must disclose to its customers
through public disclosure statements how its business continuity plan
addresses the possibility of a future significant business disruption
and how the member plans to respond to events of varying scope.\164\
Accordingly, FINRA Rule 4370 and Regulation SCI would operate in
conjunction with one another to help ensure that an SCI broker-dealer
has business continuity and disaster recovery plans to achieve the
goals of each rule.
---------------------------------------------------------------------------
\161\ See SCI Adopting Release, supra note 1, at 72263-64.
\162\ Id.
\163\ See supra note 160.
\164\ See FINRA Rule 4370(e).
---------------------------------------------------------------------------
FINRA Rule 3110(b)(1) requires each broker-dealer to establish,
maintain, and enforce written procedures to supervise the types of
business in which it engages and to supervise the activities of
registered representatives, registered principals, and other associated
persons that are reasonably designed to achieve compliance with
applicable securities laws and regulations.
This supervisory obligation extends to member firms' outsourcing of
certain ``covered activities''--activities or functions that, if
performed directly by a member firm, would be required to be the
subject of a supervisory system and written supervisory procedures
pursuant to FINRA Rule 3110.\165\ This rule is broadly similar to Rule
1001(b) of Regulation SCI regarding policies and procedures to ensure
systems compliance. However, unlike Rule 1001(b), which focuses on
ensuring that an entity's systems operate in compliance with the
Exchange Act, the rules and regulations thereunder, and the entity's
rules and governing documents, this FINRA rule does not specifically
address compliance of broker-dealers' systems. Further, this provision
does not cover more broadly policies and procedures akin to those in
Rule 1001(a) of Regulation SCI regarding ensuring the SCI entity's
operational capability. FINRA Rule 3110(b)(1) and Regulation SCI would
operate in conjunction to help ensure that the SCI systems of SCI
broker-dealers, including those operated by third parties, are robust,
resilient, and operate as intended.
---------------------------------------------------------------------------
\165\ See FINRA, Regulatory Notice 21-29: Vendor Management and
Outsourcing (Aug. 13, 2021), available at https://www.finra.org/sites/default/files/2021-08/Regulatory-Notice-21-29.pdf; FINRA,
Notice to Members 05-48: Outsourcing (July 2005), available at
https://www.finra.org/sites/default/files/NoticeDocument/p014735.pdf.
---------------------------------------------------------------------------
FINRA Rule 3130 requires a broker-dealer's chief compliance officer
to certify annually that the member has in place processes to
establish, maintain, review, test, and modify written policies and
procedures reasonably designed to achieve compliance with applicable
FINRA rules, MSRB rules, and federal securities laws and regulations.
This rule is similar to Rule 1001(b) of Regulation SCI regarding
policies and procedures to ensure systems compliance; however, like
FINRA Rule 3130(b)(1), it does not specifically address compliance of
broker-dealers' systems, and does not require similar policies and
procedures to those in Rule 1001(a) of Regulation SCI regarding
operational capability of SCI entities. Therefore, FINRA Rule 3130 and
Regulation SCI would operate in conjunction with each other to help
ensure compliance with applicable law.
FINRA Rule 4530 imposes a regime for reporting certain events to
FINRA, including, among other things, compliance issues and other
events where a broker-dealer has concluded, or should have reasonably
concluded, that a violation of securities or other enumerated law,
rule, or regulation of any domestic or foreign regulatory body or SRO
has occurred. This requirement is similar to Regulation SCI's reporting
requirements under Rule 1002 with respect to systems compliance issues;
however, it does not cover reporting of systems disruptions and systems
intrusions that did not also involve a violation of a securities law,
rule, or regulation. Further, the FINRA reporting rule differs from the
Commission notification requirements with respect to the scope, timing,
content and required recipient of the reports. FINRA Rule 4530
addressing reporting of certain issues to FINRA is thus not duplicative
of Regulation SCI, which, among other things, was designed to enhance
direct Commission oversight of entities designated as key entities
because they play a significant role in the U.S. securities markets.
Additionally, while regulations and associated guidance applicable
to bank holding companies promulgated by the Federal Reserve Board and
other bank regulators address operational resilience, their direct
application is to bank holding companies rather than broker-dealers
registered with the Commission. For example, a 2020 interagency paper
issued by the Federal Reserve Board, the Office of the Comptroller of
the Currency, and the Federal Deposit Insurance Corporation sets forth
``sound practices'' for the largest, most complex firms, including U.S.
bank holding companies, to follow to strengthen their operational
resilience. While this publication offers key strategies for covered
entities to follow to remain resilient, many of which are similar to
what Regulation SCI requires, they are not mandatory for registered
broker-dealers.\166\ Thus,
[[Page 23161]]
although some Exchange Act and FINRA rules other than Regulation SCI
support the goal of robust and resilient broker-dealer systems, the
Commission believes that additional protections, reporting of systems
problems, and direct Commission oversight of broker-dealer technology
is appropriate for the largest broker-dealers.
---------------------------------------------------------------------------
\166\ See Federal Reserve Board, SR 20-24: Interagency Paper on
Sound Practices to Strengthen Operational Resilience (Nov. 2, 2020),
(``Banking Interagency Paper''), available at https://www.federalreserve.gov/supervisionreg/srletters/SR2024.htm (``To
help large and complex domestic firms address unforeseen challenges
to their operational resilience, the sound practices are drawn from
existing regulations, guidance, and statements as well as common
industry standards that address operational risk management,
business continuity management, third-party risk management,
cybersecurity risk management, and recovery and resolution
planning.''). The paper applies to national banks, state member
banks, state nonmember banks, savings associations, U.S. bank
holding companies, and savings and loan holding companies that have
average total consolidated assets greater than or equal to (a) $250
billion or (b) $100 billion and have $75 billion or more in average
cross-jurisdictional activity, average weighted short-term wholesale
funding, average nonbank assets, or average off-balance sheet
exposure. As discussed below, the Commission's proposed approach to
identifying SCI broker-dealers similarly takes into account the size
of the firm, as measured by a total assets threshold and/or market
activity thresholds.
---------------------------------------------------------------------------
iii. Proposed Thresholds for an ``SCI Broker-Dealer''
Overview
As proposed, Regulation SCI would apply to a limited number of
broker-dealers that satisfy: (i) a total assets threshold, or (ii) one
or more transaction activity thresholds.
The Commission preliminarily believes that a broker-dealer that
meets the proposed thresholds for assets or transaction activity,
whether operating in multiple markets or predominantly in a single
market, that becomes unreliable or unavailable due to a systems issue,
risks disrupting fair and orderly market functioning.
Current Regulation SCI applies to all national securities exchanges
and certain significant-volume ATSs, all of which are highly dependent
on sophisticated automated and interconnected systems. As electronic
trading has grown, and continues to grow in some asset classes, many
broker-dealers are similarly dependent on sophisticated and
interconnected automated systems.\167\ These broker-dealer systems
contribute to the orderly functioning of U.S. securities markets,
encompassing, for example, systems for trading and quoting, order
handling, dissemination and processing of market data, and the process
of clearance and settlement.
---------------------------------------------------------------------------
\167\ For example, see Algorithmic Trading Report, supra note 3
(discussing many uses of computer systems in contemporary markets,
particularly with respect to the trading of equity and debt
securities).
---------------------------------------------------------------------------
An ``SCI broker-dealer'' would be a broker or dealer registered
with the Commission pursuant to section 15(b) of the Exchange Act
which:
In at least two of the four preceding calendar quarters,
ending March 31, June 30, September 30, and December 31, reported to
the Commission, on Form X-17A-5 (Sec. 249.617),\168\ total assets in
an amount that equals five percent (5%) or more of the total assets of
all security brokers and dealers; or \169\
---------------------------------------------------------------------------
\168\ Broker-dealers that file Form X-17A-5 on a monthly basis
would use their total assets, as reported on Item 940 of Form X-17A-
5, for the months ending Mar. 31, June 30, Sept. 30, and Dec. 31.
Broker-dealers that file Form X-17A-5 on a quarterly basis would use
their total assets, as reported on Item 940 of Form X-17A-5, for the
quarters ending Mar. 31, June 30, Sept. 30, and Dec. 31.
\169\ See definition of SCI broker-dealer in proposed amended
Rule 1000. The term ``total assets of all security brokers and
dealers'' would, for purposes of this threshold, mean the total
assets calculated and made publicly available by the Board of
Governors of the Federal Reserve, or any subsequent provider of such
information, for the associated preceding calendar quarter. Id. See
supra note 127; infra text accompanying notes 181-185.
---------------------------------------------------------------------------
During at least four of the preceding six calendar months:
[cir] With respect to transactions in NMS stocks, transacted
average daily dollar volume in an amount that equals ten percent (10%)
or more of the average daily dollar volume \170\ reported by or
pursuant to applicable effective transaction reporting plans, provided,
however, that for purposes of calculating its activity in transactions
effected otherwise than on a national securities exchange or on an
alternative trading system, the broker-dealer shall exclude
transactions for which it was not the executing party; or
---------------------------------------------------------------------------
\170\ For June 2022, the average daily dollar volume in NMS
stocks, as reported by applicable effective transaction reporting
plans, was approximately $560 billion, with 10% of that reflecting
approximately $56 billion.
---------------------------------------------------------------------------
[cir] With respect to transactions in exchange-listed options
contracts, transacted average daily dollar volume in an amount that
equals ten percent (10%) or more of the average daily dollar volume
\171\ reported by an applicable effective national market system plan;
or
---------------------------------------------------------------------------
\171\ For June 2022, the average daily dollar volume in
exchange-listed options contracts, as reported by an applicable
effective national market system plan, was approximately $23.8
billion, with 10% of that reflecting approximately $2.4 billion.
---------------------------------------------------------------------------
[cir] With respect to transactions in U.S. Treasury Securities,
transacted average daily dollar volume in an amount that equals ten
percent (10%) or more of the total average daily dollar volume \172\
made available by the self-regulatory organizations \173\ to which such
transactions are reported; or
---------------------------------------------------------------------------
\172\ For June 2022, the average daily dollar volume in U.S
Treasury Securities, according to FINRA TRACE data, was
approximately $634.1 billion, with 10% of that reflecting
approximately $63.4 billion.
\173\ Currently, there is one self-regulatory organization to
which transactions in U.S Treasury Securities are reported (i.e.,
FINRA).
---------------------------------------------------------------------------
[cir] With respect to transactions in Agency Securities, transacted
average daily dollar volume in an amount that equals ten percent (10%)
or more of the total average daily dollar volume \174\ made available
by the self-regulatory organizations \175\ to which such transactions
are reported.
---------------------------------------------------------------------------
\174\ For June 2022, the average daily dollar volume in Agency
Securities, according to FINRA TRACE data was approximately $223
billion, with 10% of that reflecting approximately $22.3 billion.
\175\ Currently, there is one self-regulatory organization to
which transactions in U.S Treasury Securities are reported (i.e.,
FINRA) and one organization to which transactions in Agency
securities are reported (i.e., FINRA).
---------------------------------------------------------------------------
An SCI broker-dealer would be required to comply with the
requirements of Regulation SCI six months after the SCI broker-dealer
satisfied either threshold for the first time.
The proposed thresholds are designed to identify the largest U.S.
broker-dealers. To assess which broker-dealers should be subject to
Regulation SCI,\176\ the Commission has taken into account the size of
registered broker-dealers based on analyses of: (i) total assets
reported on Form X-17A-5 (Financial and Operational Combined Uniform
Single (``FOCUS'') Report Part II, Item 940),\177\ and (ii) transaction
activity in certain asset classes.
---------------------------------------------------------------------------
\176\ See supra note 82 and accompanying text.
\177\ See Form X-17A-5, FOCUS Report, Part II, at 3, available
at https://www.sec.gov/files/formx-17a-5_2_2.pdf (requiring broker-
dealers to report their total assets in Item 940).
---------------------------------------------------------------------------
Proposed Total Assets Threshold
A broker-dealer would be an SCI broker-dealer and included in the
definition of SCI entity if, in at least two of the four preceding
calendar quarters ending March 31, June 30, September 30, and December
31, it reported to the Commission on Form X-17A-5, FOCUS Report Part
II, Item 940 total assets in an amount that equals five percent or more
of the total assets of all security brokers and dealers. Congress and
multiple regulators have used total assets as a factor in assessing
whether an entity warrants heightened oversight. For example, under the
Dodd-Frank Act, the Financial Stability Oversight Council (``FSOC'')
considers financial assets as one factor to determine whether a U.S.
non-bank financial services company is supervised by the Federal
Reserve Board and subject to enhanced prudential standards.\178\
Furthermore, the Dodd-Frank Act requires the Federal Reserve Board to
establish enhanced prudential standards for bank holding companies over
a certain threshold of total assets.\179\ Additionally, the Federal
[[Page 23162]]
Deposit Insurance Corporation (``FDIC'') increases its Deposit
Insurance Fund assessment for large and highly complex institutions as
compared to small banks.\180\
---------------------------------------------------------------------------
\178\ See Dodd-Frank Act section 113(a)(2), 12 U.S.C.
5323(a)(2).
\179\ See Dodd-Frank Act section 165, 12 U.S.C. 5365(a)(1). See
also Federal Reserve Board, Prudential Standards for Large Bank
Holding Companies, Savings and Loan Holding Companies, and Foreign
Banking Organizations, 84 FR 59032 (Nov. 1, 2019), and Federal
Reserve Board, Changes to Applicability Thresholds for Regulatory
Capital and Liquidity Requirements, 84 FR 59230 (Nov. 1, 2019). See
SCI Adopting Release, supra note 1, at 72259, and also definition of
``critical SCI systems'' in 17 CFR 142.1000.
\180\ See FDIC, Deposit Insurance Fund, Assessment Rates &
Methodology (last updated July 20, 2021), available at https://www.fdic.gov/resources/deposit-insurance/deposit-insurance-fund/dif-assessments.html.
---------------------------------------------------------------------------
Although a broker-dealer's total assets alone could be used as the
proposed rule's measure of an entity's size and significance, to ensure
that a total assets measure reflects significant activity in relative
terms, the Commission proposes to scale each broker-dealer's total
assets (the numerator) to a quarterly measure of ``total assets of all
security brokers and dealers,'' as calculated by the Federal Reserve
Board (the denominator).\181\ The firm's total assets filed on FOCUS
reports (of which each firm has current and direct knowledge) would be
divided by the broader measure of total assets for all securities
brokers and dealers calculated and made publicly available by the
Federal Reserve Board, or any subsequent provider of such information,
for the purpose of comparing the size of a broker-dealer to the group
of entities tracked by the Federal Reserve Board.\182\ The Commission
understands that the Federal Reserve Board publishes total assets for
all security brokers and dealers approximately ten weeks after the end
of the quarter (e.g., 2022 third quarter results ((for quarter ending
September 30, 2022)) were published on December 13, 2022). Therefore,
the information for the preceding quarter should be available prior to
the date on which the firm's FOCUS report is required to be filed with
the Commission for the relevant quarter. To enable each firm to
calculate whether it exceeds the threshold at the time it files its
FOCUS report (which is due 17 days after the end of the quarter/
month),\183\ broker-dealers would compare their total assets to the
previous quarter on or before the FOCUS report filing deadline.
Accordingly, to assess whether it exceeds the threshold for a relevant
calendar quarter, a broker-dealer would divide its total assets
reported on Form X-17A-5, FOCUS Report Part II, Item 940 for that
quarter by the total assets of all security brokers and dealers for the
preceding quarter, as made available by the Federal Reserve.\184\
Although it is possible that the total assets of all security brokers
and dealers could increase or decrease sharply from one quarter to the
next, the FRED data shows that this has occurred rarely and that the
asset totals in the Federal Reserve Board's data generally do not
change significantly from quarter to quarter.\185\ The Commission
therefore believes that overall, the data made available by the Federal
Reserve Board is an appropriate and consistent figure for use as a
denominator in the proposed threshold.\186\
---------------------------------------------------------------------------
\181\ See supra note 127. This figure has been calculated by the
Federal Reserve Board and made available on the Federal Reserve
Economic Data (FRED) website for many years. As stated above, the
total assets figure calculated by the Federal Reserve Board is based
on the information reported to the Commission by ``security broker-
dealers'' on either the FOCUS report or the FOGS report. See id.
\182\ Id.
\183\ Form X-17A-5 must be filed within 17 business days after
the end of each calendar quarter, within 17 business days after the
end of the fiscal year where that date is not the end of a calendar
quarter, and/or monthly, in accordance with 17 CFR 240.17a-5,
240.17a-12, or 240.18a-7, as applicable. See Instructions to Form X-
17A-5, FOCUS Report, Part II, at 2, available at https://www.sec.gov/files/formx-17a-5_22.pdf.
\184\ See supra note 127. For example, to assess whether it
exceeds the threshold for the calendar quarter ending Dec. 31, a
broker-dealer would divide its total assets reported Form X-17A-5,
FOCUS Report Part II, Item 940 for the quarter ending Dec. 31, and
divide that by the total assets of security brokers and dealers for
the third quarter (ending Sept. 30) of the same year, as obtained
from the Federal Reserve Board. If a broker-dealer reported $350
billion, $385 billion, $359 billion, and $386 billion in total
assets on its FOCUS reports for Q4 2022, Q3 2022, Q2 2022, and Q1
2022, respectively, the broker-dealer would divide its total assets
for each quarter by 5.07 trillion (for Q3 2022), $5.07 trillion (for
Q2 2022), $5.23 trillion (for Q1 2022), and $4.96 trillion (for Q1
2021), respectively. See infra note 185. The broker-dealer's total
assets as a percentage of the total assets of all security broker-
dealers would be 6.9% for Q4 2022, 7.6% for Q3 2022. 6.9% for Q2
2022, and 7.8% for Q1 2022. In all four quarters, the broker-dealer
would exceed the 5% threshold and therefore meet the definition of
SCI broker-dealer.
\185\ See Board of Governors of the Federal Reserve System (US),
Security Brokers and Dealers; Total Assets (Balance Sheet), Level
[BOGZ1FL664090663Q], retrieved from FRED, Federal Reserve Bank of
St. Louis; https://fred.stlouisfed.org/series/BOGZ1FL664090663Q. The
total assets data from the Federal Reserve shows a sharp drop at the
time of the financial crisis, from Q3 2008 to Q4 2008. See id. More
recent data show total assets for all security-broker dealers for
purpose of the proposed denominator in recent quarters in trillion
dollars as follows: Q3 2022: 5.07 trillion; Q2 2022: $5.07 trillion;
Q1 2022: $5.23 trillion; Q4 2021: $4.96 trillion; Q3 2021: $5.05
trillion; Q2 2021: $4.94 trillion. See id.
\186\ The Federal Reserve Board data includes total assets
reported on both FOCUS and FOGS forms. Its use would result in a
conservative number of broker-dealers meeting the total assets
threshold (i.e., because elimination of FOGS data would reduce the
size of the denominator). The Commission solicits comment below on
whether another figure would be a more appropriate and useful
measure for determining if a broker-dealer is in the top 5% of all
broker-dealers in terms of its total assets, and if a percentage
threshold is better measure than a dollar measure.
---------------------------------------------------------------------------
If a firm meets or exceeds the threshold in two of the four
preceding calendar quarters, it would be required to comply with
Regulation SCI beginning six months after the end of the quarter in
which the SCI broker-dealer satisfied the proposed asset threshold for
the first time. Based on data from recent quarters, at the proposed
threshold, a broker-dealer registered with the Commission pursuant to
section 15(b) of the Exchange Act and having total assets on its
balance sheet in excess of approximately $250 billion in two of the
preceding four calendar quarters would be an SCI broker-dealer for as
long as it continued to satisfy the threshold.\187\
---------------------------------------------------------------------------
\187\ As a specific example, based on totals retrieved from FRED
(see supra note 127) a broker-dealer assessing its total assets in
Dec. 2022 would determine if that level exceeded 5% of total assets
in two of the preceding four quarters (approximately $253 billion,
$253 billion, $261 billion, and $248 billion, for Q3 of 2022, Q2 of
2022, Q1 of 2022, and Q4 of 2021, respectively). See also Banking
Interagency Paper, supra note 166 (applicable to banking
institutions having in excess of an average of $250 billion in total
assets).
---------------------------------------------------------------------------
The Commission believes that the proposed threshold of five percent
of total assets is a reasonable approach to identifying the largest
broker-dealers. In addition to its broad consistency with the approach
taken by banking regulators,\188\ this approach takes into
consideration the multiple roles that the largest broker-dealers play
in the U.S. securities markets. Not only do the largest broker-dealers
generate liquidity in multiple types of securities, but many also
operate multiple types of trading platforms.\189\ Further, entities
with assets at this level also take risk that they seek to hedge, in
some cases using ``central risk books'' for that and other purposes,
and engage in routing substantial order flow to other trading
venues.\190\ For these reasons, the
[[Page 23163]]
Commission believes that systems issues at firms having assets at this
level would have the potential to impact investors, the overall market,
and the trading of individual securities, and that therefore their
market technology should be subject to the requirements and safeguards
of Regulation SCI. The threshold is designed to be appropriately high
enough to ensure that only the largest broker-dealers are subject to
the obligations, and associated burdens and costs, of Regulation SCI.
It is also designed to be a relative measure that does not become
outdated over time, as the size of the overall market expands or
contracts.
---------------------------------------------------------------------------
\188\ See, e.g., supra notes 166 and 187 (discussing Banking
Interagency Paper).
\189\ For a broad discussion of these roles, see, e.g.,
Rosenblatt Securities, 2022 US Equity Trading Venue Guide (May 24,
2022) (discussing among other things the features of single-dealer
platforms for equity securities that are operated by broker-
dealers); Regulation of NMS Stock Alternative Trading Systems,
Securities Exchange Act Release No. 83663 (July 18, 2018), 83 FR
38768 at 38770-72 (Aug. 7, 2018) (discussing among other things the
operational complexity of multi-service broker-dealer with
significant brokerage and dealing activity apart from operation of
one or more ATSs).
\190\ See, e.g., Rosenblatt Securities, Central Risk Books: What
the Buy Side Needs to Know (Oct. 18, 2018) (stating that all of the
biggest bank-affiliated broker-dealers have some form of central
risk book and that the ``critical mass of order flow or principal
activity, spread across asset classes and regions'' may not justify
the operation of these books for smaller more focused firms). See
also Algorithmic Trading Report, supra note 3, at 41-42 (describing
central risk books as an important source of block liquidity). All
of the firms that satisfy the proposed total assets threshold also
satisfy at least one of the proposed trading activity thresholds.
See infra text accompanying note 219.
---------------------------------------------------------------------------
As noted, the proposed total assets threshold for SCI broker-
dealers would include a proposed time period measurement of ``at least
two of the four preceding calendar quarters.'' Requiring that the
threshold is met in two out of the four preceding quarters would help
mitigate the effect of a steep increase/decrease in total assets in any
individual quarter.
Further, this measurement is designed to capture only the broker-
dealers that are consistently at or above the proposed five percent
threshold, and would not include a broker-dealer that may have had an
anomalous quarterly increase, so that a short-term spike in total
assets uncharacteristic of the broker-dealer's overall total asset
history would not cause it to become subject to Regulation SCI.
Although the Commission is also proposing a time period measurement of
``at least four of the preceding six calendar months'' for the trading
activity thresholds discussed below (consistent with the time period
measurement for SCI ATSs),\191\ using a quarterly measure for the total
asset threshold is appropriate because FOCUS reports are required at
least quarterly for all broker-dealers and the proposed scaling measure
is one that is updated quarterly. Based on its analysis of FOCUS
reports during the period from Q4 2021 through Q3 2022, the Commission
estimates that five entities would exceed the proposed threshold (with
the fifth-ranked firm in each quarter reporting total assets in excess
of $300 billion, and all firms ranging from approximately seven to 14
percent of the total assets reported by the Federal Reserve Board for
the previous quarter), and further anticipates that this threshold
would result in little, if any, variation in which firms exceed the
threshold over the course of four calendar quarters.\192\
---------------------------------------------------------------------------
\191\ See Rule 1000 (definition of ``SCI ATS'') (providing a
time period measurement of ``at least four of the preceding six
calendar months'').
\192\ As with other entities that are SCI entities because they
satisfy a threshold (e.g., SCI ATSs), an SCI broker-dealer would no
longer be an SCI broker-dealer, and thus no longer be subject to
Regulation SCI, in the quarter when it no longer satisfies the total
assets test (i.e., it does not meet the threshold in two of the
previous four quarters). This assumes the broker-dealer also does
not meet or no longer satisfies the proposed transaction activity
threshold.
---------------------------------------------------------------------------
Proposed Transaction Activity Threshold
In the Commission's view, a broker-dealer's transaction activity is
another reasonable measure for estimating the significance of a broker-
dealer's role in contributing to fair and orderly markets. In several
asset classes, the transaction activity of each of a relatively small
number of broker-dealers constitutes a share of trading that could, if
affected by a systems issue, negatively impact fair and orderly
markets. For example, in NMS stocks, some broker-dealers constitute
significant concentrations of on-exchange trading, and some broker-
dealers execute off-exchange transactions at levels that rival or
exceed the volume of trading on current SCI entities.\193\ For listed
options, which are required to execute on a national securities
exchange, a small number of firms participate in a high proportion of
trades.\194\ Similarly, transaction reporting data for U.S. Treasury
Securities and Agency Securities reveal that a handful of broker-
dealers each represent a significant percentage of the average weekly
(for U.S. Treasury Securities) or daily (for Agency Securities) dollar
volume reported by FINRA (currently the only SRO to which such
transactions are reported).\195\
---------------------------------------------------------------------------
\193\ For example, in Sept. 2022, one broker-dealer executed a
greater proportion of shares in NMS stocks than all but two national
securities exchanges. See, e.g., FINRA, OTC Transparency Data,
available at https://otctransparency.finra.org/otctransparency;
CBOE, Historical Market Volume Data, available at https://www.cboe.com/us/equities/market_statistics/historical_market_volume/.
\194\ As discussed further below in this section, the Commission
estimates that six firms would satisfy the 10% options transaction
activity threshold.
\195\ As discussed further below in this section, the Commission
estimates that four firms would satisfy the 10% U.S. Treasury
Security transaction activity threshold, and six firms would satisfy
the 10% Agency Security transaction activity threshold.
---------------------------------------------------------------------------
Accordingly, the Commission is proposing to include as an SCI
entity any registered broker-dealer that, irrespective of the size of
its balance sheet, consistently engages in transaction activity at a
substantially high level in certain enumerated asset classes, scaled as
a percentage of total average daily dollar volume over a specified time
period.\196\ If a significant systems issue at a broker-dealer that
meets the proposed thresholds were to occur, the concern is that its
effect would have widespread impact, for example, by impeding the
ability of other market participants to trade securities in one or more
of the identified asset classes, interrupting the price discovery
process, or contributing to capacity issues at other broker-dealers.
Further, if executions were delayed by a systems disruption in an SCI
broker-dealer's trading, order routing, clearance and settlement, or
market data system, due to the magnitude of the proposed covered
transaction activity in which these firms consistently engage, the
delay could have cascading effects disruptive to the broader
market.\197\
---------------------------------------------------------------------------
\196\ As discussed further below, the Commission proposes that
average daily dollar volume be the denominator used as the scaling
measure for each relevant asset class. See infra notes 211-217 and
accompanying text (discussing entities that currently and may in the
future receive and make available transaction reports, or aggregated
volume statistics in NMS stocks, exchange-listed options, U.S.
Treasury Securities, and Agency Securities).
\197\ For example, capacity constraints, whether due to risk
management, or operational capability limitations of systems, could
limit how much one broker-dealer could handle a sudden increase in
order flow from a large broker-dealer. For context, based on
analysis of data from the Consolidated Audit Trail, in 2022, two
large market makers in NMS stocks engaged in over-the counter
transactions (all purchases and all sales effected otherwise than on
a national securities exchange or ATS) having a total dollar volume
of at least $37 billion on most trading days; with at least a
quarter of trading days in 2022 having total dollar volume of $42.3
billion or more, and all trading days having an average total dollar
volume of $37.3 billion. Counting volume across all venues (all
purchases and all sales effected over-the counter, on a national
securities exchange, or on ATS), these figures for the same two
firms, respectively, are: at least $82.2 billion, ($67.6 marked as
principal/riskless principal) on most trading days; at least $97.1
billion ($83.7 billion marked as principal/riskless principal) on at
least a quarter of the trading days; and $83.5 billion ($69.4
billion marked as principal/riskless principal) as the average for
all trading days.
---------------------------------------------------------------------------
The proposed transaction thresholds are broadly similar across
different types of securities. However, because of differences in
market structure, there are notable differences in the application of
the thresholds across types of securities.
Regulation SCI currently applies to, among other entities, national
securities exchanges for both listed equities and listed options, and
to ATSs trading significant volume in NMS stocks. A national securities
exchange and an ATS are a type of ``trading center,'' as that term is
defined in 17 CFR 242.600 through 242.614 (``Regulation NMS'').\198\
For purposes of counting
[[Page 23164]]
transaction activity in NMS stocks, the proposed thresholds are
anchored to broker-dealer activity conducted on or as a trading center.
Therefore, the Commission is proposing, with respect to the transaction
thresholds for NMS stocks, to include broker-dealer activity on
national securities exchanges and NMS Stock ATSs, as well as broker-
dealer activity as a trading center. Broker-dealer activity ``as a
trading center'' refers in this context to trading activity in NMS
stocks not effected on a national securities exchange or on an ATS, but
by the broker-dealer, where the broker-dealer is the executing party,
either as principal or as agent.\199\ A similar distinction is not made
for exchange-listed options contracts because those transactions are
executed on a national securities exchange.\200\
---------------------------------------------------------------------------
\198\ Rule 600 of Regulation NMS defines the term trading center
to mean: a national securities exchange or national securities
association that operates an SRO trading facility, an alternative
trading system, an exchange market maker, an OTC market maker, or
any other broker or dealer that executes orders internally by
trading as principal or crossing orders as agent. 17 CFR
242.600(b)(95).
\199\ See 17 CFR 242.600(a)(95), defining ``trading center'' to
include, among other entities, ``an OTC market maker, or any other
broker or dealer that executes orders internally by trading as
principal or crossing orders as agent.''
\200\ In some cases, matching of orders for exchange-listed
options occur on an ATS, with matches then routed to one or more
national securities exchange for execution.
---------------------------------------------------------------------------
The ``trading center'' term in Regulation NMS applies only to NMS
securities; however, there exist today electronic venues for fixed
income securities that perform similar functions as trading centers and
that are equally important to investors to execute trades in fixed
income securities. Such electronic trading venues, particularly for
U.S. Treasury Securities and Agency Securities (where electronic
trading is prevalent \201\), have developed from a market structure in
which electronic bilateral trading was and continues to be important.
For this reason, the Commission is proposing to include under the SCI
broker-dealer threshold all trades for U.S. Treasury Securities and
Agency Securities in which a broker-dealer may participate.
---------------------------------------------------------------------------
\201\ See Government Securities ATS Reproposal, supra note 84.
---------------------------------------------------------------------------
As proposed, an ``SCI broker-dealer'' would include a broker-dealer
that, during at least four of the preceding six calendar months: (i)
with respect to transactions in NMS stocks, transacted average daily
dollar volume in an amount that equals ten percent (10%) or more of the
average daily dollar volume reported by or pursuant to applicable
effective transaction reporting plans, provided, however, that for
purposes of calculating its activity in transactions effected otherwise
than on a national securities exchange or on an alternative trading
system, the broker-dealer shall exclude transactions for which it was
not the executing party; (ii) with respect to transactions in exchange-
listed options contracts, transacted average daily dollar volume in an
amount that equals ten percent (10%) or more of the average daily
dollar volume reported by an applicable effective national market
system plan; (iii) with respect to transactions in U.S. Treasury
Securities, transacted average daily dollar volume in an amount that
equals ten percent (10%) or more of the total average daily dollar
volume made available by the self-regulatory organizations to which
such transactions are reported; or (iv) with respect to transactions in
Agency securities, transacted average daily dollar volume in an amount
that equals ten percent (10%) or more of the total average daily dollar
volume made available by the self-regulatory organizations to which
such transactions are reported.\202\
---------------------------------------------------------------------------
\202\ The proposed definition of SCI broker-dealer does not
include a transaction activity threshold for equity securities that
are not NMS stocks and for which transactions are reported to an SRO
as a category in the proposed transaction activity threshold. The
size of this market, as currently measured, is substantially smaller
than the other asset classes enumerated. Based on its analysis of
data from the Consolidated Audit Trail, between Oct. 2021 and Sept.
2022, for example, the average daily dollar volume for this market
segment was approximately $2.6 billion. Nor do the proposed
amendments to Regulation SCI include Fixed Income ATSs or broker-
dealers that exceed a transaction activity threshold in corporate
debt or municipal securities. But see infra section III.A.3
(requesting comment on the matter).
---------------------------------------------------------------------------
The Commission proposes to add a definition of ``U.S. Treasury
Security'' and ``Agency Security'' to clarify how the transaction
activity threshold for these asset classes would operate.\203\ A ``U.S.
Treasury Security'' would mean a security issued by the U.S. Department
of the Treasury. ``Agency Security'' would mean a debt security issued
or guaranteed by a U.S. executive agency, as defined in 5 U.S.C. 105,
or government-sponsored enterprise, as defined in 2 U.S.C. 622(8).
These definitions are designed to provide the scope of securities an
SCI broker-dealer must include when assessing whether it has satisfied
the proposed transaction activity threshold. The proposed definitions
are similar to and consistent with those in FINRA's rules,\204\ to
avoid confusion and facilitate the comparison between data used to
create the numerator and denominator when assessing whether a broker-
dealer surpassed the U.S. Treasury Security or Agency Security
transaction thresholds.
---------------------------------------------------------------------------
\203\ The Commission believes that the terms NMS stock and
exchange-listed options are currently well understood. See Rule 600
of Regulation NMS (defining the terms NMS stock and NMS security and
distinguishing NMS stocks from listed options on the basis of how
transaction reports are made available).
\204\ See FINRA Rules 6710(l) and 6710(p). FINRA Rule 6710 also
establishes which securities are eligible for transaction reporting
to the ``Trade Reporting and Compliance Engine'' (TRACE), which is
the automated system developed by FINRA that, among other things,
accommodates reporting and dissemination of transaction reports
where applicable.
---------------------------------------------------------------------------
As is the case currently for the thresholds applicable to SCI
ATSs,\205\ the proposed thresholds for SCI broker-dealers would include
a proposed time period measurement of ``at least four of the preceding
six calendar months.'' Specifically, the proposed time measurement
period is designed to capture broker-dealers that consistently meet the
proposed thresholds and not capture broker-dealers with relatively low
transaction activity that may have had an anomalous increase in trading
on a given day or few days. In other words, a short-term spike in
transaction activity uncharacteristic of a broker-dealer's overall
activity should not cause it to become subject to Regulation SCI; using
the proposed time period of at least four of the preceding six calendar
months would help ensure this.
---------------------------------------------------------------------------
\205\ See Rule 1000 (definition of ``SCI ATS'').
---------------------------------------------------------------------------
The proposed thresholds would generally take into account all of a
broker-dealer's transactions.\206\ The thresholds proposed are designed
to identify firms whose transaction activity is of such a magnitude
that a systems issue negatively impacting that activity could
contribute to a disruption in fair and orderly markets, and for which
the application of Regulation SCI is therefore appropriate.
---------------------------------------------------------------------------
\206\ As described further above and below, the proposed
threshold for NMS stocks would operate slightly differently.
---------------------------------------------------------------------------
With respect to NMS stocks, only transactions which the broker-
dealer (i) trades on a national securities exchange or an ATS, or (ii)
executes off of a national securities exchange or an ATS would be
counted. When a broker-dealer is the non-executing counterparty to an
off-exchange, non-ATS transaction that transaction would not be counted
for that broker-dealer.\207\ The purpose of this approach is to count
towards the threshold for NMS stocks broker-dealer activity on or as a
trading center.
---------------------------------------------------------------------------
\207\ The volume for that trade, as reported through an
effective transaction reporting plan, would still be included in the
overall calculation of market volume used as the denominator in
threshold calculations.
---------------------------------------------------------------------------
To assess whether it satisfies the proposed thresholds, a broker-
dealer would need to determine its average daily dollar volume in an
enumerated asset class each calendar month, and
[[Page 23165]]
divide that figure by the total reported average daily dollar volume
for that month. More specifically, its numerator would be the average
daily dollar volume during the calendar month, taking into account all
relevant purchase and sale transactions \208\ in which the broker-
dealer engaged during that calendar month, as determined by the broker-
dealer from information in its books and records, as required to be
kept pursuant to Exchange Act Rule 17a-3.\209\ The denominator would be
the total average daily dollar volume for each calendar month, as that
total is determined from one or more sources that receive and make
available transaction reports, or, as the case may be, aggregated price
and volume statistics.
---------------------------------------------------------------------------
\208\ For NMS stocks, this would exclude those purchases or
sales off-exchange and not effected through an ATS, in which the
broker-dealer was not the executing party. As specific examples,
when broker-dealer A routes a customer order to broker-dealer B for
routing and execution, and broker-dealer B executes the customer
order as principal or crosses it against another order it is
holding, the volume for that order would contribute towards the
threshold for broker-dealer B but not for broker-dealer A.
Similarly, if broker-dealer A sends an order to the single-dealer
platform operated by broker-dealer B, and broker-dealer B executes a
trade against that order, the volume would contribute towards the
threshold for broker-dealer B but not for broker-dealer A. For any
asset class, the proposed definition of SCI broker-dealer would not
exclude from a broker-dealer operator's transaction tally
transactions executed on its own ATS. For example, if the broker-
dealer operator trades as a participant on its ATS, or where a
broker-dealer operator acts as a counterparty to every trade on its
own ATS, its volume would be counted as trading activity of the
broker-dealer.
\209\ See 17 CFR 240.17a-3(a)(6) (requiring a broker-dealer to
keep a memorandum of each brokerage order given or received for the
purchase or sale of a security, to include the price at which the
order executed); 17 CFR 240.17a-3(a)(7) (requiring a memorandum of
purchases and sales of a security for its own account, to include
the price).
---------------------------------------------------------------------------
With respect to NMS stocks, information necessary to calculate the
denominator currently is available from the plan processors (i.e., the
SIPs) of the CTA/CQ Plans and Nasdaq UTP Plan. These Plans are
effective transaction reporting plans, and effective national market
systems plans.\210\ Following implementation of the Market Data
Infrastructure rules, the information necessary to calculate the
denominator would be available from a competing consolidator or may be
self-determined by a self-aggregator that obtains the information
pursuant to effective transaction reporting plans, as required by 17
CFR 242.601 (``Rule 601'' of Regulation NMS) and 17 CFR 242.603(b)
(``Rule 603(b)'' of Regulation NMS).\211\ For listed options, total
average daily dollar volume may be determined from consolidated
information made available by the plan processor of the OPRA Plan.\212\
---------------------------------------------------------------------------
\210\ See supra note 20 and infra note 211. See also infra note
262 (stating that an ATS that trades NMS stocks is subject to
Regulation SCI if its trading volume reaches: (i) 5% or more in any
single NMS stock and 0.25% or more in all NMS stocks of the average
daily dollar volume reported by applicable transaction reporting
plans; or (ii) 1% or more in all NMS stocks of the average daily
dollar volume reported by applicable transaction reporting plans).
\211\ With respect to NMS stocks, Rule 601 of Regulation NMS (17
CFR 242.601) requires national securities exchanges and national
securities associations to report transactions and last sale data
pursuant to an effective transaction reporting plan filed with the
Commission in accordance with 17 CFR 242.608 (``Rule 608'' of
Regulation NMS). See 17 CFR 242.601. The national securities
exchanges and FINRA comply with Rule 601 by satisfying the
requirements of Rule 603(b) of Regulation NMS (which requires the
national securities exchanges and FINRA to act jointly pursuant to
one or more effective national market system plans, to disseminate
consolidated information, including transactions, in NMS stocks).
Currently, transaction information is consolidated by the
(exclusive) plan processor of each effective national market system
plan (i.e., the CTA/CQ Plan and Nasdaq UTP Plan for NMS stocks). See
CTA Plan, available at https://www.ctaplan.com; Nasdaq UTP Plan,
available at https://www.utpplan.com. After the implementation of
the Market Data Infrastructure rules (see Market Data Infrastructure
Adopting Release, supra note24) national securities exchanges and
FINRA will be required to provide transaction reports to competing
consolidators and/or self-aggregators pursuant to new effective
national market system plans that satisfy the requirements of Rule
603(b). Pursuant to 17 CFR 242.600(a)(14) (Rule 600(a)(14) of
Regulation NMS) the term ``competing consolidator'' means a
securities information processor required to be registered pursuant
to Rule 614 of Regulation NMS or a national securities exchange or
national securities association that receives information with
respect to quotations for and transactions in NMS stocks and
generates a consolidated market data product for dissemination to
any person. Pursuant to 17 CFR 242.600(a)(83) (Rule 600(a)(83) of
Regulation NMS) the term ``self-aggregator'' means a broker, dealer,
national securities exchange, national securities association, or
investment adviser registered with the Commission that receives
information with respect to quotations for and transactions in NMS
stocks, including all data necessary to generate consolidated market
data, and generates consolidated market data solely for internal use
(with a proviso that a self-aggregator may make consolidated market
data available to its affiliates that are registered with the
Commission for their internal use). See Market Data Infrastructure
Adopting Release, supra note 24 (providing a full discussion of
these terms). Following implementation of the Market Data
Infrastructure rules, a broker-dealer may obtain consolidated
average daily dollar volume from its chosen competing consolidator,
or independently calculate that figure itself, as a ``self-
aggregator.''
\212\ See OPRA Plan, available at https://www.opraplan.com.
---------------------------------------------------------------------------
With respect to U.S. Treasury Securities and Agency Securities,
total average daily dollar volume may be determined from information
made available by SROs to which transactions in U.S. Treasury
Securities and Agency Securities are reported. Currently there is only
one SRO to which this information is reported: FINRA.\213\ In
connection with its TRACE system, FINRA is currently the most complete
source of aggregate volume in U.S. Treasury Securities and Agency
Securities.\214\ Specifically, FINRA Rule 6750(a) requires FINRA to
disseminate information on Agency Securities, immediately upon receipt
of the transaction report.\215\ With respect to U.S. Treasury
Securities, information in TRACE regarding individual transactions is
for regulatory purposes only and is not disseminated publicly. However,
pursuant to FINRA Rule 6750, on March 10, 2020, FINRA began posting on
its website weekly, aggregate data on the trading volume of U.S.
Treasury Securities reported to TRACE, and the Commission recently
approved website posting of aggregate data more frequently (i.e.,
daily).\216\ Notwithstanding the transparency provided by FINRA/TRACE,
aggregate trading volume in U.S. Treasury and Agency securities does
not purport to reflect the whole of these markets, as aggregate volume
statistics are limited to volume reported by TRACE reporters, including
ATSs, registered-broker dealers that are members of FINRA, and
[[Page 23166]]
depository institutions meeting transaction volume thresholds in U.S.
Treasury Securities, agency-issued debt and mortgage-backed
securities.\217\
---------------------------------------------------------------------------
\213\ However, should a national securities exchange (an SRO)
trade U.S. Treasury or Agency Securities in the future, if
transaction reports are made available by that SRO, they would be
relevant to determining consolidated average daily dollar volume.
\214\ See FINRA, Trade Reporting and Compliance Engine (TRACE),
available at https://www.finra.org/filing-reporting/trace. FINRA
Rule 6730(a)(1) requires FINRA members to report transactions in
TRACE-Eligible Securities, which FINRA Rule 6710 defines to include
U.S. Treasury Securities and Agency Securities. For each transaction
in U.S. Treasury Securities and Agency Securities, a FINRA member
would be required to report the CUSIP number or similar numeric
identifier or FINRA symbol; size (volume) of the transaction; price
of the transaction (or elements necessary to calculate price);
symbol indicating whether transaction is a buy or sell; date of
trade execution (``as/of'' trades only); contra-party's identifier;
capacity (principal or agent); time of execution; reporting side
executing broker as ``give-up'' (if any); contra side introducing
broker (in case of ``give-up'' trade); the commission (total dollar
amount), if applicable; date of settlement; if the member is
reporting a transaction that occurred on an ATS pursuant to FINRA
Rule 6732, the ATS's separate Market Participant Identifier
(``MPID''); and trade modifiers as required. For when-issued
transactions in U.S. Treasury Securities, a FINRA member would be
required to report the yield in lieu of price. See FINRA Rule
6730(c).
\215\ See FINRA Rule 6750(a).
\216\ See Securities Exchange Act Release No. 95438 (Aug. 5,
2022), 87 FR 49626 (Aug. 11, 2022) (Order Approving a Proposed Rule
Change to Amend FINRA Rule 6750 Regarding the Publication of
Aggregated Transaction Information on U.S. Treasury Securities). The
implementation date for these TRACE enhancements for U.S. Treasury
Securities was Feb. 13, 2023, at which point the weekly data reports
were replaced with daily and monthly reports. Using daily reports of
U.S. Treasury Security data, broker-dealers should have the
information necessary to complete the calculations needed to assess
if they satisfy the proposed threshold.
\217\ See Federal Reserve Board, Agency Information Collection
Activities: Announcement of Board Approval Under Delegated Authority
and Submission to OMB (Oct. 21, 2021) 86 FR 59716 (Oct. 28, 2021).
---------------------------------------------------------------------------
Counting all relevant purchases and sales from all broker-dealers
may result in counting a transaction more than once across the market,
and would sum to total volume across broker-dealers that exceeds what
is reported pursuant to the relevant plans or SRO. Similarly, summing
the percentages that result from dividing the total activity of each
broker-dealer by the total volume reported by the relevant plans or SRO
would result in a value greater than 100 percent.\218\ Accordingly, the
proposed ten percent (10%) transaction activity thresholds for
measuring a broker-dealer's significance in the markets are not market
share thresholds analogous to the current SCI ATS volume thresholds.
However, because the types of transactions proposed to be counted are a
measure of a broker-dealer's size and significance, it is particularly
useful if that measure continues to reflect significant activity as the
size of the overall market expands or contracts and remains stable
relative to a recognizable measure so that it does not become outdated
over time. Therefore, the Commission proposes as a denominator a
measure that would scale each broker-dealer's average daily dollar
transaction volume to consolidated average daily dollar transaction
volume, the latter being determinable from information reported by, or
made available by or pursuant to, applicable effective transaction
reporting or national market system plans or self-regulatory
organizations, as described above.
---------------------------------------------------------------------------
\218\ Transaction reporting systems generally report volume for
trades, rather than volume for purchase and sales separately.
Consequently, adding up the total purchase and sale activity for all
broker-dealers will not equal the total volume reported through
these systems. For example, a trade for 100 shares of an NMS stock
between two broker-dealers on a national securities exchange would
be reported by the effective transaction reporting plan as 100
shares, even though one broker-dealer bought 100 shares and another
sold 100 shares. Similarly, because broker-dealers often trade with
customers, doubling the transaction volume reported through these
systems does not provide an accurate measure of total broker-dealer
purchase and sale activity. After the implementation of the Market
Data Infrastructure rules (see Market Data Infrastructure Adopting
Release, supra note 24) national securities exchanges on which NMS
stocks are traded and FINRA, each of which is required by Rule 601
of Regulation NMS to file a transaction reporting plan in accordance
with Rule 608 of Regulation NMS, will be further required, pursuant
to Rule 603(b) of Regulation NMS, to make available to all competing
consolidators and self-aggregators its information with respect to
quotations for and transactions in NMS stocks, including all data
necessary to generate consolidated market data. Following
implementation of the Market Data Infrastructure rules, a broker-
dealer may determine average daily dollar volume from information
provided by its chosen competing consolidator, or independently
calculate that figure itself, as a ``self-aggregator.''
---------------------------------------------------------------------------
Any broker-dealer that transacts, as proposed, ten percent (10%) or
more of the average daily dollar volume in an enumerated asset class,
during at least four of the preceding six calendar months would be an
SCI broker-dealer. The proposed trading activity thresholds are
designed to measure the size of a broker-dealer's footprint in the
market in terms that provide a method for assessing the size of its
footprint as the market grows (or shrinks). In this way, the proposed
thresholds identify broker-dealers by their transaction activity as
compared to a consistent measure of market volume, and give a sense of
the size and significance of a broker-dealer activity in the markets in
a manner that should not become outdated over time.
The Commission also believes that a threshold of ten percent (10%)
or more in the identified asset classes is appropriately high enough to
apply Regulation SCI only to the large broker-dealers on which the
maintenance of fair and orderly markets depend. The Commission
estimates that 17 entities would satisfy one or more of the proposed
transaction activity thresholds (the same five entities identified by
the total assets threshold plus 12 additional entities).\219\ In sum,
the Commission believes that the proposed total assets threshold and
transaction activity thresholds are appropriate measures for
identifying broker-dealers that would pose a substantial risk to the
maintenance of fair and orderly markets in the event of a systems
issue.
---------------------------------------------------------------------------
\219\ See supra text accompanying notes 189-190.
---------------------------------------------------------------------------
SCI broker-dealers would not have to comply with the requirements
of Regulation SCI until six months after the end of the quarter in
which the SCI broker-dealer satisfied the proposed asset threshold for
the first time, or six months after the end of the month in which the
SCI broker-dealer satisfied one of the proposed activity thresholds for
the first time. The Commission believes this is an appropriate amount
of time for firms to come into compliance with Regulation SCI.
iv. Proposed Revision to Definition of ``SCI Systems'' for Certain SCI
Broker-Dealers; SCI Entities Trading Multiple Asset Classes, Which May
Include Crypto Asset Securities
In conjunction with the proposed inclusion of SCI broker-dealers as
SCI entities, the Commission proposes to limit the definition of ``SCI
systems'' for an SCI broker-dealer that qualifies as an SCI entity only
because it satisfies a transaction activity threshold. Specifically,
the Commission is proposing to revise the definition of ``SCI systems''
to add a limitation that states, ``provided, however, that with respect
to an SCI broker-dealer that satisfies only the requirements of
paragraph (2) of the definition of `SCI broker-dealer,' such systems
shall include only those systems with respect to the type of securities
for which an SCI broker-dealer satisfies the requirements of paragraph
(2) of the definition.''
The current definition of ``SCI systems'' does not contain the
limitation that is proposed for SCI broker-dealers. For example, an SCI
ATS that exceeds the average daily dollar volume threshold for NMS
stocks is subject to Regulation SCI requirements for all of its SCI
systems (i.e., that meet the definition of SCI systems discussed in
section II.B.1 above) and indirect SCI systems. Thus, to the extent
that the SCI systems and indirect SCI systems of an SCI ATS (or any
other SCI entity) relate to equity securities that are non-NMS stocks,
exchange-listed options, debt securities, security-based swaps, or any
other securities, including crypto asset securities, such systems are
subject to the Regulation SCI requirements.\220\
---------------------------------------------------------------------------
\220\ See supra notes 37-38 and 36 and accompanying text
(discussing the scope of the current definition of ``SCI systems'').
---------------------------------------------------------------------------
As it considers the expansion of Regulation SCI to broker-dealers,
many of which operate multiple business lines and transact in different
types of securities, the Commission preliminarily believes that an SCI
broker-dealer that qualifies as an SCI entity based only on a
transaction activity threshold for a particular type of security should
have its obligations limited to systems with respect to that type of
security. If a broker-dealer meets only the transaction activity
threshold for NMS stocks, for example, its systems that directly
support trading, clearance and settlement, order routing, market data,
market regulation, or market surveillance for NMS stocks are those that
raise the concerns Regulation SCI is meant to address. If the broker-
dealer's activity with respect to other classes of securities is
nominal, it is unlikely to pose risk to the maintenance of fair and
orderly markets if the systems with respect to those types of
securities were unavailable (assuming the systems for the distinct
asset class are separate). If a system of the broker-dealer is used for
[[Page 23167]]
more than one type of securities (i.e., an asset class that triggered
the threshold and an asset class that did not or is not subject to SCI
thresholds), such system would still meet the definition of ``SCI
system.'' \221\ Current SCI entities are and will continue to be, and
proposed SCI entities other than SCI broker-dealers that satisfy a
transaction activity threshold would be, required to assess whether the
technology systems of, or operated by or on their behalf, with respect
to any type of security (including crypto asset securities, discussed
further below) are SCI systems covered by Regulation SCI because they
directly support: (i) trading; (ii) clearance and settlement; (iii)
order routing; (iv) market data; (v) market regulation; or (vi) market
surveillance.
---------------------------------------------------------------------------
\221\ For example, if a broker-dealer operator of an SCI ATS
uses an SCI system to trade both a type of security that triggered
the SCI threshold and a type of security that did not trigger the
threshold, that system will be an SCI system for both types of
securities. A broker-dealer operator of such SCI ATS could wish to
use the SCI system only for trading the type of security that
triggered the SCI threshold and create a separate system only to
trade the type of security that did not trigger the SCI threshold.
---------------------------------------------------------------------------
v. Crypto Asset Securities
Public information about the size and characteristics of the crypto
asset securities market is limited.\222\ However, the Commission,
currently understands that only a small portion of crypto asset
security trading activity is occurring within Commission registered
entities, and particularly, registered broker-dealers. This may be due
in part to the fact that there are currently no special purpose broker-
dealers authorized to maintain custody of crypto asset securities.\223\
Without the ability to custody a customer's crypto-asset securities, a
broker-dealer is limited in the amount of agency business in crypto-
asset securities that it could do. Similarly, today, only a limited
amount of crypto asset security volume occurs on ATSs operating
pursuant to the Regulation ATS exemption.\224\ This may be due in part
to the significant trading activity in crypto asset securities that may
be in non-compliance with the federal securities laws.\225\
Nonetheless, if an SCI entity (current or proposed) trades crypto asset
securities, the systems used for trading crypto asset securities may
currently and in the future be subject to the requirements of
Regulation SCI.\226\
---------------------------------------------------------------------------
\222\ See, e.g., Fin. Stability Oversight Council, Report on
Digital Asset Financial Stability Risks and Regulation 119 (2022)
(``FSOC Report''), available at https://home.treasury.gov/system/files/261/FSOC-Digital-Assets-Report-2022.pdf (``The crypto-asset
ecosystem is characterized by opacity that creates challenges for
the assessment of financial stability risks.''); U.S. Dep't of the
Treasury, Crypto-Assets: Implications for Consumers, Investors, and
Businesses 12 (Sept. 2022) (``Crypto-Assets Treasury Report''),
available at https://home.treasury.gov/system/files/136/CryptoAsset_EO5.pdf (finding that data pertaining to ``off-chain
activity'' is limited and subject to voluntary disclosure by trading
platforms and protocols, with protocols either not complying with or
not subject to obligations ``to report accurate trade information
periodically to regulators or to ensure the quality, consistency,
and reliability of their public trade data''); Fin. Stability Bd.,
Assessment of Risks to Financial Stability from Crypto-assets 18-19
(Feb. 16, 2022) (``FSB Report''), available at https://www.fsb.org/wp-content/uploads/P160222.pdf (finding that the difficulty in
aggregating and analyzing available data in the crypto asset space
``limits the amount of insight that can be gained with regard to the
[crypto asset] market structure and functioning,'' including who the
market participants are and where the market's holdings are
concentrated, which, among other things, limits regulators' ability
to inform policy and supervision); Raphael Auer et al., Banking in
the Shadow of Bitcoin? The Institutional Adoption of
Cryptocurrencies 4, 9 (Bank for Int'l Settlements, Working Paper No.
1013, May 2022), available at https://www.bis.org/publ/work1013.pdf
(stating that data gaps, which can be caused by limited disclosure
requirements, risk undermining the ability for holistic oversight
and regulation of cryptocurrencies); Int'l Monetary Fund, The Crypto
Ecosystem and Financial Stability Challenges, in Global Financial
Stability Report 41, 47 (Oct. 2021), available at https://www.imf.org/-/media/Files/Publications/GFSR/2021/October/English/ch2.ashx (finding that crypto asset service providers provide
limited, fragmented, and, in some cases, unreliable data, as the
information is provided voluntarily without standardization and, in
some cases, with an incentive to manipulate the data provided).
\223\ For background on Rule 15c3-3 as it relates to digital
asset securities, see Commission, Joint Staff Statement on Broker-
Dealer Custody of Digital Asset Securities (July 8, 2019), available
at https://www.sec.gov/news/public-statement/joint-staff-statement-broker-dealer-custody-digital-asset-securities; FINRA, SEC Staff No-
Action Letter, ATS Role in the Settlement of Digital Asset Security
Trades (Sept. 25, 2020), available at https://www.sec.gov/divisions/marketreg/mr-noaction/2020/finra-ats-role-in-settlement-of-digital-asset-security-trades-09252020.pdf. To date, five offerings of
crypto asset securities have been registered or qualified under the
Securities Act of 1933, and five classes of crypto asset securities
have been registered under the Exchange Act. The Commission issued a
statement describing its position that, for a period of five years,
special purpose broker-dealers operating under the circumstances set
forth in the statement will not be subject to a Commission
enforcement action on the basis that the broker-dealer deems itself
to have obtained and maintained physical possession or control of
customer fully paid and excess margin digital asset securities for
purposes of 17 CFR 240.15c3-3(b)(1) (``Rule 15c3-3(b)(1)'' under the
Exchange Act). See Crypto Asset Securities Custody Release, supra
note 37. To date, no such special purpose broker-dealer registration
applications have been granted by FINRA.
\224\ ATSs that do not trade NMS stocks file with the Commission
a Form ATS notice, which the Commission does not approve. Form ATS
requires, among other things, that ATSs provide information about:
classes of subscribers and differences in access to the services
offered by the ATS to different groups or classes of subscribers;
securities the ATS expects to trade; any entity other than the ATS
involved in its operations; the manner in which the system operates;
how subscribers access the trading system; procedures governing
entry of trading interest and execution; and trade reporting,
clearance, and settlement of trades on the ATS. In addition, all
ATSs must file quarterly reports on Form ATS-R with the Commission.
Form ATS-R requires, among other things, volume information for
specified categories of securities, a list of all securities traded
in the ATS during the quarter, and a list of all subscribers that
were participants. To the extent that an ATS trades crypto asset
securities, the ATS must disclose information regarding its crypto
asset securities activities as required by Form ATS and Form ATS-R.
Form ATS and Form ATS-R are deemed confidential when filed with the
Commission. Based on information provided on these forms, a limited
number of ATSs have noticed on Form ATS their intention to trade
certain crypto asset securities and a subset of those ATSs have
reported transactions in crypto asset securities on their Form ATS-
R. See also supra note 223, referencing, Commission, Joint Staff
Statement on Broker-Dealer Custody of Digital Asset Securities (July
8, 2019), available at https://www.sec.gov/news/public-statement/joint-staff-statement-broker-dealer-custody-digital-asset-securities; FINRA, SEC Staff No-Action Letter, ATS Role in the
Settlement of Digital Asset Security Trades (Sept. 25, 2020),
available at https://www.sec.gov/divisions/marketreg/mr-noaction/2020/finra-ats-role-in-settlement-of-digital-asset-security-trades-09252020.pdf.
\225\ See also FSOC Report, supra note 222, at 5, 87, 94, 97
(emphasizing the importance of the existing financial regulatory
structure while stating that certain digital asset platforms may be
listing securities while not in compliance with exchange, broker-
dealer, or other registration requirements, which may impose
additional risk on banks and investors and result in ``serious
consumer and investor protection issues''); Crypto-Assets Treasury
Report, supra note 222, at 26, 29, 39, 40 (stating that issuers and
platforms in the digital asset ecosystem may be acting in non-
compliance with statutes and regulations governing traditional
capital markets, with market participants that actively dispute the
application of existing laws and regulations, creating risks to
investors from non-compliance with, in particular, extensive
disclosure requirements and market conduct standards); FSB Report,
supra note 222, at 4, 8, 18 (stating that some trading activity in
crypto assets may be failing to comply with applicable laws and
regulations, while failing to provide basic investor protections due
to their operation outside of or in non-compliance with regulatory
frameworks, thereby failing to provide the ``market integrity,
investor protection or transparency seen in appropriately regulated
and supervised financial markets'').
\226\ But see supra section II.B.1 (discussing how current SCI
entities that trade crypto asset securities must assess whether
their systems for trading crypto asset securities are SCI systems).
As a specific example, if an SCI SRO were to obtain Commission
approval to add a crypto asset security trading facility, that
facility would be part of an SCI SRO that is subject to Regulation
SCI.
---------------------------------------------------------------------------
SCI Broker-Dealer Activity in Crypto Asset Securities
As discussed above, the Commission is proposing to include as SCI
entities large broker-dealers: those that satisfy a total assets
threshold or a transaction activity threshold. The total assets
threshold applies to broker-dealers irrespective of asset classes in
which they conduct significant transaction activity. In contrast, the
proposed transaction activity threshold specifies four enumerated asset
classes: NMS stocks, exchange-listed options, U.S.
[[Page 23168]]
Treasury Securities, and Agency Securities.
The proposal would affect an SCI broker-dealer that engages in
crypto asset security activity as follows: for purposes of assessing
whether it meets a transaction activity threshold, a broker-dealer
would need to consider if it trades crypto asset securities that are
NMS stocks, exchange-listed options, U.S. Treasury Securities, or
Agency securities, and if so, include those transactions in its
transaction tally of NMS stocks, exchange-listed options, U.S. Treasury
Securities, or Agency securities, to assess if it satisfies one or more
of the proposed thresholds. In addition, as proposed, the SCI systems
and indirect SCI systems pertaining to crypto asset securities that are
NMS stocks, exchange-listed options, U.S. Treasury Securities, or
Agency securities would be subject to Regulation SCI, including as it
is proposed to be amended, as discussed in section III.C, with respect
to the asset class for which the SCI broker-dealer satisfies the
transaction activity threshold.
Furthermore, as proposed, an SCI broker-dealer that meets the
proposed total assets threshold would need consider its crypto asset
security activities and assess whether any systems pertaining to crypto
asset securities meet the current definition of SCI systems or indirect
SCI systems. Any such systems would be subject to Regulation SCI,
including as it is proposed to be amended, as discussed in section
III.C.\227\
---------------------------------------------------------------------------
\227\ Likewise, an ATS currently is an SCI ATS if it satisfies a
trading volume threshold for NMS stocks or equity securities that
are not NMS stocks. For purposes of assessing whether it meets an
SCI ATS trading volume threshold, an ATS needs to consider if it
trades crypto asset securities that are equity securities; and if it
does trade such securities, those transactions need to be included
in its transaction tally as (i) NMS stocks or (ii) equity securities
that are not NMS stocks, as they case may be, in order to calculate
the volume threshold. Additionally, the definition of SCI systems
and indirect SCI systems do not contain an asset class limitation
with respect to SCI SROs (or any other current SCI entity). See
supra note 36 and accompanying text.
---------------------------------------------------------------------------
vi. Request for Comment
9. Should Regulation SCI apply to broker-dealers? If not, why not?
If so, should Regulation SCI apply to all broker-dealers, or just a
subset? Please explain. At what size or level of a broker-dealer's
activity would market integrity or the protection of investors be
affected if the broker-dealer were no longer able to operate due to a
systems disruption, systems compliance issue, or a systems intrusion?
Are broker-dealers subject to more market discipline than current SCI
entities? Please explain. Conversely, does a lack of transparency
regarding events like SCI events limit this market discipline? Why or
why not?
10. Would it be more appropriate to define an SCI broker-dealer
using an approach that identifies a broker-dealer by category, rather
than by size? For example, what are commenters' views on the impact to
overall market integrity or the protection of investors if an OTC
market maker was no longer able to operate due to a systems disruption,
systems compliance issue, or a systems intrusion? Or an exchange market
maker? Or a clearing broker-dealer? What are commenters' views on the
importance of different categories of broker-dealers to the stability
of the overall U.S. securities market infrastructure, in the context of
requiring them to comply with Regulation SCI? What risks do the systems
of broker-dealers pose to the U.S. securities markets?
11. If the Commission were to identify an SCI broker-dealer by
category, rather than by size, which categories should be covered and
how should they be defined? For example, if commenters believe that
Regulation SCI should apply to significant ``OTC market makers,'' how
should they be defined? Is it sufficiently clear which entities are
``OTC market makers,'' as that term is defined under the Exchange Act?
If not, why not? If so, should a threshold be used to identify those
that are the most significant? What should that threshold be and how
should it be calculated?
12. Is the current broker-dealer regulatory regime, including the
Market Access Rule and other Commission and FINRA rules, sufficient to
reasonably ensure the operational capability of the technological
systems of the proposed SCI broker-dealers?
13. As discussed above, an SCI broker-dealer would be a broker-
dealer registered with the Commission pursuant to section 15(b) of the
Exchange Act, which: (1) in at least two of the four preceding calendar
quarters, ending March 31, June 30, September 30, and December 31,
reported to the Commission on Form X-17A-5 total assets in an amount
that equals five percent (5%) or more of the quarterly total assets
level of all security brokers and dealers; or (2) during at least four
of the preceding six calendar months: (i) with respect to transactions
in NMS stocks, transacted average daily dollar volume in an amount that
equals ten percent (10%) or more of the average daily dollar volume
reported by or pursuant to applicable effective transaction reporting
plans, provided, however, that for purposes of calculating its activity
in transactions effected otherwise than on a national securities
exchange or on an ATS, the broker-dealer shall exclude transactions for
which it was not the executing party; (ii) with respect to transactions
in exchange-listed options contracts, transacted average daily dollar
volume reported by an applicable effective national market system plan;
(iii) with respect to transactions in U.S. Treasury Securities,
transacted average daily dollar volume in an amount that equals ten
percent (10%) or more of the total average daily dollar volume made
available by the self-regulatory organization to which such
transactions are reported; or (iv) with respect to transactions in
Agency Securities, transacted average daily dollar volume in an amount
that equals ten percent (10%) or more of the total average daily dollar
volume made available by the self-regulatory organization to which such
transactions are reported. The Commission solicits comment with respect
to all aspects of the proposed definition, including those aspects
identified in the succeeding questions.
14. Is the proposed total assets threshold an appropriate way to
identify broker-dealers that would pose a substantial risk to the
maintenance of fair and orderly markets in the event of a systems
issue?
15. Should the proposed total assets threshold be scaled using the
proposed sources as the denominator? Why or why not? Is use of data
made available by the Federal Reserve Board appropriate as the
denominator for the measure of all security broker-dealer total assets?
If not, what metric, if any, would be appropriate for the Commission to
use as the denominator? Should the denominator be different in the
event that such data is no longer made available by the Federal Reserve
Board? Recognizing that the proposed numeric thresholds ultimately
represent a matter of judgment by the Commission as it proposes to
apply Regulation SCI to the largest broker-dealers, the Commission
solicits comment on the proposed thresholds levels. Is the proposed
five percent numeric threshold appropriate? Why or why not? Is the
proposed two of the preceding four quarter methodology, with lookback
to the previous quarter for the denominator appropriate? Why or why
not?
16. Are the proposed transaction activity thresholds an appropriate
way to identify broker-dealers that would pose a substantial risk to
the maintenance of fair and orderly markets in the event of a systems
issue?
[[Page 23169]]
17. With respect to the proposed transaction activity thresholds,
are the asset classes identified appropriate? Are there asset classes
that are included that should be excluded, or asset classes that are
excluded that should be included? Which ones and why? For example,
should U.S. Treasury Securities and Agency Securities be included? Why
or why not? Should OTC equity securities be included? Or security-based
swaps? Is the size of the market in each asset class relevant? Why or
why not?
18. With respect to the proposed transaction activity thresholds,
recognizing that the proposed numeric thresholds ultimately represent a
matter of judgment by the Commission as it proposes to apply Regulation
SCI to the largest broker-dealers, the Commission solicits comment on
the proposed threshold levels. Are the 10 percent transaction activity
threshold levels proposed appropriate? Would higher or lower thresholds
be appropriate? Should thresholds vary based on asset class? Is there a
different approach that would be more appropriate?
19. For purposes of the numerator in each transaction activity
threshold, is use of average daily dollar volume of all purchase and
sale transactions, as proposed appropriate? If not, why not? Is there
an alternative measure of market activity that could be consistently
determined by broker-dealers, as well as the Commission, and that would
identify large broker-dealer activity that, if disrupted, could disrupt
market functioning more broadly? Would share volume be more appropriate
for any of the proposed asset classes?
20. Is it clear what average daily dollar volume, as made available
by or pursuant to applicable effective transaction reporting plans,
would be following implementation of the Market Data Infrastructure
rules? Why or why not?
21. Should the transaction activity thresholds denominator have a
minimum, so that if the market for a particular product shrinks
significantly, entities that have a significant portion of that small
market would not be scoped into the test? For example, should an
options trading activity threshold specify that the threshold is
exceeded if average daily dollar volume equals the greater of ten
percent (10%) or more of the average daily dollar volume reported by or
pursuant to an applicable effective transaction reporting plan,
applicable national market system plan, applicable SRO, or $x billion?
Why or why not? What would be an appropriate minimum dollar threshold
and why? Please be specific.
22. Is the four out of the preceding six-month measurement period
an appropriate timeframe for the transaction activity thresholds? Why
or why not? Is there a different timeframe or approach that would be
more appropriate? Please explain.
23. Do commenters believe that six months after the end of the
quarter in which the broker-dealer satisfies the total assets threshold
and six months after the end of the month in which the broker-dealer
satisfies the transaction activity threshold constitute an appropriate
amount of time to allow them to come into compliance with the
requirements of Regulation SCI? Why or why not? Is there a different
time period that would be more appropriate? Please explain.
24. What are the differences between the current practices of
broker-dealers and the practices that would be necessary if the
proposed changes to Regulation SCI are adopted? Please describe and be
specific.
25. Should all of the current or newly proposed requirements set
forth in Regulation SCI apply to SCI broker-dealers? If only a portion,
please specify which portion(s) and explain why. If all, explain why.
26. Is it appropriate to limit the application of the definition of
``SCI systems'' for SCI broker-dealers that meet the definition of an
SCI broker-dealer only because of a transaction activity threshold only
to those systems related to the types of securities for which the
entity has triggered the threshold, as the Commission is proposing? Why
or why not?
27. Should the definition of SCI systems as it applies to SCI
broker-dealers be modified further than as proposed? Is the limitation
of the definition of SCI systems as proposed to apply to SCI broker-
dealers (and not applicable to broker-dealers that satisfy the total
assets threshold) appropriate? Should the Commission instead provide a
unique definition of SCI systems and indirect SCI systems for broker-
dealers? If so, what should it be and why? For example, in the context
of broker-dealers, would systems that ``directly support trading'' be a
category of systems that is overbroad, or too narrow? Why or why not?
Please explain. Are there any types of systems of broker-dealers to
which Regulation SCI would apply that should not be covered? Which ones
and why? Are there any types of systems of broker-dealers that would
not be covered by the definitions of SCI systems and indirect SCI
systems as proposed that should be covered? Which types and why? Please
be specific.
28. Is it clear how Regulation SCI would apply to proposed new SCI
entities that trade crypto asset securities? Why or why not? Please be
specific.
29. Are any of the proposed amendments to Regulation SCI (as
discussed in section III.C below) inappropriate for broker-dealers? If
so, which ones? As discussed in section III.C.6 below, the Commission
proposes to add language to Rule 1002(c) of Regulation SCI regarding
dissemination of information about SCI events by an SCI broker-dealer
to its ``customers,'' as a broker-dealer does not have ``members and
participants.'' Should the Commission require an SCI broker-dealer to
notify its customers of an SCI event in the same manner as other SCI
entities? Why or why not? Should the term ``customers'' be defined? If
so, how? Should Rule 1002(c) be specifically tailored to SCI broker-
dealers in a way that differs from the current rule? If so, how? Please
be specific. Is the proposed requirement that, pursuant to Rule
1002(b)(4)(ii)(B), notices to the Commission include a copy of the
information disseminated to customers appropriate? Why or why not?
30. Do commenters believe that different or unique requirements
should apply to an SCI broker-dealer or systems of broker-dealers? What
should they be, and why?
31. What effect, if any, would there be of having the largest
broker-dealers subject to Regulation SCI, while others are not? Should
the Commission include additional broker-dealers as SCI entities, based
on size or function? Why or why not? For example, should the largest
carrying broker-dealers, based on a size threshold, be subject to
Regulation SCI? If so, should the size threshold be based on total
assets or number of customer accounts, or some other metric? If
application of all of Regulation SCI is not appropriate for these
entities, should they be required to adopt and implement reasonably
designed policies and procedures to address their ability to continue
to process customer and account transactions in a timely manner during
reasonably anticipated surges in demand?
32. Should the proposed thresholds take into account whether a
broker-dealer is affiliated with another broker-dealer?[thinsp]For
example, should the Commission aggregate the transaction activity of
affiliated broker-dealers for purposes of determining whether the
transaction activity threshold test has been satisfied and, if it has,
apply Regulation SCI to each broker-dealer?
[[Page 23170]]
Why or why not? Should it aggregate total assets of affiliated broker-
dealers? Why or why not?
33. Is the proposed six-month period during which a broker-dealer
that meets the threshold to become an SCI broker-dealer does not have
to comply with Regulation SCI appropriate? Should the Commission adopt
a different time period? If so, how long should the period be and why?
34. Are there characteristics specific to SCI broker-dealers that
would make applying Regulation SCI, either broadly or by specific
existing/proposed provision(s), unduly burdensome or inappropriate for
SCI broker-dealers? How much time would an SCI broker-dealer reasonably
need to come into compliance with Regulation as proposed?
c. Exempt Clearing Agencies (Deletion of ``Subject to ARP'')
The Commission proposes to include all ``exempt clearing agencies''
as SCI entities. This proposed approach would expand the scope of
exempt clearing agencies covered by Regulation SCI, which currently
covers certain exempt clearing agencies--those that are ``subject to
ARP.'' \228\ The technology systems that underpin operations of both
registered clearing agencies and exempt clearing agencies are critical
systems that drive the global financial markets. Further, the
activities of exempt clearing agencies subject to ARP and those not
subject to ARP are similar. For example, for covered clearing agencies
in particular,\229\ such systems include those that set and calculate
margin obligations and other charges, perform netting and calculate
payment obligations, facilitate the movement of funds and securities,
or effectuate end-of-day settlement. Increasingly, the technology
behind these systems are subject to both rapid innovation and
interconnectedness.\230\ For the exempt clearing agencies not subject
to ARP, they also provide CSD functions for transactions in U.S.
securities between U.S. and non-U.S. persons, using similar
technologies.\231\ More generally, all exempt clearing agencies offer
services that centralize a variety of technology functions, increasing
access to services that help improve the efficiency of the clearance
and settlement process by, for example, standardizing and automating
functions necessary to complete clearance and settlement.\232\ Over
time, the increasing availability of, and access to, such technologies
has also increased the dependence that market participants have on such
services, raising the potential that such services could become single
points of failure for U.S. market participants.\233\ Further, as the
services that exempt clearing agencies provide have evolved over time,
they have become increasingly reliant on the provision of new
technologies to market participants, and so the Commission has
increasingly focused its oversight of exempt clearing agencies on the
ways that such services might introduce operational risk to U.S. market
participants.\234\ Therefore, the Commission proposes to expand the
scope of SCI entities to cover all exempt clearing agencies. As a
result, there would no longer be a difference in how exempt clearing
agencies are addressed by Regulation SCI.
---------------------------------------------------------------------------
\228\ See Rule 1000; SCI Adopting Release, supra note 1, at
72271 (an ``exempt clearing agency subject to ARP'' is an entity
that has received from the Commission an exemption from registration
as a clearing agency under section 17A of the Exchange Act, and
whose exemption contains conditions that relate to the Commission's
Automation Review Policies, or any Commission regulation that
supersedes or replaces such policies (such as Regulation SCI)).
\229\ 17 CFR 240.17Ad-22 (``Rule 17Ad-22'' under the Exchange
Act) provides for two categories of registered clearing agencies and
contains a set of rules that apply to each category. The first
category is covered clearing agencies, which are subject to 17 CFR
240.17Ad-22(e) (Rule 17Ad-22(e)), which includes requirements
intended to address the activity and risks that their size,
operation, and importance pose to the U.S. securities markets, the
risks inherent in the products they clear, and the goals of both the
Exchange Act and the Dodd-Frank Act. See Securities Exchange Act
Release No. 78961 (Sept. 28, 2016), 81 FR 70786, 70793 (Oct. 13,
2016) (``CCA Standards Adopting Release''). Covered clearing
agencies are registered clearing agencies that provide central
counterparty (``CCP'') or central securities depository (``CSD'')
services. See 17 CFR 240.17Ad-22(a)(5). A CCP is a type of
registered clearing agency that acts as the buyer to every seller
and the seller to every buyer, providing a trade guaranty with
respect to transactions submitted for clearing by the CCP's
participants. See 17 CFR 240.17Ad-22(a)(2); Securities Exchange Act
Release No. 88616 (Apr. 9, 2020), 85 FR 28853, 28855 (May 14, 2020)
(``CCA Definition Adopting Release''). A CCP may perform a variety
of risk management functions to manage the market, credit, and
liquidity risks associated with transactions submitted for clearing.
If a CCP is unable to perform its risk management functions
effectively, however, it can transmit risk throughout the financial
system. A CSD is a type of registered clearing agency that acts as a
depository for handling securities, whereby all securities of a
particular class or series of any issuer deposited within the system
are treated as fungible. Through use of a CSD, securities may be
transferred, loaned, or pledged by bookkeeping entry without the
physical delivery of certificates. A CSD also may permit or
facilitate the settlement of securities transactions more generally.
See 15 U.S.C. 78c(a)(23)(A); 17 CFR 240.17Ad-22(a)(3); CCA
Definition Adopting Release, at 28856. If a CSD is unable to perform
these functions, market participants may be unable to settle their
transactions, transmitting risk through the financial system.
Currently, all clearing agencies registered with the Commission that
are actively providing clearance and settlement services are covered
clearing agencies. They are The Depository Trust Company (``DTC''),
FICC, NSCC, ICE Clear Credit (``ICC''), ICE Clear Europe
(``ICEEU''), The Options Clearing Corporation (``OCC''), and LCH SA.
\230\ The second category includes registered clearing agencies
other than covered clearing agencies; such clearing agencies must
comply with 17 CFR 240.17Ad-22(d) (``Rule 17Ad-22(d)''). See 17 CFR
240.17Ad-22(d). Rule 17Ad-22(d) establishes a regulatory regime to
govern registered clearing agencies that do not provide CCP or CSD
services. See CCA Standards Adopting Release, at 70793. Although
subject to Rule 17Ad-22(d), the Boston Stock Exchange Clearing
Corporation (``BSECC'') and Stock Clearing Corporation of
Philadelphia (``SCCP'') are currently registered with the Commission
as clearing agencies but conduct no clearance or settlement
operations. See Securities Exchange Act Release No. 63629 (Jan. 3,
2011), 76 FR 1473, 1474 (Jan. 10, 2011) (``BSECC Notice'');
Securities Exchange Act Release No. 63268 (Nov. 8, 2010), 75 FR
69730, 69731 (Nov. 15, 2010) (``SCCP Notice'').
\231\ See, e.g., Release No. 79577 (Dec. 16, 2016), 81 FR 93994
(Dec. 22, 2016) (``Euroclear Exemption''); Release No. 38328 (Feb.
24, 1997), 62 FR 9225 (Feb. 28, 1997) (``Clearstream Exemption'').
To manage the potential risks associated with these functions, the
Commission's exemptions impose volume limits on the amount of
transactions in U.S. Government securities for which each entity may
perform clearance and settlement.
\232\ See, e.g., Euroclear Exemption, supra note 231 (adding
services for collateral management); Release No. 44188 (Apr. 17,
2001), 66 FR 20494 (Apr. 23, 2001) (granting an exemption to provide
a central matching service to Global Joint Venture Matching Services
US LLC, now known as DTCC ITP Matching US LLC, to facilitate the
settlement of transactions between broker-dealers and their
institutional customers) (``ITPM Exemption'').
\233\ See Securities Exchange Act Release No. 76514 (Nov. 25,
2015), 80 FR 75387, 75401 (Dec. 1, 2015) (granting an exemption to
provide matching services to each of Bloomberg STP LLC and SS&C
Technologies, Inc. and stating that ``[o]n balance, the Commission
believes that the redundancy created by more interfaces and linkages
within the settlement infrastructure increases resiliency''); SEC
Division of Trading and Markets and Office of Compliance Inspections
and Examinations, Staff Report on the Regulation of Clearing
Agencies (Oct. 1, 2020) (``Staff Report on Clearing Agencies''),
available at https://www.sec.gov/files/regulation-clearing-agencies-100120.pdf (staff stating that ``consolidation among providers of
clearance and settlement services concentrates clearing activity in
fewer providers and has increased the potential for providers to
become single points of failure.'').
\234\ For example, in 2016 the Commission approved modifications
to the Euroclear Exemption that included, among other things, a new
set of conditions for the reporting of service outages. See
Euroclear Exemption, supra note 231, at 94003 (setting forth eight
``Operational Risk Conditions Applicable to the Clearing Agency
Activities'').
---------------------------------------------------------------------------
i. Current Regulatory Framework for Exempt Clearing Agencies
The registration and supervisory framework for clearing agencies
under the Exchange Act provides the Commission with broad authority to
provide exemptive relief from certain of the Commission's regulatory
requirements under the Exchange Act. Specifically, section 17A(b)(1) of
the Exchange Act provides the Commission with authority to exempt a
clearing agency or any class of clearing agencies from any provision of
section 17A or the
[[Page 23171]]
rules or regulations thereunder.\235\ Such an exemption may be effected
by rule or order, upon the Commission's own motion or upon application,
either conditionally or unconditionally. The Commission's exercise of
authority to grant exemptive relief must be consistent with the public
interest, the protection of investors, and the purposes of section 17A,
including the prompt and accurate clearance and settlement of
securities transactions and the safeguarding of securities and
funds.\236\ The Commission has granted exemptions from clearing agency
registration to three entities that provide matching services. These
exempt clearing agencies are DTCC ITP Matching US, LCC (successor in
name to Omgeo and Global Joint Venture Matching Services US, LLC),
Bloomberg STP LLC (``BSTP''), and SS&C Technologies, Inc.
(``SS&C'').\237\ In certain instances, non-U.S. clearing agencies also
have received exemptions from registration as a clearing agency. These
exempt clearing agencies include Euroclear Bank SA/NV (successor in
name to Morgan Guaranty Trust Company of NY) \238\ and Clearstream
Banking, S.A. (successor in name to Cedel Bank, soci[eacute]t[eacute]
anonyme, Luxembourg).\239\ Each has an exemption to provide clearance
and settlement for U.S. Government and agency securities for U.S.
participants, subject to limitations on the volume of transactions set
forth in their exemptions. The Euroclear Exemption also provides an
exemption from registration to provide collateral management services
for transactions in U.S. equity securities between U.S. persons and
non-U.S. persons.
---------------------------------------------------------------------------
\235\ The Commission has also provided temporary relief from
registration to certain clearing agencies under section 36 of the
Exchange Act. On July 1, 2011, the Commission published a
conditional, temporary exemption from clearing agency registration
for entities that perform certain post-trade processing services for
security-based swap transactions. See, e.g., Release No. 64796 (July
1, 2011), 76 FR 39963 (July 7, 2011) (providing an exemption from
registration under section 17A(b) of the Exchange Act, and stating
that ``[t]he Commission is using its authority under section 36 of
the Exchange Act to provide a conditional temporary exemption [from
clearing agency registration], until the compliance date for the
final rules relating to registration of clearing agencies that clear
security-based swaps pursuant to sections 17A(i) and (j) of the
Exchange Act, from the registration requirement in section 17A(b)(1)
of the Exchange Act to any clearing agency that may be required to
register with the Commission solely as a result of providing
Collateral Management Services, Trade Matching Services, Tear Up and
Compression Services, and/or substantially similar services for
security-based swaps''). The order facilitated the Commission's
identification of entities that operate in that area and that
accordingly may fall within the clearing agency definition.
Recently, the Commission indicated that the 2011 Temporary Exemption
may no longer be necessary. See Securities Exchange Act Release No.
94615 (Apr. 6, 2022), 87 FR 28872, 28934 (May 11, 2022) (stating
that the ``Commission preliminarily believes that, if it adopts a
framework for the registration of [security-based swap execution
facilities (``SBSEFs'')], the 2011 Temporary Exemption would no
longer be necessary because entities carrying out the functions of
SBSEFs would be able to register with the Commission as such,
thereby falling within the exemption from the definition of
`clearing agency' in existing [17 CFR 240.17Ad-24 (Rule 17Ad-
24)]'').
\236\ See 15 U.S.C. 78q-1(b)(1).
\237\ See exemption, supra note 233 (granting an exemption to
provide matching services to each of BSTP and SS&C).
\238\ See Euroclear Exemption, supra note 231.
\239\ See Clearstream Exemption, supra note 231.
---------------------------------------------------------------------------
As previously discussed, each of these exempt clearing agencies
makes available to market participants an increasingly wide array of
technology services that help centralize and automate the clearance and
settlement of securities transactions for market participants. This
increasing reliance on new technologies has focused the Commission's
attention on the potential for such services to introduce operational
risk or introduce single points of failure into the national system for
clearance and settlement. Given this important role of exempt clearing
agencies in helping to ensure the functioning, resilience, and
stability of U.S. securities markets, and their growing technological
innovations and interconnectedness, the Commission proposes to expand
the scope of ``SCI entity'' to cover all exempt clearing agencies,
rather than only those ``subject to ARP'' to help ensure that the risks
associated with the greater dispersal, sophistication, and
interconnection of such technologies are appropriately mitigated.\240\
In this regard, pursuant to the terms and conditions of the clearing
agency exemptive orders, the Commission may modify by order the terms,
scope, or conditions if the Commission determines that such
modification is necessary or appropriate in the public interest, for
the protection of investors, or otherwise in furtherance of the
purposes of the Exchange Act.\241\
---------------------------------------------------------------------------
\240\ See supra note 228. Pursuant to the Commission's statement
on CCPs in the European Union (``EU'') authorized under the European
Markets Infrastructure Regulation (``EMIR''), an EU CCP may request
an exemption from the Commission where it has determined that the
application of SEC requirements would impose unnecessary,
duplicative, or inconsistent requirements in light of EMIR
requirements to which it is subject. See Statement on Central
Counterparties Authorized under the European Markets Infrastructure
Regulation Seeking to Register as a Clearing Agency or to Request
Exemptions from Certain Requirements Under the Securities Exchange
Act of 1934, Securities Exchange Act Release No. 90492 (Nov. 23,
2020), 85 FR 76635, 76639 (Nov. 30, 2020), available at https://www.govinfo.gov/content/pkg/FR-2020-11-30/pdf/FR-2020-11-30.pdf
(stating that in seeking an exemption, an EU CCP could provide ``a
self-assessment. . . [to] explain how the EU CCP's compliance with
EMIR corresponds to the requirements in the Exchange Act and
applicable SEC rules thereunder, such as Rule 17Ad-22 and Regulation
SCI'').
\241\ See ITPM Exemption, supra note 231; Euroclear Exemption,
supra note 231; Clearstream Exemption, supra note 231.
---------------------------------------------------------------------------
ii. Request for Comment
35. Is expanding the scope of ``SCI entity'' to cover all exempt
clearing agencies, not just those exempt clearing agencies subject to
ARP, appropriate? Why or why not? Please be specific and provide
examples, if possible, to illustrate your points.
36. Should all or some aspects of Regulation SCI apply to all
exempt clearing agencies? Why or why not? If only a portion, please
specify which portion(s) and explain why. If all, explain why.
37. Would the Regulation SCI proposed requirements, together with
the conditions under which the exempt clearing agency is subject in the
Commission exemptive order, be sufficient to address operational risk
concerns posed by exempt clearing agencies? Why or why not? Please be
specific and respond with examples, if possible.
38. Given the proposed new requirements of Regulation SCI, should
exempt clearing agencies be subject to a revised Commission exemptive
order? Why or why not?
39. In support of the public interest and the protection of
investors, the Commission is proposing to amend the clearing agency
exemptive orders to replace all operational risk conditions with a
condition that each exempt clearing agency must comply with Regulation
SCI requirements. Should the ordering language provide that the exempt
clearing agency must comply with all requirements in Regulation SCI? If
so, explain why. If not, explain why not.
40. Should proposed Regulation SCI distinguish among different
types of exempt clearing agencies such that some requirements of
Regulation SCI might be appropriate for some exempt clearing agencies,
but not others? Why or why not? If so, what are those distinctions and
what are those requirements? Please be specific and provide examples,
if possible.
41. To what extent do exempt clearing agencies rely on third-party
providers to provide systems that support their clearance and
settlement functions? Do such third-party providers introduce
operational or other risks that would be subject to the requirements of
Regulation SCI? Are there any
[[Page 23172]]
circumstances in which the use of a third-party provider would prevent
compliance with Regulation SCI? Why or why not? Please be specific and
provide examples, if possible.
42. For EU CCPs authorized under EMIR, the Commission stated that
exemptive relief may be considered under section 17A(b)(1) of the
Exchange Act in scenarios where SEC requirements are unnecessary,
duplicative, or inconsistent relative to EMIR requirements. The
Commission recognizes that the EU and other jurisdictions may have
requirements similar those being proposed in Regulation SCI. Should the
Commission provide foreign CCPs with exemptive relief from newly
proposed Regulation SCI? Why or why not? In the context of exemptive
requests for newly proposed Regulation SCI, what factors should the
Commission take into account in assessing whether SEC requirements may
be ``unnecessary, duplicative, or inconsistent'' relative to home
jurisdiction requirements for foreign CCPs, including EU CCPs
authorized under EMIR? Please be specific and provide examples, if
possible.
3. General Request for Comment on Proposed Expansion of SCI Entities
43. The Commission requests comment generally on the proposed
expansion of the definition of SCI entity. Are there are other entities
that should be included as SCI entities? If so, which entities and why?
Further, are there any entities, which if included as SCI entities,
would have critical SCI systems? Please explain.
B. Request for Comment Regarding Significant-Volume Fixed Income ATSs
and Broker-Dealers Using Electronic or Automated Systems for Trading of
Corporate Debt Securities or Municipal Securities
1. Discussion
As stated above, the Commission did not include Fixed Income ATSs
as SCI entities when it adopted Regulation SCI based on consideration
of comments regarding the risk profile of these ATSs at that time.\242\
In light of the evolution of technology since then, and specifically,
the technology for trading corporate debt and municipal securities, the
Commission requests comment on whether significant-volume ATSs and/or
broker-dealers with significant transaction activity in corporate debt
or municipal securities should be subject to Regulation SCI.\243\
---------------------------------------------------------------------------
\242\ See supra text accompanying note 79.
\243\ For purposes of this release, the term Fixed Income ATSs
refers only to ATSs trading corporate debt and municipal securities
and excludes Government Securities ATSs, which are the subject of a
separate proposal. See supra notes 84-85 and accompanying text.
---------------------------------------------------------------------------
Currently, an ATS is subject to Rule 301(b)(6) of Regulation ATS if
its trading volume reaches ``20 percent or more of the average daily
volume traded in the United States'' in either corporate debt or
municipal securities.\244\ Among other things, Rule 301(b)(6) requires
such a significant-volume Fixed Income ATS to notify the Commission
staff of material systems outages and significant systems changes and
to establish adequate contingency and disaster recovery plans.\245\ The
requirements of Rule 301(b)(6) applicable to significant-volume Fixed
Income ATSs, which date to 1998 and have not been updated since that
time, are less rigorous than the requirements of Regulation SCI.\246\
The Commission explained in the SCI Adopting Release that it adopted
Regulation SCI to expand upon, update, and modernize the requirements
of Rule 301(b)(6) for those ATSs trading NMS stocks and equity
securities that are not NMS stocks that it had identified as playing a
significant role in the U.S. securities markets.\247\ Regulation SCI
did this by, for example, moving from the Commission's 1980s and 90s-
era technology precepts to a framework that speaks to a broader set of
systems that are subject to an overarching standard: that they be
subject to policies and procedures reasonably designed to maintain
operational capability and promote the maintenance of fair and orderly
markets. Regulation SCI also requires tested business continuity and
disaster recovery plans that include geographic diversity to achieve
specified recovery time objectives. In addition, Regulation SCI
requires notice and dissemination of information regarding a wider
range of systems problems (i.e., SCI events) to the Commission and
affected market participants, and also requires that corrective action
be taken with respect to such problems.\248\
---------------------------------------------------------------------------
\244\ See 17 CFR 242.301(b)(6). Until Regulation SCI was
adopted, Rule 301(b)(6) applied to an ATS trading NMS stocks, equity
securities that are not NMS stocks, corporate debt securities, or
municipal securities exceeding a 20% volume threshold. Since the
adoption of Regulation SCI, Rule 301(b)(6) has applied only to ATSs
trading corporate debt securities or municipal securities exceeding
a 20% volume threshold. Rule 301(b)(6) currently does not specify
whether the thresholds refer to share, dollar, or transaction
volume. In the Government Securities ATS Reproposal, the Commission
has proposed to specify that these thresholds refer to ``average
daily dollar volume.'' See Government Securities ATS Reproposal,
supra note 84, at 15572.
\245\ More specifically, with regard to systems that support
order entry, order routing, order execution, transaction reporting,
and trade comparison, Rule 301(b)(6)(ii) of Regulation ATS requires
significant-volume ATSs to: establish reasonable current and future
capacity estimates; conduct periodic capacity stress tests of
critical systems to determine their ability to accurately, timely
and efficiently process transactions; develop and implement
reasonable procedures to review and keep current system development
and testing methodology; review system and data center vulnerability
to threats; establish adequate contingency and disaster recovery
plans; perform annual independent reviews of systems to ensure
compliance with the above listed requirements and perform review by
senior management of reports containing the recommendations and
conclusions of the independent review; and promptly notify the
Commission of material systems outages and significant systems
changes. See 17 CFR 242.301(b)(6)(ii). As discussed in the SCI
Adopting Release, the application of Rule 301(b)(6) to Fixed Income
ATSs is in addition to various Exchange Act and FINRA rules
applicable to broker-dealers operating ATSs. See SCI Adopting
Release, supra note 1, at 72263. See also supra notes 146-166 and
accompanying text (providing an updated discussion of various
Exchange Act, FINRA, and certain other regulations applicable to
broker-dealers, including those operating ATSs).
\246\ See Securities Exchange Act Release No. 40760 (Dec. 8,
1998), 63 FR 70844, (Dec. 22, 1998) (``Regulation ATS Adopting
Release'').
\247\ See SCI Adopting Release, supra note 1, at 72264.
\248\ As discussed further below, the Commission is now
proposing updates to Regulation SCI that are designed to take
account of new and emerging technology challenges. If adopted, these
changes to Regulation SCI will render Rule 301(b)(6) even more
outdated by comparison. Below the Commission solicits comment on
whether, in lieu of applying Regulation SCI to these entities, Rule
301(b)(6) should be updated instead.
---------------------------------------------------------------------------
When proposing Regulation SCI in 2013, the Commission sought to
include as SCI entities those ATSs that are reliant on automated
systems and represent a significant pool of liquidity in certain asset
classes.\249\ Regarding Fixed Income ATSs, the Commission proposed to
include those exceeding five percent or more of either average daily
dollar volume or average daily transaction volume traded in the United
States, but it did not adopt that proposal.\250\ Instead, for ATSs
trading corporate debt or municipal securities
[[Page 23173]]
exceeding a 20 percent ``average daily volume'' threshold, it left in
place the older, more limited technology regulations in Rule 301(b)(6)
of Regulation ATS.\251\ In support of that determination, the
Commission distinguished the equity markets from the corporate debt and
municipal securities markets, stating that the latter markets generally
relied much less on automation and electronic trading than markets that
trade NMS stocks or equity securities that are not NMS stocks, and also
tended to be less liquid than the equity markets, with slower execution
times and less complex routing strategies.\252\
---------------------------------------------------------------------------
\249\ See SCI Proposing Release, supra note 14, at 18094-96.
\250\ See SCI Proposing Release, supra note 14, at 18093, 18095.
At adoption, the Commission included only ATSs that trade NMS stocks
and equity securities that are not NMS stocks exceeding a specified
volume threshold. Rule 1000 of Regulation SCI defines SCI ATS to
mean an ATS, which, during at least four of the preceding six
calendar months, had: (1) With respect to NMS stocks: (i) 5% or more
in any single NMS stock, and 0.25% or more in all NMS stocks, of the
average daily dollar volume reported by an effective transaction
reporting plan, or (ii) 1% or more, in all NMS stocks, of the
average daily dollar volume reported by an effective transaction
reporting plan; or (2) with respect to equity securities that are
not NMS stocks and for which transactions are reported to an SRO, 5%
or more of the average daily dollar volume as calculated by the SRO
to which such transactions are reported. See 17 CFR 242.1000. Rule
1000 also states that an ATS that meets one of these thresholds is
not required to comply with Regulation SCI until six months after
satisfying the threshold for the first time. See id.
\251\ See SCI Adopting Release, supra note 1, at 72270.
\252\ See id. The Commission also acknowledged comments stating
that lowering the 20% threshold in Rule 301(b)(6) could have the
unintended effect of discouraging technology evolution in these
markets. Id.
---------------------------------------------------------------------------
Due to changes in the market and updates to technology, the
Commission again requests comment on applying Regulation SCI to
significant-volume Fixed Income ATSs, and further requests comment
regarding broker-dealers trading significant volume in corporate debt
or municipal securities.\253\ In particular, the Commission is
soliciting comment on whether the distinctions drawn by the Commission
in its original adoption of Regulation SCI, between equities markets on
the one hand, and the corporate debt and municipal securities markets
on the other, based on differences in their reliance on automation and
electronic trading strategies have diminished such that Fixed Income
ATSs or broker-dealers with significant activity in corporate debt and
municipal securities should be subject to increased technology
oversight pursuant to Regulation SCI.
---------------------------------------------------------------------------
\253\ See SCI Adopting Release, supra note 1, at 72409 (stating,
``[A]s the Commission monitors the evolution of automation in this
market, the Commission may reconsider the benefits and costs of
extending the requirements of Regulation SCI to fixed-income ATSs in
the future.'').
---------------------------------------------------------------------------
As noted above, the Commission proposed and then recently re-
proposed to extend Regulation SCI to ATSs that trade U.S. Treasury
Securities or Agency Securities (i.e., Government Securities ATSs)
exceeding a five percent dollar volume threshold in at least four out
of the preceding six months, citing the increased reliance on
technology in the government securities markets in recent years and the
resulting operational similarities and technological vulnerabilities
and risks of such ATSs to existing SCI entities.\254\ In the Government
Securities ATS Reproposal, the Commission discussed ways in which the
government securities markets have become increasingly dependent on
electronic trading in recent years.\255\ The Commission solicits
comment on whether trading in corporate debt securities or municipal
securities by ATSs and/or broker-dealers has evolved similarly.
---------------------------------------------------------------------------
\254\ See Government Securities ATS Proposing Release, supra
note 84, at 87152-54. See also Government Securities ATS Reproposal,
supra note 84, at 15527-29. Specifically, in the Government
Securities ATS Reproposal, the Commission discussed how advances in
technology have resulted in the increased use of systems that use
protocols and non-firm trading interest to bring together buyers and
sellers of securities and how these systems functioned as market
places similar to market places provided by registered exchanges and
ATSs. See Government Securities ATS Reproposal, supra note 84, at
15497-98.
\255\ See Government Securities ATS Reproposal, supra note 84,
at 15526.
---------------------------------------------------------------------------
The growth in electronic trading in the corporate debt and
municipal securities markets in recent years appears to be
substantial,\256\ and accelerating.\257\ Although traditional methods
of bilateral corporate bond trading conducted through either dealer-to-
dealer or dealer-to-customer negotiations (often using telephone calls)
remain important (with an estimated 71.4 percent of trading in
corporate bonds facilitated via bilateral voice trading during the
first half of 2021),\258\ more recent data suggest that dependencies on
electronic protocols have increased in the last year alone.\259\
---------------------------------------------------------------------------
\256\ See Government Securities ATS Reproposal, supra note 84,
at 15528 at n. 389, 15606, and 15609. See also SIFMA Insights:
Electronic Trading Market Structure Primer, supra note 3 (outlining
and comparing electronification trends in different markets); SIFMA,
SIFMA Insights: US Fixed Income Market Structure Primer (July 2018),
available at https://www.sifma.org/wp-content/uploads/2018/07/SIFMA-Insights-FIMS-Primer_FINAL.pdf (discussing several different types
of fixed-income markets, noting that the historically quote-driven
voice broker market structure has moved to accommodate limit order
book protocols in the intradealer markets and request-for-quote
(``RFQ'') protocols in the dealer-to-client markets; and assessing
that ``Current growth [in the dealer-to-client markets] is enabling
the total growth in overall electronification percentages: UST 70%,
Agency 50%, Repos 50%, IG Corporates 40% and HY Corporates 25%'').
\257\ See Annabel Smith, Pandemic sees electronic fixed income
trading skyrocket in 2021, the Trade (Mar. 3, 2021), available at
https://www.thetradenews.com/pandemic-sees-electronic-fixed-income-trading-skyrocket-in-2021/; Municipal Securities Rulemaking Board,
Characteristics of Municipal Securities Trading on Alternative
Trading Systems and Broker's Broker Platforms (Aug. 2021), available
at https://msrb.org/MarketTopics/-/media/27E4F111D18246C6B9DA849082230CD0.ashx (discussing volume on ATSs and
broker's broker platforms from 2016-2021).
\258\ See Government Securities ATS Reproposal, supra note 84,
at 15606-07. Market observers also note increased use of electronic
trading in the growth of all-to-all trading and portfolio trading.
See Greenwich Associates, All-to-All Trading Takes Hold in Corporate
Bonds (Q2 2021), available at https://content.marketaxess.com/sites/
default/files/2021-04/All-to-All-Trading-Takes-Hold-in-Corporate-
Bonds.pdf#:~:text=In%20all-%20to-
all%20markets%2C%20where%20asset%20managers%20provide,of%20the%20corp
orate%20bond%20market%E2%80%99s%20growth%20and%20evolution (stating
that all-to-all trading, which allows asset managers to provide
liquidity to dealers and each other and for dealers to trade with
one another electronically, has increased from 8% of investment
grade volume in 2019 to 12% of investment grade volume in 2020); see
also Li Renn Tsai, Understanding Portfolio Trading, Tradeweb (Sept.
6, 2022), available at https://www.tradeweb.com/newsroom/media-
center/in-the-news/understanding-portfolio-trading/
#:~:text=Portfolio%20Trading%20is%20a%20solution%20that%20gives%20ass
et,savings%2C%20mitigate%20operational%20risk%2C%20and%20reduce%20mar
ket%20slippage (discussing that portfolio trading, a process similar
to program trading for equities which allows asset managers to buy/
sell a basket of bonds to trade together as a single package,
increased from 2% of total corporate bond trades in Jan. 2020 to 5%
in Sept. 2021); Kate Marino, Algorithms have arrived in the bond
market, Axios (Sept. 3, 2021), available at https://www.axios.com/2021/09/03/bond-market-trading-algorithms (discussing the increase
in portfolio trading in the bond market).
\259\ See Jack Pitcher, Record E-Trading Brings More Liquidity
to Corporate Bond Market, Bloomberg (Oct. 31, 2022), available at
https://www.bloomberg.com/news/articles/2022-10-31/electronic-credit-trading-surges-to-record-boosting-liquidity (citing a Sept.
2022 Coalition Greenwich report stating that ``Investment-grade
electronic trading accounted for 42% of volume in September, up 9
percentage points from the same month last year, and high yield was
34%, up 10 percentage points'' and about one third of trading volume
on junk bonds was through online trading in Sept. 2022, up from
about a quarter of trading volume in the same period last year); but
see Maureen O'Hara and Xing Alex Zhou, The electronic evolution of
corporate bond dealers, Journal of Financial Economics (Jan. 5,
2021), available at https://www.sciencedirect.com/science/article/pii/S0304405X21000015 (discussing that any eventual domination of
electronic bond trading may ultimately be limited because of the
particular nature of bond trading, which includes bond illiquidity,
the inability for larger trades to be broken into smaller trade
sizes that can trade electronically, dealer unwillingness to trade
more information-sensitive high-yield bonds electronically, and the
lack of new dealers in bond market structure).
---------------------------------------------------------------------------
In the municipal securities markets, a majority (56.4%) of all
inter-dealer trades and 26% of inter-dealer par value traded were
executed on ATSs during the period from August 2016 through April
2021.'' \260\ Moreover, as recently reported by the MSRB, the number of
transactions with a dealer on an ATS
[[Page 23174]]
more than tripled from 2015 to 2021; the average daily number of
municipal securities trades increased more than 550% from 2015 to 2022
and also increased more than 75% in 2022; and the average daily par
amount traded increased more than 400% since 2015 and more than doubled
in 2022 compared to 2021.\261\
---------------------------------------------------------------------------
\260\ See Simon Z. Wu, Characteristics of Municipal Securities
Trading on Alternative Trading Systems and Broker's Broker
Platforms, Municipal Securities Rulemaking Board (Aug. 2021),
available at https://www.msrb.org/sites/default/files/MSRB-Trading-on-Alternative-Trading-Systems.pdf. See also Government Securities
ATS Reproposal, supra note 84, at 15609 (discussing use of
electronic trading protocols in the municipal securities markets,
and noting that ``one MSRB report found that technological
advancements in this market and the movement away from voice trading
and towards electronic trading have helped reduce transaction costs
for dealer-customer trades by 51 percent between 2005 and 2018'').
\261\ See John Bagley and Marcelo Vieira, Customer Trading with
Alternative Trading Systems, Municipal Securities Rulemaking Board
(Aug. 2022), available at https://www.msrb.org/sites/default/files/2022-08/MSRB-Customer-Trading-with-Alternative-Trading-Systems.pdf.
---------------------------------------------------------------------------
While technological developments provide many benefits to the U.S.
securities markets and investors, they also increase the risk of
operational problems that have the potential to cause a widespread
impact on the securities markets and market participants. The trend in
electronic trading in these markets and recent data on the volume of
Fixed Income ATSs suggest that there is likely to be one or more Fixed
Income ATSs (or broker-dealers) that both rely on electronic trading
technology and represent or generate significant sources of liquidity
in these asset classes. In light of these developments, the Commission
believes that it is appropriate to request comment on whether ATSs and
broker-dealers that trade significant volume in corporate debt
securities or municipal securities should also be subject to some or
all of the requirements of Regulation SCI, and if so, what an
appropriate threshold would be.\262\
---------------------------------------------------------------------------
\262\ An ATS that trades NMS stocks is subject to Regulation SCI
if its trading volume reaches: (i) 5% or more in any single NMS
stock and 0.25% or more in all NMS stocks of the average daily
dollar volume reported by applicable transaction reporting plans; or
(ii) 1% or more in all NMS stocks of the average daily dollar volume
reported by applicable transaction reporting plans. An ATS that
trades equity securities that are not NMS stocks is subject to
Regulation SCI if its trading volume is 5% or more of the average
daily dollar volume (across all equity securities that are not NMS
stocks) as calculated by the SRO to which such transactions are
reported. As stated in the SCI Adopting Release, the higher
threshold for equity securities that are not NMS stocks versus NMS
stocks was selected taking into account the lower degree of
automation, electronic trading, and interconnectedness in the market
for equity securities that are not NMS stocks and assessment that
those ATSs would present lower risk to the market in the event of a
systems issue, but not necessarily no risk. See SCI Adopting
Release, supra note 1, at 72269. As stated above, a 5% average daily
dollar volume threshold is proposed for Government Securities ATSs
(i.e., ATSs that that trade Agency Securities and/or U.S. Treasury
Securities), where electronic trading is prevalent.
---------------------------------------------------------------------------
2. Request for Comment
The Commission is requesting comment on whether to apply Regulation
SCI to Fixed Income ATSs on the basis of volume, or to broker-dealers
that trade corporate debt or municipal securities on or above a trading
activity threshold. Specifically:
44. Should significant volume ATSs and/or broker-dealers with
significant transaction activity in corporate debt or municipal
securities be subject, in whole or in part, to Regulation SCI? \263\
---------------------------------------------------------------------------
\263\ The Commission notes that ATSs may also trade crypto asset
securities. See section II.A.3.b.v. (discussing obligations of ATSs
trading crypto asset securities).
---------------------------------------------------------------------------
45. Do commenters agree that the corporate debt and municipal
securities markets have become increasingly electronic in recent years?
Why or why not? Please provide data to support your views. If
electronic trading in the corporate debt and municipal securities
markets has increased, are these markets sufficiently different or
unique to warrant an approach to technology oversight that differs from
the approach taken in Regulation SCI? Why or why not?
46. What are the risks associated with systems issues at Fixed
Income ATSs or broker-dealers that trade corporate debt or municipal
securities today? What impact would a systems issue at a Fixed Income
ATS or such broker-dealer have on the trading of corporate debt or
municipal securities and the maintenance of fair and orderly markets?
47. Do electronic systems used to trade corporate debt or municipal
securities markets today have linkages to any trading venues, including
to U.S. Treasury markets? Are these linkages developing or likely to
develop? If not, are there interconnections with third-party or other
types of systems? How do any interconnections impact the risk of an SCI
event at a Fixed Income ATS or broker-dealer that trades corporate debt
or municipal securities on the market and/or market participants?
48. If commenters believe that Regulation SCI should apply, in
whole or in part, to Fixed Income ATSs or broker-dealers that trade
corporate debt or municipal securities, should there be a volume
threshold? For example, should the definition of SCI ATS include those
ATSs which, during at least four of the preceding six calendar months
had: (1) with respect to municipal securities, five percent or more of
the average daily dollar volume traded in the United States, as
provided by the self-regulatory organization to which such transactions
are reported; or (2) with respect to corporate debt securities, five
percent or more of the average daily dollar volume traded in the United
States as provided by the self-regulatory organization to which such
transactions are reported? Similarly, should the definition of SCI-
broker-dealer include a similar threshold to that proposed for
registered broker-dealers trading Treasury or Agency securities (during
at least four of the preceding six calendar months reported to the
self-regulatory organization(s) to which such transactions are
reported, average daily dollar volume in an amount that equals ten
percent (10%) or more of the total average daily dollar volume as made
available by the self-regulatory organization to which such
transactions are reported)?
49. Is basing a threshold on a percentage of average daily dollar
volume appropriate? Should there be an alternative threshold based on
average daily share volume? Or par value? Or transaction volume?
50. Would commenters have a different view on what an appropriate
threshold would be for Fixed Income ATSs if additional entities become
Fixed Income ATSs as a result of adoption of the amendments to Rule 3b-
16(a) that the Commission has proposed in the Government Securities ATS
Reproposal?
51. If the Commission proposes to apply Regulation SCI to Fixed
Income ATSs, should it propose a similar approach for broker-dealers
that trade corporate debt or municipal securities? Why or why not?
52. Would four out of the preceding six months be an appropriate
period to measure the volume thresholds for corporate debt and
municipal securities for purposes of Regulation SCI? Why or why not?
Would Fixed Income ATSs or broker-dealers that trade corporate debt or
municipal securities have available appropriate data with which to
determine whether a proposed threshold has been met? If not, what data
or information is missing? Does the answer depend on whether the
Government Securities ATS Reproposal (proposing to expand the
definition of exchange in Rule 3b-16(a)) is adopted as proposed?
53. Should any or all Fixed Income ATSs that meet a volume
threshold be subject to Rule 301(b)(6) of Regulation ATS instead of
Regulation SCI (i.e., should Rule 301(b)(6) be retained)? Why or why
not? Alternatively, should any or all Fixed Income ATSs or broker-
dealers that trade corporate debt or municipal securities be subject to
only certain provisions of Regulation SCI? Which ones and why? Please
explain. Alternatively, should Rule 301(b)(6) of Regulation ATS be
updated to be more similar to Regulation SCI in certain respects? If
so, how?
[[Page 23175]]
54. If commenters believe Rule 301(b)(6) should continue to apply
to Fixed Income ATSs, is the 20 percent average daily volume threshold
an appropriate threshold? Should it be amended to specify what the 20
percent average daily volume refers to (e.g., share? dollar? par?
transaction?)? Should the Commission amend Rule 301(b)(6) to subject
all Fixed Income ATSs, or certain Fixed Income ATSs, to the
requirements of the rule if the Fixed Income ATS reaches a 5 percent,
10 percent, 15 percent or another volume threshold? If so, please
explain why such a threshold would be appropriate. Alternatively,
should Rule 301(b)(6) be superseded and replaced by Regulation SCI?
55. Are there characteristics specific to the corporate debt and
municipal securities markets that would make applying Regulation SCI
broadly or any specific provision of Regulation SCI to Fixed Income
ATSs or broker-dealers that trade corporate debt or municipal
securities unduly burdensome or inappropriate? Please explain. For
example, if an ATS that fits the description of a Communication
Protocol System (as described in the Government Securities ATS
Proposal) were to be become an SCI ATS, would there be certain features
or functions of that system that would not meet the definition of SCI
systems, but that should be subject to Regulation SCI as SCI systems?
Would there be any features or functions of that system that would meet
the definition of SCI systems, but that should not be subject to
Regulation SCI? Commenters that recommend that the Commission propose
that ATSs and/or broker-dealers with significant transaction activity
in corporate debt or municipal securities be subject to Regulation SCI
are requested to specifically address the expected benefits and costs
of their recommendations, above the current baseline of Rule 301(b)(6)
of Regulation ATS, and the expected effects of their recommendations on
efficiency, competition, and capital formation.
C. Strengthening Obligations of SCI Entities
In adopting Regulation SCI, the Commission recognized that
technology, standards, and threats would continue to evolve and that
the regulation would need to be flexible so as to develop alongside
such changes. Thus, 17 CFR 242.1001(a)(1) (``Rule 1001(a)(1)'' of
Regulation SCI) requires that each SCI entity have ``written policies
and procedures reasonably designed to ensure that its SCI systems and,
for purposes of security standards, indirect SCI systems, have levels
of capacity, integrity, resiliency, availability, and security,
adequate to maintain the SCI entity's operational capability and
promote the maintenance of fair and orderly markets.'' \264\ While Rule
1001(a)(2) itemizes certain minimum requirements such policies and
procedures must include, they are generally broad areas that must be
covered (e.g., requiring capacity planning estimates, stress tests,
systems development and testing programs, reviews and testing for
threats, business continuity and disaster recovery plans, standards
with respect to market data, and monitoring for potential SCI events),
Rule 1001(a) does not prescribe in detail how they should be
addressed.\265\
---------------------------------------------------------------------------
\264\ See 17 CFR 242.1001(a)(1).
\265\ Id.
---------------------------------------------------------------------------
Since the adoption and implementation of Regulation SCI, technology
and the ways SCI entities employ such technology have continued to
evolve, as have the potential vulnerabilities of, and threats posed to,
SCI entities. In addition, the Commission and its staff have gained
valuable experience and insights with respect to technology issues
surrounding SCI entities and their systems. Given the important role
SCI entities play in our markets, it is appropriate to strengthen the
requirements Regulation SCI imposes on SCI entities to help ensure that
their SCI systems and indirect SCI systems continue to remain robust,
resilient, and secure.
1. Systems Classification and Lifecycle Management
a. Discussion
The terms ``SCI systems,'' ``indirect SCI systems,'' and ``critical
SCI systems'' are foundational definitions within Regulation SCI. These
terms map out the scope of Regulation SCI's applicability to an SCI
entity. If an SCI entity does not classify its systems pursuant to
these defined terms, it cannot fully understand how it should apply
Regulation SCI's requirements and where its obligations under the
regulation start and end. Specifically, ``SCI systems'' is defined to
mean ``all computer, network, electronic, technical, automated, or
similar systems of, or operated by or on behalf of, an SCI entity that,
with respect to securities, directly support trading, clearance and
settlement, order routing, market data, market regulation, or market
surveillance.'' The definition of ``SCI systems'' does not scope in
every system of an SCI entity; rather, it is limited to those functions
the Commission believed were of particular significance for the
purposes of Regulation SCI, namely systems that, with respect to
securities, directly support trading, clearance and settlement, order
routing, market data, market regulation, or market surveillance.
``Indirect SCI systems'' come into play with respect to security
standards and systems intrusions and include ``any systems of, or
operated by or on behalf of, an SCI entity that, if breached, would be
reasonably likely to pose a security threat to SCI systems.''
Importantly, both definitions include systems operated by an SCI entity
as well as systems operated by third parties on behalf of a given SCI
entity.
Except as discussed above,\266\ the proposed rule amendments would
not change the definition of SCI systems, indirect SCI systems, or
critical SCI systems. However, the Commission is proposing to modify
certain existing, and add a number of additional, requirements to the
policies and procedures required of SCI entities with respect to their
SCI systems (and indirect SCI systems or critical SCI systems, as the
case may be), under Rule 1001(a), as discussed in further detail below.
---------------------------------------------------------------------------
\266\ See supra section III.A.2.b.iv (discussing the proposed
limitation to the definition of SCI systems for certain SCI broker-
dealers).
---------------------------------------------------------------------------
One of the first steps many SCI entities take to comply with
Regulation SCI is developing a classification of their systems in
accordance with these definitions; i.e., a documented inventory of the
specific systems of the SCI entity that fall within each type of
systems (i.e., SCI system, indirect SCI system, and critical SCI
system). However, not all SCI entities maintain such a list. A
foundational and essential step for an SCI entity to be able to meet
its obligations under Regulation SCI is to be able to identify clearly
the systems that are subject to obligations under Regulation SCI.
Therefore, the Commission is proposing a new provision to ensure that
SCI entities develop and maintain a written inventory of their systems
and classification. Specifically, new paragraph (a)(2)(viii) in Rule
1001 would require each SCI entity to include in their policies and
procedures the maintenance of a written inventory and classification of
all of its SCI systems, critical SCI systems, and indirect SCI systems.
In addition, 17 CFR 242.1001(a)(2)(viii) (``proposed Rule
1001(a)(2)(viii)'') would require that the
[[Page 23176]]
SCI entity's policies and procedures include a program with respect to
the lifecycle management of such systems, including the acquisition,
integration, support, refresh, and disposal of such systems, as
applicable. This provision would require SCI entities to consider how a
system subject to Regulation SCI moves through its lifecycle, from
initial acquisition to eventual disposal. The purpose of this provision
is to help ensure that an SCI entity is able to identify risks an SCI
system may face during its various lifecycle phases. Importantly, SCI
entities would need to address the refresh of such systems in their
lifecycle management program. Generally, systems that are properly
refreshed and updated include up-to-date software and security patches.
In addition, the lifecycle management program required in their
policies and procedures must address disposal of such systems. Disposal
generally should include sanitization of end-of-life systems to help
ensure that systems that are no longer intended as SCI systems or
indirect SCI systems do not contain sensitive information (e.g.,
relating to the operations or security of the SCI entity or its systems
architecture) that might be unintentionally revealed if such end-of-
life systems fall into the wrong hands.\267\ Thus, this generally would
require SCI entities to pinpoint precisely when a given system
``becomes'' an SCI system (or an indirect SCI system), as well as the
point at which it is officially ``no longer'' an SCI system (or an
indirect SCI system).
---------------------------------------------------------------------------
\267\ For example, such policies generally should not simply
require mere disposal of end-of-life SCI systems but should ensure
their effective disposal such that sensitive information (including
software, configuration info, middleware, etc.) that could
compromise the security of an SCI entity's data and network is not
inadvertently revealed.
---------------------------------------------------------------------------
b. Request for Comment
56. Do commenters agree with the proposed requirement in proposed
Rule 1001(a)(2)(viii) to require SCI entities to include in their
policies and procedures the maintenance of a written inventory and
classification of all of its SCI systems, critical SCI systems, and
indirect SCI systems? Why or why not?
57. Do commenters believe that Regulation SCI should require that
SCI entities have a program with respect to the lifecycle management of
such systems, including the acquisition, integration, support, refresh,
and disposal of such systems, as applicable? Why or why not? Do SCI
entities currently maintain such lifecycle management programs? Are
there other aspects of lifecycle management that commenters believe
should be included in the proposed requirement? If so, please describe.
2. Third-Party Provider Management
a. Third-Party Provider Management Issues
When it adopted Regulation SCI, the Commission recognized that an
SCI entity may choose to use third parties to assist it in running its
SCI systems and indirect SCI systems. The Commission took into account
such scenarios by including the phrase ``or operated by or on behalf of
'' \268\ in key definitions such as ``SCI systems,'' ``critical SCI
systems,'' and ``indirect SCI systems.'' The inclusion of the phrase
``or on behalf of'' was intended to make clear that outsourced systems
are not excluded and that any such systems were within the scope of
Regulation SCI, even when operated not by the SCI entity itself but
rather by a third party. In the SCI Adopting Release, the Commission
made clear that it was the responsibility of the SCI entity to manage
its relationships with such third parties through due diligence,
contract terms, and monitoring of third-party performance.\269\ In
addition, as the Commission stated when adopting Regulation SCI, ``[i]f
an SCI entity is uncertain of its ability to manage a third-party
relationship . . . to satisfy the requirements of Regulation SCI, then
it would need to reassess its decision to outsource the applicable
system to such third party. (footnotes omitted)'' \270\
---------------------------------------------------------------------------
\268\ Emphasis added.
\269\ See SCI Adopting Release, supra note 1, at 72276.
\270\ Id.
---------------------------------------------------------------------------
An SCI entity may decide to outsource certain functionality to, or
utilize the support or services of, a third-party provider (which would
include both affiliated providers as well as vendors unaffiliated with
the SCI entity) for a variety of reasons. In selecting a third-party
provider to operate an SCI system on its behalf, an SCI entity may be
attracted to the potential benefits that it may believe the third-party
provider would bring, which could range from cost efficiencies and
increased automation to particular expertise the vendor may provide in
areas such as security and data latency. Third-party providers may also
provide services that an SCI entity may not currently have in-house,
such as a particular type of software required to run or monitor a
given SCI system, or a data or pricing feed.
The Commission believes that the use of third-party providers by
SCI entities can be appropriate and even advantageous and preferable in
certain instances, given the benefits they may provide when employed
appropriately. However, as the Commission discussed in the SCI Adopting
Release, when utilizing a third-party provider, an SCI entity is
``responsible for having in place processes and requirements to ensure
that it is able to satisfy the requirements of Regulation SCI for
systems operated on behalf the SCI entity by a third party.'' \271\
Thus, an SCI entity generally should be aware of the potential costs
and risks posed by this choice including, for example: cybersecurity
risks (e.g., a compromise in a third-party provider's systems impacting
the systems of the SCI entity); operational risks (e.g., a disruption
or shutdown of a third-party provider's service, or a bankruptcy or
cessation of operation of a third-party provider, negatively impacting
or disrupting the operation of an SCI system); reputational risks
(e.g., a faulty or incorrect input from a third-party provider causing
an SCI entity's output to be incorrect); and legal and regulatory risks
(e.g., a third-party provider's lack of responsiveness or unwillingness
to provide the SCI entity necessary information or detail results in an
SCI entity missing a reporting or compliance deadline, such as a
deadline for reporting an SCI event or taking corrective action on an
SCI event). With the continued and increasing use of third-party
providers by SCI entities and, in some cases, with third-party
providers playing increasingly important and even critical roles in
ensuring the reliable, resilient, and secure operation of SCI systems
and indirect SCI systems, the Commission believes that it is
appropriate to strengthen Regulation SCI's requirements with respect to
SCI entities' use of third-party providers and the management of such
relationships, as described in detail below.\272\
---------------------------------------------------------------------------
\271\ See SCI Adopting Release, supra note 1, at 72276.
\272\ See infra sections III.C.2.b. through d (discussing the
proposed rule changes with respect to third-party management
programs, third-party providers for critical SCI systems, and third-
party provider participation in BC/DR testing).
---------------------------------------------------------------------------
In recent years, many types of businesses have turned to cloud
service providers (``CSPs'') to take advantage of their services.\273\
Today, CSPs can provide a range of support to a wide variety of
businesses, with deployment models ranging from public cloud, private
cloud, hybrid cloud, and multi-cloud, and service models including
Infrastructure as a Service (``IaaS''), Platform as a Service
(``PaaS''), and
[[Page 23177]]
Software as a Service (``SaaS'').\274\ SCI entities are also engaging
with CSPs to assist in operating their SCI systems and some utilize, or
have announced their intention to utilize, CSPs for all or nearly all
of their applicable systems,\275\ others have begun moving towards
employing CSPs at a more deliberate pace,\276\ and others continue to
explore and consider whether or not to use such services. A decision to
move their systems from an ``on-premises,'' \277\ internally run data
center to ``the cloud'' is a significant one, often with potential
benefits that may include cost efficiencies, automation, increased
security, and resiliency, and entities may also take advantage of such
an opportunity to reengineer or otherwise update their systems and
applications to run even more efficiently than before.
---------------------------------------------------------------------------
\273\ See, e.g., Angus Loten, CIOs Accelerate Pre-Pandemic Cloud
Push Wall St. J. (Apr. 26, 2021).
\274\ Additional information relating to the services provided
by CSPs is widely available online from CSPs as well as firms that
provide consulting services for potential clients of CSPs. FINRA,
Cloud Computing in the Securities Industry 3-4 (Aug. 2021),
available at https://www.finra.org/sites/default/files/2021-08/2021-cloud-computing-in-the-securities-industry.pdf (providing a summary
description of these services). For a discussion of considerations
and risks relevant to the use of cloud service providers by entities
in the financial services sector, see the Financial Services
Sector's Adoption of Cloud Services, U.S. Dept. of the Treasury
(issued February 8, 2023), available at: https://home.treasury.gov/system/files/136/Treasury-Cloud-Report.pdf.
\275\ See, e.g., FINRA, Podcast: How the Cloud has
Revolutionized FINRA Technology (July 30, 2018), available at
www.finra.org/media-center/finra-unscripted/how-cloud-has-revolutionized-finra-technology; Securities Exchange Act Release No.
93433 (Oct. 27, 2021), 86 FR 60503 (Nov. 2, 2021) (SR-OCC-2021-802)
(Notice of Filing and Extension of Review Period of Advance Notice
Relating to OCC's Adoption of Cloud Infrastructure for New Clearing,
Risk Management, and Data Management Applications). See also, Huw
Jones, Microsoft invests $2 billion in London Stock Exchange,
Reuters (Dec. 12, 2022).
\276\ See, e.g., Nasdaq, Press Release: Nasdaq and AWS Partner
to Transform Capital Markets (Nov. 30, 2021), available at
www.nasdaq.com/press-release/nasdaq-and-aws-partner-to-transform-capital-markets-2021-12-01; Nasdaq, Press Release: Nasdaq Completes
Migration of the First U.S. Options Market to AWS (Dec. 5, 2022),
available at https://www.nasdaq.com/press-release/nasdaq-completes-migration-of-the-first-u.s.-options-market-to-aws-2022-12-05.
\277\ In using the term ``on-premises,'' the Commission means
that the data center's hardware (e.g., the servers, switches, and
other physical machines) is generally under the control of and
operated by the SCI entity, even if the data center is physically
located in a facility operated by a third party and for which such
third party provides or arranges for certain services including, but
not limited to, power, water, and physical security.
---------------------------------------------------------------------------
In deciding whether to utilize a CSP, an SCI entity generally
should take into account the various factors it would as with any other
third-party providers.\278\ However, given the degree to which CSP
services may be integral to the operation of SCI systems, SCI entities
generally should examine closely any potential relationship and
utilization of CSP services. Importantly, regardless of the CSP and
service model an SCI entity may be considering, it is the SCI entity's
responsibility to ensure that it can and does comply with Regulation
SCI. For example, in describing the services they provide, CSP
marketing materials typically describe their service models as ``shared
responsibilities'' between the CSP and client. With respect to an SCI
entity's obligations under Regulation SCI, however, the SCI entity
bears responsibility for compliance with the requirements of Regulation
SCI, including for SCI systems operated on its behalf by third-party
providers. As with other third-party providers that operate SCI systems
on behalf of an SCI entity, if an SCI entity is uncertain of its
ability to manage a CSP relationship (whether through appropriate due
diligence, contract terms, monitoring, or other methods) to satisfy the
requirements of Regulation SCI, the SCI entity would need to reassess
its decision to outsource the applicable system to such CSP. As with
any third-party provider, the SCI entity generally should not rely
solely on the reputation of or attestations from a given CSP. In
addition, an SCI entity that utilizes a CSP should not view the usage
of a CSP from the perspective of being able to turn over its Regulation
SCI-related responsibilities to the CSP; instead, an SCI entity
generally should ensure that its own personnel have the requisite
skills to properly manage and oversee such a relationship, and
understand the issues--including technical ones--that may arise from
the utilization of a CSP and are relevant to ensure its compliance with
Regulation SCI.\279\
---------------------------------------------------------------------------
\278\ See SCI Adopting Release, supra note 1, at 72275-76. In
this section, the Commission discusses many issues that may be
relevant for SCI entities to consider in relation to their use of
third-party vendors generally, and with respect to cloud service
providers specifically. These issues include those that the
Commission and its staff have encountered with respect to SCI
entities since the adoption and implementation of Regulation SCI;
however, this is not meant to be a comprehensive list of all
potential issues and considerations, and the Commission welcomes
comment on other applicable issues and considerations that
commenters believe are relevant for SCI entities with respect to
third-party providers.
\279\ See SCI Adopting Release, supra note 1, at 72276.
---------------------------------------------------------------------------
Rule 1001(a)(2)(v) of Regulation SCI requires that an SCI entity's
policies and procedures include business continuity and disaster
recovery plans that include maintaining backup and recovery
capabilities sufficiently resilient and geographically diverse and that
are reasonably designed to achieve next business day resumption of
trading and two-hour resumption of critical SCI systems following a
wide-scale disruption.\280\ When the Commission adopted this provision
it did not specifically discuss its application to CSPs. Whereas ``on-
premises'' systems are installed and run at a site under the control of
an SCI entity, the systems of an SCI entity that reside ``in the public
cloud'' may not be tied to any specific geographic location. However,
SCI entities must ensure that their SCI systems, whether ``on-
premises'' or ``in the public cloud,'' comply with the requirement in
Regulation SCI to have backup and recovery capabilities sufficiently
resilient and geographically diverse and that are reasonably designed
to achieve next business day resumption of trading and two-hour
resumption of critical SCI systems following a wide-scale disruption.
These provisions of Regulation SCI exist to help limit the downtime
caused by wide-scale disruptions. Thus, for example, in determining
whether any SCI-related systems ``in the public cloud'' can meet this
requirement, SCI entities generally should understand where its systems
will reside (i.e., the locations of the CSP data center site(s) that
may be used), and should consider whether those sites provide
sufficient geographical diversity and operational resiliency to achieve
the resumption requirements of Rule 1001(a)(2)(v).\281\
---------------------------------------------------------------------------
\280\ See SCI Adopting Release, supra note 1, at 72295. See also
infra section III.C.2.c, including notes 292-294 and accompanying
text (discussing the proposed modifications to Rule 1001(a)(2)(v)).
\281\ While CSPs may use slightly different nomenclature,
typically, a CSP's region contains multiple availability zones, and
an availability zone contains multiple data centers.
---------------------------------------------------------------------------
As discussed in section III.C.2.b.2 below, the Commission's
proposal includes a requirement that every SCI entity undertake a risk-
based assessment of the criticality of each of its third-party
providers, including analyses of third-party provider concentration, of
key dependencies if the third-party provider's functionality, support,
or service were to become unavailable or materially impaired, and of
any potential security, including cybersecurity, risks posed. This
third-party provider assessment may be particularly relevant with
respect to CSPs utilized by SCI entities, and an SCI entity may want to
take into consideration the degree to which it may be ``locked-in'' to
any given CSP it is considering engaging. As with any third-party
provider, it could consider its exit strategies with respect to any
potential CSP it might choose and may consider architectural decisions
that would enable a quick re-deployment to another CSP if needed. Even
when tools,
[[Page 23178]]
such as containerization,\282\ exist that are designed to automate and
simplify the deployment of systems to CSPs, and which appear at first
glance to allow for greater portability among CSPs, SCI entities may
want to consider any lock-in effects that utilizing CSP-specific tools
might have. In addition, it may be useful for SCI entities to consider
the relative benefits and costs of potential alternatives that could
reduce dependence on any single CSP. In cases where the use of CSPs is
being considered for both primary and backup systems, an SCI entity,
taking into account the nature of its systems, may want to consider
whether it is appropriate to utilize different CSPs, for such systems,
as well as whether an ``on-premises'' backup may be appropriate.
Similarly, SCI entities should generally engage their CSPs to ensure
that they can meet the business continuity and disaster recovery
requirements of Regulation SCI, which may not apply to the vast
majority of a CSP's other clients.
---------------------------------------------------------------------------
\282\ Containerization allows developers to deploy applications
more quickly by bundling an application with its required
frameworks, configuration files, and libraries such that it may be
run in different computing environments. Container orchestrators
allow for automated deployment of identical applications across
different environments, and simplify the process for management,
scaling, and networking of containers.
---------------------------------------------------------------------------
More broadly, an SCI entity should ensure that it is able to meet
its regulatory obligations under Regulation SCI, including the notice
and dissemination requirements of Rule 1002. When there is a systems
issue (including, for example, an outage or a cybersecurity event) at a
CSP, a wide swath of CSP clients may be affected. SCI entities have
regulatory requirements under Regulation SCI that other CSP clients may
not have, and an SCI entity must have information regarding such issues
within the time requirements of Regulation SCI to comply with its
notice and dissemination requirements.\283\
---------------------------------------------------------------------------
\283\ See, e.g., Rule 1002 (relating to an SCI entity's
obligations with respect to SCI events). See also Rule 1001(c)
(which include requirements that an SCI entity's policies and
procedures include escalation procedures to quickly inform
responsible SCI personnel of potential SCI events).
---------------------------------------------------------------------------
An SCI entity should also be cognizant of its data security and
recordkeeping obligations under Regulation SCI,\284\ and generally
should consider how the CSP and its employees or contractors would
secure confidential information, how and where it would retain
information (including all records required to be kept under Regulation
SCI), how the information would be accessed by the personnel of the SCI
entity, or others, such as those conducting SCI reviews and Commission
staff, as well as ensure that such information access will be provided
in a manner that provides for its compliance with the requirements of
Regulation SCI.
---------------------------------------------------------------------------
\284\ See 17 CFR 242.1001(a)(2)(iv) (``Rule 1001(a)(2)(iv)'')
(relating to, among other things, vulnerabilities pertaining to
internal threats) and Rule 1005 (relating to recordkeeping
requirements related to compliance with Regulation SCI). See also
infra section III.C.3.a (discussing newly proposed 17 CFR
242.1001(a)(2)(x) (``proposed Rule 1001(a)(2)(x)''), relating to
unauthorized access to systems and information).
---------------------------------------------------------------------------
While the discussion above is focused on CSPs, they are only one of
many types of third-party providers an SCI entity may utilize. The
discussion above is not an exhaustive list of issues SCI entities
generally should consider with respect to utilizing CSPs; in addition,
while the discussion provides some illustrative examples of areas of
potential concern in an SCI entity's relationship with a CSP, similar
issues may be applicable to the relationships between SCI entities and
other types of third parties. In addition, some third-party providers
may provide key functionality that may not have been widely utilized by
SCI entities when Regulation SCI was adopted,\285\ and the Commission
anticipates that third-party providers will likely arise to provide
other types of functionality, service, or support to SCI entities that
are not contemplated yet today. All the same, the Commission believes
that any third-party provider that an SCI entity uses with respect to
its SCI systems and indirect SCI systems should be managed
appropriately by the SCI entity to help ensure that such utilization of
the third-party provider is consistent with the SCI entity's
obligations under Regulation SCI.
---------------------------------------------------------------------------
\285\ One example of this are the services of shadow
infrastructure providers, such as edge cloud computing, content
delivery networks, and DNS providers.
---------------------------------------------------------------------------
As discussed above, when the Commission adopted Regulation SCI in
2014, it had accounted for the possibility that an SCI entity might
utilize third-party providers to operate its SCI systems or indirect
SCI systems by incorporating the phrase ``on behalf of'' in certain key
definitions of Regulation SCI.\286\ In addition, ``outsourcing'' is one
of the ``domains'' identified by the Commission and its staff.\287\
Based on the experience of Commission staff, all SCI entities that
utilize third-party providers have some level of third-party provider
oversight in place. However, given the growing role they are playing
with respect to SCI systems and indirect SCI systems, and because the
myriad of issues that may arise with respect to third-party providers
(including, but not limited to oversight, access, speed of information
flow, security and unauthorized access, loss of expertise internally,
and lock-in) may become even more amplified when taking into account
the regulatory obligations of SCI entities, the Commission believes
that it is appropriate to delineate more clearly requirements with
respect to the oversight and management of third-party providers, and
thus is proposing to revise Regulation SCI to include additional
requirements relating to third-party providers.\288\
---------------------------------------------------------------------------
\286\ See supra notes 268-270 and accompanying text (discussing
``on behalf of'').
\287\ See SCI Adopting Release, supra note 1, at 72302. See also
Staff Guidance on Current SCI Industry Standards 5, 8 (Nov. 19,
2014), available at https://www.sec.gov/rules/final/2014/staff-guidance-current-sci-industry-standards.pdf.
\288\ The Commission proposed the Clearing Agency Governance
rules in Aug. 2022, which contains, among other proposed
requirements, proposed new 17 CFR 240.17Ad-25(i) (``Rule 17Ad-
25(i)''). See Clearing Agency Governance and Conflicts of Interest,
Securities Exchange Act Release No. 95431 (Aug. 8, 2022), 87 FR
51812 (Aug. 23, 2022) (proposing policy and procedure requirements
for clearing agency board of directors to oversee relationships with
service providers for critical services to, among other things,
confirm and document that risks related to relationships with
service providers for critical services are managed in a manner
consistent with its risk management framework, and review senior
management's monitoring of relationships with service providers for
critical services, and to review and approve plans for entering into
third-party relationships where the engagement entails being a
service provider for critical services to the registered clearing
agency). Registered clearing agencies that would be subject to
proposed Rule 17Ad-25(i), if adopted, would also be subject to
Regulation SCI, as proposed to be amended. However, the scope of
proposed Rule 17Ad-25(i) is meant to address not only service
providers providing technology or systems-based services, but also
service providers that would include the clearing agency's parent
company under contract to staff the registered clearing agency, as
well as service providers that are investment advisers under
contract to help facilitate the closing out of a defaulting
participant's portfolio. See id. at 51836. Commenters are encouraged
to review the Clearing Agency Governance proposed rules to determine
whether they might affect their comments on this proposal.
---------------------------------------------------------------------------
b. Third-Party Provider Management Program
The Commission is proposing new 17 CFR 242.1001(a)(2)(ix)
(``proposed Rule 1001(a)(2)(ix)'') regarding third-party provider
management. While some SCI entities may already have a formal vendor
management program, the Commission is proposing to require that SCI
entities have a third-party provider management program that includes
certain elements. Specifically, proposed Rule 1001(a)(2)(ix) would
require each SCI entity to include in its policies and procedures
required under Rule 1001(a)(1) a program to manage and
[[Page 23179]]
oversee third-party providers that provide functionality, support or
service, directly or indirectly, for its SCI systems and, for purposes
of security standards, indirect SCI systems. The Commission is
proposing this new provision to help ensure that an SCI entity that
elects to utilize a third-party provider will be able to meet its
obligations under Regulation SCI.
i. Third-Party Provider Contract Review
First, the program would be required to include initial and
periodic review of contracts with such third-party providers for
consistency with the SCI entity's obligations under Regulation SCI. The
Commission believes that it is critical that each SCI entity carefully
analyze and understand the impact any third-party providers it chooses
to utilize may have on its ability to satisfy its obligations under
Regulation SCI. As discussed above,\289\ the Commission recognizes that
many SCI entities may seek to and, in practice, do outsource certain of
its SCI-related functionality, support, or service to third parties. As
key entities in our securities markets, SCI entities have regulatory
obligations that are not placed upon non-SCI entities, and third-party
providers SCI entities may utilize may not be familiar with the
requirements of Regulation SCI. As the Commission stated in adopting
Regulation SCI, if an SCI entity determines to utilize a third party
for an applicable system, ``it is responsible for having in place
processes and requirements to ensure that it is able to satisfy the
applicable requirements of Regulation SCI for such system.'' \290\ And,
if an SCI entity is uncertain of its ability to manage a third-party
relationship (including through contract terms, among other methods) to
satisfy the requirements of Regulation SCI, ``then it would need to
reassess its decision to outsource the applicable system to such third
party.'' \291\ Thus, it is incumbent on SCI entities to review their
relationships with such third-party providers to ensure that the SCI
entities are able to satisfy their obligations under Regulation SCI. In
addition, consistent with the current requirement that an SCI entity
periodically review the effectiveness of its policies and procedures,
this provision would require an SCI entity to review contracts with
such third-party providers periodically for consistency with the SCI
entity's obligations under Regulation SCI.
---------------------------------------------------------------------------
\289\ See supra section III.C.2.a.
\290\ See SCI Adopting Release, supra note 1, at 72276.
\291\ See id.
---------------------------------------------------------------------------
A foundational part of this review is to ensure that any contracts
that the SCI entity has with such third-party providers are consistent
with the requirements of Regulation SCI. These documents govern the
obligations and expectations as between an SCI entity and a third-party
provider it utilizes, and the SCI entity is responsible for assessing
if these agreements allow it to comply with the requirements of
Regulation SCI. For example, an SCI entity generally should consider
whether or not it is appropriate to rely on a third-party provider's
standard contract or standard service level agreement (``SLA''),
particularly if such contract or SLA has not been drafted with
Regulation SCI's requirements in mind. For example, regardless of
whether an SCI entity is negotiating with the dominant provider in the
field, has made its best efforts in negotiating contract or SLA terms,
or has extracted what it believes to be ``the best terms'' it (or any
client of the third party) could get, if the SCI entity determines that
any term in such agreements are inconsistent with such SCI entity's
obligations under Regulation SCI, the SCI entity should reassess
whether such outsourcing arrangement is appropriate and will allow it
to meet its obligations under Regulation SCI. In addition, in some
cases, particularly where the third-party provider would play a
significant role in the operation of an SCI entity's SCI systems or
indirect SCI systems, or provide functionality, support, or service to
such systems without which there would be a meaningful impact, an SCI
entity and its third-party provider may find it useful to negotiate an
addendum to any standard contract to separate and highlight the
contractual understanding of the parties with respect to SCI-related
obligations.
While each contract's specific terms and circumstances will likely
differ, there are several considerations that SCI entities generally
should take into consideration when entering into such a contract. For
example, SCI entities generally should consider whether a contract
raises doubt on its consistency with the SCI entity's obligations under
Regulation SCI (e.g., the contract terms are vague regarding the third-
party provider's obligations to the SCI entity to enable the SCI entity
to meets its SCI obligations). Generally, contractual terms should not
be silent or lack substance on key aspects of Regulation SCI that would
need the third-party provider's cooperation (e.g., SCI event
notifications and information dissemination, and business continuity
and disaster recovery for an SCI entity seeking to move its SCI systems
to a cloud service provider). Nor should they undermine the ability of
the SCI entity to oversee and manage the third party (e.g., by limiting
the SCI entity's personnel ability to assess whether systems operated
by a third-party provider on behalf of the SCI entity satisfy the
requirements of Regulation SCI). The SCI entity may want to consider
and, if appropriate, negotiate provisions that provide priority to the
SCI entity's systems, such as for failover and/or business continuity
and disaster recovery (``BC/DR'') scenarios, if needed to meet the SCI
entity's obligations under Regulation SCI. In addition, an SCI entity
generally should review the contract for provisions that, by their
terms, are inconsistent with Regulation SCI or would otherwise fail to
satisfy the requirements of Regulation SCI (e.g., restricting
information flow to the SCI entity and/or Commission and its staff
pursuant to a non-disclosure agreement in a manner inconsistent with
the requirements of Regulation SCI; specifying response times that are
inconsistent with (i.e., slower than) those required by Regulation SCI
with respect to notifications regarding SCI events under Rule 1002).
The Commission also believes that, to the extent possible, SCI entities
may want to avoid defining terms in a contract with a third-party
provider differently from how they are used in Regulation SCI, as this
may introduce confusion as to the scope and applicability of Regulation
SCI. In addition, although it is a term that may be common in many
commercial contracts, provisions that provide the third-party provider
with the contractual right to be able to make decisions that would
negatively impact an SCI entity's obligations in its ``commercially
reasonable discretion'' should be carefully considered, as what may be
considered ``commercially reasonable'' for many entities that are not
subject to Regulation SCI may not be appropriate for an SCI entity and
its SCI systems and indirect SCI systems when taking into consideration
the regulatory obligations of Regulation SCI.
ii. Risk-Based Assessment of Third-Party Providers
The Commission is also proposing in proposed Rule 1001(a)(2)(ix) to
require each SCI entity to undertake a risk-based assessment of each
third-party provider's criticality to the SCI entity, including
analyses of third-party provider concentration, of key dependencies if
the third-party provider's functionality, support, or
[[Page 23180]]
service were to become unavailable or materially impaired, and of any
potential security, including cybersecurity, risks posed. The
Commission believes that specifically requiring each SCI entity to
undertake a risk-based assessment of each of its third-party providers'
criticality to the SCI entity will help them more fully understand the
risks and vulnerabilities of utilizing each third-party provider, and
provide the opportunity for the SCI entity to better prepare in advance
for contingencies should the provider's functionality, support, or
service become unavailable or materially impaired. In performing this
risk-based assessment, SCI entities would be required to consider
third-party provider concentration, which would help ensure that they
properly account and prepare contingencies or alternatives for an
overreliance on a given third-party provider by the SCI entity or by
its industry. In addition, each SCI entity would be required to assess
any potential security, including cybersecurity, risks posed by its
third-party provider, to help ensure that the SCI entity does not only
take into consideration the benefits it believes a third-party provider
can provide it, but the security risks involved in utilizing a given
provider as well.
c. Third-Party Providers for Critical SCI Systems
The newly proposed provisions of proposed Rule 1001(a)(2)(ix)
discussed above would apply to all SCI entities for all of their SCI
systems. However, given the essential nature of critical SCI
systems,\292\ the Commission believes that it is appropriate to require
SCI entities to have even more robust policies and procedures with
respect to any third-party provider that supports such systems. In
adopting Regulation SCI, the Commission stated that critical SCI
systems are those SCI systems ``whose functions are critical to the
operation of the markets, including those systems that represent
potential single points of failure in the securities markets [and] . .
. are those that, if they were to experience systems issues, the
Commission believes would be most likely to have a widespread and
significant impact on the securities market.'' \293\ Therefore, the
Commission is proposing to revise Rule 1001(a)(2)(v), which relates to
the business continuity and disaster recovery plans of SCI entities.
Currently, Rule 1001(a)(2)(v) requires their policies and procedures to
include business continuity and disaster recovery plans that include
maintaining backup and recovery capabilities sufficiently resilient and
geographically diverse and that are reasonably designed to achieve next
business day resumption of trading and two-hour resumption of critical
SCI systems following a wide-scale disruption. To help ensure that SCI
entities are appropriately prepared for any contingency relating to a
third-party provider with respect to critical SCI systems, the
Commission is proposing to revise Rule 1001(a)(2)(v) to also require
the BC/DR plans of SCI entities to be reasonably designed to address
the unavailability of any third-party provider that provides
functionality, support, or service to the SCI entity without which
there would be a material impact on any of its critical SCI systems.
---------------------------------------------------------------------------
\292\ Critical SCI systems include systems that directly support
functionality relating to: (i) clearance and settlement systems of
clearing agencies; (ii) openings, reopenings, and closings on the
primary listing market; (iii) trading halts; (iv) initial public
offerings; (v) the provision of market data by a plan processor; or
(vi) exclusively listed securities. In addition, the definition of
critical SCI systems includes a catchall provision for systems that
provide functionality to the securities markets for which the
availability of alternatives is significantly limited or nonexistent
and without which there would be a material impact on fair and
orderly markets.
\293\ See SCI Adopting Release, supra note 1, at 72277.
---------------------------------------------------------------------------
As discussed above, the Commission is proposing under proposed Rule
1001(a)(2)(ix) to require each SCI entity to conduct a risk-based
assessment of the criticality of each of its third-party providers to
the SCI entity. With respect to an SCI entity's critical SCI systems,
the Commission believes the revised provisions of Rule 1001(a)(2)(v)
are appropriate to ensure that an SCI entity has considered and
addressed in its BC/DR plans how it would deal with a situation in
which a third-party provider that provides any functionality, support,
or service for any of its critical SCI systems has an issue that would
materially impact any such system. For example, such BC/DR plans
generally should not only take into account and address temporary
losses of functionality, support, or service--such as a momentary
outage that causes a feed to be interrupted or extended cybersecurity
event on the third-party provider--but also consider more extended
outage scenarios, including if the third-party provider goes into
bankruptcy or dissolves, or if it breaches its contract and decides to
suddenly, unilaterally, and/or permanently cease to provide the SCI
entity's critical SCI systems with functionality, support, or
service.\294\ In determining how to satisfy the requirement that
policies and procedures be reasonably designed to address the
unavailability of any third-party provider that provides functionality,
support, or service to the SCI entity without which there would be a
material impact on any of its critical SCI systems, an SCI entity could
consider if use of a CSP for its critical SCI systems also warrants
maintaining an ``on-premises'' backup data center or other contingency
plan which could be employed in the event of the scenarios noted above.
---------------------------------------------------------------------------
\294\ While such scenarios may appear to be improbable, given
the criticality of the critical SCI systems to the SCI entity and
U.S. securities markets, SCI entities should have plans in place to
account for such scenarios, however remote.
---------------------------------------------------------------------------
d. Third-Party Provider Participation in BC/DR Testing
With respect to an SCI entity's business continuity and disaster
recovery plans, including its backup systems, Rule 1004 of Regulation
SCI requires SCI entities to: (a) establish standards for the
designation of those members or participants that the SCI entity
reasonably determines are, taken as a whole, the minimum necessary for
the maintenance of fair and orderly markets in the event of the
activation of such plans; (b) designate members or participants
pursuant to such standards and require participation by such designated
members or participants in scheduled functional and performance testing
of the operation of such plans, in the manner and frequency specified
by the SCI entity, provided that such frequency shall not be less than
once every 12 months; and (c) coordinate the testing of such plans on
an industry- or sector-wide basis with other SCI entities.\295\
---------------------------------------------------------------------------
\295\ See 17 CFR 242.1004. See also SCI Adopting Release, supra
note 1, at 72347-55 (providing a more detailed discussion of the BC/
DR testing requirements under Rule 1004).
---------------------------------------------------------------------------
Because the Commission believes that some third-party providers may
be of such importance to the operations of an SCI entity, the
Commission is proposing to include certain third-party providers in the
BC/DR testing requirements of Rule 1004. In the same way SCI entities
currently are required to establish standards for and require
participation by their members or participants in the annual industry-
wide testing required of all SCI entities, the Commission is adding
third-party providers as another category of entities. Thus, pursuant
to revised paragraph (a) of Rule 1004, an SCI entity would be required
also to establish standards for the designation of third-party
providers (in addition to members or participants) that it determines
are, taken as a whole, the minimum necessary for the
[[Page 23181]]
maintenance of fair and orderly markets in the event of the activation
of the SCI entity's BC/DR plans. In addition, paragraph (b) of Rule
1004 would require each SCI entity to designate such third-party
providers (in addition to members or participants) pursuant to such
standards and require their participation in the scheduled functional
and performance testing of the operation of such BC/DR plans, which
would occur not less than once every 12 months and which would be
coordinated with other SCI entities on an industry- or sector-wide
basis.
As discussed above, SCI entities often employ a wide array of
third-party providers which perform a multitude of different functions,
support, or services for them. While many of these third-party
providers may provide relatively minor functions, support, or services
for an SCI entity, there may be one or more third-party providers of
such significance to the operations of an SCI entity that, without the
functions, support, or services of such provider(s), the maintenance of
fair and orderly markets in the event of the activation of the SCI
entity's BC/DR plans would not be possible. For example, the Commission
believes it likely that, for an SCI entity that utilizes a cloud
service provider for all, or nearly all, of its operations, such CSP
would be of such importance to the operations of the SCI entity and the
maintenance of fair and orderly markets in the event of the activation
of the SCI entity's BC/DR plans that it would be required to
participate in the BC/DR testing required by Rule 1004.\296\
---------------------------------------------------------------------------
\296\ Contractual arrangements with applicable third-party
providers that require such providers to engage in BC/DR testing
could help ensure implementation of this requirement. See also SCI
Adopting Release, supra note 1, at 72350 (discussing how contractual
arrangements by SCI entities that are not SROs would enable such SCI
entities to implement the BC/DR testing requirement for their
members or participants).
---------------------------------------------------------------------------
e. Third-Party Providers of Certain Registered Clearing Agencies
The Commission may examine the provision of services by third-party
providers of certain registered clearing agencies. The Financial
Stability Oversight Council (``FSOC'') has designated certain financial
market utilities (``FMUs'') \297\ as systemically important or likely
to become systemically important financial market utilities
(``SIFMUs'').\298\ The Payment, Clearing, and Settlement Supervision
Act of 2010 (``Clearing Supervision Act''), enacted in Title VIII of
the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010
(``Dodd-Frank Act''), provides for the enhanced regulation of certain
FMUs.\299\ FMUs include clearing agencies that manage or operate a
multilateral system for the purpose of transferring, clearing, or
settling payments, securities, or other financial transactions among
financial institutions or between financial institutions and the
FMU.\300\ For SIFMUs, the Clearing Supervision Act provides for
enhanced coordination between the Commission and Federal Reserve Board
by allowing for regular on-site examinations and information
sharing,\301\ and further provides that the Commission and CFTC shall
coordinate with the Federal Reserve Board to develop risk management
supervision programs for SIFMUs jointly.\302\ In addition, section 807
of the Clearing Supervision Act provides that ``[w]henever a service
integral to the operation of a designated financial market utility is
performed for the designated financial market utility by another
entity, whether an affiliate or non-affiliate and whether on or off the
premises of the designated financial market utility, the Supervisory
Agency may examine whether the provision of that service is in
compliance with applicable law, rules, orders, and standards to the
same extent as if the designated financial market utility were
performing the service on its own premises.'' \303\ Given the
importance of the provision of services by SIFMUs to the U.S. financial
system and global financial stability, SIFMU third-party providers may
be integral to the operation of the SIFMU and thus be examined by the
Commission.
---------------------------------------------------------------------------
\297\ See 12 U.S.C. 5462(6). The definition of ``financial
market utility'' in section 803(6) of the Clearing Supervision Act
contains a number of exclusions that include, but are not limited
to, certain designated contract markets, registered futures
associations, swap data repositories, swap execution facilities,
national securities exchanges, national securities associations,
alternative trading systems, security-based swap data repositories,
security-based swap execution facilities, brokers, dealers, transfer
agents, investment companies, and futures commission merchants. See
12 U.S.C. 5462(6)(B).
\298\ See 12 U.S.C. 5463. An FMU is systemically important if
the failure of or a disruption to the functioning of such FMU could
create or increase the risk of significant liquidity or credit
problems spreading among financial institutions or markets and
thereby threaten the stability of the U.S. financial system. See 12
U.S.C. 5462(9). On July 18, 2012, the FSOC designated as
systemically important the following then-registered clearing
agencies: CME Group (``CME''), DTC, FICC, ICC, NSCC, and OCC. The
Commission is the supervisory agency for DTC, FICC, NSCC, and OCC,
and the CFTC is the supervisory agency for CME and ICE. The
Commission jointly regulates ICC and OCC with the CFTC. The
Commission also jointly regulates ICE Clear Europe (``ICEEU''),
which has not been designated as systemically important by FSOC,
with the CFTC and Bank of England. The Commission also jointly
regulated CME with the CFTC until 2015, when the Commission
published an order approving CME's request to withdraw from
registration as a clearing agency. See Securities Exchange Act
Release No. 76678 (Dec. 17, 2015), 80 FR 79983 (Dec. 23, 2015).
\299\ The objectives and principles for the risk management
standards prescribed under the Clearing Supervision Act shall be to
(i) promote robust risk management; (ii) promote safety and
soundness; (iii) reduce systemic risks; and (iv) support the
stability of the broader financial system. Further, the Clearing
Supervision Act states that the standards may address areas such as
risk management policies and procedures; margin and collateral
requirements; participant or counterparty default policies and
procedures; the ability to complete timely clearing and settlement
of financial transactions; capital and financial resources
requirements for designated FMUs; and other areas that are necessary
to achieve the objectives and principles described above. See 12
U.S.C. 5464(b), (c).
\300\ See 12 U.S.C. 5462(6).
\301\ See 12 U.S.C. 5466.
\302\ See 12 U.S.C. 5472; see also Federal Reserve Board, et
al., Risk Management Supervision of Designated Clearing Entities
(July 2011), available at https://www.federalreserve.gov/publications/other-reports/files/risk-management-supervision-report-201107.pdf (describing the joint supervisory framework of the
Commission, CFTC, and Federal Reserve Board).
\303\ 12 U.S.C. 5466.
---------------------------------------------------------------------------
f. Request for Comment
58. Do SCI entities employ third-party providers to operate SCI
systems or indirect SCI systems on their behalf? If so, what types of
systems are most frequently operated by third parties?
59. Please describe SCI entities' use of third-party providers
generally, even if they do not operate SCI systems or indirect SCI
systems on behalf of an SCI entity. What types of functionality,
support, or service do such entities provide to SCI entities? Please
describe.
60. The Commission requests commenters' views on significant issues
that they believe SCI entities should take into account with respect to
their use of third-party providers and the requirements of Regulation
SCI. Are there common or important issues that commenters believe the
Commission should focus on in addition to those discussed above? If so,
please describe.
61. Do commenters believe it is appropriate to require, as in
proposed Rule 1001(a)(2)(ix), that each SCI entity have a program to
manage and oversee third-party providers that provide functionality,
support or service, directly or indirectly, for its SCI systems and,
for purposes of security standards, indirect SCI systems? Do commenters
believe that such a program should require an initial and periodic
review of contracts with such providers for consistency with the SCI
entity's obligations under Regulation SCI? Why or why not?
62. Do commenters believe that it is appropriate to require each
SCI entity to
[[Page 23182]]
include a risk-based assessment of each third-party provider's
criticality to the SCI entity, including analyses of third-party
provider concentration, of key dependencies if the third-party
provider's functionality, support, or service were to become
unavailable or materially impaired, and of any potential security,
including cybersecurity, risks posed? Why or why not?
63. Are there any third-party providers, or types of third-party
providers, that commenters believe an SCI entity or SCI entities rely
on in a manner that creates, from the commenters' point of view, undue
concentration risk? If so, please describe.
64. Are there other aspects of third-party provider management that
commenters believe should be included in the proposed rule provision?
If so, please describe.
65. Do commenters agree with the proposed revisions to Rule
1001(a)(2)(v) to require the BC/DR plans of SCI entities to be
reasonably designed to address the unavailability of any third-party
provider that provides functionality, support, or service to the SCI
entity without which there would be a material impact on any of its
critical SCI systems? Why or why not? Do commenters believe that any
such providers exist today for the critical SCI systems of SCI
entities? If so, please describe. Should the Commission require third-
party provider diversity for critical systems of an SCI entity, for
example, requiring an SCI entity that utilizes a third-party provider
for its critical SCI systems to use a different party (i.e., another
third-party provider or operate the critical SCI system itself) for its
backup for such systems? Why or why not?
66. Do commenters agree with the proposed revisions to Rule 1004 to
require that SCI entities establish standards and designate third-party
providers that must participate in BC/DR testing in the annual
industry-wide BC/DR testing required by Rule 1004? Why or why not?
3. Security
The Commission recognized the importance of security for the
technology systems of SCI entities and included various requirements
and provisions in Regulation SCI relating to the security of an SCI
entity's SCI systems. For example, the rules provide that minimum
policies and procedures must provide for, among other things, regular
reviews and testing of systems, including backup systems, to identify
vulnerabilities from internal and external threats.\304\ In addition,
penetration testing is required as part of the SCI review.\305\
Recognizing that SCI systems may be vulnerable if other types of
systems are not physically or logically separated (or ``walled off''),
Regulation SCI also specifies that ``indirect systems''--defined as
systems that if breached, are reasonably likely to pose a security
threat to SCI systems--are also subject to the provisions of Regulation
SCI relating to security standards and systems intrusions.\306\ Thus,
the application of Regulation SCI to indirect SCI systems could
encourage SCI entities to establish effective controls that result in
the core SCI systems being logically or physically separated from other
systems that could provide vulnerable entry points into SCI systems,
thereby removing these non-SCI systems from the scope of indirect SCI
systems.\307\
---------------------------------------------------------------------------
\304\ See 17 CFR 242.1001(a)(2)(iv).
\305\ See 17 CFR 242.1003(b)(1)(i).
\306\ See 17 CFR 242.1000.
\307\ See SCI Adopting Release, supra note 1, at 72287-89
(discussing systems intrusions).
---------------------------------------------------------------------------
Regulation SCI also includes ``systems intrusions'' \308\ as one of
three types of SCI events for which SCI entities are required to take
corrective action, provide notification to the Commission, and
disseminate information to their members and participants.\309\ Since
the adoption of Regulation SCI in 2014, cybersecurity has continued to
be a significant concern for SCI entities and non-SCI entities alike.
Various studies and surveys have noted significant increases in
cybersecurity events \310\ across all types of companies in recent
years.\311\ Among these are targeted ransomware attacks that lock
access to a victim's data unless a ransom is paid, and have included
certain high-profile incidents involving the local government of a
major U.S. city \312\ as well as one of the largest oil pipelines in
the United States.\313\ Cybersecurity events have also included hacks
that have had widespread impacts across many industries and types of
entities.\314\ Financial sector entities have been vulnerable to
cybersecurity events as well, including the Society for Worldwide
Interbank Financial Telecommunication (``SWIFT''), an international
cooperative of financial institutions that provides safe and secure
financial transactions for its members, which was the target of a
series of cybersecurity events in 2015 and 2016, including one incident
in which $81 million was stolen.\315\
---------------------------------------------------------------------------
\308\ A ``systems intrusion'' is defined as ``any unauthorized
entry into the SCI systems or indirect SCI systems of an SCI
entity.'' See 17 CFR 242.1000.
\309\ See 17 CFR 242.1002.
\310\ Cybersecurity events can span a wide variety of types of
threats. For example, FINRA summarized common cybersecurity threats
faced by broker-dealers to include phishing, imposter websites,
malware, ransomware, distributed denial-of-service attacks, and
vendor breaches, among others. See FINRA, Common Cybersecurity
Threats, available at www.finra.org/rules-guidance/guidance/common-cybersecurity-threats.
\311\ See, e.g., Financial Services Information Sharing and
Analysis Center, Navigating Cyber 2022 (Mar. 2022), available at
www.fsisac.com/navigatingcyber2022-report (detailing cyber threats
that emerged in 2021 and predictions for 2022); Bree Fowler, Number
and cost of cyberattacks continue to grow, new survey says, CNET
(Jan. 21, 2022), available at https://www.cnet.com/news/privacy/cyberattacks-continue-to-increase-new-survey-says (citing, among
other things, Anomali's poll of cybersecurity decision makers that
87% of their companies had experienced a cyberattack in the past
three years that resulted in damage, disruption, or data breach);
Accenture, Triple digit increase in cyberattacks: What next? (Aug.
4, 2021), available at www.accenture.com/us-en/blogs/security/triple-digit-increase-cyberattacks; Chris Morris, Cyberattacks and
ransomware hit a new record in 2021, says report, Fast Company (Jan.
25, 2022), available at https://www.fastcompany.com/90715622/cyberattacks-ransomware-data-breach-new-record-2021 (citing report
by Identity Theft Resource Center stating that the number of
security compromises was up more than 68% in 2021).
\312\ See, e.g., Stephen Deere, Cost of City of Atlanta's cyber
attack: $2.7 million--and rising, The Atlanta Journal-Constitution
(Apr. 12, 2018), available at https://www.ajc.com/news/cost-city-atlanta-cyber-attack-million-and-rising/nABZ3K1AXQYvY0vxqfO1FI/
(describing the costs relating to a five-day ransomware attack on
the City of Atlanta in Mar. 2018).
\313\ See, e.g., Clare Duffy, Colonial Pipeline attack: A `wake
up call' about the threat of ransomware, CNN Business (May 16,
2021), available at https://www.cnn.com/2021/05/16/tech/colonial-ransomware-darkside-what-to-know/index.html (describing the
ransomware attack on a pipeline and concerns regarding the potential
for similar attacks on critical US infrastructure).
\314\ See, e.g., David Uberti, et al., The Log4j Vulnerability:
Millions of Attempts Made Per Hour to Exploit Software Flaw, Wall
Street Journal (Dec. 21, 2021), available at https://www.wsj.com/articles/what-is-the-log4j-vulnerability-11639446180 (discussing the
Log4j hack).
\315\ See, e.g., Kim Zetter, That Insane, $81M Bangladesh Bank
Heist? Here's What We Know, WIRED (May 17, 2016), available at
https://www.wired.com/2016/05/insane-81m-bangladesh-bank-heist-heres-know/.
---------------------------------------------------------------------------
Given the continued and increasing risks associated with
cybersecurity for SCI entities, the Commission believes it is
appropriate to enhance the cybersecurity provisions of Regulation SCI
to help ensure that SCI systems and indirect SCI systems of the most
important entities in our securities markets remain secure.
a. Unauthorized Access to Systems and Information
While Rule 1001(a)(1) already requires an SCI entity to have
policies and procedures reasonably designed to ensure that its SCI
systems and indirect SCI systems have levels of security adequate to
maintain operational capabilities and promote the
[[Page 23183]]
maintenance of fair and orderly markets, and Rule 1001(a)(4) specifies
that policies and procedures will be deemed reasonable if consistent
with current SCI industry standards, Rule 1001(a)(2) is not specific in
terms of the need for an SCI entity to have access controls designed to
protect both the security of the systems and the information residing
therein. Limiting access to SCI systems and indirect SCI systems and
the information residing therein to authorized purposes and users is
particularly important given that these systems include the core
technology of key U.S. securities markets entities, and would help
ensure that such systems and information remain safeguarded and
protected from unauthorized uses. Proposed Rule 1001(a)(2)(x) would
specify that the Rule 1001(a)(1) policies and procedures of SCI
entities include a program to prevent the unauthorized access to such
systems and information residing therein. An SCI entity's policies and
procedures generally should specify appropriate access controls to
ensure that its applicable systems and information is protected. Such
policies and controls generally should be designed to prevent both
unauthorized external intruders as well as unauthorized internal
personnel from access to these systems and information. For example,
this would also include personnel that may be inappropriately accessing
certain systems and/or information residing on such systems, though
they may have authorized access to other systems, portions of systems,
or certain information residing in such systems at the SCI entity.
Thus, for example, the procedures and access controls at the SCI entity
generally should provide for an appropriate patch management cycle for
systems software, to ensure that known software vulnerabilities are
identified and patches are deployed and validated in a timely manner.
The procedures and access controls generally should also be calibrated
sufficiently to account for such different levels of access for each
person granted access to any part of the SCI entity's systems or
information. In addition, this requirement would make clear that an SCI
entity's policies and procedures are required to address not only
protection of its technology systems, but also of the information
residing on such systems.
In developing and implementing such policies and procedures, SCI
entities generally should develop a clear understanding of the need for
access to systems and data, including identifying which users should
have access to sensitive systems or data. In general, such policies and
procedures should include: requiring standards of behavior for
individuals authorized to access SCI systems and indirect SCI systems
and information residing therein, such as an acceptable use policy;
identifying and authenticating individual users; establishing
procedures for timing distribution, replacement, and revocation of
passwords or methods of authentication; restricting access to specific
SCI systems or components thereof or information residing therein only
to individuals requiring access to such systems or information as is
necessary for them to perform their responsibilities or functions for
the SCI entity; and securing remote access technologies used to
interface with SCI systems.\316\ Access to systems and data can be
controlled through a variety of means, including but not limited to the
issuance of user credentials, digital rights management with respect to
proprietary hardware and copyrighted software, authentication methods
including multifactor authentication as appropriate, tiered access to
sensitive information and network resources, and security and access
measures that are regularly monitored not only to provide access to
authorized users, but also to remove access for users that are no
longer authorized (e.g., due to termination of employment).\317\ As
with other policies and procedures required under Rule 1001, SCI
entities may, if they choose, look to SCI industry standards in
developing their policies and procedures to prevent unauthorized access
to information and systems.\318\
---------------------------------------------------------------------------
\316\ See Exchange Act Cybersecurity Proposal, supra note 10.
\317\ See Exchange Act Cybersecurity Proposal, supra note 10
(similarly discussing examples of access controls).
\318\ See Rule 1001(a)(4) of Regulation SCI (defining current
SCI industry standards), which is discussed further in infra section
III.C.5.
---------------------------------------------------------------------------
b. Penetration Testing
Penetration tests can help entities understand how effective their
security policies and controls are in the face of attempted and
successful systems intrusions, and assist in revealing the potential
threats and vulnerabilities to the entity's network and controls that
might be exploited by malicious attackers to disrupt the operation of
their systems, result in stolen confidential information, and damage
their reputations. When the Commission adopted Regulation SCI in 2014,
it required that SCI entities conduct penetration testing as part of
its SCI review \319\ but, because of the costs associated with
penetration testing at the time, only required that such tests be
conducted once every three years.\320\ In the time since the adoption
of Regulation SCI, cybersecurity has become an even greater and more
pervasive concern for all types of businesses, including SCI entities.
At the same time, best practices of businesses with respect to
penetration testing have evolved such that such tests occur on a much
more frequent basis, as businesses confront the threat of cybersecurity
events on a wider scale.\321\
---------------------------------------------------------------------------
\319\ Specifically, paragraph (b)(1) of Rule 1003 currently
requires that ``[p]enetration test reviews of the network,
firewalls, and production systems shall be conducted at a frequency
of not less than once every three years . . .''. Rule 1003(b)(1).
\320\ See SCI Adopting Release, supra note 1, at 72344.
\321\ See, e.g., Fortra, 2022 Penetration Testing Report 14
(July 7, 2022), available at https://static.fortra.com/core-security/pdfs/guides/cs-2022-pen-testing-report.pdf (stating that
42% of respondents conducted penetration testing one or two times a
year, and 45% of respondents conducted penetration testing at a more
frequent pace); PCI Security Standards Council, Information
Supplement: Penetration Testing Guidance 6 (Sept. 2017), available
at https://listings.pcisecuritystandards.org/documents/Penetration-Testing-Guidance-v1_1.pdf (``at least annually and upon significant
changes'').
---------------------------------------------------------------------------
Given this, the Commission is proposing to increase the frequency
of penetration testing by SCI entities such that they are conducted at
least annually, rather than once every three years. The Commission
believes that such tests are a critical component of ensuring the
cybersecurity health of an SCI entity's technology systems and that
such a frequency would help to ensure that robust measures are in place
to protect an SCI entity's systems from cybersecurity events. In
addition, the proposed annual frequency would only be a minimum
frequency and SCI entities may choose to adopt even more frequent
penetration tests if they feel it appropriate to do so.\322\
---------------------------------------------------------------------------
\322\ As discussed further below, as part of the proposed
revisions to the SCI review requirement, the Commission is also
moving rule provisions relating to the substantive requirements of
the SCI review to Rule 1000 under the definition of ``SCI review,''
while timing requirements relating to the SCI review and the report
of the SCI review would be contained in Rule 1003(b). Thus, although
currently the requirement relating to penetration test reviews is in
Rule 1003, it is now proposed to be in Rule 1000.
---------------------------------------------------------------------------
In addition, the Commission is proposing to require that the
conduct of such penetration testing include testing by the SCI entity
of any vulnerabilities of its SCI entity's SCI systems and indirect SCI
systems identified pursuant to Sec. 242.1001(a)(2)(iv). Currently, the
requirement in Rule 1003 with respect to penetration testing does not
include this phrase. However, Rule 1001(a)(2)(iv) requires an SCI
entity's policies and procedures to include,
[[Page 23184]]
among other things, ``regular reviews and testing . . . to identify
vulnerabilities pertaining to internal and external threats . . .'' The
new language with respect to penetration testing (which is proposed to
be located in the definition of SCI review in Rule 1000) would require
SCI entities to include testing of the vulnerabilities identified
pursuant to its regular review and testing requirement in designing its
penetration testing. Thus, rather than, for example, running a static
annual test against a portion of its SCI systems, this proposed
language would require an SCI entity's penetration testing program to
include any identified relevant threats and then conduct penetration
testing accordingly, which should help ensure the security and
resiliency of SCI systems.
c. Systems Intrusions
Rule 1000 of Regulation SCI defines a ``systems intrusion'' as any
unauthorized entry into the SCI systems or indirect SCI systems of an
SCI entity. Systems intrusions are one of three types of SCI events
that each SCI entity must monitor for and, when they occur, subject to
certain exceptions, an SCI entity must: take corrective action; \323\
immediately notify the Commission and maintain certain records with
respect to the event; \324\ and promptly disseminate information about
the event to applicable members and participants of each SCI
entity.\325\ As discussed in the SCI Adopting Release,\326\ the
definition of systems intrusion has several important characteristics
to it, two of which are relevant to the changes proposed. First,
because the term ``entry'' is used in the current definition, the term
systems intrusions only applies to ``successful'' intrusions, thus
excluding attempted (i.e., unsuccessful) intrusions. In addition, the
term ``entry into'' implies that the intrusion is limited to events
that result in an intruder entering into the SCI entity's SCI systems
or indirect SCI systems, and thus does not include any types of attacks
on systems outside of the SCI entity's SCI systems or indirect SCI
systems that nonetheless impacts such systems.
---------------------------------------------------------------------------
\323\ See 17 CFR 242.1002(a).
\324\ See 17 CFR 242.1002(b) (setting forth the notification and
follow-up reporting that is required for a systems intrusion that is
not de minimis).
\325\ See 17 CFR 242.1002(c).
\326\ See SCI Adopting Release, supra note 1, at 72288.
---------------------------------------------------------------------------
As discussed above, cybersecurity has become ever more increasingly
important for all types of entities, and the same is true for SCI
entities. The Commission believes that it is appropriate to expand the
definition of systems intrusion to include two additional types of
cybersecurity events. The first additional type of systems intrusion
would include certain types of incidents that are currently considered
to be cybersecurity events that are not included in the current
definition, as discussed below. In addition, the revised definition
would ensure that the Commission and its staff are made aware when an
SCI entity is the subject of a significant cybersecurity threat,
including those that may be ultimately unsuccessful, which would
provide important information regarding threats that may be posed to
other entities in the securities markets, including other SCI entities.
By requiring SCI entities to submit SCI filings for these new types of
systems intrusions, the Commission believes that the revised definition
of systems intrusion would provide the Commission and its staff more
complete information to assess the security status of the SCI entity,
and also assess the impact or potential impact that unauthorized
activity could have on the security of the SCI entity's affected
systems as well on other SCI entities and market participants.
The proposed definition would have three prongs, the first of which
would contain the current requirement that defines any ``unauthorized
entry into the SCI systems or indirect SCI systems of an SCI entity''
as a systems intrusion, and would continue to include a wide range of
cybersecurity events. As stated in the SCI Adopting Release, the
current definition describes ``any unauthorized'' entry or ``breach''
into SCI systems or indirect SCI systems, and includes unauthorized
access, whether intentional or inadvertent, by employees or agents of
the SCI entity that resulted from weaknesses in the SCI entity's access
controls and/or procedures.\327\ For example, data breaches are
included under the first prong, as are instances in which an employee
of an SCI entity accessed an SCI system without proper authorization.
It also includes instances in which an employee, such as a systems
administrator, was authorized to access a system, but where the
employee improperly accessed confidential information within such
system. Similarly, an instance in which members of an SCI entity were
properly accessing a system but were inadvertently exposed to the
confidential information of other members would also likewise fall
within this prong.\328\
---------------------------------------------------------------------------
\327\ See SCI Adopting Release, supra note 1, at 72887-89
(providing a more detailed discussion of the current definition of
systems intrusions).
\328\ See id. (providing a more detailed discussion of the
current definition of systems intrusions).
---------------------------------------------------------------------------
The new second prong would expand the definition of systems
intrusion to include any cybersecurity event that disrupts, or
significantly degrades, the normal operation of an SCI system. This
prong is intended to include cybersecurity events on the SCI entity's
SCI systems or indirect SCI systems that cause disruption to such
systems, regardless of whether the event resulted in an entry into or
access to them. For example, in distributed denial-of-service attacks,
the attacker, often using malware-infected machines, typically seeks to
overwhelm or drain the resources of the target with illegitimate
requests to prevent the target's systems from providing services to
those seeking to access or use them. Unlike cybersecurity events that
would qualify under the current definition of systems intrusions (i.e.,
the first prong of the proposed definition), the objective of these
attacks is often simply to disrupt or disable the target's operations,
rendering them unable to run efficiently, or run at all. For example,
given the essential role hypervisors play in supporting cloud
computing, an attack on a CSP's hypervisor, which enables the sharing
of physical compute and memory resources across multiple virtual
machines, could also significantly disrupt or even disable, albeit
indirectly, the SCI systems of an SCI entity that is utilizing such
CSP, and thus constitute a systems intrusion under the proposed second
prong. Likewise, these systems intrusions could include certain command
and control attacks where a malicious actor is able to infiltrate a
system to install malware to enable it to send commands to infected
devices remotely. Similarly, supply chain attacks that enter a SCI
entity's systems through an apparently authorized means, such as
through regular maintenance software updates that--unbeknownst to the
software provider and the recipient--contain malicious code and could
also be systems intrusions under this proposal.\329\ Because such
cybersecurity events can cause serious harm and disruption to an SCI
entity's operations, the Commission believes that the definition of
systems intrusion should be broadened to include cybersecurity events
that may not entail actually entering or accessing the SCI entity's SCI
systems or indirect SCI systems, but still cause disruption or
significant
[[Page 23185]]
degradation. For this second prong, the Commission believes it is
appropriate to utilize language similar to that used in the definition
of systems disruption (i.e., ``disrupts, or significantly degrades, the
normal operation of an SCI system'').\330\ Similar to a systems
disruption that occurs within the SCI systems or indirect SCI systems,
if a cybersecurity event disrupts, or significantly degrades, an SCI
entity's normal operations,\331\ it would constitute a systems
intrusion under the proposed revised definition, and the obligations
and reporting requirements of Rule 1002 would apply.\332\
---------------------------------------------------------------------------
\329\ See supra note 314 and accompanying text (discussing the
Log4j hack).
\330\ The Commission believes that the term ``cybersecurity
event,'' as used here, would generally be understood to mean ``an
unauthorized activity that disrupts or significantly degrades the
normal operation of an SCI system.''
\331\ See SCI Adopting Release, supra note 1, at 72284 (``SCI
entities would likely find it helpful to establish parameters that
can aid them and their staff in determining what constitutes the
`normal operation' of each of its SCI systems and when such `normal
operation' has been disrupted or significantly degraded because
those parameters have been exceeded.'' (footnotes omitted)).
\332\ Such events may, in some cases, first appear to an SCI
entity to be a ``systems disruption'' but, upon further
investigation and understanding of the true cause of the SCI event,
may turn out to be both a ``systems intrusion'' as well as a
``systems disruption.'' In such cases, the applicable SCI entity
should mark the SCI event as both types on its submissions to the
Commission on Form SCI.
---------------------------------------------------------------------------
The third prong would include any significant attempted
unauthorized entry into the SCI systems or indirect SCI systems of an
SCI entity, as determined by the SCI entity pursuant to established
reasonable written criteria. In contrast to the types of systems
intrusions that are part of the first prong of the proposed definition,
the third prong is intended to capture unsuccessful, but significant,
attempts to enter an SCI entity's SCI systems or indirect SCI systems.
The Commission recognizes that it would be inefficient, inappropriate,
and undesirable (for both SCI entities as well as the Commission and
its staff) to require that all attempted entries be considered systems
intrusions. Rather, the Commission is seeking to include only attempts
that an SCI entity believes to be significant attempts to its systems,
even if successfully prevented.
The term ``significant attempted unauthorized entry'' would not be
defined in the rule. Rather, the proposed rule would require each SCI
entity to establish reasonable written criteria for it to use to
determine whether a significant attempted unauthorized entry has
occurred, because the Commission believes that each SCI entity should
be granted some degree of discretion and flexibility in determining
what constitutes a significant attempted unauthorized entry for its
purposes, given that SCI entities differ in nature, size, technology,
business model, and other aspects of their businesses.\333\ However,
the Commission believes that certain characteristics of attempted
unauthorized entries would generally weigh in favor of such attempted
unauthorized entries being considered significant and constituting
systems intrusions that should be considered SCI events subject to the
requirements of Regulation SCI, including: when an SCI entity becomes
aware of reconnaissance that may be leveraged by a threat actor; a
targeted campaign that is customized to the SCI entity's system; \334\
an attempted cybersecurity event that required the SCI entity's
personnel to triage, even if it was ultimately determined to have no
impact; an attempted attack from a known sophisticated advanced threat
actor; the depth of the breach in terms of proximity to SCI systems and
critical SCI systems; and a cybersecurity event that, if successful,
had meaningful potential to result in widespread damage and/or loss of
confidential data or information.
---------------------------------------------------------------------------
\333\ Under 17 CFR 242.1003(a)(1) (``Rule 1003(a)(1)''), each
SCI entity is similarly required to establish reasonable written
criteria for identifying a material change to its SCI systems for
quarterly reporting to the Commission. See also SCI Adopting
Release, supra note 1, at 72341-42 (discussing the definition of
material systems change).
\334\ A wide variety of entities engage in web scanning, which
may be in a targeted manner (e.g., looking at certain IP address
ranges) or broadly across the internet. Often, such scanning may be
for non-malicious purposes such as, for example, indexing website
content (for search engines) or mapping networks. Others may engage
in such scanning to identify vulnerable systems or websites, which
could be to inform vulnerability management identification and
remediation efforts or identify opportunities for exploitation.
Because of the wide range of possible uses of scanning and the
nature of scanning tools' interactions with systems, such scanning
activity alone is not necessarily indicative of malicious intent or
even a vulnerable system capable of being exploited. However,
evidence of further, follow-on activity indicative of a precursor to
unauthorized entry may be a factor that an SCI entity should
consider in weighing whether a significant attempted unauthorized
entry has occurred.
---------------------------------------------------------------------------
As with all SCI events, SCI entities would be required under 17 CFR
242.1002(a) (``Rule 1002(a)'') to take corrective action with respect
to any events that were determined to be systems intrusions under the
proposed revised definition. In addition, the Commission is proposing
to make a revision to the Commission reporting requirements relating to
systems intrusions under Rule 1002(b) such that all systems intrusions
would be required to be immediately reported to the Commission pursuant
to the requirements of Rule 1002(b). Currently, paragraph (b)(5) of
Rule 1002 states that the Commission notification requirements under
paragraphs (b)(1) through (4) do not apply to any SCI event that has
had, or the SCI entity reasonably estimates would have, no or a de
minimis impact on the SCI entity's operations or on market participants
(``de minimis SCI events'').\335\ Instead, SCI entities are currently
required to make, keep and preserve records relating to all such SCI
events, and provide a quarterly report of de minimis systems intrusions
and systems disruptions pursuant to Rule 1002(b)(5).\336\ The
Commission is proposing to eliminate the de minimis exception's
applicability to systems intrusions, thus requiring all systems
intrusions, whether de minimis or non-de minimis, to be reported
pursuant to the requirements of 17 CFR 242.1002(b)(1) through (4)
(``Rule 1002(b)(1) through (4)'').\337\ By their very nature, systems
intrusions may be difficult to identify, and assessing the impact of
any systems intrusion is often complex and could potentially require a
lengthy investigation before any conclusions may be reached with any
degree of certainty. Because of this, the Commission recognizes that it
may be difficult for SCI entities to make a clear determination in a
timely manner of whether a systems intrusion is de minimis. At the same
time, the Commission believes that it is important for the Commission
and its staff to receive notification of systems intrusions to be aware
of potential and actual security threats to individual SCI entities,
particularly given that such threats may extend to other market
participants in the securities markets, including other SCI entities.
Thus, the Commission believes it is appropriate to eliminate systems
intrusions from the types of SCI events that may make use of the
exception for de minimis SCI events and be quarterly reported, and
instead require that each systems intrusion be reported under the
[[Page 23186]]
framework in Rule 1002(b)(1) through (4).\338\
---------------------------------------------------------------------------
\335\ Rule 1002(b)(5).
\336\ Id.
\337\ To conform to the proposed elimination of de minimis
systems intrusions from the quarterly report, Rule 1002(b)(5)(i)
would be amended by replacing the phrase ``all such SCI events''
with the phrase ``all such systems disruptions or systems compliance
issues,'' and Rule 1002(b)(5)(ii) would be amended to no longer
include references to systems intrusions and instead read: ``Submit
to the Commission a report, within 30 calendar days after the end of
each calendar quarter, containing a summary description of such
systems disruptions, including the SCI systems affected by such
systems disruptions during the applicable calendar quarter.''
\338\ The Commission notes that systems intrusions, as currently
defined in Rule 1000 of Regulation SCI, have been relatively
infrequent as compared to other types of SCI events, and thus the
burden of this proposed change in reporting for systems intrusions
under the current definition (which is the first prong of the
proposed revised definition of systems intrusions) should be
relatively low for SCI entities. For example, in the three-year
period from 2019 to 2021, systems intrusions only accounted for 27
of the 10,501 SCI events in total (including both de minimis and
non-de minimis SCI events). The Commission requests comment below
regarding the frequency of systems intrusions as defined by the
second and third prongs of the proposed revised definition of
systems intrusion.
---------------------------------------------------------------------------
Rule 1002(c) sets forth the requirements with respect to
disseminating information regarding SCI events to applicable members or
participants of SCI entities, and the Commission believes that it would
be appropriate that information about systems intrusions under the
proposed second prong of the systems intrusion definition (a
``cybersecurity event that disrupts, or significantly degrades, the
normal operation of an SCI system'') be disseminated pursuant to Rule
1002(c)'s requirements. However, importantly, in contrast to the more
detailed information dissemination requirements for SCI entities in
paragraph (c)(1) of Rule 1002 for systems disruptions and systems
compliance issues, in recognition of the more sensitive nature of
systems intrusions (disclosure of which may alert threat actors of an
existing or potential weakness in an SCI entity's systems, or alert
them of an ongoing investigation of a systems intrusion), the
Commission's information dissemination requirements for systems
intrusions contained in paragraph (c)(2) of Rule 1002 only requires SCI
entities to provide a ``summary description'' for such events.\339\ In
addition, paragraph (c)(2) also permits an SCI entity to delay
disclosure of a systems intrusion in cases where the SCI entity
``determines that dissemination of such information would likely
compromise the security of the SCI entity's SCI systems or indirect SCI
systems, or an investigation of the systems intrusion, and documents
the reasons for such determination.'' \340\
---------------------------------------------------------------------------
\339\ The information dissemination requirements described here
for systems intrusions differ from the analogous requirements for
the other two types of SCI events (systems disruptions and systems
compliance issues), which require SCI entities to also, among other
things, further provide a more detailed description of such SCI
events when known. See 17 CFR 242.1002(c)(1).
\340\ See 17 CFR 242.1002(c)(2) (``Rule 1002(c)(2)'').
---------------------------------------------------------------------------
With respect to information dissemination to an SCI entity's
members or participants, however, the Commission believes that
information regarding significant attempted unauthorized entries should
not be required to be disseminated to an SCI entity's members or
participants, as any benefits associated with disseminating information
about unsuccessful attempted unauthorized entries to members or
participants of an SCI entity would likely not be justified due to
distractions that such information would bring, particularly since the
SCI entity's security controls were able, in fact, to repel the
cybersecurity event. In addition, disseminating information regarding
unsuccessful intrusions could result in the threat actors being
unnecessarily alerted that they have been detected, which could make it
more difficult to identify the attackers and halt their efforts on an
ongoing, more permanent basis. Thus, the Commission is proposing to new
17 CFR 242.1002(c)(4)(iii) (``proposed Rule 1002(c)(4)(iii)'') which
would exclude systems intrusions that are significant attempted
unauthorized entries into the SCI systems or indirect SCI systems of an
SCI entity from the information dissemination requirements of 17 CFR
242.1002(c)(1) through (3) (``Rule 1002(c)(1) through (3)'').
d. Request for Comment
67. Do commenters agree that cybersecurity is an area that the
Commission should enhance as part of Regulation SCI? Is it necessary to
help ensure that SCI entities maintain a robust technology
infrastructure for the SCI systems and indirect SCI systems? Why or why
not?
68. Do commenters agree with the proposed addition of Rule
1001(a)(2)(x), to enumerate that the policies and procedures of SCI
entities shall include a program to prevent the unauthorized access to
SCI systems and, for purposes of security standards, indirect SCI
systems, and information residing therein? Why or why not?
69. Do commenters agree that SCI entities should be required to
have an increased frequency of penetration test reviews? Why or why
not? Do commenters feel that the requirement to have such tests at
least annually is appropriate? How frequently do SCI entities conduct
penetration testing today? Do commenters agree with the proposed
requirement that the penetration testing include testing of any
identified vulnerabilities? Why or why not?
70. Do commenters believe that it is appropriate to modify the
definition of systems intrusion as proposed in Rule 1000? Do commenters
believe that it would be useful (for example, for SCI entities and the
Commission and its staff) to include other types of scenarios in the
definition of systems intrusion? If so, which scenarios should be
included and why? If not, why not?
71. Do commenters agree with the proposed revisions to the
definition of systems intrusions to include the second prong, (i.e.,
for any cybersecurity event that disrupts, or significantly degrades,
the normal operation of an SCI system)? Why or why not? Could such
events put the security or operational capability of an SCI system at
risk? How frequently do commenters believe systems intrusions, as
defined by the proposed second prong, occur at SCI entities? The
Commission does not define the term ``cybersecurity event'' in the
proposed rule text but, as noted, believes it would generally be
understood to mean ``an unauthorized activity that disrupts or
significantly degrades the normal operation of an SCI system.'' Do
commenters agree? Do commenters believe it is necessary to provide a
definition of the term ``cybersecurity event'' in the proposed rule
text? If so, do commenters agree with the meaning above? If not, how
should it be defined? Please be specific.
72. Do commenters believe that significant attempted unauthorized
entries into the SCI systems or indirect SCI systems of an SCI entity
should be included in the definition of systems intrusions, as under
the proposed third prong? Why or why not? Do commenters believe that
the Commission should define the term ``significant attempted
unauthorized entry,'' or do commenters believe it is appropriate to
require an SCI entity to establish reasonable written criteria to make
such determinations to provide SCI entities some degree of discretion
and flexibility in determining what constitutes a significant attempted
unauthorized entry for its purposes, given differences as between SCI?
What types of criteria or scenarios do commenters believe should
constitute a significant attempted unauthorized entry? Please describe
and be specific. How frequently do commenters believe systems
intrusions, as defined by the proposed third prong, occur at SCI
entities?
73. Do commenters agree with the proposed removal of systems
intrusions from the types of de minimis SCI events permitted to be
reported quarterly under Rule 1002(b)(5)? Why or why not? Should there
be a requirement that SCI events that are systems intrusions, as
proposed to be defined, be reported to senior management of an SCI
entity? Why or why not?
74. Do commenters agree with proposed addition of Rule
[[Page 23187]]
1002(c)(4)(iii), which would exclude systems intrusions that are
significant attempted unauthorized entries from the information
dissemination requirements of Rule 1002(c)(1) through (3)? Why or why
not?
4. SCI Review
a. Discussion
Rule 1000 currently defines the SCI review to be a review,
following established procedures and standards, that is performed by
objective personnel having appropriate experience to conduct reviews of
SCI systems and indirect SCI systems, and which review contains: (a) a
risk assessment with respect to such systems of an SCI entity; and (b)
an assessment of internal control design and effectiveness of its SCI
systems and indirect SCI systems to include logical and physical
security controls, development processes, and information technology
governance, consistent with industry standards. Paragraph (b)(1) of
Rule 1003 requires each SCI entity to conduct an SCI review of the SCI
entity's compliance with Regulation SCI not less than once each
calendar year; however, penetration test reviews of the network,
firewalls, and production systems may be conducted at a frequency of
not less than once every three years, and assessments of SCI systems
directly supporting market regulation or market surveillance may be
conducted at a frequency based upon the risk assessment conducted as
part of the SCI review, but in no case less than once every three
years. Paragraph (b)(2) of Rule 1003 requires SCI entities to submit a
report of the SCI review to senior management of the SCI entity for
review no more than 30 calendar days after completion of such SCI
review, and paragraph (b)(3) requires SCI entities to submit to the
Commission, and to the board of directors of the SCI entity or the
equivalent of such board, a report of the SCI review, together with any
response by senior management, within 60 calendar days after its
submission to senior management of the SCI entity.
The SCI review is an important part of Regulation SCI because it is
a periodic evaluation by objective personnel of an SCI entity's
compliance with SCI and helps the SCI entity to identify weaknesses and
vulnerabilities in its systems and controls. In addition, because of
Rule 1003(b)'s reporting requirements, the SCI review and the report of
the SCI review helps to ensure that the senior management and board of
the SCI entity are involved in and aware of the SCI entity's compliance
with the regulation. Finally, the report provides the Commission and
its staff insight into the SCI entity's compliance with Regulation SCI
as well and assists the staff in determining how to follow up with the
SCI entity in reviewing and addressing any identified weaknesses and
vulnerabilities.
The SCI review is currently required to be conducted by ``objective
personnel,'' and the Commission believes that this requirement
continues to be appropriate. Thus, as the Commission discussed in the
SCI Adopting Release, SCI reviews may be performed by personnel of the
SCI entity (such as internal audit function) or an external firm,
provided that such personnel are, in fact, objective and, as required
by rule, have the appropriate experience to conduct reviews of SCI
systems and indirect SCI systems.\341\
---------------------------------------------------------------------------
\341\ See SCI Adopting Release, supra note 1, at 72343. The
Commission continues to believe that persons who were not involved
in the process for development, testing, and implementation of the
systems being reviewed would generally be in a better position to
identify weaknesses and deficiencies that were not identified in the
development, testing, and implementation stages. Thus, any personnel
with conflicts of interest that have not been adequately mitigated
to allow for objectivity should be excluded from serving in this
role, and a person or persons conducting an SCI review should not
have a conflict of interest that interferes with their ability to
exercise judgment, express opinions, and present recommendations
with impartiality. See id.
---------------------------------------------------------------------------
As described below, the Commission is proposing a number of
revisions to the requirements relating to SCI reviews and for the
reports SCI entities submit (both to their board of directors as well
as to the Commission).\342\ The definition of SCI review in Rule 1000
is proposed to be amended to contain the substantive requirements for
an SCI review, which would be required to be ``a review, following
established and documented procedures and standards, that is performed
by objective personnel having appropriate experience to conduct reviews
of SCI systems and indirect SCI systems . . .'' The revised definition
of SCI review in Rule 1000 would go on to detail what an SCI review
would be required to include and would require the use of appropriate
risk management methodology. Specifically, paragraph (1) of the
definition would require, with respect to each SCI system and indirect
SCI system of the SCI entity, three assessments to be performed by
objective personnel conducting the SCI review. The first required
assessment would be of the risks related to the capacity, integrity,
resiliency, availability, and security. The second assessment would be
of internal control design and operating effectiveness to include
logical and physical security controls, development processes, systems
capacity and availability, information technology service continuity,
and information technology governance, consistent with industry
standards. The third assessment would be of third-party provider
management risks and controls. As discussed above, the Commission is
also proposing to update the requirement for penetration testing, from
the current requirement of at least once every three years to at least
annually.\343\ Finally, the definition of SCI review in Rule 1000 would
provide that assessments of SCI systems directly supporting market
regulation or market surveillance would be required to be conducted at
a frequency based upon the risk assessment conducted as part of the SCI
review, but in no case less than once every three years.
---------------------------------------------------------------------------
\342\ Rule 1000 (definition of SCI review) and Rule 1003(b) both
currently contain requirements relating to SCI reviews. As described
in this section, the Commission is proposing to focus the definition
of SCI review in Rule 1000 on requirements relating to the SCI
review itself, whereas Rule 1003(b)'s proposed language would be
focused on the required contents of the report of the SCI review, as
well as the timelines for when the SCI review is required to be
conducted and when the report of the SCI review is required to be
provided to senior management and the Commission.
\343\ See supra section III.C.3.b (discussing the frequency of
required penetration test reviews).
---------------------------------------------------------------------------
It has been the experience of the Commission and its staff that the
SCI reviews and their reports of such SCI reviews vary among SCI
entities in content and detail. To help ensure that every SCI review
and report of such reviews contain the assessments and related
information the Commission and its staff believes is necessary for an
SCI entity to be able to assess its compliance with Regulation SCI, the
Commission proposes adding certain additional requirements and details
with respect to each SCI review and the report of the SCI review that
are submitted to the SCI entity's board and to the Commission. In the
lead-in provision for the definition, the words ``and documented'' are
proposed to be added to ensure that SCI entities and the objective
personnel conducting SCI reviews document the work that is done during
the SCI review. Documentation is necessary as evidence that the
requirements relating to the SCI review are being complied with, and
would help ensure that policies and procedures are followed.
Documentation is also critical to any follow-on reviews of the work
that may be required, such as follow-up on the work of the SCI review
by SCI entity personnel (including by its senior management or board of
directors) or by the Commission or its staff. In addition,
[[Page 23188]]
such documentation would facilitate follow-up required to address
deficiencies and weaknesses that may be identified during the SCI
review, such as through mitigation and remediation plans.
The proposed definition of SCI review would also require that the
SCI review use ``appropriate risk management methodology.'' The
objective personnel conducting the SCI review would be required to
establish, document, and utilize a given risk methodology in conducting
the SCI review that is appropriate for the SCI entity being reviewed.
The Commission is not specifying a particular methodology that a given
SCI entity and its objective personnel must use, but rather is
providing the flexibility to such objective personnel to determine the
risk management methodology that should be utilized, so long as it is
appropriate given the SCI entity's characteristics and risks.
The requirements of the SCI review would apply to each individual
SCI system and indirect SCI system, and would require that the SCI
review include three specific assessments to be performed by objective
personnel. This language is intended to require that each of these
assessments be performed by objective personnel--either by those
conducting the SCI review or others that those conducting the SCI
review engage for such purposes--rather than utilizing, for example,
enterprise or IT risk assessments as the basis for the SCI review after
deeming them ``reasonable.'' The proposed requirement would not specify
a particular control framework to be applied for such assessments, but
rather would provide flexibility to those conducting the SCI review to
choose the methodology they believe to be most appropriate given the
particular characteristics and risks of the SCI entity's systems being
assessed, and undertake the assessments themselves, or oversee and
direct other objective personnel on how the assessments should be
performed. The Commission considers the SCI reviews to be an important
window into the strength of the technological infrastructure of SCI
entities, and whether the controls implemented by the SCI entity are
appropriate and employed properly. In addition, the Commission requires
that objective personnel be used to help ensure the impartiality of the
review and that the reviewers examine what they believe to be most
appropriate for such a review.\344\ The Commission believes that, by
requiring that these assessments be performed by objective personnel,
these assessments and tests will be able to provide the SCI entity, its
senior management, its board of directors, and the Commission, an
appropriately impartial and accurate assessment of the risks associated
with the SCI entity's SCI systems and indirect SCI systems.
---------------------------------------------------------------------------
\344\ See supra note 341 and accompanying text (discussing
``objective personnel'').
---------------------------------------------------------------------------
In the definition of SCI review in Rule 1000, the phrase ``a risk
assessment with respect to such systems of an SCI entity'' would be
replaced with an assessment of ``the risks related to the capacity,
integrity, resiliency, availability, and security'' of each such
system. The Commission believes that the additional detail in the
proposed language would tie the required risk assessment more closely
with the key principles of Regulation SCI (found in Rule 1001(a)(1))
relating to the ``capacity, integrity, resiliency, availability and
security'' of each SCI entity's systems, while maintaining the focus of
the assessment on the overall risks associated with such systems.
Further, in the definition of SCI review he phrase ``internal
control design and effectiveness'' would be revised to read ``internal
control design and operating effectiveness'' to clarify that the
associated assessment must examine how well the internal controls
performed in actual operations, i.e., in practice. Thus, this
assessment would look not only at how the controls worked in theory
(i.e., as designed), but also in practice (i.e., in operations).\345\
In addition, the definition of SCI review in Rule 1000 would expand on
the list of controls to be assessed, adding ``systems capacity and
availability'' and ``information technology service continuity'' to the
current list of ``logical and physical security controls, development
processes, and information technology governance.'' The Commission
believes that systems capacity and availability and information
technology service continuity are important areas for SCI entities to
consider when conducting their SCI reviews, and is proposing to include
them on the list of controls reviewed by objective personnel performing
the SCI reviews to ensure that these additional areas of controls are
assessed during each SCI review. As stated above, the foundational
principles of Regulation SCI are set forth in Rule 1001 and require in
part that each SCI entity establish, maintain, and enforce written
policies and procedures reasonably designed to ensure that their SCI
systems and, for purposes of security standards, indirect SCI systems,
have levels of capacity, integrity, resiliency, availability, and
security adequate to maintain their operational capability and promote
the maintenance of fair and orderly markets.\346\ The proposed addition
of ``systems capacity and availability'' relates to this requirement
with respect to ``capacity'' and ``availability,'' and ``information
technology service continuity'' relates to this requirement with
respect to ``resiliency'' and ``availability,'' and would require that
objective personnel consider whether an SCI entity's internal controls
have been designed and implemented in a manner to achieve these
objectives of Regulation SCI, rather than only those currently
enumerated regarding security, development processes, and governance.
---------------------------------------------------------------------------
\345\ See, e.g., Sunil Bakshi, Tips for Effective Control
Design, ISACA (Feb. 9, 2022), available at https://www.isaca.org/resources/news-and-trends/newsletters/atisaca/2022/volume-6/tips-for-effective-control-design; PCAOB, AS2201: An Audit of Internal
Controls Over Financial Reporting That is Integrated with An Audit
of Financial Statements, available at https://pcaobus.org/oversight/standards/auditing-standards/details/AS2201; and AICPA, AU-C Section
94), An Audit of Internal Controls Over Financial Reporting That is
Integrated With an Audit of Financial Statements, available at
https://us.aicpa.org/content/dam/aicpa/research/standards/auditattest/downloadabledocuments/au-c-00940.pdf.
\346\ See supra note 39 and accompanying text.
---------------------------------------------------------------------------
New paragraph (1)(C) of the definition of SCI review in Rule 1000
would require an assessment of third-party provider management risks
and controls with respect to each of its SCI systems and indirect SCI
systems. As discussed in detail above,\347\ third-party provider
management is an important part of managing the risks posed when an SCI
entity uses a third-party for functionality, support, or services.
---------------------------------------------------------------------------
\347\ See supra section III.C.2.
---------------------------------------------------------------------------
Importantly, the proposed amended definition of SCI review under
Rule 1000 uses the phrase ``with respect to each'' when referencing SCI
systems and indirect SCI systems. This wording clarifies that the
associated assessments are required to be made for each applicable
system for each SCI review (i.e., every year). Thus, the Commission
believes it to be appropriate to conduct these assessments for each and
every SCI system or, as applicable, indirect SCI system annually,
rather than, for example, rotating control testing across several years
such that not all systems and/or relevant controls are tested each
year. However, in adopting Regulation SCI, the Commission determined to
allow assessments of SCI systems directly supporting market regulation
or market surveillance to be conducted, based upon a risk-assessment,
at least
[[Page 23189]]
once every three years, rather than annually, and the Commission is not
amending this provision.\348\
---------------------------------------------------------------------------
\348\ See 17 CFR 242.1003(b)(1)(ii).
---------------------------------------------------------------------------
Proposed paragraph (2) would contain the requirement that
penetration test reviews be performed by objective personnel, conducted
at least once each year. As discussed above, the revised requirements
relating to SCI reviews would change the frequency of required
penetration testing provision (currently located in Rule 1003(b)(1) but
proposed to be relocated to the definition of ``SCI review'' in Rule
1000) from ``not less than once every three years'' to at least
annually with each SCI review, and require that they include testing of
any identified vulnerabilities of its SCI systems and indirect SCI
systems.\349\ In addition, the language relating to the frequency of
assessments of SCI systems directly supporting market regulation or
market surveillance, proposed to be in paragraph (3), would remain
unchanged.\350\
---------------------------------------------------------------------------
\349\ See supra section III.C.3.b. and proposed paragraph (2) of
the definition of SCI review in Rule 1000, (relating to
cybersecurity revisions, including penetration testing). Of course,
while SCI entities would be required to conduct penetration test
reviews at least annually as part of the SCI review, nothing in the
proposed rule would prevent them from conducting penetration testing
more frequently if warranted.
\350\ As noted above, while the substance of the provision
relating to the frequency of assessments of SCI systems directly
supporting market regulation or market surveillance would remain
unchanged, the provision would be moved from current Rule
1003(b)(1)(ii) to proposed paragraph (3) of the definition of SCI
review in Rule 1000.
---------------------------------------------------------------------------
Proposed Rule 1003(b) would continue to include requirements
relating to the timeframes for conducting the SCI review (unchanged at
``not less than once each calendar year'') \351\ and submitting reports
of the SCI review to senior management (unchanged at ``no more than 30
calendar days after completion of such SCI review'') \352\ and the
Commission (unchanged at ``within 60 calendar days after its submission
to senior management'').\353\ However, proposed Rule 1003(b)(1) would
add the phrase ``for each calendar year during which it was an SCI
entity for any part of such calendar year'' to clarify that, if an SCI
entity is an SCI entity for any part of the calendar year, it must
conduct the SCI review and submit the associated report of the SCI
review to the SCI entity's senior management and board, as well as to
the Commission. Thus, an SCI review would be required for a new SCI
entity, even in its first year as an SCI entity and even if its
starting date as an SCI entity were not until late in the year.
Similarly, if an SCI entity ceased to be an SCI entity during the
middle of a calendar year (e.g., an SCI ATS that falls out of the SCI
ATS thresholds in July of a given year), it would still be required to
submit an SCI review for that portion of the calendar year during which
it was an SCI entity. The Commission believes this is appropriate, as
the SCI review and the report of the SCI review contain, among other
things, assessments of the SCI entity's compliance with the
requirements of Regulation SCI which help to confirm, through objective
personnel, that the capacity, integrity, resiliency, availability and
security requirements of Regulation SCI have been met by the entity for
the period during which it was an SCI entity.
---------------------------------------------------------------------------
\351\ See proposed Rule 1003(b)(1).
\352\ See proposed Rule 1003(b)(2).
\353\ See proposed Rule 1003(b)(3).
---------------------------------------------------------------------------
Rule 1003(b) would also add additional detail on what the report of
the SCI review is required to contain. Currently, the rule does not
provide any specific requirements with respect to the contents of the
report of the SCI review. In the experience of Commission staff, this
has resulted in a wide range in the types and quality of SCI reports
the Commission receives from SCI entities. In reviewing the reports,
the Commission staff has found certain information particularly
important in assessing the SCI review, and as a result the Commission
is now revising the rule to require this information to be included in
all reports on SCI reviews. Rule 1003(b)(2) would be revised to require
the report of the SCI review to include: (i) the dates the SCI review
was conducted and the date of completion; (ii) the entity or business
unit of the SCI entity performing the review; (iii) a list of the
controls reviewed and a description of each such control; (iv) the
findings of the SCI review with respect to each SCI system and indirect
SCI system, which must include, at a minimum, assessments of: the risks
related to the capacity, integrity, resiliency, availability, and
security; internal control design and operating effectiveness; and
vendor management risks and controls; (v) a summary, including the
scope of testing and resulting action plan, of each penetration test
review conducted as part of the SCI review; and (vi) a description of
each deficiency and weakness identified by the SCI review.
Items (i) and (ii) contain basic administrative information
(relating to dates and the entity/unit conducting the SCI review) about
the SCI review to identify the period over which the SCI review was
conducted and the entity/unit responsible for such review that
Commission staff may contact for any questions regarding the SCI review
or the report of the SCI review. Item (iii), relating to controls
reviewed as part of the SCI review, would assist Commission staff in
understanding the scope of the review and, if applicable, also allow
staff to identify and request additional information regarding any of
the controls listed or any controls it believed to be missing. Item
(iv) would contain the substantive findings of the SCI review and
relate to the three assessments that are required to be part of the SCI
review under paragraph (1) of the definition of SCI review in Rule
1000. Similarly, item (v) relates to paragraph (2) of the definition of
SCI review relating to penetration test reviews and would require an
SCI entity to provide a summary of each penetration test review
conducted as part of the SCI review.\354\ Item (v) also would require
that the summary include the scope of testing and the resulting action
plan. Item (vi) would require a description of each deficiency and
weakness identified during the SCI review, including through the
assessments and any testing conducted as part of the SCI review. This
information is proposed to be included in the report of the SCI review
to provide the senior management and board of the SCI entity, as well
as the Commission and its staff, with information on the SCI review,
including any deficiencies and weaknesses identified by the objective
personnel that conducted the SCI review.
---------------------------------------------------------------------------
\354\ The Commission notes that the proposed requirement under
item (vi) would specify that a summary of each penetration test
review be included but does not call for the penetration test review
itself be included. The Commission believes that a summary that
includes the scope of testing and action plan of the penetration
test would provide Commission staff with sufficient initial
information to obtain a broad understanding of what was tested and
any vulnerabilities it identified and that Commission staff could,
in any case, if it believed it appropriate, request that the SCI
entity provide it with a copy of the penetration test review.
---------------------------------------------------------------------------
The Commission believes that requiring this minimum set of
requirements for the report of the SCI review, as described above,
would help ensure that SCI entities and the objective personnel that
conduct the SCI review include in the report of the SCI review the key
pieces of information relating to the SCI review (i.e., information
relating to the controls reviewed; substantive findings from the
assessments conducted as part of the SCI review; summaries of
penetration test reviews; and descriptions of each deficiency and
weakness identified) that go towards ensuring that the SCI
[[Page 23190]]
systems of SCI entities remain robust with respect to their capacity,
integrity, resiliency, availability, and security, and are in
compliance with the requirements of Regulation SCI.
Finally, the Commission is proposing several revisions to paragraph
(b)(3) of Rule 1003, which relates to submission of the report of the
SCI review to the Commission and to the board of directors (or its
equivalent) of the SCI entity. First, because Rule 1003(b)(2) now
contains details relating to the required contents of the report of the
SCI review, the Commission is proposing to update the internal cross-
reference in paragraph (b)(3) from ``paragraph (b)(1)'' to ``paragraph
(b)(2).'' The proposed revisions would also require that, when the
report is submitted to the board of directors of the SCI entity and the
Commission, it must also include the date the report was submitted to
senior management. In addition, the revisions would make mandatory that
a response from senior management to the report is included when it is
submitted to the Commission and board, whereas previously the language
appeared permissive. The Commission believes that mandating a response
from senior management will help ensure that both the SCI entity's
senior management and board are informed of the findings in the report
of the SCI review and that the SCI entity's policies and procedures are
reasonably designed, as required by the rule, and as informed by the
issues identified in the report.
b. Request for Comment
75. Do commenters agree with the proposed revisions to the
definition of ``SCI review'' in Rule 1000? Why or why not? Do
commenters agree with the proposed addition of ``and documented'' to
require that the work relating to the SCI review be documented? Why or
why not? Do commenters agree with the proposed addition that the
objective personnel conducting the SCI review use ``appropriate risk
management methodology?'' Why or why not? What risk management
methodologies do commenters believe would be appropriate for use by SCI
entities? Please describe. Does the requirement that SCI reviews be
performed by ``objective personnel'' remain appropriate? For example,
should the term ``objective personnel'' be defined? Why or why not?
Should there be a requirement that the SCI review be performed by an
independent third party? Why or why not? Should there be a requirement
that senior management certify that the SCI review was performed by
objective personnel? Why or why not?
76. What are commenters' views on not specifying a particular
control framework to be applied for the internal control assessments?
What are the costs and benefits to SCI entities if the Commission
required the application of, for example, a suitable, recognized
control framework that is established by a body or group that has
followed due-process procedures, including the broad distribution of
the framework for public comment?
77. With respect to the three assessments proposed to be required
by paragraph (1) of the definition of SCI review, do commenters agree
that these assessments should be overseen by the objective personnel
responsible for the SCI review, rather than utilizing, for example,
enterprise or IT risk assessments as the basis for the SCI review after
deeming them ``reasonable''? Why or why not? What is the current
practice among objective personnel conducting assessments for SCI
reviews? Please describe. What do commenters believe would be the
advantages and disadvantages for this proposed requirement?
78. Do commenters believe that it is appropriate that the SCI
review include an assessment of ``the risks related to the capacity,
integrity, resiliency, availability, and security,'' as proposed to be
required in paragraph (1)(A) of the definition of SCI review under Rule
1000? Why or why not?
79. Do commenters believe that the revisions to the second
assessment proposed to be required in paragraph (1)(A) of the
definition of SCI review in Rule 1000 (replacing the phrase ``internal
control design and effectiveness'' with ``internal control design and
operating effectiveness,'' and adding ``systems capacity and
availability'' and ``information technology service continuity'' to the
current list of controls to be assessed) are appropriate as part of the
SCI review?'' Why or why not?
80. Do commenters agree that the third assessment proposed to be
required as part of the SCI review, relating to third-party provider
management risks and controls, is appropriate? Why or why not?
81. Do commenters agree with the revision that the three
assessments in paragraph (1) of the definition of SCI review be made
``with respect to each'' SCI system and indirect SCI system, thereby
requiring that these assessments be made for each applicable system for
each SCI review every year? Why or why not?
82. Do commenters agree that the SCI review and report of the SCI
review should be conducted by an SCI entity ``for each calendar year
during which it was an SCI entity for any part of such calendar year,''
as proposed to be added to Rule 1003(b)(1)? Why or why not?
83. Do commenters believe that the requirements in proposed Rule
1003(b)(2) are appropriate for the report of the SCI review? Why or why
not? Do commenters believe additional requirements should be added or
that any proposed requirements should be modified or not included? Why
or why not? Please describe.
5. Current SCI Industry Standards
a. Overview of Current Rule 1001(a)(4)
Rule 1001(a)(4) of Regulation SCI states that, for purposes of
paragraph (a) of Rule 1001, an SCI entity's policies and procedures
will be deemed to be reasonably designed if they are consistent with
``current SCI industry standards.'' The provision defines ``current SCI
industry standards'' to be ``comprised of information technology
practices that are widely available to information technology
professionals in the financial sector and issued by an authoritative
body that is a U.S. governmental entity or agency, association of U.S.
governmental entities or agencies, or widely recognized organization.''
In addition, Rule 1001(a)(4) also states that compliance with such
current SCI industry standards shall not be the exclusive means to
comply with the requirements of paragraph (a). Thus, Rule 1001(a)(4)
provides a safe harbor for SCI entities to comply with Rule 1001(a)
(i.e., they will be deemed to comply if they have policies and
procedures that are consistent with current SCI industry standards),
while at the same time stating that following such current SCI industry
standards is not the sole means of achieving compliance with the rule.
b. Rule 1001(a)(4) Safe Harbor
The Commission believes that utilizing current SCI industry
standards is an appropriate way for SCI entities to develop their Rule
1001(a) policies and procedures. It has been the experience of the
Commission and its staff that some SCI entities look to publications
issued by the federal government's National Institute of Standards and
Technology (``NIST'') Framework for Improving Critical Infrastructure
Cybersecurity (``NIST Framework''),\355\ or frameworks issued by non-
[[Page 23191]]
governmental bodies such as the International Organization for
Standardization (``ISO'') \356\ or the Control Objectives for
Information and Related Technologies (``COBIT''),\357\ and some SCI
entities may not point to any specific industry standards at all. In
addition, among those SCI entities that utilize industry standards,
some may look to a single industry standard for most or all of their
policies and procedures, while others may ``mix and match'' standards
for different policies and procedures. And, in some cases, an SCI
entity may utilize multiple industry standards for a single set of
their policies and procedures.
---------------------------------------------------------------------------
\355\ The NIST Framework is available at https://www.nist.gov/cyberframework/framework.
\356\ ISO is an independent, non-governmental international
organization whose members include national standards bodies that
develops and publishes international standards. See International
Organization for Standardization, available at https://www.iso.org.
\357\ COBIT is a leading framework for the enterprise governance
of information and technology and is issued by ISACA, an
international professional associated focused on information
technology governance. See ISACA, available at https://www.isaca.org.
---------------------------------------------------------------------------
The Commission believes that use of industry standards continues to
be an appropriate framework for SCI entities to model their policies
and procedures.\358\ To make clear that Rule 1001(a)(4)'s reference to
and definition of ``current SCI industry standards'' provides a safe
harbor for SCI entities with respect to their Rule 1001(a) policies and
procedures, the Commission proposes to add the words ``safe harbor'' in
Rule 1001(a)(4).\359\
---------------------------------------------------------------------------
\358\ We note that concurrent with the Commission's adoption of
Regulation SCI in 2014, Commission staff stated its views regarding
``current SCI industry standards,'' including a listing of examples
of publications describing processes, guidelines, frameworks, or
standards for each inspection area, or domain, an SCI entity could
look to in developing its reasonably designed policies and
procedures. See Commission, Staff Guidance on Current SCI Industry
Standards (Nov. 19, 2014), available at https://www.sec.gov/rules/final/2014/staff-guidance-current-sci-industry-standards.pdf.
Commission staff is reviewing staff statements with respect to
Regulation SCI to determine whether any such statements, or portion
thereof, should be revised or withdrawn in connection with any
adoption of this proposal. These statements include the Staff
Guidance on Current SCI Industry Standards, as well as the Responses
to Frequently Asked Questions Concerning Regulation SCI, Sept. 2,
2015 (Updated Aug. 21, 2019), available at https://www.sec.gov/divisions/marketreg/regulation-sci-faq.shtml.
\359\ Specifically, the second sentence of Rule 1001(a)(4) would
be revised to read: ``Compliance with such current SCI industry
standards as a safe harbor, however, shall not be the exclusive
means to comply with the requirements of paragraph (a) of this
section.''
---------------------------------------------------------------------------
c. Identification of Current SCI Industry Standards Used
In the experience of Commission staff, many SCI entities align
their Rule 1001(a) policies and procedures, in part or whole, with
current SCI industry standards, often referencing such standards in
communications with Commission staff during inspections or
examinations. However, some SCI entities do not reference any industry
standard(s) for their Rule 1001(a) policies and procedures.
In conjunction with the proposed revision to Rule 1001(a)(4), the
Commission is proposing to add a new requirement in Rule 1001(a)(2),
which lays out certain minimum requirements for an SCI entity's Rule
1001(a) policies and procedures. Specifically, proposed new 17 CFR
242.1001(a)(2)(xi) (``proposed Rule 1001(a)(2)(xi)'') would require
that an SCI entity's policies and procedures include ``[a]n
identification of the current SCI industry standard(s) with which each
such policy and procedure is consistent, if any.'' SCI entities are not
required to avail themselves of the safe harbor of Rule 1001(a)(4) by
aligning their policies and procedures required by Rule 1001(a) with
current SCI industry standards,\360\ but for SCI entities that choose
to do so, this proposed provision would require SCI entities to provide
a list of the specific current SCI industry standard(s) with which each
of its policies and procedures is consistent. Thus, for example, such
SCI entities would be required to identify the standard(s) used for
their business continuity and disaster recovery policies and
procedures, and separately identify the standard(s) used for its vendor
management policies and procedures.
---------------------------------------------------------------------------
\360\ For SCI entities that do not seek to avail themselves of
the safe harbor of Rule 1001(a)(4), the requirements of proposed
Rule 1001(a)(2)(xi) would not apply.
---------------------------------------------------------------------------
In addition, the Commission recognizes that there may be cases in
which an SCI entity may draw from multiple current SCI industry
standards in developing a given policy and procedure, and proposed Rule
1001(a)(2)(xi) recognizes this may be the case (``. . . the current SCI
industry standard (s). . .''). In such cases, an SCI entity may simply
list multiple standards with which the given policy and procedure is
consistent.
d. Request for Comment
84. Do commenters agree with the proposed revisions to Rule
1001(a)(4) relating to current SCI industry standards? Why or why not?
85. Do SCI entities seek to make use of the safe harbor contained
in Rule 1001(a)(4) for compliance with Rule 1001(a) of Regulation SCI?
Why or why not? With what current SCI industry standard(s) do SCI
entities seek to make their policies and procedures consistent?
86. For an SCI entity that seeks to avail itself of the safe
harbor, do commenters agree that an SCI entity should identify the
current SCI industry standard(s) with which each of its policies and
procedures is consistent? Why or why not?
6. Other Changes
Rule 1002(c) of Regulation SCI requires that SCI entities
disseminate information to their members or participants regarding SCI
events.\361\ These information dissemination requirements are scaled
based on the nature and severity of an event, with SCI entities
required to disseminate certain information about the event to members
or participants that the SCI entity reasonably estimated to have been
affected by the SCI event, and, in the case of a major SCI event, to
all members or participants.\362\ In connection with the proposal to
include SCI broker-dealers as SCI entities, the Commission proposes
that an SCI broker-dealer be required to disseminate information about
an SCI event it is experiencing, in accordance with the requirements of
Rule 1002(c), to its ``customers.'' As discussed above, the Commission
proposes to include SCI broker-dealers as SCI entities because it
believes that a systems issue at an SCI broker-dealer could, for
example, impede the ability of other market participants to trade
securities in a fair and orderly manner. As explained in the SCI
Adopting Release, information about an SCI event is likely to be of
greatest value to those market participants affected by it, who can use
such information to evaluate the event's impact on their trading and
other activities and develop an appropriate response.\363\ To the
extent that an SCI event at a broker-dealer affects its customers
(i.e., those with whom it trades or for whom it facilitates trades as
an agent), the Commission believes that the SCI broker-dealer should
inform them, and do so in the same manner and as required for other SCI
entities, pursuant to Rule 1002(c). Similarly, and consistent with the
current requirement of Rule 1002(b)(4)(ii)(B), an SCI broker-dealer
would be required to include in its notices to the Commission a copy of
any information it disseminated to its
[[Page 23192]]
customers.\364\ The Commission requests comment on the proposed
amendments to Rule 1002(b)(4)(ii)(B) and Rule 1002(c) in section
III.A.2.b above, which discusses the proposed definition of an SCI
broker-dealer.\365\
---------------------------------------------------------------------------
\361\ See 17 CFR 242.1002(c).
\362\ Id. See also supra section II.B.3 (discussing current Rule
1002(c)).
\363\ See SCI Adopting Release, supra note 1 at 72334.
\364\ Id. See also supra section II.B.3 (discussing current Rule
1002(b)(4).
\365\ See supra section III.A.2.b.
---------------------------------------------------------------------------
Rule 1005 of Regulation SCI requires SCI entities to make, keep,
and preserve certain records related to their compliance with
Regulation SCI.\366\ Rule 1005(c) specifies that the recordkeeping
period survives even if an SCI entity ceases to do business or ceases
to be registered under the Exchange Act. The Commission proposes to add
that this survival provision applies to an SCI entity ``otherwise
ceasing to be an SCI entity.'' This addition accounts for circumstances
not expressly covered; specifically, those in which an SCI entity
continues to do business or remains a registered entity, but may cease
to qualify as an SCI entity, such as an SCI ATS that no longer
satisfies a volume threshold. Such entities would not be excepted from
complying with the recordkeeping provisions of Rule 1005 and would be
required to make, keep, and preserve their records related to their
compliance with Regulation SCI related to the period during which they
were an SCI entity.
---------------------------------------------------------------------------
\366\ See 17 CFR 242.1005. Rule 1005(a) of Regulation SCI
relates to recordkeeping provisions for SCI SROs, whereas Rule
1005(b) relates to the recordkeeping provision for SCI entities
other than SCI SROs.
---------------------------------------------------------------------------
In addition, Form SCI is proposed to be modified to conform the
text of the General Instructions and description of the attached
Exhibits to the other changes proposed herein. Specifically, the
operational aspects of Form SCI filing are unchanged, except to reflect
that quarterly reports of SCI events with no or a de minimis impact
would pertain only to systems disruptions, and not to systems
intrusions.\367\ Furthermore, the instructions to Exhibit 5 of Form SCI
is proposed to be modified to reflect the requirement that an SCI
entity's senior management respond to the report of the SCI
review.\368\ In addition, the Commission proposes to update section I
of the General Instructions for Form SCI: Explanation of Terms to
reflect the proposed changes in the definitions in Rule 1000, by
revising the definitions of SCI entity, SCI review, SCI systems, and
Systems Intrusion.
---------------------------------------------------------------------------
\367\ See supra section III.C.3.c (discussing proposed changes
to Rule 1002(b)(5)(ii)).
\368\ See supra section III.C.4 (discussing proposed changes to
Rule 1003(b)(3)).
---------------------------------------------------------------------------
D. SCI Entities Subject to the Exchange Act Cybersecurity Proposal and/
or Regulation S-P
1. Discussion
a. Introduction
The Commission separately is proposing the Exchange Act
Cybersecurity Proposal,\369\ and separately is also proposing to amend
Regulation S-P.\370\ As discussed in more detail below, certain types
of SCI entities also are or would be subject to the Exchange Act
Cybersecurity Proposal and/or Regulation S-P (currently and as it would
be amended).\371\ The Exchange Act Cybersecurity Proposal and
Regulation S-P (currently and as it would be amended) have or would
have provisions requiring policies and procedures that address certain
types of cybersecurity risks.\372\ The Exchange Act Cybersecurity
Proposal also requires certain reporting to the Commission on Form SCIR
of certain types of cybersecurity incidents.\373\ These notification
and subsequent reporting requirements of the Exchange Act Cybersecurity
Proposal are triggered by a ``significant cybersecurity incident,''
\374\ which could also be an SCI event such as a ``systems intrusion''
as that term would be defined in current and proposed Rule 1000 of
Regulation SCI.\375\ Finally, the Exchange Act Cybersecurity Proposal
and Regulation S-P (currently and as it would be amended) have or would
have provisions requiring disclosures of certain cybersecurity
incidents.\376\ Consequently, if the proposed amendments to Regulation
SCI and the other proposals are all adopted as proposed, SCI entities
could be subject to requirements of that rule that relate to certain
proposed requirements of the Exchange Act Cybersecurity Proposal and
certain existing and proposed requirements of Regulation S-P. In the
Commission's view, this would be appropriate because, while the current
and proposed cybersecurity requirements of Regulation SCI may impose
some broadly similar obligations, it has a different scope and purpose
than the Exchange Act Cybersecurity Proposal and Regulation S-P.
Moreover, in many instances, compliance with the current and proposed
cybersecurity requirements of Regulation SCI that relate to the
proposed requirements of the Exchange Act Cybersecurity Proposal and
the existing or proposed requirements Regulation S-P can be
accomplished through similar efforts.
---------------------------------------------------------------------------
\369\ See Exchange Act Cybersecurity Proposal, supra note 10.
\370\ See Regulation S-P 2023 Proposing Release supra note 10.
\371\ See proposed 17 CFR 242.10 of the Exchange Act
Cybersecurity Proposal Rule (``Rule 10''); 17 CFR 248.1 through
248.30 (Regulation S-P). See also section III.D.1.b. of this release
(discussing the types of SCI Entities that are or would be subject
to the Exchange Act Cybersecurity Proposal and/or Regulation S-P).
\372\ See infra section III.D.1.c (discussing the proposed
requirements of the Exchange Act Cybersecurity Proposal and the
existing and proposed requirements of Regulation S-P to have
policies and procedures that address certain cybersecurity risks).
\373\ See infra section III.D.1.d (discussing the proposed
Commission notification requirements of the Exchange Act
Cybersecurity Proposal).
\374\ The Exchange Act Cybersecurity Proposal defines a
``significant cybersecurity incident'' to be a cybersecurity
incident, or a group of related cybersecurity incidents, that: (i)
Significantly disrupts or degrades the ability of the market entity
to maintain critical operations; or (ii) Leads to the unauthorized
access or use of the information or information systems of the
market entity, where the unauthorized access or use of such
information or information systems results in or is reasonably
likely to result in: (A) Substantial harm to the market entity; or
(B) Substantial harm to a customer, counterparty, member,
registrant, or user of the market entity, or to any other market
participant that interacts with the market entity. See proposed
Sec. 242.10(a) of the Exchange Act Cybersecurity Proposal.
\375\ See current and proposed Rule 1000 of Regulation SCI
(defining the term ``systems intrusion'').
\376\ See infra section III.D.1.e (discussing the proposed
disclosure requirements of the Exchange Act Cybersecurity Proposal
and the existing and proposed disclosure requirements of Regulation
S-P).
---------------------------------------------------------------------------
The specific instances in which the cybersecurity requirements of
current and proposed Regulation SCI would relate to the proposed
requirements of the Exchange Act Cybersecurity Proposal and the
existing or proposed requirements of Regulation S-P are discussed
briefly below. The Commission encourages interested persons to provide
comments on the discussion below, as well as on the potential
application of Regulation SCI, the Exchange Act Cybersecurity Proposal,
and Regulation S-P. More specifically, the Commission encourages
commenters: (1) to identify any areas where they believe the relation
between requirements of the existing or proposed requirements of
Regulation SCI and the proposed requirements of the Exchange Act
Cybersecurity Proposal and the existing or proposed requirements of
Regulation S-P would be particularly costly or create practical
implementation difficulties; (2) to provide details on why these
instances would be particularly costly or create practical
implementation difficulties; and (3) to make recommendations on
[[Page 23193]]
how to minimize these potential impacts, while also achieving the goal
of this proposal to address, among other things, the cybersecurity
risks faced by SCI entities. To assist this effort, the Commission is
seeking specific comment below on these topics.\377\
---------------------------------------------------------------------------
\377\ See infra section III.D.2.
---------------------------------------------------------------------------
b. SCI Entities That Are or Would Be Subject to the Exchange Act
Cybersecurity Proposal and/or Regulation S-P
Various SCI entities under this proposal are or would be subject to
the Exchange Act Cybersecurity Proposal and/or Regulation S-P
(currently and as it would be amended). In particular, most SCI
entities under Regulation SCI (currently and as it would be amended)
would be subject to the requirements of Exchange Act Cybersecurity
Proposal. Specifically, all SCI entities other than plan processors and
SCI competing consolidators that are or would be subject to Regulation
SCI also would be subject to the Exchange Act Cybersecurity Proposal as
``covered entities'' \378\ of that proposal. Therefore, if the proposed
amendments to Regulation SCI and the Exchange Act Cybersecurity
Proposal are all adopted as proposed, these SCI entities would be
subject to the requirements of Regulation SCI in addition to the
requirements of the Exchange Act Cybersecurity Proposal.
---------------------------------------------------------------------------
\378\ The requirements of the Exchange Act Cybersecurity
Proposal would apply to broker-dealers, clearing agencies, major
security-based swap participants, the MSRB, national securities
associations, national securities exchanges, security-based swap
data repositories, security-based swap dealers, and transfer agents.
See proposed 17 CFR 240.10(a). The Commission believes that a
broker-dealer that exceeds one or more of the transaction activity
thresholds under the proposed amendments to Regulation SCI (i.e., an
SCI broker-dealer) likely would meet one of the broker-dealer
definitions of ``covered entity'' in proposed Rule 10 of the
Exchange Act Cybersecurity Proposal given their size and activities.
For example, it would either be a carrying broker-dealer, have
regulatory capital equal to or exceeding $50 million, have total
assets equal to or exceeding $1 billion, or operate as a market
maker. See paragraphs (a)(1)(i)(A), (C), (D), and (E) of proposed
Rule 10. The Commission is seeking comment in the Exchange Act
Cybersecurity Proposal as to whether a broker-dealer that is an SCI
entity should be defined specifically as a ``covered entity'' under
proposed Rule 10. See section II.A.10 of the Exchange Act
Cybersecurity Proposal. In addition, the Commission requests comment
in the Exchange Act Cybersecurity Proposal as to whether plan
processors and SCI competing consolidators should be subject to its
requirements. See id. The discussion in this section III.D focuses
on the requirements of the Exchange Act Cybersecurity Proposal only
as they would apply to current and proposed SCI entities.
---------------------------------------------------------------------------
In addition, broker-dealers that would be subject to Regulation SCI
and those that operate certain ATSs currently subject to Regulation ATS
(i.e., as SCI ATSs or SCI broker-dealers) also are or would be subject
to Regulation S-P (currently and as it would be amended).\379\
Therefore, if the proposed amendments to Regulation SCI and Regulation
S-P are all adopted as proposed, broker-dealers could be subject to
Regulation SCI in addition to the requirements of Regulation S-P
(currently and as it would be amended).
---------------------------------------------------------------------------
\379\ Regulation S-P applies to additional types of market
participants that are not or would not be subject to Regulation SCI.
See 17 CFR 248.3. For example, with regard to the proposed inclusion
of broker-dealers, Regulation SCI would only be applicable to an
estimated 17 broker-dealers under the proposed definition of SCI
broker-dealer. The discussion in this section III.D focuses on the
current and proposed requirements of Regulation S-P only as they
would apply to current and proposed SCI entities.
---------------------------------------------------------------------------
c. Policies and Procedures To Address Cybersecurity Risks
As discussed below, Regulation S-P currently has certain
cybersecurity-related provisions. The Exchange Act Cybersecurity
Proposal and the proposed amendments to Regulation S-P would add to
these requirements. These existing and proposed requirements would
relate to certain of the requirements of Regulation SCI (currently and
as it would be amended). The Commission believes this result would be
appropriate because the policies and procedures requirements of
Regulation SCI (currently and as it would be amended) differ in scope
and purpose from those of the Exchange Act Cybersecurity Proposal and
Regulation S-P, and because the policies and procedures required under
Regulation SCI that relate to cybersecurity (currently and as it would
be amended) are generally consistent with the proposed requirements of
the Exchange Act Cybersecurity Proposal and the existing and proposed
requirements of Regulation S-P that pertain to cybersecurity.
i. Different Scope of the Policies and Procedures Requirements
As discussed above in sections II.B and III.C, Regulation SCI
(currently and as it would be amended) limits its requirements to SCI
systems, which are certain systems of the SCI entity that support
specified securities market related functions,\380\ and indirect SCI
systems.\381\ Therefore, the policies and procedures requirements of
Regulation SCI (currently and as it would be amended) that pertain to
cybersecurity apply to SCI systems and indirect SCI systems. They do
not and would not apply to other systems maintained by an SCI entity.
---------------------------------------------------------------------------
\380\ See 17 CFR 242.1000 (defining ``SCI systems''). See also
supra section II.B.1.
\381\ See 17 CFR 242.1000 (defining ``indirect SCI systems'').
See also supra section II.B.1.
---------------------------------------------------------------------------
Regulation S-P's safeguards provisions currently apply to customer
records and information.\382\ Regulation S-P defines ``customer'' to
mean a consumer who has a customer relationship with the broker-
dealer.\383\ Regulation S-P further defines the term ``consumer'' to
mean an individual who obtains or has obtained a financial product or
service from the broker-dealer that is to be used primarily for
personal, family, or household purposes, or that individual's legal
representative.\384\ Regulation S-P's disposal provisions apply to
consumer report information maintained for a business purpose.\385\
Regulation S-P currently defines ``consumer report information'' to
mean any record about an individual, whether in paper, electronic or
other form, that is a consumer report or is derived from a consumer
report and also a compilation of such records.\386\ The Commission is
separately proposing to amend the scope of information covered under
both the Regulation S-P safeguards provisions and the Regulation S-P
disposal provisions.\387\ The amendments, however, would not
fundamentally broaden the scope of these provisions. Therefore, the
existing and proposed policies and procedures requirements of the
Regulation S-P safeguards and disposal provisions that pertain to
cybersecurity would apply to customer and consumer-related information.
They do not and would not apply to other types of information stored on
the information systems of the broker-dealer.\388\
---------------------------------------------------------------------------
\382\ See 17 CFR 248.30(a).
\383\ See 17 CFR 248.3(j).
\384\ See 17 CFR 248.3(g)(1).
\385\ See 17 CFR 248.30(b)(2).
\386\ See 17 CFR 248.30(b)(1)(ii).
\387\ See Regulation S-P 2023 Proposing Release.
\388\ Additionally, Regulation S-P (currently and as it would be
amended) implicates cybersecurity to the extent that customer
records or information or consumer report information is stored on
an information system (e.g., on a computer). If this information is
stored in paper form (e.g., in a file cabinet), the requirements of
Regulation S-P apply but the policies and procedures required under
the rule would need to address risks that are different than
cybersecurity risks--for example, the physical security risk that
individuals could gain unauthorized access to the room or file
cabinet where the paper records are stored as compared to the
cybersecurity risk that individuals could gain unauthorized access
to the information system on which the records are stored
electronically.
---------------------------------------------------------------------------
Regulation SCI (currently and as it would be amended), the Exchange
Act Cybersecurity Proposal, and Regulation S-P (currently and as it
would be amended) would, therefore, differ in scope. The Exchange Act
Cybersecurity
[[Page 23194]]
Proposal would require covered entities to establish, maintain, and
enforce written policies and procedures that are reasonably designed to
address their cybersecurity risks.\389\ Therefore, the Exchange Act
Cybersecurity Proposal does not limit its application to certain
systems or information residing on those systems based on the functions
and operations performed by the covered entity through the system or
the use of the information residing on the system unlike Regulation SCI
(currently and as it would be amended). In addition, the Exchange Act
Cybersecurity Proposal does not limit its application to a specific
type of information residing on an information system unlike Regulation
S-P (currently and as it would be amended).
---------------------------------------------------------------------------
\389\ See paragraphs (b) and (e) of proposed Rule 10 (setting
forth the requirements of covered entities, among others, to have
policies and procedures to address their cybersecurity risks).
---------------------------------------------------------------------------
ii. Consistency of the Policies and Procedures Requirements
The Commission also believes that it would be appropriate to apply
Regulation SCI to SCI entities even if they also are subject to the
requirements of the Exchange Act Cybersecurity Proposal and/or
Regulation S-P (currently and as it would be amended) because an SCI
entity could use one comprehensive set of policies and procedures to
satisfy the requirements of the current and proposed cybersecurity-
related policies and procedures requirements of Regulation SCI, the
Exchange Act Cybersecurity Proposal, and Regulation S-P. As explained
below, the more focused current and proposed policies and procedures
requirements of Regulation SCI and Regulation S-P addressing certain
cybersecurity risks would logically fit within and be consistent with
the broader policies and procedures required under the Exchange Act
Cybersecurity Proposal to address all cybersecurity risks (including
those outside of SCI systems and indirect SCI systems).
SCI entities that would be covered entities under the proposed
requirements of the Exchange Act Cybersecurity Proposal would be
subject the proposed policies and procedures requirements of the
Exchange Act Cybersecurity Proposal. In addition, broker-dealers that
would be subject to Regulation SCI and those that operate certain ATSs
currently subject to Regulation ATS (i.e., as SCI ATSs or SCI broker-
dealers) are subject to the requirements of Regulation S-P (currently
and as it would be amended).
General Cybersecurity Policies and Procedures Requirements.
Regulation SCI, Regulation S-P, and the Exchange Act Cybersecurity
Proposal all include requirements that address certain cybersecurity-
related risks. Regulation SCI requires an SCI entity to have reasonably
designed policies and procedures to ensure that its SCI systems and,
for purposes of security standards, indirect SCI systems, have levels
of capacity, integrity, resiliency, availability, and security,
adequate to maintain the SCI entity's operational capability and
promote the maintenance of fair and orderly markets.\390\
---------------------------------------------------------------------------
\390\ See 17 CFR 242.1001(a)(1).
---------------------------------------------------------------------------
Regulation S-P's safeguards provisions require broker-dealers to
adopt written policies and procedures that address administrative,
technical, and physical safeguards for the protection of customer
records and information.\391\ Additionally, Regulation S-P's disposal
provisions require broker-dealers that maintain or otherwise possess
consumer report information for a business purpose to properly dispose
of the information by taking reasonable measures to protect against
unauthorized access to or use of the information in connection with its
disposal.\392\
---------------------------------------------------------------------------
\391\ See 17 CFR 248.30(a).
\392\ See 17 CFR 248.30(b)(2). Regulation S-P currently defines
the term ``disposal'' to mean: (1) the discarding or abandonment of
consumer report information; or (2) the sale, donation, or transfer
of any medium, including computer equipment, on which consumer
report information is stored. See 17 CFR 248.30(b)(1)(iii).
---------------------------------------------------------------------------
Rule 10 of the Exchange Act Cybersecurity Proposal would require a
covered entity to establish, maintain, and enforce written policies and
procedures that are reasonably designed to address the covered entity's
cybersecurity risks. These requirements are designed to position
covered entities to be better prepared to protect themselves against
cybersecurity risks, to mitigate cybersecurity threats and
vulnerabilities, and to recover from cybersecurity incidents. They are
also designed to help ensure that covered entities focus their efforts
and resources on the cybersecurity risks associated with their
operations and business practices.
A covered entity that implements reasonably designed policies and
procedures in compliance with the requirements of the Exchange Act
Cybersecurity Proposal that cover its SCI systems and indirect SCI
systems should generally satisfy the current and proposed general
policies and procedures requirements of Regulation SCI that pertain to
cybersecurity.\393\ Similarly, policies and procedures implemented by a
broker-dealer that is an SCI entity that are reasonably designed in
compliance with the current and proposed cybersecurity requirements of
Regulation SCI should generally satisfy the existing general policies
and procedures requirements of Regulation S-P safeguards and disposal
provisions discussed above that pertain to cybersecurity.
---------------------------------------------------------------------------
\393\ The CAT System is a facility of each of the Participants
and an SCI system. See also Joint Industry Plan; Order Approving the
National Market System Plan Governing the Consolidated Audit Trail,
Securities Exchange Act Release No. 79318 (Nov. 15, 2016), 81 FR
84696, 84758 (Nov. 23, 2016) (``CAT NMS Plan Approval Order''). It
would also qualify as an ``information system'' of each national
securities exchange and each national securities association under
the Exchange Act Cybersecurity Proposal. The CAT NMS Plan requires
the CAT's Plan Processor to follow certain security protocols and
industry standards, including the NIST Cyber Security Framework,
subject to Participant oversight. See, e.g., CAT NMS Plan at
Appendix D, Section 4.2. For the reasons discussed above and below
with respect to SCI systems, the policies and procedures
requirements of Regulation SCI are not intended to be inconsistent
with the security protocols set forth in the CAT NMS Plan. Moreover,
to the extent the CAT NMS Plan requires security protocols beyond
those that would be required under Regulation SCI, those additional
security protocols should generally fit within and be consistent
with the policies and procedures required under the Exchange Act
Cybersecurity Proposal to address all cybersecurity risks.
---------------------------------------------------------------------------
Requirements to Oversee Service Providers. Under the amendments to
Regulation SCI, the policies and procedures required of SCI entities
would need to include a program to manage and oversee third-party
providers that provide functionality, support or service, directly or
indirectly, for SCI systems and indirect SCI systems, and are discussed
above in more detail in section III.C.2. In addition, proposed
amendments to Regulation S-P's safeguards provisions would require
broker-dealers to include written policies and procedures within their
response programs that require their service providers, pursuant to a
written contract, to take appropriate measures that are designed to
protect against unauthorized access to or use of customer information,
including notification to the broker-dealer in the event of any breach
in security resulting in unauthorized access to a customer information
maintained by the service provider to enable the broker-dealer to
implement its response program.\394\
---------------------------------------------------------------------------
\394\ See Regulation S-P 2023 Proposing Release.
---------------------------------------------------------------------------
Proposed Rule 10 of the Exchange Act Cybersecurity Proposal would
have several policies and procedures requirements that are designed to
address similar cybersecurity-related
[[Page 23195]]
risks to these proposed amendments to Regulation SCI and Regulation S-
P. First, a covered entity's policies and procedures under proposed
Rule 10 would need to require periodic assessments of cybersecurity
risks associated with the covered entity's information systems and
information residing on those systems.\395\ This element of the
policies and procedures would need to include requirements that the
covered entity identify its service providers that receive, maintain,
or process information, or are otherwise permitted to access its
information systems and any of its information residing on those
systems, and assess the cybersecurity risks associated with its use of
these service providers.\396\ Second, under proposed Rule 10, a covered
entity's policies and procedures would need to require oversight of
service providers that receive, maintain, or process its information,
or are otherwise permitted to access its information systems and the
information residing on those systems, pursuant to a written contract
between the covered entity and the service provider, and through that
written contract the service providers would need to be required to
implement and maintain appropriate measures that are designed to
protect the covered entity's information systems and information
residing on those systems.\397\
---------------------------------------------------------------------------
\395\ See paragraph (b)(1)(i)(A) of proposed Rule 10; see also
section II.B.1.a of the Exchange Act Cybersecurity Proposal
(discussing this requirement in more detail).
\396\ See paragraph (b)(1)(i)(A)(2) of proposed Rule 10.
\397\ See paragraphs (b)(1)(iii)(B) of proposed Rule 10; see
also section II.B.1.c. of this release (discussing this requirement
in more detail).
---------------------------------------------------------------------------
A covered entity that implements these requirements of proposed
Rule 10 of the Exchange Act Cybersecurity Proposal with respect to its
SCI systems and indirect SCI systems should generally satisfy the
proposed requirements of Regulation SCI that the SCI entity's policies
and procedures include a program to manage and oversee third-party
providers that provide functionality, support or service, directly or
indirectly, for SCI systems and indirect SCI systems. Similarly, a
broker-dealer that is an SCI entity that implements these requirements
of Regulation SCI should generally comply with the proposed
requirements of Regulation S-P's safeguards provisions relating to the
oversight of service providers.
Unauthorized Access Requirements. Under the proposed amendments to
Regulation SCI, SCI entities would be required to have a program to
prevent the unauthorized access to their SCI systems and indirect SCI
systems, and information residing therein, and are discussed above in
more detail in section III.C.3.a. The proposed amendments to Regulation
S-P's disposal provisions would require broker-dealers that maintain or
otherwise possess consumer information or customer information for a
business purpose to properly dispose of this information by taking
reasonable measures to protect against unauthorized access to or use of
the information in connection with its disposal.\398\ The broker-dealer
would be required to adopt and implement written policies and
procedures that address the proper disposal of consumer information and
customer information in accordance with this standard.\399\
---------------------------------------------------------------------------
\398\ See Regulation S-P 2023 Proposing Release. As discussed
above, the general policies and procedures requirements of
Regulation S-P's safeguards provisions require the policies and
procedures--among other things--to protect against unauthorized
access to or use of customer records or information that could
result in substantial harm or inconvenience to any customer. See 17
CFR 248.30(a)(3).
\399\ See Regulation S-P 2023 Proposing Release.
---------------------------------------------------------------------------
Proposed Rule 10 of the Exchange Act Cybersecurity Proposal would
have several policies and procedures requirements that are designed to
address similar cybersecurity-related risks to these proposed
requirements of Regulation SCI and the proposed disposal provisions of
Regulation S-P. First, a covered entity's policies and procedures under
proposed Rule 10 would need controls: (1) requiring standards of
behavior for individuals authorized to access the covered entity's
information systems and the information residing on those systems, such
as an acceptable use policy; (2) identifying and authenticating
individual users, including but not limited to implementing
authentication measures that require users to present a combination of
two or more credentials for access verification; (3) establishing
procedures for the timely distribution, replacement, and revocation of
passwords or methods of authentication; (4) restricting access to
specific information systems of the covered entity or components
thereof and the information residing on those systems solely to
individuals requiring access to the systems and information as is
necessary for them to perform their responsibilities and functions on
behalf of the covered entity; and (5) securing remote access
technologies.\400\
---------------------------------------------------------------------------
\400\ See paragraphs (b)(1)(ii)(A) through (E) of proposed Rule
10; see also section II.B.1.b of the Exchange Act Cybersecurity
Proposal (discussing these requirements in more detail).
---------------------------------------------------------------------------
Second, under proposed Rule 10, a covered entity's policies and
procedures would need to include measures designed to protect the
covered entity's information systems and protect the information
residing on those systems from unauthorized access or use, based on a
periodic assessment of the covered entity's information systems and the
information that resides on the systems.\401\ The periodic assessment
would need to take into account: (1) the sensitivity level and
importance of the information to the covered entity's business
operations; (2) whether any of the information is personal information;
(3) where and how the information is accessed, stored and transmitted,
including the monitoring of information in transmission; (4) the
information systems' access controls and malware protection; and (5)
the potential effect a cybersecurity incident involving the information
could have on the covered entity and its customers, counterparties,
members, registrants, or users, including the potential to cause a
significant cybersecurity incident.\402\
---------------------------------------------------------------------------
\401\ See paragraph (b)(1)(iii)(A) of proposed Rule 10; see also
section II.B.1.c. of the Exchange Act Cybersecurity Proposal
(discussing these requirements in more detail).
\402\ See paragraphs (b)(1)(iii)(A)(1) through (5) of proposed
Rule 10.
---------------------------------------------------------------------------
A covered entity that implements these requirements of proposed
Rule 10 of the Exchange Act Cybersecurity Proposal with respect to its
SCI systems and indirect SCI systems should generally satisfy the
proposed requirements of Regulation SCI that the SCI entity's policies
and procedures include a program to prevent the unauthorized access to
their SCI systems and indirect SCI systems, and information residing
therein. Similarly, a broker-dealer that is an SCI entity that
implements these proposed requirements of Regulation SCI should
generally satisfy the proposed requirements of Regulation S-P's
disposal provisions to adopt and implement written policies and
procedures that address the proper disposal of consumer information and
customer information.
Review Requirements. The current and proposed provisions of
Regulation SCI prescribe certain elements that must be included in each
SCI entity's policies and procedures relating to regular reviews and
testing, penetration testing, and the SCI review, and are discussed
above in more detail in sections II.B.2, II.B.4, III.C.3.b, and
III.C.4.
Proposed Rule 10 of the Exchange Act Cybersecurity Proposal would
have several policies and procedures requirements that are designed to
[[Page 23196]]
address similar cybersecurity-related risks to these existing and
proposed requirements of Regulation SCI. First, a covered entity's
policies and procedures under proposed Rule 10 would need to require
periodic assessments of cybersecurity risks associated with the covered
entity's information systems and information residing on those
systems.\403\ Moreover, this element of the policies and procedures
would need to include requirements that the covered entity categorize
and prioritize cybersecurity risks based on an inventory of the
components of the covered entity's information systems and information
residing on those systems and the potential effect of a cybersecurity
incident on the covered entity.\404\ Second, under proposed Rule 10, a
covered entity's policies and procedures would need to require measures
designed to detect, mitigate, and remediate any cybersecurity threats
and vulnerabilities with respect to the covered entity's information
systems and the information residing on those systems.\405\
---------------------------------------------------------------------------
\403\ See paragraph (b)(1)(i)(A) of proposed Rule 10; see also
section II.B.1.a of the Exchange Act Cybersecurity Proposal
(discussing this requirement in more detail).
\404\ See paragraph (b)(1)(i)(A)(1) of proposed Rule 10.
\405\ See paragraph (b)(1)(iv) of proposed Rule 10; see also
section II.B.1.d of the Exchange Act Cybersecurity Proposal
(discussing this requirement in more detail).
---------------------------------------------------------------------------
A covered entity that implements these requirements of proposed
Rule 10 with respect to its SCI systems and indirect SCI systems should
generally satisfy the current requirements of Regulation SCI that the
SCI entity's policies and procedures require regular reviews and
testing of SCI systems and indirect SCI systems, including backup
systems, to identify vulnerabilities from internal and external
threats. Further, while proposed Rule 10 does not require penetration
testing, the proposed rule requires measures designed to protect the
covered entity's information systems and protect the information
residing on those systems from unauthorized access or use, based on a
periodic assessment of the covered entity's information systems and the
information that resides on the systems \406\ and penetration testing
could be part of these measures.\407\ Therefore, the existing and
proposed requirements of Regulation SCI requiring penetration testing
could be incorporated into and should logically fit within a covered
entity's policies and procedures to address cybersecurity risks under
proposed Rule 10 of the Exchange Act Cybersecurity Proposal.
---------------------------------------------------------------------------
\406\ See paragraph (b)(1)(iii)(A) of proposed Rule 10.
\407\ See also section II.B.1.c of the Exchange Act
Cybersecurity Proposal.
---------------------------------------------------------------------------
Response Program. Regulation SCI requires SCI entities to have
policies and procedures to monitor its SCI systems and indirect SCI
systems for SCI events, which include systems intrusions for
unauthorized access, and also requires them to have policies and
procedures that include escalation procedures to quickly inform
responsible SCI personnel of potential SCI events, which are discussed
above in more detail in section II.B.2.\408\ The amendments to
Regulation S-P's safeguards provisions would require the policies and
procedures to include a response program for unauthorized access to or
use of customer information. Further, the response program would need
to be reasonably designed to detect, respond to, and recover from
unauthorized access to or use of customer information, including
procedures, among others: (1) to assess the nature and scope of any
incident involving unauthorized access to or use of customer
information and identify the customer information systems and types of
customer information that may have been accessed or used without
authorization; and (2) to take appropriate steps to contain and control
the incident to prevent further unauthorized access to or use of
customer information.\409\
---------------------------------------------------------------------------
\408\ See paragraphs (a)(2)(vii) and (c)(1) of Rule 1001 of
Regulation SCI, respectively. See also Rule 1002(a) of Regulation
SCI and supra sections II.B.3 and III.C.3.c (discussing Regulation
SCI's current and proposed requirements with respect to taking
corrective action for SCI events, including systems intrusions).
\409\ See Regulation S-P 2023 Proposing Release. The response
program also would need to have procedures to notify each affected
individual whose sensitive customer information was, or is
reasonably likely to have been, accessed or used without
authorization unless the covered institution determines, after a
reasonable investigation of the facts and circumstances of the
incident of unauthorized access to or use of sensitive customer
information, the sensitive customer information has not been, and is
not reasonably likely to be, used in a manner that would result in
substantial harm or inconvenience. See id.
---------------------------------------------------------------------------
Proposed Rule 10 of the Exchange Act Cybersecurity Proposal would
have several policies and procedures requirements that are designed to
address similar cybersecurity-related risks to these proposed
requirements of Regulation SCI and the proposed requirements of the
safeguards provisions of Regulation S-P. First, under proposed Rule 10,
a covered entity's policies and procedures would need to have measures
designed to detect, mitigate, and remediate any cybersecurity threats
and vulnerabilities with respect to the covered entity's information
systems and the information residing on those systems.\410\ Second,
under proposed Rule 10, a covered entity's policies and procedures
would need to have measures designed to detect, respond to, and recover
from a cybersecurity incident, including policies and procedures that
are reasonably designed to ensure (among other things): (1) the
continued operations of the covered entity; (2) the protection of the
covered entity's information systems and the information residing on
those systems; and (3) external and internal cybersecurity incident
information sharing and communications.\411\
---------------------------------------------------------------------------
\410\ See paragraph (b)(1)(iv) of proposed Rule 10; see also
section II.B.1.d of the Exchange Act Cybersecurity Proposal
(discussing this requirement in more detail).
\411\ See paragraph (b)(1)(v) of proposed Rule 10; see also
section II.B.1.e of the Exchange Act Cybersecurity Proposal
(discussing this requirement in more detail).
---------------------------------------------------------------------------
A covered entity that implements reasonably designed policies and
procedures in compliance with these requirements of proposed Rule 10 of
the Exchange Act Cybersecurity Proposal should generally satisfy the
current and proposed requirements of Regulation SCI and Regulation S-
P's safeguards provisions relating to response programs for
unauthorized access.
d. Commission Notification
As discussed above in sections II.B.3 and III.C.3.c, Regulation SCI
(currently and as it would be amended) provides the framework for
notifying the Commission of SCI events including, among other things,
requirements to: notify the Commission of the event immediately;
provide a written notification on Form SCI within 24 hours that
includes a description of the SCI event and the system(s) affected,
with other information required to the extent available at the time;
provide regular updates regarding the SCI event until the event is
resolved; and submit a final detailed written report regarding the SCI
event.\412\ If proposed Rule 10 of the Exchange Act Cybersecurity
Proposal is adopted as proposed, it would establish a framework for
covered entities to provide the Commission (and other regulators, if
applicable) with immediate written electronic notice of a significant
cybersecurity incident affecting the covered entity and, thereafter,
report and update information about the
[[Page 23197]]
significant cybersecurity incident by filing Part I of proposed Form
SCIR with the Commission (and other regulators, if applicable).\413\
Part I of proposed of Form SCIR would elicit information about the
significant cybersecurity incident and the covered entity's efforts to
respond to, and recover from, the incident.
---------------------------------------------------------------------------
\412\ See 17 CFR 242.1002(b); supra sections II.B.2 and
III.C.3.c (discussing Regulation SCI's current and proposed
requirements relating to SCI events, which include systems
intrusions, and Commission notification for SCI events).
\413\ See paragraphs (c)(1) and (2) of proposed Rule 10
(requiring covered entities to provide immediate written notice and
subsequent reporting on Part I of proposed Form SCIR of significant
cybersecurity incidents); and sections II.B.2. and II.B.4. of the
Exchange Act Cybersecurity Proposal (discussing the requirements of
paragraphs (c)(1) and (2) of proposed Rule 10 and Part I of Form
SCIR in more detail).
---------------------------------------------------------------------------
Consequently, an SCI entity that is also a covered entity under the
Exchange Act Cybersecurity Proposal that experiences a systems
intrusion under Regulation SCI that also is a significant cybersecurity
incident under proposed Rule 10 would be required to make two filings
for the single incident: one on Form SCI and the other on Part I of
proposed Form SCIR. The SCI entity also would be required to make
additional filings on Forms SCI and SCIR pertaining to the systems
intrusion (i.e., to provide updates and final reports). The Commission
believes the approach of having two separate notification and reporting
programs--one under Regulation SCI and the other under proposed Rule 10
of the Exchange Act Cybersecurity Proposal--would be appropriate for
the following reasons.
As discussed earlier, most broker-dealers would not be SCI entities
under the current and proposed requirements of Regulation SCI.\414\
Certain of the broker-dealers that are not SCI entities (currently and
as it would be amended) would be covered entities under the Exchange
Act Cybersecurity Proposal, as would other types of entities.\415\ In
addition, the current and proposed reporting requirements of Regulation
SCI are or would be triggered by events impacting SCI systems and
indirect SCI systems. In addition to SCI systems and indirect SCI
systems, covered entities that are or would be SCI entities use and
rely on information systems that are not SCI systems or indirect SCI
systems under the current and proposed amendments to Regulation SCI.
For these reasons, covered entities under the Exchange Act
Cybersecurity Proposal could be impacted by significant cybersecurity
incidents that do not trigger the current and proposed notification
requirements of Regulation SCI either because they do not meet the
current or proposed definitions of ``SCI entity'' or because the
significant cybersecurity incident does not meet the current or
proposed definitions of ``SCI event.''
---------------------------------------------------------------------------
\414\ See section II.F.1.b of the Exchange Act Cybersecurity
Proposal.
\415\ See paragraphs (a)(1)(i)(A) and (F) of proposed Rule 10
(defining the categories of broker-dealers that would be covered
entities); see also supra note 378.
---------------------------------------------------------------------------
The objective of notification and reporting requirements of
proposed Rule 10 of the Exchange Act Cybersecurity Proposal is to
improve the Commission's ability to monitor and respond to significant
cybersecurity incidents and use the information reported about them to
better understand how they can be avoided or mitigated.\416\ For this
reason, Part I of proposed Form SCIR is tailored to elicit information
relating specifically to cybersecurity, such as information relating to
the threat actor, and the impact of the incident on any data or
personal information that may have been accessed.\417\ The Commission
and its staff could use the information reported on Part I of Form SCIR
to monitor the U.S. securities markets and the covered entities that
support those markets broadly from a cybersecurity perspective,
including identifying cybersecurity threats and trends from a market-
wide view. By requiring all covered entities to report information
about a significant cybersecurity incident on a common form, the
information obtained from these filings over time would create a
comprehensive set of data of all significant cybersecurity incidents
impacting covered entities that is based on these entities responding
to the same check boxes and questions on the form. This would
facilitate analysis of the data, including analysis across different
covered entities and significant cybersecurity incidents. Eventually,
this set of data and the ability to analyze it by searching and sorting
how different covered entities responded to the same questions on the
form could be used to spot common trending risks and vulnerabilities as
well as best practices employed by covered entities to respond to and
recover from significant cybersecurity incidents.\418\
---------------------------------------------------------------------------
\416\ See section II.B.2.a of the Exchange Act Cybersecurity
Proposal.
\417\ See section II.B.2.b of the Exchange Act Cybersecurity
Proposal.
\418\ FSOC has found that ``[s]haring timely and actionable
cybersecurity information can reduce the risk that cybersecurity
incidents occur and can mitigate the impacts of those that do
occur.'' FSOC, Annual Report (2021), available at https://home.treasury.gov/system/files/261/FSOC2021AnnualReport.pdf (``FSOC
2021 Annual Report'').
---------------------------------------------------------------------------
The current and proposed definitions of ``SCI event'' include not
only cybersecurity events, but also events that are not related to
significant cybersecurity incidents under the Exchange Act
Cybersecurity Proposal.\419\ For example, under the current and
proposed requirements of Regulation SCI, the definition of ``SCI
event'' includes ``systems disruptions,'' which are events in an SCI
entity's SCI systems that disrupts, or significantly degrades, the
normal operation of an SCI system.\420\ Therefore, the definitions are
not limited to events in an SCI entity's SCI systems that disrupt, or
significantly degrade, the normal operation of an SCI system caused by
a significant cybersecurity incident. The information elicited in Form
SCI reflects the broader scope of the reporting requirements of
Regulation SCI (as compared to the narrower focus of proposed Rule 10
on reporting about significant cybersecurity incidents). For example,
Form SCI requires the SCI entity to identify the type of SCI event:
systems compliance issue, systems disruption, and/or systems intrusion.
In addition, Form SCI is tailored to elicit information specifically
about SCI systems. For example, the form requires the SCI entity to
indicate whether the type of SCI system impacted by the SCI event
directly supports: (1) trading; (2) clearance and settlement; (3) order
routing; (4) market data; (5) market regulation; and/or (6) market
surveillance. If the impacted system is a critical SCI system, the SCI
entity must indicate whether it directly supports functionality
relating to: (1) clearance and settlement systems of clearing agencies;
(2) openings, reopenings, and closings on the primary listing market;
(3) trading halts; (4) initial public offerings; (5) the provision of
consolidated market data; and/or (6) exclusively listed securities. The
form also requires the SCI entity to indicate if the systems that
provide functionality to the securities markets for which the
availability of alternatives is significantly limited or nonexistent
and without which there would be a material impact on fair and orderly
markets.
---------------------------------------------------------------------------
\419\ See 17 CFR 242.1000 (defining the term ``SCI event''); see
also supra sections II.B.3 and III.C.3.c (discussion the current and
proposed requirements relating to SCI events, including systems
intrusions).
\420\ See 17 CFR 242.1000 (defining the term ``system
disruption'' and including that term in the definition of ``SCI
event'').
---------------------------------------------------------------------------
e. Information Dissemination and Disclosure
As discussed above in sections II.B.3 and III.C.3.c, Regulation SCI
(currently and as it would be amended) would require that SCI entities
disseminate information to their members,
[[Page 23198]]
participants, or customers (as applicable) regarding SCI events,
including systems intrusions.\421\ The proposed amendments to
Regulation S-P would require broker-dealers to notify affected
individuals whose sensitive customer information was, or is reasonably
likely to have been, accessed or used without authorization.\422\
Proposed Rule 10 of the Exchange Act Cybersecurity Proposal would
require a covered entity to make two types of public disclosures
relating to cybersecurity on Part II of proposed Form SCIR.\423\
Covered entities would be required to make the disclosures by filing
Part II of proposed Form SCIR on the Electronic Data Gathering,
Analysis, and Retrieval (EDGAR) system and posting a copy of the filing
on their business websites.\424\ In addition, a covered entity that is
either a carrying or introducing broker-dealer would be required to
provide a copy of the most recently filed Part II of Form SCIR to a
customer as part of the account opening process. Thereafter, the
carrying or introducing broker-dealer would need to provide the
customer with the most recently filed form annually. The copies of the
form would need to be provided to the customer using the same means
that the customer elects to receive account statements (e.g., by email
or through the postal service). Finally, a covered entity would be
required to make updated disclosures promptly through each of the
methods described above (as applicable) if the information required to
be disclosed about cybersecurity risk or significant cybersecurity
incidents materially changes, including, in the case of the disclosure
about significant cybersecurity incidents, after the occurrence of a
new significant cybersecurity incident or when information about a
previously disclosed significant cybersecurity incident materially
changes.
---------------------------------------------------------------------------
\421\ See 17 CFR 242.1002(c).
\422\ However, disclosure under proposed Regulation S-P would
not be required if ``a covered institution has determined, after a
reasonable investigation of the facts and circumstances of the
incident of unauthorized access to or use of sensitive customer
information, that sensitive customer information has not been, and
is not reasonably likely to be, used in a manner that would result
in substantial harm or inconvenience.'' See Regulation S-P 2023
Proposing Release. The proposed amendments to Regulation S-P would
define ``sensitive customer information'' to mean any component of
customer information alone or in conjunction with any other
information, the compromise of which could create a reasonably
likely risk of substantial harm or inconvenience to an individual
identified with the information. Id. The proposed amendments would
provide example of sensitive customer information. Id.
\423\ See paragraph (d)(1) of proposed Rule 10.
\424\ See section II.B.3.b (discussing these proposed
requirements in more detail).
---------------------------------------------------------------------------
Consequently, a covered entity would, if it experiences a
``significant cybersecurity incident,'' be required to make updated
disclosures under proposed Rule 10 by filing Part II of proposed Form
SCIR on EDGAR, posting a copy of the form on its business website, and,
in the case of a carrying or introducing broker-dealer, by sending the
disclosure to its customers using the same means that the customer
elects to receive account statements. Thus, if an SCI entity is a
covered entity under the Exchange Act Cybersecurity Proposal and if the
SCI event would be a significant cybersecurity incident under the
Exchange Act Cybersecurity Proposal, the SCI entity also could be
required to disseminate certain information about the SCI event to
certain of its members, participants, or customers (as applicable).
Further, if the SCI entity is a broker-dealer and, therefore, subject
to Regulation S-P (as it is proposed to be amended), the broker-dealer
also could be required to notify individuals whose sensitive customer
information was, or is reasonably likely to have been, accessed or used
without authorization.
However, the Commission believes that this result would be
appropriate. First, as discussed above, Regulation SCI (currently and
as it would be amended), proposed Rule 10, and Regulation S-P (as
proposed to be amended) require different types of information to be
disclosed. Second, as discussed above, the disclosures, for the most
part, would be made to different persons: (1) affected members,\425\
participants, or customers (as applicable) of the SCI entity in the
case of Regulation SCI; (2) the public at large in the case of proposed
Rule 10 of the Exchange Act Cybersecurity Proposal; \426\ and (3)
affected individuals whose sensitive customer information was, or is
reasonably likely to have been, accessed or used without authorization
or, in some cases, all individuals whose information resides in the
customer information system that was accessed or used without
authorization in the case of Regulation S-P (as proposed to be
amended).\427\ For these reasons, the Commission believes it would be
appropriate to apply these current and proposed requirements of
Regulation SCI to SCI entities even if they would be subject to the
disclosure requirements of proposed Rule 10 of the Exchange Act
Cybersecurity Proposal and/or Regulation S-P (as proposed to be
amended).
---------------------------------------------------------------------------
\425\ Information regarding major SCI events would be required
to be disseminated by an SCI entity to all of its members,
participants, or customers (as applicable). See current and proposed
Rule 1002(c)(3) of Regulation SCI.
\426\ A carrying broker-dealer would be required to make the
disclosures to its customers as well through the means by which they
receive account statements.
\427\ Under the Regulation SCI and Regulation S-P proposals,
there could be circumstances in which a compromise involving
sensitive customer information at a broker-dealer that is an SCI
entity could result in two forms of notification being provided to
customers for the same incident. In addition, under the Exchange Act
Cybersecurity Proposal, the broker-dealer also may need to publicly
disclose a summary description of the incident via EDGAR and the
entity's business internet website, and, in the case of an
introducing or carrying broker-dealer, send a copy of the disclosure
to its customers.
---------------------------------------------------------------------------
2. Request for Comment
The Commission requests comment on the relation between the
requirements of Regulation SCI (as it currently exists and as it is
proposed to be amended), proposed Rule 10, and Regulation S-P (as it
currently exists and as it is proposed to be amended). In addition, the
Commission is requesting comment on the following matters:
87. Should the policies and procedures requirements of current and
proposed Regulation SCI regarding cybersecurity be modified to address
SCI entities that also would be subject to proposed Rule 10 of the
Exchange Act Cybersecurity Proposal and/or the existing and proposed
requirements of Regulation S-P? For example, would it be particularly
costly or create practical implementation difficulties to apply the
requirements of current and proposed Regulation SCI to have policies
and procedures to address cybersecurity risks to SCI entities even if
they also would be subject to requirements to have policies and
procedures under proposed Rule 10 (if it is adopted) and/or Regulation
S-P that address certain cybersecurity risks (currently and it they
would be amended)? If so, explain why. If not, explain why not. Are
there ways the policies and procedures requirements of current or
proposed Regulation SCI regarding could be modified to minimize these
potential impacts while achieving the separate goals of this proposal?
If so, explain how and suggest specific modifications.
88. Should the Commission notification and reporting requirements
of current and proposed Regulation SCI be modified to address SCI
entities that also would be subject to the proposed requirements of
Rule 10 of the Exchange Act Cybersecurity Proposal? For example, would
it be particularly costly or create practical implementation
difficulties to apply the Commission notification and reporting
requirements
[[Page 23199]]
of current and proposed Regulation SCI and Form SCI to SCI entities
even if they also would be subject to immediate notification and
subsequent reporting requirements under proposed Rule 10 of the
Exchange Act Cybersecurity Proposal and Part I of proposed Form SCIR
(if they are adopted)? If so, explain why. If not, explain why not. Are
there ways the Commission notification and reporting requirements of
current or proposed Regulation SCI and Form SCI could be modified to
minimize these potential impacts while achieving the separate goals of
this proposal? If so, explain how and suggest specific modifications.
For example, should Form SCI be modified to include a section that
incorporates the check boxes and questions of Part I of Form SCIR so
that a single form could be filed to meet the reporting requirements of
Regulation SCI and proposed Rule 10? If so, explain why. If not,
explain why not. Should the Commission modify the proposed Commission
notification framework for systems intrusions that are also significant
cybersecurity incidents under Rule 10? For example, should such systems
intrusions be initially reported (i.e., immediately and for the 24-hour
notification) on Form SCI, with subsequent reports exempted from Rule
1002(b)'s requirements if they are reported to the Commission on Form
SCIR pursuant to the proposed requirements of Rule 10? Why or why not?
Are there other ways Form SCI could be modified to combine the elements
of Part I of Form SCIR? If so, explain how.
89. Should the disclosure requirements of proposed and current
Regulation SCI be modified to address SCI entities that also would be
subject to the proposed requirements of the Exchange Act Cybersecurity
Proposal and the existing and proposed requirements of Regulation S-P?
For example, would it be particularly costly or create practical
implementation difficulties to apply the disclosure requirements of
current and proposed Regulation SCI to SCI entities even if they also
would be subject to the proposed Rule 10 and Part II of proposed form
SCIR (if they are adopted) the current and proposed requirements of
Regulation S-P? If so, explain why. If not, explain why not. Are there
ways the disclosure requirements of Regulation SCI could be modified to
minimize these potential impacts while achieving the separate goals of
this proposal? If so, explain how and suggest specific modifications.
90. Would the addition of the requirements in the Exchange Act
Cybersecurity Proposal--together with the current broker-dealer
regulatory regime, including the Market Access Rule and other
Commission and FINRA rules--be sufficient to reasonably ensure the
operational capability of the technological systems of the proposed SCI
broker-dealers? Why or why not? For example, are there any provisions
of Regulation SCI that, if added to the Exchange Act Cybersecurity
Proposal as it applies to broker-dealers, would help ensure the
operational capability of the technological systems of the proposed SCI
broker-dealers? Which provisions?
IV. Paperwork Reduction Act
Certain provisions of the proposal would contain a new ``collection
of information'' within the meaning of the Paperwork Reduction Act of
1995 (``PRA'').\428\ The Commission is submitting the proposed rule
amendments to the Office of Management and Budget (``OMB'') for review
and approval in accordance with the PRA and its implementing
regulations.\429\ An agency may not conduct or sponsor, and a person is
not required to respond to a collection of information unless it
displays a currently valid OMB control number.\430\ The Commission is
proposing to alter the 31 existing collections of information and apply
such collections of information to new categories of respondents. The
title for the collections of information is: Regulation Systems
Compliance and Integrity (OMB control number 3235-0703). The burden
estimates contained in this section do not include any other possible
costs or economic effects beyond the burdens required to be calculated
for PRA purposes.
---------------------------------------------------------------------------
\428\ See 44 U.S.C. 3501 et seq.
\429\ See 44 U.S.C. 3507; 5 CFR 1320.11.
\430\ See 5 CFR 1320.11(l).
---------------------------------------------------------------------------
A. Summary of Collections of Information
The proposed amendments to Regulation SCI create paperwork burdens
under the PRA by (1) adding new categories of respondents to the 31
existing collections of information (across 7 rules) noted above and
(2) modifying the requirements of 16 of those collections, as noted
below. For entities that are already required to comply with Regulation
SCI (``Current SCI Entities''), the proposed amendments would result in
the modification of certain collections of information. Entities that
would become subject to Regulation SCI as a result of the proposed
amendments (``New SCI Entities'') would be newly subject to the 31
existing collections of information, including the modifications.\431\
The collections of information and applicable categories of new
respondents are summarized (by rule) in the following table.\432\
---------------------------------------------------------------------------
\431\ See infra section IV.C (Respondents) for more information
on Current SCI Entities and New SCI Entities.
\432\ Unless otherwise described, none of the existing
information collections are being revised with new requirements.
----------------------------------------------------------------------------------------------------------------
Collection of information Rule Burden description Respondent categories
----------------------------------------------------------------------------------------------------------------
Rule 1001 of Regulation SCI........ Rule 1001(a).......... Rule Description: Current SCI Entities
Requirement to establish, and New SCI Entities.
maintain, and enforce
written policies and
procedures related to
capacity, integrity,
resiliency, availability,
and security.
Revised burden: ensure
policies and procedures
include a program to
manage and oversee third-
party providers that
provide functionality,
support or service for the
SCI entity's SCI systems;
inventory all SCI systems,
include a program to
prevent unauthorized
access to SCI system
access and the information
residing therein, identify
the SCI industry standard
with which such policy and
procedure is consistent,
if any.
[[Page 23200]]
Rule 1001(b).......... Rule Description: New SCI Entities.
Requirement to establish,
maintain, and enforce
policies and procedures
reasonably designed to
ensure that its SCI
systems operate in a
manner that complies with
the Exchange Act, rules
and regulations
thereunder, and the
entity's rules and
governing documents.
Rule 1001(c).......... Rule Description: New SCI Entities.
Establish, maintain, and
enforce reasonably
designed written policies
and procedures that
include the criteria for
identifying responsible
SCI personnel, the
designation and
documentation of
responsible SCI personnel,
and escalation procedures
to inform responsible SCI
personnel of potential SCI
events.
Rule 1002 of Regulation SCI........ Rule 1002(a).......... Rule Description: Each SCI New SCI Entities.
entity is required to take
appropriate corrective
action upon any
responsible SCI personnel
having a reasonable basis
to conclude that an SCI
event has occurred.
Rule 1002(b).......... Rule Description: Rules Current SCI Entities
1002(b)(1) through (4): and New SCI Entities.
Requirement that each SCI
entity, upon any
responsible SCI personnel
having a reasonable basis
to conclude that an SCI
event has occurred, notify
the Commission immediately
of such SCI event and
submit a written
notification within 24
hours of responsible SCI
personnel having a
reasonable basis to
conclude there was an SCI
event. Periodic updates
are required pertaining to
the SCI event on either a
regular basis or at such
frequency requested by
representatives of the
Commission. An interim
written notification is
required if the SCI event
is not closed within 30
days of its occurrence. A
final notification is
required to be submitted
within five days of the
resolution and closure of
the SCI event.
Rule 1002(b)(5): For events
that the SCI entity
reasonably estimates would
have no, or a de minimis
impact on the SCI entity's
operations or on market
participants, submit a
report within 30 days
after the end of each
calendar quarter
containing a summary
description of such
systems disruptions and
systems intrusions.
Revised burden: add (1)
cybersecurity events that
disrupt, or significantly
degrade the normal
operation of an SCI
system, and (2)
significant attempted
unauthorized entries into
SCI systems or indirect
SCI systems, as determined
by the SCI entity pursuant
to established reasonable
written criteria, to the
definition of systems
intrusions in Rule 1000,
thus requiring that SCI
entities provide
notifications under Rule
1002(b)(1) through (4);
eliminate the de minimis
exception's applicability
to systems intrusions,
thus requiring all systems
intrusions to be reported
pursuant to Rule
1002(b)(1) through (4);
require interim written
notification to the
Commission to include a
copy of any information
disseminated pursuant to
Rule 1002(c) regarding the
SCI event by SCI broker-
dealers to their customers.
Rule 1002(c).......... Rule Description: Current SCI Entities
Requirements to and New SCI Entities.
disseminate certain
information to members and
participants concerning
SCI events promptly after
any responsible SCI
personnel has a reasonable
basis to conclude that an
SCI event has occurred.
For major SCI events,
information must be
disseminated to all
members and participants,
and for SCI events that
are not major, the
information must be
disseminated to members or
participants that any
responsible SCI personnel
has reasonably estimated
may have been affected by
the SCI event.
[[Page 23201]]
Revised burden: add
cybersecurity events to
the definition of systems
intrusions in Rule 1000,
thus making them SCI
events and requiring that
SCI entities provide
notifications under Rule
1002(c)(2) for those
additional SCI events;
exclude systems intrusions
that are significant
attempted unauthorized
entries into the SCI
systems or indirect SCI
systems of an SCI entity
from information
dissemination
requirements; add that SCI
broker-dealers would
notify their customers
(rather than members or
participants).
Rule 1003 of Regulation SCI........ Rule 1003(a).......... Rule Description: Submit New SCI Entities.
quarterly report
describing completed,
ongoing, and planned
material changes to SCI
systems and the security
of indirect SCI systems;
establish reasonable
written criteria to
identify changes to SCI
systems and the security
of indirect SCI systems as
material and report such
changes in accordance with
such criteria. Promptly
submit a supplemental
report notifying the
Commission of a material
error in or material
omission from a previously
submitted report.
Rule 1003(b).......... Rule Description: Current SCI Entities
Requirement to conduct an and New SCI Entities.
SCI review of the SCI
entity's compliance with
Regulation SCI not less
than once each calendar
year; conduct penetration
test reviews not less than
once every three years.
Revised burden: include
certain additional
requirements and
information in SCI
reviews, require the SCI
review to be performed
annually, and require a
response by senior
management be reported to
the Commission.
Rule 1004 of Regulation SCI........ Rule 1004............. Rule Description: Establish Current SCI Entities
standards to designate and New SCI Entities.
members and participants
that are the minimum
necessary for the
maintenance of fair and
orderly markets, designate
members or participants
and require their
participation in testing
of the BC/DR plans
pursuant to such
standards, and coordinate
testing on an industry or
sector-wide basis with
other SCI entities.
Revised burden: require SCI
entities to establish
standards for designating
certain third-party
providers that are the
minimum necessary for the
maintenance of fair and
orderly markets, and
designate third-party
providers for BC/DR
testing pursuant to those
standards.
Rule 1005 of Regulation SCI........ Rule 1005............. Rule Description: Current SCI Entities
Requirement to make, keep, and New SCI Entities.
and preserve all documents
relating to compliance
with Regulation SCI.
Revised burden: Entities
that ``otherwise [cease]
to be an SCI entity'' are
required to comply with
the recordkeeping
requirements in this
section.
Rule 1006.......................... Rule 1006............. Rule Description: Require New SCI Entities.
submissions to the
Commission pursuant to
Regulation SCI to be made
electronically on Form SCI.
Rule 1007.......................... Rule 1007............. Rule Description: New SCI Entities.
Requirement that SCI
entities make available
records required to be
filed or kept under
Regulation SCI that are
prepared or maintained by
a service bureau or other
recordkeeping service on
behalf of the SCI entity.
----------------------------------------------------------------------------------------------------------------
B. Proposed Use of Information
The existing information collections and the proposed amendments
are used as described below:
1. Rule 1001 of Regulation SCI
Rule 1001(a)(1) of Regulation SCI requires each SCI entity to
establish, maintain, and enforce written policies and procedures
reasonably designed to ensure that their SCI systems and, for purposes
of security standards, indirect SCI systems, have levels of capacity,
integrity, resiliency, availability, and security adequate to maintain
their operational capability and promote the maintenance of fair and
orderly markets.\433\ Rule 1001(a)(2) of Regulation SCI requires that,
at a minimum, such policies and procedures include: current and future
capacity planning; periodic stress testing; systems development and
testing methodology; reviews and testing to identify vulnerabilities;
business continuity and disaster recovery planning (inclusive of backup
systems that are geographically diverse and designed to meet specified
recovery
[[Page 23202]]
time objectives); standards for market data collection, processing, and
dissemination; and monitoring to identify potential SCI events.\434\
Rule 1001(a)(3) of Regulation SCI requires that SCI entities
periodically review the effectiveness of these policies and procedures
and take prompt action to remedy any deficiencies.\435\ Rule 1001(a)(4)
of Regulation SCI provides that an SCI entity's policies and procedures
will be deemed to be reasonably designed if they are consistent with
current SCI industry standards, which is defined to be comprised of
information technology practices that are widely available to
information technology professionals in the financial sector and issued
by an authoritative body that is a U.S. governmental entity or agency,
association of U.S. governmental entities or agencies, or widely
recognized organization; \436\ however, Rule 1001(a)(4) of Regulation
SCI also makes clear that compliance with such ``current SCI industry
standards'' is not the exclusive means to comply with these
requirements.
---------------------------------------------------------------------------
\433\ See 17 CFR 242.1001(a)(1).
\434\ See 17 CFR 242.1001(a)(2).
\435\ See 17 CFR 242.1001(a)(3).
\436\ See 17 CFR 242.1001(a)(4).
---------------------------------------------------------------------------
Rule 1001(b) of Regulation SCI requires each SCI entity to
establish, maintain, and enforce written policies and procedures
reasonably designed to ensure that its SCI systems operate in a manner
that complies with the Exchange Act and the rules and regulations
thereunder and the entity's rules and governing documents, as
applicable, and specifies certain minimum requirements for such
policies and procedures.\437\ Rule 1001(c) of Regulation SCI requires
SCI entities to establish, maintain, and enforce reasonably designed
written policies and procedures that include the criteria for
identifying responsible SCI personnel, the designation and
documentation of responsible SCI personnel, and escalation procedures
to quickly inform responsible SCI personnel of potential SCI
events.\438\
---------------------------------------------------------------------------
\437\ See 17 CFR 242.1001(b).
\438\ See 17 CFR 242.1001(c).
---------------------------------------------------------------------------
The Commission is proposing revisions to Rule 1001(a)(2) and (4) of
Regulation SCI to include four additional elements in the policies and
procedures: (1) the maintenance of a written inventory of all SCI
systems, critical SCI systems, and indirect SCI systems, including a
lifecycle management program with respect to such systems; (2) a
program to manage and oversee third-party providers that includes an
initial and periodic review of contracts with third-party providers and
a risk-based assessment of each third-party provider's criticality to
the SCI entity; (3) a program to prevent unauthorized SCI system
access; and (4) identification of the SCI industry standard with which
such policies and procedures are consistent, if any. The Commission
also proposes to amend the existing requirements in Rule 1001(a)(2)(v)
for the BC/DR plan to include the requirement to maintain backup and
recovery capabilities that are reasonably designed to address the
unavailability of any third-party provider without which there would be
a material impact on any of its critical SCI systems.
The requirement to have a third-party provider management program
would help ensure that any third-party provider an SCI entity selects
is able to support the SCI entity's compliance with Regulation SCI's
requirements.
Additionally, the proposed revisions would ensure SCI entities are
creating an inventory of their SCI systems, critical SCI systems, and
indirect SCI systems and have a lifecycle management program for such
systems, which would ensure that SCI entities are able to identify when
a system becomes an SCI system or indirect SCI system and when it
ceases to be one. Next, the revisions would require SCI entities to
have in place a program to prevent unauthorized SCI system access. The
existing collections of information, which would be extended to new SCI
entities would advance the goals of promoting the maintenance of fair
an orderly markets and improving Commission review and oversight of
U.S. securities market infrastructure. The proposed additional
collections of information would advance these same goals.
2. Rule 1002 of Regulation SCI
Under Rule 1002 of Regulation SCI, SCI entities have certain
obligations regarding SCI events. Rule 1002(a) requires an SCI entity
to begin to take appropriate corrective action when any responsible SCI
personnel has a reasonable basis to conclude that an SCI event has
occurred. The corrective action must include, at a minimum, mitigating
potential harm to investors and market integrity resulting from the SCI
event and devoting adequate resources to remedy the SCI event as soon
as reasonably practicable.\439\ Rule 1002(b)(1) requires each SCI
entity to immediately notify the Commission of an SCI event.\440\ Under
17 CFR 242.1002(b)(2) (``Rule 1002(b)(2)''), each SCI entity is
required, within 24 hours of any responsible SCI personnel having a
reasonable basis to conclude that the SCI event has occurred, to submit
a written notification to the Commission pertaining to the SCI event
that includes a description of the SCI event and the system(s)
affected, with other information required to the extent available at
the time.\441\ Under 17 CFR 242.1002(b)(3) (``Rule 1002(b)(3)''), each
SCI entity is required to provide regular updates regarding the SCI
event until the event is resolved.\442\ Under 17 CFR 242.1002(b)(4)(i)
(``Rule 1002(b)(4)(i)''), each SCI entity is required to submit written
interim reports, as necessary, and a written final report regarding an
SCI event to the Commission.\443\ Under 17 CFR 242.1002(b)(4)(ii)
(``Rule 1002(b)(4)(ii)''), the information that is required to be
included in the interim and final written reports is set forth,
including the SCI entity's assessment of the types and number of market
participants affected by the SCI event and the impact of the SCI event
on the market, and a copy of any information disseminated pursuant to
Rule 1002(c) regarding the SCI event to the SCI entity's members or
participants. For any SCI event that ``has had, or the SCI entity
reasonably estimates would have, no or a de minimis impact on the SCI
entity's operations or on market participants,'' Rule 1002(b)(5)
provides an exception to the general Commission notification
requirements under Rule 1002(b) Instead, an SCI entity must make, keep,
and preserve records relating to all such SCI events, and submit a
quarterly report to the Commission regarding any such events that are
systems disruptions or systems intrusions. SCI events that are reported
immediately and later determined to have a de minimis impact may be
reclassified as de minimis.\444\
---------------------------------------------------------------------------
\439\ See 17 CFR 242.1002(a).
\440\ See 17 CFR 242.1002(b)(1).
\441\ See 17 CFR 242.1002(b)(2).
\442\ See 17 CFR 242.1002(b)(3).
\443\ See 17 CFR 242.1002(b)(4).
\444\ See 17 CFR 242.1002(b)(5).
---------------------------------------------------------------------------
Rule 1002(c) of Regulation SCI requires that SCI entities
disseminate information to their members or participants regarding SCI
events.\445\ Under 17 CFR 242.1002(c)(1)(i) (``Rule 1002(c)(1)(i)''),
each SCI entity is required, promptly after any responsible SCI
personnel has a reasonable basis to conclude that an SCI event (other
than a systems intrusion) has occurred, to disseminate certain
information to its members or participants. Under 17 CFR
242.1002(c)(1)(ii) (``Rule 1002(c)(1)(ii)''), each SCI entity is
required, when
[[Page 23203]]
known, to disseminate additional information about an SCI event (other
than a systems intrusion) to its members or participants promptly.
Under 17 CFR 242.1002(c)(1)(iii) (``Rule 1002(c)(1)(iii)''), each SCI
entity is required to provide to its members or participants regular
updates of any information required to be disseminated under Rule
1002(c)(1)(i) and (ii) until the SCI event is resolved. Rule 1002(c)(2)
requires each SCI entity to disseminate certain information regarding a
systems intrusion to its members or participants. For ``major SCI
events,'' these disseminations must be made to all of its members or
participants. For SCI events that are not ``major SCI events,'' SCI
entities must disseminate such information to those SCI entity members
and participants reasonably estimated to have been affected by the
event.\446\ In addition, dissemination of information to members or
participants is permitted to be delayed for systems intrusions if such
dissemination would likely compromise the security of the SCI entity's
systems or an investigation of the intrusion and documents the reasons
for such determination.\447\ Rule 1002(c)(4) of Regulation SCI provides
exceptions to the dissemination requirements under Rule 1002(c) of
Regulation SCI for SCI events to the extent they relate to market
regulation or market surveillance systems and SCI events that have had,
or the SCI entity reasonably estimates would have, no or a de minimis
impact on the SCI entity's operations or on market participants.\448\
Rule 1000 sets out the definition of systems intrusion, which means any
unauthorized entry into the SCI systems or indirect SCI systems of an
SCI entity.
---------------------------------------------------------------------------
\445\ See 17 CFR 242.1002(c).
\446\ See 17 CFR 242.1002(c)(3).
\447\ See 17 CFR 242.1002(c)(2).
\448\ See 17 CFR 242.1002(c)(4).
---------------------------------------------------------------------------
The Commission proposes to amend the definition of systems
intrusion in Rule 1000 to include cybersecurity events that disrupt, or
significantly degrade, the normal operation of an SCI system and
significant attempted unauthorized entries into the SCI systems or
indirect SCI systems of an SCI entity, as determined by the SCI entity
pursuant to established reasonable written criteria. SCI entities would
be required to report information concerning these systems intrusions
pursuant to Rule 1002(b). The Commission believes that it is
appropriate to expand the definition of systems intrusion to include
two additional types of cybersecurity events that are currently not
part of the current definition as described above. The additional
notifications that would result from the proposed revised definition of
systems intrusion would provide the Commission and its staff more
complete information to assess the security status of the SCI entity,
and also assess the impact or potential impact that unauthorized
activity could have on the security of the SCI entity's affected
systems as well on other SCI entities and market participants.
The proposed revisions to Rule 1002(b) would eliminate the de
minimis exception's applicability to systems intrusions, thus requiring
all systems intrusions, whether de minimis or non-de minimis, to be
reported pursuant to Rule 1002(b)(1) through (4). The Commission would
also amend the information required under Rule 1002(b)(4)(ii) to be
included in the interim and final written notifications to include a
copy of any information disseminated pursuant to Rule 1002(c) by an SCI
broker-dealer to its customers. The Commission would use this
information to be aware of potential and actual security threats to SCI
entities, including threats that may extend to other market
participants in the securities markets, including other SCI entities.
As a result of the amendment to the definition of systems
intrusions, SCI entities would be required to disseminate information
to members and participants pursuant to Rule 1002(c)(2) concerning
cybersecurity events not currently covered by the rule. This would have
the effect of increasing the number of SCI events that would be
required to be disseminated. Further, in connection with expansion of
Regulation SCI to SCI broker-dealers, amended Rule 1002(c)(3) would
require that SCI broker-dealers promptly disseminate information about
major SCI events to all of its customers and, for SCI events that are
not major SCI events, to customers that any responsible SCI personnel
subsequently reasonably estimates may have been affected by the SCI
event. Such information would be used by the SCI entity's members and
participants, and in the case of an SCI broker-dealer, its customers,
to understand better the threats faced by the SCI entity, evaluate the
event's impact on their trading or other business with the SCI entity
and formulate a response, thereby advance the Commission's goal of
promoting fair and orderly markets and investor protection. The
proposed revisions to Rule 1002(c), however, would exclude systems
intrusions that are significant attempted unauthorized entries into the
SCI systems or indirect SCI systems of an SCI entity from the
information dissemination requirements of Rule 1002(c)(1) through
(3).\449\
---------------------------------------------------------------------------
\449\ See proposed amended Rule 1002(c)(4).
---------------------------------------------------------------------------
3. Rule 1003 of Regulation SCI
Rule 1003(a) establishes reporting burdens for all SCI entities.
Rule 1003(a)(1) requires each SCI entity to submit to the Commission
quarterly reports describing completed, ongoing, and planned material
changes to its SCI systems and security of indirect SCI systems during
the prior, current, and subsequent calendar quarters, including the
dates or expected dates of commencement and completion.\450\ Under 17
CFR 242.1003(a)(2) (``Rule 1003(a)(2)''), each SCI entity is required
to promptly submit a supplemental report notifying the Commission of a
material error in or material omission from a report previously
submitted under Rule 1003(a)(1).
---------------------------------------------------------------------------
\450\ See 17 CFR 242.1003(a).
---------------------------------------------------------------------------
Rule 1003(b) of Regulation SCI also requires that an SCI entity
conduct an ``SCI review'' not less than once each calendar year.\451\
``SCI review'' is defined in Rule 1000 of Regulation SCI to mean a
review, following established procedures and standards, that is
performed by objective personnel having appropriate experience to
conduct reviews of SCI systems and indirect SCI systems, and which
review contains: (1) a risk assessment with respect to such systems of
an SCI entity; and (2) an assessment of internal control design and
effectiveness of its SCI systems and indirect SCI systems to include
logical and physical security controls, development processes, and
information technology governance, consistent with industry standards
Rule 1003(b)(2) requires each SCI entity to submit a report of the SCI
review to senior management no more than 30 calendar days after
completion of the review.\452\ Rule 1003(b) requires that penetration
test reviews of the network, firewalls, and production systems shall be
conducted at a frequency of not less than once every three years and
that assessments of SCI systems directly supporting market regulation
or market surveillance shall be conducted at a frequency based upon the
risk assessment conducted as part of the SCI review, but in no case
less than once every three years.\453\ Rule 1003(b)(2) requires that
the submission of a report of the SCI review to senior management of
the SCI entity for review no more than 30 calendar days after
completion
[[Page 23204]]
of such SCI review.\454\ Rule 1003(b)(3) requires each SCI entity to
submit the report of the SCI review to the Commission and to its board
of directors or the equivalent of such board, together with any
response by senior management, within 60 calendar days after its
submission to senior management.\455\
---------------------------------------------------------------------------
\451\ See 17 CFR 242.1003(b).
\452\ See 17 CFR 242.1003(b)(2).
\453\ See 17 CFR 242.1003(b)(1)(i) and (ii).
\454\ See 17 CFR 242.1003(b)(2).
\455\ See 17 CFR 242.1003(b)(3).
---------------------------------------------------------------------------
The Commission is proposing revisions to Rule 1003(b) and the
definition of SCI review. The Commission is proposing to increase the
frequency of penetration testing by SCI entities such that they are
conducted at least annually, rather than once every three years, and
that the penetration tests include any of the vulnerabilities of its
SCI systems and indirect SCI systems identified pursuant to Rule
1001(a)(2)(iv).\456\ The Commission would use this more frequent
information to have more up-to-date information regarding an SCI
entity's systems vulnerabilities and help the Commission with its
oversight of U.S. securities market technology infrastructure.
---------------------------------------------------------------------------
\456\ See 17 CFR 242.1000.
---------------------------------------------------------------------------
In addition, the Commission is proposing a number of revisions to
the requirements relating to SCI reviews and for the reports SCI
entities submit (both to their board of directors as well as to the
Commission). The definition of SCI review in Rule 1000 is proposed to
contain the substantive requirements for an SCI review, which would be
required to be ``a review, following established and documented
procedures and standards, that is performed by objective personnel
having appropriate experience to conduct reviews of SCI systems and
indirect SCI systems . . .'' \457\ The Commission proposes to amend the
definition of SCI review in Rule 1000 to require that the SCI review:
(1) use appropriate risk management methodology, (2) include third-
party provider management risks and controls, (3) include the risks
related to the capacity, integrity, resiliency, availability, and
security, and (4) include systems capacity and availability and
information technology service continuity within the review of internal
control design and operating effectiveness.\458\
---------------------------------------------------------------------------
\457\ See id.
\458\ See id.
---------------------------------------------------------------------------
The Commission also proposes to amend Rule 1003(b)(2) to require
that the SCI review be conducted in each calendar year during which the
entity was an SCI entity for any part of that calendar year and that
the SCI entity submit the associated report of the SCI review to the
SCI entity's senior management and board, as well as to the
Commission.\459\ The Commission proposes amend Rule 1003(b)(2) to
specify that certain elements be included in the report of the SCI
review, namely: (1) the dates the SCI review was conducted and the date
of completion; (2) the entity or business unit of the SCI entity
performing the review; (3) a list of the controls reviewed and a
description of each such control; (4) the findings of the SCI review
with respect to each SCI system and indirect SCI system, which shall
include, at a minimum, assessments of: the risks related to the
capacity, integrity, resiliency, availability, and security; internal
control design and operating effectiveness; and an assessment of third-
party provider management risks and controls; (5) a summary, including
the scope of testing and resulting action plan, of each penetration
test review conducted as part of the SCI review; and (6) a description
of each deficiency and weakness identified by the SCI review.\460\ The
Commission also proposes to amend Rule 1003(b)(3) to require a response
to the report of the SCI review from senior management and to require
that the date the report was submitted to senior management be
submitted to the Commission and the board of directors, and that the
response from senior management include a response for each deficiency
and weakness identified by the SCI review, and the associated
mitigation and remediation plan and associated dates for each.\461\
---------------------------------------------------------------------------
\459\ See 17 CFR 242.1003(b)(2) and (3).
\460\ See 17 CFR 242.1003(b)(2).
\461\ See 17 CFR 242.1003(b)(3).
---------------------------------------------------------------------------
The additional requirements and details are designed to ensure SCI
reviews contain certain baseline information and are based on the
appropriate risk management methodology. The enhanced SCI review and
corresponding report would provide the Commission and its staff greater
insight into the SCI entity's compliance with Regulation SCI and would
more thoroughly assist the staff in determining how to follow up with
the SCI entity in reviewing and addressing any identified weaknesses
and vulnerabilities. The Commission would use this additional reporting
and information to improve the Commission's oversight of the technology
infrastructure of SCI entities further.
4. Rule 1004 of Regulation SCI
Rule 1004 of Regulation SCI requires SCI entities to, with respect
to an SCI entity's business continuity and disaster recovery plans,
including its backup systems: (a) establish standards for the
designation of those members or participants that the SCI entity
reasonably determines are, taken as a whole, the minimum necessary for
the maintenance of fair and orderly markets in the event of the
activation of such plans; (b) designate members or participants
pursuant to such standards and require participation by such designated
members or participants in scheduled functional and performance testing
of the operation of such plans, in the manner and frequency specified
by the SCI entity, provided that such frequency shall not be less than
once every 12 months; and (c) coordinate the testing of such plans on
an industry- or sector-wide basis with other SCI entities.\462\
---------------------------------------------------------------------------
\462\ See 17 CFR 242.1003(b)(4).
---------------------------------------------------------------------------
The Commission is proposing to include certain third-party
providers in the BC/DR testing requirements of Rule 1004. Specifically,
an SCI entity would be required to establish standards for the
designation of third-party providers (in addition to members or
participants) that it determines are, taken as a whole, the minimum
necessary for the maintenance of fair and orderly markets in the event
of the activation of the SCI entity's BC/DR plans. In addition, Rule
1004 would require each SCI entity to designate such third-party
providers (in addition to members or participants) pursuant to such
standards and require their participation in the scheduled functional
and performance testing of the operation of such BC/DR plans.\463\
---------------------------------------------------------------------------
\463\ See id.
---------------------------------------------------------------------------
The Commission believes that the requirement that SCI entities
establish standards that require designated third-party providers to
participate in the testing of their business continuity and disaster
recovery plans will help reduce the risks associated with an SCI
entity's decision to activate its BC/DR plans and help to ensure that
such plans operate as intended, if activated. The testing participation
requirement should help an SCI entity to ensure that its efforts to
develop effective BC/DR plans are not undermined by a lack of
participation by third-party providers that the SCI entity believes are
necessary to the successful activation of such plans. This requirement
should also assist the Commission in maintaining fair and orderly
markets in a BC/DR scenario following a wide-scale disruption.
[[Page 23205]]
5. Rule 1005 and 1007 of Regulation SCI
Rule 1005 of Regulation SCI requires SCI entities to make, keep,
and preserve certain records related to their compliance with
Regulation SCI.\464\ Rule 1007 sets forth requirements for a SCI entity
whose Regulation SCI records are prepared or maintained by a service
bureau or other recordkeeping service on behalf of the SCI entity.\465\
---------------------------------------------------------------------------
\464\ See 17 CFR 242.1005. Rule 1005(a) of Regulation SCI
relates to recordkeeping provisions for SCI SROs, whereas Rule
1005(b) relates to the recordkeeping provision for SCI entities
other than SCI SROs.
\465\ See 17 CFR 242.1007.
---------------------------------------------------------------------------
Rule 1005(c) specifies that the requirement that records required
to be made, kept, and preserved by Rule 1005 be accessible to the
Commission and its representatives for the period required by Rule
1005, in cases where an SCI entity ceases to do business or ceases to
be registered under the Exchange Act.\466\ The Commission proposes to
add that this survival provision similarly applies to an SCI entity
that ``otherwise [ceases] to be an SCI entity.'' \467\ This addition
accounts for circumstances not expressly covered; specifically, the
circumstance in which an SCI entity continues to do business or remains
a registered entity, but may cease to qualify as an SCI entity (e.g.,
an SCI ATS that no longer satisfies a volume threshold). Such entities
would not be excepted from complying with the recordkeeping provisions
of Rule 1005.
---------------------------------------------------------------------------
\466\ See 17 CFR 242.1005(c).
\467\ See id.
---------------------------------------------------------------------------
The Commission believes the records of entities that ceased being
SCI entities are important for assisting the Commission and its staff
in understanding whether such an SCI entity met its obligations under
Regulation SCI, assessing whether such an SCI entity had appropriate
policies and procedures with respect to its technology systems, helping
to identify the causes and consequences of an SCI event, and
understanding the types of material systems changes that occurred at
such an SCI entity. The Commission expects this revision to facilitate
the Commission's inspections and examinations of SCI entities that have
ceased to be SCI entities and assist it in evaluating such SCI entity's
previous compliance with Regulation SCI. Furthermore, having an SCI
entity's records available even after it has ceased to be an SCI entity
should provide an additional tool to help the Commission to reconstruct
important market events and better understand the impact of such
events. There are no amendments to Rule 1007, which sets forth
requirements for a SCI entity whose Regulation SCI records are prepared
or maintained by a service bureau or other recordkeeping service on
behalf of the SCI entity.
6. Rule 1006 of Regulation SCI
Rule 1006 requires each SCI entity, with a few exceptions, to file
any notification, review, description, analysis, or report to the
Commission required under Regulation SCI electronically on Form
SCI.\468\ There are no amendments to this section. The Commission staff
would use the collection of information in its examination and
oversight program in identifying patterns and trends across
registrants.
---------------------------------------------------------------------------
\468\ See 17 CFR 242.1003(b)(6).
---------------------------------------------------------------------------
C. Respondents
The collection of information requirements contained in Regulation
SCI apply to SCI entities. As of 2021, there were an estimated 47
Current SCI Entities (i.e., entities that met the definition of SCI
entity) \469\ that were subject to the requirements of Regulation
SCI.\470\ The Commission preliminarily estimates that as a result of
the proposed amendments to Rule 1000, there would be a total of 23 New
SCI Entities (i.e., meet the amended definition of SCI entity) that
would become subject to the requirements of Regulation SCI. Thus, the
Commission preliminarily estimates that a total of 70 entities would be
subject to the requirements of Regulation SCI. The Commission
preliminarily believes that the remaining amendments would not add any
additional respondents but would result in additional reporting
burdens, which are discussed in section IV.D (Total Initial and Annual
Reporting Burdens).
---------------------------------------------------------------------------
\469\ In 2020, the Commission amended Regulation SCI to add as
SCI entities SCI competing consolidators, defined as competing
consolidators that exceed a five percent consolidated market data
gross revenue threshold over a specified time period. See Market
Data Infrastructure Adopting Release, supra note 24. The Commission
estimated that seven persons would meet the definition of SCI
competing consolidator and be subject to Regulation SCI, two of
which would be Current SCI Entities (as plan processors) and five of
which would be new SCI competing consolidators, if they registered
as competing consolidators and exceeded the threshold. See Extension
Without Change of a Currently Approved Collection: Regulation SCI
and Form SCI; ICR Reference No. 202111-3235-005; OMB Control No.
3235-0703 (Mar. 3, 2022), available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202111-3235-005 (``2022 PRA
Supporting Statement''). Currently, no competing consolidators have
registered with the Commission. As a result, no competing
consolidators (in addition to the two current plan processors that
are Current SCI Entities) are included as Current SCI Entities. To
the extent that a competing consolidator registers with the
Commission and qualifies as an SCI competing consolidator it would
be subject to the same additional burdens as Current SCI Entities as
a result of the proposed amendments to Regulation SCI. The
additional burdens for Current SCI Entities are set forth in section
IV.D.
\470\ Proposed Collection; Comment Request; Extension:
Regulation SCI, Form SCI; SEC File No. 270-653, OMB Control No.
3235-0703, 87 FR 3132.
---------------------------------------------------------------------------
The following table summarizes the estimated number of Current SCI
Entities and New SCI Entities:
------------------------------------------------------------------------
Type of SCI entity Number
------------------------------------------------------------------------
Current SCI Entities.................................... 47
New SCI Entities:
SBSDR \1\........................................... 3
SCI broker-dealers \2\.............................. 17
Exempt Clearing Agencies \3\........................ 3
---------------
Total New SCI Entities.......................... 23
---------------
Total SCI Entities.............................. 70
------------------------------------------------------------------------
\1\ See supra notes 118, 124 and accompanying text. As noted earlier,
two SBSDRs are currently registered with the Commission. The
Commission estimates for purposes of the PRA that one additional
entity may seek to register as an SBSDR in the next three years, and
so for purposes of this proposal the Commission has assumed three
SBSDR respondents.
\2\ See supra note 219 and accompanying text.
\3\ See supra notes 240 and accompanying text. As noted earlier, the
Commission proposes to expand the scope of ``SCI entity'' to cover two
additional exempt clearing agencies that are not subject to ARP, which
are Euroclear Bank SA/NV and Clearstream Banking, S.A. The Commission
estimates for purposes of the PRA that one additional entity may
receive an exemption from registration as a clearing agency in the
next three years, and so for purposes of this proposal the Commission
has assumed three exempt clearing agency respondents.
[[Page 23206]]
D. Total Initial and Annual Reporting Burdens
As stated above, each requirement to disclose information, offer to
provide information, or adopt policies and procedures constitutes a
collection of information requirement under the PRA. We discuss below
the collection of information burdens associated with the proposed
rules and rule amendments.
1. Rule 1001
The rules under Regulation SCI that would require an SCI entity to
establish policies and procedures are discussed more fully in sections
II.B, and the proposed amendments are discussed more fully in sections
III.A and III.C above.
a. Rule 1001(a)
Current SCI Entities are already required to establish, maintain,
and enforce policies and procedures pursuant to Rule 1001(a) and
therefore already incur baseline initial \471\ and ongoing burden \472\
for complying with Rule 1001(a), so the amendments should only impose a
burden required to comply with the additional requirements.\473\
Presently, none of the New SCI Entities are required to comply with the
policies and procedures requirement of Rule 1001(a), but the proposed
amendments will newly impose the baseline burden to develop and draft
written policies and procedures and review and update annually such
policies and procedures, as well as the additional burden to include
the proposed requirements in the policies and procedures. The
Commission estimates an initial compliance burden of 386 additional
hours \474\ for Current SCI Entities and 890 hours \475\ for New SCI
Entities. The Commission estimates an annual compliance burden of 58
hours \476\ for Current SCI Entities and 145 hours \477\ for New SCI
Entities.\478\ The table below summarizes the initial and ongoing
annual burden estimates for Current SCI Entities and New SCI Entities:
---------------------------------------------------------------------------
\471\ The Commission's currently approved baseline for average
compliance burden per SCI entity to develop and draft the policies
and procedures required by Rule 1001(a) (except for 17 CFR
242.1001(a)(2)(vi) (``Rule 1001(a)(2)(vi)'')) is 534 hours. See
Extension Without Change of a Currently Approved Collection:
Regulation SCI and Form SCI; ICR Reference No. 202111-3235-005; OMB
Control No. 3235-0703 (Mar. 3, 2022), available at https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=202111-3235-005
(``2022 PRA Supporting Statement''). Rule 1001(a)(2) currently
requires six elements (excluding Rule 1001(a)(2)(vi)) to be included
in the policies and procedures required by Rule 1001(a)(1). The
burden hours for each element would be 89 hours per policy element
(534 hours/6 policy elements).
\472\ The Commission's currently approved baseline for average
compliance burden per SCI entity to review and update the policies
and procedures required by Rule 1001(a) (except for Rule
1001(a)(2)(vi)) is 87 hours. See 2022 PRA Supporting Statement,
supra note 471. The burden hours for each element would be 14.5
hours per policy element (87 hours/6 policy elements).
\473\ The Commission estimates that at the additional burden
would be the result of the additions to Rule 1001(a)(2),
specifically the proposed requirement in the BC/DR plan and the four
proposed additional policy elements. The Commission does not
anticipate that Current SCI Entities or New SCI Entities would incur
any additional burden from the amendment to Rule 1001(a)(4) above
and beyond the burden hours estimated for the policies and
procedures in this release.
\474\ 89 hours x 4 additional policy elements = 356 hours. The
Commission estimates a one-time burden of 30 hours (one-third of 89
hours per policy element) for SCI entities to address the
unavailability of third-party providers in their BC/DR plans. 356
hours + 30 hours = 386 hours. The burden hours include 139
Compliance Manager hours, 139 Attorney hours, 43 Senior System
Analyst hours, 43 Operations Specialist hours, 15 Chief Compliance
Officer hours, and 7 Director of Compliance hours.
\475\ 534 baseline burden hours + 356 additional burden hours =
890 hours. The burden hours include 320 Compliance Manager hours,
320 Attorney hours, 100 Senior System Analyst hours, 100 Operations
Specialist hours, 33 Chief Compliance Officer hours, and 17 Director
of Compliance hours.
\476\ 14.5 hours x 4 additional policy elements = 58 hours. The
burden hours include 19 Compliance Manager hours, 19 Attorney hours,
5 Senior System Analyst hours, 5 Operations Specialist hours, 7
Chief Compliance Officer hours, and 3 Director of Compliance hours.
\477\ 87 baseline burden hours + 58 additional burden hours =
145 hours. The burden hours include 47 Compliance Manager hours, 47
Attorney hours, 13 Senior System Analyst hours, 13 Operations
Specialist hours, 17 Chief Compliance Officer hours, and 8 Director
of Compliance hours.
\478\ The Commission recognizes that the some of the Regulation
SCI requirements and certain proposed requirements in the Exchange
Act Cybersecurity Proposal rule may appear duplicative. The
Commission believes that although the requirements are related, they
are ultimately separate obligations. Thus, the Commission has not
considered the requirements of the Exchange Act Cybersecurity
Proposal rule in formulating its estimates.
----------------------------------------------------------------------------------------------------------------
Estimated burden
hours for all
Estimated Burden hours entities (estimated
Respondent type Burden type respondents per entity respondents x
(entities) (hours) burden hours per
entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities............... Initial.............. 47 386 18,142
Annual............... 47 58 2,726
New SCI Entities................... Initial.............. 23 890 20,470
Annual............... 23 145 3,335
----------------------------------------------------------------------------------------------------------------
The table below summarizes the Commission's estimates for the
average internal cost of compliance for Current SCI Entities and New
SCI Entities:
----------------------------------------------------------------------------------------------------------------
Total internal cost
of compliance
Estimated Average internal (estimated
Respondent type Burden type respondents cost of compliance respondents x
(entities) per entity average internal
cost of compliance
per entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities........... Initial.......... 47 \1\ $144,787 $6,804,989
Annual........... 47 \2\ 23,403 1,099,941
New SCI Entities............... Initial.......... 23 \3\ 333,371 7,667,533
[[Page 23207]]
Annual........... 23 \4\ 58,315 1,341,245
----------------------------------------------------------------------------------------------------------------
\1\ (139 Compliance Manager hours x $344) + (139 Attorney hours x $462) + (43 Senior Systems Analyst hours x
$316) + (43 Operations Specialist hours x $152) + (15 Chief Compliance Officer hours x $589) + (7 Director of
Compliance hours x $542) = $144,787. The Commission derived this estimate based on per hour figures from
SIFMA's Management & Professional Earnings in the Securities Industry 2013, modified by Commission staff to
account for an 1,800-hour work-year and inflation, and multiplied by 5.35 to account for bonuses, firm size,
employee benefits, and overhead.
\2\ (19 Compliance Manager hours x $344) + (19 Attorney hours x $462) + (5 Senior Systems Analyst hours x $316)
+ (5 Operations Specialist hours x $152) + (7 Chief Compliance Officer hours x $589) + (3 Director of
Compliance hours x $542) = $23,403.
\3\ (320 Compliance Manager hours x $344) + (320 Attorney hours x $462) + (100 Senior Systems Analyst hours x
$316) + (100 Operations Specialist hours x $152) + (33 Chief Compliance Officer hours x $589) + (17 Director
of Compliance hours x $542) = $333,371.
\4\ (47 Compliance Manager hours x $344) + (47 Attorney hours x $462) + (13 Senior Systems Analyst hours x $316)
+ (13 Operations Specialist hours x $152) + (17 Chief Compliance Officer hours x $589) + (8 Director of
Compliance hours x $542) = $58,315.
The proposed amendments would newly impose a burden on New SCI
Entities to comply with Rule 1001(a)(2)(vi), which requires the
policies and procedures required by Rule 1001(a) to include standards
that result in systems being designed, developed, tested, maintained,
operated, and surveilled in a manner that facilitates the successful
collection, processing, and dissemination of market data.\479\ The
Commission estimates that New SCI Entities would incur an initial
burden of 160 hours and an ongoing burden of 145 hours to annually
review and update the policies and procedures.\480\ The table below
summarizes the initial and ongoing annual burden estimates for New SCI
Entities to comply with Rule 1001(a)(2)(vi):
---------------------------------------------------------------------------
\479\ Current SCI Entities would incur no additional burden as
they are already required to include the required standards in their
policies and procedures.
\480\ These estimates are consistent with the Commission-
approved baseline initial and ongoing average compliance burdens per
SCI entity. See 2022 PRA Supporting Statement, supra note 471. The
160 hour initial burden includes 100 Compliance Manager hours, 20
Chief Compliance Officer hours, 10 Director of Compliance hours, and
30 Compliance Attorney hours. The 145 annual burden hours includes
100 Compliance Manager hours, 10 Chief Compliance Officer hours, 5
Director of Compliance hours, and 30 Compliance Attorney hours.
----------------------------------------------------------------------------------------------------------------
Estimated burden
hours for all
Estimated Burden hours entities (estimated
Respondent type Burden type respondents per entity respondents x
(entities) burden hours per
entity)
----------------------------------------------------------------------------------------------------------------
New SCI Entities................... Initial.............. 23 160 3,680
Annual............... 23 145 3,335
----------------------------------------------------------------------------------------------------------------
The table below summarizes the Commission's estimates for the
average internal cost of compliance for New SCI Entities:
----------------------------------------------------------------------------------------------------------------
Total internal cost
of compliance
Estimated Average internal (estimated
Respondent type Burden type respondents cost of compliance respondents x
(entities) per entity average internal
cost of compliance
per entity)
----------------------------------------------------------------------------------------------------------------
New SCI Entities................ Initial........... 23 \1\ $60,980 $1,402,540
Annual............ 23 \2\ 52,380 1,204,740
----------------------------------------------------------------------------------------------------------------
\1\ (100 Senior Systems Analyst hours x $316) + (20 Chief Compliance Officer hours x $589) + (10 Director of
Compliance hours x $542) + (30 Compliance Attorney hours x $406) = $60,980.
\2\ (100 Senior Systems Analyst hours x $316) + (10 Chief Compliance Officer hours x $589) + (5 Director of
Compliance hours x $542) + (30 Compliance Attorney hours x $406) = $52,380.
[[Page 23208]]
The Commission estimates that on average, Current SCI Entities
would seek outside legal and/or consulting services to initially update
their policies and procedures for the proposed additional requirements
at a cost of $29,050 per SCI entity,\481\ while New SCI Entities would
seek such services in the initial preparation of the policies and
procedures (including the proposed requirements) at a cost of $73,800
per SCI entity.\482\
---------------------------------------------------------------------------
\481\ The Commission's currently approved baseline for
annualized recordkeeping cost per SCI entity to consult outside
legal and/or consulting services in the initial preparation policies
and procedures required by Rule 1001(a) is $47,000. See 2022 PRA
Supporting Statement, supra note 471. Rule 1001(a)(2) currently
requires seven elements (including Rule 1001(a)(2)(vi)) to be
included in the policies and procedures required by Rule 1001(a)(1).
The cost per element would be approximately $6,700 per policy
element ($47,000 hours/7 policy elements = $6,714). As noted
earlier, the Commission proposes to add four additional elements to
the policies and procedures. $6,700 per policy element x 4
additional policy elements = $26,800. The Commission also estimates
a one-time burden of approximately $2,250 per SCI entity (one-third
of $6,700 per policy element) to address the unavailability of
third-party providers in their BC/DR plans. $26,800 + $2,250 =
$29,050.
\482\ $47,000 + $26,800 = $73,800.
----------------------------------------------------------------------------------------------------------------
Total internal cost
of compliance
Estimated Average external (estimated
Respondent type respondents cost per entity respondents x
(entities) average external
cost per entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities................................ 47 $29,050 $1,365,350
New SCI Entities.................................... 23 73,800 1,697,400
----------------------------------------------------------------------------------------------------------------
b. Rule 1001(b)
New SCI Entities would be required to meet the requirements of Rule
1001(b), which requires each SCI entity to establish, maintain, and
enforce systems compliance policies. The Commission estimates a
compliance burden of 270 hours initially to design the systems
compliance policies and procedures and 95 hours annually to review and
update such policies and procedures.\483\ The table below summarizes
the initial and ongoing annual burden estimates for New SCI Entities to
comply with Rule 1001(b):
---------------------------------------------------------------------------
\483\ The Commission estimates that the burden for New SCI
Entities is consistent with the Commission's current approved
baselines for the initial and ongoing burdens. For the initial
recordkeeping burden, this baseline is 270 hours (40 Compliance
Attorney hours + 200 Senior System Analyst hours + 20 Chief
Compliance Officer hours + 10 Director of Compliance hours). The
Commission estimated separate baselines for the ongoing
recordkeeping burden for SCI SROs and entities that were not SROs.
Since none of the entities that would potentially be subject to
Regulation SCI as a result of the proposed amendments are SROs, the
Commission is basing its estimates on the baseline for non-SROs. The
Commission's current approved baseline for the ongoing recordkeeping
burden for entities that are not SROs is 95 hours (14 Compliance
Attorney hours + 66 Senior System Analyst hours + 10 Chief
Compliance Officer hours + 5 Director of Compliance hours). See 2022
PRA Supporting Statement, supra note 471.
----------------------------------------------------------------------------------------------------------------
Estimated burden
hours for all
Respondent type Burden type Estimated Burden hours per entities (estimated
respondents entity respondents x burden
hours per entity)
----------------------------------------------------------------------------------------------------------------
New SCI Entities................ Initial........... 23 270 6,210
Annual............ 23 95 2,185
----------------------------------------------------------------------------------------------------------------
The table below summarizes the Commission's estimates for the
average internal cost of compliance for New SCI Entities:
----------------------------------------------------------------------------------------------------------------
Total internal cost
of compliance
Estimated Average internal (estimated
Respondent type Burden type respondents cost of compliance respondents x
(entities) per entity average internal
cost of compliance
per entity)
----------------------------------------------------------------------------------------------------------------
New SCI Entities................ Initial........... 23 \1\ $96,640 $2,222,720
Annual............ 23 \2\ 35,140 808,220
----------------------------------------------------------------------------------------------------------------
\1\ (200 Senior Systems Analyst hours x $316) + (20 Chief Compliance Officer hours x $589) + (10 Director of
Compliance hours x $542) + (40 Compliance Attorney hours x $406) = $96,640.
\2\ (66 Senior Systems Analyst hours x $316) + (10 Chief Compliance Officer hours x $589) + (5 Director of
Compliance hours x $542) + (14 Compliance Attorney hours x $406) = $35,140.
In establishing, maintaining, and enforcing the policies and
procedures required by Rule 1001(b), the Commission believes that each
new SCI entity will seek outside legal and/or consulting services in
the initial preparation of such policies and procedures. The total
annualized cost of seeking outside legal and/or consulting services
will be $621,000.\484\
---------------------------------------------------------------------------
\484\ The Commission estimates that the cost for outside legal
and/or consulting services for New SCI Entities is consistent with
the Commission's current approved baselines, which is $27,000 per
new SCI entity. See 2022 PRA Supporting Statement, supra note 471.
$27,000 for the first year x 23 New SCI Entities = 621,000.
---------------------------------------------------------------------------
c. Rule 1001(c)
The proposed amendments would newly impose a burden on New SCI
Entities to develop and maintain policies with Rule 1001(c), relating
to
[[Page 23209]]
the policies for designation of responsible SCI personnel. The
Commission estimates a compliance burden of 114 hours initially to
design the systems compliance policies and procedures and 39 hours
annually to review and update such policies and procedures.\485\ The
table below summarizes the initial and ongoing annual burden estimates
for New SCI Entities to comply with Rule 1001(b):
---------------------------------------------------------------------------
\485\ The Commission's current approved baseline 114 hours for
the initial burden to establish the criteria for identifying
responsible SCI personnel and the escalation procedures (32
Compliance Manager hours + 32 Attorney hours x $412 + 10 Senior
Systems Analyst hours x $282 + 10 Operations Specialist hours x $135
+ 20 Chief Compliance Officer hours x $526 + 10 Director of
Compliance). The Commission's approved baseline is 39 hours for the
ongoing burden to annually review and update the criteria and the
escalation procedures (9.5 Compliance Manager hours + 9.5 Attorney
hours + 2.5 Senior Systems Analyst hours + 2.5 Operations Specialist
hours + 10 Chief Compliance Officer hours + 5 Director of Compliance
hours). See 2022 PRA Supporting Statement, supra note 471.
----------------------------------------------------------------------------------------------------------------
Estimated burden
hours for all
Respondent type Burden type Estimated Burden hours entities (estimated
respondents per entity respondents x burden
hours per entity)
----------------------------------------------------------------------------------------------------------------
New SCI Entities................... Initial.............. 23 114 2,622
Annual............... 23 39 897
----------------------------------------------------------------------------------------------------------------
The table below summarizes the Commission's estimates for the
average internal cost of compliance for New SCI Entities:
----------------------------------------------------------------------------------------------------------------
Total internal cost
of compliance
Estimated Average internal (estimated
Respondent type Burden type respondents cost of compliance respondents x
(entities) per entity average internal
cost of compliance
per entity)
----------------------------------------------------------------------------------------------------------------
New SCI Entities................ Initial........... 23 \1\ $47,672 $1,096,456
Annual............ 23 \2\ 17,427 400,821
----------------------------------------------------------------------------------------------------------------
\1\ (32 Compliance Manager hours x 344) + (32 Attorney hours x $462) + (10 Senior Systems Analyst hours x $316)
+ (10 Operations Specialist hours x $152) + (20 Chief Compliance Officer hours x $589) + (10 Director of
Compliance hours x $542) = $47,672.
\2\ (9.5 Compliance Manager hours x $344) + (9.5 Attorney hours x $462) + (2.5 Senior Systems Analyst hours x
$316) + (2.5 Operations Specialist hours x $152) + (10 Chief Compliance Officer hours x $589) + (5 Director of
Compliance hours x $542) = $17,427.
The Commission does not expect SCI entities to incur any external
PRA costs in connection with the policies and procedures required under
Rule 1001(c).
2. Rule 1002
The rules under Regulation SCI that would require an SCI entity to
take corrective action, provide certain notifications and reports, and
disseminate certain information regarding SCI events are discussed more
fully in sections II.B, and the proposed amendments are discussed more
fully in sections III.A and III.C above.
a. Rule 1002(a)
As noted above, Rule 1002(a) requires each SCI entity, upon any
responsible SCI personnel having a reasonable basis to conclude that an
SCI event has occurred, to begin to take appropriate corrective action.
The Commission has previously expressed the view that Rule 1002(a)
would likely result in SCI entities developing and revising their
processes for corrective action.\486\ The Commission believes that the
requirement to take corrective action for these additional systems
intrusions would likely result in SCI entities updating their processes
for corrective action.\487\
---------------------------------------------------------------------------
\486\ See 2022 PRA Supporting Statement, supra note 471.
\487\ The Commission's estimate includes the amendments to the
definition of systems intrusions adding (1) cybersecurity events
that disrupt, or significantly degrade, the normal operation of an
SCI system and (2) significant attempted unauthorized entries into
the SCI systems or indirect SCI systems of an SCI entity. It does
not include the systems intrusions that would previously have been
classified as de minimis events because Current SCI Entities are
already required to take corrective action to resolve such SCI
events.
---------------------------------------------------------------------------
The Commission continues to believe that Rule 1002(a) will likely
result in SCI entities developing and revising their processes for
corrective action as well as review them annually.\488\ Current SCI
Entities are already required to take corrective action pursuant to
Rule 1002(a) and therefore already incur the initial \489\ and ongoing
\490\ baseline burdens for developing and revising their corrective
action process, so the amendments should only impose a one-time burden
required to update the procedures to account for the additional types
of systems intrusions.\491\ The Commission estimates that the one-time
burden for each SCI entity to include in its corrective action process
the proposed systems intrusions would be 20% of the 114 hours baseline
[[Page 23210]]
burden.\492\ Presently, the New SCI Entities are not required to comply
with requirement in Rule 1002(a) to take corrective action, but the
proposed amendments will newly impose these burdens, including the
burden for incorporating the additional systems intrusions into the
corrective action process. For Current SCI Entities, the Commission
estimates a one-time compliance burden of 23 hours. For New SCI
Entities, the Commission estimates an initial burden of 137 hours \493\
and an annual compliance burden of 39 hours \494\ for New SCI Entities.
The table below summarizes the initial and ongoing annual burden
estimates for Current SCI Entities and New SCI Entities:
---------------------------------------------------------------------------
\488\ See 2022 PRA Supporting Statement, supra note 471.
\489\ The Commission's currently approved baseline for average
compliance burden per respondent to develop a process for corrective
action is 114 hours (32 Compliance Manager hours + 32 Attorney hours
+ 10 Senior Systems Analyst hours + 10 Operations Specialist hours +
20 Chief Compliance Officer hours + 10 Director of Compliance
hours). See 2022 PRA Supporting Statement, supra note 471.
\490\ The average compliance burden for each SCI entity to
review their process is 39 hours (9 Compliance Manager hours + 9
Attorney hours + 3 Senior Systems Analyst hours + 3 Operations
Specialist hours + 10 Chief Compliance Officer hours + 5 Director of
Compliance hours. See 2022 PRA Supporting Statement, supra note 471.
\491\ The Commission also proposes to remove the option for SCI
entities to classify systems intrusions as de minimis and
potentially report them pursuant to Rule 1002(b)(5) on the quarterly
SCI reports as de minimis events. SCI entities would instead report
these systems intrusions pursuant to Rule 1002(b)(1) through (4).
The Commission believes that the burden for developing a corrective
action plan for these systems intrusions is already incorporated in
the baseline burden estimates. See supra notes 489-490.
\492\ 114 hours x 0.20 = 23 hours. The burden hours include 7
Compliance Manager hours, 6 Attorney hours, 2 Senior Systems Analyst
hours, 2 Operations Specialist hours, 4 Chief Compliance Officer
hours, and 2 Director of Compliance hours.
\493\ 114 baseline burden hours + 23 burden hours for additional
systems intrusions = 137 hours. The burden hours include 39
Compliance Manager hours, 38 Attorney hours, 12 Senior Systems
Analyst hours, 12 Operations Specialist hours, 24 Chief Compliance
Officer hours, and 12 Director of Compliance hours.
\494\ The Commission estimates that the ongoing recordkeeping
burden for each New SCI Entity to review its corrective action
process would be the same as the baseline ongoing recordkeeping
burden of 39 hours. See supra note 490.
----------------------------------------------------------------------------------------------------------------
Burden hours for all
respondents
Estimated Burden hours (estimated
Respondent type Burden type respondents per SCI entity respondents x burden
hours per SCI
entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities............... One-time Burden...... 47 23 1,081
New SCI Entities................... Initial.............. 23 137 3,151
Ongoing.............. 39 897
----------------------------------------------------------------------------------------------------------------
The table below summarizes the Commission's estimates for the cost
of compliance for Current SCI Entities and New SCI Entities:
----------------------------------------------------------------------------------------------------------------
Total internal cost
of compliance
Average internal (estimated
Respondent type Burden type Estimated cost of compliance respondents x
respondents per entity average internal
cost of compliance
per entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities............ One-time Burden... 47 \1\ $9,556 $449,132
New SCI Entities................ Initial........... 23 \2\ 57,228 1,316,244
Ongoing........... \3\ 17,258 396,934
----------------------------------------------------------------------------------------------------------------
\1\ (7 Compliance Manager hours x 344) + (6 Attorney hours x $462) + (2 Senior Systems Analyst hours x $316) +
(2 Operations Specialist hours x $152) + (4 Chief Compliance Officer hours x $589) + (2 Director of Compliance
hours x $542) = $9,556.
\2\ (39 Compliance Manager hours x 344) + (38 Attorney hours x $462) + (12 Senior Systems Analyst hours x $316)
+ (12 Operations Specialist hours x $152) + (24 Chief Compliance Officer hours x $589) + (12 Director of
Compliance hours x $542) = $57,228.
\3\ (9 Compliance Manager hours x 344) + (9 Attorney hours x $462) + (3 Senior Systems Analyst hours x $316) +
(3 Operations Specialist hours x $152) + (10 Chief Compliance Officer hours x $589) + (5 Director of
Compliance hours x $542) = $17,258.
The Commission does not expect SCI entities to incur any external
PRA costs in connection with the requirement to take corrective actions
under Rule 1002(a).
b. Rule 1002(b)(1) Through (4)
As noted earlier, SCI entities have certain reporting obligations
regarding SCI events. Current SCI Entities are already required to
submit the notifications, updates, and reports required by Rule
1002(b)(1) through (4) and therefore already incur a baseline burden.
As a result of the additional systems intrusions, including the
amendments to the definition of systems intrusions and the exclusion of
systems intrusions from de minimis SCI events required to be reported
to the Commission, Current SCI Entities could potentially incur new
burdens pursuant to Rule 1002(b)(1) through (4) reporting additional
SCI events for which they currently either do not report or which they
currently report quarterly as de minimis. As proposed, New SCI Entities
would for the first time be required to provide the submissions
required by Rule 1002(b)(1) through (4) and would bear the existing
burden for compliance with Rule 1002(b)(1) through (4) and the
additional burden to report the proposed systems intrusions.
The Commission estimates that on average each Current SCI Entity
will experience an additional three SCI events each year that are not
de minimis SCI events \495\ and New SCI Entities will experience an
average of eight SCI events each year that are not de minimis SCI
events.\496\
---------------------------------------------------------------------------
\495\ The Commission's currently approved baseline for the
number of SCI events is five events per year that are not de
minimis. See 2022 PRA Supporting Statement, supra note 471. The
Commission estimates that as a result of the additional systems
intrusions that SCI entities would be required to report, the number
of SCI events would increase by three events per year that are not
de minimis.
\496\ The Commission estimates that each New SCI Entity would
experience the baseline burden of five SCI events and three
additional SCI events, for a total of eight SCI events that are not
de minimis.
---------------------------------------------------------------------------
As a result, pursuant to Rule 1002(b)(1), which requires immediate
notification of SCI events, the Commission estimates that each Current
SCI Entity will submit, on average, an additional three notifications
per year beyond the current baseline,\497\ and each New SCI Entity will
submit eight
[[Page 23211]]
notifications per year.\498\ These notifications can be made orally or
in writing, and the Commission estimates that approximately one-fourth
of these notifications will be submitted in writing (i.e.,
approximately one event per year for each Current SCI Entity and two
events per year for each New SCI Entity \499\), and approximately
three-fourths will be provided orally (i.e., approximately two events
per year for each Current SCI Entity \500\ and six events per year for
each New SCI Entity \501\). The Commission estimates that each written
notification will require two hours and each oral notification will
require 1.5 hours.\502\ The Commission estimates a burden of 5 hours
\503\ for each Current SCI Entities and 13 hours \504\ for New SCI
Entities. The table below summarizes the initial and ongoing annual
burden estimates for Current SCI Entities and New SCI Entities:
---------------------------------------------------------------------------
\497\ The Commission's currently approved baseline for the
number of notifications submitted by an SCI entity pursuant to Rule
1002(b)(1) is five notifications per year, with one-fourth of the
five notifications submitted in writing (i.e., approximately one
event per year for each SCI entity), and approximately three-fourths
provided orally (i.e., approximately four events per year for each
SCI entity). See 2022 PRA Supporting Statement, supra note 471. The
Commission estimates that the proposed systems intrusions will
result in each SCI entity submitting three additional notifications,
one for each of the three estimated additional SCI events.
\498\ The Commission estimates that each New SCI Entity will
submit both the current baseline of five notifications and the
additional three notifications, for a total of eight notifications.
See supra note 497 (discussing the 3 additional notifications).
\499\ 8 SCI events / 4 = 2 SCI events reported in writing. The
Commission estimates that each Current SCI Entities already reports
one SCI event per year in writing. See 2022 PRA Supporting
Statement, supra note 471. The Commission therefore estimates that
they would report one additional SCI event in writing. New SCI
Entities would report two SCI events in writing.
\500\ 3 SCI events-1 SCI event reported in writing = 2 SCI
events reported orally.
\501\ 8 SCI events-2 SCI events reported in writing = 6 SCI
events reported orally.
\502\ The Commission-approved baseline for the burden hours for
each notification are 2 hours for written communications (0.5
Compliance Manager hours + 0.5 Attorney hours + 0.5 Senior Systems
Analyst hours + 0.5 Senior Business Analyst hours) and 1.5 hours for
oral communications (0.25 Compliance Manager hours + 0.25 Attorney
hours + 0.5 Senior Systems Analyst hours + (0.5 Senior Business
Analyst hours). See 2022 PRA Supporting Statement, supra note 471.
The Commission does not believe that reporting the proposed systems
intrusions would change the estimated burden hours.
\503\ 1 written notification each year * 2 hours per
notification + 2 oral notifications each year * 1.5 hours per
notification = 5 hours.
\504\ 2 written notification each year * 2 hours per
notification + 6 oral notifications each year * 1.5 hours per
notification = 13 hours.
----------------------------------------------------------------------------------------------------------------
Burden hours for
all respondents
Estimated Burden hours (estimated
Respondent type respondents per SCI entity respondents x
(entities) burden hours per
SCI entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities...................................... 47 5 235
New SCI Entities.......................................... 23 13 299
----------------------------------------------------------------------------------------------------------------
The table below summarizes the Commission's estimates for the
average internal cost of compliance associated with the ongoing
reporting burden for Current SCI Entities and New SCI Entities:
----------------------------------------------------------------------------------------------------------------
Total internal cost
of compliance
Estimated Average internal (estimated
Respondent type respondents cost of compliance respondents x
(entities) per SCI entity average internal
cost of compliance
per entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities................................ 47 \1\ $1,737.50 $81,663
New SCI Entities.................................... 23 \2\ 4,499 103,477
----------------------------------------------------------------------------------------------------------------
\1\ The average internal cost of compliance for each Current SCI entity to submit an additional written
notification per year is $713.50 (0.5 Compliance Manager hours x $344) + (0.5 Attorney hours x $462) + (0.5
Senior Systems Analyst hours x $316) + (0.5 Senior Business Analyst hours x $305) = $713.50 per written
notification. $713.50 x 1 written notification each year = $713.50.
(0.25 Compliance Manager hours x $344) + (0.25 Attorney hours x $462) + (0.5 Senior Systems Analyst hours x
$316) + (0.5 Senior Business Analyst hours x $305) = $512 per oral notification. $512 x 2 = $1,024.
$713.50 + $1,024 = $1,737.50.
\2\ $713.50 per written notification x 2 written notifications + $512 per written notification x 6 oral
notifications = $4,499.
The Commission estimates that each notification submitted pursuant
to Rule 1002(b)(2) will require 24 hours per SCI entity.\505\ The
Commission estimates an average of 72 hours \506\ for each Current SCI
Entity and 192 hours \507\ for each New SCI Entity to submit the 24
hour written notifications required by Rule 1002(b)(2). The table below
summarizes the initial and ongoing annual burden estimates for Current
SCI Entities and New SCI Entities:
---------------------------------------------------------------------------
\505\ The Commission-approved baseline for the burden hours for
each written notification is 24 hours (5 Compliance Manager hours +
5 Attorney hours + 6 Senior Systems Analyst hours + 1 Assistant
General Counsel hour + 1 Chief Compliance Officer hour + 6 Senior
Business Analyst hours) for each SCI entity. See 2022 PRA Supporting
Statement, supra note 471.
\506\ 3 additional notifications x 24 hours per notification =
72 hours. See supra note 497 (discussing the three additional
notifications for each Current SCI Entity).
\507\ 8 notifications x 24 hours per notification = 192 hours.
See supra note 498 (discussing the eight notifications for each New
SCI Entity).
----------------------------------------------------------------------------------------------------------------
Burden hours for
all respondents
Estimated Burden hours (estimated
Respondent type respondents per SCI entity respondents x
(entities) burden hours per
SCI entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities...................................... 47 72 3,384
New SCI Entities.......................................... 23 192 4,416
----------------------------------------------------------------------------------------------------------------
[[Page 23212]]
The table below summarizes the Commission's estimates for the cost
of compliance associated with the ongoing reporting burden for Current
SCI Entities and New SCI Entities:
----------------------------------------------------------------------------------------------------------------
Total internal cost
of compliance
Estimated Average internal (estimated
Respondent type respondents cost of compliance respondents x
(entities) per SCI entity average internal
cost of compliance
per entity
----------------------------------------------------------------------------------------------------------------
Current SCI Entities................................ 47 \1\ $26,589 $1,249,683
New SCI Entities.................................... 23 \2\ 70,904 1,630,792
----------------------------------------------------------------------------------------------------------------
\1\ The average internal cost of compliance for each Current SCI entity to submit an additional written
notification per year is $8,863 per notification ((5 Compliance Manager hours x $344) + (5 Attorney hours x
$462) + (6 Senior Systems Analyst hours x $316) + (1 Assistant General Counsel x $518) + (6 Senior Business
Analyst hours x $305) + (1 Chief Compliance Officer hour x $589)). $8,863 per notification x 3 notifications
each year = $26,589.
\2\ $8,863 per notification x 8 notifications each year = $70,904.
As for Rule 1002(b)(3), the Commission estimates that, based on
past experience, each Current SCI entity will submit 1 additional
written update and 1 additional oral update each year and each New SCI
Entity will submit 2 written updates (on Form SCI) and 2 oral
updates.\508\ The Commission estimates that each written update will
require 6 hours and each oral update will require 4.5 hours.\509\ The
Commission estimates a total burden of 10.5 hours \510\ for Current SCI
Entities and 21 hours \511\ for New SCI Entities. The table below
summarizes the initial and ongoing annual burden estimates for Current
SCI Entities and New SCI Entities:
---------------------------------------------------------------------------
\508\ The Commission's currently approved baseline for the
number of updates submitted by an SCI entity pursuant to Rule
1002(b)(3) is one written update and one oral update each year, for
a total of two updates per a year. See 2022 PRA Supporting
Statement, supra note 471. The Commission estimates that as a result
of the three additional SCI events resulting from the additional
systems intrusions each SCI entity is potentially required to be
report, the total number of updates would increase to two written
updates and two oral updates each year, for a total of four updates
per a year.
\509\ The Commission-approved baseline for the burden hours for
each update are 6 hours for the written update (1.5 Compliance
Manager hours + 1.5 Attorney hours + 1.5 Senior Systems Analyst
hours + 1.5 Senior Business Analyst hours) and 4.5 hours for the
oral update (0.75 Compliance Manager hours + 0.75 Attorney hours +
1.5 Senior Systems Analyst hours + 1.5 Senior Business Analyst
hours). See 2022 PRA Supporting Statement, supra note 471. The
Commission does not propose to change the estimated burden hours at
this time and notes that the estimated hours for the Senior Systems
Analyst and Senior Business Analyst regarding the oral update
reflect a correction to a typographical error in the 2022 PRA
Supporting Statement.
\510\ 1 written notification x 6 hours per written notification
+ 1 oral notification x 4.5 hours per oral notification = 10.5
hours.
\511\ 2 written notifications x 6 hours per written notification
+ 2 oral notifications x 4.5 hours per oral notification = 21 hours.
----------------------------------------------------------------------------------------------------------------
Burden hours for
all respondents
Estimated Burden hours (estimated
Respondent type respondents per SCI entity respondents x
(entities) burden hours per
SCI entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities...................................... 47 10.5 493.5
New SCI Entities.......................................... 23 21 483
----------------------------------------------------------------------------------------------------------------
The table below summarizes the Commission's estimates for the cost
of compliance associated with the ongoing reporting burden for Current
SCI Entities and New SCI Entities:
----------------------------------------------------------------------------------------------------------------
Total internal cost
of compliance
Estimated Average internal (estimated
Respondent type respondents cost of compliance respondents x
(entities) per SCI entity average internal
cost of compliance
per entity)
----------------------------------------------------------------------------------------------------------------
Current SCI entities................................ 47 \1\ $3,677 $172,819
New SCI Entities.................................... 23 \2\ 7,354 169,142
----------------------------------------------------------------------------------------------------------------
\1\ The average internal cost of compliance for each SCI entity to submit an additional written update is $2,141
per notification ((1.5 Compliance Manager hours x $344) + (1.5 Attorney hours x $462) + (1.5 Senior Systems
Analyst hours x $316) + (1.5 Senior Business Analyst hours x $305)).
The average internal cost of compliance for each SCI entity to submit an additional oral update is $1,536 ((0.75
Compliance Manager hours x $344) + (0.75 Attorney hours x $462) + (1.5 Senior Systems Analyst hours x $316) +
(1.5 Senior Business Analyst hours x $305)).
$2,141 + $1,536 = $3,677 for each Current SCI Entity to submit two additional updates (one written update and
one oral update).
\2\ $2,141 per written update x 2 written updates per year + $1,536 per oral update x 2 oral updates per year =
$7,354 for each New SCI Entity to submit updates in compliance with Rule 1002(b)(3).
[[Page 23213]]
As for Rule 1002(b)(4), the Commission estimates that Current SCI
Entities will submit an additional 3 reports per year above and beyond
the current baseline \512\ and New SCI Entities will submit 8 reports
per year.\513\ The Commission estimates that compliance with Rule
1002(b)(4) for a particular SCI event will require 35 hours.\514\ The
Commission estimates that each Current SCI Entity will incur 105 hours
\515\ and each New SCI Entity will incur 280 hours \516\ to meet the
requirements of Rule 1002(b)(4). The table below summarizes the initial
and ongoing annual burden estimates for Current SCI Entities and New
SCI Entities:
---------------------------------------------------------------------------
\512\ The Commission's currently approved baseline for the
number of reports submitted by an SCI entity pursuant to Rule
1002(b)(4) is five reports per year. See 2022 PRA Supporting
Statement, supra note 471. The Commission estimates that as a result
of the increase in the estimated number of SCI events from five
events to eight events, SCI entities would potentially be required
to submit an additional three reports per year.
\513\ As noted earlier, the Commission estimates that New SCI
Entities would submit both the baseline estimate of five reports and
the additional three reports, for a total of eight reports.
\514\ The Commission's currently approved baseline for burden
hours each SCI entity would incur to comply with Rule 1002(b)(4) for
each SCI event would be 35 hours (8 Compliance Manager hours + 8
Attorney hours + 7 Senior Systems Analyst hours + 2 Assistant
General Counsel hours + 1 General Counsel hour + 2 Chief Compliance
Officer hours + 7 Senior Business Analyst hours). See 2022 PRA
Supporting Statement, supra note 471. The Commission does not
propose to change the estimated burden hours at this time.
\515\ 3 notifications each year x 35 hours per notification =
105 hours.
\516\ 8 notifications each year x 35 hours per notification =
280 hours.
----------------------------------------------------------------------------------------------------------------
Burden hours for
all respondents
Estimated Burden hours (estimated
Respondent type respondents per SCI entity respondents x
(entities) burden hours per
SCI entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities...................................... 47 105 4,935
New SCI Entities.......................................... 23 280 6,440
----------------------------------------------------------------------------------------------------------------
The Commission estimates that the average internal cost of
compliance per notification is $13,672.\517\ The table below summarizes
the Commission's estimates for the cost of compliance associated with
the ongoing reporting burden for Current SCI Entities and New SCI
Entities:
---------------------------------------------------------------------------
\517\ (8 Compliance Manager hours x $344) + (8 Attorney hours x
$462) + (7 Senior Systems Analyst hours x $316) + (2 Assistant
General Counsel hours x $518) + (1 General Counsel hour x $663) + (2
Chief Compliance Officer hours x $589) + (7 Senior Business Analyst
hours x $305) = $13,672.
----------------------------------------------------------------------------------------------------------------
Total internal cost
of compliance
Estimated Average internal (estimated
Respondent type respondents cost of compliance respondents x
(entities) per SCI entity average internal
cost of compliance
per entity
----------------------------------------------------------------------------------------------------------------
Current SCI Entities................................ 47 \1\ $41,016 $1,927,752
New SCI Entities.................................... 23 \2\ 109,376 2,515,648
----------------------------------------------------------------------------------------------------------------
\1\ $13,672 per notification x 3 notifications each year = $41,016.
\2\ $13,672 per notification x 8 notifications per year = $109,376 average internal cost of compliance for each
New SCI Entity.
c. Rule 1002(b)(5)
The Commission estimates that eliminating systems intrusions from
the SCI events reported as de minimis events \518\ on the quarterly
reports reduces the burden for each SCI entity to submit the quarterly
report by 10% less compared to the current baseline, or 36 hours.\519\
Each Current SCI Entity would experience a decrease in its reporting
burden of 4 hours per quarterly report,\520\ for a total decrease of 16
hours per SCI entity.\521\ As New SCI Entities are not currently
required to meet this burden, they would newly incur a burden of 36
hours per report, for a total burden per SCI entity of 144 hours.\522\
---------------------------------------------------------------------------
\518\ Systems intrusions, whether de minimis or non-de minimis,
would be reported pursuant to Rules 1002(b)(1) through (4), as
discussed earlier. See section III.C.3. The burdens for reporting
all systems intrusions as non-de minimis events is discussed above.
See supra notes 495-517 and accompanying text.
\519\ The Commission's currently approved baseline for the
initial and ongoing reporting burden to comply with the quarterly
report requirement is 40 hours. See 2022 PRA Supporting Statement,
supra note 471. 40 hours x 10% = 36 hours. This estimate includes 7
hours for a Compliance Manager, 7 hours for an Attorney, 9 hours for
a Senior Systems Analyst, 1 hours for an Assistant General Counsel,
9 hours for a Senior Business Analyst, 1 hours for a General
Counsel, and 2 hours for a Chief Compliance Officer.
\520\ 40 hours (baseline estimate)-36 hours (revised estimate) =
4 hours per quarterly report. This estimate includes 0.75 hours for
a Compliance Manager, 0.75 hours for an Attorney, 1 hour for a
Senior Systems Analyst, 0.2 hours for an Assistant General Counsel,
1 hours for a Senior Business Analyst, 0.1 hours for a General
Counsel, and 0.2 hours for a Chief Compliance Officer.
\521\ 4 quarterly submissions per year x 4 hours per submission
= 16 hours decrease per SCI entity.
\522\ 4 quarterly submissions per year x 36 hours per submission
= 144 hours per SCI entity.
---------------------------------------------------------------------------
The table below summarizes the initial and ongoing annual burden
estimates for Current SCI Entities and New SCI Entities:
--------------------------------------------------------------------------------------------------------------------------------------------------------
Burden hours for all
Burden hours per SCI respondents
Estimated Number of Hours per entity (number of (estimated
Respondent type respondents reports report reports x hours per respondents x
(entities) report) burden hours per
SCI entity)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Current SCI Entities........................................ 47 4 (4) (16) (752)
[[Page 23214]]
New SCI Entities............................................ 23 4 36 144 3,312
--------------------------------------------------------------------------------------------------------------------------------------------------------
The table below summarizes the Commission's estimates for the
average internal cost of compliance associated with the ongoing
reporting burden for Current SCI Entities and New SCI Entities:
--------------------------------------------------------------------------------------------------------------------------------------------------------
Average internal Total internal cost
cost of compliance of compliance
Estimated Internal cost of per SCI entity (estimated
Respondent type respondents Number of compliance per (number of reports x respondents x
(entities) reports report internal cost of average internal
compliance per cost of compliance
report) per entity
--------------------------------------------------------------------------------------------------------------------------------------------------------
Current SCI entities...................................... 47 4 \1\ $(1,513) \2\ $(6,052) $(284,444)
New SCI entities.......................................... 23 4 \3\ 13,619 \4\ 54,476 1,252,948
--------------------------------------------------------------------------------------------------------------------------------------------------------
\1\ (0.75 Compliance Manager hours x $344) + (0.75 Attorney hours x $462) + (1 Senior Systems Analyst hours x $316) + (0.2 Assistant General Counsel
hours x $518) + (0.1 General Counsel hour x $663) + (0.2 Chief Compliance Officer hours x $589) + (1 Senior Business Analyst hours x $305) = $1,513.
\2\ $1,513 per notification x 4 notifications each year = $6,052 per Current SCI Entity.
\3\ (6.75 Compliance Manager hours x $344) + (6.75 Attorney hours x $462) + (9 Senior Systems Analyst hours x $316) + (1.8 Assistant General Counsel
hours x $518) + (0.9 General Counsel hour x $663) + (1.8 Chief Compliance Officer hours x $589) + (9 Senior Business Analyst hours x $305) = $13,619.
\4\ $13,619 per notification x 4 notifications each year = $54,476 per New SCI Entity.
The Commission estimates that while SCI entities will handle
internally most of the work associated with Rule 1002(b), SCI entities
will seek outside legal advice in the preparation of certain Commission
notifications. The Commission estimates that the total annual reporting
cost of seeing outside legal advice is $5,800 per SCI entity.\523\
Because Rule 1002(b) will impose approximately 32 reporting
requirements \524\ per SCI entity per year and each required
notification will be require an average of $181.25.\525\ The total
annual reporting costs for Current SCI Entities and New SCI Entities is
summarized below:
---------------------------------------------------------------------------
\523\ The Commission-approved baseline for the annual reporting
cost of seeking outside legal advice is $5,800 per SCI entity. See
2022 PRA Supporting Statement, supra note 471.
\524\ The Commission-approved baseline for the number of
reporting requirements required by Rule 1002(b) is 21 requirements
for each SCI entity. See 2022 PRA Supporting Statement, supra note
471. The proposed amendments add an additional 11 reporting
requirements (3 immediate notifications + 3 24-hour notifications +
2 updates pertaining to an SCI event + 3 interim/final
notifications). 21 + 11 = 32 reporting requirements.
\525\ $5,800 per SCI entity/32 reporting requirements = $181.25
per reporting requirement.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Cost per SCI
entity Total cost
(number of burdens (cost
Number of Number of Cost per reporting per SCI
Rule Type of respondent respondents reporting reporting requirements x entity x
requirements requirement cost per number of
reporting respondents)
requirement)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Rule 1002(b)(1)............................ Current SCI Entities.......... 47 3 $181.25 $544 $25,556
New SCI Entities.............. 23 8 181.25 1,450 33,350
Rule 1002(b)(2)............................ Current SCI Entities.......... 47 3 181.25 544 25,556
New SCI Entities.............. 23 8 181.25 1,450 33,350
Rule 1002(b)(3)............................ Current SCI Entities.......... 47 2 181.25 363 17,038
New SCI Entities.............. 23 4 181.25 725 16,675
Rule 1002(b)(4)............................ Current SCI Entities.......... 47 3 181.25 544 25,556
New SCI Entities.............. 23 8 181.25 1,450 33,350
Rule 1002(b)(5)............................ Current SCI Entities.......... 47 0 181.25 0 0
New SCI Entities.............. 23 4 181.25 725 16,675
--------------------------------------------------------------------------------------------------------------------------------------------------------
d. Rule 1002(c)
The Commission anticipates that the proposed amendment will newly
impose the information dissemination requirements of Rule 1002(c)(1) on
New SCI Entities, and New SCI Entities will incur the same burdens that
Current SCI Entities already incur to comply with these
requirements.\526\ The table below summarizes the burden that would be
newly imposed on New SCI Entities:
---------------------------------------------------------------------------
\526\ Current SCI Entities are already required to comply with
Rule 1002(c)(1). The burdens for compliance are summarized in the
most recent PRA Supporting Statement. See 2022 PRA Supporting
Statement, supra note 471. The proposed amendments impose no
additional burden related to this section. The Commission does not
anticipate that New SCI Entities would incur burdens beyond what is
estimated in the 2022 PRA Supporting Statement.
[[Page 23215]]
--------------------------------------------------------------------------------------------------------------------------------------------------------
Burden hours for all
Burden hours per respondents
Estimated Number of Hours per SCI Entity (estimated
Rule Respondent type respondents dissemination dissemination (number of respondents x
reports x hours burden hours per
per report) SCI entity)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Rule 1002(c)(1)(i)................ New SCI Entities..... 23 3 information \2\ 7 21 483
disseminations \1\.
Rule 1002(c)(1)(ii) and (iii)..... 9 updates \3\........ \4\ 13 117 2,691
--------------------------------------------------------------------------------------------------------------------------------------------------------
\1\ The Commission's currently approved baseline for the number of each SCI entity's information disseminations per year under Rule 1002(c)(1)(i) is
three information disseminations. See 2022 PRA Supporting Statement, supra note 471.
\2\ The Commission's currently approved baseline is that each information dissemination under Rule 1002(c)(1)(i) would require 7 hours. This includes 1
Compliance Manager hour, 2.67 Attorney hours, 1 Senior System Analyst hour, 0.5 General Counsel hours, 0.5 Director of Compliance hours, 0.5 Chief
Compliance Officer hours, 0.5 Corporate Communications Manager hours, and 0.33 Webmasters hours. See 2022 PRA Supporting Statement, supra note 471.
\3\ The Commission's currently approved baseline for Rule 1002(c)(1)(ii) and (iii) is that each SCI entity will disseminate three updates for each SCI
event. 3 updates per SCI Event x 3 SCI events = 9 updates each year.
\4\ The Commission's currently approved baseline is that each information dissemination under Rule 1002(c)(1)(ii) and (iii) would require 13 hours. This
includes 2 Compliance Manager hours, 4.67 Attorney hours, 2 Senior System Analyst hour, 1 General Counsel hours, 1 Director of Compliance hours, 1
Chief Compliance Officer hours, 1 Corporate Communications Manager hours, and 0.33 Webmasters hours. See 2022 PRA Supporting Statement, supra note
471, at 25-26.
The table below summarizes the Commission's estimates for the
average internal cost of compliance associated with the ongoing
reporting burden for Current SCI Entities and New SCI Entities:
----------------------------------------------------------------------------------------------------------------
Total internal cost
of compliance
Estimated Average internal (estimated
Rule Respondent type respondents cost of compliance respondents x
(entities) per SCI entity average internal
cost of compliance
per entity)
----------------------------------------------------------------------------------------------------------------
Rule 1002(c)(1)(i).............. New SCI Entities.. 23 \1\ $9,212 $211,876
Rule 1002(c)(1)(ii) and (iii)... \2\ 51,666 1,188,318
----------------------------------------------------------------------------------------------------------------
\1\ (1 Compliance Manager hours x $344) + (2.67 Attorney hours x $462) + (1 Senior Systems Analyst hours x $316)
+ (0.5 General Counsel hour x $663) + (0.5 Chief Compliance Officer hours x $589) + (0.5 Director of
Compliance hours x $542) + (0.5 Corporate Communications Manager hours x $378) + (0.33 Webmaster hours x $276)
= $3,071. $3,071 per notification x 3 notifications each year = $9,212.
\2\ (2 Compliance Manager hours x $344) + (4.67 Attorney hours x $462) + (2 Senior Systems Analyst hours x $316)
+ (1 General Counsel hour x $663) + (1 Chief Compliance Officer hours x $589) + (1 Director of Compliance
hours x $542) + (1 Corporate Communications Manager hours x $378) + (0.33 Webmaster hours x $276) = $5,741.
$5,741 per notification x 9 notifications each year = $51,666.
With respect to the Rule 1002(c)(2) requirement to disseminate
information regarding systems intrusions, the Commission estimates that
each Current SCI Entity will disseminate information regarding 3
systems intrusions each year and each New SCI Entity will disseminate
information regarding 4 systems intrusions each year.\527\ The
Commission estimates that each dissemination under Rule 1002(c)(2) will
require 10 hours.\528\
---------------------------------------------------------------------------
\527\ The Commission's currently approved baseline for the
number of each SCI entity's information disseminations per year
under Rule 1002(c)(2) is that each SCI entity will disseminate
information about one systems intrusion each year. See 2022 PRA
Supporting Statement, supra note 471. As discussed above, the
Commission estimates an additional three SCI events (i.e., three
additional systems intrusions) as a result of the additional types
of systems intrusions added to the definition systems intrusions in
Rule 1000 and the elimination of systems intrusions from the de
minimis SCI events reported quarterly in Rule 1002(b)(5). The
Commission estimates that each SCI entity would disseminate
information related to four systems intrusions each year. Each
Current SCI Entity would disseminate information for three systems
intrusions beyond the baseline estimate of one systems intrusion. As
New SCI Entities will newly incur this burden, and as a result will
report four systems intrusions.
\528\ The Commission's currently approved baseline is that each
dissemination under Rule 1002(c)(2) will require 10 hours. See 2022
PRA Supporting Statement, supra note 471.
---------------------------------------------------------------------------
The table below summarizes the initial and ongoing annual burden
estimates for Current SCI Entities and New SCI Entities:
----------------------------------------------------------------------------------------------------------------
Burden hours for all
respondents
Estimated Burden hours (estimated
Respondent type respondents per SCI entity respondents x
(entities) burden hours per
SCI entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities...................................... 47 \1\ 30 1,410
New SCI Entities.......................................... 23 \2\ 40 920
----------------------------------------------------------------------------------------------------------------
\1\ 3 information disseminations x 10 hours per dissemination = 30 hours.
\2\ 4 information disseminations x 10 hours per dissemination = 40 hours.
The Commission estimates that the average internal cost of
compliance per notification is $4,406.\529\ The table below summarizes
the Commission's estimates for the cost of compliance associated with
the ongoing reporting burden for Current SCI Entities and New SCI
Entities:
---------------------------------------------------------------------------
\529\ (1.5 Compliance Manager hours x $344) + (3.67 Attorney
hours x $462) + (1.5 Senior Systems Analyst hours x $316) + (0.75
General Counsel hour x $633) + (0.75 Director of Compliance hours x
$542) + (0.75 Chief Compliance Officer hours x $589) + (0.75
Corporate Communications Manager hours x $378) + (0.33 Webmasters
hours x $276) = $4,406 per notification.
[[Page 23216]]
----------------------------------------------------------------------------------------------------------------
Total internal cost
of compliance
Estimated Average internal (estimated
Respondent type respondents cost of compliance respondents x
(entities) per SCI entity average internal
cost of compliance
per entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities................................ 47 \1\ $13,218 $621,246
New SCI Entities.................................... 23 \2\ 17,624 405,352
----------------------------------------------------------------------------------------------------------------
\1\ $4,406 per notification x 3 information disseminations each year = $13,218.
\2\ $4,406 per notification x 4 information disseminations per year = $17,624.
The Commission believes SCI entities will seek outside legal advice
in the preparation of the information dissemination under Rule 1002(c).
The Commission estimates that the total annual reporting cost of seeing
outside legal advice is $3,320 per SCI entity.\530\ Because Rule
1002(c) will impose approximately 16 third-party disclosure
requirements \531\ per SCI entity per year and each required disclosure
will be require an average of $207.50.\532\ The total annual reporting
costs for Current SCI Entities and New SCI Entities are summarized
below:
---------------------------------------------------------------------------
\530\ The Commission-approved baseline for the annual reporting
cost of seeking outside legal advice is $3,320 per SCI entity. See
2022 PRA Supporting Statement, supra note 471.
\531\ The Commission-approved baseline for the number of
disclosure requirements required by Rule 1002(c) is 13 requirements
for each SCI entity. See 2022 PRA Supporting Statement, supra note
471. The proposed amendments add an additional 3 reporting
requirements (3 additional information disseminations related to 3
additional systems intrusions). 13 + 3 = 16 disclosure requirements.
\532\ $3,320 per SCI entity/16 reporting requirements = $207.50
per reporting requirement.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Cost per SCI Total cost
entity (number burdens (cost
Rule Respondent type Number of Number of Cost per of disclosures per SCI entity
respondents disclosures disclosure x cost per x number of
disclosure) respondents)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Rule 1002(c)(1)(i)............................ New SCI Entities................. 23 3 $207.50 $622.50 $14,317.50
Rule 1002(c)(1)(ii) and (iii)................. New SCI Entities................. 23 9 207.50 1,867.50 42,952.50
Rule 1002(c)(2)............................... Current SCI Entities............. 47 3 207.50 622.50 29,257.50
New SCI Entities................. 23 4 207.50 830 19,090
--------------------------------------------------------------------------------------------------------------------------------------------------------
As noted above, Regulation SCI requires SCI entities to identify
certain types of events and systems. The Commission believes that the
identification of critical SCI systems, major SCI events, and de
minimis SCI events will impose an initial one-time implementation
burden on new SCI entities in developing processes to quickly and
correctly identify the nature of a system or event. The identification
of these systems and events may also impose periodic burdens on SCI
entities in reviewing and updating the processes. The Commission
anticipates that the because the proposed amendment will newly impose
the requirements of Rule 1002(b) on New SCI Entities, New SCI Entities
will incur the burden to develop processes to comply with these
requirements.\533\ The Commission estimates that each New SCI entity
will initially require 198 hours to establish criteria for identifying
material systems changes and 39 hours to annually to review and update
the criteria.\534\ The table below summarizes the burden that would be
newly imposed on New SCI Entities:
---------------------------------------------------------------------------
\533\ Current SCI Entities are already required to comply with
Rule 1003(a). The burdens for compliance are summarized in the most
recent PRA Supporting Statement. See 2022 PRA Supporting Statement,
supra note 471. The proposed amendments impose no additional burden
related to this section.
\534\ These estimates reflect the Commission-approved baseline.
See 2022 PRA Supporting Statement, supra note 471. The Commission
does not anticipate that New SCI Entities would incur burdens beyond
what is estimated in the 2022 PRA Supporting Statement.
----------------------------------------------------------------------------------------------------------------
Estimated burden
Estimated hours for all
Respondent type Burden type respondents Burden hours entities (estimated
(entities) per entity respondents x burden
hours per entity)
----------------------------------------------------------------------------------------------------------------
New SCI Entities................... Initial.............. 23 198 4,554
Annual............... 23 39 897
----------------------------------------------------------------------------------------------------------------
The table below summarizes the Commission's estimates for the
average internal cost of compliance for New SCI Entities:
[[Page 23217]]
----------------------------------------------------------------------------------------------------------------
Total internal cost
of compliance
Estimated Average internal (estimated
Respondent type Burden type respondents cost of compliance respondents x
(entities) per entity average internal
cost of compliance
per entity)
----------------------------------------------------------------------------------------------------------------
New SCI Entities................ Initial........... 23 \1\ $78,144 $1,797,312
Annual............ 23 \2\ 17,258 396,934
----------------------------------------------------------------------------------------------------------------
\1\ (64 Compliance Manager hours x $344) + (64 Attorney hours x $462) + (20 Senior Systems Analyst hours x $316)
+ (20 Operations Specialist hours x $152) + (20 Chief Compliance Officer hours x $589) + (10 Director of
Compliance hours x $542) = $78,144.
\2\ (9 Compliance Manager hours x $344) + (9 Attorney hours x $462) + (3 Senior Systems Analyst hours x $316) +
(3 Operations Specialist hours x $152) + (10 Chief Compliance Officer hours x $589) + (5 Director of
Compliance hours x $542) = $17,258.
As discussed above in section III.C.3.c, the proposed amendments to
the definition of systems intrusion would require SCI entities to
establish reasonable written criteria to identify significant attempted
unauthorized entries into the SCI systems or indirect SCI systems of an
SCI entity. As this is a new burden for both Current SCI Entities and
New SCI Entities, the Commission estimates an average burden across all
SCI entities of 89 hours \535\ initially to establish the criteria for
identifying material systems changes and 14.5 hours \536\ annually to
review and update the criteria.
---------------------------------------------------------------------------
\535\ This estimate is based on the Commission's burden estimate
for Rule 1001(a), because Rule 1001(a) requires policies and
procedures. See supra notes 474-475 and accompanying text. Rule
1001(a) (excluding Rule 1001(a)(2)(vi)) requires a total of ten
policy elements at a minimum, consisting of six currently required
policy elements and four proposed policy elements. See supra notes
471 and 474. Because the proposed amendment to the definition of
systems intrusion in Rule 1000 requires only one set of written
criteria, the Commission estimates that the initial staff burden to
draft the criteria required to identify significant attempted
unauthorized systems intrusions is one-tenth of the initial staff
burden to draft the policies and procedures required by Rule 1001(a)
(excluding Rule 1001(a)(2)(vi)). 890 hours/10 policy elements = 89
burden hours per policy element. The 89 burden hours includes 25
hours for a Compliance Manager, 25 hours for an Attorney, 8 hours
for a Senior Systems Analyst, and 8 hours for an Operations
Specialist. The Commission also estimates that a Chief Compliance
Officer will spend 15 hours and a Director of Compliance and a
Director of Compliance will spend 8 hours reviewing the policies and
procedures.
\536\ This estimate is based on the Commission's burden estimate
for Rule 1001(a), because Rule 1001(a) requires policies and
procedures. See supra notes 475-476 and accompanying text. Rule
1001(a) (excluding Rule 1001(a)(2)(vi)) requires a total of ten
policy elements at a minimum, consisting of six currently required
policy elements and four proposed policy elements. See supra notes
472 and 475. Because the proposed amendment to the definition of
systems intrusion in Rule 1000 requires only one set of written
criteria, the Commission estimates that the ongoing staff burden to
review and update the criteria required to identify significant
attempted unauthorized systems intrusions is one-tenth of the
ongoing staff burden to review and update the policies and
procedures required by Rule 1001(a) (excluding Rule 1001(a)(2)(vi)).
145 hours/10 policy elements = 14.5 burden hours per policy element.
The 14.5 burden hours includes 2 hours for a Compliance Manager, 2
hours for an Attorney, 1 hours for a Senior Systems Analyst, and 1
hours for an Operations Specialist. The Commission also estimates
that a Chief Compliance Officer will spend 5.5 hours and a Director
of Compliance and a Director of Compliance will spend 3 hours
reviewing the policies and procedures.
---------------------------------------------------------------------------
The table below summarizes the initial and ongoing annual burden
estimates for Current SCI Entities and New SCI Entities:
----------------------------------------------------------------------------------------------------------------
Estimated burden
hours for all
Estimated Burden hours entities (estimated
Respondent type Burden type respondents per entity respondents x
(entities) burden hours per
entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities............... Initial.............. 47 89 4,183
Annual............... 47 14.5 681.5
New SCI Entities................... Initial.............. 23 89 2,047
Annual............... 23 14.5 333.5
----------------------------------------------------------------------------------------------------------------
The table below summarizes the Commission's estimates for the
average internal cost of compliance for New SCI Entities:
----------------------------------------------------------------------------------------------------------------
Total internal cost
of compliance
Estimated Average internal (estimated
Respondent type Burden type respondents cost of compliance respondents x
(entities) per entity average internal
cost of compliance
per entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities............ Initial........... 47 \1\ $37,065 $1,742,055
Annual............ 47 \2\ 6,946 326,462
New SCI Entities................ Initial........... 23 \3\ 37,065 852,495
Annual............ 23 \4\ 6,946 159,758
----------------------------------------------------------------------------------------------------------------
\1\ (25 Compliance Manager hours x $344) + (25 Attorney hours x $462) + (8 Senior Systems Analyst hours x $316)
+ (8 Operations Specialist hours x $152) + (15 Chief Compliance Officer hours x $589) + (8 Director of
Compliance hours x $542) = $37,065.
\2\ (2 Compliance Manager hours x $344) + (2 Attorney hours x $462) + (1 Senior Systems Analyst hours x $316) +
(1 Operations Specialist hours x $152) + (5.5 Chief Compliance Officer hours x $589) + (3 Director of
Compliance hours x $542) = $6,946.
\3\ See supra note 1 of this table.
\4\ See supra note 2 of this table.
[[Page 23218]]
3. Rule 1003
The Commission anticipates that the proposed amendment will newly
impose the Rule 1003(a) requirements to report material system changes
on New SCI Entities, and New SCI Entities will incur the same burdens
that Current SCI Entities already incur to comply with these
requirements.\537\ The table below summarizes the burden that would be
newly imposed on New SCI Entities:
---------------------------------------------------------------------------
\537\ Current SCI Entities are already required to comply with
Rule 1003(a). The burdens for compliance are summarized in the most
recent PRA Supporting Statement. See 2022 PRA Supporting Statement,
supra note 471. The proposed amendments impose no additional burden
related to this section. The Commission does not anticipate that New
SCI Entities would incur burdens beyond what is estimated in the
2022 PRA Supporting Statement.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Burden hours for all
Burden hours per respondents
Estimated Hours per SCI entity (estimated
Rule Respondent type respondents Number of reports report (number of respondents x
(entities) reports x hours burden hours per
per report) SCI entity)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Rule 1003(a)(1)................... New SCI Entities..... 23 4 reports (1 per \1\ 125 500 11,500
quarter).
Rule 1003(a)(2)................... \2\ 1 supplemental \3\ 15 15 345
report.
--------------------------------------------------------------------------------------------------------------------------------------------------------
\1\ The Commission's currently approved baseline is that each quarterly report under Rule 1003(a)(1) would require 125 hours. This includes 7.5
Compliance Manager hours, 7.5 Attorney hours, 5 Chief Compliance Officer hours, 75 Senior System Analyst hours, and 30 Senior Business Analyst hours.
See 2022 PRA Supporting Statement, supra note 471.
\2\ The Commission's currently approved baseline for Rules 1002(c)(1)(ii) and (iii) is that each SCI entity will submit one supplemental report each
year. See 2022 PRA Supporting Statement, supra note 471.
\3\ The Commission's currently approved baseline is that the supplemental report under Rule 1003(a)(1) would require 15 hours. This includes 2
Compliance Manager hours, 2 Attorney hours, 1 Chief Compliance Officer hours, 7 Senior System Analyst hours, and 3 Senior Business Analyst hours. See
2022 PRA Supporting Statement, supra note 471.
The table below summarizes the average internal cost of compliance
that would be newly imposed on New SCI Entities:
--------------------------------------------------------------------------------------------------------------------------------------------------------
Total internal cost
of compliance
Estimated Cost of Average internal (estimated
Rule Respondent type respondents Number of reports compliance cost of compliance respondents x
(entities) per report per entity average internal
cost of compliance
per entity)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Rule 1003(a)(1).................. New SCI Entities.... 23 4 reports (1 per \1\ $41,480 \2\ $167,360 $3,849,280
quarter).
Rule 1003(a)(2).................. 1 supplemental \3\ 5,328 5,328 122,544
report.
--------------------------------------------------------------------------------------------------------------------------------------------------------
\1\ (7.5 Compliance Manager hours x $344) + (7.5 Attorney hours x $462) + (5 Chief Compliance Officer hours x $589) + (75 Senior Systems Analyst hours x
$316) + (30 Senior Business Analyst hours x $305) = $41,840.
\2\ $41,480 per report x 4 reports each year = $167,360.
\3\ (2 Compliance Manager hours x $344) + (2 Attorney hours x $462) + (1 Chief Compliance Officer hours x $589) + (7 Senior Systems Analyst hours x
$316) + (3 Senior Business Analyst hours x $305) = $5,328.
Rule 1003(a)(1) requires each SCI entity to establish reasonable
written criteria for identifying a change to its SCI systems and the
security of indirect SCI systems as material. The Commission
anticipates that the proposed amendment will newly impose these
requirements on New SCI Entities, and New SCI Entities will incur the
same burdens that Current SCI Entities already incur to comply with
these requirements.\538\ The Commission estimates that each New SCI
entity will initially require 114 hours to establish criteria for
identifying material systems changes and 27 hours to annually to review
and update the criteria.\539\ The table below summarizes the burden
that would be newly imposed on New SCI Entities:
---------------------------------------------------------------------------
\538\ Current SCI Entities are already required to comply with
Rule 1003(a). The burdens for compliance are summarized in the most
recent PRA Supporting Statement. See 2022 PRA Supporting Statement,
supra note 471. The proposed amendments impose no additional burden
related to this section.
\539\ These estimates reflect the Commission-approved baseline.
See 2022 PRA Supporting Statement, supra note 471. The Commission
does not anticipate that New SCI Entities would incur burdens beyond
what is estimated in the 2022 PRA Supporting Statement.
----------------------------------------------------------------------------------------------------------------
Estimated burden
hours for all
Estimated Burden hours entities (estimated
Respondent type Burden type respondents per entity respondents x
(entities) burden hours per
entity)
----------------------------------------------------------------------------------------------------------------
New SCI Entities................... Initial.............. 23 114 2,622
Annual............... 23 27 621
----------------------------------------------------------------------------------------------------------------
The table below summarizes the Commission's estimates for the cost
of compliance for New SCI Entities:
[[Page 23219]]
----------------------------------------------------------------------------------------------------------------
Total internal cost
of compliance
Estimated Average internal (estimated
Respondent type respondents cost of compliance respondents x
(entities) per entity average internal
cost of compliance
per entity)
----------------------------------------------------------------------------------------------------------------
New SCI Entities.................................... 23 \1\ $47,672 $1,096,456
\2\ 12,929 297,367
----------------------------------------------------------------------------------------------------------------
\1\ (32 Compliance Manager hours x $344) + (32 Attorney hours x $462) + (10 Senior Systems Analyst hours x $316)
+ (10 Operations Specialist hours x $152) + (20 Chief Compliance Officer hours x $589) + (10 Director of
Compliance hours x $542) = $47,672.
\2\ (4.5 Compliance Manager hours x $344) + (4.5 Attorney hours x $462) + (1.5 Senior Systems Analyst hours x
$316) + (1.5 Operations Specialist hours x $152) + (10 Chief Compliance Officer hours x $589) + (5 Director of
Compliance hours x $542) = $12,929.
The Commission does not expect SCI entities to incur any external
PRA costs in connection with the reports required under Rule 1003(a).
As for Rule 1003(b), each Current SCI Entity is already required to
perform an SCI review and therefore already incurs a baseline burden
\540\ for compliance, so the amendments should only impose a burden
required to comply with the additional requirements. Presently, none of
the New SCI Entities are required to comply with the requirements of
Rule 1003(b), but the proposed amendments will newly impose both the
baseline burden to conduct the SCI review and the additional burden to
meet the proposed requirements for the SCI review.
---------------------------------------------------------------------------
\540\ The Commission's currently approved baseline for the
annual recordkeeping burden of conducting an SCI review and
submitting the SCI review to senior management of the SCI entity for
review is 690 hours (35 Compliance Manager hours + 80 Attorney hours
+ 375 Senior Systems Analyst hours + 5 General Counsel hours + 5
Director of Compliance hours + 20 Chief Compliance Officer hours
+170 Internal Audit Manager hours). See 2022 PRA Supporting
Statement, supra note 471.
---------------------------------------------------------------------------
The Commission estimates that the proposed additional requirements
for conducting the SCI review will increase the burden of conducting
the SCI review and submitting the report by 50%. With respect to Rule
1003(b)(1) and (2), the Commission estimates an additional burden for
Current SCI Entities of 345 hours \541\ and 1,035 hours \542\ for New
SCI Entities. The table below summarizes the initial and ongoing annual
burden estimates for Current SCI Entities and New SCI Entities:
---------------------------------------------------------------------------
\541\ 690 hours (baseline burden) x 0.5 = 345 hours. This
estimate includes 17.5 hours for a Compliance Manager, 40 hours for
an Attorney, 187.5 hours for a Senior Systems Analyst, 2.5 hours for
General Counsel, 10 hours for a Chief Compliance Officer, 2.5 hours
for a Director of Compliance, and 85 hours for an Internal Audit
Manager.
\542\ 690 baseline burden hours + 345 additional burden hours =
1,035 hours. This estimate includes 52.5 hours for a Compliance
Manager, 120 hours for an Attorney, 562.5 hours for a Senior Systems
Analyst, 7.5 hours for General Counsel, 30 hours for a Chief
Compliance Officer, 7.5 hours for a Director of Compliance, and 255
hours for an Internal Audit Manager.
----------------------------------------------------------------------------------------------------------------
Estimated burden
hours for all
Estimated Burden hours entities (estimated
Respondent type respondents per entity respondents x
burden hours per
entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities...................................... 47 345 16,215
New SCI Entities.......................................... 23 1,035 23,805
----------------------------------------------------------------------------------------------------------------
The table below summarizes the Commission's estimates for the
average internal cost of compliance for Current SCI Entities and New
SCI Entities:
----------------------------------------------------------------------------------------------------------------
Total internal cost
of compliance
Average internal (estimated
Respondent type Estimated cost of compliance respondents x
respondents per entity average internal
cost of compliance
per entity
----------------------------------------------------------------------------------------------------------------
Current SCI Entities................................ 47 \1\ $123,848 $5,820,856
New SCI Entities.................................... 23 \2\ 371,543 $8,545,489
----------------------------------------------------------------------------------------------------------------
\1\ (17.5 Compliance Manager hours x $344) + (40 Attorney hours x $462) + (187.5 Senior Systems Analyst hours x
$316) + (2.5 General Counsel hours x $663) + (2.5 Director of Compliance hours x $542) + (10 Chief Compliance
Officer hours x $589) + (85 Internal Audit Manager hours x $367) = $123,848.
\2\ (52.5 Compliance Manager hours x $344) + (120 Attorney hours x $462) + (562.5 Senior Systems Analyst hours x
$316) + (7.5 General Counsel hours x $663) + (7.5 Director of Compliance hours x $542) + (30 Chief Compliance
Officer hours x $589) + (255 Internal Audit Manager hours x $367) = $371,543.
With respect to Rule 1003(b)(3), the Commission estimates that the
burden for SCI entities would increase to 25 hours from the current
baseline estimate.\543\ Thus, the Commission estimates an additional
burden for
[[Page 23220]]
Current SCI Entities of 24 hours \544\ and a new burden of 25 hours
\545\ for New SCI Entities. The table below summarizes the initial and
ongoing annual burden estimates for Current SCI Entities and New SCI
Entities:
---------------------------------------------------------------------------
\543\ The Commission's currently approved baseline to submit the
report for the SCI review to the board of directors is 1 hour (1
Attorney hour). See 2022 PRA Supporting Statement, supra note 471.
The Commission estimates an increase to 25 hours as a result of the
proposed requirement that senior management provide a response to
the SCI review.
\544\ 25 hours (revised estimate) - 1 hour (baseline estimate) =
24 hours. This estimate includes 1 hours for a Compliance Manager, 3
hours for an Attorney, 13 hours for a Senior Systems Analyst, 1
hours for a Chief Compliance Officer, and 6 hours for an Internal
Audit Manager.
\545\ This estimate includes 1 hours for a Compliance Manager, 3
hours for an Attorney, 14 hours for a Senior Systems Analyst, 1
hours for a Chief Compliance Officer, and 6 hours for an Internal
Audit Manager.
----------------------------------------------------------------------------------------------------------------
Estimated burden
hours for all
Estimated Burden hours entities (estimated
Respondent type respondents per entity respondents x
(entities) burden hours per
entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities...................................... 47 24 1,128
New SCI Entities.......................................... 23 25 575
----------------------------------------------------------------------------------------------------------------
The table below summarizes the Commission's estimates for the
average internal cost of compliance for Current SCI Entities and New
SCI Entities:
----------------------------------------------------------------------------------------------------------------
Total internal cost
of compliance
Estimated Average internal (estimated
Respondent type respondents cost of compliance respondents x
(entities) per entity average internal
cost of compliance
per entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities................................ 47 \1\ $8,629 $405,563
New SCI Entities.................................... 23 \2\ 8,945 205,735
----------------------------------------------------------------------------------------------------------------
\1\ (1 Compliance Manager hours x $344) + (3 Attorney hours x $462) + (13 Senior Systems Analyst hours x $316) +
(1 Chief Compliance Officer hours x $589) + (6 Internal Audit Manager hours x $367) = $8,629.
\2\ (1 Compliance Manager hours x $344) + (3 Attorney hours x $462) + (14 Senior Systems Analyst hours x $316) +
(1 Chief Compliance Officer hours x $589) + (6 Internal Audit Manager hours x $367) = $8,945.
Rule 1003(b) imposes recordkeeping costs for SCI entities. The
Commission estimates that while SCI entities will handle internally
some or most of the work associated with compliance with Rule 1003(b),
SCI entities will outsource some of the work associated with an SCI
review. The Commission estimates that the proposed amendments to the
SCI review would increase the annual recordkeeping cost by 50% beyond
the current baseline.\546\ The table below summarizes the Commission's
estimates for the cost of outsourcing for Current SCI Entities and New
SCI Entities:
---------------------------------------------------------------------------
\546\ The Commission-approved baseline for the annual
recordkeeping cost per SCI entity of outsourcing is $50,000. See
2022 PRA Supporting Statement, supra note 471.
----------------------------------------------------------------------------------------------------------------
Total internal cost
of compliance
Estimated Average internal (estimated
Respondent type respondents cost of compliance respondents x
(entities) per entity average internal
cost of compliance
per entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities................................ 47 \1\ $25,000 $1,175,000
New SCI Entities.................................... 23 \2\ 75,000 1,725,000
----------------------------------------------------------------------------------------------------------------
\1\ 50,000 (baseline estimate) x 0.5 = $25,000.
\2\ 50,000 (baseline estimate) x 1.5 = $75,000.
4. Rule 1004
The rules under Regulation SCI that would require an SCI entity to
mandate member or participant participation in business continuity and
disaster recovery plan testing are discussed more fully in sections
II.B, and the proposed amendments including third-party providers in
the requirement are discussed more fully in III.C.2 above.
Current SCI Entities are already required to establish standards
and designate members or participants for testing pursuant to Rule 1004
and therefore already incur baseline initial \547\ and ongoing burdens
\548\ for complying with Rule 1004, so the amendments should only
impose a burden required to comply with the additional requirements.
Presently, none of the New SCI Entities are required to comply with the
requirements of Rule 1004, but the proposed amendments will newly
[[Page 23221]]
impose both the baseline burden to establish standards for the
designation of members and participants for BC/DR testing and
coordinate industry or sector-wide basis testing and additional burden
to establish standards for the designation of third-party providers for
BC/DR testing and coordinate industry or sector-wide basis testing for
third-party providers. The Commission estimates an initial compliance
burden of 90 hours \549\ for Current SCI Entities and 450 hours \550\
for New SCI Entities. The Commission estimates an annual compliance
burden of 34 hours \551\ for Current SCI Entities and 169 hours \552\
for New SCI Entities. The table below summarizes the initial and
ongoing annual burden estimates for Current SCI Entities and New SCI
Entities:
---------------------------------------------------------------------------
\547\ The Commission's currently approved baseline for average
initial compliance burden per respondent with 17 CFR 242.1004(a)
(``Rule 1004(a)'') (i.e., establishment of standards for the
designation of members and participants) and (c) (i.e., the
coordination of testing on an industry- or sector-wide basis) is 360
hours (40 Compliance Manager hours + 60 Attorney hours + 20
Assistant General Counsel hours + 60 Senior Operations Manager hours
+ 140 Operations Specialist hours + 26 Chief Compliance Officer
hours + 14 Director of Compliance hours). See 2022 PRA Supporting
Statement, supra note 471. The estimate of 360 hours includes the
burden for designating members or participants for testing, as
required by 17 CFR 242.1004(b) (``Rule 1004(b)''). Id. at 18 n.50.
\548\ The average annual compliance burden for each SCI entity
to review and update the policies and procedures is 135 hours for
each entity that is not a plan processor. See 2022 PRA Supporting
Statement, supra note 471. None of the New SCI Entities are plan
processors, so the Commission is applying the 135 hour estimate to
the New SCI Entities.
\549\ The Commission estimates that the additional burden to
establish standards for the designation of third-party providers for
BC/DR testing and coordinate testing would be 25% of the 360 hour
baseline burden hours. 360 hours x 0.25 = 90 hours. The burden hours
include 10 Compliance Manager hours, 15 Attorney hours, 5 Assistant
General Counsel hours, 35 Operations Specialist hours, 6 Chief
Compliance Officer hours, 4 Director of Compliance hours, and 15
Senior Operations Manager hours.
\550\ 360 baseline burden hours + 90 additional burden hours =
450 hours.
\551\ The Commission estimates that the additional annual burden
would be 25% of the 135 hour baseline burden hours, or 34 hours (135
hours x 0.25). The burden hours include 3 Compliance Manager hours,
3 Attorney hours, 1 Assistant General Counsel hours, 18 Operations
Specialist hours, 3 Chief Compliance Officer hours, 1 Director of
Compliance hours, and 5 Senior Operations Manager hours.
\552\ 135 baseline burden hours + 34 additional burden hours =
169 hours.
----------------------------------------------------------------------------------------------------------------
Estimated burden
hours for all
Estimated Burden hours entities (estimated
Respondent type Burden type respondents per entity respondents x
(entities) burden hours per
entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities............... Initial.............. 47 90 4,230
Annual............... 47 34 1,598
New SCI Entities................... Initial.............. 23 450 10,350
Annual............... 23 169 3,887
----------------------------------------------------------------------------------------------------------------
The table below summarizes the Commission's estimates for the cost
of compliance for Current SCI Entities and New SCI Entities:
----------------------------------------------------------------------------------------------------------------
Total internal cost
of compliance
Estimated Average internal (estimated
Respondent type Burden type respondents cost of compliance respondents x
(entities) per entity average internal
cost of compliance
per entity)
----------------------------------------------------------------------------------------------------------------
Current SCI Entities............ Initial........... 47 \1\ $30,072 $1,413,384
Annual............ 47 \2\ 10,011 470,517
New SCI Entities................ Initial........... 23 \3\ 150,478 3,460,994
Annual............ 23 \4\ 50,331 1,157,613
----------------------------------------------------------------------------------------------------------------
\1\ (10 Compliance Manager hours x $344) + (15 Attorney hours x $462) + (5 Assistant General Counsel hours x
$518) + (35 Operations Specialist hours x $152) + (6 Chief Compliance Officer hours x $589) + (4 Director of
Compliance hours x $542) + (15 Senior Operations Manager hours x $406) = $30,072.
\2\ (3 Compliance Manager hours x $344) + (3 Attorney hours x $462) + (1 Assistant General Counsel hours x $518)
+ (18 Operations Specialist hours x $152) + (3 Chief Compliance Officer hours x $589) + (1 Director of
Compliance hours x $542) + (5 Senior Operations Manager hours x $406) = $10,011.
\3\ (50 Compliance Manager hours x $344) + (75 Attorney hours x $462) + (25 Assistant General Counsel hours x
$518) + (175 Operations Specialist hours x $152) + (32.5 Chief Compliance Officer hours x $589) + (17.5
Director of Compliance hours x $542) + (75 Senior Operations Manager hours x $406) = $150,478.
\4\ (13 Compliance Manager hours x $344) + (18 Attorney hours x $462) + (6 Assistant General Counsel hours x
$518) + (88 Operations Specialist hours x $152) + (13 Chief Compliance Officer hours x $589) + (6 Director of
Compliance hours x $542) + (25 Senior Operations Manager hours x $406) = $50,331.
The Commission continues to believe that SCI entities (other than
plan processors) would handle internally the work associated with the
requirements of Rule 1004.
5. Rule 1005
Rules 1005 and 1007 impose on SCI entities recordkeeping
requirements related to their compliance with Regulation SCI. These
requirements would be newly imposed on New SCI Entities as a result of
the proposed amendment. The table below summarizes the Commission's
estimates as to the burden that each New SCI Entity would incur to meet
the requirements of Rules 1005 and 1007: \553\
---------------------------------------------------------------------------
\553\ Current SCI Entities are already required to comply with
Rules 1005 and 1007. The burdens for compliance are summarized in
the most recent PRA Supporting Statement. See 2022 PRA Supporting
Statement, supra note 471. The proposed amendments impose no
additional burden related to this section. The Commission does not
anticipate that New SCI Entities would incur burdens beyond what is
estimated in the 2022 PRA Supporting Statement.
[[Page 23222]]
----------------------------------------------------------------------------------------------------------------
Burden hours for all
respondents
Estimated Burden hours (estimated
Respondent type Burden type respondents per SCI entity respondents x
(entities) burden hours per
SCI entity)
----------------------------------------------------------------------------------------------------------------
New SCI Entities................... Initial.............. 23 \1\ 170 3,910
Annual............... \2\ 25 575
----------------------------------------------------------------------------------------------------------------
\1\ The Commission approved baseline estimate for each new non-SRO SCI entity to set up or modify a
recordkeeping system is 170 hours. See 2022 PRA Supporting Statement, supra note 471.
\2\ The Commission approved baseline estimate for each new non-SRO SCI entity to make, keep, and preserve
records relating to compliance with Regulation SCI, as required by Rule 1005(b), is 25 hours. See 2022 PRA
Supporting Statement, supra note 471.
The table below summarizes the average internal cost of compliance
that would be newly imposed on New SCI Entities:
----------------------------------------------------------------------------------------------------------------
Total internal cost
of compliance
Estimated Average internal (estimated
Respondent type Burden type respondents cost of compliance respondents x
(entities) per entity average internal
cost of compliance
per entity)
----------------------------------------------------------------------------------------------------------------
New SCI Entities................ Initial........... 23 \1\ $13,260 $304,980
Annual............ \2\ 1,950 44,850
----------------------------------------------------------------------------------------------------------------
\1\ 170 Compliance Clerk hours x $78 per hour = $13,260.
\2\ 25 Compliance Clerk hours x $78 per hour = $1,950.
The recordkeeping requirements impose recordkeeping costs for SCI
entities other than SCI SROs. The Commission estimates that a New SCI
Entity other than an SCI SRO will incur a one-time cost of $900 for
information technology costs for purchasing recordkeeping software, for
a total of $20,700.\554\
---------------------------------------------------------------------------
\554\ $900 per SCI entity x 21 SCI entities = $18,900.
---------------------------------------------------------------------------
6. Rule 1006
SCI entities submit Form SCI through the Electronic Form Filing
System (``EFFS''), which is also used by SCI SROs to file Form 19b-4
filings. Access to EFFS establishes reporting burdens for all SCI
entities. An SCI entity will submit to the Commission an External
Application User Authentication Form (``EAUF'') to register each
individual at the SCI entity who will access the EFFS system on behalf
of the SCI entity. The Commission is including in its burden estimates
the reporting burden for completing the EAUF for each individual at a
New SCI Entity that will request access to EFFS.\555\ The table below
summarizes the initial and ongoing burdens that would be New SCI
Entities would incur to establish access to EFFS:
---------------------------------------------------------------------------
\555\ Current SCI Entities would already have incurred these
burdens, which are summarized in the most recent PRA Supporting
Statement. See 2022 PRA Supporting Statement, supra note 471. The
proposed amendments impose no additional burden related to this
section. The Commission does not anticipate that New SCI Entities
would incur burdens beyond what is estimated in the 2022 PRA
Supporting Statement.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Burden hours per Burden hours for all
Number of SCI entity (number respondents
Estimated individuals Time to of individuals (estimated
Respondent type Type of burden respondents requesting complete EAUF requesting access x respondents x
(entities) access time to complete burden hours per
EAUF) SCI entity)
--------------------------------------------------------------------------------------------------------------------------------------------------------
New SCI Entities.................... Initial............... 23 \1\ 2 \2\ 0.15 0.3 6.9
Annual................ \3\ 1 0.15 3.5
--------------------------------------------------------------------------------------------------------------------------------------------------------
\1\ The Commission approved baseline estimate for the number of individuals per SCI entity who will request access to EFFS initially through the EAUF is
two individuals. See 2022 PRA Supporting Statement, supra note 471.
\2\ The Commission approved baseline estimate to complete the EAUF is 0.15 hours. See 2022 PRA Supporting Statement, supra note 471.
\3\ The Commission approved baseline estimate for the number of individuals per SCI entity who will request access to EFFS annually through the EAUF is
one individual. See 2022 PRA Supporting Statement, supra note 471.
The table below summarizes the average internal cost of compliance
that would be newly imposed on New SCI Entities:
[[Page 23223]]
----------------------------------------------------------------------------------------------------------------
Total internal cost
of compliance
Estimated Average internal (estimated
Respondent type Burden type respondents cost of compliance respondents x
(entities) per entity average internal
cost of compliance
per entity)
----------------------------------------------------------------------------------------------------------------
New SCI Entities................ Initial........... 23 \1\ $139 $3,197
Annual............ \2\ 69 1,587
----------------------------------------------------------------------------------------------------------------
\1\ 0.3 Attorney hours x $462 = $139.
\2\ 0.15 Attorney hours x $462 = $69.
Obtaining the ability for an individual to electronically sign a
Form SCI imposes reporting costs for SCI entities. The table below
summarizes the cost for individuals at each New SCI Entity to obtain
digital IDs to sign Form SCI:
--------------------------------------------------------------------------------------------------------------------------------------------------------
Cost per SCI entity
(number of Cost for all
Estimated Number of Cost to obtain individuals respondents
Respondent type respondents individuals to digital ID requesting access x (estimated
(entities) sign form SCI time to complete respondents x burden
EAUF) hours per SCI entity)
--------------------------------------------------------------------------------------------------------------------------------------------------------
New SCI Entities....................................... 23 \1\ 2 \2\ $25 $50 $1,150
--------------------------------------------------------------------------------------------------------------------------------------------------------
\1\ The Commission approved baseline estimate for the number of individuals per SCI entity who will sign Form SCI each year is two individuals. See 2022
PRA Supporting Statement, supra note 471.
\2\ The Commission approved baseline estimate to obtain a digital ID is $50. See 2022 PRA Supporting Statement, supra note 471.
7. Summary of the Information Collection Burden
The table below summarizes the Commission's estimate of the total
hourly burden, total internal costs of compliance, and external cost
estimates for SCI entities under Regulation SCI.
----------------------------------------------------------------------------------------------------------------
Burden hours Costs of compliance
Rule Respondent type ---------------------------------------------------------------
Initial Annual Initial Annual
----------------------------------------------------------------------------------------------------------------
Policies and procedures Current SCI 18,142 2,726 $6,804,989 $1,099,941
required by Rule 1001(a) Entities. 20,470 3,335 7,667,533 1,341,245
(except Rule 1001(a)(2)(vi)) New SCI Entities
(Recordkeeping).
Policies and procedures New SCI Entities 3,680 3,335 1,402,540 1,204,740
required by Rule
1001(a)(2)(vi)
(Recordkeeping).
Costs for outside legal/ Current SCI N/A N/A 1,365,350 N/A
consulting services in Entities. N/A N/A 1,697,400 N/A
initial preparation of New SCI Entities
policies and procedures
required by Rule 1001(a)
(Recordkeeping).
Policies and procedures Current SCI 18,142 2,726 8,170,339 1,099,941
required by Rule 1001(a) Entities. 24,150 6,670 10,767,473 2,545,985
Total. New SCI Entities
Policies and procedures New SCI Entities 6,210 2,185 2,222,720 808,220
required by Rule 1001(b)
(Recordkeeping).
Costs for outside legal/ New SCI Entities N/A N/A 621,000 0
consulting services in
initial preparation of
policies and procedures
required by Rule 1001(b)
(recordkeeping).
Policies and procedures New SCI Entities 6,210 2,185 2,843,720 808,220
required by Rule 1001(b)
Total.
Policies and procedures New SCI Entities 2,622 897 1,096,456 400,821
required by Rule 1001(c)
(Recordkeeping).
Mandate participation in Current SCI 4,230 1,598 1,413,384 470,517
certain testing required by Entities. 10,350 3,887 3,460,994 1,157,613
Rule 1004 (Recordkeeping). New SCI Entities
SCI Event Notice Required By Current SCI 235 235 81,663 81,663
Rule 1002(b)(1) (Reporting). Entities. 299 299 103,477 103,477
New SCI Entities
External Legal Costs for Rule Current SCI N/A N/A 25,556 25,556
1001(b)(1) (Reporting). Entities. N/A N/A 33,350 33,350
New SCI Entities
SCI Event Notice Required By Current SCI 235 235 107,219 107,219
Rule 1002(b)(1) Total. Entities. 299 299 136,827 136,827
New SCI Entities
SCI Event Notice Required By Current SCI 3,384 3,384 1,249,683 1,249,683
Rule 1002(b)(2) (Reporting). Entities. 4,416 4,416 1,630,792 1,630,792
New SCI Entities
External Legal Costs for Rule Current SCI N/A N/A 25,556 25,556
1001(b)(2) (Reporting). Entities. N/A N/A 33,350 33,350
New SCI Entities
SCI Event Notice Required By Current SCI 3,384 3,384 1,275,239 1,275,239
Rule 1002(b)(2) Total. Entities. 4,416 4,416 1,664,142 1,664,142
New SCI Entities
SCI Event Notice Required By Current SCI 493.5 493.5 172,819 172,819
Rule 1002(b)(3) (Reporting). Entities. 483 483 169,142 169,142
New SCI Entities
External Legal Costs for Rule Current SCI N/A N/A 17,038 17,038
1002(b)(3) (Reporting). Entities. N/A N/A 16,675 16,675
New SCI Entities
[[Page 23224]]
SCI Event Notice Required By Current SCI 493.5 493.5 189,857 189,857
Rule 1002(b)(3) Total. Entities. 483 483 185,817 185,817
New SCI Entities
SCI Event Notice Required By Current SCI 4,935 4,935 1,927,752 1,927,752
Rule 1002(b)(4) (Reporting). Entities. 6,440 6,440 2,515,648 2,515,648
New SCI Entities
External Legal Costs for Current SCI N/A N/A 25,556 25,556
1001(b)(4) (Reporting). Entities. N/A N/A 33,350 33,350
New SCI Entities
SCI Event Notice Required By Current SCI 4,935 4,935 1,953,308 1,953,308
Rule 1002(b)(4) Total. Entities. 6,440 6,440 2,548,998 2,548,998
New SCI Entities
SCI Event Notice Required By Current SCI (752) (752) (284,444) (284,444)
Rule 1002(b)(5) (Reporting). Entities. 3,312 3,312 1,252,948 1,252,948
New SCI Entities
External Legal Costs for Rule Current SCI N/A N/A 0 0
1002(b)(5) (Reporting). Entities. N/A N/A 16,675 16,675
New SCI Entities
SCI Event Notice Required By Current SCI (752) (752) (284,444) (284,444)
Rule 1002(b)(5) Total. Entities. 3,312 3,312 1,269,623 1,269,623
New SCI Entities
Dissemination of information New SCI Entities 3,174 3,174 1,400,194 1,400,194
required by Rule 1002(c)(1)
(Third-Party Disclosure).
External Legal Costs for Rule New SCI Entities N/A N/A 57,270 57,270
1002(c)(1) (Third-Party
Disclosure).
Dissemination of information New SCI Entities 3,174 3,174 1,457,464 1,457,464
required by Rule 1002(c)(1)
Total.
Dissemination of information Current SCI 1,410 1,410 621,246 621,246
required by Rule 1002(c)(2) Entities. 920 920 405,352 405,352
(Third-Party Disclosure). New SCI Entities
External Legal Costs for Rule Current SCI N/A N/A 29,257.50 29,257.50
1002(c)(2) (Third-Party Entities. N/A N/A 19,090 19,090
Disclosure). New SCI Entities
Dissemination of information Current SCI 1,410 1,410 650,503.5 650,503.5
required by Rule 1002(c)(2) Entities. 920 920 424,442 424,442
Total. New SCI Entities
Burden to develop processes to New SCI Entities 4,554 897 1,797,312 396,934
identify the nature of a
system or event.
Establish reasonable written Current SCI 4,183 681.5 1,742,055 326,462
criteria for identifying a Entities. 2,047 333.5 852,495 159,758
significant attempted New SCI Entities
unauthorized systems
intrusion.
Material systems change notice New SCI Entities 11,845 11,845 3,971,824 3,971,824
required by Rule 1003(a)(1)
and (2) (Reporting).
Establish reasonable written New SCI Entities 2,622 621 1,096,456 297,367
criteria for identifying a
material change to its SCI
systems and the security of
indirect SCI systems.
SCI review required by Rule Current SCI 16,215 16,215 5,820,856 5,820,856
1003(b)(1) and (2) Entities. 23,805 23,805 8,545,489 8,545,489
(Recordkeeping). New SCI Entities
SCI review required by Rule Current SCI 1,128 1,128 405,563 405,563
1003(b)(3) (Reporting). Entities. 575 575 205,735 205,735
New SCI Entities
External Legal Costs for Rule Current SCI N/A N/A 1,175,000 1,175,000
1003(b) (Recordkeeping). Entities. N/A N/A 1,725,000 1,725,000
New SCI Entities
SCI Review Costs (Rule Current SCI 17,343 17,343 7,401,419 7,401,419
1003(b)) Total. Entities. 24,380 24,380 10,476,224 10,476,224
New SCI Entities
Corrective action required by Current SCI 1,081 N/A 449,132 N/A
Rule 1002(a) (Recordkeeping). Entities. 3,151 897 1,316,244 396,934
New SCI Entities
Recordkeeping required by New SCI Entities 3,910 575 304,980 44,850
Rules 1005/1007
(Recordkeeping).
One-time cost to purchase New SCI Entities N/A N/A 20,700 N/A
recordkeeping software Rules
1005/1007 (Recordkeeping).
Total recordkeeping costs New SCI Entities 3,910 575 325,680 44,850
required by Rules 1005/1007.
Request access to EFFS (Rule New SCI Entities 6.9 3.5 3,197 1,587
1006) (Reporting).
Rule 1006--obtain digital IDs New SCI Entities N/A N/A 1,150 1,150
(Reporting).
Total Costs to comply with New SCI Entities 6.9 3.5 4,347 2,737
Rule 1006.
---------------------------------------------------------------
Total......................... Overall Total... 169,576 104,289 68,764,549 41,536,601
Current SCI 54,685 32,054 23,068,011 13,190,021
Entities. 112,845 72,235 45,696,538 28,346,580
New SCI Entities
Per Entity Hourly Burden/Cost. Current SCI 1,163 682 490,808.75 280,639.75
Entities \1\. 4,995 3,141 1,986,806 1,232,460
New SCI Entities
----------------------------------------------------------------------------------------------------------------
\1\ As noted earlier, currently no SCI competing consolidators have registered with the Commission. See supra
note 469. To the extent that a competing consolidator registers with the Commission, its initial and ongoing
burdens as a result of the proposed amendments would be the same as the initial and ongoing burden per entity
calculated for Current SCI Entities.
[[Page 23225]]
In summary, the estimated paperwork related compliance burdens for
SCI entities as a result of the amendments are approximately 170,000
hours and $69 million initially and approximately 104,000 hours and $41
million annually.
E. Collection of Information Is Mandatory
The collections of information pursuant to Regulation SCI is
mandatory as to all entities subject to the rule.
F. Confidentiality of Responses to Collection of Information
The Commission expects that the written policies and procedures,
processes, criteria, standards, or other written documents developed or
revised by SCI entities pursuant to Regulation SCI will be retained by
SCI entities in accordance with, and for the periods specified in 17
CFR 240.17a-1 (``Rule 17a-1'' of the Exchange Act) and Rule 1005, as
applicable. Should such documents be made available for examination or
inspection by the Commission and its representatives, they would be
kept confidential subject to the provisions of applicable law.\556\ In
addition, the information submitted to the Commission pursuant to
Regulation SCI that is filed on Form SCI, as required by Rule 1006,
will be treated as confidential, subject to applicable law, including
amended 17 CFR 240.24b-2 (``Rule 24b-2'').\557\ The information
disseminated by SCI entities pursuant to Rule 1002(c) under Regulation
SCI to their members or participants will not be confidential.
---------------------------------------------------------------------------
\556\ See, e.g., 15 U.S.C. 78x (governing the public
availability of information obtained by the Commission); 5 U.S.C.
552 et seq.
\557\ See, e.g., 15 U.S.C. 78x (governing the public
availability of information obtained by the Commission); 5 U.S.C.
552 et seq. See also Form SCI section IV (including a provision
stating ``Confidential treatment is requested pursuant to 17 CFR
240.24b-2(g) (``Rule 24b-(g)'')).
---------------------------------------------------------------------------
G. Request for Comment
Pursuant to 44 U.S.C. 3506(c)(2)(B), the Commission solicits
comment on the proposed collections of information in order to:
91. Evaluate whether the proposed collections of information are
necessary for the proper performance of the functions of the
Commission, including whether the information would have practical
utility;
92. Evaluate the accuracy of the Commission's estimates of the
burden of the proposed collections of information;
93. Determine whether there are ways to enhance the quality,
utility, and clarity of the information to be collected; and
94. Evaluate whether there are ways to minimize the burden of the
collection of information on those who respond, including through the
use of automated collection techniques or other forms of information
technology.
Persons submitting comments on the collection of information
requirements should direct them to the Office of Management and Budget,
Attention: Desk Officer for the Securities and Exchange Commission,
Office of Information and Regulatory Affairs, Washington, DC 20503, and
should also send a copy of their comments to Vanessa A. Countryman,
Secretary, Securities and Exchange Commission, 100 F Street NE,
Washington, DC 20549-1090, with reference to File Number S7-07-23.
Requests for materials submitted to OMB by the Commission with regard
to this collection of information should be in writing, with reference
to File Number S7-07-23 and be submitted to the Securities and Exchange
Commission, Office of FOIA/PA Services, 100 F Street NE, Washington, DC
20549-2736. As OMB is required to make a decision concerning the
collections of information between 30 and 60 days after publication, a
comment to OMB is best assured of having its full effect if OMB
receives it within 30 days of publication.
V. Economic Analysis
A. Introduction
The Commission is sensitive to the economic effects, including the
costs and benefits, of its rules. When engaging in rulemaking pursuant
to the Exchange Act that requires the Commission to consider or
determine whether an action is necessary or appropriate in the public
interest, section 3(f) of the Exchange Act requires the Commission to
consider, in addition to the protection of investors, whether the
action would promote efficiency, competition, and capital formation. In
addition, section 23(a)(2) of the Exchange Act requires the Commission
in making rules pursuant to the Exchange Act to consider the impact any
such rule would have on competition. The Exchange Act prohibits the
Commission from adopting any rule that would impose a burden on
competition not necessary or appropriate in furtherance of the purposes
of the Exchange Act.
As explained above, the Commission believes that developments in
the U.S. securities markets since the adoption of Regulation SCI in
2014 warrant expanding the scope of Regulation SCI as well as
strengthening the obligations of SCI entities. These developments
include the growth of electronic trading, which allows greater volumes
of securities transactions to take place across a multitude of trading
systems in our markets. In addition, large institutional and other
professional market participants today employ sophisticated methods to
trade electronically on multiple venues simultaneously in ever-
increasing volumes with increasing speed. In recent years, financial
institutions have increasingly used and relied on third parties that
provide information and communications technology systems.\558\
Together, these developments have resulted in greater dispersal,
sophistication, and interconnection of the systems underpinning our
U.S. securities markets, thereby bringing potential new risks.
---------------------------------------------------------------------------
\558\ See, e.g., FINRA, Cloud Computing in the Securities
Industry (Aug. 16, 2021), available at https://www.finra.org/rules-guidance/key-topics/fintech/report/cloud-computing; see also
Franklin Allen et al., A Survey of Fintech Research and Policy
Discussion, 1 Rev. Corp. Fin. 259, 259 (2021) (``Cloud storage and
cloud computing have also played increasing roles in payment
systems, financial services, and the financial system overall'').
See also Financial Stability Board, Regulatory and Supervisory
Issues Relating to Outsourcing and Third-Party Relationships,
(discussion paper Nov. 9, 2020), available at https://www.fsb.org/wp-content/uploads/P091120.pdf.
---------------------------------------------------------------------------
The proposed amendments to Regulation SCI would expand the
definition of ``SCI entity'' to include a broader range of entities
that perform key functions in U.S. securities market infrastructure,
and update certain other definitions and provisions to take account of
technological market developments, including cybersecurity and vendor
management, since the adoption of Regulation SCI in 2014. The proposed
expansion would add to the definition of ``SCI entity'' registered
security-based swap data repositories, and registered broker-dealers
exceeding certain asset and transaction activity thresholds, and the
proposal would expand the category of exempt clearing agencies subject
to Regulation SCI to include all clearing agencies exempted from
registration. Additional proposed amendments to Regulation SCI are
designed to update the requirements of Regulation SCI relating to: (i)
systems classification and lifecycle management; (ii) vendor
management; (iii) cybersecurity; (iv) SCI review; (v) current SCI
industry standards; and (vi) other matters.
The Commission is sensitive to the economic effects of the proposed
expansion and strengthening of Regulation SCI, including its costs and
benefits. As discussed further below, the Commission requests comment
on all
[[Page 23226]]
aspects of the costs and benefits of the proposal, including any
effects the proposed rules may have on efficiency, competition, and
capital formation.
B. Baseline
The Commission proposes to expand the scope of Regulation SCI to
include new entities as well as strengthen the obligations of SCI
entities. In order to assess the benefits and costs that can properly
be attributed to the proposed rules, the Commission begins by
considering the relevant baselines--the current market practices as
well as applicable regulations in the absence of these proposed rules.
1. New SCI Entities
The proposed rules will affect new SCI entities, specifically
SBSDRs, certain broker-dealers, and certain exempt clearing agencies,
in addition to existing SCI entities. The baseline for each category of
entities is discussed in turn, including applicable regulatory
baselines and relevant market descriptions.
a. Registered Security-Based Swap Data Repositories
i. Affected Parties
The Commission proposes to include SBSDRs as SCI entities. SBSDRs
are required for the dissemination of SBS market data to provide price
transparency, limit risk posed to the maintenance of fair and orderly
markets, promote the market stability, prevent market abuses, and
reduce operational risk. They play an important role in transparency in
the market for SBSs and make available to the Commission SBS data that
will provide a broad view of this market and help monitor for pockets
of risk and potential market abuses that might not otherwise be
observed by the Commission and other relevant authorities.
Security-based swaps entail the transfer of financial obligations
between two parties with sometimes a long time horizon. Counterparties
to a security-based swap rely on each other's creditworthiness and bear
this credit risk and market risk until the security-based swap
terminates or expires.\559\ The information provided by SBSDRs, such as
individual counterparty trade and position data, helps the Commission
gain a better understanding of the actual and potential market
risks.\560\ This information also helps the Commission and other
relevant authorities investigate market manipulation, fraud, and other
market abuses.
---------------------------------------------------------------------------
\559\ For cleared trades, the clearing agencies generally step
in the place of the original counterparties and effectively assume
the risk should there be a default.
\560\ See SBSR Adopting Release, supra note 96 (for information
required to be reported by SBSDRs to the Commission).
---------------------------------------------------------------------------
As of February 2023, two data repositories for security-based swap
markets are registered with the Commission. The registered SBSDRs are
Depository Trust & Clearing Corporation Data Repository (``DDR'') and
the ICE Trade Vault (``ITV''). DDR operates as a registered SBSDR for
security-based swap transactions in the credit, equity, and interest
rate derivatives asset classes. ITV operates as a registered SBSDR for
security-based swap transactions in the credit derivatives asset
class.\561\ As of March 2022, 47 entities had registered with the
Commission as security-based swap dealers and pursuant to Regulation
SBSR, they are required to report the trade activities to the
SBSDRs.\562\ In total, these two SBSDRs received approximately 542.6
million reports \563\ between November 2021 and September 2022, from
contracts of 15,593 distinct counterparties.\564\
---------------------------------------------------------------------------
\561\ See DTCC Data Repository (U.S.) LLC; Order Approving
Application, supra note 111; ICE Trade Vault, LLC; Order Approving
Application, supra note 111. Note that additional entities may
register as SBSDRs in the future.
\562\ See List of Registered Security-Based Swap Dealers and
Major Security-Based Swap Participants, supra note 110 (providing
the list of registered security-based swap dealers and major SBS
participants that was updated as of Mar. 28, 2022).
\563\ The transaction reports include not only the initial
trade, but also life-cycle events.
\564\ Number of reports and number of counterparties are
calculated from trade activities data of the DDR and ITV reports.
Number of counterparties is calculated as the number of unique
counterparties' IDs. Due to data limitation, we only included
reports occurred on or after Nov. 8, 2021.
---------------------------------------------------------------------------
ii. Regulatory Baseline
As discussed above in section III.A.2, SBSDRs are subject to Rule
13n-6, which requires that ``every security-based swap data repository,
with respect to those systems that support or are integrally related to
the performance of its activities, shall establish, maintain, and
enforce written policies and procedures reasonably designed to ensure
that its systems provide adequate levels of capacity, integrity,
resiliency, availability, and security.'' \565\ The SBSDRs registered
with the Commission are also registered with the CFTC as swap data
repositories and accordingly are also subject to CFTC rules and
regulations related to swap data repositories, including the ``SDR
System Safeguards'' rule.\566\ That rule requires swap data
repositories to establish and maintain emergency procedures,
geographically diverse backup facilities and staff, and a business
continuity and disaster recovery plan that should enable next day
resumption of the swap data repository's operations following the
disruption.\567\
---------------------------------------------------------------------------
\565\ See 17 CFR 240.13n-6.
\566\ See 17 CFR 49.24.
\567\ See 17 CFR 49.24(a).
---------------------------------------------------------------------------
In addition, the rule requires programs of risk analysis and
oversight with respect to its operations and automated systems to
address each of the following categories of risk analysis and
oversight: (1) information security; (2) business continuity and
disaster recovery planning and resources; (3) capacity and performance
planning; (4) systems operations; (5) systems development and quality
assurance; (6) physical security and environmental controls; and (7)
enterprise risk management.\568\ This rule also requires systems
monitoring to identify potential systems disruptions and cybersecurity
attacks via provisions relating to capacity and performance planning,
information security, and physical security and environmental controls.
It also requires swap data repositories to maintain a security incident
response plan that must include, among other items, policies and
procedures for reporting security incidents and for internal and
external communication and information sharing regarding security
incidents, the hand-off and escalation points in its security incident
response process, and the roles and responsibilities of its management,
staff and independent contractors in responding to security
incidents.\569\
---------------------------------------------------------------------------
\568\ See 17 CFR 49.24(b).
\569\ See 17 CFR 49.24.
---------------------------------------------------------------------------
Furthermore, the rule requires regular, periodic testing and review
of business continuity and disaster recovery capabilities.\570\ Under
the rule, both the senior management and the board of directors of a
swap data repository receive and review reports setting forth the
results of the specified testing and assessment. A swap data repository
is required to establish and follow appropriate procedures for the
remediation of issues identified through the review, and for evaluation
of the effectiveness of testing and assessment protocols.\571\
---------------------------------------------------------------------------
\570\ Id.
\571\ 17 CFR 49.24(m) (Internal reporting and review).
---------------------------------------------------------------------------
The System Safeguards rule requires SDRs to conduct testing and
review sufficiency to ensure that their
[[Page 23227]]
automated systems are reliable, secure, and have adequate scalable
capacity.\572\ The System Safeguards rule requires SDRs to conduct
external and internal penetration testing at a frequency determined by
an appropriate risk analysis, but no less frequently than
annually.\573\
---------------------------------------------------------------------------
\572\ See 17 CFR 49.24(j).
\573\ See 17 CFR 49.24(j)(3).
---------------------------------------------------------------------------
The System Safeguards rule also specifies and defines five types of
system safeguards testing that a SDR necessarily must perform to
fulfill the testing requirement: vulnerability testing; penetration
testing; controls testing; security incident response plan testing; and
enterprise technology risk assessment.\574\ SDRs are required to notify
CFTC staff of any system malfunctions, cyber security incidents, or
activation of the business continuity and disaster recovery plan.\575\
A swap data repository must also give CFTC staff advance notice of
planned changes to automated systems that may affect the reliability,
security, or adequate scalable capacity of such systems.\576\ Finally,
the CFTC's System Safeguards rule requires an SDR to follow generally
accepted standards and best practices with respect to the development,
operation, reliability, security, and capacity of automated systems
related to SDR data.\577\
---------------------------------------------------------------------------
\574\ Id.
\575\ See 17 CFR 49.24(g).
\576\ See 17 CFR 49.24(h).
\577\ See 17 CFR 49.24(c).
---------------------------------------------------------------------------
b. Broker-Dealers
i. Affected Parties
The Commission is proposing to expand the application of Regulation
SCI to include certain broker-dealers in the definition of SCI entity.
There are approximately 3,500 broker-dealers registered with the
Commission pursuant to section 15(b) of the Exchange Act as of Q3
2022.\578\ Figure 1 represents the distribution of all registered
broker-dealer firms between Q4 2021 and Q3 2022 by level of total
assets \579\ (Panel A) and by percentage of aggregate total assets
\580\ (Panel B) with firm size (Panel A) and percentage of aggregate
total assets (Panel B) increasing along the x-axis from left to right.
These entities encompass a broad range of sizes, business activities,
and business models.\581\ The distribution of firms \582\ by level of
total assets (Panel A) shows that the vast majority of firms \583\ fall
somewhere within the $30,000 to $450,000,000 dollar range, with a small
minority of firms showing up as a descending long right tail. The
distribution of broker-dealers \584\ by percentage of aggregate total
assets (Panel B) shows that a small number of firms individually had
percentages of aggregate total assets in the high single digits to low
double digits.
---------------------------------------------------------------------------
\578\ See supra note 131.
\579\ The level of total assets is measured by the average
quarterly total assets for each broker-dealer between Q4 2021 and Q3
2022.
\580\ The percentage of aggregate total assets is estimated by
the average quarterly percentage of aggregate total assets for each
broker-dealer between Q4 2021 and Q3 2022.
\581\ See 2022 FINRA Industry Snapshot, supra note 131.
\582\ Panel A of Figures 1 through 5 is represented on a
logarithmic scale for ease of viewing when the distribution is far
less evenly distributed if displayed using a standard x-axis.
\583\ This represents the range of the average quarterly total
assets for firms that fall between the 5th and 95th percentile.
\584\ The number of individual firms in Panel B of Figures 1
through 5 is more visible here due to use of a standard x-axis even
though the y-axis is represented logarithmically. The use of a
logarithmic y-axis does however flatten the overall distribution
with a disproportionate effect on the firms with percentage of
aggregate average daily dollar volume between 0% and 2.5% making it
slightly less obvious upon first glance that the vast majority of
firms actually fall between 0% and 2.5%.
---------------------------------------------------------------------------
BILLING CODE 8011-01-P
[GRAPHIC] [TIFF OMITTED] TP14AP23.000
Figures 2 through 5 represent the distribution of firms by level of
transaction activity \585\ as measured by average daily dollar volume
\586\ (Panel A) and the distribution of firms by percentage of
transaction activity \587\ (Panel B) for each of four asset classes
including NMS stocks, exchange-listed options, U.S. Treasury
Securities, and Agency Securities respectively. The distributions of
firms \588\ by level of transaction activity (Panel A) show that the
vast majority of firms \589\ fall somewhere within the $30,000 to $14.4
billion dollar range, $500,000 to $3.1 billion dollar range, $2,000 to
$4.0 billion dollar range, and $500 to $1.2 billion dollar range for
the NMS, stock
[[Page 23228]]
exchange-listed options, U.S. Treasury Securities, and Agency
Securities markets, respectively.
---------------------------------------------------------------------------
\585\ The level of transaction activity in Panel A of Figures 2
through 5 is measured by the average of monthly average daily dollar
volume for each broker-dealer from Jan. 2022 to June 2022.
\586\ These measures are described in more detail in section
III.A.2.b.iii.
\587\ Id.
\588\ See supra note 582.
\589\ This represents the range of the average of monthly
average daily dollar volume for firms that fall between the 5th and
95th percentile.
---------------------------------------------------------------------------
Figures 2 through 5 (Panel B), showing the distribution of broker-
dealers by percentage of aggregate average daily dollar volume,\590\
indicate that a very small number of firms \591\ individually had
percentages of aggregate average daily dollar volume in the high single
digits to low double digits.
---------------------------------------------------------------------------
\590\ The percentage of aggregate average daily dollar volume in
Panel B of figures 2 through 5 is estimated by the average of
monthly percentage for each broker-dealer of aggregate average daily
dollar volume reported to the plan processors (SIPs) of the CTA/CQ
Plans and Nasdaq UTP Plan, OPRA Plan, or FINRA TRACE in each
respective asset class from Jan. 2022 to June 2022.
\591\ See supra note 584.
[GRAPHIC] [TIFF OMITTED] TP14AP23.001
[GRAPHIC] [TIFF OMITTED] TP14AP23.002
[[Page 23229]]
[GRAPHIC] [TIFF OMITTED] TP14AP23.003
[GRAPHIC] [TIFF OMITTED] TP14AP23.004
BILLING CODE 8011-01-C
A substantial number of firms had transaction activity \592\ across
these four markets: 336 had transaction activity in NMS equities,\593\
105 had options transaction activity,\594\ 703 had transaction activity
in U.S. Treasury Securities,\595\ and 461 had transaction activity in
Agency Securities.\596\
---------------------------------------------------------------------------
\592\ The number of firms that had transaction activity here may
be different than the number of firms that reported business lines
on Form BD at least in part due to differences in how business
activities are categorized on Form BD, and also because firms are
able to indicate lines of business based on expected business rather
than current business. With respect to categorical differences, Form
BD does not allow firms to distinguish between NMS and OTC equity
business as both types of stocks can be traded over the counter.
Additionally, Form BD does not distinguish between lines of business
for exchange-traded or OTC options. Finally, Form BD allows firms to
indicate government securities broker or dealer lines of business
but does not allow firms to specify more granularly treasury or
agency securities businesses.
\593\ Estimate is based on Consolidated Audit Trail (CAT) data
from Jan. 2022 to June 2022.
\594\ Id.
\595\ Estimate is based on TRACE for Treasury Securities data
from Jan. 2022 to June 2022 and firm names as of Feb. 1, 2023.
\596\ Estimate is based on regulatory TRACE data from Jan. 2022
to June 2022.
---------------------------------------------------------------------------
ii. Regulatory Baseline
As discussed above in section III.A.2.b.ii, there are already a
number of Exchange Act and FINRA rules that affect how broker-dealers
design and maintain their technology and promote business continuity
and regulatory compliance. These include: Commission broker-dealer
rules; \597\ FINRA supervision rules \598\ (discussed at length in
section III.A.2.b); and FINRA's business continuity and reporting rules
(Rule 4370 and 4530, respectively) discussed previously in section
III.A2.b and further in this section. Furthermore, the Commission's
cybersecurity-related regulations (Regulation S-P and 17 CFR part 248,
subpart C (Regulation S-ID)) are discussed further below.\599\
---------------------------------------------------------------------------
\597\ See supra section III.A.2.b (discussing Rules 17a-3, 17a-
4, 17a-11, 15c3-1, 15c3-3, and 15c3-5 (the Market Access Rule)).
\598\ FINRA rule 3110 and 3130.
\599\ See supra note 156.
---------------------------------------------------------------------------
FINRA Rule 4370 primarily requires that each broker-dealer create
and maintain a written business continuity plan \600\ identifying
procedures relating
[[Page 23230]]
to an emergency or significant business disruption that are reasonably
designed to enable them to meet their existing obligations to customers
with explicit requirements for data back-up and recovery with respect
to mission critical systems as well as an alternate physical location
of employees.\601\ Each broker-dealer must update its plan in the event
of any material change to the member's operations, structure, business
or location. Each member must also conduct an annual review of its
business continuity plan to determine whether any modifications are
necessary in light of changes to the member's operations, structure,
business, or location. FINRA identified that firms \602\ frequently
tested their BC/DRs plans as part of their annual review and also
included key vendors in those tests.\603\ Furthermore, a broker-dealer
must disclose to its customers through public disclosure statements how
its business continuity plan addresses the possibility of a future
significant business disruption and how the member plans to respond to
events of varying scope. Such required business continuity public
disclosure statements \604\ offer some summary information on broker-
dealer actual practices that relate to FINRA Rule 4370. Recent FINRA
exam findings reports \605\ in relation to FINRA Rule 4370 suggest
increasing attention by broker-dealers to operational resiliency issues
and the value of capacity planning, stress testing, and the review of
testing and development methodology.
---------------------------------------------------------------------------
\600\ See FINRA, 2019 Report on Examination Findings and
Observations: Business Continuity Plans (BCPs) (Oct. 16, 2019),
available at https://www.finra.org/rules-guidance/guidance/reports/2019-report-exam-findings-and-observations. Broker-dealers are
required to conduct an annual review of their business continuity
plans along with recommended testing and evaluation of its
effectiveness with vendor participation.
\601\ FINRA Rules 4370, 3110 (Supervision), and 4511 (General
Requirements), as well as Securities Exchange Act of 1934 (Exchange
Act) Rules 17a-3 and 17a-4.
\602\ FINRA did not disclose the number or identity of these
firms.
\603\ See FINRA, 2019 Report on Examination Findings and
Observations: Business Continuity Plans (BCPs), supra note 600.
\604\ While broker-dealers are required to provide a brief
summary disclosure statement regarding their BCPs to customers, they
do not disclose the actual BCP. Based on a review of 2021 and 2022
BCP disclosure statements, firms often did not provide any detail on
operational capacity to meet demand surges or any specific
timeframes for resumption of service. They sometimes mention the use
of redundant service centers, data centers, systems, and staff
across geographically diverse locations in case primary centers and
systems go offline; immediate failover to backup systems and plans
to restore services quickly in the event of a technology disruption;
and review of third parties' business contingency plans.
\605\ See FINRA, 2022 Report on FINRA's Examination and Risk
Monitoring Program (Feb. 9, 2022), available at https://www.finra.org/sites/default/files/2022-02/2022-report-finras-examination-risk-monitoring-program.pdf. See also FINRA, 2020 Risk
Monitoring and Examination Priorities Letter (Jan. 9, 2020),
available at https://www.finra.org/rules-guidance/communications-firms/2020-risk-monitoring-and-examination-priorities-letter; FINRA,
Equity Trading Initiatives: Supervision and Control Practices for
Algorithmic Trading Strategies (Mar. 2015), available at https://www.finra.org/sites/default/files/notice_doc_file_ref/Notice_Regulatory_15-09.pdf.
---------------------------------------------------------------------------
FINRA rules relating to supervision \606\ require each member to
establish, maintain, and enforce written procedures to supervise the
types of business in which it engages and the activities of its
associated persons that are reasonably designed to achieve compliance
with applicable securities laws and regulations including Federal
cybersecurity laws and regulations applicable to broker-dealers such as
Regulation S-P \607\ and Regulation S-ID.\608\ As discussed in section
III.D.1.c.i, Regulation S-P's safeguards provisions require broker-
dealers to adopt written policies and procedures that address
administrative, technical, and physical safeguards for the protection
of customer records and information.\609\ The Regulation S-P Safeguards
Rule further provides that these policies and procedures must: (1)
insure the security and confidentiality of customer records and
information; (2) protect against any anticipated threats or hazards to
the security or integrity of customer records and information; and (3)
protect against unauthorized access to or use of customer records or
information that could result in substantial harm or inconvenience to
any customer.\610\ Additionally, the Regulation S-P Disposal Rule
requires broker-dealers that maintain or otherwise possess consumer
report information for a business purpose to properly dispose of the
information by taking reasonable measures to protect against
unauthorized access to or use of the information in connection with its
disposal.\611\ In contrast, Regulation S-ID is more narrowly concerned
with identity theft. Broker-dealers subject to Regulation S-ID must
develop and implement a written identity theft program that includes
policies and procedures to identify and detect relevant red flags.\612\
---------------------------------------------------------------------------
\606\ FINRA Rules 3110 (Supervision) and 3120 (Supervisory
Control Systems).
\607\ See 17 CFR 248.1 through 248.30.
\608\ See 17 CFR 248.201 and 248.202.
\609\ See 17 CFR 248.30(a).
\610\ See 17 CFR 248.30(a)(1) through (3).
\611\ See 17 CFR 248.30(b)(2). Regulation S-P currently defines
the term ``disposal'' to mean: (1) the discarding or abandonment of
consumer report information; or (2) the sale, donation, or transfer
of any medium, including computer equipment, on which consumer
report information is stored. See 17 CFR 248.30(b)(1)(iii).
\612\ See 17 CFR 248.201.
---------------------------------------------------------------------------
Past Commission staff statements \613\ and FINRA guidance \614\
with respect to these rules identify common elements of reasonably
designed cybersecurity policies and procedures including risk
assessment, user security and access,
[[Page 23231]]
information protection, incident response,\615\ and training.\616\
---------------------------------------------------------------------------
\613\ See OCIE, SEC, Cybersecurity: Safeguarding Client Accounts
against Credential Compromise (Sep. 15, 2020), available at https://www.sec.gov/files/Risk%20Alert%20-%20Credential%20Compromise.pdf;
OCIE, SEC, Select COVID-19 Compliance Risks and Considerations for
Broker-Dealers and Investment Advisers (Aug. 12, 2020), available at
https://www.sec.gov/files/Risk%20Alert%20-%20COVID-19%20Compliance.pdf; OCIE, SEC, Cybersecurity: Ransomware Alert
(July 10, 2020), available at https://www.sec.gov/files/Risk%20Alert%20-%20Ransomware.pdf; OCIE, SEC, Report on OCIE
Cybersecurity and Resiliency Observations (Jan. 27, 2020), available
at https://www.sec.gov/files/OCIE%20Cybersecurity%20and%20Resiliency%20Observations.pdf; OCIE,
SEC, OCIE Safeguarding Customer Records and Information in Network
Storage--Use of Third Party Security Features (May 23, 2019),
available at https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Network%20Storage.pdf; OCIE, SEC, Investment Adviser and Broker-
Dealer Compliance Issues Related to Regulation S-P--Privacy Notices
and Safeguard Policies (Apr. 16, 2019), available at https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Regulation%20S-P.pdf;
OCIE, SEC, Observations from Cybersecurity Examinations (Aug. 7,
2017), available at https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf; OCIE, SEC, Cybersecurity: Ransomware
Alert (May 17, 2017), available at https://www.sec.gov/files/risk-alert-cybersecurity-ransomware-alert.pdf; OCIE, SEC, OCIE's 2015
Cybersecurity Examination Initiative (Sep. 15, 2015), available at
https://www.sec.gov/files/ocie-2015-cybersecurity-examination-initiative.pdf; OCIE, SEC, Cybersecurity Examination Sweep Summary
(Feb. 3, 2015), available at https://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf; OCIE, SEC, OCIE's 2014
Cybersecurity Initiative (Apr. 15, 2014), available at https://
www.sec.gov/ocie/announcement/Cybersecurity-Risk-Alert_Appendix_-
4.15.14.pdf.
\614\ See FINRA, Core Cybersecurity Threats and Effective
Controls for Small Firms (May 2022), available at https://www.finra.org/sites/default/files/2022-05/Core_Cybersecurity_Threats_and_Effective_Controls-Small_Firms.pdf;
FINRA, Cloud Computing in the Securities Industry (Aug. 16, 2021),
available at https://www.finra.org/rules-guidance/key-topics/fintech/report/cloud-computing; FINRA, Common Cybersecurity Threats
(July 9, 2019), available at https://www.finra.org/rules-guidance/guidance/common-cybersecurity-threats; FINRA, Report on Selected
Cybersecurity Practices (Dec. 1, 2018), available at https://www.finra.org/rules-guidance/guidance/common-cybersecurity-threats;
FINRA, Report on FINRA Examination Findings (Dec. 6, 2017),
available at https://www.finra.org/sites/default/files/2017-Report-FINRA-Examination-Findings.pdf; FINRA, Small Firm Cybersecurity
Checklist (May 23, 2016), available at https://www.finra.org/compliance-tools/small-firm-cybersecurity-checklist. Cybersecurity
has also been a regular theme of FINRA's Regulatory and Examination
Priorities Letter since 2008 often with reference to Regulation S-P.
Similarly the SEC sponsored a Cybersecurity Roundtable and the
Division of Examination conducted cybersecurity initiative I and II
to assess industry practices and legal and compliance issues
associated with broker-dealer and investment adviser cybersecurity
preparedness.
\615\ See FINRA, 2021 Report on FINRA's Examination and Risk
Monitoring Program (Feb. 01, 2021), available at https://www.finra.org/rules-guidance/guidance/reports/2021-finras-examination-and-risk-monitoring-program/cybersecurity (FINRA
recommended among effective practices with respect to incident
response: Establishing and regularly testing (often using tabletop
exercises) a written formal incident response plan that outlines
procedures for responding to cybersecurity and information security
incidents; and developing frameworks to identify, classify,
prioritize, track and close cybersecurity-related incidents.).
\616\ These categories vary somewhat in terms of nomenclature
and the specific categories themselves across different Commission
and FINRA publications.
---------------------------------------------------------------------------
Consistent with these rules, nearly all broker-dealers that
participated in two Commission exam sweeps in 2015 and 2017 reported
\617\ maintaining some cybersecurity policies and procedures;
conducting some periodic risk assessments to identify threats and
vulnerabilities,\618\ conducting firm-wide systems inventorying or
cataloguing, ensuring regular system maintenance including the
installation of software patches to address security vulnerabilities,
performing some penetration testing,\619\ although both sweeps also
discussed various flaws in compliance. A separate staff statement,
based on observed industry practices, noted that at least some firms
implemented capabilities that are able to control, monitor, and inspect
all incoming and outgoing network traffic to prevent unauthorized or
harmful traffic and implemented capabilities that are able to detect
threats on endpoints.\620\ In the two Commission exam sweeps, many
firms indicated that policies and procedures were vetted and approved
by senior management and that firms provided annual cybersecurity
reports to the board while some also provided ad hoc reports in the
event of major cybersecurity events.\621\ Broadly, many broker-dealers
reported relying on industry standards with respect to cybersecurity
\622\ typically by adhering to a specific industry standard or
combination of industry standards or by using industry standards as
guidance in designing policies and procedures. In the Commission's 2017
sweep, however, weaknesses in policies and procedures and failure to
implement policies and procedures were observed at a majority of the
participating firms.\623\
---------------------------------------------------------------------------
\617\ See Cybersecurity Examination Sweep Summary, supra note
613 (Of 57 examined broker-dealers, the vast majority adopted
written information security policies, conducted periodic audits to
determine compliance with these information security policies and
procedures, conducted risk assessments and reported considering such
risk assessments in establishing their cybersecurity policies and
procedures. With respect to vendors, the majority of the broker-
dealers required cybersecurity risk assessments of vendors with
access to their firms' networks and had at least some specific
policies and procedures relating to vendors.). See also Observations
from Cybersecurity Examinations, supra note 613 (This largely
aligned with the prior 2015 Exam Sweep but is based on additional
data from a mixed group of 75 broker-dealers and investment
advisers. For example, nearly all firms had incident response plans.
Still, it appeared that a number of firms did not appear to fully
remediate some of the high risk observations that they discovered
from these tests and vulnerability scans in a timely manner or
failed to conduct penetration testing regularly).
\618\ See Report on Selected Cybersecurity Practices, supra note
614. According to FINRA's 2018 RCA, 94% of higher revenue firms and
70% of mid-level revenue firms use a risk assessment as part of
their cybersecurity program. The Risk Control Assessment (RCA)
Survey is a voluntary survey conducted by FINRA on an annual basis
with all active member firms.
\619\ Id. According to FINRA's 2018 RCA, 100% of higher revenue
firms include penetration testing as a component in their overall
cybersecurity program.
\620\ See Cybersecurity and Resiliency Observations, supra note
614.
\621\ See Cybersecurity Examination Sweep Summary, supra note
613, and Observations from Cybersecurity Examinations, supra note
613.
\622\ Id. Among the firms that were part of the sweep, nearly
90% used one or more of the NIST, ISO or ISACA frameworks or
standards. More specifically, 65% of the respondents reported that
they use the ISO 27001/27002 standard while 25% use COBIT. Some
firms use combinations of these standards for various parts of their
cybersecurity programs. While the report focused on firm utilization
of cybersecurity frameworks specifically, in many cases, the
referenced frameworks were broader IT frameworks.
\623\ See OCIE, SEC, Observations from Cybersecurity
Examinations (Aug. 7, 2017), available at https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf.
---------------------------------------------------------------------------
FINRA Rule 3110's supervisory obligation also extends to member
firms' outsourcing of certain ``covered activities''--activities or
functions that, if performed directly by a member firm, would be
required to be the subject of a supervisory system and written
supervisory procedures pursuant to FINRA Rule 3110. These vendor
management obligations are discussed in further guidance.\624\ As
discussed in section III.A.2.b of this release, FINRA Rule 4530
requires broker-dealer reporting of certain events to FINRA, including,
among other things, compliance issues and other events \625\ where a
broker-dealer has concluded or should have reasonably concluded that a
violation of securities or other enumerated law, rule, or regulation of
any domestic or foreign regulatory body or SRO has occurred. Broker-
dealers affiliated with a banking organization \626\ may also be
affected by a cybersecurity notification requirement. For example, if a
broker-dealer is a subsidiary of a bank holding company, an incident at
the broker-dealer would likely be reported by the bank holding company
to its respective banking regulator.
---------------------------------------------------------------------------
\624\ See Regulatory Notice 21-29: Vendor Management and
Outsourcing, supra note 165; Notice to Members 05-48: Outsourcing,
supra note 165. FINRA found that most firms had adequate privacy and
security language in contracts where customer or firm confidential
data or high-risk systems were at risk. Standard contract language
topics that firms included were: non-disclosure agreements/
confidentiality agreements, data storage, retention, and delivery;
breach notification responsibilities; right-to-audit clauses; vendor
employee access limitations; use of subcontractors; and vendor
obligations upon contract termination. Id.
\625\ While FINRA has urged firms to report material cyber
incidents that do not trigger a reporting obligation to their
regulatory coordinator, current practices are unclear.
\626\ In the simplification of the Volcker Rule, effective Jan.
21, 2020, Commission staff estimated that there were 202 broker-
dealers that were affiliated with banking organizations.
---------------------------------------------------------------------------
Aside from specific dissemination obligations under Regulation SCI
for a limited number of broker-dealers with respect to their related
SCI ATSs, there are no Commission or FINRA requirements for broker-
dealers to disseminate notifications of breaches to members or clients
although many firms do so \627\ pursuant to various state data breach
laws.\628\ Broker-dealers are subject to state laws known as ``Blue Sky
Laws,'' which generally are regulations established as safeguards for
investors against securities fraud.\629\ All 50 states have enacted
laws in recent years requiring firms to notify individuals of data
breaches, standards differ by state, with some states imposing
heightened notification requirements relative to other states.\630\
---------------------------------------------------------------------------
\627\ See Cybersecurity Examination Sweep Summary, supra note
613 (Based on a small sample of firms, the vast majority of broker-
dealers maintained plans for data breach incidents and most had
plans for notifying customers of material events.)
\628\ See Digital Guardian, The Definitive Guide to U.S. State
Data Breach Laws, digitalguardian.com, available at https://info.digitalguardian.com/rs/768-OQW-145/images/the-definitive-guide-to-us-state-data-breach-laws.pdf (last visited Nov. 15, 2022).
\629\ See, e.g., Office of Investor Education and Advocacy,
Commission, Blue Sky Laws, available at https://www.investor.gov/introduction-investing/investing-basics/glossary/blue-sky-laws.
\630\ For example, some states may require a firm to notify
individuals when a data breach includes biometric information, while
others do not. Compare Cal. Civil Code sec. 1798.29 (notice to
California residents of a data breach generally required when a
resident's personal information was or is reasonably believed to
have been acquired by an unauthorized person; ``personal
information'' is defined to mean an individual's first or last name
in combination with one of a list of specified elements, which
includes certain unique biometric data), with Ala. Stat. secs. 8-38-
2, 8-38-4, 8-38-5 (notice of a data breach to Alabama residents is
generally required when sensitive personally identifying information
has been acquired by an unauthorized person and is reasonably likely
to cause substantial harm to the resident to whom the information
relates; ``sensitive personally identifying information'' is defined
as the resident's first or last name in combination with one of a
list of specified elements, which does not include biometric
information).
---------------------------------------------------------------------------
[[Page 23232]]
Additionally, market data, including bids, offers, quotation sizes,
among other types of data, are currently collected from broker-dealers
and consolidated and distributed pursuant to a variety of Exchange Act
rules and joint industry plans.\631\
---------------------------------------------------------------------------
\631\ See, e.g., Rules 601 through 17 CFR 242.604 (``Rule 604'')
of Regulation NMS and 17 CFR 242.301(b)(3) (``Rule 301(b)(3)'') of
Regulation ATS.
---------------------------------------------------------------------------
c. Exempt Clearing Agencies
i. Affected Parties
Certain SCI entities are in the market for clearance and settlement
services. Registered clearing agencies and certain exempt clearing
agencies are already SCI entities. The Commission proposes to extend
Regulation SCI to include all other exempt clearing agencies. The
proposed amendment would have the immediate effect of introducing two
exempt clearing agencies into the scope of Regulation SCI.
There are broadly two types of clearing agencies: registered
clearing agencies and exempt clearing agencies. There are seven
registered and active clearing agencies: DTC, FICC, NSCC, ICC, ICEEU,
the Options Clearing Corp., and LCH SA. There are two other clearing
agencies that are no longer active but both maintain registration with
the Commission.\632\ In addition to these registered clearing agencies,
there are clearing agencies that have received from the Commission an
exemption from registration as a clearing agency under section 17A of
the Exchange Act. There are five exempt clearing agencies: Bloomberg
STP (inactive), ITPMATCH (DTCC), SSCNET (SS&C Technologies), Euroclear
Bank SA/NV, and Clearstream Banking, S.A. Of these exempt clearing
agencies, Bloomberg STP, ITPMATCH (DTCC), and SSCNET (SS&C
Technologies) are subject to Regulation SCI as ``exempt clearing
agencies subject to ARP,'' together with registered clearing agencies.
---------------------------------------------------------------------------
\632\ See BSECC Notice and SCCP Notice, supra note 230.
---------------------------------------------------------------------------
The other two, Euroclear Bank SA/NV, and Clearstream Banking, S.A,
both exempt clearing agencies,\633\ have not been required to comply
with Regulation SCI. Each performs CSD functions and provides clearance
and settlement for U.S. Treasury transactions, subject to volume limits
set forth in their exemptions. Euroclear Bank also provides collateral
management services for U.S. equity transactions involving a U.S.
person and a non-U.S. person.
---------------------------------------------------------------------------
\633\ See Euroclear Exemption, supra note 231 (providing an
exemption to Euroclear Bank SA/NV (successor in name to Morgan
Guaranty Trust Company of NY)); Clearstream Exemption, supra note
231 (providing an exemption to Clearstream Banking, S.A. (successor
in name to Cedel Bank, soci[eacute]t[eacute] anonyme, Luxembourg)).
Furthermore, pursuant to the Commission's statement on CCPs in the
European Union (``EU'') authorized under the European Markets
Infrastructure Regulation (``EMIR''), an EU CCP may request an
exemption from the Commission where it has determined that the
application of SEC requirements would impose unnecessary,
duplicative, or inconsistent requirements in light of EMIR
requirements to which it is subject. See Statement on Central
Counterparties Authorized under the European Markets Infrastructure
Regulation Seeking to Register as a Clearing Agency or to Request
Exemptions from Certain Requirements Under the Securities Exchange
Act of 1934 supra note 240 (stating that in seeking an exemption, an
EU CCP could provide ``a self-assessment . . . [to] explain how the
EU CCP's compliance with EMIR corresponds to the requirements in the
Exchange Act and applicable SEC rules thereunder, such as Rule 17Ad-
22 and Regulation SCI.'').
---------------------------------------------------------------------------
ii. Regulatory Baseline
The two exempt clearing agencies not subject to ARP are required
per Commission exemptive orders to submit to the Commission a number of
items including transaction volume data,\634\ notification regarding
material adverse changes in any account maintained for customers,\635\
one or more disclosure documents, amendments to its application for
exemption on Form CA-1,\636\ responses to a Commission request for
information,\637\ etc. In the case of one exempt clearing agency, its
exemptive order also requires submission of additional items related to
its systems including quarterly reports describing completed, ongoing,
and planned material system changes,\638\ notification \639\ regarding
systems events; \640\ as well as a requirement to take appropriate
corrective action regarding such systems events. This exempt clearing
agency is also required to maintain policies and procedures that are
reasonably designed to identify, manage, and monitor systems
operational risk; clearly define the roles and responsibilities of
personnel for addressing operational risk; review such policies and
procedures; conduct systems audits and system tests periodically and at
implementation of significant changes; clearly define operational
reliability objectives for the systems; ensure that the systems have
scalable capacity adequate to handle increasing stress volumes and
achieve the systems service-level objectives; establish comprehensive
physical and information security policies that address all potential
vulnerabilities and threats to the systems; and establish a business
continuity plan \641\ for the systems that addresses events posing a
significant risk of disrupting the systems' operations, including
events that could cause a wide-scale or major disruption in the
provision of the clearing agency activities. Such policies and
procedures should be consistent with current information technology
industry standards \642\ and be reasonably designed to ensure that the
systems operate on an ongoing basis in a manner that complies with the
conditions applicable to the systems and with the exempt clearing
agency's rules and governing documents applicable to the clearing
agency activities. This exempt clearing agency must also provide the
[[Page 23233]]
Commission with an annual update regarding policies and procedures.
---------------------------------------------------------------------------
\634\ Id. This is provided in the form of quarterly reports,
calculated on a twelve-month rolling basis, of volume statistics
related to government securities. One exempt clearing agency also
reports volume statistics related to equities.
\635\ Id. This is for customers that are members or affiliates
of members of a U.S. registered clearing agency in the case of one
exempt clearing or US participants in the case of the other.
\636\ Id. This must be filed prior to the implementation of any
change in stated policies, practices, or procedures that makes the
information contained in the original Form CA-1 incomplete or
inaccurate in any material respect.
\637\ Id. This would typically concern a U.S. customer or its
affiliate about whom the Commission has financial solvency concerns.
\638\ This must be filed within 30 calendar days after the end
of each quarter. These reported information represents changes
related to the Clearing Agency Activities during the prior, current,
and subsequent calendar quarters, including the dates or expected
dates of commencement and completion.
\639\ This requires notification of such systems event within 24
hours after occurrence; regular updates until such time as a systems
event is resolved and investigation of the systems event is closed;
interim written notification within 48 hours after the occurrence of
a systems event or promptly thereafter if such a deadline cannot be
met; a written final report within ten business days after the
occurrence of a systems event or promptly thereafter if such a
deadline cannot be met. For systems events characterized as ``bronze
level'' events (i.e., a Systems Event in which the incident is
clearly understood, almost immediately under control, involves only
one business unit and/or entity, and is resolved within a few
hours), the clearing agency is instead required to provide on a
quarterly basis an aggregated list of bronze level events.
\640\ This includes disruptions, compliance issues, or
intrusions of the systems that impact, or is reasonably likely to
impact clearing agency activities.
\641\ The business continuity plan would require the use of a
secondary site designed to ensure two-hour resumption of operation
following disruptive events; regular testing of business continuity
plans; identification, monitoring, and management of the risks that
key participants, other financial market infrastructures, and
service and utility providers might pose to the systems' operations
in relation to the clearing agency activities.
\642\ The exempt clearing agency is required to provide annual
notice to the Commission regarding the industry standards utilized.
These standards consist of information technology practices that are
widely available to information technology professionals in the
financial sector and issued by a widely recognized organization.
---------------------------------------------------------------------------
Additionally, the two exempt clearing agencies not subject to ARP
are subject to Europe's Central Securities Depositories Regulation
(CSDR) which provides a set of common requirements for CSDs operating
securities settlement systems across the EU.\643\ CSDR provides, among
other things, Operational Risk rules (Article 45).\644\ There are more
specific requirements in the CSDR's Regulatory Technical Standards
\645\ including identifying operational risks; \646\ methods to test,
address and minimize operational risks; \647\ IT systems; \648\ and
business continuity.\649\
---------------------------------------------------------------------------
\643\ The two exempt clearing agencies may also be subject to
the EU Regulation, the Digital Operational Resilience Act (DORA),
which went into effect in 2015: See Proposal for a Regulation of the
European Parliament and of the Council on Digital Operational
Resilience for the Financial Sector and Amending Regulations (EC) No
1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014
available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020PC0595.
\644\ See Commission Regulation No. 909/2014 of July 23, 2014,
on improving securities settlement in the European Union and on
central securities depositories and amending Directives 98/26/EC and
2014/65/EU and Regulation (EU) No 236/2012, art. 45, 2014 O.J. (L
257) 47, available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32014R0909.
\645\ See Commission Delegated Regulation 2017/392,
Supplementing Regulation (EU) No 909/2014 of the European Parliament
and of the Council with Regard to Regulatory Technical Standards on
Authorization, Supervisory and Operational Requirements for Central
Securities Depositories. 65 Off. J. Eur. Union 48 (2017) available
at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32017R0392&from=EN.
\646\ Id. art. 45:1.
\647\ Id. art. 45:2.
\648\ Id. art. 45:3.
\649\ Id. art. 45:4.
---------------------------------------------------------------------------
Furthermore, each of these two exempt clearing agencies publish
disclosure framework reports \650\ that purport to describe the
policies and procedures \651\ with respect to the operational risk
framework of the Principles for Financial Market Infrastructures (PFMI)
published by CPSS and IOSCO.\652\
---------------------------------------------------------------------------
\650\ See infra notes 683-684.
\651\ The respective disclosure documents have not been reviewed
by the Commission and its staff for accuracy and may or may not
demonstrate implementation/compliance with international standards.
\652\ Bank for International Settlements (BIS), Principles for
Financial Market Infrastructures: Disclosure Framework and
Assessment Methodology (Dec. 2012), available at https://www.bis.org/cpmi/publ/d106.pdf.
---------------------------------------------------------------------------
2. Existing SCI Entities
a. Affected Parties
In addition to these proposed new SCI entities, Regulation SCI has
applied to entities that facilitate several different markets,
including the market for trading services, the market for listing
services, the market for regulation and surveillance services, the
market for clearance and settlement services, and the market for market
data.\653\ As of this writing, there are 47 SCI entities. These include
35 SCI SROs (including 24 exchanges, 9 registered clearing agencies,
FINRA, and the MSRB), 7 SCI ATSs (including 5 NMS stock ATSs and 2 non-
NMS stock ATSs), 2 plan processors, and 3 exempt clearing agencies
subject to ARP.\654\ All of them are already required to comply with
Regulation SCI, and, as discussed in section V.B.2.b, subsets of these
entities also have other specific rules that apply to them.
---------------------------------------------------------------------------
\653\ 17 CFR 242.1000 (definitions of ``SCI systems'' and
``critical SCI systems'').
\654\ In 2021, the Commission amended Regulation SCI to add
competing consolidators that exceed a 5% consolidated market data
gross revenue threshold over a specified time period as SCI
entities. Currently, no competing consolidators have registered with
the Commission. See Market Data Infrastructure Adopting Release,
supra note 24.
---------------------------------------------------------------------------
The general characteristics of the markets in which the existing
SCI entities operate are described in the SCI Proposing Release \655\
and SCI Adopting Release.\656\ There are, however, broad changes to
these markets--as they pertain to Regulation SCI--that should be noted.
The markets have changed in at least four important ways. First, the
total trading volumes have increased across all types of
securities.\657\ Second, there is an increased reliance on technology
and automation among financial institutions, a trend which accelerated
due to the COVID-19 pandemic.\658\ Third, and relatedly, financial
institutions have become increasingly dependent on third parties--
including cloud service providers--to operate their businesses and
provide their services.\659\ This is, in fact, a general trend among
all global companies, and this trend, too, has been driven in part by
the COVID-19 pandemic.\660\ Fourth, cybersecurity events have grown in
both number and sophistication.\661\ These developments in the market
have significantly increased the negative externalities that may flow
from systems failures.
---------------------------------------------------------------------------
\655\ See SCI Proposing Release, supra note 14, at section V.
See also Market Data Infrastructure Adopting Release, supra note 24,
for a description of competing consolidator market characteristics.
\656\ See SCI Adopting Release, supra note 1, at section VI.
\657\ See, e.g., SIFMA Insights: Electronic Trading Market
Structure Primer, supra note 3 (summarizing electronic trading
history and trends in different markets); SEC, Staff Report on
Equity and Options Market Structure Conditions in Early 2021 (Oct.
14, 2021), available at https://www.sec.gov/files/staff-report-equity-options-market-struction-conditions-early-2021.pdf; see also
U.S. House Committee on Financial Services, Game Stopped: How the
Meme Stock Market Event Exposed Troubling Business Practices,
Inadequate Risk Practices, and the Need for Legislative and
Regulatory Reform (June 2022), available at: https://democrats-financialservices.house.gov/uploadedfiles/6.22_hfsc_gs.report_hmsmeetbp.irm.nlrf.pdf.
\658\ See, e.g., Henning Soller, et al., Innovative Technologies
in Financial Institutions: Risk as a Strategic Issue, McKinsey
Digital (Sep. 25, 2020), available at: https://www.mckinsey.com/business-functions/mckinsey-digital/our-insights/tech-forward/innovative-technologies-in-financial-institutions-risk-as-a-strategic-issue (``The current COVID-19 crisis has significantly
accelerated the need for financial institutions to adopt innovative
technologies.'').
\659\ See, e.g., Noah Kessler, Cloud Is on the Rise in Financial
Services and Regulators Are Taking Note, ABA Risk and Compliance
(Sept. 29, 2021), available at https://bankingjournal.aba.com/2021/09/cloud-is-on-the-rise-in-financial-services-and-regulators-are-taking-note/.
\660\ See, e.g., Deloitte, 2021 Global Shared Services and
Outsourcing Survey Report 3, available at https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Process-and-Operations/gx-2021-global-shared-services-report.pdf (``[T]here's an increasing
shift to leverage global, multifunctional, and virtual or remote
models, especially driven by learnings from COVID-19'').
\661\ See, e.g., Chuck Brooks, Alarming Cyber Statistics For
Mid-Year 2022 That You Need To Know, Forbes.com (June 3, 2022),
available at https://www.forbes.com/sites/chuckbrooks/2022/06/03/alarming-cyber-statistics-for-mid-year-2022-that-you-need-to-know/?sh=2429c57e7864.
---------------------------------------------------------------------------
Current SCI entities are required to report systems intrusions,
either immediately or on a quarterly basis, rather than immediately if
de miminis in impact. However, current SCI entities have not been
reporting attempted intrusions, as they were not required to do so.
b. Regulatory Baseline
The common regulatory baseline for current SCI entities is
Regulation SCI which was adopted in 2014. Regulation SCI requires,
among other things, that these entities establish, maintain, and
enforce written policies and procedures reasonably designed to ensure
that their SCI systems have levels of capacity, integrity, resiliency,
availability, and security adequate to maintain their operational
capability and promote the maintenance of fair and orderly markets and
operate in a manner that complies with the Exchange Act and the rules
and regulations thereunder and the entity's rules and governing
documents, as applicable, and specifies certain minimum requirements
for such policies and procedures. As a policies and procedures based
rule, and one that employs a risk-based approach, Regulation SCI
provides flexibility to allow each SCI entity to determine how
[[Page 23234]]
to best meet the requirements in Rule 1001(a).
In addition, 17 CFR 242.613 (``Rule 613'') of Regulation NMS
requires national securities exchanges and national securities
associations (FINRA) to jointly develop and submit to the Commission a
Consolidated Audit Trail National Market System (CAT NMS) Plan.\662\
---------------------------------------------------------------------------
\662\ 17 CFR 242.613.
---------------------------------------------------------------------------
Under the Commission-approved CAT NMS Plan, the national securities
exchanges and FINRA (the Participants) conduct the activities related
to the CAT through a jointly owned limited liability company,
Consolidated Audit Trail, LLC (``Company'').\663\ FINRA CAT, LLC--a
wholly-owned subsidiary of FINRA--has entered into an agreement with
the Company to act as the plan processor for the CAT. However, the
Participants remain ultimately responsible for the performance of the
CAT and its compliance with any statutes, rules, and regulations.\664\
The Plan Processor must develop three sets of policies and procedures:
(1) the CAT information security program and related data security
policies and procedures; (2) user security and access policies and
procedures; and (3) breach management policies and procedures.\665\
---------------------------------------------------------------------------
\663\ Consolidated Audit Trail, LLC, CAT NMS Plan, secs. 1.1,
3.1, 4.1 (July 2020), available at https://catnmsplan.com/sites/default/files/2020-07/LLC-Agreement-of-Consolidated-Audit-Trail-LLC-as-of-7.24.20.pdf; see also CAT NMS Plan Approval Order, supra note
393; Joint Industry Plan; Order Approving Amendment to the National
Market System Plan Governing the Consolidated Audit Trail,
Securities Exchange Act Release No. 89397 (July 24, 2020), 85 FR
45941 (July 30, 2020).
\664\ CAT NMS Plan, secs. 4.3, 5.1, 6.1. The Participants
jointly own on an equal basis the Company. As such, the CAT's
Central Repository is a facility of each of the Participants, and
also an SCI system of each of the Participants. See SCI Adopting
Release, supra note 1, at 72275 at n. 246; CAT NMS Plan Approval
Order, supra note 393, at 84758.
\665\ CAT NMS Plan, secs. 6.12 and app. D. secs. 4.1 to 4.1.5.
The Plan Processor is subject to certain industry standards with
respect to its information security program, including, among
others, NIST-800-23 (Guidelines to Federal Organizations on Security
Assurance and Acquisition/Use of Test/Evaluated Products), NIST 800-
53 (Security and Privacy Controls for Federal Information Systems
and Organizations), and NIST 800-115 (Technical Guide to Information
Security Testing and Assessment). CAT NMS Plan, app D sec 4.2.
---------------------------------------------------------------------------
First, the Plan Processor must develop and maintain a comprehensive
information security program, to be approved and reviewed at least
annually by an operating committee, which contains certain specific
requirements for the Company related to data security.\666\ As part of
this requirement, the Plan Processor is required to create and enforce
policies, procedures, and control structures to monitor and address CAT
data security, including reviews of industry standards and periodic
penetration testing.\667\ Second, both the Participants and the Plan
Processor must implement user security and access policies and
procedures that include safeguards to secure access and use of the
CAT.\668\ The Plan Processor must also review Participant information
security policies and procedures related to the Company to ensure that
such policies and procedures are comparable to those of the CAT
system.\669\ Finally, the Plan Processor must develop a cyber-incident
response plan and document all information relevant to breaches.\670\
In addition to these policies and procedures requirements, the CAT NMS
Plan requires several forms of periodic review of CAT, including an
annual written assessment,\671\ regular reports,\672\ and an annual
audit.\673\ The Commission has proposed amendments to the CAT NMS Plan
that are designed to enhance the security of the CAT through increased
security requirements as well as limiting the scope of sensitive
information required to be collected by the CAT.\674\
---------------------------------------------------------------------------
\666\ CAT NMS Plan, app. D sec. 4.1.
\667\ Id. sec. 6.2(b)(v) and app. D secs. 4.1 to 4.2.
\668\ Specifically, these safeguards must include: (1)
restrictions on the acceptable uses of CAT Data; (2) role-based
access controls; (3) authentication of individual users; (4)
multifactor authentication and password controls; (5) implementation
of information barriers to prevent unauthorized staff from accessing
CAT Data; (6) separate storage of sensitive personal information and
controls on transmission of data; (7) security-driven monitoring and
logging; (8) escalation of non-compliance or security events; and
(9) remote access controls. Id. at secs. 6.2(b)(v), 6.5(c)(i),
6.5(c)(iii) and (iv) and app. D secs. 4.1 to 4.1.4, 4.1.6, 8.1,
8.1.1, 8.1.3, 8.2, 8.2.2.
\669\ Id. sec. 6.2(b)(vii).
\670\ Id. app. D sec. 4.1.5.
\671\ The Participants are required to provide the Commission
with an annual written assessment of the Plan Processor's
performance, which must include, among other things, an evaluation
of potential technology upgrades and an evaluation of the CAT
information security program. Id. secs. 6.2(a)(v)(G), 6.6(b).
\672\ The Plan Processor is required to provide the operating
committee with regular reports on various topics, including data
security issues and the Plan Processor. Id. secs. 6.1(o),
6.2(b)(vi), 6.2(a)(v)(E), 6.2(b)(vi).
\673\ The Plan Processor is required to create and implement an
annual audit plan that includes a review of all Plan Processor
policies, procedures, control structures, and tools that monitor and
address data security. Id. secs. 6.2(a)(v)(B) and (C), app. D secs.
4.1.3, 5.3.
\674\ Proposed Amendments to the National Market System Plan
Governing the Consolidated Audit Trail to Enhance Data Security,
Release No. 89632 (Aug. 21, 2020), 85 FR 65990 (Oct. 16, 2020).
---------------------------------------------------------------------------
3. Current Market Practice
This section describes current and new SCI entities' market
practices, as relevant to certain of the proposed and existing
provisions. These market practices include entities' compliance efforts
that exceed current regulatory baseline requirements, entities'
adherence to voluntary standards and best practices, and business
practices not directly related to compliance with a regulatory
obligation that nevertheless overlap with the substantive or procedural
requirements of the proposed rule. To the extent the entities' existing
practices already comply with the requirements or proposed requirements
of Regulation SCI, or to the extent those practices might facilitate
such compliance, the benefits and costs of the proposal could be
mitigated. The Commission requests comment on how the new and existing
SCI entities' current market practices affect the baseline against
which the economic effects are measured.
a. Systems Classification and Lifecycle Management
Based on the experience of Commission most current SCI entities
undertake some form of lifecycle management program that includes
acquisition, integration, support, refresh and disposal of covered
systems, as applicable, and the sanitization of end-of-life systems.
b. Third-Party Vendor Management and Oversight
Globally the end-user spending on public cloud services is
estimated to grow 20.4% in 2022 to a total of $494.7 billion, up from
$410.9 billion in 2021.\675\ In terms of market concentration, as of Q1
2022, the three largest CSPs collectively have the market share of 65
percent global spending on cloud computing \676\ and the eight largest
CSPs have roughly 80 percent of the market.\677\ SCI entities employ
cloud service providers. Some of the largest cloud service providers
appear to be familiar with the Regulation SCI requirements with which
SCI entities are obliged to comply.\678\
---------------------------------------------------------------------------
\675\ See Press Release, Gartner.com (Apr. 19, 2020), available
at https://www.gartner.com/en/newsroom/press-releases/2022-04-19-gartner-forecasts-worldwide-public-cloud-end-user-spending-to-reach-nearly-500-billion-in-2022.
\676\ See Synergy Research Group, Huge Cloud Market Still
Growing at 34% Per Year; Amazon, Microsoft & Google Now Account for
65% of the Total, PR Newswire (Apr. 28, 2022), available at https://
www.prnewswire.com/news-releases/huge-cloud-market-still-growing-at-
34-per-year-amazon-microsoft_google-now-account-for-65-of-the-
total-301535935.html (estimating as of Q1 2022 that the breakdown
is: Amazon Web Services (AWS): 33%; Microsoft Azure: 22%; Google
Cloud: 10%).
\677\ Id.
\678\ For example, see Microsoft Azure, Regulation Systems
Compliance and Integrity (SCI) Cloud Implementation Guide (2019),
available at https://azure.microsoft.com/mediahandler/files/resourcefiles/microsoft-azure-regulation-systems-compliance-and-integrity-sci-cloud-implementation-guide/AzureRegSCIGuidance.pdf; or
Google Cloud, U.S. Securities & Exchange Commission Regulation
Systems Compliance & Integrity (Regulation SCI) (Dec. 2021),
available at https://services.google.com/fh/files/misc/sec_regulation_sci_gcp_whitepaper.pdf.
---------------------------------------------------------------------------
[[Page 23235]]
Both new and existing SCI entities may have existing agreements
with third-party providers that govern the obligations and expectations
as between an SCI entity and a third-party provider it utilizes. These
documents may not currently be consistent with the SCI entity's
requirements under the proposed amendments Regulation SCI. Some SCI
entities may currently rely on a third-party provider's standard
contract or SLA, which may not been drafted with Regulation SCI's
requirements in mind. Similarly, some existing agreements between the
SCI entity and a third-party provider may provide the third-party
provider with the contractual right to be able to make decisions that
would negatively impact an SCI entity's obligations in the third-party
provider's ``commercially reasonable discretion.'' Likewise, existing
agreements may include defined terms that differ from those under the
proposed amendments.
Regardless of their size, SCI entities typically enter into
contracts with third-party providers to perform a specific function for
a given time frame at a set price. At the conclusion of a contract, it
may be renewed if both parties are satisfied. Because prices typically
increase over time, there may be some need to negotiate a new fee for
continued service. Negotiations also occur if additional services are
requested from a given third-party provider. In the instance where
additional services are required mid-contract, for example, due to
increased regulatory requirements, the third-party provider may be able
to separately bill for the extra work that it must incur to provide the
additional service, particularly if that party is in a highly
concentrated market for that service and can wield market power.
Alternatively, the service provider may be forced to absorb the
additional cost until the contract can be renegotiated. This may be the
case because that condition is specified in the contract with the SCI
entity.
Request for Comment
95. The Commission requests that commenters provide relevant data
on the number of third-party providers available to SCI entities by
their types of services they offer or by the types of systems, such as
critical SCI systems, SCI systems, and indirect SCI systems.
96. To what extent do third-party providers compete with each other
for SCI entities?
c. SCI Review
With respect to business continuity and disaster recovery plan
reviews, FINRA Rule 4370 requires a broker-dealer to conduct an annual
review of its business continuity plan. FINRA has observed that some
broker-dealers \679\ engaged in annual testing to evaluate the
effectiveness of their business continuity plans.\680\ With respect to
broker-dealer reporting to their boards regarding cybersecurity
policies and procedures and cybersecurity incidents, the board
reporting frequency ranged from quarterly to ad-hoc among the firms
FINRA reviewed.\681\ Approximately two-thirds of the broker-dealers
(68%) examined in a 2015 survey had an individual explicitly assigned
as the firm's CISO which might suggest extensive executive leadership
engagement.
---------------------------------------------------------------------------
\679\ FINRA did not disclose the number or identity of the firms
but it is likely that larger firms have more robust systems and
practices given their greater resources.
\680\ See FINRA, 2019 Report on Examination Findings and
Observations: Business Continuity Plans (BCPs), supra note 600.
\681\ See Report on Cybersecurity Practices, supra note 621. At
a number of firms, the board received annual cybersecurity-related
reporting while other firms report on a quarterly basis. A number of
firms also provide ad hoc reporting to the board in the event of
major cybersecurity events.
---------------------------------------------------------------------------
d. Current SCI Industry Standards
As of 2015, the majority of broker-dealers reported utilizing one
or more frameworks with respect to cybersecurity \682\ either mapping
directly to the standard or using it as reference point. Some of the
standards such as COBIT may have broad application to various areas of
IT but it is unclear to what extent broker-dealers utilize such
standards beyond cybersecurity.
---------------------------------------------------------------------------
\682\ See supra note 622. Among the firms that were part of the
FINRA sweep, nearly 90% used one or more of the NIST, ISO or ISACA
frameworks or standards. More specifically, 65% of the respondents
reported that they use the ISO 27001/27002 standard while 25% use
COBIT. Some firms use combinations of these standards for various
parts of their cybersecurity programs. The COBIT standard, for
example, is focused more on information technology governance than
cybersecurity per se. In addition, several firms underscored the
utility of the PCI Standard as well as the SANS Top 20.
---------------------------------------------------------------------------
Also, each of the two exempt clearing agencies (Euroclear Bank SA/
NV, and Clearstream Banking, S.A.) publish disclosure framework
reports,\683\ that purport to describe the policies and procedures
relating to the 24 principles and five responsibilities set forth in
the Principles for Financial Market Infrastructures (PFMI) published by
CPSS and IOSCO.\684\ The PFMI establishes new international standards
for financial market infrastructures (FMIs) including payment systems
that are systemically important, central securities depositories,
securities settlement systems, central counterparties and trade
repositories and prescribes the form and content of the disclosures
expected of financial market infrastructures. Most relevant, principle
17 on operational risk offers guidelines on policies and procedures to
identify, monitor, and manage operational risks, vulnerabilities, and
threats; capacity planning; stress testing; systems development and
testing methodology; business continuity and disaster recovery planning
and testing; vendor risk management; and board supervision of risk
management, etc.
---------------------------------------------------------------------------
\683\ Clearstream, Principles for financial market
infrastructures: Disclosure Framework (Dec. 23, 2020), available at
https://www.clearstream.com/resource/blob/1386778/3458c1c468e5f40ddf5dc970e8da4af2/cpmi-iosco-data.pdf; Euroclear
Bank, Disclosure Framework CPMI IOSCO 2020 (June 2020), available at
https://www.euroclear.com/content/dam/euroclear/About/business/PA005-Euroclear-Bank-Disclosure-Framework-Report.pdf.
\684\ Bank for International Settlements (BIS), Principles for
Financial Market Infrastructures: Disclosure Framework and
Assessment Methodology (Dec. 2012), available at https://www.bis.org/cpmi/publ/d106.pdf.
---------------------------------------------------------------------------
e. Penetration Testing
Current SCI entities are required to conduct penetration testing as
part of its SCI review \685\ once every three years.\686\ Among the new
SCI entities, two SBSDRs that are currently registered as SDRs are
subject to CFTC's rules, which require conducting penetration testing
of the systems with the scope of those rules at least once every year.
---------------------------------------------------------------------------
\685\ Specifically, paragraph (b)(1) of Rule 1003 currently
requires that ``[p]enetration test reviews of the network,
firewalls, and production systems shall be conducted at a frequency
of not less than once every three years. . .''. Rule 1003(b)(1).
\686\ See SCI Adopting Release, supra note 1, at 72344.
---------------------------------------------------------------------------
4. Other Affected Parties
In addition to new and existing SCI entities, the proposed
amendments may indirectly affect other parties, namely third-party
service providers to which SCI systems functionality is outsourced. As
discussed in depth above, an SCI entity may decide to outsource certain
functionality to, or utilize the support or services of, a third-party
provider (which would include both affiliated providers as well as
vendors unaffiliated with the SCI entity) for a variety of reasons,
including cost efficiencies,
[[Page 23236]]
increased automation, particular expertise, or functionality that the
SCI entity does not have in-house. Based on Commission staff
experience, the Commission believes that these third-party providers,
play a growing role with respect to SCI systems and indirect SCI
systems, and the Commission anticipates that third-party providers will
likely arise to provide other types of functionality, service, or
support to SCI entities that are not contemplated yet today.\687\
---------------------------------------------------------------------------
\687\ It has long been recognized that the financial services
industry is increasingly relying on service providers through
various forms of outsourcing. See, e.g., Bank for International
Settlements, Outsourcing in Financial Services (Feb. 15, 2005),
available at https://www.bis.org/publ/joint12.htm. Recent estimates
suggest that the aggregate contract value of outsourcing in the
financial services industry is on the order of $10 to $20 billion.
See, e.g., Business Wire, Insights on the Finance and Accounting
Outsourcing Global Market to 2026 (Jan. 14, 2022), available at
https://www.businesswire.com/news/home/20220114005440/en/Insights-
on-the-Finance-and-Accounting-Outsourcing-Global-Market-to-2026_-
Featuring-Accenture-Capgemini-and-Genpact-Among-Others_-
ResearchAndMarkets.com.
---------------------------------------------------------------------------
Due to data limitations, we are unable to quantify or characterize
in much detail the structure of these various service provider
markets.\688\ The Commission lacks specific information on the exact
extent to which third-party service providers are retained, the
specific services they provide, and the costs for those services beyond
the estimates discussed above for cloud service providers. We also do
not have information about the market for these services, including the
competitiveness of such markets. We request information from commenters
on the services related to SCI systems and indirect systems provided by
third parties to new and existing SCI entities, the costs for those
services, and the nature of the market for these services.
---------------------------------------------------------------------------
\688\ Although certain regulatory filings may shed a limited
light on the use of third-party service providers, we are unaware of
any data sources that provide detail on the overall picture for each
of the new and existing SCI entities.
---------------------------------------------------------------------------
C. Analysis of Benefits and Costs of Proposed Amendments
The proposed amendments both expand the scope of Regulation SCI to
reach new entities and also strengthen existing requirements in
Regulation SCI that would apply to both old and new entities. This
section explores the benefits and costs of these changes. First, we
discuss the general benefits and costs of the proposed amendments to
Regulation SCI. Next, we discuss the expansion of Regulation SCI to
certain new SCI entities and the rationale for it. Finally, we analyze
the specific benefits and costs of applying each provision of amended
Regulation SCI to each of the proposed new SCI entities and current SCI
entities.\689\ The Commission encourages commenters to identify,
discuss, analyze, and supply relevant data, information, or statistics
regarding the benefits and costs.
---------------------------------------------------------------------------
\689\ For purposes of measuring the benefits and costs of the
proposed rule on both existing and new SCI entities, this analysis
assumes that market participants are compliant with existing
applicable Commission, FINRA, CFTC, and other applicable rules,
including those requiring registration and the rules and regulations
applicable to such registered entities. To the extent that some
entities engaged in activities including crypto asset securities are
not, but should be, FINRA or Commission registered entities, they
may incur additional costs to comply with existing registration
obligations that are distinct from the costs associated with the
proposed rule amendments and are not discussed in this analysis.
Similarly, any benefits from coming into compliance with existing
registration obligations are also not discussed in this analysis.
For such entities, we expect the benefits and costs specifically
associated with the proposed rule amendments to be same as those
described below for existing and new SCI entities that are currently
registered.
---------------------------------------------------------------------------
The Commission is providing both a qualitative assessment and
quantified estimates, including ranges, of the potential economic
effects of the proposal where feasible. The overall magnitude of the
economic effects will depend, in part, on the extent to which the new
and current SCI entities already have in place practices that are
aligned with the requirements of Regulation SCI, including the proposed
amendments. New SCI entities' costs of implementing Regulation SCI
could also differ with the number and size of their systems affected.
In many cases it is difficult to quantify the economic effects,
particularly those beyond the costs estimated in the Paperwork
Reduction Act analysis. As explained in more detail below, the
Commission in certain cases does not have, and does not believe it can
reasonably obtain, data or information necessary to quantify certain
effects. For instance, the Commission finds it impracticable to
quantify many of the benefits associated with amended Regulation SCI.
Indeed, we lack information that would allow us to predict the
reduction in frequency and severity of SCI events or the specific cost
savings that might arise from avoiding the harm Regulation SCI is
designed to prevent. Further, even in cases where the Commission has
some data, quantification is not practicable due to the number and type
of assumptions necessary to quantify certain economic effects, which
render any such quantification unreliable. The Commission requests that
commenters provide relevant data and information to assist the
Commission in quantifying the economic consequences of proposed
amendments to Regulation SCI.
1. General Benefits and Costs of Proposed Amendments
Regulation SCI promotes the capacity, integrity, resiliency,
availability, and security of SCI systems, as well as transparency
about systems problems when they do occur, and thereby promote
investors' confidence in market transactions. SCI events can today have
broad impacts because of the growth of electronic trading, which allows
increased volumes of securities transactions in a broader range of
asset classes, at increasing speed, by a variety of trading platforms;
\690\ changes in the way SCI entities employ technology, including the
increasing importance of third-party service providers to ensure
reliable, resilient, and secure systems; \691\ a significant increase
in cybersecurity events across all types of companies, including SCI
entities; \692\ and an evolution of the threat environment.\693\ A
joint report from the World Economic Form and Deloitte states that
``new interconnections and collective dependencies on certain critical
providers significantly contribute to the number of vulnerable nodes
that could threaten and exploit the financial system's essential
functions.'' \694\
---------------------------------------------------------------------------
\690\ See section I and supra note 3.
\691\ See sections III.B, III.B.2.a.
\692\ See section III.B.3.
\693\ See id.
\694\ See World Economic Forum, Beneath the Surface: Technology-
Driven Systemic Risks and the Continued Need for Innovation (Oct.
28, 2021) at 14, available at https://www.weforum.org/reports/beneath-the-surface-technology-driven-systemic-risks-and-the-continued-need-for-innovation/; see also Henning Soller, et al.,
Innovative Technologies in Financial Institutions: Risk as a
Strategic Issue, McKinsey Digital (Sep. 25, 2020), available at:
https://www.mckinsey.com/business-functions/mckinsey-digital/our-insights/tech-forward/innovative-technologies-in-financial-institutions-risk-as-a-strategic-issue.
---------------------------------------------------------------------------
Expanding Regulation SCI to new SCI entities will help to ensure
that the core technology systems of these newly designated SCI entities
are robust, resilient, and secure--especially for those entities that
have not already adopted comparable measures on their own--and would
also help to improve Commission oversight of the core technology of key
entities in the U.S. securities markets.\695\
---------------------------------------------------------------------------
\695\ For example, some expert views suggest that current SCI
entities' compliance with Regulation SCI likely prepared those
entities to be more resilient and more prepared to face times of
increased volatility--beyond what their prudent business practices
may have allowed. For example, one industry publication notes that
even as financial firms ``updated their [business continuity
planning] after the Sept. 11, 2001, terrorist attacks and superstorm
Hurricane Sandy in 2012, when these events exposed cracks in Wall
Street's contingency plans,'' they were still ``more prepared during
COVID-19 thanks to Regulation SCI for Systems, Compliance and
Integrity.'' See, e.g., Is Remote Trading Leading to a Paradigm
Shift on the Trading Desk?, supra note 2. Similarly, a senior
executive at FINRA stated in an interview that he found most
surprising the resiliency of the market during COVID-19 and said ``a
lot of credit goes to the SEC for [the market's resiliency] with
respect to adopting [Regulation SCI].'' FINRA, Podcast: Market
Structure & COVID-19: Handling Increased Volatility and Volumes, at
24:38-25:08 (Apr. 28, 2020), available at https://www.finra.org/media-center/finra-unscripted/market-structure-covid19-coronavirus
(featuring an interview with FINRA's then-Executive VP of Market
Regulation and Transparency Services, Tom Gira).
---------------------------------------------------------------------------
[[Page 23237]]
The Commission is also proposing amendments to update Regulation
SCI in order to strengthen its requirements. These amendments would
benefit markets and market participants by reducing the likelihood,
severity, and duration of market disruptions arising from systems
issues, among both current and new SCI entities, whether such events
may originate from natural disasters, third-party provider service
outages, cybersecurity events, hardware or software malfunctions, or
any other sources.\696\ Decreasing the number of trading interruptions
can improve price discovery and liquidity because such interruptions
interfere with the process through which relevant information gets
incorporated into security prices and, may thereby, temporarily disrupt
liquidity flows.\697\ Trading interruptions in one security can also
affect securities trading in other markets. For example, an
interruption in the market for index options and other securities that
underlie derivatives securities could harm the price discovery process
for derivatives securities, and liquidity flows between the stock
market and derivatives markets could be restricted. For this reason,
market-based incentives alone are unlikely to result in optimal
provision of SCI-related services. In this context, having plans and
procedures in place to prepare for and respond to system issues is
beneficial,\698\ and the proposed amendments to Regulation SCI would
help ensure that the infrastructure of the U.S. securities markets
remains robust, resilient, and secure. A well-functioning financial
system is a public good.
---------------------------------------------------------------------------
\696\ For example, the Ponemon Institute's 2016 Cost of Data
Center Outages report estimates the average cost per minute of an
unplanned outage was $8,851 for the average data center the
Institute surveyed in 2016. See Ponemon Institute, 2016 Cost of Data
Center Outages 14 (Jan. 19, 2016) available at https://www.vertiv.com/globalassets/documents/reports/2016-cost-of-data-center-outages-11-11_51190_1.pdf. Also, although it is difficult to
estimate the total cost of a cyberattack at an SCI entity, a
potential effect of a cyberattack involving an SCI entity is a data
breach. According to the IBM's 2022 Cost of a Data Breach report,
the average cost of a data breach in the United States is $9.44
million, and the report added that ``[f]or 83% of companies, it's
not if a data breach will happen, but when. Usually more than
once.'' See IBM, 2022 Cost of a Data Breach, available at https://
www.ibm.com/reports/data-
breach#:~:text=Average%20cost%20of%20a%20data,million%20in%20the%2020
20%20report. Relatedly, another study reports that in 2020 the
average loss in the financial services industry was $18.3 million
per company per incident. The average cost of a financial services
data breach was $5.85 million. See Jennifer Rose Hale, The Soaring
Risks of Financial Services Cybercrime: By the Numbers, Diligent
(Apr. 9, 2021), available at https://www.diligent.com/insights/financial-services/cybersecurity/#.
\697\ See Osipovich, Alexander, NYSE Glitch Causes Erroneous
Prices in Hundreds of Stocks, Wall St. J. (online edition) (Jan. 24,
2023), available at https://www.wsj.com/articles/dozens-of-nyse-stocks-halted-in-opening-minutes-after-wild-price-swings-11674585962
(retrieved from Factiva database).
\698\ For example, according to the IBM Report, in the context
of system issues arising from cybersecurity events, having an
incident response plan and ``testing that plan regularly can help
[each firm] proactively identify weaknesses in [its] cybersecurity
and shore up [its] defenses'' and ``save millions in data breach
costs.'' See 2022 Cost of a Data Breach, supra note 696. See also
Alex Asen et al., Are You Spending Enough on Cybersecurity (Feb. 19,
2020), available at https://www.bcg.com/publications/2019/are-you-spending-enough-cybersecurity (noting ``[a]s the world becomes ever
more reliant on technology, and as cybercriminals refine and
intensify their attacks, organizations will need to spend more on
cybersecurity'').
---------------------------------------------------------------------------
The Commission recognizes that the proposed amendments to
Regulation SCI would impose costs on SCI entities, as well as costs on
certain members, participants, customers (in the case of SCI broker-
dealers), or third-party providers of SCI entities. The majority of
these costs would be direct compliance costs, which are discussed in
detail below for each requirement of proposed Regulation SCI. For
current SCI entities, these costs would relate to the areas of
Regulation SCI that are being amended. For new SCI entities, the costs
would relate to complying with the entirety of Regulation SCI,
including the proposed amendments. For current SCI entities, these
costs may be mitigated to the extent the SCI entity's current business
practices are already consistent with the proposed requirements, and
if, as a result of compliance, the SCI entity avoids the costs
associated with a systems failure or breach. Likewise, for new SCI
entities, these costs may be mitigated to the extent the SCI entity's
current business practices are already consistent with the requirements
of Regulation SCI, including the proposed amendments, and if, as a
result of compliance, the SCI entity avoids the costs associated with a
systems failure or breach.
Some portion of compliance costs could be economic transfers. This
may be the case if compliance with a particular provision entails
making use of certain third-party providers, and the market for third-
party provider services is not itself competitive.\699\ In such a case,
third-party providers would make economic profits from the services
they offer and the fees they charge, and some of the services fees
charged would be economic transfers from SCI entities to third-party
providers.
---------------------------------------------------------------------------
\699\ See, e.g., Yoon-Ho Alex Lee, SEC Rules, Stakeholder
Interests, and Cost-Benefit Analysis, 10 Mkts L.J. 311 (2015),
available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2541805 (retrieved from SSRN Elsevier
database; Yoon-Ho Alex Lee, The Efficiency Criterion of Securities
Regulation: Investor Welfare or Total Surplus?, 57 Ariz. L. Rev. 85
(2015), available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2406032 (retrieved from SSRN Elsevier
database.
---------------------------------------------------------------------------
The proposed amendments could have other potential costs. For
example, entities covered by the proposed rule frequently would need to
make systems changes to comply with new and amended rules and
regulations under Federal securities laws and SRO rules. For entities
that meet the definition of SCI entity, because they would need to
comply with the proposed amendments when they make systems changes, the
proposed amendments could increase the costs and time needed to make
systems changes to comply with new and amended rules and regulations.
The Commission requests comment on the nature of such additional costs
and time.
Request for Comment
The Commission requests comment on all aspects of the Overall
Benefits and Costs of Proposed Amendments discussion. In addition, the
Commission is requesting comment on the following specific aspects of
the discussion:
97. For new SCI entities, what activities do you currently perform
(either because you are required to or you have chosen to voluntarily)
that are already consistent with the requirements of Regulation SCI?
98. For new SCI entities and current SCI entities, can compliance
with Regulation SCI result in the benefits the Commission describes in
the analysis?
99. Are commenters aware of any data that can be used to quantify
any aspects of benefits?
100. The Commission seeks commenters' views regarding the
prospective costs, as well as the potential benefits, of applying
Regulation SCI to SBSDRs. Are there characteristics specific to SBSDRS
or the SBS market that would make applying Regulation SCI broadly or
any specific provision or proposed new provision Regulation SCI
challenging for
[[Page 23238]]
SBSDRs? How much time would an SBSDR reasonably need to come into
compliance with Regulation as proposed? Commenters should quantify the
costs of applying Regulation SCI to SBSDRs, to the extent possible.
Commenters are urged to address specifically each requirement of
Regulation SCI and note whether it would be reasonable to apply each
such requirement to SBSDRs and what the benefits and costs of such
application would be.
101. For current SCI entities, what activities do you currently
perform that are already consistent with the proposed amendments that
seek to strengthen the obligations of SCI entities?
102. Are the Commission's estimates of incremental compliance costs
owing to these proposed reasonable? Please note that the Commission
does not purport to estimate the total costs of all activities SCI
entities will perform in promoting the capacity, integrity, resiliency,
availability, and security of their automated systems. The Commission's
estimates pertain only to the increase in costs that will arise
directly as a result of having to comply with the specific provisions
of the proposed rules to the extent the covered entity has not already
been performing such activities on its own or pursuant to other
relevant rules or regulations.
103. What activities do you currently perform that go beyond the
proposed amendments to Regulation SCI?
104. For current SCI entities, will compliance with the proposed
amendments to Regulation SCI result in performing activities that go
significantly above and beyond their current approach to promoting the
capacity, integrity, resiliency, availability, and security of their
automated systems? In other words, will these new rules require a
significant rearranging of their resources beyond what they are already
complying with voluntarily?
105. What are the costs of Regulation SCI? Are commenters aware of
any data that can be used to quantify any aspects of costs?
2. Expansion to New SCI Entities
The Commission proposes to expand the definition of SCI entity to
encompass SBSDRs, certain broker-dealers, and additional clearing
agencies exempted from registration. These entities are key market
participants that play a significant role in the U.S. securities
markets and, in the event of a systems issues, they have the potential
to impact investors, the overall market, or the trading of individual
securities. Under the proposed amendments, the new SCI entities would
become subject to all provisions of Regulation SCI, including the
provisions that the Commission proposes to amend for SCI entities, as
discussed in section III.C of this release. We discuss in this section
the entities to which Regulation SCI would be extended, including the
rationale for doing so. The benefits and costs associated with applying
each of the Regulation SCI requirements to these entities are
subsequently discussed in section V.D.3.
The Commission preliminarily estimates that as a result of the
proposed amendments to the definition of ``SCI entity'' in Rule 1000,
there would be a total of 21 new SCI entities that would become subject
to the requirements of Regulation SCI. These include 2 SBSDRs, 17 SCI
broker-dealers, and 2 exempt clearing agencies.\700\ Generally,
inclusion of these new SCI entities in the amended definition is
expected to help ensure systems resiliency at such entities and reduce
the potential for incidents at these entities to have broad, disruptive
effects across the securities markets and for investors. Furthermore,
applying Regulation SCI to these entities increases market protections
by establishing these obligations under the Exchange Act so that the
Commission may enforce them directly and examine for compliance and
provides a uniform requirement for all SCI entities.
---------------------------------------------------------------------------
\700\ The Commission is estimating 23 new SCI entities in the
PRA section based on the PRA's forward-looking requirement to
account for persons to whom a collection of information is addressed
by the agency within any 12-month period. But for purposes of the
Economic Analysis, this section analyzes the baseline of existing
entities that will be new SCI entities and then predicts the cost to
those entities if the rule were to be adopted. Accordingly the
Economic Analysis assumes 21, rather than 23, new SCI entities.
---------------------------------------------------------------------------
a. SBSDRs
Currently, two SBSDRs are registered with the Commission and are
subject to Rule 13n-6. The SBSDRs registered with the Commission are
also registered with the CFTC as swap data repositories (SDRs) and
accordingly, with respect to systems of concern to the CFTC, are
subject to CFTC rules and regulations related to swap data
repositories, including the CFTC's System Safeguards rule.
Systems failures at SBSDRs can limit access to data, call into
question the integrity of data, and prevent market participants from
being able to report transaction data, and receive transaction data,
and thereby have a large impact on market confidence, risk exposure,
and market efficiency. For example, were an SBSDR to experience a
systems issue, market participants could be prevented from receiving
timely information regarding accurate prices for individual SBSs--such
as aggregate market exposures to referenced entities (instruments),
positions taken by individual entities or groups, and data elements
necessary for a person to determine the market value of the
transaction.\701\ This could contribute to market instability.
---------------------------------------------------------------------------
\701\ See Access to Data Obtained by Security-Based Swap Data
Repositories, Securities Exchange Act Release No. 78716 (Aug. 29,
2016), 81 FR 60585, 60594, 60605-6 (Sep. 2, 2016). In that release,
the Commission estimates that approximately 300 relevant authorities
may make requests for data from security-based swap data
repositories.
---------------------------------------------------------------------------
Having SBSDRs comply with Regulation SCI would reduce the risk of
system issues at SBSDRs and allow continued transparency and access to
data. As noted above in the baseline, SBSDRs are currently subject to
Rule 13n-6, which requires an SBSDR to ``establish, maintain, and
enforce written policies and procedures reasonably designed to ensure
that its systems provide adequate levels of capacity, integrity,
resiliency, availability, and security.'' However, as described in
detail below, the requirements of Regulation SCI that go beyond those
required in Rule 13n-6--such as policies and procedures that include
specific elements for infrastructure planning, up-to-date system
development and testing methodology, regular systems reviews and
testing, BC/DR planning, monitoring for SCI events, and standards to
facilitate successful collection, processing, and dissemination of
market data--should deliver benefits beyond those currently achieved
through Rule 13n-6.
The coverage of SBSDRs under the proposed amendments to Regulation
SCI would augment the current principles-based requirements for
policies and procedures on operational risk with detailed, more
specific requirements to help ensure that SBSDR market systems are
robust, resilient, and secure and that policies and procedures in place
at SBSDRs meet requirements necessary to maintain the robustness of
critical systems.
b. SCI Broker-Dealers
The Commission proposes to include certain broker-dealers--to be
referred to as ``SCI broker-dealers''--in the definition of SCI entity.
This expansion would be limited to broker-dealers that exceed one or
more size thresholds. The first proposed threshold is a total assets
test. This test scopes within Regulation SCI any broker-dealers with
five percent
[[Page 23239]]
(5%) or more of the total assets \702\ of all security brokers and
dealers during at least two of the four preceding calendar quarters
ending March 31, June 30, September 30, and December 31. The second
proposed threshold is a transaction activity test. This test scopes
within Regulation SCI any broker-dealer that transacted ten percent
(10%) or more of the total average daily dollar volume by applicable
reporting entities during at least four of the preceding six calendar
months in any of the following asset classes: NMS stocks, exchange-
listed options contracts, Agency Securities, or U.S. Treasury
Securities.
---------------------------------------------------------------------------
\702\ See supra note 169.
---------------------------------------------------------------------------
The Commission proposes to limit the definition of ``SCI systems''
for an SCI broker-dealer that qualifies as an SCI entity that satisfies
only one or more transaction activity thresholds.\703\ Specifically,
only those systems that relate to the asset class for which the trading
activity threshold is met (i.e., NMS stocks, exchange-listed options
contracts, Treasury Securities, or Agency Securities) would be ``SCI
systems'' or ``indirect SCI systems.'' \704\ Broker-dealers may have
multiple business lines and transact in different types of securities,
and the proposal reflects the Commission's preliminary conclusion that
systems related to asset classes that do not meet the rule's
transaction activity threshold are unlikely to pose risk to the
maintenance of fair and orderly markets if the systems with respect to
that type of security were unavailable (assuming the systems for the
distinct asset class are separate) relative to the burden of complying
with the regulation's more stringent requirements.
---------------------------------------------------------------------------
\703\ See section III.A.2.b(iv).
\704\ See section III.A.2.b(iv). As explained above in section
III.A.2.b.v, although crypto asset securities are not a separately
enumerated asset class for the volume threshold, the SCI systems and
indirect SCI systems pertaining to crypto asset securities that are
NMS stocks, exchange-listed options, U.S. Treasury Securities, or
Agency securities would be subject to Regulation SCI, including as
it is proposed to be amended, as discussed in section III. C, with
respect to the asset class for which the SCI broker-dealer satisfies
the threshold.
---------------------------------------------------------------------------
In contrast, no such limitation applies to an SCI broker-dealer
that qualifies as an SCI entity because it satisfies the total assets
threshold. In this case, broker-dealers that qualify as SCI entities
due to the total assets threshold are subject to Regulation SCI
requirements for all of its applicable systems, regardless of the asset
classes such systems relate to.\705\ As discussed in section
III.A.2.b.iii, this approach with respect to the total assets threshold
takes into consideration the multiple roles that the largest broker-
dealers play in the U.S. securities markets. Not only do some of the
largest broker-dealers generate liquidity in multiple types of
securities, but many also operate multiple types of trading platforms.
Entities with assets at this level also take risks that they may seek
to hedge across asset classes, in some cases using ``central risk
books'' for that and other purposes, and engage in routing substantial
order flow to other trading venues. For these reasons, the Commission
believes that systems issues at firms having assets at this level could
have the potential to impact investors, the overall market, and the
trading of individual securities, following a systems failure in any
market in which they operate.
---------------------------------------------------------------------------
\705\ As explained above, any system of an SCI broker-dealer
meeting the total asset threshold that pertains to any type of
security, including crypto asset securities, that meets the
definition of SCI systems or indirect SCI systems would be covered
by Regulation SCI.
---------------------------------------------------------------------------
The Commission estimates that there would be 17 SCI broker-dealers,
five of which would satisfy both the total assets threshold and at
least one of the transaction activity thresholds, and twelve others of
which would satisfy at least one of the transaction activity
thresholds.\706\ As discussed in section V.B.1.b.i, figure 6 (Panel A)
shows the distribution of all registered broker-dealer firms between Q4
2021 and Q3 2022 by level of total assets. Figure 6 (Panel B)
represents the distribution of all registered broker-dealer firms by
percentage of aggregate total assets.\707\ It shows that five firms
accounted for roughly half of broker-dealer aggregate total assets and
thus each could pose a substantial risk to the maintenance of fair and
orderly markets in the event of a systems issue. During all four
quarters from Q4 2021 to Q3 2022, all five firms reported to the
Commission, on Form X-17A-5 (Sec. 249.617), total assets in an amount
that equals five percent (5%) or more of the total assets of all
security brokers and dealers.\708\ Figures 7 through 10 represent the
distribution by level of transaction activity as measured by average
daily dollar volume \709\ (Panel A) and the distribution of firms by
percentage of transaction activity \710\ (Panel B) for each of four
asset classes including NMS stocks, exchange-listed options, U.S.
Treasury Securities, and Agency Securities respectively.\711\ These
figures clearly show that a few firms consistently accounted for a
significant percentage of transaction activity over the six month
period and thus each could pose a substantial risk to the maintenance
of fair and orderly markets in the event of a systems issue. During at
least four months of the six month period, six NMS stocks trading
firms, six exchange-listed options contracts trading firms, four U.S.
Treasury Securities trading firms, and six Agency Securities trading
firms transacted average daily dollar volume in an amount that equals
ten percent (10%) or more of the total average daily dollar of the
corresponding markets. Most of these firms transacted more than ten
percent (10%) during all six months.\712\
---------------------------------------------------------------------------
\706\ See section III.A.2.b(iv).
\707\ Panel A and Panel B in figure 6 show the same information
as in figure 1 in section V.B.1.b.i., but with 5% threshold lines
added. The threshold line in Panel A shows the average of 5% of
aggregate total assets in each quarter from Q4 2021 to Q3 2022.
\708\ Each of these firms would satisfy the proposed total
assets thresholds for an ``SCI broker-dealer''. See section
III.A.2.b.iii (discussing proposed thresholds for an ``SCI broker-
dealer'').
\709\ These measures are described in more detail in section
III.A.2.b.iii.
\710\ Id.
\711\ Panel A and Panel B in figures 7 through 10 show the same
information as in figures 2 through 5 in section V.B.1.b.i., but
with 10% threshold lines added. The threshold line in each Panel A
shows the average of 10% of aggregate average daily dollar volume
reported to the plan processors (SIPs) of the CTA/CQ Plans and
Nasdaq UTP Plan, OPRA Plan, or FINRA TRACE in each respective asset
class from Jan. 2022 to June 2022. The threshold line in each Panel
B equals 10%.
\712\ Each of these firms would satisfy the proposed transaction
activity thresholds for an ``SCI broker-dealer''. See section
III.A.2.b.iii (discussing proposed thresholds for an ``SCI broker-
dealer'').
---------------------------------------------------------------------------
These large broker-dealers, by virtue of the total assets or
transaction activity each represents over a period of time, play a
significant role in the orderly functioning of U.S. securities markets.
If such a broker-dealer was adversely affected by a system issue, then
the impact could not only affect the broker-dealer's own customers, but
also disrupt the overall market, by compromising or removing
significant liquidity from the market, interrupting the price discovery
process, or indirectly contributing to capacity issues at other broker-
dealers.\713\
---------------------------------------------------------------------------
\713\ See section III.A.2.b(iv).
---------------------------------------------------------------------------
Application of Regulation SCI is expected to reduce the likelihood
of system issues at these largest broker-dealers as well as mitigate
the effects of any such event. While it is possible that these broker-
dealers may have systems in place due to market-based incentives, there
are reasons to believe that these incentives may be insufficient.
First, as mentioned in section V.C.1, a well-functioning financial
system is a public good.\714\ Second, investment in SCI
[[Page 23240]]
systems takes the form of a hidden-action problem. As such, due to
principal-agent conflict, it may not be possible for customers or
counterparties to observe the degree of investment in SCI systems and
thus to provide market-based discipline from underinvestment. In this
case, a broker-dealer's investment in SCI systems would offer benefits
to customers and counterparties who might incur switching costs to find
a different broker if a substantial systems issue occurred. These
benefits are likely to be especially high for market participants who
rely on a single counterparty (such as is sometimes the case in
Treasury securities and prime brokerage relationships), and for retail
investors who have invested in the relationship with a single retail
broker.
---------------------------------------------------------------------------
\714\ Since broker-dealers are not compensated for the positive
impact that their systems investments have on other entities, they
lack sufficient incentives to invest on others' behalf. See, for
instance, Mazaher Kianpour et al., Advancing the concept of
cybersecurity as a public good, 116 Simulation Modeling Practice and
Theory 102493 (2022).
---------------------------------------------------------------------------
BILLING CODE 8011-01-P
[GRAPHIC] [TIFF OMITTED] TP14AP23.005
[GRAPHIC] [TIFF OMITTED] TP14AP23.006
[[Page 23241]]
[GRAPHIC] [TIFF OMITTED] TP14AP23.007
[GRAPHIC] [TIFF OMITTED] TP14AP23.008
[GRAPHIC] [TIFF OMITTED] TP14AP23.009
[[Page 23242]]
BILLING CODE 8011-01-C
c. Additional Exempt Clearing Agencies
The proposed amendments would expand the scope of exempt clearing
agencies covered by Regulation SCI to include two new exempt clearing
agencies: Euroclear Bank SA/NV and Clearstream Banking, S.A. These
exempt clearing agencies are not currently subject to Regulation SCI
because Regulation SCI was initially limited to those exempt clearing
agencies that were ``subject to ARP'' and these exempt clearing
agencies are not subject to ARP. At the time it adopted Regulation SCI,
the Commission stated it was taking a measured approach in applying
requirements primarily to entities already covered under the ARP
Inspection Program.\715\
---------------------------------------------------------------------------
\715\ SCI Adopting Release, supra note 1, at 72259.
---------------------------------------------------------------------------
The exempt clearing agencies not subject to ARP that the Commission
proposes to scope into Regulation SCI provide CSD functions for
transactions in U.S. securities between U.S. and non-U.S. persons using
similar technologies as registered clearing agencies that are subject
to Regulation SCI.\716\ The technology systems that underpin operations
of these exempt clearing agencies are critical systems that centralize
and automate clearance and settlement functions for the global
financial markets.\717\ Such systems concentrate risk in the clearing
agency.\718\ A disruption to a clearing agency's operations, or failure
on the part of a clearing agency to meet its obligations, could
therefore serve as a source of contagion, resulting in significant
costs not only to the clearing agency itself and its participants but
also to other market participants across the U.S. financial
system.\719\ For example, an SCI event could cause a delay or
disruption in the settlement process with respect to certain
securities, leading to a decrease in liquidity. Trading firms could be
unwilling or unable to enter into new positions should prior trades
suffer settlement timing delays requiring posting of additional margin
at clearing agencies and the assumption of additional risk by trading
firms.
---------------------------------------------------------------------------
\716\ See section III.A.2.c.
\717\ See section III.A.2.c.
\718\ See generally Albert J. Menkveld & Guillaume Vuillemey,
The Economics of Central Clearing, 13 Ann. Rev. Fin. Econ. 153
(2021), available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3957021 (retrieved from SSRN Elsevier
database). See also Paolo Saguato, Financial Regulation, Corporate
Governance, and the Hidden Costs of Clearinghouses, 82 Ohio St. L.J.
1071, 1074-75 (2022), available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3269060 (retrieved from SSRN Elsevier
database) (``[T]he decision to centralize risk in clearinghouses
made them critical for the stability of the financial system, to the
point that they are considered not only too-big-to-fail, but also
too-important-to-fail institutions.'').
\719\ See generally Dietrich Domanski, et al., Central Clearing:
Trends and Current Issues, BIS Q. Rev. (Dec. 2015), available at
https://www.bis.org/publ/qtrpdf/r_qt1512g.pdf (describing links
between CCP financial risk management and systemic risk); Darrell
Duffie, et al., Policy Perspectives on OTC Derivatives Market
Infrastructure, Fed. Res. Bank N.Y. Staff Rep. No. 424, at 9 (Mar.
2010), available at https://ssrn.com/abstract=1534729 (retrieved
from SSRN Elsevier database) (``If a CCP is successful in clearing a
large quantity of derivatives trades, the CCP is itself a
systemically important financial institution. The failure of a CCP
could suddenly expose many major market participants to losses. Any
such failure, moreover, is likely to have been triggered by the
failure of one or more large clearing agency participants, and
therefore to occur during a period of extreme market fragility.'');
Craig Pirrong, The Inefficiency of Clearing Mandates, Policy
Analysis No. 655, at 11-14, 16-17, 24-26 (July 2010), available at
https://www.cato.org/pubs/pas/PA665.pdf (stating, among other
things, that ``CCPs are concentrated points of potential failure
that can create their own systemic risks,'' that ``[a]t most,
creation of CCPs changes the topology of the network of connections
among firms, but it does not eliminate these connections,'' that
clearing may lead speculators and hedgers to take larger positions,
that a CCP's failure to effectively price counterparty risks may
lead to moral hazard and adverse selection problems, that the main
effect of clearing would be to ``redistribute losses consequent to a
bankruptcy or run,'' and that clearing entities have failed or come
under stress in the past, including in connection with the 1987
market break); Glenn Hubbard et al., Report of the Task Force on
Financial Stability 96, Brookings Inst.(June 2021), available at
https://www.brookings.edu/wp-content/uploads/2021/06/financial-stability_report.pdf (``In short, the systemic consequences from a
failure of a major CCP, or worse, multiple CCPs, would be severe.
Pervasive reforms of derivatives markets following 2008 are, in
effect, unfinished business; the systemic risk of CCPs has been
exacerbated and left unaddressed.''); Froukelien Wendt, Central
Counterparties: Addressing their Too Important to Fail Nature (IMF
Working Paper No. 15/21, Jan. 2015), available at https://www.imf.org/external/pubs/ft/wp/2015/wp1521.pdf (assessing the
potential channels for contagion arising from CCP
interconnectedness); Manmohan Singh, Making OTC Derivatives Safe--A
Fresh Look (IMF Working Paper No. 11/66, Mar. 2011), at 5-11,
available at https://www.imf.org/external/pubs/ft/wp/2011/wp1166.pdf
(retrieved from SSRN Elsevier database) (addressing factors that
could lead central counterparties to be ``risk nodes'' that may
threaten systemic disruption).
---------------------------------------------------------------------------
Notably, Euroclear Bank SA/NV and Clearstream Banking, S.A. are
already subject to Europe's CSDR, which has Operational Risk rules
(Article 45) that includes many requirements that may align with those
in Regulation SCI.\720\ Additionally, the Commission exemptive order
for one of the exempt clearing agencies requires certain provisions
that are consistent with those in Regulation SCI.
---------------------------------------------------------------------------
\720\ The two exempt clearing agencies may also be subject to
the EU Regulation, the Digital Operational Resilience Act (DORA),
which went into effect in 2015: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020PC0595.
---------------------------------------------------------------------------
3. Specific Benefits and Costs of Regulation SCI Requirements for All
SCI Entities
a. Rule 1001--Policies and Procedures
Rule 1001(a) through (c) sets forth requirements relating to the
written policies and procedures that SCI entities are required to
establish, maintain, and enforce. New SCI entities will need to comply
with these requirements for the first time. In addition, the Commission
is proposing to amend portions of Rule 1001(a), which will affect
existing SCI entities as well. We discuss the benefits and costs of
applying existing provisions to new SCI entities, as well as the
benefits and costs of the amendments for both new and existing
entities, below. We also discuss below the economic effects of these
changes specific to the new SCI entities.
i. Benefits
(1) Provisions Applicable Only to New SCI Entities
Rule 1001 requires certain policies and procedures for SCI
entities. We consider here the provisions under Rule 1001 that we are
not amending and therefore will only have an impact on SCI entities,
relative to the baseline. We separately consider the provisions that we
propose to amend in the following section, for both new and existing
SCI entities.
(i) Capacity, Integrity, Resiliency, Availability, and Security (Rule
1001(a)(1), (a)(2)(i) Through (iv), (vi), and (vii))
Rule 1001(a)(1) requires that each SCI entity establish, maintain,
and enforce written policies and procedures reasonably designed to
ensure that its SCI systems and, for purposes of security standards,
indirect SCI systems, have levels of capacity, integrity, resiliency,
availability, and security, adequate to maintain the SCI entity's
operational capability and promote the maintenance of fair and orderly
markets. Rule 1001(a)(2)(i) through (iv), (vi), and (vii) prescribe
certain minimum requirements for an SCI entity's policies and
procedures. The Commission is not amending paragraphs (a)(1) and
(a)(2)(i) through (iv), (vi), or (vii), and therefore current SCI
entities will not be affected whereas new SCI entities will become
subject to these provisions for the first time.
Generally, the requirements to establish policies and procedures in
Rule 1001(a)(1) should help ensure more robust systems that help reduce
the risk and incidence of systems issues affecting the markets by
imposing requirements on new entities that are
[[Page 23243]]
not currently subject to Regulation SCI and by covering systems and
events that are not currently within the scope of existing regulations
and current practices.\721\ In addition, the required policies and
procedures may help new SCI entities recover more quickly from SCI
events that do occur.
---------------------------------------------------------------------------
\721\ The potential adverse effects of systems failures are
described in section V.C.2. for each type of new SCI entity.
Benefits to new SCI entities from a reduction in the risk and
incidents of systems issues would arise from a reduction in these
adverse effects.
---------------------------------------------------------------------------
Application of Rule 1001(a)(2)(i) through (iv), (vi), and (vii) to
the new SCI entities is expected to benefit securities markets and
market participants by leading to the establishment, maintenance, and
enforcement of policies and procedures for these entities related to
current and future capacity planning; periodic stress testing; systems
development and testing methodology; and reviews and testing to
identify vulnerabilities; standards for market data collection,
processing, and dissemination; and monitoring to identify potential
systems problems. These requirements should reduce the risk and
incidence of systems issues, such as systems disruptions and systems
intrusions. This, in turn, could reduce interruptions in the price
discovery process and liquidity flows. Systems issues that directly
inhibit execution facilities, order matching, and dissemination of
market data could cause slow executions or delayed orders, or cause
inoperability of an SCI entity for a period of time. If executions were
delayed by a systems disruption in an SCI system related to a trading,
order routing, clearance and settlement, or market data system, given
the magnitude of the transaction activity in which SCI entities
consistently engage, the delay could have cascading effects disruptive
to the broader market.\722\
---------------------------------------------------------------------------
\722\ See supra note 197.
---------------------------------------------------------------------------
In addition, Rule 1001(a)(2)(vi) provides that an SCI entity's
policies and procedures must include standards that result in systems
being designed, developed, tested, maintained, operated, and surveilled
in a manner that facilitates the successful collection, processing, and
dissemination of market data. Rule 1001(a)(2)(vi) is expected to help
ensure that timely and accurate market data are made available by new
SCI entities. Market participants rely on market data in a variety of
ways, including for making markets, formulating trading algorithms, and
placing orders, among others. Although new SCI entities currently
facilitate the successful collection, processing, and dissemination of
market data, improvements in timeliness and accuracy of the generation
of market data inputs would help further ensure pricing efficiencies
and uninterrupted liquidity flows in markets.
Similarly, by requiring policies and procedures for monitoring
systems to identify potential SCI events, Rule 1001(a)(2)(vii) may help
ensure that new SCI entities identify potential SCI events, which could
allow them to prevent some SCI events from occurring or to take timely
appropriate corrective action after the occurrence of SCI events. As
discussed above, reducing the frequency and duration of SCI events or
reducing the duration of SCI events that disrupt markets would reduce
pricing inefficiencies and promote price discovery and liquidity.
In general, setting forth policies and procedures with regard to
capacity planning, stress testing, systems development and testing
methodology, and reviews and testing to identify vulnerabilities could
yield benefits to market participants and new SCI entities, including a
potential reduction in the likelihood, duration, or severity of SCI
events, thus helping to contain losses from these events, as described
above.\723\ Capacity planning and stress testing are necessary to help
an SCI entity determine its systems' ability to process transactions in
an accurate, timely, and efficient manner, and thereby help ensure
market integrity. Development and testing systems are important in
ensuring the reliability and resiliency of SCI systems. The potential
adverse effects of systems failures are described in section V.C.2. for
each type of new SCI entity. More reliable and resilient systems should
help reduce the occurrence of SCI events and improve systems uptime for
the new SCI entities, and thus possibly result in a reduction in losses
due to SCI events and a reduction in these adverse effects.
Furthermore, the use of inadequately tested software in production
could result in substantial losses to market participants if it does
not function as intended. For instance, if software malfunctions, it
might not execute or route orders as intended and also could have
unintended effects on quoted prices and the actual prices at which
orders execute. Additionally, if a system's capacity thresholds are
improperly estimated, it may become congested, resulting in higher
indirect transaction costs due to lower execution quality (e.g.,
decrease in order fill rates).
---------------------------------------------------------------------------
\723\ See section V.D.1.
---------------------------------------------------------------------------
The Commission recognizes that the new SCI entities are subject to
existing policies and procedures obligations as discussed in the
baseline. Pursuant to those obligations, the new SCI entities may
already engage in practices that are similar to certain requirements
under Regulation SCI. To the extent that the existing policies and
procedures are similar to those reflected in Regulation SCI, the
magnitude of the costs and benefits discussed above that stem from the
application of those policies and procedures will be correspondingly
reduced. However, costs and benefits that arise from obligations under
Regulation SCI that differ from those existing obligations, such as
reporting to the Commission will be maintained.
While some of the existing regulations that apply to the proposed
new SCI entities may be consistent with or similar to the policy and
procedure requirements of Regulation SCI discussed in this section, the
Commission believes it is nevertheless appropriate to apply these
policy and procedure requirements to the new SCI entities and doing so
would benefit participants in the securities markets in which these
entities operate. Applying Regulation SCI to these entities increases
market protections by establishing these obligations under the Exchange
Act so that the Commission may enforce them directly and examine for
compliance and provides a uniform mandatory requirement that will
ensure their continued application.
In addition, some new SCI entities may already be voluntarily
implementing policies and procedures consistent with the requirements
of Regulation SCI. The magnitude of the benefits (and associated costs,
as discussed below) from the policy and procedure requirements in Rule
1001(a)(1) and (a)(2)(i) through (iv), (vi), and (vii) for the new SCI
entities (and the costs, as discussed below), will therefore depend on
the extent to which their current operations already align with the
rule's requirements, given both existing regulation and current
practice. However, the Commission believes the application of
Regulation SCI is still necessary. For example, while SBSDRs that also
function as SDRs in the swap markets, may currently apply the CFTC
rules to their securities-based swap markets as well as their swaps
markets, the CFTC rules only apply to their swap market SDR systems.
Therefore, applying Regulation SCI to SBSDRs would help to ensure that
the systems relevant to the securities markets are subject to a
requirement to have levels of capacity, integrity, resiliency,
availability, and security adequate to maintain their operational
capability and promote the maintenance of fair
[[Page 23244]]
and orderly markets and are subject to enhanced Commission oversight.
Additionally, with respect to SBSDRs, the requirements of
Regulation SCI are more specific and comprehensive than the principles-
based requirements of Rule 13n-6. The requirements of Regulation SCI
would thus exist and operate in conjunction with Rule 13n-6, helping
ensure that SBSDR market systems are robust, resilient, and secure and
enhancing Commission oversight of the these systems.
Similarly, application of Regulation SCI to broker-dealers would
complement existing requirements and enhance the policies and
procedures already in place for these entities. For example, the Market
Access Rule prescribes specific controls and procedures around a
broker-dealer entering orders on an exchange or ATS, but the policy and
procedure requirements of Regulation SCI are broader in scope and are
designed to ensure that the key technology pervasive and important to
the functioning of the U.S. securities markets is robust, resilient,
and secure. Further, the SCI review requirement obligates an SCI entity
to assess the risks of its systems and effectiveness of its technology
controls at least annually, identify weaknesses, and ensure compliance
with the safeguards of Regulation SCI. In addition, with respect to the
requirements concerning the collection, processing, and dissemination
of market data, Regulation SCI extends beyond existing requirements to
include SCI systems directly supporting proprietary market data, which
will provide additional benefits to market participants. Further while
Rule 17a-3 has a notification requirement when a broker-dealer fails to
make and keep current the records required by that Rule, Regulation SCI
more directly addresses mitigating the impact of technology failures
with respect to SCI systems and indirect SCI systems (which include
systems that are not used to make and keep current the records required
by Rule 17a-3) and requires notifications to the Commission for a
different set of events--systems intrusions, systems compliance issues,
and systems disruptions--than the notification requirements of 17 CFR
240.17a-11 (``Rule 17a-11'').
Likewise, while FINRA Rule 4370 requires broker-dealers to maintain
business contingency and disaster recovery plans, it does not include
the requirement that the business continuity and disaster recovery
plans be reasonably designed to achieve next business day resumption of
trading and two-hour resumption of critical SCI systems following a
wide-scale disruption, nor does it require the functional and
performance testing and coordination of industry or sector-testing of
such plans, which are instrumental in achieving the goals of Regulation
SCI with respect to SCI entities.
Finally, with respect to the exempt clearing agencies not subject
to ARP, subjecting these entities to the policy and procedure
requirements of Regulation SCI will ensure that uniform, minimum
requirements regarding capacity, integrity, resiliency, availability,
and security applies to all exempt clearing agencies. Although some of
the conditions underlying the exemptive orders for the two exempt
clearing agencies that would be subject to Regulation SCI under the
proposed amendments may be consistent with Regulation SCI's policy and
procedure requirements, the conditions vary across the agencies and in
their similarity to the Regulation SCI requirements. As these exempt
clearly agencies and other entities that they interact with become more
technologically innovative and interconnected, applying a uniform,
minimum set of requirements will improve the Commission's oversight and
better ensure the resiliency of the markets in which they operate.
Overall, applying the specific and comprehensive requirements set
forth in Rule (a)(2)(i) through (iv), (vi), and (vii) of Regulation SCI
to the new SCI entities would create a uniform, mandatory framework
under the Commission's oversight thereby furthering the goals of
Regulation SCI to strengthen the technology infrastructure of the U.S.
securities markets and improve its resilience.
(ii) Systems Compliance (Rule 1001(b))
Rule 1001(b)(1) requires each SCI entity to establish, maintain,
and enforce written policies and procedures reasonably designed to
ensure that its SCI systems operate in a manner that complies with the
Exchange Act and the rules and regulations thereunder, and the entity's
rules and governing documents, as applicable. Rule 1001(b)(2)(i)
through (iv) provides that an SCI entity's policies and procedures
under Rule 1001(b)(1) must include, at a minimum: (i) testing of all
SCI systems and any changes to SCI systems prior to implementation;
(ii) a system of internal controls over changes to SCI systems; (iii) a
plan for assessments of the functionality of SCI systems designed to
detect systems compliance issues, including by responsible SCI
personnel and by personnel familiar with applicable provisions of the
Exchange Act and the rules and regulations thereunder and the SCI
entity's rules and governing documents; and (iv) a plan of coordination
and communication between regulatory and other personnel of the SCI
entity, including by responsible SCI personnel, regarding SCI systems
design, changes, testing, and controls designed to detect and prevent
systems compliance issues.
These provisions remain unchanged and do not create any new
requirement for current SCI entities. New SCI entities, however, would
become subject to these provisions for the first time. The Commission
recognizes that new SCI entities currently take various measures to
ensure that their systems operate in a manner that complies with
relevant laws and rules. The specific requirements of Rule 1001(b) will
further ensure that new SCI entities operate their SCI systems in
compliance with the Exchange Act and relevant rules. For example, the
tests under Rule 1001(b)(2)(i) should help new SCI entities to identify
potential compliance issues before new systems or systems changes are
implemented; the internal controls under 17 CFR 242.1001(b)(2)(ii)
(``Rule 1001(b)(2)(ii)'') should help to ensure that new SCI entities
remain vigilant against compliance challenges when changing their
systems and resolve potential noncompliance before the changes are
implemented; and the systems assessment plans under 17 CFR
242.1001(b)(2)(iii) (``Rule 1001(b)(2)(iii)'') and the coordination and
communication plans under Rule 1001(b)(2)(iv) should help technology,
regulatory, and other relevant personnel of new SCI entities to work
together to prevent compliance issues, and to promptly identify and
address compliance issues if they occur.\724\ To the extent that new
SCI entities operate market regulation and market surveillance systems,
and to the extent that compliance with Rule 1001(b) reduces the
occurrence of systems compliance issues, Rule 1001(b) should advance
investor protection.\725\
---------------------------------------------------------------------------
\724\ See SCI Adopting Release, at 72422.
\725\ See id. at 72410 and 72422; see also section III.A.2.b.ii
(policies and procedures, including those for system compliance, are
expected to strengthen broker-dealers' operational capabilities
independent of any specific SCI event affecting their technology
supporting trading, clearance and settlement, order routing, market
data, market regulation, and market surveillance).
---------------------------------------------------------------------------
(iii) Responsible SCI Personnel (17 CFR 242.1001(c)(1) (``Rule
1001(c)(1)''))
Rule 1001(c)(1) requires an SCI entity to establish, maintain, and
enforce reasonably designed written policies and procedures that
include the criteria
[[Page 23245]]
for identifying responsible SCI personnel, the designation and
documentation of responsible SCI personnel, and escalation procedures
to quickly inform responsible SCI personnel of potential SCI events.
This provision remains unchanged and does not create any new
requirement for current SCI entities. New SCI entities, however, will
become subject to this provision for the first time.
Requiring policies and procedures to identify and designate
responsible SCI personnel and to establish escalation procedures to
quickly inform such personnel of potential SCI events should help to
effectively determine whether an SCI event occurred and what
appropriate actions should be taken without unnecessary delay. As such,
Rule 1001(c)(1) is expected to reduce the duration of SCI events as new
SCI entities become aware of them and take appropriate corrective
actions more quickly. The reduction in the duration of SCI events would
benefit markets and their participants as it would promote pricing
efficiency and price discovery.
The Commission recognizes that the new SCI entities currently have
certain regulatory obligations that may align with certain requirements
of Rule 1001(c)(1), as described in the baseline, and in addition the
new SCI entities may already be voluntarily implementing policies and
procedures that may align with certain requirements of Rule 1001(c)(1).
For example, SBSDRs and exempt clearing agencies may have policies and
procedures that identify roles and responsibilities for key personnel
as well as appropriate escalation procedures including designation and
documentation of responsible personnel as noted above.\726\ Likewise,
as discussed above,\727\ broker-dealers may have policies and
procedures for designating employees with specific roles and
responsibilities and escalation procedures documented in their incident
response plans. As discussed above, the extent of these benefits (and
related costs, as discussed below) would depend in part on how closely
the existing policies and procedures of the new SCI entities align with
the specific requirements of Rule 1000(c)(1).
---------------------------------------------------------------------------
\726\ See sec. V.B.1.a.ii and V.B.1.c.ii.
\727\ See section V.B.1.b.ii.
---------------------------------------------------------------------------
(iv) Periodic Reviews of Policies and Procedures and Prompt Remedial
Actions (Rule 1001(a)(3), (b)(3), (c)(2))
Rule 1001(a)(3), (b)(3), and (c)(2) require each SCI entity to
periodically review the effectiveness of the policies and procedures
required under Rule 1001(a) through (c) related to capacity, integrity,
resiliency, availability, and security; systems compliance; and
responsible SCI personnel, respectively, and to take prompt action to
remedy deficiencies in such policies and procedures. These provisions
remain unchanged since the adoption of Regulation SCI in 2014, but new
SCI entities will become subject to them for the first time.
Requiring periodic review of the policies and procedures and
remedial actions to address any deficiencies in the policies and
procedures would help to ensure that new SCI entities maintain robust
policies and procedures and update them when necessary so that the
benefits of Rule 1001(a) through (c) as discussed in section V.C.1
should continue to be realized. For example, Rule 1001(a)(3), (b)(3),
and (c)(2) should help to decrease the number of trading interruptions
due to system issues in new SCI entities. It should lead to fewer
interruptions in the price discovery process \728\ and liquidity flows,
thus, may result in fewer periods with pricing inefficiencies. Further,
because interruptions in liquidity flows and the price discovery
process in one security can affect securities trading in other markets,
reducing trading interruptions could have broad effects.
---------------------------------------------------------------------------
\728\ The price discovery process involves trading--buyers and
sellers arriving at a transaction price for a specific asset at a
given time. Thus, generally, any trading interruptions would
interfere with the price discovery process.
---------------------------------------------------------------------------
As with the other requirements of Regulation SCI previously
discussed, the Commission acknowledges that the new SCI entities are
subject to existing regulations, and the extent of the benefits (and
costs, as discussed below) will depend on how closely their current
policies and procedures align with the requirements for review and
remedial action under Rule 1001(a)(3), (b)(3), and (c)(2). The SBSDRs
registered with the Commission are registered with the CFTC as swap
data repositories (SDRs) and, with respect to systems of concern to the
CFTC, are subject to CFTC's rules that require these entities to
conduct periodic reviews of automated systems and business continuity-
disaster recovery capabilities.\729\ While such entities may apply the
CFTC rules to the entirety of their repositories, the CFTC rules do not
apply to the SBSDR and its security-based swap related systems.
Therefore, applying Rule 1001(a)(3), (b)(3), and (c)(2) to SBSDRs would
ensure periodic reviews of the effectiveness of policies and procedures
specifically related to SCI systems and create a uniform, mandatory
framework under the Commission's oversight.
---------------------------------------------------------------------------
\729\ See 17 CFR 49.24(j); 17 CFR 49.24(m); 17 CFR 49.24(b)(3).
---------------------------------------------------------------------------
Similarly, SCI broker-dealers also are required under FINRA Rule
4370 to conduct an annual review of the business continuity and
disaster recovery plans.\730\ Further, as noted above, the two exempt
clearing agencies are required to report at least on an annual basis to
the competent authority regarding their compliance with CSDR, including
on their operational risk management framework and systems and their
information security framework.\731\ The exempt clearing agencies must
also periodically test and review the operational arrangements and
policies and procedures with users. Additionally, the exemptive order
for one of the exempted clearing agencies requires a review of policies
and procedures and reporting on the status of policies and procedures
to the Commission. To the extent that that the broker-dealers and the
exempt clearing agencies increase the scope of the review of their
policies and procedures related to capacity, integrity, resiliency,
availability, and security; systems compliance; and responsible SCI
personnel, and take prompt action to remedy deficiencies, the exempt
clearing agencies, broker-dealers and their customers will benefit from
application of Rule 1001(a)(3), (b)(3), and (c)(2) and create a
uniform, mandatory framework under the Commission's oversight.
---------------------------------------------------------------------------
\730\ See sec. V.B.1.b.ii.
\731\ See sec. V.B.1.c.ii.
---------------------------------------------------------------------------
(2) Amended Provisions Applicable to Current and New SCI Entities
The Commission is proposing to amend Rule 1001(a)(2)(v)--to add to
that provision a requirement that business continuity and disaster
recovery plans be reasonably designed to address the unavailability of
any third-party provider that provides functionality, support, or
service to the SCI entity without which there would be a material
impact on any of its critical SCI systems--and add several new
provisions in Rule 1001(a)(2), including proposed Rule 1001(a)(2)(viii)
(systems classifications and lifecycle management programs); proposed
Rule 1001(a)(2)(ix) (third-party provider management program); proposed
Rule 1001(a)(2)(x) (a program to prevent the unauthorized access to
such systems and information residing therein); and proposed Rule
1001(a)(2)(xi) (identification of the relevant current industry
standard claimed as a safe harbor, if any). In addition, we are
[[Page 23246]]
proposing to amend Rule 1001(a)(4) to clarify that policies and
procedures that are consistent with current SCI industry standards
provide a safe harbor with respect to the requirement that such
policies and procedures be reasonably designed. These amendments would
impact both new and existing SCI entities.
(i) Business Continuity and Disaster Recovery Plans (Rule
1001(a)(2)(v))
Rule 1001(a)(2)(v) currently requires SCI entities' policies and
procedures to set forth business continuity and disaster recovery plans
that include maintaining backup and recovery capabilities sufficiently
resilient and geographically diverse and that are reasonably designed
to achieve next business day resumption of trading and two-hour
resumption of critical SCI systems following a wide-scale disruption.
The Commission is proposing to also require that such plans are
reasonably designed to address the unavailability of any third-party
provider that provides functionality, support, or service to the SCI
entity, without which there would be a material impact on any of its
critical SCI systems.
With respect to the existing requirements that will remain
unchanged, these would only affect new SCI entities and not create any
new requirement for current SCI entities. Requiring business continuity
and disaster recovery plans increases the likelihood that the markets
in which they participate will continue to function, and SCI systems
can resume operation in a timely manner, even when there are
significant outages to SCI systems. Rule 1001(a)(2)(v), among other
things, is expected to help ensure prompt resumption of all critical
SCI systems, which in turn is expected to help minimize interruptions
in trading and clearance and settlement after a wide-scale disruption.
Notably, in the case of a wide-scale disruption, multiple SCI entities
may be affected by the same incident at the same time. Given that U.S.
securities market infrastructure is concentrated in relatively few
areas, such as New York City, New Jersey, and Chicago, maintaining
backup and recovery capabilities that are geographically diverse could
facilitate resumption in trading and critical SCI systems following
wide-scale market disruptions.\732\ Reducing the frequency and duration
of trading interruptions would promote pricing efficiency, price
discovery, and liquidity flows in markets.
---------------------------------------------------------------------------
\732\ As discussed in section III.C.2, the geographic diversity
of data center sites is an important consideration even where an SCI
entity uses CSPs as its business continuity and disaster recovery
service providers.
---------------------------------------------------------------------------
With respect to the new requirement on the unavailability of third-
party providers, both new and current SCI entities will be affected.
Financial institutions, including SCI entities, have become
increasingly dependent on third parties--such as cloud service
providers--to operate their businesses and provide their services.\733\
The proposed requirement for business continuity and disaster recovery
plans to address the unavailability of any third-party provider would
help ensure that SCI entities are appropriately prepared for
contingencies relating to a third-party provider with respect to
critical SCI systems., including the potential for an extended outage,
if, for example the third-party provider goes into bankruptcy or
dissolves, or if it breaches its contract and decides to suddenly,
unilaterally, and/or permanently cease to provide the SCI entity's
critical SCI systems with functionality, support, or service.
---------------------------------------------------------------------------
\733\ See supra sec. V.B.4. and note 687.
---------------------------------------------------------------------------
The Commission understands that some new SCI entities are already
subject to similar requirements and may already have policies and
procedures that may align with Rule 1001(a)(2)(v),\734\ while others
may need to make more significant changes to their current policies,
procedures and practices. As discussed above, the extent of the
benefits (and costs, as discussed below) will depend on how closely the
new SCI entities' current policies and procedures align with the
requirements of 1001(a)(2)(v), including the proposed amendment. With
respect to SBSDRs, which are also registered as SDRs with the CFTC, the
CFTC's System Safeguard rule sets forth requirements for swap data
repositories to establish and maintain emergency procedures,
geographically diverse \735\ backup facilities, and a business
continuity-disaster recovery plan that allows for the timely recovery
and resumption of next day operations following the disruption. While
such entities may apply the CFTC rules to the entirety of their
repositories, the CFTC rules do not apply to the SBSDR and its
security-based swap related systems. Therefore, Rule 1001(a)(2)(v)
would help ensure SBSDR's have in place for their SCI systems business
continuity and disaster recovery plans that meet the minimum
requirements set forth in the rule and create a uniform, mandatory
framework under the Commission's oversight. The proposed amendment
would ensure that these plans specifically address the unavailability
of any third-party provider that provides functionality, support, or
service to the SBSDR's SCI systems, without which there would be a
material impact on any of its critical SCI systems.
---------------------------------------------------------------------------
\734\ See sections III.A.2.a.ii, III.A.2.b.ii, III.A.2.c.i.,
V.B.1.a.ii, V.B.1.b.ii, and V.B.1.c.ii.
\735\ SDRs deemed critical by the CFTC require geographically
diverse backup facilities and staff.
---------------------------------------------------------------------------
SCI broker-dealers are likewise required to create and maintain a
written business continuity plan under FINRA Rule 4370.\736\ Currently
required business continuity public disclosure statements \737\
generally indicate that some backup systems are geographically diverse,
but limited information is disclosed with respect to a specific
timeline for resumption of service in the event of a disruption.
Similarly, these required business continuity public disclosure
statements generally do not provide information on specific BC/DR plans
to address the unavailability of any third-party provider, as would be
required under the proposed amendment. Applying the requirements of
Rule 100(a)(2)(v) to broker-dealers may reduce the frequency and
duration of trading interruptions, which would promote pricing
efficiency, price discovery, and liquidity flows in markets. Further,
the proposed amendment to Rule 1001(a)(2)(v) would help ensure broker-
dealers have business continuity and disaster recovery plans in place
to address the unavailability of any third-party provider that provides
functionality, support, or service to the SCI systems.
---------------------------------------------------------------------------
\736\ See section V.B.1.b.ii.
\737\ While broker-dealers are required to provide a brief
summary disclosure statement regarding their BCPs to customers, they
do not disclose the actual BCP. Based on a review of 2021 and 2022
BCP disclosure statements, firms often do not provide any detail on
operational capacity to meet demand surges or any specific
timeframes for resumption of service.
---------------------------------------------------------------------------
Finally, as discussed above, the exempt clearing agencies are
currently required to maintain a business continuity policy and
disaster recovery plan that ensures two hour resumption of critical
operations and geographically diverse backup systems and monitor and
test it at least annually.\738\ The exempt clearing agencies are also
required to address the unavailability of any critical third-party
provider.\739\ Application of Rule 1000(a)(2)(v), including the
proposed amendment, would help ensure exempt clearing agencies have
business continuity and disaster recovery plans in place to address the
unavailability of any third-
[[Page 23247]]
party provider that provides functionality, support, or service to the
SCI systems and thus would likely incrementally reduce the frequency
and duration of trading interruptions and promote pricing efficiency,
price discovery, and liquidity flows in markets.
---------------------------------------------------------------------------
\738\ See sec. V.b.1.e.ii.
\739\ Id.
---------------------------------------------------------------------------
(ii) Systems Classification and Lifecycle Management (Proposed Rule
1001(a)(2)(viii))
Proposed Rule 1001(a)(2)(viii) provides that an SCI entity's
policies and procedures must provide for the maintenance of a written
inventory and classification of all SCI systems, critical SCI systems,
and indirect SCI systems as such, and a program with respect to the
lifecycle management of such systems, including the acquisition,
integration, support, refresh, and disposal of such systems, as
applicable. This is a new provision and applies to both current SCI
entities and new SCI entities.
A foundational and essential step for an SCI entity to be able to
meet its obligations under Regulation SCI is to be able to clearly
identify the different types of its systems that are subject to
differing obligations under Regulation SCI. Reasonably designed systems
classification and lifecycle management policies and procedures, which
include vulnerability and patch management, reduce the risk of SCI
system defects and operational issues. The systems classification
requirement would promote more efficient and timely compliance with the
remaining provisions of Regulation SCI. The lifecycle management
requirement would also ensure that sensitive information (including
software configuration info, middleware, etc.) is not inadvertently
revealed, potentially compromising the security of an SCI entity's data
and network--and would further enhance the systems' integrity,
resiliency, and security. The Commission understands that one of the
first steps many current SCI entities would take to comply with
Regulation SCI is to develop a classification of their systems in
accordance with the definitions of each type of system in SCI, but not
all SCI entities maintain such a list. Accordingly, the extent of the
benefits described above will depend on whether existing entities have
taken such steps and how closely they align with the proposed
requirements.
With respect to new SCI entities, broker-dealers are required to
maintain policies and procedures per Regulation S-P and S-ID, as
discussed above.\740\ In two Commission exam sweeps, the Commission
staff observed that most broker-dealers already inventory, catalog, and
classify the risks of their systems and had a process in place for
ensuring regular system maintenance, including the installation of
software patches to address security vulnerabilities.\741\ Furthermore,
identification of mission critical systems is required by FINRA rule
4370. Accordingly, there would be an incremental benefit (and cost)
from applying this particular provision of Regulation SCI to the
broker-dealers. Additionally, the practice of inventorying and
classifying systems might also encourage the firm to invest in
supplemental security measures to reduce the number of indirect SCI
systems, which would result in an incremental and upfront or short-term
cost.
---------------------------------------------------------------------------
\740\ See sec. V.B.1.b.ii.
\741\ Id.
---------------------------------------------------------------------------
As discussed in section V.B.1.c.ii, exempt clearing agencies are
required by CSDR to prepare a list with all the processes and
activities that contribute to the delivery of the services they
provide; and identify and create an inventory of all the components of
their IT systems that support the processes and activities. This likely
would represent an incremental benefit (and cost). Additionally, the
practice of inventorying and classifying systems might also encourage
the firm to invest in supplemental security measures to reduce the
number of indirect SCI systems to reduce the long-time compliance
burden which would result in an incremental and upfront or short-term
cost.
(iii) Third-Party Provider Management (Proposed Rule 1001(a)(2)(ix))
Proposed Rule 1001(a)(2)(ix) concerns policies and procedures for
effective third-party provider management and would newly apply to both
existing and new SCI entities. As discussed above, financial
institutions have been increasingly outsourcing parts of their
services.\742\ When a market participant chooses to outsource a
particular component of its operation to a third-party vendor, the
vendor may offer components of services (of certain quality) at a
cheaper rate than the market participant can supply on its own or where
the market participant may lack the expertise or ability to provide
them. If this is done properly and with full information, it can result
in an efficient outcome without compromising the service quality below
what is required under Regulation SCI.
---------------------------------------------------------------------------
\742\ See supra sec. V.B.4. and note 687.
---------------------------------------------------------------------------
But in some cases, if there is information asymmetry--especially
with respect to service quality--market dynamics among SCI entities
result on the provision of sub-optimal services. This may be the case
for a number of reasons, including imperfect communication between the
SCI entity and its third-party provider. First, a third-party provider
providing its service to an SCI entity may lack the knowledge of the
level of resiliency and capacity the SCI entity must maintain. Second,
an SCI entity may lack the knowledge of the robustness of the third-
party provider's operation. Third, the market for these services may
not be competitive, and an SCI entity looking to outsource these
services may not have other comparable choices. Failure to ensure that
policies and procedures are adequate to reduce these risks may result
in unidentified security weaknesses, the inability to analyze potential
security events, and delayed business continuity and disaster recovery.
Proposed Rule 1001(a)(2)(ix) would require each SCI entity to have
a program to manage and oversee third-party providers that provide
functionality, support or service, directly or indirectly, for its SCI
systems and, for purposes of security standards, its indirect SCI
systems. Each SCI entity would be required to undertake a risk-based
assessment of each third-party provider's criticality to the SCI
entity, including analyses of third-party provider concentration, of
key dependencies if the third-party provider's functionality, support,
or service were to become unavailable or materially impaired, and of
any potential security, including cybersecurity, risks posed. The
Commission believes that specifically requiring each SCI entity to
undertake a risk-based assessment of each of its third-party providers'
criticality to the SCI entity will help it more fully understand the
risks and vulnerabilities of utilizing each third-party provider, and
provide the opportunity for the SCI entity to better prepare in advance
for contingencies should the provider's functionality, support, or
service become unavailable or materially impaired.
Again, the extent of these benefits may depend on whether an SCI
entities' existing practices, and applicable regulations, are
consistent with the requirements of proposed Rule 1001(a)(2)(ix). As
noted above, SBSDRS that are dually registered as SDRs with the CFTC
are also subject to the CFTC
[[Page 23248]]
System Safeguards rule, which requires a SDR to undertake program of
risk analysis and oversight of outsourcing and vendor management
affecting its operations and automated systems.\743\ A dual-registered
entity's outsourced systems for processing SDR data might also be SCI
systems if such systems also process SBSDR data. Accordingly, an SDR's
adherence to the System Safeguard Rule's provision for vendor
management and outsourcing is reasonably likely to reduce the benefit
(and the cost, as discussed below) of complying with proposed Rule
1001(a)(2)(ix).
---------------------------------------------------------------------------
\743\ 17 CFR 49.24(b)(6).
---------------------------------------------------------------------------
Similarly, as discussed above, broker-dealers are already subject
to general vendor management obligations in accordance with FINRA Rule
3110 and obligations under Regulation S-P \744\ and thus some of their
current practices may be consistent with some of the requirements of
Rule 1001(a)(ix). However, those rules are different in scope and
purpose than the proposed amendment to Regulation SCI.\745\ For
example, while FINRA rules already require initial and ongoing due
diligence, third-party provider contract review and ongoing third-party
risk assessment, proposed Rule 1001(a)(2)(ix) also requires an
additional risk-based assessment of each third-party provider's
criticality to the SCI entity. Accordingly, proposed Rule
1001(a)(2)(ix) may restrict usage of particular third-party providers,
if and when they are unwilling or unable to comply with Regulation
SCI's third-party provider requirements.
---------------------------------------------------------------------------
\744\ See supra sec. V.B.1.b.ii.
\745\ See sec. III.A.2.b.ii. and III.D.
---------------------------------------------------------------------------
Finally, as discussed in V.B.1.c.ii, the two exempt clearing
agencies are required by CSDR to have arrangements for the selection
and substitution of IT third-party service providers and proper
controls and monitoring tools which seems within the scope of proposed
Rule 1001(a)(2)(ix) initial and ongoing due diligence provisions. The
exempt clearing agencies are also required to identify critical
utilities providers and critical service providers that may pose risks
to tier operations due to dependency on them which seems within the
scope of ongoing third-party risk assessment. In light of the existing
requirements for exempt clearing agencies discussed in the baseline,
any benefits (and associated costs, as discussed below) from the
proposed amendment are likely to be relatively small with respect to
critical service providers. However, the benefit would likely be larger
with respect to non-critical service providers where the requirements
are less specific.
(iv) Security (Proposed Rule 1001(a)(2)(x))
Since the adoption of Regulation SCI in 2014, the financial system
has become more digitized and consequently cybersecurity has become a
significant concern for financial firms, investors, and regulatory
authorities.\746\ In addition, the COVID-19 pandemic and accelerated
move to working from home increased the demand for digital services and
reliance of SCI entities on third-party providers including CSPs.
Moving the majority of activities to the online or digitized
environment has increased the risk of cybersecurity events.\747\
According to the Bank for International Settlements, the financial
sector had the second-largest share of COVID-19-related cybersecurity
events between March and June 2020.\748\ The Commission is proposing a
new paragraph (a)(2)(x) of Rule 1001 that would require policies and
procedures of SCI entities include a program to prevent the
unauthorized access to SCI systems and, for purposes of security
standards, indirect SCI systems and information residing therein. This
would be a new provision and would apply to both current SCI entities
and new SCI entities.
---------------------------------------------------------------------------
\746\ See supra sec. III.C.3.
\747\ I[ntilde]aki Aldasoro et al., COVID-19 and Cyber Risk in
the Financial Sector, BIS Bull. No. 37 (Jan. 14, 2021), available at
https://www.bis.org/publ/bisbull37.pdf.
\748\ Id. The health sector is ranked first in term of the
cyberattacks.
---------------------------------------------------------------------------
The Commission anticipates that the primary benefit of the proposed
rule would be to ensure that all SCI entities, including the new SCI
entities, have policies and procedures to enhance their preparedness
against cybersecurity threats. The proposed requirements to develop
policies and procedures that are specifically designed to prevent the
unauthorized access to SCI systems and information residing therein,
would better protect SCI entities against cybersecurity threats. Such
policies and procedures can strengthen the security surrounding their
information systems and the data contained within, aiding in the
prevention of unauthorized access; minimizing the damage from
cybersecurity events; and improving incident recovery time.
Another significant benefit is that any such unauthorized access
should be reported to the Commission. Thus, this rule, together with
the Commission notification requirement in Rule 1002(b), as amended,
will help the Commission better understand which entities are most
affected by cybersecurity events, what the current trends may be, and
provide the Commission with information that may aid in subsequent
guidance or rulemaking to further strengthen the affected entities from
future cybersecurity events and disruptions to their business
operations. Indeed, as we stated in section B.2.a, it is the
Commission's understanding that current SCI entities have been
reporting de minimis system intrusions on a quarterly basis, rather
than immediately, as permitted under the current requirements of
Regulation SCI. Current SCI entities are not required to report
attempted intrusions.
The extent of these benefits will depend on how consistent the
existing policies and procedures of both current and new SCI entities
are with the requirements of proposed Rule 1001(a)(2)(x). The
Commission believes that many existing SCI entities already have most
or all of such policies and procedures in place as part of their
security protocols; thus the benefits (and the associated costs) of
applying the proposed Rule 1001(a)(2)(x) may be reduced.
Among new SCI entities, both registered SBSDRs have stated they
have policies and procedures addressing access management.\749\ To the
extent that SBSDRs already have access management policies and
procedures that are aligned with the requirements of proposed Rule
1001(a)(2)(x), the proposed rule would offer limited benefits. Further,
as discussed in section V.B.1.b.ii, broker-dealers are required to
maintain policies and procedures addressing security issues per
Regulation S-P and S-ID, although those regulations and the required
policies and procedures are different in scope and purpose. The extent
of the benefits of proposed Rule 1001(a)(2)(x) would thus depend on how
consistent the broker-dealer's current policies and procedures are with
the requirements of the proposed Rule.
---------------------------------------------------------------------------
\749\ 17 CFR 49.24(b)(2). See Security-Based Swap Data
Repositories; ICE Trade Vault, LLC; Notice of Filing of Application
for Registration as a Security-Based Swap Data Repository, available
at https://www.sec.gov/rules/other/2021/34-91331.pdf; Security-Based
Swap Data Repositories; DTCC Data Repository (U.S.), LLC; Notice of
Filing of Application for Registration as a Security-Based Swap Data
Repository, available at https://www.sec.gov/rules/other/2021/34-91071.pdf.
---------------------------------------------------------------------------
As discussed in section V.B.1.c.ii, the two exempt clearing
agencies are required to maintain information security frameworks
describing mechanisms to detect and prevent cyber-attacks and a plan in
response to cyber-attacks. The information security
[[Page 23249]]
framework includes among other requirements access controls to the
system and adequate safeguards against intrusions and data misuse.
Therefore, proposed Rule 1001(a)(2)(x) may offer only limited
incremental benefits.\750\
---------------------------------------------------------------------------
\750\ See section V.B.1.c.ii.
---------------------------------------------------------------------------
(v) Current SCI Industry Standards (Proposed Rule 1001(a)(2)(xi)) and
Safe Harbor for Policies and Procedures Consistent With SCI Industry
Standards (Rule 1001(a)(4))
Proposed Rule 1001(a)(2)(xi) would provide that an SCI entity's
policies and procedures must include an identification of the current
SCI industry standard(s) with which each such policy and procedure is
consistent, if any. This requirement would be applicable if the SCI
entity is taking advantage of the safe harbor provision, Rule
1001(a)(4). We are also proposing to amend the text of Rule 1001(a)(4),
which deems an SCI entity's policies and procedures under Rule 1001(a)
to be reasonably designed if they are consistent with current SCI
industry standards, to make clear that its reference to and definition
of ``current SCI industry standards'' provides a safe harbor for SCI
entities with respect to their Rule 1001(a) policies and procedures.
Proposed Rule 1001(a)(2)(xi) and the amendment to Rule 1001(a)(4) would
apply to both current SCI entities and new SCI entities.
Rule 1001(a)(4) specifically states that compliance with current
SCI industry standards is not the exclusive means to comply with the
requirements of Rule 1001(a). Therefore, Rule 1001(a)(4) provides
flexibility to allow each SCI entity to determine how to best meet the
requirements in Rule 1001(a), taking into account, for example, its
nature, size, technology, business model, and other aspects of its
business. SCI entities can choose the technology standards that best
fit with their business, promoting efficiency. The ability of SCI
entities to rely on widely recognized technology standards, if they
choose to do so, will provide guidance to SCI entities on policies and
procedures that would meet the articulated standard of being
``reasonably designed to ensure that their systems have levels of
capacity, integrity, resiliency, availability, and security, adequate
to maintain their operational capability and promote the maintenance of
fair and orderly markets.''
In addition, the flexibility of this requirement leaves room for
industry-wide innovation, while encouraging each SCI entity to conform
to an industry standard that is most appropriate for itself given the
entity's scope of operation and particular characteristics. These
standards currently in place may require protocols that go beyond the
level that would have been chosen by an entity that is driven by
profit-maximizing or cost-saving motives. Furthermore, as industry
standards continue to evolve, Regulation SCI helps to ensure that SCI
entities are motivated to adhere to the changing standards that reflect
the changes in market conditions and technology. The Commission
understands that many existing SCI entities rely on industry standards,
typically by adhering to a specific industry standard or combination of
industry standards for a particular technology area or by using
industry standards as guidance in designing policies and procedures.
Thus, overall benefits and costs to existing SCI entities will be
incremental, and the benefits and costs are likely to be greater for
entities that do not already rely on industry standards and lesser for
entities that already adhere closely to industry standards.
Among new entities, both SBSDR entities are also registered with
the CFTC as SDRs, and as such are subject to the CFTC's System
Safeguard rule in their capacity as SDRs. The System Safeguard rule
requires SDRs to follow generally accepted standards and best practices
with respect to the development, operation, reliability, security, and
capacity of automated systems.\751\ While not required, it is likely
that dual-registered SDRs/SBSDRs are following these requirements for
SBSDRs given the CFTC requirements for SDRs. Therefore, it is likely
that SBSDRs already have policies and procedures consistent with
existing industry standards.
---------------------------------------------------------------------------
\751\ See 17 CFR 49.24.
---------------------------------------------------------------------------
As discussed above, broker-dealers are required to have certain
policies and procedures pursuant to Regulation S-P and S-ID.\752\ The
2015 FINRA report on cybersecurity practices observed that broker-
dealers reported relying on industry standards with respect to
cybersecurity requirements, typically by adhering to a specific
industry standard or combination of industry standards or by using
industry standards as a reference point for designing policies and
procedures.\753\ To the extent that any broker-dealers do not rely on
industry standards or only selectively, applying Rule 1001(a)(4) and
proposed Rule 1001(a)(2)(xi) will likely increase broker-dealer
adherence to industry standards and improve overall compliance with
Rule 1001.
---------------------------------------------------------------------------
\752\ See sec. V.B.1.b.ii.
\753\ See section V.B.1.b.ii.
---------------------------------------------------------------------------
As discussed in section V.B.1.c.ii, the two exempt clearing
agencies are required by CSDR to rely on internationally recognized
technical standards and industry best practices with respect to its IT
systems. As such, it is likely that they already have policies and
procedures that are consistent with one or more industry standards. The
proposed amendment may have some incremental benefit and improve
overall compliance with Rule 1001.
ii. Costs
The policies and procedures requirements of Regulation SCI would
impose certain compliance costs on new SCI entities, which are expected
to change at least some of their current practices to comply. In
addition, the proposed amendments to certain provisions in Rule 1001
would impose additional costs on new and existing SCI entities. We
discuss these costs below.
(1) Compliance Costs for New SCI Entities
Some of the new SCI entities are already subject to existing
regulatory requirements that are similar to the requirements in Rule
1001, including the proposed amendments. To the extent these entities
already have policies and procedures that are consistent with the Rule
1001 requirements, they could incur lower costs to comply with the
requirements of Rule 1001 than entities without such existing policies
and procedures. Similarly, the compliance costs associated with Rule
1001 may vary across SCI entities depending on the degree to which
their current voluntary practices are already consistent with the
requirements of Rule 1001.The compliance costs of Rule 1001 may further
depend on the complexity of SCI entities' systems (e.g., the compliance
costs will be higher for SCI entities with more complex systems). They
may also depend, to a large extent, on the scale as well as the
relative criticality of a given SCI entity's systems. We discuss below
the costs for new SCI entities to comply with Rule 1001, including the
proposed amendments; this includes PRA costs as well as additional
compliance costs.
First, with respect to PRA costs, the Commission estimates total
initial costs of approximately $13.4 million and annual costs of
approximately $3.5
[[Page 23250]]
million for all new SCI entities.\754\ In addition to the compliance
costs estimated as part of the PRA analysis, the Commission
acknowledges there may, in some cases, be other compliance costs. In
the SCI Adopting Release, the Commission formed estimates of non-PRA
compliance costs for complying with Rule 1001(a) and (b),\755\ which
are instructive for determining such costs now for the new SCI
entities. The Commission believed then, and continues to do so now,
that the costs of complying with Rule 1001(c) are fully captured in the
PRA cost estimates. The Commission's estimates then were based on
extensive discussions with industry participants as well as information
contained in the comment letters submitted during the rulemaking
process. After carefully considering all comments, the Commission
concluded that to comply with all requirements underlying the policies
and procedures required by Rule 1001(a) and (b), other than paperwork
burdens, on average, each SCI entity will incur an initial cost of
between approximately $320,000 and $2.4 million and an ongoing annual
cost of between approximately $213,600 and $1.6 million.\756\ Adjusted
for inflation since 2014, the initial cost would be between
approximately $407,000 and $3.1 million, and the ongoing annual cost
would be between approximately $272,000 and $2.0 million.\757\
---------------------------------------------------------------------------
\754\ See section IV.D.7. These are the estimated costs to
comply with Rule 1001(a) through (c). For purposes of this Economic
Analysis, there are two fewer entities than under the PRA analysis,
lowering these estimated costs. See supra note 700.
\755\ According to the 2014 adopting release, these non-PRA
compliance costs include, for example, establishing current and
future capacity planning estimates, capacity stress testing,
reviewing and keeping current systems development and testing
methodology, regular reviews and testing to detect vulnerabilities,
testing of all SCI systems and changes to SCI systems prior to
implementation, implementing a system of internal controls,
implementing a plan for assessments of the functionality of SCI
systems, implementing a plan of coordination and communication
between regulatory and other personnel of the SCI entity, including
by responsible SCI personnel, designed to detect and prevent systems
compliance issues, and hiring additional staff. See SCI Adopting
Release, supra note 1, at 72416 n. 1939.
\756\ Id.
\757\ SEC inflation calculations are based on annual GDP price
index data from Table 1.1.4. in the National Income and Product
Accounts from the Bureau of Economic Analysis, and on inflation
projections from The Budget and Economic Outlook: 2023 to 2033,
published by the Congressional Budget Office in February 2023.
---------------------------------------------------------------------------
In the 2014 adopting release, the Commission acknowledged that its
cost estimates reflect a high degree of uncertainty because the
compliance costs may depend on the complexity of SCI entities' systems
(e.g., the compliance costs will be higher for SCI entities with more
complex systems). The initial compliance costs associated with Rule
1001 could also vary across SCI entities depending on the degree of
that their current practices are already consistent with the
requirements of Rule 1001.\758\ The Commission explained the difficulty
of gauging the degree to which an SCI entity was already taking
measures consistent with Regulation SCI, which would affect the
compliance costs with respect to Rule 1001. These considerations
continue to apply to the Commission's estimate of any non-PRA costs for
new SCI entities, which span multiple markets and vary a great deal in
terms of the services they provide and the operations they perform.
These new SCI entities face different baselines depending on the
applicable regulatory requirements that they are subject to and the
market practices each SCI entity has been following.
---------------------------------------------------------------------------
\758\ These estimates in the SCI Adopting Release were in turn
based on the preliminary estimates included in the SCI Proposing
Release, supra note 14, at 18171. However, one important assumption
the SCI Proposing Release made was to assume that certain SCI
entities ``already [had or had] begun implementation of business
continuity and disaster recovery plans that include maintaining
backup and recovery capabilities sufficiently resilient and
geographically diverse to ensure next business day resumption of
trading and two-hour resumption of clearance and settlement services
following a wide-scale disruption.'' Id. at note 633. In the SCI
Adopting Release, however, in order to accommodate the cost
considerations of those SCI entities that did not already have
geographically diverse backup facilities, the Commission estimated
the average cost to be approximately $1.5 million annually for such
SCI entities. See SCI Adopting Release, supra note 1, at 72420. In
the section discussing Rule 1001(a)(2)(v) below, the Commission
estimates the comparable estimate to be between $1.5 million and
$1.8 million. This additional estimate range only applies to SCI
entities that do not already have geographically diverse backup
facilities and would be in addition to the non-paperwork burden
estimates discussed in the current section.
---------------------------------------------------------------------------
Given these considerations, the Commission believes that the
estimates from 2014 are still appropriate estimates for the non-PRA
costs associated with Rule 1001(a) and (b) of Regulation SCI without
the proposed amendments for the new SCI entities. There are reasons to
believe that these ranges should be increased for inflation \759\ and
technological changes since 2014, such as greater interconnectivity,
that have expanded the scope for testing, leading to greater costs.
However, there are also reasons to believe that as of 2023 these ranges
may have come down.
---------------------------------------------------------------------------
\759\ For example, GDP Price Index data from the Bureau of
Economic Analysis (BEA) and projections from the Congressional
Budget Office show that, economy-wide, prices increased by about 27%
from 2014 to 2023.
---------------------------------------------------------------------------
First, some components of costs may be lower in 2023 because of
technological improvements since 2014.\760\ Second, the experience of
the current 47 SCI entities complying with Regulation SCI since 2014
has likely generated a useful industry knowledge base for new SCI
entities, including common practices, industry standards, and cost-
saving measures. From this perspective, the cost of learning would be
lower, including the start-up cost. Third, the Commission understands
that many financial institutions that are not subject to Regulation SCI
have voluntarily begun to conform to one or more industry standards and
adopted written policies and procedures related to ensuring capacity,
integrity, resiliency, availability, and security of their systems.
Indeed, the Commission understands--based on the Commission's
discussions with industry participants--that the changes in the
market--including greater automation and interconnectivity and an
overall need to expand the scope of testing--have already incentivized
many SCI entities to improve their internal protocols and to increase
their technology expenditures. For example, the growing risk of
cybersecurity events has already led many corporate executives to
significantly increase their cybersecurity budgets.\761\ From this
perspective, although the overall security and IT spending may have
increased manifold for SCI entities over the years, the Commission
estimates that the magnitude of compliance costs owing to the adoption
of Regulation SCI
[[Page 23251]]
for new SCI entities, over and above their current expenses, may not
necessarily have increased significantly as a result since 2014.
---------------------------------------------------------------------------
\760\ See Matt Rosoff, Why is Tech Getting Cheaper?, weforum.org
(Oct. 16, 2015), available at https://www.weforum.org/agenda/2015/10/why-is-tech-getting-cheaper/. For example, price has been
dropping for cloud computing services over the last years. See Jean
Atelsek, et al., Major Cloud Providers and Customers Face Cost and
Pricing Headwinds, spglobal.com (May 10, 2022), available at https://www.spglobal.com/marketintelligence/en/news-insights/research/major-cloud-providers-and-customers-face-cost-and-pricing-headwinds;
see also David Friend, The Coming Era of Simple, Fast, Incredibly
Cheap Cloud Storage, Cloudtweaks.com (Nov. 15, 2022, 9:12 a.m.),
available at https://cloudtweaks.com/2018/02/fast-incredibly-cheap-cloud-storage/ (describing the significant price drop for cloud
storage as of 2018, and explaining that ``the prices for cloud
storage are heading in the same direction.''). These trends may be
reversing. See Jean Atelsek, et al., (``Rising energy costs and
supply chain woes threaten to push up costs for the cloud
hyperscalers in building and operating their data centers;
therefore, cloud infrastructure prices are poised to increase.'');
Frederic Lardinois, Google Cloud Gets More Expensive, TechCrunch+
(Mar. 14, 2022, 11:54 p.m.), available at https://techcrunch.com/2022/03/14/inflation-is-real-google-cloud-raises-its-storage-prices/
.
\761\ For example, according to one source, as of 2020, ``55% of
enterprise executives [were planning] to increase their
cybersecurity budgets in 2021 and 51% are adding full-time cyber
staff in 2021.'' Louis Columbus, The Best Cybersecurity Predictions
for 2021 Roundup, Forbes.com (Dec. 15, 2020), available at https://www.forbes.com/sites/louiscolumbus/2020/12/15/the-best-cybersecurity-predictions-for-2021-roundup/?sh=6d6db8b65e8c.
---------------------------------------------------------------------------
Taking these varied considerations into account, the Commission
estimates that, adjusted for inflation since 2014, the 2014 figures
remain reasonable ranges for non-PRA costs associated with Rule 1001(a)
and (b) in 2023, without accounting for the proposed amendments in Rule
1001(a). In other words, the Commission estimates that a new SCI entity
in 2023 will incur an initial non-PRA cost of between approximately
$407,000 and $3.1 million and an ongoing annual non-PRA cost of between
approximately $272,000 and $2.0 million to comply with the original
provisions of Regulation SCI from 2014.
To account for the proposed amendments, the Commission
preliminarily estimates that, based on staff experience with current
SCI entities' compliance practices, the non-PRA cost of complying with
the amended provisions could be up to approximately 20% of the
estimated non-PRA cost for complying with the original (i.e.,
unamended) Rule 1001(a). Accordingly, the Commission estimates that a
new SCI entity would incur an additional initial cost of between
approximately $81,000 and $611,000 and an additional ongoing annual
cost of between approximately $54,000 and $407,000 to comply with the
amended provisions of Rule 1001(a).\762\ Combined with the non-PRA
costs estimates above for complying with the rest of Rule 1001(a) and
(b), a new SCI entity will incur an additional initial non-PRA cost of
between approximately $489,000 and $3.7 million \763\ and an additional
ongoing annual non-PRA cost of between approximately $326,000 and $2.4
million, plus the PRA costs estimated above.\764\ The Commission
estimates that, in the aggregate, all new SCI entities will incur a
total initial non-PRA cost of between approximately $10.3 million and
$77.0 million to comply with the policies and procedures required by
Rule 1001(a) and (b).\765\ In addition, the Commission estimates that,
in the aggregate, new SCI entities will incur total annual ongoing non-
PRA cost of between approximately $6.9 million and $51.3 million.\766\
Depending on the price-sensitivity of their customers and the
availability of alternative providers, new SCI entities may pass on
some of these costs to their customers.\767\
---------------------------------------------------------------------------
\762\ These figures are 20% of the range from the Regulation SCI
Adopting Release, adjusted for inflation from 2014 to 2023.
\763\ These figures are 120% of the range from the Adopting
Release of Regulation SCI, adjusted for inflation since 2014.
\764\ These figures are approximately 120% of the range from the
Adopting Release of Regulation SCI, adjusted for inflation since
2014.
\765\ The Commission currently estimates there are 23 new SCI
entities, two of which are excluded from the economic analysis as
explained above. The range of $10.3 million and $77.0 million
represents 21 times the per-entity initial cost range from the
Regulation SCI Adopting Release, adjusted for inflation since 2014.
\766\ The range of $6.9 million and $51.3 million represents 21
times the per-entity ongoing annual cost range from the Regulation
SCI Adopting Release, adjusted for inflation since 2014.
\767\ See, e.g., Jonathan Baker, Orley Ashenfelter, David
Ashmore & Signe-Mary McKernan, Identifying the Firm-Specific Cost
Pass-Through Rate, Federal Trade Commission. Bureau of Economics 1
(1998), available at https://www.ftc.gov/sites/default/files/documents/reports/identifying-firm-specific-cost-pass-through-rate/wp217.pdf.
---------------------------------------------------------------------------
In addition, with respect to the periodic reviews required by Rule
1001(a)(3), (b)(3), and (c)(2), there may be additional indirect costs
if an SCI entity takes prompt or unplanned remedial action following
the discovery of deficiencies in its policies and procedures.
Specifically, the new SCI entities may need to delay or shift their
resources away from profitable projects and reallocate their resources
towards taking prompt or unplanned remedial actions required by the
rules. It is nevertheless difficult to assess such indirect costs
imposed on SCI entities because the Commission lacks information
necessary to provide a reasonable estimate and such indirect costs will
be circumstance-specific.
(2) Compliance Costs for Existing SCI Entities
Existing SCI entities should incur new costs only to comply with
the proposed amendments to Rule 1001(a). With respect to PRA costs, the
Commission estimates total initial costs of approximately $8.2 million
and annual costs of approximately $1.1 million for all current SCI
entities.\768\ For non-PRA costs associated with these amendments, the
Commission estimates that the non-PRA cost of complying with the
amended provisions could be up to approximately 20% of the estimated
non-PRA cost for complying with the original (i.e., unamended) Rule
1001(a), as explained above. Accordingly, the Commission estimates that
an existing SCI entity would incur an additional initial non-PRA cost
of between approximately $81,000 and $611,000 and an additional ongoing
annual non-PRA cost of between approximately $54,000 and $407,000 to
comply with the amended provisions of Rule 1001(a).\769\ The Commission
in turn estimates that, in the aggregate, current SCI entities will
incur a total initial non-PRA cost of between approximately $3.8
million and $28.7 million to comply with the policies and procedures
required by Rule 1001(a) and (b).\770\ In addition, the Commission
estimates that, in the aggregate, current SCI entities will incur total
annual ongoing non-PRA cost of between approximately $2.6 million and
$19.1 million.\771\
---------------------------------------------------------------------------
\768\ See section IV.D.7. These include costs for existing
entities to comply only with Rule 1001(a), and for new entities to
comply with Rule 1001(a) through (c).
\769\ These figures are 20% of the range from the Regulation SCI
Adopting Release, adjusted for inflation since 2014.
\770\ The Commission currently estimates there are 47 current
SCI entities. The range of $3.8 million and $28.7 million represents
47 times the per-entity cost range from the SCI Adopting Release,
adjusted for inflation since 2014.
\771\ The range of $2.6 million and $19.1 million represents 47
times the per-entity cost range from the SCI Adopting Release,
adjusted for inflation since 2014.
---------------------------------------------------------------------------
(3) Other Costs for All SCI Entities and Other Affected Parties
Proposed Rule 1001(a)(2)(ix) could raise costs of third-party
service providers insofar as they may have to renegotiate contracts and
change the terms of their services to accommodate the requirements of
SCI entities. SCI entities could also incur costs in enforcing their
third-party provider management program. In particular, to the extent
that accommodating the terms and conditions that would be demanded by
SCI entities under proposed Rule 1001(a)(2)(ix) would be costly to
third-party service providers, SCI entities could face higher prices
from third-party providers, though any change in prices would also
depend upon market conditions (such as the level of competition amongst
third-party service providers for the type of services sought after by
the SCI entity, the relative bargaining power of the SCI entity in
negotiations with third-party service providers, new entry into the
market for third-party services, and willingness of service providers
to absorb costs or pass costs to other customers).
Request for Comment
106. For current SCI entities, do you agree that the Commission's
specified ranges reasonably capture the non-paperwork burden costs
owing to Rule 1001(a) and (b) that you have incurred above and beyond
amounts you were already spending to ensure your SCI systems' capacity,
integrity, resiliency, availability, and security under the existing
requirements of Regulation SCI?
[[Page 23252]]
107. For new SCI entities, do you agree that the Commission's
specified ranges reasonably capture the non-paperwork burden costs
owing to Rule 1001(a) and (b) that you expect to incur above and beyond
the amounts you were already spending to ensure your SCI systems'
capacity, integrity, resiliency, availability, and security under the
existing requirements of Regulation SCI?
108. For current and new SCI entities, do you agree that the
Commission's specified ranges for the non-paperwork cost of complying
with the proposed amendments to Rule 1001(a) and (b), at 20 percent of
the specified ranges for Rule 1001(a) and (b), reasonably capture such
costs that you expect to incur, above and beyond amounts you are
already spending to ensure your SCI systems' capacity, integrity,
resiliency, availability, and security owing to the proposed
amendments?
109. If you are a current SCI entity and currently inventory and
classification of all SCI systems, critical SCI systems, and indirect
SCI systems, how does your activity differ from the requirements of the
rule proposal? What have been the benefits and costs of this activity?
110. If you are a current SCI entity and have a program with
respect to the lifecycle management of SCI systems, does it address the
acquisition, integration, support, refresh, and disposal of such
systems, as applicable? How does your activity differ from the
requirements of the rule proposal? What have been the benefits and
costs of this activity?
111. If you are a current SCI entity and you currently have a
third-party provider management program to ensure that your SCI systems
contractors perform their work in accordance with the requirements of
Regulation SCI, how does your activity differ from the requirements of
the rule proposal? What have been the benefits and costs of this
activity?
112. If you are a current SCI entity and you currently require an
initial and periodic review of contracts with service providers for
consistency with your obligations under Regulation SCI, how does your
activity differ from the requirements of the rule proposal? What have
been the benefits and costs of this activity?
113. If you are a current or proposed SCI entity and you currently
conduct a risk-based assessment of each third-party provider's
criticality, to your operations, how does your activity differ from the
requirements of the rule proposal? What have been the benefits and
costs of this activity?
114. If you are a current SCI entity and your policies and
procedures include a program to prevent the unauthorized access to SCI
systems and information residing therein, how does your activity differ
from the requirements of the rule proposal? What have been the benefits
and costs of this activity?
115. The Commission requests that commenters provide relevant data
and analysis to assist us in determining the economic consequences of
the proposed amendments related to third-party providers' management.
In particular, the Commission requests data and analysis regarding the
costs SCI entities and third-party providers may incur, and benefits
they may receive, from the proposed amendments.
116. Do you agree with the Commission's analysis of the benefits of
the proposed amendments related to third-party providers' management?
Why or why not? Please explain in detail.
117. Do you agree with the Commission's analysis of the costs of
the proposed amendments related to third-party providers' management?
Why or why not? Please explain in detail.
b. Rule 1002--Corrective Action, Commission Notification, and
Information Dissemination
Regulation SCI requires SCI entities to take appropriate corrective
actions in response to SCI events (Rule 1002(a)), notify the Commission
of SCI events (Rule 1002(b)), and disseminate information regarding
certain major SCI events to all members or participants of an SCI
entity and certain other SCI events to affected members or participants
(Rule 1002(c)). Rule 1000, in turn, defines SCI events to include
systems disruptions, systems compliance issues, and systems intrusions.
The Commission is proposing two amendments that affect these
provisions. First, it is proposing to expand the definition of systems
intrusion in Rule 1000. Second, it is proposing to amend Rule
1002(b)(5) to eliminate the exception to the reporting requirement for
de minimis systems intrusions and instead require the reporting of all
systems intrusions, whether de minimis or not, within the time frames
specified in paragraphs (b)(1) through (4).
New SCI entities will need to comply with these requirements of
Rules 1000 and 1002, and their proposed amendments, for the first time.
Existing SCI entities will need to apply the new definition of systems
intrusion in Rule 1000 to the requirements of Rule 1002, including the
amendments to Rule 1002(c). We discuss below the benefits and costs of
these provisions and amendments for new and existing SCI entities.
i. Benefits
(1) Rule 1000--Definition of SCI Events
In general, the definition of SCI event (and its component parts)
in Rule 1000 circumscribe the scope of the substantive requirements in
Rule 1002. Therefore, many of the costs and benefits associated with
the definitions are incorporated in the discussion of the substantive
requirements. The benefits associated with scoping the substantive
requirements for Rule 1002 through the specific definitions of systems
disruption, systems compliance issue, and systems intrusion are
discussed at length in the 2014 SCI Adopting Release \772\ and would
apply to the new SCI entities. We summarize those benefits here and
discuss the benefits for both new and current SCI entities resulting
from expanding the definition of systems intrusion.
---------------------------------------------------------------------------
\772\ See SCI Adopting Release, supra note 1, at 72423-27.
---------------------------------------------------------------------------
Systems Disruption. Rule 1000 of Regulation SCI currently defines a
``systems disruption'' as an event in an SCI entity's SCI systems that
disrupts, or significantly degrades, the normal operation of an SCI
system. This definition would remain unchanged. As the Commission noted
in 2014, the definition sets forth a standard that SCI entities can
apply in a wide variety of circumstances to determine in their
discretion whether a systems issue should be appropriately categorized
as a systems disruption. The inclusion of systems disruptions in the
definition of SCI event, along with the requirements Rule 1002 should
help effectively reduce the severity and duration of events for new SCI
entities that harm pricing efficiency, price discovery, and liquidity
and help Commission oversight of the securities markets.
Systems Compliance Issues. Under Rule 1000, a systems compliance
issue is an event at an SCI entity that has caused any SCI system of
such entity to operate in a manner that does not comply with the Act
and the rules and regulations thereunder or the entity's rules or
governing documents, as applicable. The Commission stated in 2014 that
inclusion of systems compliance issues in the definition of SCI event
and the resulting applicability of the Commission reporting,
information dissemination, and recordkeeping requirements are important
to help ensure that SCI
[[Page 23253]]
systems are operated by SCI entities in compliance with the Exchange
Act, rules thereunder, and their own rules and governing documents.
System Intrusion. Rule 1000 of Regulation SCI currently defines a
``systems intrusion'' as any unauthorized entry into the SCI systems or
indirect SCI systems of an SCI entity. The Commission is proposing to
expand the definition of systems intrusions to include any
cybersecurity attack that disrupts, or significantly degrades, the
normal operation of an SCI system. This revision includes cybersecurity
events that cause disruption on an SCI entity's SCI systems or indirect
SCI systems, whether or not the event resulted in an entry into or
access to such systems. In addition, the proposed revised definition
would include any significant attempted unauthorized entry into the SCI
systems or indirect SCI systems of an SCI entity, as determined by the
SCI entity pursuant to established reasonable written criteria. This
revision is intended to capture unsuccessful, but significant, attempts
to enter an SCI entity's SCI systems or indirect SCI systems. The
definition, including the proposed amendments, will apply to new SCI
entities for the first time while the proposed amendments will apply to
existing SCI entities.
In the SCI Adopting Release, the Commission discussed the benefits
of including a system intrusion in the definition of an SCI event for
which the requirements of Rule 1002 apply. These same benefits extend
to the new SCI entities. Specifically, the Commission stated that
unauthorized access, destruction, and manipulation of SCI systems and
indirect SCI systems could adversely affect the markets and market
participants because intruders could force systems to operate in
unintended ways that could create significant disruptions in securities
markets. Therefore, the inclusion of systems intrusions in the
definition of SCI events can help reduce the risk of such adverse
effects for new SCI entities.
The proposed changes, which would apply to new and current SCI
entities, would update the definition to include additional types of
incidents that are currently considered to be cybersecurity events that
are not included in the current definition. If an incident meets the
definition, it must then comply with the requirements for corrective
action, Commission notice, and information dissemination in Rule 1002.
The proposed changes to the definition would thus ensure that the
Commission and its staff are made aware when an SCI entity is the
subject of a significant cybersecurity threat, including those that may
be ultimately unsuccessful, which would provide important information
regarding threats that may be posed to other entities in the securities
markets, including other SCI entities. Because such cybersecurity
events can cause serious harm and disruption to an SCI entity's
operations, the Commission believes that the definition of systems
intrusion should be broadened to include cybersecurity events that may
not entail actually entering or accessing the SCI entity's SCI systems
or indirect SCI systems, but still cause disruption or significant
degradation, as well as significant attempted unauthorized entries. By
requiring SCI entities to submit SCI filings for these new types of
systems intrusions, the Commission believes that the revised definition
of systems intrusion would also provide the Commission and its staff
more complete information to assess the security status of the SCI
entity, and also assess the impact or potential impact that
unauthorized activity could have on the security of the SCI entity's
affected systems as well on other SCI entities and market participants.
(2) Rule 1002--Corrective Action, Commission Notice, Information
Dissemination
As noted, Rule 1002 prescribes certain required actions for SCI
entities upon any responsible SCI personnel having a reasonable basis
to conclude that an SCI event has occurred. The requirements of Rule
1002(a) and (c) remain substantively unchanged from current Regulation
SCI except additional events are scoped into the Rules for existing SCI
entities through the proposed expanded definition of systems intrusion.
These provisions will therefore primarily affect new SCI entities. We
discuss generally the benefits of the expanded definition above and do
not repeat those here.\773\
---------------------------------------------------------------------------
\773\ The SCI Adopting Release considered the benefits and costs
of the specific definitions for each type of SCI event. See SCI
Adopting Release, supra note 1, at 72404-08. Those costs and
benefits remain the same for new SCI entities to which these
definitions would apply and are not repeated here, except with
respect to the definition of systems intrusions, which the
Commission proposes to amend. To the extent that the primary effect
of these definitions is realized through the requirements in Rule
1002 to take corrective action, notify the Commission, and
disseminate information, we discuss the effects of applying those
requirements on new SCI entities below.
---------------------------------------------------------------------------
Corrective Action (Rule 1002(a)). Rule 1002(a) requires an SCI
entity to begin to take appropriate corrective action upon any
responsible SCI personnel having a reasonable basis to conclude that an
SCI event has occurred. Rule 1002(a) also requires corrective action to
include, at a minimum, mitigating potential harm to investors and
market integrity resulting from the SCI event, and devoting adequate
resources to remedy the SCI event as soon as reasonably practicable.
Thus, it would not be appropriate for an SCI entity to delay the start
of corrective action once its responsible SCI personnel have a
reasonable basis to conclude that an SCI event has occurred, and the
SCI entity would be required to focus on mitigating potential harm to
investors and market integrity resulting from the SCI event and
devoting adequate resources to remedy the SCI event as soon as
reasonably practicable. This provision remains unchanged for existing
SCI entities, except to the extent they must comply with the
requirements for additional events scoped in under the expanded
definition of systems intrusion, as noted above. For both current and
new SCI entities, the benefits of expanding the definition to include
certain types of systems intrusions that are not covered by Regulation
SCI would include a potential reduction in the length or severity of
systems disruptions caused by these types of intrusions and would thus
reduce the negative effects of those interruptions on the SCI entity
and on market participants.
The corrective action requirement of Regulation SCI will likely
reduce the length of systems disruptions, systems compliance issues,
and systems intrusions, and thus reduce the negative effects of those
interruptions on the SCI entity and market participants. Additionally,
to the extent that corrective action could involve wide-scale systems
upgrades, some SCI entities may potentially seek to accelerate capital
expenditures, for example, by updating their systems with newer
technology earlier than they might have otherwise to comply with
Regulation SCI. As such, Rule 1002(a) could further help ensure that
SCI entities invest sufficient resources as soon as reasonably
practicable to address systems issues.
New SCI entities will become subject to Rule 1002(a) for the first
time. The Commission believes that new SCI entities already have a
variety of procedures in place to take corrective actions when system
issues occur. However, Rule 1002(a) may require modifications to those
existing practices in part because the rule specifies the
[[Page 23254]]
timing and enumerates certain goals for corrective action.\774\
---------------------------------------------------------------------------
\774\ See SCI Adopting Release, supra note 1, at 72423.
---------------------------------------------------------------------------
Commission Notification (Rule 1002(b)). Rule 1002(b) requires an
SCI entity to notify the Commission of the SCI event immediately upon
any responsible SCI personnel having a reasonable basis to conclude
that an SCI event has occurred. Within 24 hours of any responsible SCI
personnel having a reasonable basis to conclude that an SCI event has
occurred, an SCI entity is required to submit to the Commission a more
detailed written notification, on a good faith, best efforts basis,
pertaining to the SCI event. Until such time as the SCI event is
resolved and the SCI entity's investigation of the SCI event is closed,
the SCI entity is required to provide updates regularly, or at such
frequency as requested by a representative of the Commission. The SCI
entity is also required to submit a detailed final written notification
after the SCI event is resolved and the SCI entity's investigation of
the event is closed (and an additional interim written notification, if
the SCI event is not resolved or the investigation is not closed within
a specified period of time). Finally, paragraph (b)(5) currently
provides an exception to the reporting requirements of paragraphs
(b)(1) through (4) for de minimis SCI events, and SCI entities are
currently required to submit a summary to the Commission with respect
to systems disruptions and systems intrusions only on a quarterly
basis. The Commission is proposing to amend this provision to require
SCI entities to exclude systems intrusions from this exception so that
SCI entities will need to report systems intrusions, whether de minimis
or not, within the time frames specified in paragraphs (b)(1) through
(4). This would eliminate quarterly reporting for de minimis systems
intrusions. Thus, for current SCI entities, the difference concerns the
time frame for, and manner of, reporting de minimis systems intrusions
while new SCI entities will be subject to the entire Commission
notification regime for the first time.
For the new SCI entities, Rule 1002(b) as a whole would enhance the
effectiveness of Commission oversight of the operation of these
entities. For example, SCI events notification results in greater
transparency for the Commission, including ensuring that the Commission
has a view into problems at particular SCI entities for regulatory
purposes as well as perspective on the effect of a single problem to
the market at-large.\775\ Further, the requirements of submitting
notifications pertaining to the SCI events to the Commission, set forth
by Rule 1002(b), could help prevent systems failures from being
dismissed as momentary issues, because notification would help focus
the SCI entity's attention on the issue and encourage allocation of SCI
entity resources to resolve the issue as soon as reasonably
practicable.
---------------------------------------------------------------------------
\775\ See SCI Adopting Release, supra note 1, at 72424 (citing
letter by David Lauer).
---------------------------------------------------------------------------
Both new and current SCI entities would be subject to the new
reporting requirements under the proposed revisions to Rule 1001(b)(5).
These revisions eliminate the need for entities to determine if an
intrusion (which should be rare and also may be difficult to assess)
meets the de minimis threshold before it notifies the Commission, and
instead would require reporting to the Commission for all systems
intrusions at the time of the event, which will provide more timely
information to the Commission. This may result in more frequent
reporting for systems intrusions while also eliminating quarterly
reporting of systems intrusions, as compared to the baseline.
Information Dissemination (Rule 1002(c)). Rule 1002(c) currently
requires an SCI entity to disseminate information regarding certain
major SCI events to all of its members or participants and certain
other SCI events to affected members or participants. Specifically,
promptly after any responsible SCI personnel having a reasonable basis
to conclude that an SCI event has occurred, an SCI entity is required
to disseminate certain information regarding the SCI event. When
certain additional information becomes known, the SCI entity is
required to promptly disseminate such information to those members or
participants (or, as proposed, in the case of an SCI broker-dealer,
customers) of the SCI entity that any responsible SCI personnel has
reasonably estimated may have been affected by the SCI event. Until the
SCI event is resolved, the SCI entity is required to provide regular
updates on the required information. In the case of a major SCI event,
where the impact is most likely to be felt by many market participants,
dissemination of information to all members, participants, or
customers, as applicable, of the SCI entity is required. A major SCI
event is defined to mean an SCI event that has any impact on a critical
SCI system or a significant impact on the SCI entity's operations or on
market participants.
The information dissemination requirement currently does not apply
to SCI events to the extent that they relate to market regulation or
market surveillance systems and de minimis SCI events. The Commission
is proposing to add to these exceptions for the information
dissemination requirement, a systems intrusion that is a significant
attempted unauthorized entry into the SCI systems or indirect SCI
systems. Accordingly, Rule 1002(c) remains mostly unchanged for
existing SCI entities, except to the extent they must comply with the
requirements for additional events scoped in under the expanded
definition of systems intrusion (the benefits of which are discussed
above) and except for systems intrusions that are significant attempted
unauthorized entries, which are exempted from the information
dissemination requirements. New SCI entities, however, will become
subject to the information dissemination requirements for the first
time.
Rule 1002(c) is expected to help market participants--specifically
the members, participants, or customers, as applicable of new SCI
entities estimated to be affected by an SCI event and, in the case of
major SCI events, all members, participants, or customers of a new SCI
entity--to better evaluate the operations of SCI entities by requiring
certain information about the SCI event to be disclosed. Furthermore,
increased awareness of SCI events through information disseminated to
members, participants, or customers, as applicable, should provide new
SCI entities additional incentives to maintain robust systems and
minimize the occurrence of SCI events. More robust SCI systems and the
reduction in the occurrence of SCI events at new SCI entities could
reduce interruptions in price discovery processes and liquidity flows.
For example, in 2014, a commenter stated that sharing information about
hardware failures, systems intrusions, and software glitches will alert
others in the industry about such problems and help reduce system-wide
costs of diagnosing problems, as well as result in improved responses
to technology problems.\776\
---------------------------------------------------------------------------
\776\ See SCI Adopting Release, supra note 1, at 72426 n. 931
(citing letter from James Angel).
---------------------------------------------------------------------------
With respect to the new exception for significant attempted
unauthorized entries, which impacts new and existing SCI entities, the
Commission is concerned that disseminating information about
unsuccessful attempted entries to members or
[[Page 23255]]
participants of an SCI entity would create unnecessary distractions,
particularly since the SCI entity's security controls were able, in
fact, to repel the cybersecurity event. In addition, disseminating
information regarding unsuccessful intrusions could result in the
threat actors being unnecessarily alerted that they have been detected,
which could make it more difficult to identify the attackers and halt
their efforts on an ongoing, more permanent basis.
The Commission recognizes that many of the new SCI entities are
currently subject to other regulatory requirements to maintain policies
and procedures that address the provisions required by these rules, as
discussed in detail above.\777\ Similarly, some existing SCI entities
engage in current market practices consistent with the expanded
definition of systems intrusion.
---------------------------------------------------------------------------
\777\ See sections III.A.2.a.ii, III.A.2.b.ii, III.A.2.c.i.,
V.B.1.a.ii, V.B.1.b.ii, and V.B.1.c.ii.
---------------------------------------------------------------------------
The benefits from the policy and procedure requirements in Rule
1002(a) through (c) for the new SCI entities (and the costs, as
discussed below), will therefore depend on the extent to which their
current operations already align with the rule's requirements, given
both existing regulation and current practice.
While some of the existing regulations that apply to the proposed
new SCI entities may be consistent with or similar to the policy and
procedure requirements of Regulation SCI discussed in this section, the
Commission believes it is nevertheless appropriate to apply these
policy and procedure requirements to the new SCI entities and that
doing so would benefit participants in the securities markets in which
these entities operate.
Overall, applying the specific and comprehensive requirements set
forth in Rule 1002(a) through (c) of Regulation SCI to the new SCI
entities would enhance and build on any existing policies and
procedures, thereby furthering the goals of Regulation SCI to
strengthen the technology infrastructure of the U.S. securities markets
and improve its resilience.
ii. Costs
We discuss below the costs of complying with the requirements of
Rule 1002, applying the definitions in Rule 1000, including the amended
definition of systems intrusion. Because the definitions themselves
have no associated costs, all of the costs associated with the amended
definition flow through the substantive requirements. New SCI entities
will need to comply with these requirements for the first time whereas
costs for the existing SCI entities are attributed to the expanded
definition of systems intrusion and the amendment to Rule 1002(b)(5).
Relative to the current practice and baseline, the proposed rule
expansion of the definition of the intrusion would likely result in
more frequent reporting by the SCI entities to the Commission, which is
reflected in the costs estimates below.
Corrective Action (Rule 1002(a)). Rule 1002(a) could impose
modestly higher costs for new SCI entities in responding to SCI events
relative to their current practice. In the PRA analysis, the Commission
estimates those costs as approximately $1.2 million in initial and $0.4
million in annual costs.\778\ Furthermore, if Regulation SCI reduces
the frequency and severity of SCI events in the future, the cost of
corrective action could similarly decline over time. Nevertheless, the
Commission lacks data regarding the degree to which Regulation SCI will
reduce the frequency and severity of SCI events at new SCI entities.
---------------------------------------------------------------------------
\778\ See section IV.D.7. For purposes of this Economic
Analysis, there are two fewer entities than under the PRA analysis,
lowering these estimated costs. See supra note 700.
---------------------------------------------------------------------------
In addition, if a new SCI entity is required to take corrective
action sooner than it might have without the requirements of Regulation
SCI, this may impose indirect costs (i.e., opportunity costs) to such
SCI entities because they may have to delay or reallocate their
resources away from profitable projects and direct their resources
toward taking corrective action required by the rule. It is difficult
to assess indirect costs imposed on new SCI entities without having
comprehensive and detailed information on the value of the potential
foregone projects of those SCI entities. The facts and circumstances of
each specific SCI event will be different.
Existing SCI entities may incur new costs associated with
corrective action for additional systems intrusions scoped in under the
expanded definition. The Commission estimates a one-time total cost of
approximately $0.5 million for all existing SCI entities to update
their procedures to account for additional types of systems
intrusions.\779\
---------------------------------------------------------------------------
\779\ See section IV.D.2.b, IV.D.7.
---------------------------------------------------------------------------
To the extent new SCI entities currently undertake correction
action consistent with the Rule 1002(a) requirements, they could incur
lower PRA costs to comply with the requirements of Rule 1002(a) than
entities without such existing requirements. Similarly, to the extent
many existing SCI entities currently undertake corrective action
consistent with the expanded definition of systems intrusion, they
could incur lower PRA costs to comply with the amended requirements of
Rule 1002(a) than entities without such existing requirements.
Notification of SCI Events (Rule 1002(b)). The compliance costs
associated with Rule 1002(b) are attributed to the paperwork burden of
Commission notifications of SCI events, including recordkeeping and
submission of quarterly reports with respect to de minimis SCI events,
as applicable. For new SCI entities, these costs include costs to
comply with the notification requirements, as amended, for the first
time. Existing SCI entities would incur costs complying with the
amendment to Rule 1002(b)(5) as well as the costs associated with
notification for new events scoped in under the expanded definition of
systems intrusions. These are discussed in detail in section IV.
For Rule 1002(b)(1), the Commission estimates approximately $0.1
million in initial and annual costs for existing and new SCI entities
alike.\780\ For Rule 1002(b)(2), the Commission estimates approximately
$1.3 million in initial and annual costs for existing SCI entities and
$1.5 million in initial and annual costs for new SCI entities.\781\ For
Rule 1002(b)(3), the Commission estimates approximately $0.2 million in
initial and annual costs for existing SCI entities and $0.2 million in
initial and annual costs for new SCI entities.\782\ For Rule
1002(b)(4), the Commission estimates approximately $2.0 million in
initial and annual costs for existing SCI entities and $2.3 million in
initial and annual costs for new SCI entities.\783\ Finally, for Rule
1002(b)(5), the Commission estimates a savings for existing SCI
entities, as noted above, and approximately $1.2 million in initial and
annual costs for new SCI entities.\784\
---------------------------------------------------------------------------
\780\ See section IV.D.7; see also supra note 700.
\781\ See id.
\782\ Id.
\783\ Id.
\784\ Id.
---------------------------------------------------------------------------
To the extent new SCI entities currently provide notification
consistent with the Rule 1002(b) requirements, they could incur lower
PRA costs to comply with the requirements of Rule 1002(b) than entities
without such existing practices.
Information Dissemination (Rule 1002(c)). While some new SCI
entities currently provide their members or participants and, in some
cases, market
[[Page 23256]]
participants or the public more generally, with notices of certain
systems issues (e.g., system outages), Rule 1002(c) may impose new
requirements that they have not currently implemented. As such, the
requirements of Rule 1002(c) will impose costs--which are attributed to
paperwork burdens--on new SCI entities with respect to preparing,
drafting, reviewing, and making the information available to members or
participants, or, in the case of an SCI broker-dealer, customers. For
new SCI entities the Commission estimates approximately $1.3 million in
costs, initially and annually, for disseminating information about SCI
events and systems affected, as required by Rule 1002(c)(1).\785\ For
new entities, the Commission also estimates approximately $1.6 million
in initial costs and $0.4 million in annual costs to develop processes
to identify the nature of a critical system, major SCI event, or a de
minimis SCI event for purposes of disseminating this information.\786\
---------------------------------------------------------------------------
\785\ See section IV.D.7. For purposes of this Economic
Analysis, there are two fewer entities than under the PRA analysis,
lowering these estimated costs. See supra note 700.
\786\ See section IV.D.2.d, IV.D.7; see also supra note 700.
---------------------------------------------------------------------------
Existing SCI entities may incur new costs associated with
information dissemination for additional systems intrusions scoped in
under the expanded definition. The Commission estimates approximately
$0.7 million in initial and annual PRA costs for existing SCI entities,
and $0.4 million in initial and annual costs for new SCI entities, for
disseminating information about system intrusions as required by the
proposed revisions to Rule 1002(c)(2).\787\ These costs are discussed
in more detail in section IV.
---------------------------------------------------------------------------
\787\ See section IV.D.7; supra note 700.
---------------------------------------------------------------------------
To the extent new SCI entities currently disseminate information
consistent with the Rule 1002(c) requirements, they could incur lower
PRA costs to comply with the requirements of Rule 1002(c) than entities
without such existing requirements. Similarly, to the extent many
existing SCI entities currently disseminate information consistent with
the expanded definition of systems intrusion, they could incur lower
PRA costs to comply with the amended requirements of Rule 1002(c) than
entities without such existing practices.
Identification of Nature of System or Event. To comply with the
requirements of Rule 1002, SCI entities need to identify certain types
of events and systems issues, including whether the event is de
minimis. Current SCI entities would already have such processes in
place to comply with the existing requirements of Regulation SCI. The
Commission understands that many new SCI entities likely already have
some internal procedures for determining the severity of a systems
issue.
As a new SCI entity must determine whether an SCI event has
occurred and whether it is a de minimis SCI event, Rule 1002 may impose
one-time implementation costs on new SCI entities associated with
developing a process or modifying its existing process to ensure that
they are able to quickly and correctly make such determinations, as
well as ongoing costs in reviewing the adopted process. As explained in
detail in section IV, we estimate new SCI entities would incur an
initial PRA cost of $1,641,024 and an ongoing annual PRA cost of
$362,418 to develop these processes.
To the extent new SCI entities currently have a process in place
for identifying certain types of events and system issues consistent
with the relevant Rule 1002 requirements, they could incur lower PRA
costs to comply with the relevant requirements of Rule 1002 than
entities without such existing requirements.
c. Rule 1003--Material Systems Changes and SCI Review
i. Reports to the Commission (Rule 1003(a))
Rule 1003(a)(1) requires an SCI entity to provide quarterly reports
to the Commission describing completed, ongoing, and planned material
systems changes to its SCI systems and the security of indirect SCI
systems, during the prior, current, and subsequent calendar quarters.
Rule 1003(a)(1) also requires an SCI entity to establish reasonable
written criteria for identifying a change to its SCI systems and the
security of its indirect SCI systems as material. Rule 1003(a)(2)
requires an SCI entity to promptly submit a supplemental report to
notify the Commission of a material error in or material omission from
a previously submitted report. These requirements remain unchanged. New
SCI entities, however, will become subject to them for the first time.
We discuss the benefits and costs of applying these provisions to new
SCI entities below.
(1) Benefits
The notification requirement would be beneficial because it permits
the Commission and its staff to have up-to-date information regarding
an SCI entity's systems development progress and plans, to aid in
understanding the operations and functionality of the systems, and any
material changes thereto, without requiring SCI entities to submit a
notification to the Commission for each material systems change.\788\
---------------------------------------------------------------------------
\788\ See SCI Adopting Release, supra note 1, at 72337-38.
---------------------------------------------------------------------------
The Commission recognizes that some of the new SCI entities are
currently subject to other material systems change notification
requirements and that most, if not all, new SCI entities have some
internal processes for documenting systems changes as discussed in
detail above.\789\ Accordingly, the Commission notification
requirements in Rule 1003(a) would be new for most but not all of the
new SCI entities.
---------------------------------------------------------------------------
\789\ See sections III.A.2.a.ii, III.A.2.b.ii, III.A.2.c.i.,
V.B.1.a.ii, V.B.1.b.ii, and V.B.1.c.ii.
---------------------------------------------------------------------------
The benefits from the policy and procedure requirements in Rule
1003(a) for the new SCI entities (and the costs, as discussed below),
will therefore depend on the extent to which their current operations
already align with the rule's requirements, given both existing
regulation and current practice.
While some of the existing regulations that apply to the proposed
new SCI entities may be consistent with or similar to the policy and
procedure requirements of Regulation SCI discussed in this section, the
Commission believes it is nevertheless appropriate to apply these
policy and procedure requirements to the new SCI entities and doing so
would benefit participants in the securities markets in which these
entities operate. Overall, applying the specific and comprehensive
requirements set forth in Rule 1003(a) of Regulation SCI to the new SCI
entities would complement any existing requirements and enhance any
reporting of material systems changes already in place for these
entities.
Costs
The compliance costs of Rule 1003(a) primarily entail costs
associated with preparing and submitting Form SCI in accordance with
the instructions thereto. The initial and ongoing PRA cost estimates
associated with preparing and submitting Form SCI with regard to
material systems changes under Rule 1003(a)(1) and (2) are discussed in
detail in section V. The Commission does not expect Rule 1003(a) would
impose significant costs on SCI entities other than those discussed in
section IV. For new SCI entities, the Commission estimates
approximately $1.0 million in initial PRA costs and $0.3 million in
annual PRA costs to establish
[[Page 23257]]
reasonable written criteria for identifying material changes to SCI
systems and to the security of indirect SCI systems.\790\ For new SCI
entities, the Commission also estimates approximately $3.6 million
initially and annually in PRA costs associated with material system
change notices.\791\ The Commission acknowledges that the actual cost
for each new entity may differ depending on their existing processes
for documenting system changes and whether the necessary information is
readily available. The Commission does not expect Rule 1003(a) to
impose significant costs on new SCI entities besides the costs
discussed here. To the extent new SCI entities are currently subject to
other material systems change notification regulatory requirements and
have existing processes for documenting systems changes that align with
the Rule 1003(a) requirements, they could incur lower costs to comply
with the requirements of Rule 1003(a) than entities without such
existing requirements.
---------------------------------------------------------------------------
\790\ See section IV.D.7. For purposes of this Economic
Analysis, there are two fewer entities than under the PRA analysis,
lowering these estimated costs. See supra note 700.
\791\ Id.
---------------------------------------------------------------------------
ii. Annual SCI Review (Rules 1000 and 1003(b))
Rule 1003(b) requires SCI entities to conduct an annual SCI review
and works in conjunction with the definition of ``SCI review'' from
Rule 1000. Under the current definition, SCI review includes ``(1) A
risk assessment with respect to such systems of an SCI entity; and (2)
An assessment of internal control design and effectiveness of its SCI
systems and indirect SCI systems to include logical and physical
security controls, development processes, and information technology
governance, consistent with industry standards.'' \792\ Rule 1003(b)(1)
then requires an annual SCI review, ``provided, however, that (i)
Penetration test reviews . . . shall be conducted at a frequency of not
less than once every three years; and (ii) Assessment of SCI systems
directly supporting market regulation or market surveillance shall be
conducted at a frequency based upon the risk assessment conducted as
part of the SCI review, but in no case less than once every three
years.'' \793\ Rule 1003(b)(2) and (3) require each SCI entity to
submit its annual SCI review report to, respectively, ``senior
management of the SCI entity for review'' and ``to the Commission and
to the board of director of the SCI entity, or the equivalent of such
board'' within specified time frames.\794\
---------------------------------------------------------------------------
\792\ 17 CFR 242.1000.
\793\ 17 CFR 242.1003(b)(1).
\794\ 17 CFR 242.1003(b)(2) and (3).
---------------------------------------------------------------------------
The Commission proposes to make changes to the definition of ``SCI
review.'' Specifically, under the proposed amendment, ``SCI review''
would include, for both SCI systems and indirect SCI systems, an annual
assessment, using appropriate risk management methodology, of risks
related to capacity, integrity, resiliency, availability, and security,
and internal control design and operating effectiveness, and annual
penetration test reviews (increased from at least one review every
three years), and a review of third-party provider management risks and
controls. Rule 1003(b) would also be amended to require more specific
information to be included in the SCI review report, including a list
of the controls reviewed and a description of each such control; the
findings of the SCI review, including, at a minimum, assessments of the
risks described above; a summary, including the scope of testing and
resulting action plan, of each penetration test review; and a
description of each deficiency and weakness identified by the SCI
review. In addition, the revisions would make mandatory that a response
from senior management to the report is included when it is submitted
to the Commission and board, whereas previously the language appeared
permissive.
(1) Benefits
The SCI review requirement would have SCI entities assess the
relative strengths and weaknesses of their systems which may help, in
turn, improve systems and reduce the number of SCI events. The
reduction in occurrence of SCI events could reduce interruptions in the
price discovery process and liquidity flows, as discussed above. In
addition, the efficiency of the Commission's oversight (e.g.,
inspection) of SCI entities' systems would be enhanced.
The proposed increase in the frequency of penetration testing
reviews, which applies to both new and existing SCI entities, should
better prepare SCI entities against cyber threats, which are increasing
in numbers and becoming more sophisticated. For this reason, the
proposed amendment is expected to further strengthen the security,
integrity, and resilience of all SCI entities. Having an annual
penetration testing requirement can help SCI entities reduce the
likelihood of costly data breaches.\795\ For instance, according to one
industry source, RSI Security, a penetration test ``can measure [the
entity's] system's strengths and weaknesses in a controlled environment
before [the entity has] to pay the cost of an extremely damaging data
breach.'' \796\
---------------------------------------------------------------------------
\795\ See, e.g., Mirza Asrar Baig, How Often Should You
Pentest?, Forbes.com (Jan. 22, 2021), available at https://www.forbes.com/sites/forbestechcouncil/2021/01/22/how-often-should-you-pentest/?sh=b667999573c6.
\796\ RSI Security, What is the Average Cost of Penetration
Testing?, RSI Security Blog (Mar. 5, 2020), available at https://
blog.rsisecurity.com/what-is-the-average-cost-of-penetration-
testing/#:~:text=Penetration%20testing%20can%20cost%20anywhere,that%2
0of%20a%20large%20company.
---------------------------------------------------------------------------
The requirement to review third-party provider management risks and
controls will work in conjunction with the proposed amendment to Rule
1001(a)(2) requiring inclusion of a third-party provider management.
The additional benefit of requiring an annual review of third-party
provider management risks and controls is to ensure the benefits
provided by the amendment to Rule 1001(a)(2) are properly realized and
further increasing the likelihood that third-party providers provide
functionality, support or services that are consistent with the
requirements of Regulation SCI.
The Commission understands that many existing SCI entities have
already adopted practices that may align with some of the provisions of
the proposed amendment to Rule 1003(b).
The Commission also understands that many new SCI entities
currently undertake annual systems reviews and that senior management
and/or the board of directors or a committee thereof reviews reports of
such reviews as discussed in detail above.\797\ However, the scope of
the systems reviews, and the level of senior management and/or board
involvement in such reviews, can vary.
---------------------------------------------------------------------------
\797\ See sections III.A.2.a.ii, III.A.2.b.ii, III.A.2.c.i.,
V.B.1.a.ii, V.B.1.b.ii, and V.B.1.c.ii.
---------------------------------------------------------------------------
The benefits from the policy and procedure requirements in Rule
1003(b) for the new SCI entities (and the costs, as discussed below)
and the benefits from the amended policy and procedure requirements in
Rule 1003(b) for the existing SCI entities, will therefore depend on
the extent to which their current operations already align with the
rule's requirements, given both existing regulation and current
practice.
For example, with respect to broker-dealers, prior Commission and
FINRA exam results indicate that many if not most large broker-dealers
conduct risk assessments of internal control design and effectiveness.
Additionally, some
[[Page 23258]]
broker-dealers provide annual cybersecurity reports to the board. The
Commission understands that nearly all large broker-dealers conduct
penetration testing \798\ of systems considered critical although not
all firms conduct such testing annually. Many of these current market
practices align with the policy and procedure requirements of
Regulation SCI discussed in this section.
---------------------------------------------------------------------------
\798\ Supra note 619. According to FINRA's 2018 RCA, 100% of
higher revenue firms include penetration testing as a component in
their overall cybersecurity program. Other factors these firms
consider in evaluating the relevance of penetration testing include
the degree to which they manage or store confidential or critical
data such as trading strategies, customer PII, information about
mergers and acquisitions or confidential information from other
entities (for example, in the case of clearing firms).
---------------------------------------------------------------------------
While some of the existing regulations that apply to the proposed
new SCI entities or current market practices may be consistent with or
similar to some of the policy and procedure requirements of Regulation
SCI discussed in this section, the Commission believes it is
nevertheless appropriate to apply these policy and procedure
requirements to the new SCI entities and that doing so would benefit
participants in the securities markets in which these entities operate.
Overall, applying the specific and comprehensive requirements set
forth in Rule 1003(b) of Regulation SCI to the new SCI entities would
enhance and build on any existing policies and procedures, thereby
furthering the goals of Regulation SCI to strengthen the technology
infrastructure of the U.S. securities markets and improve its
resilience.
(2) Costs
New SCI entities will incur costs to comply with the review
requirements for the first time, and existing SCI entities will incur
costs to comply with the amended provisions. The initial and ongoing
paperwork burden associated with conducting an SCI review, submitting a
report of the SCI review to senior management of the SCI entity for
review, and submitting a report of the SCI review and the response by
senior management to the Commission and to the board of directors of
the SCI entity or the equivalent of such board is discussed in detail
in section IV. For existing SCI entities, the Commission estimates
approximately $7.4 million in initial and annual costs, while for new
SCI entities the Commission estimates approximately $9.6 million in
initial and annual costs.\799\ The paperwork burden estimates provided
here for new SCI entities include the costs of complying with the
proposed amended versions of the Rule, namely the proposed additional
requirements for conducting the SCI review, the requirement that SCI
entities include more specific information in their SCI review reports,
and related recordkeeping.\800\
---------------------------------------------------------------------------
\799\ See section IV.D.7. For purposes of this Economic
Analysis, there are two fewer entities than under the PRA analysis,
lowering these estimated costs. See supra note 700.
\800\ See section IV.D.3.
---------------------------------------------------------------------------
To the extent new SCI entities currently undertake annual systems
reviews and that senior management and/or the board of directors or a
committee thereof reviews reports of such reviews consistent with the
Rule 1003(a) requirements, they could incur lower PRA costs to comply
with the requirements of Rule 1003(a) than entities without such
existing practices. Similarly, to the extent many existing SCI entities
have already adopted practices that are consistent with some of the
provisions of the proposed amendment to Rule 1003(b), they could incur
lower PRA costs to comply with the requirements of Rule 1003(a) than
entities without such existing practices.
With respect to the increased frequency for the penetration test
review, this requirement will impose non-paperwork compliance costs in
addition to those captured by the PRA estimates for both new and
existing SCI entities. For example, RSI Security explains that
penetration testing ``can cost anywhere from $4,000-$100,000,'' and
``[o]n average, a high quality, professional [penetration testing] can
cost from $10,000-$30,000.'' \801\ RSI Security, however, was clear
that the magnitudes of these costs can vary with size, complexity,
scope, methodology, types, experience, and remediation measures.\802\
Another source estimates a ``high-quality, professional [penetration
testing to cost] between $15,000-$30,000,'' while emphasizing that
``cost varies quite a bit based on a set of variables.'' \803\ This is
in line with a third source, which states that ``[a] true penetration
test will likely cost a minimum of $25,000.'' \804\ The Commission
preliminarily believes that the cost of penetration testing will range
between $25,000 and $100,000 for new and existing SCI entities, in
light of the complexity and scope required, although the costs may be
somewhat lower depending on the frequency with which such testing and
review are currently conducted by new and existing SCI entities. The
Commission acknowledges the non-paperwork costs of the proposed
increase in the frequency of a penetration test review, and seeks
feedback on these costs.
---------------------------------------------------------------------------
\801\ See RSI Security, supra note 796.
\802\ See id.
\803\ Gary Glover, How Much Does a Pentest Cost?,
Securitymetrics Blog (Nov. 15, 2022, 8:36 a.m.), available at
https://www.securitymetrics.com/blog/how-much-does-pentest-cost.
\804\ Mitnick Security, What Should You Budget for a Penetration
Test? The True Cost, Mitnick Security Blog, (Jan. 29, 2021, 5:13
a.m.), available at https://www.mitnicksecurity.com/blog/what-should-you-budget-for-a-penetration-test-the-true-cost.
---------------------------------------------------------------------------
Request for Comment
118. For current and proposed SCI entities, how often do you
(already) perform penetration testing and how much does it cost?
d. Rule 1004--Business Continuity and Disaster Recovery Plan Testing
Rule 1004(b) requires the testing of an SCI entity's business
continuity and disaster recovery plans at least once every 12 months.
Rule 1004(a) and (b) require participation in such testing by those
members or participants that an SCI entity reasonably determines are,
taken as a whole, the minimum number necessary for the maintenance of
fair and orderly markets in the event of the activation of its BC/DR
plans. Rule 1004(c) requires an SCI entity to coordinate such testing
on an industry- or sector-wide basis with other SCI entities.\805\ The
Commission is proposing to amend Rule 1004 to require that third-party
providers also participate in such testing. Therefore, for current SCI
entities, the difference is to include third-party providers in its
testing. For new SCI entities, the entire provision is a new
obligation. We discuss below the benefits and costs of applying this
provision, including the proposed amendments, to new and existing SCI
entities.
---------------------------------------------------------------------------
\805\ One avenue for coordinating such testing is through
SIFMA's voluntary Industry-Wide Business Continuity Test. See SIFMA,
Industry-Wide Business Continuity Test (Oct. 15, 2022), available at
https://www.sifma.org/resources/general/industry-wide-business-continuity-test/.
---------------------------------------------------------------------------
i. Benefits
As discussed above, requiring the new SCI entities to test their
BC/DR plans would likely improve backup infrastructure and lead to
fewer market-wide shutdowns, which should help facilitate continuous
liquidity flows in markets, reduce pricing errors, and thus improve the
quality of the price discovery process.\806\ Moreover, Rule 1004 would
help ensure fair and orderly markets in the event of the activation of
BC/DR plans.
---------------------------------------------------------------------------
\806\ See sec. V.C.1.; see also SCI Adopting Release, supra note
1, at 72429.
---------------------------------------------------------------------------
In addition, for both new and existing SCI entities, the proposed
requirement to establish standards for the
[[Page 23259]]
designation of third-party providers and their participation in the
currently scheduled functional and performance testing of the operation
of BC/DR plans will help those SCI entities ensure that their efforts
to develop effective BC/DR plans are not undermined by a lack of
participation by third-party providers that the SCI entity believes are
necessary to the successful activation of such plans.
Although the Commission finds it impracticable to quantify these
benefits in dollar terms,\807\ the Commission believes it would be
helpful to consider the cost of an unplanned outage. For example, the
Commission considers a reduced occurrence of a potential outage as a
benefit of complying with Regulation SCI. As discussed above, one
source of cost estimates for an unplanned outage is the Ponemon
Institute's 2016 Cost of Data Center Outages report.\808\ According to
the report, the total cost per minute of an unplanned outage was $8,851
for the average data center the Institute surveyed in 2016.\809\ This
implies a cost of $531,060 per hour of an unplanned outage at the
time.\810\ Moreover, outages themselves can also last far longer than
one hour. For example, natural disasters, such as hurricanes, can often
lead to lengthy outages lasting 200 to 400 hours.\811\ Taken together,
this data suggests potentially significant benefits to having an
adequate policy and procedure in place to ensure business continuity
and disaster relief plans for SCI entities.
---------------------------------------------------------------------------
\807\ As discussed in section V.D.1. multiple factors would
affect the harm to the overall economy from an unplanned outage at
an SCI entity.
\808\ See supra note 696.
\809\ Id. at 14.
\810\ The report also showed that this figure was increasing
over time. The same figure was $5,617/min in 2010 and $7,908/min in
2013. See id.
\811\ See Data Foundry, How Much Should You Spend On Business
Continuity and Disaster Recovery (Dec. 12, 2019), available at
https://www.datafoundry.com/blog/much-spend-business-continuity-disaster-recovery.
---------------------------------------------------------------------------
The benefits from the BC/DR requirements in Rule 1004 for the
current and new SCI entities (and the costs, as discussed below) will
depend on the extent to which their current operations already align
with the rule's requirements, given both existing regulation and
current practice. Based on discussion with industry participants, the
Commission understands that some existing SCI entities already require
third-party service provider participation in testing despite not being
required to do so currently under Regulation SCI. For these SCI
entities, there may be incremental benefits from making the third-party
service provider participation a requirement under the Regulation and
ensuring that they continue to include these parties in such testing
going forward.
Some new SCI entities, either due to existing regulatory
requirements or on their own volition, also already require some of
their members or participants, as well as third-party providers, to
participate in performance testing of BC/DR plans or offer the
opportunity to do so on a voluntary basis, although such participation
may be limited in nature (e.g., testing for connectivity to backup
systems). However, existing requirements for the new SCI entities may
differ from the requirements of Rule 1004. For example, FINRA Rule 4370
does not require the functional and performance testing and
coordination of industry or sector-testing of such plans.
With respect to SBSDRs, the requirements of Regulation SCI are more
specific and comprehensive in terms of testing business continuity and
disaster recovery plans than the principles-based requirements of Rule
13n-6. The requirements of Regulation SCI would thus exist and operate
in conjunction with Rule 13n-6 and help ensure that SBSDR market
systems are robust, resilient, and secure and enhance Commission
oversight of these systems. Moreover, to the extent the systems of
SBSDRs that relate to the securities-based swap markets function
separately (or could function separately in the future) from the
systems of SDRs that relate to the swaps markets, applying Rule 1004 to
these entities would help to ensure effective testing of BC/DR plans
for the specific systems relevant to the securities markets and would
subject these systems to enhanced Commission oversight.
Similarly, the Commission recognizes that exempt clearing agencies
that this rule proposal would newly scope into Regulation SCI are
currently required to have BC/DR plans and test them at least annually
with the participation of customers, critical utilities, critical
service providers, other clearing agencies, other market
infrastructures, and any other institution with which interdependencies
have been identified in the business continuity policy. Overall,
applying the specific and comprehensive requirements set forth in Rule
1004 would complement existing requirements and enhance the BC/DR plans
tests already in place for these entities.
ii. Costs
The mandatory testing of SCI entity BC/DR plans, including backup
systems, as required under amended Rule 1004, will result in costs to
SCI entities. For current SCI entities, the increase in the cost would
come from the requirement to include designated third-party providers
in when testing their BC/DR plans--to the extent they have not been
doing so. In addition, because the proposed requirements of Rule 1004
would require participation by various other parties, including
designated members, participants, and other third parties, these
parties may also bear costs of Rule 1004. We discuss these various
costs below.
Costs to New and Existing SCI Entities. It is the Commission's
understanding that some new SCI entities already engage with their
members, participants or customers, as applicable, or third-party
providers when testing BC/DR plans. Furthermore, as mentioned above,
market participants, including new SCI entities, already coordinate
certain BC/DR plans testing to an extent. However, Rule 1004 mandates
participation in testing for new SCI entities that do not currently
participate, requires coordination when testing BC/DR plans, and
requires their members, market participants, or their third-party
providers participate.
In particular, Rule 1004 requires SCI entities to designate their
members, participants, or third-party providers to participate in BC/DR
plans testing and to coordinate such testing with other SCI entities on
an industry- or sector-wide basis. The requirement of member,
participant, or third-party provider designation in BC/DR plans testing
under Rule 1004 may impose new costs even for those that currently have
BC/DR plan testing, as an SCI would have to allocate resources towards
initially establishing and later updating standards for the designation
of its members and participants and third-party providers for testing.
For example, systems reconfiguration for functional and performance
testing and establishing an effective coordinated test script could be
a complex process and result in additional costs, but it is an
important first step in establishing robust and effective BC/DR plans
testing. Furthermore, the requirement to coordinate industry- or
sector-wide testing would impose additional administrative costs
because an SCI entity would be required to notify its members,
participants, or third-party providers and also organize, schedule, and
manage the coordinated testing.
Many of the costs associated with Rule 1004 are costs estimated in
the PRA in section IV. For existing SCI entities the Commission
estimates approximately $1.4 million in initial costs and $0.5 million
in annual costs,
[[Page 23260]]
while for new SCI entities the Commission estimates approximately $3.2
million in initial costs and $1.1 million in annual costs.\812\ In
addition to the PRA costs, the Commission believes that new SCI
entity's may incur non-paperwork costs associated with the mandatory
testing of BC/DR plans, including backup systems; however, the
Commission finds it impracticable to provide a quantified estimate of
these specific non-paperwork costs for new SCI entities because the
Commission does not have detailed information regarding the current
level of engagement by members or participants in BC/DR testing and the
associated costs, or the details of the BC/DR testing that new SCI
entities would implement pursuant to Rule 1004.
---------------------------------------------------------------------------
\812\ See section IV.D.4. For purposes of this Economic
Analysis, there are two fewer entities than under the PRA analysis,
lowering these estimated costs. See supra note 700.
---------------------------------------------------------------------------
In addition, both new and existing SCI entities may incur costs
beyond the PRA costs to comply with the requirement that third-party
providers be included in the testing requirement. The Commission
acknowledges that there will be significant variations in incremental
cost for new and existing SCI entities beyond the costs of complying
with the rest of the testing requirements, depending on the
relationship of each SCI entity with the third-party provider and the
need to revise any contractual agreement between them. But in any
situation where a third-party provider is already required to provide a
continuous service plan (such as 24/7 connectivity), the incremental
cost of having the third-party provider participate in the BC/DR
testing should be modest. To the extent existing and new SCI entities
already have BC/DR plan testing that align with the Rule 1004
requirements, they could incur lower costs to comply with the
requirements of Rule 1004 than entities without such existing BC/DR
plan testing.
Costs to SCI Entity Members, Participants, and Third-Party
Providers. Rule 1004 will also impose costs on SCI entity designated
members, participants and third-party providers. Although members,
participants, and third-party providers will incur costs as a result of
Rule 1004, those that are likely to be designated to participate in
business continuity and disaster recovery plans testing are those that
conduct a high level of activity with the SCI entity or those that play
an important role for the SCI entity and who are more likely to have
already established connections to the SCI entity's backup site. It is
the Commission's understanding that most of the larger members,
participants, and third-party providers already have established
connectivity with the SCI entity's backup site and already monitor and
maintain such connectivity, and thus the additional connectivity costs
imposed by Rule 1004 would be modest to these members or
participants.\813\ The Commission, however, finds it impracticable to
provide a quantified estimate of the specific costs for SCI entity
members, participants or third-party providers associated with the
mandatory testing required by Rule 1004 as such data or information is
not required to be provided by SCI entities to the Commission under
Regulation SCI. Nevertheless, the Commission preliminarily believes,
for similar reasons as provided in the section discussing non-paperwork
burden estimates for Rule 1001(a) and (b), that the figures from 2014
remain reasonable approximations for new SCI entities in 2023, after
adjusting for inflation since 2014.\814\
---------------------------------------------------------------------------
\813\ See SCI Adopting Release, supra note 1, at 72430.
\814\ After adjusting for inflation since 2014, the cost of BD/
DR plan testing ranges from approximately $31,000 to $76,000 per
year, per member or participant. The aggregate annual cost for
designated members and participants to participate in BC/DR testing
is approximately $84.0 million after adjusting for inflation since
2014.
---------------------------------------------------------------------------
Because SCI entities have an incentive to limit the imposition of
the cost and burden associated with testing to the minimum necessary to
comply with the rule, given the option, most SCI entities would likely,
in the exercise of reasonable discretion, prefer to designate the
fewest number of members, participants, or third-party providers to
participate in testing and meet the requirements of the rule, than to
designate more.
The Commission believes that the cost associated with Rule 1004 is
unlikely to induce the designated members or participants to reduce the
number of SCI entities through which they trade and adversely affect
price competitiveness in markets. As noted above, the Commission also
recognizes that costs to some SCI entity members, participants, or
third-party providers associated with Rule 1004 could vary depending on
the BC/DR plans being tested, and to the extent they participate. Based
on industry sources, the Commission understands that most of the larger
members or participants of SCI entities already maintain connectivity
with the backup systems of SCI entities.\815\ However, the Commission
understands that there is a lower incidence of smaller members or
participants maintaining connectivity with the backup sites of SCI
entities. As such, the Commission believes that the compliance costs
associated with Rule 1004 would be higher for those members,
participants, or third-party providers that are designated for testing
by SCI entities who would need to invest in additional infrastructure
to participate in such testing.\816\
---------------------------------------------------------------------------
\815\ SCI Adopting Release, supra note 1, at 72430.
\816\ Id.
---------------------------------------------------------------------------
As discussed above, Rule 1001(a) does not require backup facilities
of SCI entities fully duplicate the features of primary
facilities.\817\ Further as discussed in section IV.B.6, SCI entity
members, participants, or third-party providers are not required by
Regulation SCI to maintain the same level of connectivity with the
backup sites of an SCI entity as they do with the primary sites. In the
event of a wide-scale disruption in the securities markets, the
Commission acknowledges that SCI entities and their members,
participants, or third-party providers may not be able to provide the
same level of service as on a normal trading day. However, when BC/DR
plans are in effect due to a wide-scale disruption in the securities
markets, the requirements of Rule 1004 should help ensure adequate
levels of service and pricing efficiency, to facilitate trading and
maintain fair and orderly markets without imposing excessive costs on
SCI entities and market participants by requiring them to maintain the
same connectivity with the backup systems as with the primary
sites.\818\
---------------------------------------------------------------------------
\817\ SCI Adopting Release, supra note 1, at 72353.
\818\ See id.
---------------------------------------------------------------------------
Request for Comment
119. If you are a current or proposed SCI entity and you currently
require any of your service providers to participate in your scheduled
business continuity or disaster recovery testing, how does your
activity differ from the requirements of the rule proposal? What have
been the benefits and costs of this activity?
120. If you are a current or proposed SCI entity and your business
continuity or disaster recovery plans address the unavailability of
your third-party providers, how does your activity differ from the
requirements of the rule proposal? What have been the benefits and
costs of this activity?
e. Rules 1005 Through 1007--Recordkeeping and Electronic Filing
Rules 1005 through 1007 relate to recordkeeping requirements,
filing and submission requirements, and
[[Page 23261]]
requirements for service bureaus. SCI entities are required by Rule
1005 of Regulation SCI to make, keep, and preserve certain records
related to their compliance with Regulation SCI.\819\ Rule 1006 of
Regulation SCI provides for certain requirements relating to the
electronic filing on Form SCI, of any notification, review,
description, analysis, or report to the Commission required to be
submitted under Regulation SCI.\820\ Rule 1007 of Regulation SCI
requires a written undertaking when records are required to be filed or
kept by an SCI entity under Regulation SCI, or are prepared or
maintained by a service bureau or other recordkeeping service on behalf
of the SCI entity.\821\
---------------------------------------------------------------------------
\819\ See 17 CFR 242.1005. Rule 1005(a) of Regulation SCI
relates to recordkeeping provisions for SCI SROs, whereas Rule
1005(b) relates to the recordkeeping provision for SCI entities
other than SCI SROs.
\820\ See 17 CFR 242.1006.
\821\ See 17 CFR 242.1007.
---------------------------------------------------------------------------
Rule 1005(c) currently requires that the recordkeeping period
survives even if an SCI entity ceases to do business or ceases to be
registered under the Exchange Act. The Commission proposes to amend
Rule 1005(c) so that this record retention provision also applies to an
SCI entity that remains in business as a registered entity but
``otherwise [ceases] to be an SCI entity.'' Therefore, for existing SCI
entities, this is the only difference from the current recordkeeping
requirement in Rule 1005(c). For new SCI entities, all of the
requirements in Rules 1005 through 1007 are new obligations. We discuss
below the benefits and costs of applying these provisions to new and
existing SCI entities.
i. Benefits
The Commission believes that Rules 1005 and 1007 would allow
Commission staff to inspect and examine the new SCI entities for their
compliance with Regulation SCI, and would increase the likelihood that
Commission staff can identify conduct inconsistent with Regulation SCI.
Preserved information should provide the Commission with an additional
source to help determine the causes and consequences of one or more SCI
events and better understand how such events may have impacted trade
execution, price discovery, liquidity, and investor participation.
Consequently, the Commission believes that the requirements of Rules
1005 and 1007 would help ensure compliance of the new SCI entities with
Regulation SCI and help realize the potential benefits (e.g., better
pricing efficiency, price discovery, and liquidity flows) of the
regulation.
Rule 1006 requires SCI entities to electronically file all written
information to the Commission on Form SCI.\822\ Rule 1006 would provide
a uniform manner in which the Commission receives--and SCI entities
provide--written notifications, reviews, descriptions, analyses, or
reports required by Regulation SCI. Rule 1006 should add efficiency for
the new SCI entities in drafting and submitting the required reports,
and for the Commission in reviewing, analyzing, and responding to the
information provided.
---------------------------------------------------------------------------
\822\ Except for notifications submitted pursuant to Rule
1002(b)(1) and (3).
---------------------------------------------------------------------------
The Commission recognizes that all of the new SCI entities are
currently subject to the Commission and other regulatory recordkeeping
requirements.\823\ However, records relating to Regulation SCI may not
be specifically addressed in the recordkeeping requirements of certain
rules. The benefits from the recordkeeping requirements in Rules 1005
and 1007 for the new SCI entities (and the costs, as discussed below),
will therefore depend on the extent to which their current operations
already align with the rule's requirements, given both existing
regulation and current practice.
---------------------------------------------------------------------------
\823\ See, e.g., 17 CFR 240.17a-3 and 240.17a-4, applicable to
broker-dealers.
---------------------------------------------------------------------------
The proposed amendment to Rule 1005(c) will apply to new and
existing SCI entities. Although many SCI events may be resolved in a
short time frame, there may be other SCI events that may not be
discovered for an extended period of time after their occurrences, or
may take significant periods of time to fully resolve. In such cases,
having an SCI entity's records available after it has ceased to be an
SCI entity or be registered under the Exchange Act would add to the
scope of historical records available for review in the event of an SCI
event. This is a particular issue for entities whose coverage under the
rule might vary over time, depending on when the entities--or their
systems--meet the rule's coverage thresholds. For these entities,
uniform record retention periods will also facilitate comparative
review of risk and compliance trends. These benefits will be limited if
entities and systems of entities tend to continue meeting coverage
requirements over time, without a break in coverage.
ii. Costs
The recordkeeping requirements of Rules 1005 and 1007 will impose
additional costs, including a one-time cost to set up or modify an
existing recordkeeping system to comply with Rules 1005 and 1007. The
initial and ongoing compliance costs associated with the recordkeeping
requirements are attributed to paperwork burdens, which are discussed
in section IV above.\824\
---------------------------------------------------------------------------
\824\ When monetized, the paperwork burden associated with all
recordkeeping requirements would result in approximately $278,460
initially and $40,950 annually for all new SCI entities in the
aggregate. The Commission estimates that a New SCI Entity other than
an SCI SRO will incur a one-time cost of $900 for information
technology costs for purchasing recordkeeping software, for a total
of $18,900. See section IV.D.7. For purposes of this Economic
Analysis, there is two fewer entities than under the PRA analysis,
lowering these estimated costs. See supra note 700.
---------------------------------------------------------------------------
With respect to Rule 1006, all costs associated with Form SCI are
attributed to the paperwork burdens discussed in section IV. For
existing SCI entities the Commission estimates approximately $21.0
million in initial costs and $12.0 million in annual costs, while for
new SCI entities the Commission estimates approximately $41.7 million
in initial costs and $25.8 million in annual costs.\825\
---------------------------------------------------------------------------
\825\ See section IV.D.7; supra note 700.
---------------------------------------------------------------------------
Every new SCI entity will be required to have the ability to
electronically submit Form SCI through the EFFS system, and every
person designated to sign Form SCI will be required to have an
electronic signature and a digital ID. The Commission believes that
this requirement will not impose an additional burden on new SCI
entities, as these entities likely already prepare documents in an
electronic format that is text searchable or can readily be converted
into a format that is text searchable.
The Commission also believes that many new SCI entities currently
have the ability to access the EFFS system and electronically submit
Form SCI, such that the requirement to submit Form SCI electronically
will not impose significant new implementation or ongoing costs.\826\
The Commission also believes that some of the persons who will be
designated to sign Form SCI already have digital IDs and the ability to
provide an electronic signature. To the extent that some persons do not
have digital IDs, the additional cost to obtain and maintain digital
IDs is accounted for in the paperwork burden, discussed in section IV
above.\827\
---------------------------------------------------------------------------
\826\ The initial and ongoing costs associated with various
electronic submissions of Form SCI for the new SCI entities are
discussed in the Paperwork Reduction Act section above. See supra
section IV.D.6.
\827\ See id.
---------------------------------------------------------------------------
[[Page 23262]]
D. Efficiency, Competition, and Capital Formation Analysis
As previously discussed in section C, the proposed amendments to
Regulation SCI would reduce the impact of market disruptions arising as
a result of natural disasters, third-party provider service outages,
cybersecurity events, hardware or software malfunctions. We expect that
the proposed amendments will reduce the frequency, severity, and
duration of systems issues that occur in the context of these events,
and will thus decrease the number of trading interruptions. The
proposed amendments will thus improve market efficiency, price
discovery, and liquidity, because trading interruptions interfere with
the process through which information gets incorporated into security
prices. In addition, by reducing trading interruptions, the proposed
amendments will have beneficial effects across markets, because of the
interconnectedness of securities markets. For example, an interruption
in the market for equity securities could harm the price discovery
process in the options markets, reducing the flow of liquidity across
markets. As a result, we expect the proposed amendments, if adopted,
would improve price efficiency in securities markets.\828\
---------------------------------------------------------------------------
\828\ See sections V.D.1 and V.D.3.
---------------------------------------------------------------------------
Prices that accurately convey information about fundamental value
improve the efficiency with which capital is allocated across projects
and firms, thus promoting capital formation. In addition, we expect the
proposed amendments to encourage capital formation by reinforcing
investors' confidence in market transactions.
The proposed amendments to Regulation SCI could affect competition
among SCI entities because the compliance costs could differ among SCI
entities. For example, current SCI entities are expected to face
smaller incremental compliance costs than new SCI entities. New SCI
entities that have been subject to similar regulations could also face
smaller incremental compliance costs than those who have not. Even
among new SCI entities, certain provisions can be more costly for some
than others. For example, the initial compliance costs of the systems
resumption requirements could differ among new SCI entities.
Specifically, as mentioned above, Rule 1004's BC/DR testing
requirements may require greater incremental costs for smaller SCI
entities that have not already been engaged in BC/DR testing. Lastly,
some of the new SCI entities may already have practices that are
aligned with at least some of the requirements under amended Regulation
SCI compared to the baseline, reducing their incremental compliance
costs.
In addition to competition among SCI entities, the compliance costs
imposed by the proposed amendments to Regulation SCI could have an
effect on competition where SCI entities and non-SCI entities compete,
such as in the markets for trading services (e.g., broker-dealers).
Specifically, since non-SCI entities do not have to incur the
compliance costs associated with Regulation SCI, SCI entities could
find it difficult to pass on their own compliance costs to investors or
customers without losing investors or customers to non-SCI entities.
This would adversely affect the profits of SCI entities. That said, by
expanding the set of SCI entities, the proposed amendments would ensure
that, where there is currently competition between existing SCI
entities and the new entities under this proposed rule then these
competing entities are subject to similar SCI compliance requirements.
The proposed threshold-based tests for scoping a broker-dealer into
Regulation SCI could bring about a potential unintended effect of
deterring growth among broker-dealers and discouraging potential
benefits of scale economies. For example, to the extent a certain
broker-dealer may take otherwise-unwanted steps to keep its trading
volumes or asset level low, or spin off entities and not realize scale
economies, all for the purpose of avoiding being subject to regulation,
this can be inefficient for the economy. Likewise, the proposal to
apply regulation SCI to all exempt clearing agencies would mean that
any entity that seeks to become a clearing agency will automatically be
subject to Regulation SCI and will thus bear the associated compliance
cost.
The compliance costs associated with Rule 1004 could raise barriers
to entry and affect competition among members or participants of SCI
entities. Specifically, to the extent that members or participants
could be subject to designation in BC/DR plan testing and could incur
additional compliance costs, the member or participant designation
requirement of Rule 1004 could raise barriers to entry. In addition, as
discussed above, the compliance costs of the rule will likely be higher
for smaller members or participants of SCI entities compared to larger
members or participants of SCI entities. The adverse effect on
competition may be mitigated to some extent, as the most likely members
or participants to be designated for testing are larger members or
participants who already maintain connectivity with an SCI entity's
backup systems. Further, the adverse effect on competition for smaller
members or participants could be partially mitigated to the extent that
larger firms, which are members of multiple SCI entities, could incur
additional compliance costs as these larger member firms could be
subject to multiple designations for business continuity and disaster
recovery plan testing.\829\
---------------------------------------------------------------------------
\829\ Id. at 72433.
---------------------------------------------------------------------------
E. Reasonable Alternatives
In formulating our proposal, we have considered various
alternatives. Those alternatives are discussed below and we have also
requested comments on certain of these alternatives.
1. Limiting the Scope of the Regulation SCI Provisions for New SCI
Entities
The Commission has considered whether all of the obligations set
forth in Regulation SCI should apply to the new SCI entities or whether
only certain requirements should be imposed, such as those requiring
written policies and procedures, notification of systems problems,
business continuity and disaster recovery testing, and penetration
testing.\830\ For example, the Commission has considered if SBSDRs
should be subject to full Regulation SCI requirements, similar to SCI
plan processors, or should be subject to only some of the Regulation
SCI requirements, given differing levels of automation and stages of
regulatory development of the SBS market.
---------------------------------------------------------------------------
\830\ Such an approach is similar to that taken regarding the
competing consolidators in Market Data Consolidator rule. The Market
Data Consolidator rule subjects competing consolidators that do not
meet the earning thresholds to some, but not all, obligations that
apply to competing consolidators. 17 CFR 242.614.
---------------------------------------------------------------------------
The Commission believes that these alternatives would reduce some
of the benefits as well as some of the costs compared to the proposed
rules. The lower costs from limiting the Regulation SCI requirements,
such as periodic reviews of policies and procedures or Commission
notification, for some new entities could result in lower barriers to
entry and could increase competition in the relevant markets compared
to the proposed rules. However, taking into consideration the large
size of the new SCI entities and, therefore, their externalities on
some other SCI entities in case of system failure, the Commission
believes these effects on the competition may not be significant enough
to warrant forgoing benefits
[[Page 23263]]
(such as timely notifications to the Commission) in addition to the
reduced effectiveness of the regulation. Moreover, not requiring
specific SCI requirements for certain new SCI entities would likely
result in less uniform treatment across current and new SCI entities
performing similar functions.\831\
---------------------------------------------------------------------------
\831\ See supra section III.A.2.
---------------------------------------------------------------------------
2. Mandating Compliance With Current SCI Industry Standards
The Commission has considered the alternative of mandating
compliance with current SCI industry standards. This alternative would
require that the policies and procedures of SCI entities required under
Rule 1001(a) comply with ``current SCI industry standards'' rather than
simply making such compliance a safe harbor under Rule 1001(a)(4).\832\
This alternative would ensure that an SCI entity have policies and
procedures consistent with current SCI industry standards. These
standards likely have the advantage of economy of scale as several
entities in that industry adopted the standards and thus the standards
benefit from more innovative efficiencies than in-house standards.
Moreover, mapping policies and procedures to the industry standard
would help facilitate the Commission's inspection and enforcement
capabilities.
---------------------------------------------------------------------------
\832\ Proposed Rule 1000(a)(4) defines ``current SCI industry
standards'' as ``information technology practices that are widely
available to information technology professionals in the financial
sector and issued by an authoritative body that is a U.S.
governmental entity or agency, association of U.S. governmental
entities or agencies, or widely recognized organization.''
---------------------------------------------------------------------------
Based on Commission staff experience, however, this alternative
would not be an appropriate solution for all SCI entities. One reason
is that given the differences exhibited by various SCI entities and the
complexity of each SCI entity's operations, it may not be suitable for
each one to find a current SCI industry standard that suits its needs
without substantial modification and customization. To this extent, the
Commission sees a great value in allowing each SCI entity to customize
its policies and procedures to address the specific operational risks
it faces. It is the Commission's understanding that a number of current
SCI entities have developed and implemented policies and procedures
largely based on industry standards, but they have also customized them
based on the size, risks, and unique characteristics of SCI entities.
For this reason, mandating compliance with a current SCI industry
standard may be an inefficient approach. For the larger and more
complex-structured SCI entities, losing flexibility to design systems
or develop policies and procedures by mandating the industry standards
could also result in less effective policies and procedures or
adversely affect integrity, resiliency, availability, or security of
SCI systems.
3. Requiring Diversity of Back-Up Plan Resources
With respect to critical SCI systems, the Commission has considered
mandating multi-vendor backups. This alternative would require that SCI
entities that utilize third-party providers to operate critical SCI
systems have geographically diverse backup systems that are operated by
a different third-party provider (e.g., multi-cloud). As previously
discussed, there can be significant advantages for an entity moving its
systems from an on-premises, internally run data center to cloud
service providers (CSPs), which may include cost efficiencies,
automation, increased security, and resiliency, and the ability to
leverage the opportunity to reengineer or otherwise update their
systems and applications to run more efficiently.\833\
---------------------------------------------------------------------------
\833\ See section III.C.2.
---------------------------------------------------------------------------
However, each SCI entity is obligated to satisfy the requirements
of Regulation SCI for systems operated on behalf the SCI entity by a
third party. This necessarily requires an individualized assessment of
the costs and risks associated with managing the CSP relationship, and
determining that the CSPs' backup and recovery capabilities are
sufficiently resilient, geographically diverse, and reasonably designed
to achieve timely recovery following a wide-scale disruption.\834\
Further, while reducing the risk of over-reliance on a single vendor
and the chance of system failures-for example, due to the same
vulnerabilities within a vendor--a multi-cloud strategy would add
additional costs including negotiation, contract, deployment, and
management costs; and it is the Commission's understanding that multi-
cloud architecture could introduce more complexity and, accordingly,
operational and cybersecurity risks into the SCI back-up systems.\835\
In place of a prescriptive alternative of mandating multi-vendor
backups, the Commission is proposing, in Rule 1001(a)(2)(v) and (ix), a
more flexible approach under which each SCI entity must consider CSPs
and other third-party providers as part of a risk-based assessment of
the providers' criticality and their role in the entity's business
continuity and disaster recovery planning.
---------------------------------------------------------------------------
\834\ See id.
\835\ For example, security breach possibilities could increase
because of the interconnection of SCI systems between multi cloud
providers.
---------------------------------------------------------------------------
4. Penetration Testing Frequency
With respect to the penetration testing frequency, the Commission
has considered requiring longer (e.g., every 2 years) or shorter
(quarterly, every 6 months) frequencies for penetration testing, rather
than the currently proposed annual (a reduction from the current rule
of every three years). When the Commission adopted Regulation SCI in
2014, the Commission decided to require penetration test reviews ``not
less than once every three years in recognition of the potentially
significant costs that may be associated with the performance of such
tests.'' \836\ Nevertheless, as mentioned above, markets have changed
since the adoption of Regulation SCI. In particular, cybersecurity has
become a more pervasive concern for all types of businesses, including
SCI entities. In addition, the Commission understands that industry
practices with respect to penetration testing has evolved such that
tests occur on a much more frequent basis, as businesses confront the
threat of cybersecurity events on a wider scale. To this extent, the
Commission has considered whether penetration testing should be
conducted at least once quarterly, every 6 months, or every 2 years.
---------------------------------------------------------------------------
\836\ SCI Adopting Release, supra note 1, at 72344.
---------------------------------------------------------------------------
The Commission understands industry practices generally tend to
recommend at least one penetration test review a year. Requiring
penetration test reviews more frequently could further strengthen
security and reduce cybersecurity events at SCI entities. Nevertheless,
the Commission believes that requiring all SCI entities to conduct such
reviews more than once every year may be too much of a drain on the
institution's resources, due to the estimated cost of $10,000 to
$30,000 per test,\837\ and given the wide scope of annual testing to be
conducted as part of an annual review under proposed Rule 1003(b).\838\
Moreover, while some entities may need to perform multiple tests each
year on different components of their environment, for other entities a
requirement for multiple tests may be counterproductive, if the testing
cycle
[[Page 23264]]
does not provide time to implement security investments.
---------------------------------------------------------------------------
\837\ See section V.D.3.c.
\838\ See proposed Rules 1000, 1001(a)(2)(iv) (penetration
testing as part of an annual review under Rule 1003(b) must include
testing of ``network, firewalls, and production systems, including
of any vulnerabilities of . . . SCI systems and indirect SCI
systems,'' including vulnerabilities ``pertaining to internal and
external threats, physical hazards, and natural or manmade
disasters'').
---------------------------------------------------------------------------
5. Attestation for Critical SCI System Vendors
Given the importance of critical SCI systems and SCI entities'
increasing reliance on third-party providers, the Commission has
considered requiring attestation (such as by an SCI entity's chief
executive officer or general counsel) that contracts with third-party
providers for critical SCI systems comply with the SCI entity's
obligations under Regulation SCI. Such an attestation requirement would
further ensure that SCI entities are negotiating contract terms with
third-party providers for critical SCI systems in a manner that is
consistent with Regulation SCI's requirements. However, an attestation
requirement for each such contract may have limited value, and may be
overly time-consuming and resource-intensive, relative to the value of
the attestation requirement.
The value of an attestation requirement will be limited, given that
proposed Rule 1001(a)(2)(ix) would require each SCI entity to have a
program to manage and oversee third-party providers, or to the extent
that they already provide attestations to their customers (which, in
turn, may vary to the degree that they are in competition with like
entities). At the same time, an attestation requirement may have
significant costs.
For SCI entities these costs may include the direct costs of
updating their oversight processes in order to ensure that their
attestations are accurate and in compliance; training their in-house
personnel on the third-party service provider's methods for operating
critical IT systems; and conducting oversight of the service provider's
subcontractors as well as oversight of the service provider itself. SCI
entities may also incur costs if they move critical system functions
in-house or consolidate vendors to reduce the risk or burden of the
attestation requirement, which could result in lower-quality or less
efficient services. Furthermore, requiring the attestation by SCI
entity's senior officers could increase the due diligence cost of the
attestation requirement. Senior officers making attestations may
require additional liability insurance, higher compensation or lower
incentive pay as a share of overall compensation. Finally, the service
providers themselves may face increased costs as part of their efforts
to help the SCI entity make the relevant attestation, including
contract renegotiation costs, upgrading operations, and responding to
information requests from the SCI entity. These costs, in turn, might
be passed to the SCI entity and ultimately to its participants,
members, or customers.
The Commission believes the additional costs could be
disproportionate to the benefits of an attestation requirement. For
these reasons, the Commission has decided against including an
attestation requirement.
6. Transaction Activity Threshold for SCI Broker-Dealers
With respect to the transaction activity threshold used to scope
broker-dealers within Regulation SCI as discussed in section III.A.2.b,
the Commission has considered as an alternative whether to set a higher
(more limited) or lower (more expansive) threshold than the proposed
10% threshold. For example, the Commission has considered if only
broker-dealers with transaction activity thresholds above 15% should be
included as SCI broker-dealers \839\ but determined that this would
fail to scope within Regulation SCI some of the largest and most
significant broker-dealers that pose technological vulnerabilities and
risks to the maintenance of fair and orderly markets. This would have
the effect of decreasing costs moderately for broker-dealers no longer
within the scope of Regulation SCI at the expense of a significant
decrease in benefits otherwise associated with the improvements to fair
and orderly markets, as described above.
---------------------------------------------------------------------------
\839\ The Commission believes that the proposed threshold of 5%
of total assets is a reasonable approach to identifying the largest
broker-dealers. See section III.A.2.b.iii (discussing proposed
thresholds for an ``SCI broker-dealer''). The Commission has
considered as an alternative to further scope in the broker-dealers
with transaction activity thresholds above 15%. Regulation SCI would
only be applicable to an estimated ten broker-dealers based on the
analysis of data which include broker-dealer FOCUS Report Form X-
17A-5 Schedule II filings from Q4 2021 to Q3 2022. Also for
additional detail on the calculation of total assets of all security
broker-dealers, see supra note 127. Data also include Consolidated
Audit Trail (CAT) data from Jan. 2022 to June 2022, the plan
processors (SIPs) of the CTA/CQ Plans and Nasdaq UTP Plan. CTA Plan,
available at https://www.ctaplan.com; Nasdaq UTP Plan, available at
https://www.utpplan.com, Options Price Reporting Authority (OPRA)
data, TRACE for Treasury Securities data from Jan. 2022 to June
2022, regulatory TRACE data from Jan. 2022 to June 2022, and FINRA
TRACE.
---------------------------------------------------------------------------
Similarly, the Commission has also considered whether all broker-
dealers with transaction activity thresholds above 5% should be
included as SCI broker-dealers,\840\ but determined that this would
scope within Regulation SCI several broker-dealers that are not among
the most significant broker-dealers that pose technological
vulnerabilities and risks to the maintenance of fair and orderly
markets. This would have the effect of increasing costs for marginal
firms without a comparable increase in benefits associated with an
improvement of fair and orderly markets.
---------------------------------------------------------------------------
\840\ The Commission believes that the proposed threshold of 5%
of total assets is a reasonable approach to identifying the largest
broker-dealers. See section III.A.2.b.iii (discussing proposed
thresholds for an ``SCI broker-dealer''). The Commission has
considered as an alternative to further scope in the broker-dealers
with transaction activity thresholds above 5%. Regulation SCI would
only be applicable to an estimated 29 broker-dealers based on the
analysis of data which include broker-dealer FOCUS Report Form X-
17A-5 Schedule II filings from Q4 2021 to Q3 2022. Also for
additional detail on the calculation of total assets of all security
broker-dealers, see supra note 127. Data also include Consolidated
Audit Trail (CAT) data from Jan. 2022 to June 2022, the plan
processors (SIPs) of the CTA/CQ Plans and Nasdaq UTP Plan. CTA Plan,
available at https://www.ctaplan.com; Nasdaq UTP Plan, available at
https://www.utpplan.com, Options Price Reporting Authority (OPRA)
data, TRACE for Treasury Securities data from Jan. 2022 to June
2022, regulatory TRACE data from Jan. 2022 to June 2022, and FINRA
TRACE.
---------------------------------------------------------------------------
In addition, with respect to the transaction activity threshold
used to scope broker-dealers within Regulation SCI as discussed in
section III.A.2.b, the Commission has also considered as an alternative
whether to apply the proposed 10% threshold to principal trades only,
rather than all transactions. Accordingly, the Commission considered
whether to include as an SCI entity any registered broker-dealer that,
irrespective of the size of its balance sheet, consistently trades for
its own account at a substantially high level in certain enumerated
asset classes, scaled as a percentage of total average daily dollar
volume, as reported by applicable reporting organizations. Under the
alternative, ten broker-dealer firms \841\ would have been scoped in as
``SCI broker-dealers,'' which are among the 17 ``SCI broker-dealers''
subject to the proposed Regulation SCI.
---------------------------------------------------------------------------
\841\ The estimated ten broker-dealer firms are based on the
analysis of data which include broker-dealer FOCUS Report Form X-
17A-5 Schedule II filings from Q4 2021 to Q3 2022. Also for
additional detail on the calculation of total assets of all security
broker-dealers, see supra note 127. Data also include Consolidated
Audit Trail (CAT) data from Apr. 2022 to Sept. 2022, the plan
processors (SIPs) of the CTA/CQ Plans and Nasdaq UTP Plan. CTA Plan,
available at https://www.ctaplan.com; Nasdaq UTP Plan, available at
https://www.utpplan.com, Options Price Reporting Authority (OPRA)
data, TRACE for Treasury Securities data from Apr. 2022 to Sept.
2022, regulatory TRACE data from Apr. 2022 to Sept. 2022, and FINRA
TRACE.
---------------------------------------------------------------------------
This alternative approach to the transaction activity threshold
would identify those broker-dealers that
[[Page 23265]]
generate significant liquidity in specified types of securities markets
and could also be considered a proxy for those that also engage in
substantial agency trading and other business. Because the alternative
would also scope in fewer broker-dealers as SCI entities, this
alternative would also impose fewer total costs compared to the
proposed approach.
However, the Commission preliminarily believes that limiting the
extension of Regulation SCI to broker-dealers that engage in
significant trading activity for their own account in one or more of
the enumerated asset classes and generate significant liquidity on
which fair and orderly markets rely would fail to acknowledge the
substantial role that executing brokers acting as agents also play in
the markets. Accordingly, the alternative approach would fail to scope
within Regulation SCI some of the largest and most significant broker-
dealers that pose technological vulnerabilities and risks to the
maintenance of fair and orderly markets. In the Commission's view,
using all transaction activity rather than limiting the analysis to
principal trades is a more appropriate measure for estimating the
significance of a broker-dealer's footprint in the markets and the
effect that its sudden unavailability could have on the fair and
orderly market functioning.
Thus, while the alternative would likely scope in fewer broker-
dealers as SCI entities, and thus reduce the aggregate costs of
extending Regulation SCI, compared to the proposal, it would also limit
the extensive benefits, discussed above, associated with applying
Regulation SCI to additional broker-dealers that play a critical role
in the market.
7. Limitation on Definition of ``SCI Systems'' for SCI Broker-Dealers
Additionally, the Commission considered leaving the original
definition of ``SCI systems'' unrevised such that any broker-dealer
that were to only meet or exceed the trading activity threshold of 10%
for any asset class would have been subject to Regulation SCI
requirements for all of its systems, not only those systems with
respect to the type of securities for which an SCI broker-dealer
satisfies the trading activity threshold. Leaving the definition
unrevised would scope in SCI broker-dealer systems with respect to
classes of securities with a lower volume of trading, for which system
unavailability is less likely to pose a risk to the maintenance of fair
and orderly markets. This would have the effect of increasing costs for
SCI broker-dealers with limited trading activity in one or more other
cases of securities, while yielding a potential benefit in terms of
risk reduction with respect to the maintenance of fair and orderly
markets.
VI. Regulatory Flexibility Act Certification
The Regulatory Flexibility Act (``RFA'') \842\ requires Federal
agencies, in promulgating rules, to consider the impact of those rules
on small entities. Section 603(a) \843\ of the Administrative
Procedures Act,\844\ as amended by the RFA, generally requires the
Commission to undertake a regulatory flexibility analysis of all
proposed rules, or proposed rule amendments, to determine the impact of
such rulemaking on ``small entities.'' \845\ Section 605(b) of the RFA
states that this requirement shall not apply to any proposed rule or
proposed rule amendment which, if adopted, would not have a significant
economic impact on a substantial number of small entities.\846\
---------------------------------------------------------------------------
\842\ 5 U.S.C. 601 et seq.
\843\ 5 U.S.C. 603(a).
\844\ 5 U.S.C. 551 et seq.
\845\ Although section 601(b) of the RFA defines the term
``small entity,'' the statute permits agencies to formulate their
own definitions. The Commission has adopted definitions for the term
``small entity'' for purposes of Commission rulemaking in accordance
with the RFA. Those definitions, as relevant to this proposed
rulemaking, are set forth in 17 CFR 240.0-10 (``Rule 0-10'').
\846\ See 5 U.S.C. 605(b).
---------------------------------------------------------------------------
A. ``Small Entity'' Definitions
For purposes of Commission rulemaking in connection with the RFA, a
small entity includes an exchange that has been exempt from the
reporting requirements of Rule 601 under Regulation NMS, and is not
affiliated with any person (other than a natural person) that is not a
small business or small organization. A small entity also includes a
broker-dealer with total capital (net worth plus subordinated
liabilities) of less than $500,000 on the date in the prior fiscal year
as of which its audited financial statements were prepared pursuant to
17 CFR 240.17a-5(d) (``Rule 17a-5(d)'' under the Exchange Act),\847\
or, if not required to file such statements, a broker-dealer with total
capital (net worth plus subordinated liabilities) of less than $500,000
on the last business day of the preceding fiscal year (or in the time
that it has been in business, if shorter); and is not affiliated with
any person (other than a natural person) that is not a small business
or small organization. Furthermore, a small entity includes a
securities information processor that: (1) had gross revenues of less
than $10 million during the preceding fiscal year (or in the time it
has been in business, if shorter); (2) provided service to fewer than
100 interrogation devices or moving tickers at all times during the
preceding fiscal year (or in the time that it has been in business, if
shorter); and (3) is not affiliated with any person (other than a
natural person) that is not a small business or small organization
under 17 CFR 240.0-10.\848\ A small entity additionally includes a
clearing agency that (1) Compared, cleared and settled less than $500
million in securities transactions during the preceding fiscal year (or
in the time that it has been in business, if shorter); (2) had less
than $200 million of funds and securities in its custody or control at
all times during the preceding fiscal year (or in the time that it has
been in business, if shorter); and (3) is not affiliated with any
person (other than a natural person) that is not a small business or
small organization as defined in 17 CFR 240.0-10.\849\
---------------------------------------------------------------------------
\847\ 17 CFR 240.17a-5(d).
\848\ 17 CFR 240.0-10(g).
\849\ 17 CFR 240.0-10(d).
---------------------------------------------------------------------------
B. Current SCI Entities
Currently, SCI entities comprise SCI SROs, SCI ATSs, plan
processors, SCI competing consolidators, and certain exempt clearing
agencies. The Commission believes that none of these entities would be
considered small entities for purposes of the RFA.
1. SCI SROs
As discussed in section II.B.1 above, Regulation SCI currently
applies to SCI SROs, which is defined as any national securities
exchange, registered securities association, or registered clearing
agency, or the Municipal Securities Rulemaking Board; provided however,
that for purposes of 17 CFR 242.1000, the term SCI self-regulatory
organization shall not include an exchange that is notice registered
with the Commission pursuant to 15 U.S.C. 78f(g) or a limited purpose
national securities association registered with the Commission pursuant
to 15 U.S.C. 78o-3(k).\850\ Currently, there are 35 SCI SROs.
---------------------------------------------------------------------------
\850\ See 17 CFR 242.1000.
---------------------------------------------------------------------------
Based on the Commission's existing information about the entities
that are subject to proposed Regulation SCI, the Commission believes
that SCI SROs would not fall within the definition of ``small entity''
as described above.
As stated, the Commission has defined a ``small entity'' as an
exchange that has been exempt from the reporting requirements of Rule
601 of Regulation NMS and is not affiliated with any
[[Page 23266]]
person (other than a natural person) that is not a small business or
small organization.\851\ None of the national securities exchanges
registered under section 6 of the Exchange Act that would be subject to
the proposed rule and form is a ``small entity'' for purposes of the
RFA.
---------------------------------------------------------------------------
\851\ See paragraph (e) of Rule 0-10.
---------------------------------------------------------------------------
There is only one national securities association (FINRA), and the
Commission has previously stated that it is not a small entity as
defined by 13 CFR 121.201.\852\
---------------------------------------------------------------------------
\852\ See, e.g., Securities Exchange Act Release No. 62174 (May
26, 2010), 75 FR 32556, 32605 n.416 (June 8, 2010) (``FINRA is not a
small entity as defined by 13 CFR 121.201.'').
---------------------------------------------------------------------------
As stated, a small entity includes, when used with reference to a
clearing agency, a clearing agency that: (1) compared, cleared, and
settled less than $500 million in securities transactions during the
preceding fiscal year; (2) had less than $200 million of funds and
securities in its custody or control at all times during the preceding
fiscal year (or at any time that it has been in business, if shorter);
and (3) is not affiliated with any person (other than a natural person)
that is not a small business or small organization.\853\
---------------------------------------------------------------------------
\853\ See paragraph (d) of Rule 0-10.
---------------------------------------------------------------------------
Based on the Commission's existing information about the clearing
agencies currently registered with the Commission, the Commission
preliminarily believes that such entities exceed the thresholds
defining ``small entities'' set out above. While other clearing
agencies may emerge and seek to register as clearing agencies, the
Commission preliminarily does not believe that any such entities would
be ``small entities'' as defined in Exchange Act Rule 0-10.
2. The MSRB
The Commission's rules do not define ``small business'' or ``small
organization'' for purposes of entities like the MSRB. The MSRB does
not fit into one of the categories listed under the Commission rule
that provides guidelines for a defined group of entities to qualify as
a small entity for purposes of Commission rulemaking under the
RFA.\854\ The RFA in turn, refers to the Small Business Administration
(``SBA'') in providing that the term ``small business'' is defined as
having the same meaning as the term ``small business concern'' under
section 3 of the Small Business Act.\855\ The SBA provides a
comprehensive list of categories with accompanying size standards that
outline how large a business concern can be and still qualify as a
small business.\856\ The industry categorization that appears to best
fit the MSRB under the SBA table is Professional Organization. The SBA
defines a Professional Organization as an entity having average annual
receipts of less than $15 million. Within the MSRB's 2021 Annual Report
the organization reported total revenue exceeding $35 million for
fiscal year 2021.\857\ The Report also stated that the organization's
total revenue for fiscal year 2020 exceeded $47 million.\858\ The
Commission is using the SBA's definition of small business to define
the MSRB for purposes of the RFA and has concluded that the MSRB is not
a ``small entity.''
---------------------------------------------------------------------------
\854\ See Rule 0-10.
\855\ See 5 U.S.C. 601(3).
\856\ See 13 CFR 121.201. See also SBA, Table of Small Business
Size Standards Marched to North American Industry Classification
System Codes, available at https://www.sba.gov/sites/default/files/files/Size_Standards_Table.pdf (outlining the list of small business
size standards within 13 CFR 121.201).
\857\ See MSRB, 2021 Annual Report, 16, available at https://msrb.org/-/media/Files/Resources/MSRB-2021-Annual-Report.ashx.
\858\ Id.
---------------------------------------------------------------------------
3. SCI ATSs
As discussed in section II.B.1 above, Regulation SCI currently
applies to SCI ATSs (which are required to be registered as broker-
dealers) that during at least four of the preceding six calendar
months: (1) Had with respect to NMS stocks: (i) Five percent (5%) or
more in any single NMS stock, and one-quarter percent (0.25%) or more
in all NMS stocks, of the average daily dollar volume reported by
applicable transaction reporting plans, which represents the sum of all
reported bought and all reported sold dollar volumes; or (ii) One
percent (1%) or more in all NMS stocks of the average daily dollar
volume reported by applicable transaction reporting plans, which
represents the sum of all reported bought and all reported sold dollar
volumes; or (2) Had with respect to equity securities that are not NMS
stocks and for which transactions are reported to a self-regulatory
organization, five percent (5%) or more of the average daily dollar
volume as calculated by the self-regulatory organization to which such
transactions are reported. All NMS stock and non-NMS stock ATSs are
required to register as broker-dealers.
There are seven SCI ATS currently. As stated, a small entity also
includes a broker-dealer with total capital (net worth plus
subordinated liabilities) of less than $500,000 on the date in the
prior fiscal year as of which its audited financial statements were
prepared pursuant to Rule 17a-5(d) under the Exchange Act,\859\ or, if
not required to file such statements, a broker-dealer with total
capital (net worth plus subordinated liabilities) of less than $500,000
on the last business day of the preceding fiscal year (or in the time
that it has been in business, if shorter); and is not affiliated with
any person (other than a natural person) that is not a small business
or small organization. Applying this test for broker-dealers, the
Commission believes that none of the SCI ATSs currently trading were
operated by a broker-dealer that is a ``small entity.''
---------------------------------------------------------------------------
\859\ 17 CFR 240.17a-5(d).
---------------------------------------------------------------------------
Plan Processors
As discussed in section II.B.1 above, Regulation SCI currently
applies to plan processors, which are ``any self-regulatory
organization or securities information processor acting as an exclusive
processor in connection with the development, implementation and/or
operation of any facility contemplated by an effective national market
system plan.'' \860\ Currently, there are two plan processors subject
to Regulation SCI.
---------------------------------------------------------------------------
\860\ See 17 CFR 242.1000; 17 CFR 242.600(b)(67).
---------------------------------------------------------------------------
The current plan processors are SIAC a subsidiary of NYSE Group,
Inc., and Nasdaq Stock Market LLC, a subsidiary of Nasdaq, Inc. In
addition, even if other entities do become plan processors, the
Commission preliminarily believes that most, if not all, plan
processors would be large business entities or subsidiaries of large
business entities, and that every plan processor (or its parent entity)
would have gross revenues in excess of $10 million and provide service
to 100 or more interrogation devices or moving tickers. Therefore, the
Commission preliminarily believes that none of the current plan
processors or potential plan processors would be considered small
entities.
SCI Competing Consolidators
As discussed in section II.B.1 above, Regulation SCI currently
applies to SCI competing consolidators. While no SCI competing
consolidators have yet to register, as discussed in the adopting
release for the Market Data Infrastructure rule, the Commission
estimates, and continues to estimate, that up to 10 entities will
register as competing consolidators.\861\
---------------------------------------------------------------------------
\861\ See Market Data Infrastructure Adopting Release, supra
note 24, at 18808.
---------------------------------------------------------------------------
As discussed in the Market Data Infrastructure final rule, ``based
on the Commission's information about the 10 potential entities the
Commission
[[Page 23267]]
estimates may become competing consolidators, the Commission believes
that all such entities will exceed the thresholds defining `small
entities' set out above.'' \862\ The Commission continues to believe
this analysis is accurate, and that ``[c]ompeting consolidators will be
participating in a sophisticated business that requires significant
resources to compete effectively.'' \863\ Accordingly, the Commission
believes that any such registered competing consolidators will exceed
the thresholds for ``small entities'' set forth in 17 CFR 240.0-10.
---------------------------------------------------------------------------
\862\ Id.
\863\ Id. at 18808-09.
---------------------------------------------------------------------------
Exempt Clearing Agencies
As discussed in section II.B.1 above, Regulation SCI currently
applies to certain clearing agencies, specifically, exempt clearing
agencies subject to ARP. There are currently 3 exempt clearing agencies
subject to Regulation SCI, and the Commission estimates that Regulation
SCI will apply to two more if the proposed rules are finalized. The
Commission believes that all the clearing agencies, both those to which
Regulation SCI currently applies and those to which it will, exceed the
thresholds defining `small entities' set out above.
C. Proposed SCI Entities
The proposed expansion of the definition of the term ``SCI entity''
would include SBSDRs and SCI broker-dealers, as well as additional
clearing agencies exempted from registration. The Commission
preliminarily believes that none of these would be considered small
entities for purposes of the RFA.
1. SBSDRs
As discussed in section III.A.2.a above, in 2015, the Commission
established a regulatory framework for SBSDRs, under which SBSDRs are
registered securities information processors and disseminators of
market data in the SBS market. There are currently two registered
SBSDRs that would be subject to Regulation SCI.
The two currently registered SBSDRs are subsidiaries of large
business entities.\864\ In addition, even if other entities do register
as SBSDRs, for purposes of Commission rulemaking, the Commission
believes that none of the SBSDRs will be considered small
entities.\865\
---------------------------------------------------------------------------
\864\ See supra note 111.
\865\ See SBSDR Adopting Release, supra note 96, 80 FR 14548-49
(providing that in the Proposing Release, the Commission stated that
it did not believe that any persons that would register as SBSDRs
would be considered small entities. The Commission stated that it
believed that most, if not all, SBSDRs would be part of large
business entities with assets in excess of $5 million and total
capital in excess of $500,000. As a result, the Commission certified
that the proposed rules would not have a significant impact on a
substantial number of small entities and requested comments on this
certification. The Commission did not receive any comments that
specifically addressed whether 17 CFR 240.13n-1 through 240.13n-12
(``Rules 13n-1 through 13n-12'') and Form SBSDR would have a
significant economic impact on small entities. Therefore, the
Commission continues to believe that Rules 13n-1 through 13n-12 and
Form SBSDR will not have a significant economic impact on a
substantial number of small entities. Accordingly, the Commission
hereby certifies that, pursuant to 5 U.S.C. 605(b), Rules 13n-1
through 13n-12, Form SBSDR will not have a significant economic
impact on a substantial number of small entities.).
---------------------------------------------------------------------------
2. SCI Broker-dealers
As discussed in section III.A.2.b above, the proposed definition of
an SCI broker-dealer would be a broker or dealer registered with the
Commission pursuant to section 15(b) of the Exchange Act which: (1) in
at least two of the four preceding calendar quarters, ending March 31,
June 30, September 30, and December 31, reported to the Commission, on
Form X-17A-5 (Sec. 249.617), total assets in an amount that equals
five percent (5%) or more of the total assets of all security brokers
and dealers; or (2) during at least four of the preceding six calendar
months: (i) with respect to transactions in NMS stocks, transacted
average daily dollar volume in an amount that equals ten percent (10%)
or more of the average daily dollar volume reported by or pursuant to
applicable effective transaction reporting plans, provided, however,
that for purposes of calculating its activity in transactions effected
otherwise than on a national securities exchange or on an alternative
trading system, the broker-dealer shall exclude transactions for which
it was not the executing party; or (ii) with respect to transactions in
exchange-listed options contracts, transacted average daily dollar
volume in an amount that equals ten percent (10%) or more of the
average daily dollar volume reported by an applicable effective
national market system plan; or (iii) with respect to transactions in
U.S. Treasury Securities, transacted average daily dollar volume in an
amount that equals ten percent (10%) or more of the total average daily
dollar volume made available by the self-regulatory organizations to
which such transactions are reported; or (iv) with respect to
transactions in Agency securities, transacted average daily dollar
volume in an amount that equals ten percent (10%) or more of the total
average daily dollar volume made available by the self-regulatory
organizations to which such transactions are reported.\866\
---------------------------------------------------------------------------
\866\ Such broker-dealer would not be required to comply with
the requirements of Regulation SCI until six months after the SCI
broker-dealer satisfied either threshold for the first time.
---------------------------------------------------------------------------
The Commission preliminarily estimates that 17 entities would
satisfy one or more of these thresholds. Applying the test for broker-
dealers stated above, the Commission believes that none of the
potential SCI broker-dealers would be considered small entities.
3. Exempt Clearing Agencies
For the purposes of Commission rulemaking, a small entity includes,
when used with reference to a clearing agency, a clearing agency that:
(1) compared, cleared, and settled less than $500 million in securities
transactions during the preceding fiscal year; (2) had less than $200
million of funds and securities in its custody or control at all times
during the preceding fiscal year (or at any time that it has been in
business, if shorter); and (3) is not affiliated with any person (other
than a natural person) that is not a small business or small
organization.\867\
---------------------------------------------------------------------------
\867\ See paragraph (d) of Rule 0-10.
---------------------------------------------------------------------------
Based on the Commission's existing information about the clearing
agencies currently exempted from registration with the Commission, the
Commission preliminarily believes that such entities exceed the
thresholds defining ``small entities'' set out above. While other
clearing agencies may emerge and seek to register as clearing agencies,
the Commission preliminarily does not believe that any such entities
would be ``small entities'' as defined in Exchange Act Rule 0-10.
D. Certification
For the foregoing reasons, the Commission certifies that the
proposed amendments to Rules 1000, 1001, 1002, 1003, 1004, and 1005,
and Form SCI if adopted, would not have a significant economic impact
on a substantial number of small entities for purposes of the RFA.
The Commission invites commenters to address whether the proposed
rules would have a significant economic impact on a substantial number
of small entities, and, if so, what would be the nature of any impact
on small entities. The Commission requests that commenters provide
empirical data to support the extent of such impact.
Statutory Authority
Pursuant to the Exchange Act, 15 U.S.C. 78a et seq., and
particularly, sections 2, 3, 5, 6, 11A, 13, 15, 15A, 17,
[[Page 23268]]
17A, and 23(a) thereof (15 U.S.C. 78b, 78c, 78e, 78f, 78k-1, 78m, 78o,
78o-3, 78q, 78q-1, and 78w(a)), the Commission proposes amendments to
Regulation SCI under the Exchange Act and Form SCI under the Exchange
Act, and to amend Regulation ATS under the Exchange Act, and 17 CFR
parts 242 and 249.
List of Subjects in 17 CFR Parts 242 and 249
Brokers, Reporting and recordkeeping requirements, Securities.
For the reasons stated in the preamble, title 17, chapter II of the
Code of Federal Regulations is proposed to be amended as follows:
PART 242--REGULATIONS M, SHO, ATS, AC, NMS, AND SBSR AND CUSTOMER
MARGIN REQUIREMENTS FOR SECURITY FUTURES
0
1. The authority citation for part 242 continues to read as follows:
Authority: 15 U.S.C. 77g, 77q(a), 77s(a), 78b, 78c, 78g(c)(2),
78i(a), 78j, 78k-1(c), 78l, 78m, 78n, 78o(b), 78o(c), 78o(g),
78q(a), 78q(b), 78q(h), 78w(a), 78dd-1, 78mm, 80a-23, 80a-29, and
80a-37.
0
2. Amend Sec. 242.1000 by:
0
a. Adding in alphabetical order the definitions of ``Agency Security''
and ``Exempt clearing agency'';
0
b. Removing the definition of ``Exempt clearing agency subject to
ARP'';
0
c. Adding in alphabetical order the definitions of ``Registered
security-based swap data repository'' and ``SCI broker-dealer'';
0
d. Revising the definitions of ``SCI entity'', ``SCI review'', ``SCI
systems'', and ``Systems intrusion''; and
0
e. Adding in alphabetical order the definition of ``U.S. Treasury
Security''.
The additions and revisions read as follows:
Sec. 242.1000 Definitions.
* * * * *
Agency Security means a debt security issued or guaranteed by a
U.S. executive agency, as defined in 5 U.S.C. 105, or government-
sponsored enterprise, as defined in 2 U.S.C. 622(8).
* * * * *
Exempt clearing agency means an entity that has received from the
Commission an exemption from registration as a clearing agency under
section 17A of the Exchange Act.
* * * * *
Registered security-based swap data repository means any security-
based swap data repository, as defined in 15 U.S.C. 78c(a)(75), that is
registered with the Commission pursuant to 15 U.S.C. 78m(n) and Sec.
240.13n-1 of this chapter.
* * * * *
SCI broker-dealer means a broker or dealer registered with the
Commission pursuant to section 15(b) of the Exchange Act, which:
(1) In at least two of the four preceding calendar quarters, ending
March 31, June 30, September 30, and December 31, reported to the
Commission, on Form X-17A-5 (Sec. 249.617 of this chapter), total
assets in an amount that equals five percent (5%) or more of the total
assets of all security brokers and dealers. For purposes of this
paragraph (1), total assets of all security brokers and dealers shall
mean the total assets, as calculated and made publicly available by the
Board of Governors of the Federal Reserve, or any subsequent provider
of such information, for the associated preceding calendar quarter; or
(2) During at least four of the preceding six calendar months:
(i) With respect to transactions in NMS stocks, transacted average
daily dollar volume in an amount that equals ten percent (10%) or more
of the average daily dollar volume reported by or pursuant to
applicable effective transaction reporting plans, provided, however,
that for purposes of calculating its activity in transactions effected
otherwise than on a national securities exchange or on an alternative
trading system, the broker-dealer shall exclude transactions for which
it was not the executing party;
(ii) With respect to transactions in exchange-listed options
contracts, transacted average daily dollar volume in an amount that
equals ten percent (10%) or more of the average daily dollar volume
reported by an applicable effective national market system plan;
(iii) With respect to transactions in U.S. Treasury Securities,
transacted average daily dollar volume in an amount that equals ten
percent (10%) or more of the total average daily dollar volume made
available by the self-regulatory organizations to which such
transactions are reported; or
(iv) With respect to transactions in Agency Securities, transacted
average daily dollar volume in an amount that equals ten percent (10%)
or more of the total average daily dollar volume made available by the
self-regulatory organizations to which such transactions are reported.
(3) Provided, however, that such SCI broker-dealer shall not be
required to comply with the requirements of Regulation SCI until six
months after the end of the quarter in which the SCI broker-dealer
satisfied paragraph (1) of this definition for the first time or six
months after the end of the month in which the SCI broker-dealer
satisfied paragraph (2) of this definition for the first time.
* * * * *
SCI entity means an SCI self-regulatory organization, SCI
alternative trading system, plan processor, exempt clearing agency, SCI
competing consolidator, SCI broker-dealer, or registered security-based
swap data repository.
* * * * *
SCI review means a review, following established and documented
procedures and standards, that is performed by objective personnel
having appropriate experience to conduct reviews of SCI systems and
indirect SCI systems, and which review, using appropriate risk
management methodology, contains:
(1) With respect to each SCI system and indirect SCI system of the
SCI entity, assessments performed by objective personnel of:
(i) The risks related to the capacity, integrity, resiliency,
availability, and security;
(ii) Internal control design and operating effectiveness, to
include logical and physical security controls, development processes,
systems capacity and availability, information technology service
continuity, and information technology governance, consistent with
industry standards; and
(iii) Third-party provider management risks and controls; and
(2) Penetration test reviews performed by objective personnel of
the network, firewalls, and production systems, including of any
vulnerabilities of its SCI systems and indirect SCI systems identified
pursuant to Sec. 242.1001(a)(2)(iv);
(3) Provided, however, that assessments of SCI systems directly
supporting market regulation or market surveillance shall be conducted
at a frequency based upon the risk assessment conducted as part of the
SCI review, but in no case less than once every three years.
* * * * *
SCI systems means all computer, network, electronic, technical,
automated, or similar systems of, or operated by or on behalf of, an
SCI entity that, with respect to securities, directly support trading,
clearance and settlement, order routing, market data, market
regulation, or market surveillance; provided, however, that with
respect to an SCI broker-dealer that satisfies only the requirements of
paragraph (2) of the definition of ``SCI
[[Page 23269]]
broker-dealer,'' such systems shall include only those systems with
respect to the type of securities for which an SCI broker-dealer
satisfies the requirements of paragraph (2) of the definition.
* * * * *
Systems intrusion means any:
(1) Unauthorized entry into the SCI systems or indirect SCI systems
of an SCI entity;
(2) Cybersecurity event that disrupts, or significantly degrades,
the normal operation of an SCI system; or
(3) Significant attempted unauthorized entry into the SCI systems
or indirect SCI systems of an SCI entity, as determined by the SCI
entity pursuant to established reasonable written criteria.
U.S. Treasury Security means a security issued by the U.S.
Department of the Treasury.
0
3. Amend Sec. 242.1001 by revising paragraph (a) to read as follows:
Sec. 242.1001 Obligations related to policies and procedures of SCI
entities.
(a) Capacity, integrity, resiliency, availability, and security.
(1) Each SCI entity shall establish, maintain, and enforce written
policies and procedures reasonably designed to ensure that its SCI
systems and, for purposes of security standards, indirect SCI systems,
have levels of capacity, integrity, resiliency, availability, and
security, adequate to maintain the SCI entity's operational capability
and promote the maintenance of fair and orderly markets.
(2) Policies and procedures required by paragraph (a)(1) of this
section shall include, at a minimum:
(i) The establishment of reasonable current and future
technological infrastructure capacity planning estimates;
(ii) Periodic capacity stress tests of such systems to determine
their ability to process transactions in an accurate, timely, and
efficient manner;
(iii) A program to review and keep current systems development and
testing methodology for such systems;
(iv) Regular reviews and testing, as applicable, of such systems,
including backup systems, to identify vulnerabilities pertaining to
internal and external threats, physical hazards, and natural or manmade
disasters;
(v) Business continuity and disaster recovery plans that include
maintaining backup and recovery capabilities sufficiently resilient and
geographically diverse and that are reasonably designed to achieve next
business day resumption of trading and two-hour resumption of critical
SCI systems following a wide-scale disruption; and that are reasonably
designed to address the unavailability of any third-party provider that
provides functionality, support, or service to the SCI entity without
which there would be a material impact on any of its critical SCI
systems;
(vi) Standards that result in such systems being designed,
developed, tested, maintained, operated, and surveilled in a manner
that facilitates the successful collection, processing, and
dissemination of market data;
(vii) Monitoring of such systems to identify potential SCI events;
(viii) The maintenance of a written inventory and classification of
all SCI systems, critical SCI systems, and indirect SCI systems as
such, and a program with respect to the lifecycle management of such
systems, including the acquisition, integration, support, refresh, and
disposal of such systems, as applicable;
(ix) A program to manage and oversee third-party providers that
provide functionality, support or service, directly or indirectly, for
any such systems, including: initial and periodic review of contracts
with such third-party providers for consistency with the SCI entity's
obligations under Regulation SCI; and a risk-based assessment of each
third-party provider's criticality to the SCI entity, including
analyses of third-party provider concentration, of key dependencies if
the third-party provider's functionality, support, or service were to
become unavailable or materially impaired, and of any potential
security, including cybersecurity, risks posed;
(x) A program to prevent the unauthorized access to such systems
and information residing therein; and
(xi) An identification of the current SCI industry standard(s) with
which each such policy and procedure is consistent, if any.
(3) Each SCI entity shall periodically review the effectiveness of
the policies and procedures required by this paragraph (a), and take
prompt action to remedy deficiencies in such policies and procedures.
(4) For purposes of this paragraph (a), such policies and
procedures shall be deemed to be reasonably designed if they are
consistent with current SCI industry standards, which shall be composed
of information technology practices that are widely available to
information technology professionals in the financial sector and issued
by an authoritative body that is a U.S. governmental entity or agency,
association of U.S. governmental entities or agencies, or widely
recognized organization. Compliance with such current SCI industry
standards as a safe harbor, however, shall not be the exclusive means
to comply with the requirements of paragraph (a) of this section.
* * * * *
0
4. Amend Sec. 242.1002 by:
0
a. In paragraph (b)(4)(ii)(B), removing the words ``or participants''
and adding in their place ``participants, or, in the case of an SCI
broker-dealer, customers'';
0
b. Revising paragraph (b)(5) and (c)(3);
0
c. In paragraph (c)(4)(i), removing the ``or'' after the semicolon;
0
d. In paragraph (c)(4)(ii), removing the period and adding in its place
``; or''; and
0
e. Adding paragraph (c)(4)(iii).
The revision and additions read as follows:
Sec. 242.1002 Obligations related to SCI events.
* * * * *
(b) * * *
(5) The requirements of paragraphs (b)(1) through (4) of this
section shall not apply to any systems disruption or systems compliance
issue that has had, or the SCI entity reasonably estimates would have,
no or a de minimis impact on the SCI entity's operations or on market
participants. For such events, each SCI entity shall:
(i) Make, keep, and preserve records relating to all such systems
disruptions or systems compliance issues; and
(ii) Submit to the Commission a report, within 30 calendar days
after the end of each calendar quarter, containing a summary
description of such systems disruptions, including the SCI systems
affected by such systems disruptions during the applicable calendar
quarter.
(c) * * *
(3) The information required to be disseminated under paragraphs
(c)(1) and (2) of this section promptly after any responsible SCI
personnel has a reasonable basis to conclude that an SCI event has
occurred, shall be promptly disseminated by the SCI entity to those
members, participants, or, in the case of an SCI broker-dealer,
customers of the SCI entity that any responsible SCI personnel has
reasonably estimated may have been affected by the SCI event, and
promptly disseminated to any additional members, participants, or, in
the case of an SCI broker-dealer, customers that any responsible SCI
personnel subsequently reasonably estimates may have been affected by
the SCI event; provided, however, that for major SCI events, the
information required to be disseminated under paragraphs (c)(1) and (2)
of this section shall be promptly disseminated by the
[[Page 23270]]
SCI entity to all of its members, participants, or, in the case of an
SCI broker-dealer, customers.
(4) * * *
(iii) A systems intrusion that is a significant attempted
unauthorized entry into the SCI systems or indirect SCI systems of an
SCI entity.
0
5. Amend Sec. 242.1003 by revising paragraph (b) to read as follows:
Sec. 242.1003 Obligations related to systems changes; SCI review.
* * * * *
(b) SCI review. Each SCI entity shall:
(1) Conduct an SCI review of the SCI entity's compliance with
Regulation SCI not less than once each calendar year for each calendar
year during which it was an SCI entity for any part of such calendar
year;
(2) Submit a report of the SCI review required by paragraph (b)(1)
of this section to senior management of the SCI entity for review no
more than 30 calendar days after completion of such SCI review. Such
report of the SCI review shall include:
(i) The dates the SCI review was conducted and the date of
completion;
(ii) The entity or business unit of the SCI entity performing the
review;
(iii) A list of the controls reviewed and a description of each
such control;
(iv) The findings of the SCI review with respect to each SCI system
and indirect SCI system, which shall include assessments of: the risks
related to the capacity, integrity, resiliency, availability, and
security; internal control design and operating effectiveness; and an
assessment of third-party provider management risks and controls;
(v) A summary, including the scope of testing and resulting action
plan, of each penetration test review conducted as part of the SCI
review; and
(vi) A description of each deficiency and weakness identified by
the SCI review; and
(3) Submit to the Commission, and to the board of directors of the
SCI entity or the equivalent of such board, the report of the SCI
review required by paragraph (b)(2) of this section, together with the
date the report was submitted to senior management and the response of
senior management to such report, within 60 calendar days after its
submission to senior management of the SCI entity.
Sec. 242.1004 [Amended]
0
6. Amend Sec. 242.1004 by:
0
a. In the section heading, adding ``, and third-party providers'' to
the end of the heading;
0
b. In paragraph (a), after the word ``participants'', adding ``, and
third-party providers''; and
0
c. In paragraph (b), after both instances of the word ``participants''
adding ``, and third-party providers''.
Sec. 242.1005 [Amended]
0
7. Amend Sec. 242.1005 in paragraph (c) by:
0
a. Between ``business'' and ``ceasing,'' removing the ``or'' and adding
a comma in its place; and
0
b. Immediately before ``an SCI entity'' adding ``or otherwise ceasing
to be an SCI entity,''.
PART 249--FORMS, SECURITIES EXCHANGE ACT OF 1934
0
8. The general authority citation for part 249 continues to read as
follows:
Authority: 15 U.S.C. 78a et seq. and 7201 et seq.; 12 U.S.C.
5461 et seq.; 18 U.S.C. 1350; Sec. 953(b) Pub. L. 111-203, 124 Stat.
1904; Sec. 102(a)(3) Pub. L. 112-106, 126 Stat. 309 (2012), Sec. 107
Pub. L. 112-106, 126 Stat. 313 (2012), Sec. 72001 Pub. L. 114-94,
129 Stat. 1312 (2015), and secs. 2 and 3 Pub. L. 116-222, 134 Stat.
1063 (2020), unless otherwise noted.
* * * * *
0
9. Revise Form SCI (referenced in Sec. 249.1900).
Note: Form SCI is attached as Appendix A to this document. Form
SCI will not appear in the Code of Federal Regulations.
By the Commission.
Dated: March 15, 2023.
J. Matthew DeLesDernier,
Deputy Secretary.
Appendix A--Form SCI
Securities and Exchange Commission
Washington, DC 20549
Form SCI
Page 1 of ___
File No. SCI-{name{time} -
YYYY-###
SCI Notification and Reporting by: {SCI entity name{time}
Pursuant to Rules 1002 and 1003 of Regulation SCI under the
Securities Exchange Act of 1934
[ballot] Initial
[ballot] Withdrawal
Section I: Rule 1002--Commission Notification of SCI Event
A. Submission Type (select one only)
[ballot] Rule 1002(b)(1) Initial Notification of SCI event
[ballot] Rule 1002(b)(2) Notification of SCI event
[ballot] Rule 1002(b)(3) Update of SCI event: ####
[ballot] Rule 1002(b)(4) Final Report of SCI event
[ballot] Rule 1002(b)(4) Interim Status Report of SCI event
If filing a Rule 1002(b)(1) or Rule 1002(b)(3) submission,
please provide a brief description:
-----------------------------------------------------------------------
-----------------------------------------------------------------------
-----------------------------------------------------------------------
B. SCI Event Type(s) (select all that apply)
[ballot] Systems compliance issue;
[ballot] Systems disruption
[ballot] Systems intrusion
C. General Information Required for (b)(2) filings.
(1) Has the Commission previously been notified of the SCI event
pursuant to 1002(b)(1)? yes/no
(2) Date/time SCI event occurred: mm/dd/yyyy hh:mm am/pm
(3) Duration of SCI event: hh:mm, or days
(4) Please provide the date and time when a responsible SCI
personnel had reasonable basis to conclude the SCI event occurred:
mm/dd/yyyy hh:mm am/pm
(5) Has the SCI event been resolved? yes/no
(a) If yes, provide date and time of resolution: mm/dd/yyyy hh:mm
am/pm
(6) Is the investigation of the SCI event closed? yes/no
(a) If yes, provide date of closure: mm/dd/yyyy
(7) Estimated number of market participants potentially affected by
the SCI event: ####
(8) Is the SCI event a major SCI event (as defined in Rule 1000)?
yes/no
D. Information about impacted systems:
Name(s) of system(s):
-----------------------------------------------------------------------
-----------------------------------------------------------------------
-----------------------------------------------------------------------
Type(s) of system(s) impacted by the SCI event (check all that
apply):
[ballot] Trading
[ballot] Clearance and settlement
[ballot] Order routing
[ballot] Market data
[ballot] Market regulation
[ballot] Market surveillance
[ballot] Indirect SCI systems (please describe):
-----------------------------------------------------------------------
-----------------------------------------------------------------------
-----------------------------------------------------------------------
Are any critical SCI systems impacted by the SCI event (check all
that apply)? Yes/No
(1) Systems that directly support functionality relating to:
[ballot] Clearance and settlement systems of clearing agencies
[ballot] Openings, reopenings, and closings on the primary listing
market
[ballot] Trading halts
[ballot] Initial public offerings
[ballot] The provision of consolidated market data
[ballot] Exclusively-listed securities
(2) [ballot] Systems that provide functionality to the securities
markets for which the availability of alternatives is significantly
limited or nonexistent and without which there would be a material
impact on fair and orderly markets (please describe):
-----------------------------------------------------------------------
-----------------------------------------------------------------------
-----------------------------------------------------------------------
Section II: Periodic Reporting (select one only)
A. Quarterly Reports: For the quarter ended: mm/dd/yyyy
[ballot] Rule 1002(b)(5)(ii): Quarterly report of systems
disruptions with no or a de minimis impact.
[[Page 23271]]
[ballot] Rule 1003(a)(1): Quarterly report of material systems
changes
[ballot] Rule 1003(a)(2): Supplemental report of material systems
changes
B. SCI Review Reports
[ballot] Rule 1003(b)(3): Report of SCI review, together with the
response of senior management
Date of completion of SCI review: mm/dd/yyyy
Date of submission of SCI review to senior management: mm/dd/yyyy
Section III: Contact Information
Provide the following information of the person at the {SCI
entity name{time} prepared to respond to questions for this
submission:
First Name:
Last Name:
Title:
E-Mail:
Telephone:
Fax:
Additional Contacts (Optional)
First Name:
Last Name:
Title:
E-Mail:
Telephone:
Fax:
First Name:
Last Name:
Title:
E-Mail:
Telephone:
Fax:
Section IV: Signature
Confidential treatment is requested pursuant to Rule 24b-2(g).
Additionally, pursuant to the requirements of the Securities
Exchange Act of 1934, {SCI Entity name{time} has duly caused this
{notification{time} {report{time} to be signed on its behalf by
the undersigned duly authorized officer:
Date:
By (Name)
Title (______)
``Digitally Sign and Lock Form''
------------------------------------------------------------------------
------------------------------------------------------------------------
Exhibit 1: Rule 1002(b)(2) Within 24 hours of any responsible
Notification of SCI Event. Add/ SCI personnel having a reasonable
Remove/View. basis to conclude that the SCI
event has occurred, the SCI entity
shall submit a written notification
pertaining to such SCI event to the
Commission, which shall be made on
a good faith, best efforts basis
and include:
(a) a description of the SCI event,
including the system(s) affected;
and
(b) to the extent available as of
the time of the notification:
the SCI entity's current
assessment of the types and
number of market participants
potentially affected by the SCI
event; the potential impact of
the SCI event on the market; a
description of the steps the SCI
entity has taken, is taking, or
plans to take, with respect to
the SCI event; the time the SCI
event was resolved or timeframe
within which the SCI event is
expected to be resolved; and any
other pertinent information
known by the SCI entity about
the SCI event.
Exhibit 2: Rule 1002(b)(4) Final When submitting a final report
or Interim Report of SCI Event. pursuant to either Rule
Add/Remove/View. 1002(b)(4)(i)(A) or Rule
1002(b)(4)(i)(B)(2), the SCI entity
shall include:
(a) a detailed description of:
the SCI entity's assessment of
the types and number of market
participants affected by the SCI
event; the SCI entity's
assessment of the impact of the
SCI event on the market; the
steps the SCI entity has taken,
is taking, or plans to take,
with respect to the SCI event;
the time the SCI event was
resolved; the SCI entity's
rule(s) and/or governing
document(s), as applicable, that
relate to the SCI event; and any
other pertinent information
known by the SCI entity about
the SCI event;
(b) a copy of any information
disseminated pursuant to Rule
1002(c) by the SCI entity to
date regarding the SCI event to
any of its members,
participants, or, in the case of
an SCI broker-dealer, customers;
and
(c) an analysis of parties that
may have experienced a loss,
whether monetary or otherwise,
due to the SCI event, the number
of such parties, and an estimate
of the aggregate amount of such
loss.
When submitting an interim report
pursuant to Rule
1002(b)(4)(i)(B)(1), the SCI entity
shall include such information to
the extent known at the time.
Exhibit 3: Rule 1002(b)(5)(ii) The SCI entity shall submit a
Quarterly Report of DeMinimis SCI report, within 30 calendar days
Events. Add/Remove/View. after the end of each calendar
quarter, containing a summary
description of systems disruptions
that have had, or the SCI entity
reasonably estimates would have, no
or a de minimis impact on the SCI
entity's operations or on market
participants, including the SCI
systems affected by such systems
disruptions during the applicable
calendar quarter.
Exhibit 4: Rule 1003 (a) Quarterly When submitting a report pursuant to
Report of Systems Changes. Add/ Rule 1003(a)(1), the SCI entity
Remove/View. shall provide a report, within 30
calendar days after the end of each
calendar quarter, describing
completed, ongoing, and planned
material changes to its SCI systems
and the security of indirect SCI
systems, during the prior, current,
and subsequent calendar quarters,
including the dates or expected
dates of commencement and
completion. An SCI entity shall
establish reasonable written
criteria for identifying a change
to its SCI systems and the security
of indirect SCI systems as material
and report such changes in
accordance with such criteria.
When submitting a report pursuant to
Rule 1003(a)(2), the SCI entity
shall provide a supplemental report
of a material error in or material
omission from a report previously
submitted under Rule 1003(a)(1).
Exhibit 5: Rule 1003(b)(3) Report The SCI entity shall provide the
of SCI review. Add/Remove/View. report of the SCI review, together
with the date the report was
submitted to senior management and
the response of senior management
to such report, within 60 calendar
days after its submission to senior
management of the SCI entity.
Exhibit 6: Optional Attachments. This exhibit may be used in order to
Add/Remove/View. attach other documents that the SCI
entity may wish to submit as part
of a Rule 1002(b)(1) initial
notification submission or Rule
1002(b)(3) update submission.
------------------------------------------------------------------------
General Instructions for Form SCI
A. Use of the Form
Except with respect to notifications to the Commission made
pursuant to Rule 1002(b)(1) or updates to the Commission made
pursuant to Rule 1002(b)(3), any notification, review, description,
analysis, or report required to be submitted pursuant to Regulation
SCI under the Securities Exchange Act of 1934 (``Act'') shall be
filed in an electronic format through an electronic form filing
system (``EFFS''), a secure website operated by the Securities and
Exchange Commission (``Commission''). Documents attached as exhibits
filed through the EFFS system must be in a text-searchable format
without the use of optical character recognition. If, however, a
portion of a Form SCI submission (e.g., an image or diagram) cannot
be made available in a text-searchable format, such portion may be
submitted in a non-text searchable format.
B. Need for Careful Preparation of the Completed Form, Including
Exhibits
This form, including the exhibits, is intended to elicit
information necessary for Commission staff to work with SCI entities
to ensure the capacity, integrity, resiliency, availability,
security, and compliance of their automated systems. An SCI entity
must provide all the information required by the form, including the
exhibits, and must present the information in a clear and
comprehensible manner. A filing that is incomplete or similarly
deficient may be returned to the SCI entity. Any filing so returned
shall for all purposes be deemed not to have been filed with the
Commission. See also Rule 0-3 under the Act (17 CFR 240.0-3).
C. When To Use the Form
Form SCI is comprised of six types of required submissions to
the Commission pursuant to Rules 1002 and 1003. In addition, Form
SCI permits SCI entities to submit to the Commission two additional
types of submissions pursuant to Rules 1002(b)(1) and 1002(b)(3);
however, SCI entities are not required to use Form SCI for these two
types of submissions to the Commission. In filling out Form SCI, an
SCI
[[Page 23272]]
entity shall select the type of filing and provide all information
required by Regulation SCI specific to that type of filing.
The first two types of required submissions relate to Commission
notification of certain SCI events:
(1) ``Rule 1002(b)(2) Notification of SCI Event'' submissions
for notifications regarding systems disruptions, systems compliance
issues, or systems intrusions (collectively, ``SCI events''), other
than any systems disruption or systems compliance issue that has
had, or the SCI entity reasonably estimates would have, no or a de
minimis impact on the SCI entity's operations or on market
participants; and
(2) ``Rule 1002(b)(4) Final or Interim Report of SCI Event''
submissions, of which there are two kinds (a final report under Rule
1002(b)(4)(i)(A) or Rule 1002(b)(4)(i)(B)(2); or an interim status
report under Rule 1002(b)(4)(i)(B)(1)).
The other four types of required submissions are periodic
reports, and include:
(1) ``Rule 1002(b)(5)(ii)'' submissions for quarterly reports of
systems disruptions which have had, or the SCI entity reasonably
estimates would have, no or a de minimis impact on the SCI entity's
operations or on market participants;
(2) ``Rule 1003(a)(1)'' submissions for quarterly reports of
material systems changes;
(3) ``Rule 1003(a)(2)'' submissions for supplemental reports of
material systems changes; and
(4) ``Rule 1003(b)(3)'' submissions for reports of SCI reviews.
Required Submissions for SCI Events
For 1002(b)(2) submissions, an SCI entity must notify the
Commission using Form SCI by selecting the appropriate box in
Section I and filling out all information required by the form,
including Exhibit 1. 1002(b)(2) submissions must be submitted within
24 hours of any responsible SCI personnel having a reasonable basis
to conclude that an SCI event has occurred.
For 1002(b)(4) submissions, if an SCI event is resolved and the
SCI entity's investigation of the SCI event is closed within 30
calendar days of the occurrence of the SCI event, an SCI entity must
file a final report under Rule 1002(b)(4)(i)(A) within five business
days after the resolution of the SCI event and closure of the
investigation regarding the SCI event. However, if an SCI event is
not resolved or the SCI entity's investigation of the SCI event is
not closed within 30 calendar days of the occurrence of the SCI
event, an SCI entity must file an interim status report under Rule
1002(b)(4)(i)(B)(1) within 30 calendar days after the occurrence of
the SCI event. For SCI events in which an interim status report is
required to be filed, an SCI entity must file a final report under
Rule 1002(b)(4)(i)(B)(2) within five business days after the
resolution of the SCI event and closure of the investigation
regarding the SCI event. For 1002(b)(4) submissions, an SCI entity
must notify the Commission using Form SCI by selecting the
appropriate box in Section I and filling out all information
required by the form, including Exhibit 2.
Required Submissions for Periodic Reporting
For 1002(b)(5)(ii) submissions, an SCI entity must submit
quarterly reports of systems disruptions which have had, or the SCI
entity reasonably estimates would have, no or a de minimis impact on
the SCI entity's operations or on market participants. The SCI
entity must select the appropriate box in Section II and fill out
all information required by the form, including Exhibit 3.
For 1003(a)(1) submissions, an SCI entity must submit its
quarterly report of material systems changes to the Commission using
Form SCI. The SCI entity must select the appropriate box in Section
II and fill out all information required by the form, including
Exhibit 4.
Filings made pursuant to Rule 1002(b)(5)(ii) and Rule 1003(a)(1)
must be submitted to the Commission within 30 calendar days after
the end of each calendar quarter (i.e., March 31st, June 30th,
September 30th and December 31st) of each year.
For 1003(a)(2) submissions, an SCI entity must submit a
supplemental report notifying the Commission of a material error in
or material omission from a report previously submitted under Rule
1003(a). The SCI entity must select the appropriate box in Section
II and fill out all information required by the form, including
Exhibit 4.
For 1003(b)(3) submissions, an SCI entity must submit its report
of its SCI review, together with the date the report was submitted
to senior management and the response of senior management to such
report, to the Commission using Form SCI. A 1003(b)(3) submission is
required within 60 calendar days after the report of the SCI review
has been submitted to senior management of the SCI entity. The SCI
entity must select the appropriate box in Section II and fill out
all information required by the form, including Exhibit 5.
Optional Submissions
An SCI entity may, but is not required to, use Form SCI to
submit a notification pursuant to Rule 1002(b)(1). If the SCI entity
uses Form SCI to submit a notification pursuant to Rule 1002(b)(1),
it must select the appropriate box in Section I and provide a short
description of the SCI event. Documents may also be attached as
Exhibit 6 if the SCI entity chooses to do so. An SCI entity may, but
is not required to, use Form SCI to submit an update pursuant to
Rule 1002(b)(3). Rule 1002(b)(3) requires an SCI entity to, until
such time as the SCI event is resolved and the SCI entity's
investigation of the SCI event is closed, provide updates pertaining
to such SCI event to the Commission on a regular basis, or at such
frequency as reasonably requested by a representative of the
Commission, to correct any materially incorrect information
previously provided, or when new material information is discovered,
including but not limited to, any of the information listed in Rule
1002(b)(2)(ii). If the SCI entity uses Form SCI to submit an update
pursuant to Rule 1002(b)(3), it must select the appropriate box in
Section I and provide a short description of the SCI event.
Documents may also be attached as Exhibit 6 if the SCI entity
chooses to do so.
D. Documents Comprising the Completed Form
The completed form filed with the Commission shall consist of
Form SCI, responses to all applicable items, and any exhibits
required in connection with the filing. Each filing shall be marked
on Form SCI with the initials of the SCI entity, the four-digit
year, and the number of the filing for the year (e.g., SCI Name-
YYYY-XXX).
E. Contact Information; Signature; and Filing of the Completed Form
Each time an SCI entity submits a filing to the Commission on
Form SCI, the SCI entity must provide the contact information
required by Section III of Form SCI. Space for additional contact
information, if appropriate, is also provided.
All notifications and reports required to be submitted through
Form SCI shall be filed through the EFFS. In order to file Form SCI
through the EFFS, SCI entities must request access to the
Commission's External Application Server by completing a request for
an external account user ID and password. Initial requests will be
received by contacting (202) 551-5777. An email will be sent to the
requestor that will provide a link to a secure website where basic
profile information will be requested. A duly authorized individual
of the SCI entity shall electronically sign the completed Form SCI
as indicated in Section IV of the form. In addition, a duly
authorized individual of the SCI entity shall manually sign one copy
of the completed Form SCI, and the manually signed signature page
shall be preserved pursuant to the requirements of Rule 1005.
F. Withdrawals of Commission Notifications and Periodic Reports
If an SCI entity determines to withdraw a Form SCI, it must
complete Page 1 of the Form SCI and indicate by selecting the
appropriate check box to withdraw the submission.
G. Paperwork Reduction Act Disclosure
This collection of information will be reviewed by the Office of
Management and Budget in accordance with the clearance requirements
of 44 U.S.C. 3507. An agency may not conduct or sponsor, and a
person is not required to respond to, a collection of information
unless it displays a currently valid control number. The Commission
estimates that the average burden to respond to Form SCI will be
between one and 125 hours, depending upon the purpose for which the
form is being filed. Any member of the public may direct to the
Commission any comments concerning the accuracy of this burden
estimate and any suggestions for reducing this burden.
Except with respect to notifications to the Commission made
pursuant to Rule 1002(b)(1) or updates to the Commission made
pursuant to Rule 1002(b)(3), it is mandatory that an SCI entity file
all notifications, reviews, descriptions, analyses, and reports
required by Regulation SCI using Form SCI. The Commission will keep
the information collected pursuant to Form SCI confidential to the
extent permitted by law. Subject to the provisions of the Freedom of
[[Page 23273]]
Information Act, 5 U.S.C. 522 (``FOIA''), and the Commission's rules
thereunder (17 CFR 200.80(b)(4)(iii)), the Commission does not
generally publish or make available information contained in any
reports, summaries, analyses, letters, or memoranda arising out of,
in anticipation of, or in connection with an examination or
inspection of the books and records of any person or any other
investigation.
H. Exhibits
List of exhibits to be filed, as applicable:
Exhibit 1: Rule 1002(b)(2)--Notification of SCI Event. Within 24
hours of any responsible SCI personnel having a reasonable basis to
conclude that the SCI event has occurred, the SCI entity shall
submit a written notification pertaining to such SCI event to the
Commission, which shall be made on a good faith, best efforts basis
and include: (a) a description of the SCI event, including the
system(s) affected; and (b) to the extent available as of the time
of the notification: the SCI entity's current assessment of the
types and number of market participants potentially affected by the
SCI event; the potential impact of the SCI event on the market; a
description of the steps the SCI entity has taken, is taking, or
plans to take, with respect to the SCI event; the time the SCI event
was resolved or timeframe within which the SCI event is expected to
be resolved; and any other pertinent information known by the SCI
entity about the SCI event.
Exhibit 2: Rule 1002(b)(4)--Final or Interim Report of SCI
Event. When submitting a final report pursuant to either Rule
1002(b)(4)(i)(A) or Rule 1002(b)(4)(i)(B)(2), the SCI entity shall
include: (a) a detailed description of: the SCI entity's assessment
of the types and number of market participants affected by the SCI
event; the SCI entity's assessment of the impact of the SCI event on
the market; the steps the SCI entity has taken, is taking, or plans
to take, with respect to the SCI event; the time the SCI event was
resolved; the SCI entity's rule(s) and/or governing document(s), as
applicable, that relate to the SCI event; and any other pertinent
information known by the SCI entity about the SCI event; (b) a copy
of any information disseminated pursuant to Rule 1002(c) by the SCI
entity to date regarding the SCI event to any of its members,
participants, or, in the case of an SCI broker-dealer, customers;
and (c) an analysis of parties that may have experienced a loss,
whether monetary or otherwise, due to the SCI event, the number of
such parties, and an estimate of the aggregate amount of such loss.
When submitting an interim report pursuant to Rule
1002(b)(4)(i)(B)(1), the SCI entity shall include such information
to the extent known at the time.
Exhibit 3: Rule 1002(b)(5)(ii)--Quarterly Report of De Minimis
SCI Events. The SCI entity shall submit a report, within 30 calendar
days after the end of each calendar quarter, containing a summary
description of systems disruptions that have had, or the SCI entity
reasonably estimates would have, no or a de minimis impact on the
SCI entity's operations or on market participants, including the SCI
systems affected by such SCI events during the applicable calendar
quarter.
Exhibit 4: Rule 1003(a)--Quarterly Report of Systems Changes.
When submitting a report pursuant to Rule 1003(a)(1), the SCI entity
shall provide a report, within 30 calendar days after the end of
each calendar quarter, describing completed, ongoing, and planned
material changes to its SCI systems and the security of indirect SCI
systems, during the prior, current, and subsequent calendar
quarters, including the dates or expected dates of commencement and
completion. An SCI entity shall establish reasonable written
criteria for identifying a change to its SCI systems and the
security of indirect SCI systems as material and report such changes
in accordance with such criteria. When submitting a report pursuant
to Rule 1003(a)(2), the SCI entity shall provide a supplemental
report of a material error in or material omission from a report
previously submitted under Rule 1003(a); provided, however, that a
supplemental report is not required if information regarding a
material systems change is or will be provided as part of a
notification made pursuant to Rule 1002(b).
Exhibit 5: Rule 1003(b)(3)--Report of SCI Review. The SCI entity
shall provide the report of the SCI review, together with the date
the report was submitted to senior management and the response of
senior management to such report, within 60 calendar days after its
submission to senior management of the SCI entity.
Exhibit 6: Optional Attachments. This exhibit may be used in
order to attach other documents that the SCI entity may wish to
submit as part of a Rule 1002(b)(1) initial notification submission
or Rule 1002(b)(3) update submission.
I. Explanation of Terms
Critical SCI systems means any SCI systems of, or operated by or
on behalf of, an SCI entity that: (1) directly support functionality
relating to: (i) clearance and settlement systems of clearing
agencies; (ii) openings, reopenings, and closings on the primary
listing market; (iii) trading halts; (iv) initial public offerings;
(v) the provision of market data by a plan processor; or (vi)
exclusively-listed securities; or (2) provide functionality to the
securities markets for which the availability of alternatives is
significantly limited or nonexistent and without which there would
be a material impact on fair and orderly markets.
Indirect SCI systems means any systems of, or operated by or on
behalf of, an SCI entity that, if breached, would be reasonably
likely to pose a security threat to SCI systems.
Major SCI event means an SCI event that has had, or the SCI
entity reasonably estimates would have: (1) any impact on a critical
SCI system; or (2) a significant impact on the SCI entity's
operations or on market participants.
Responsible SCI personnel means, for a particular SCI system or
indirect SCI system impacted by an SCI event, such senior manager(s)
of the SCI entity having responsibility for such system, and their
designee(s).
SCI entity means an SCI self-regulatory organization, SCI
alternative trading system, plan processor, exempt clearing agency,
SCI competing consolidator, SCI broker-dealer, or registered
security-based swap data repository.
SCI event means an event at an SCI entity that constitutes: (1)
a systems disruption; (2) a systems compliance issue; or (3) a
systems intrusion.
SCI review means a review, following established and documented
procedures and standards, that is performed by objective personnel
having appropriate experience to conduct reviews of SCI systems and
indirect SCI systems, and which review, using appropriate risk
management methodology, contains: (1) with respect to each SCI
system and indirect SCI system of the SCI entity, assessments
performed by objective personnel of: (A) the risks related to
capacity, integrity, resiliency, availability, and security; (B)
internal control design and operating effectiveness, to include
logical and physical security controls, development processes,
systems capacity and availability, information technology service
continuity, and information technology governance, consistent with
industry standards; and (C) third party provider management risks
and controls; and (2) penetration test reviews performed by
objective personnel of the network, firewalls, and production
systems, including of any vulnerabilities of its SCI systems and
indirect SCI systems identified pursuant to paragraph Sec.
242.1001(a)(2)(iv); (3) provided, however, that assessments of SCI
systems directly supporting market regulation or market surveillance
shall be conducted at a frequency based upon the risk assessment
conducted as part of the SCI review, but in no case less than once
every three years.
SCI systems means all computer, network, electronic, technical,
automated, or similar systems of, or operated by or on behalf of, an
SCI entity that, with respect to securities, directly support
trading, clearance and settlement, order routing, market data,
market regulation, or market surveillance; provided, however, that
with respect to an SCI broker-dealer that satisfies only the
requirements of paragraph (2) of the definition of ``SCI broker-
dealer,'' such systems shall include only those systems with respect
to the type of securities for which an SCI broker-dealer satisfies
the requirements of paragraph (2) of the definition.
Systems Compliance Issue means an event at an SCI entity that
has caused any SCI system of such entity to operate in a manner that
does not comply with the Act and the rules and regulations
thereunder or the entity's rules or governing documents, as
applicable.
Systems Disruption means an event in an SCI entity's SCI systems
that disrupts, or significantly degrades, the normal operation of an
SCI system.
[[Page 23274]]
Systems Intrusion means any: (1) unauthorized entry into the SCI
systems or indirect SCI systems of an SCI entity; (2) cybersecurity
event that disrupts, or significantly degrades, the normal operation
of an SCI system; or (3) significant attempted unauthorized entry
into the SCI systems or indirect SCI systems of an SCI entity, as
determined by the SCI entity pursuant to established reasonable
written criteria.
[FR Doc. 2023-05775 Filed 4-13-23; 8:45 am]
BILLING CODE 8011-01-P