Regulation Systems Compliance and Integrity, 18083-18186 [2013-05888]

[Federal Register Volume 78, Number 57 (Monday, March 25, 2013)]
[Proposed Rules]
[Pages 18083-18186]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2013-05888]

Vol. 78, No. 57, Monday, March 25, 2013
Part III
Securities and Exchange Commission
17 CFR Parts 242 and 249
Regulation Systems Compliance and Integrity; Proposed Rule

-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

17 CFR Parts 242 and 249

[Release No. 34-69077; File No. S7-01-13]
RIN 3235-AL43

Regulation Systems Compliance and Integrity

AGENCY: Securities and Exchange Commission.

ACTION: Proposed rule and form; proposed rule amendment.

-----------------------------------------------------------------------

SUMMARY: The Securities and Exchange Commission (``Commission'') is proposing Regulation Systems Compliance and Integrity (``Regulation SCI'') under the Securities Exchange Act of 1934 (``Exchange Act'') and conforming amendments to Regulation ATS under the Exchange Act. Proposed Regulation SCI would apply to certain self-regulatory organizations (including registered clearing agencies), alternative trading systems (``ATSs''), plan processors, and exempt clearing agencies subject to the Commission's Automation Review Policy (collectively, ``SCI entities''), and would require these SCI entities to comply with requirements with respect to their automated systems that support the performance of their regulated activities.

DATES: Comments should be submitted on or before May 24, 2013.
ADDRESSES: Interested persons should submit comments by any of the following methods:

Electronic Comments

• Use the Commission's Internet comment form (https://www.sec.gov/rules/proposed.shtml); or
• Send an email to rule-comments@sec.gov. Please include File Number S7-01-13 on the subject line; or
• Use the Federal eRulemaking Portal (https://www.regulations.gov). Follow the instructions for submitting comments.

Paper Comments

• Send paper comments in triplicate to Elizabeth M. Murphy, Secretary, Securities and Exchange Commission, 100 F Street NE., Washington, DC 20549-1090.

All comment letters should refer to File No. S7-01-13. This file number should be included on the subject line if email is used. To help us process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission's Internet Web site (https://www.sec.gov/rules/proposed.shtml). Comments are also available for public inspection and copying in the Commission's Public Reference Room, 100 F Street NE., Washington, DC 20549 on official business days between the hours of 10 a.m. and 3 p.m. All comments received will be posted without change; we do not edit personal information from submissions. You should submit only information that you wish to make publicly available.

FOR FURTHER INFORMATION CONTACT: Heidi Pilpel, Special Counsel, Office of Market Supervision, at (202) 551-5666, Sara Hawkins, Special Counsel, Office of Market Supervision, at (202) 551-5523, Jonathan Balcom, Special Counsel, Office of Market Supervision, at (202) 551-5737, Yue Ding, Attorney, Office of Market Supervision, at (202) 551-5842, Dhawal Sharma, Attorney, Office of Market Supervision, at (202) 551-5779, Elizabeth C. Badawy, Senior Accountant, Office of Market Supervision, at (202) 551-5612, and Gordon Fuller, Senior Special Counsel, Office of Market Operations, at (202) 551-5686, Division of Trading and Markets, Securities and Exchange Commission, 100 F Street NE., Washington, DC 20549-7010.

SUPPLEMENTARY INFORMATION: Proposed Regulation SCI would supersede and replace the Commission's current Automation Review Policy (``ARP''), established by the Commission's two policy statements, each titled ``Automated Systems of Self-Regulatory Organizations,'' issued in 1989 and 1991.\1\ Regulation SCI also would supersede and replace aspects of those policy statements codified in Rule 301(b)(6) under the Exchange Act,\2\ applicable to significant-volume ATSs.\3\ Proposed Regulation SCI would require SCI entities to establish written policies and procedures reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain their operational capability and promote the maintenance of fair and orderly markets, and that they operate in the manner intended. It would also require SCI entities to mandate participation by designated members or participants in scheduled testing of the operation of their business continuity and disaster recovery plans, including backup systems, and to coordinate such testing on an industry- or sector-wide basis with other SCI entities. In addition, proposed Regulation SCI would require notices and reports to be provided to the Commission on a new proposed Form SCI regarding, among other things, SCI events and material systems changes, and would require SCI entities to take corrective action upon any responsible SCI personnel becoming aware of SCI events. SCI events would be defined to include systems disruptions, systems compliance issues, and systems intrusions.
The proposed regulation would further require that information regarding certain types of SCI events be disseminated to members or participants of SCI entities. In addition, proposed Regulation SCI would require SCI entities to conduct a review of their systems by objective personnel at least annually, and would require SCI entities to maintain certain books and records. The Commission also is proposing to modify the volume thresholds in Regulation ATS \4\ for significant-volume ATSs, apply them to SCI ATSs (as defined below), and move this standard from Regulation ATS to proposed Regulation SCI.

---------------------------------------------------------------------------

\1\ See Securities Exchange Act Release Nos. 27445 (November 16, 1989), 54 FR 48703 (November 24, 1989) (``ARP I Release'' or ``ARP I'') and 29185 (May 9, 1991), 56 FR 22490 (May 15, 1991) (``ARP II Release'' or ``ARP II'' and, together with ARP I, the ``ARP policy statements'').

\2\ See 17 CFR 242.301(b)(6). See also Securities Exchange Act Release No. 40760 (December 8, 1998), 63 FR 70844 (December 22, 1998) (``ATS Release'').

\3\ See infra note 26.

\4\ 17 CFR 242.300-303 (``Regulation ATS'').

---------------------------------------------------------------------------

Table of Contents

I. Background
   A. History and Evolution of the Automation Review Policy Inspection Program
   B. Evolution of the Markets Since the Inception of the ARP Inspection Program
   C. Successes and Limitations of the Current ARP Inspection Program
   D. Recent Events
II. Proposed Codification and Enhancement of ARP Inspection Program
III. Proposed Regulation SCI
   A. Overview
   B. Proposed Rule 1000(a): Definitions Establishing the Scope of Regulation SCI
      1. SCI Entities
      2. Definition of SCI Systems and SCI Security Systems
      3. SCI Events
         a. Systems Disruption
         b. Systems Compliance Issue
         c. Systems Intrusion
         d. Dissemination SCI events
      4. Material Systems Changes
   C. Proposed Rule 1000(b): Obligations of SCI Entities
      1. Policies and Procedures to Safeguard Capacity, Integrity, Resiliency, Availability, and Security
         a. Proposed Rule 1000(b)(1)(i)
         b. Proposed Rule 1000(b)(1)(ii)
      2. Systems Compliance
      3. SCI Events--Action required; Notification
         a. Corrective Action
         b. Commission Notification
         c. Dissemination of Information to Members or Participants
      4. Notification of Material Systems Changes
      5. Review of Systems
      6. Periodic Reports
      7. Proposed Rule 1000(b)(9): SCI Entity Business Continuity and Disaster Recovery Plans Testing Requirements for Members or Participants
   D. Proposed Rule 1000(c)-(f): Recordkeeping, Electronic Filing on Form SCI, and Access
      1. Recordkeeping Requirements
      2. Electronic Submission of Reports, Notifications, and Other Communications on Form SCI
      3. Access to the Systems of an SCI Entity
   E. New Proposed Form SCI
      1. Notice of SCI Events Pursuant to Proposed Rule 1000(b)(4)
      2. Notices of Material Changes Pursuant to Proposed Rule 1000(b)(6)
      3. Reports Submitted Pursuant to Rule 1000(b)(8)
      4. Notifications of Member or Participant Designation Standards and List of Designees Pursuant to Proposed Rule 1000(b)(9)
      5. Other Information and Electronic Signature
   F. Request for Comment on Applying Proposed Regulation SCI to Security-Based Swap Data Repositories and Security-Based Swap Execution Facilities
   G. Solicitation of Comment Regarding Potential Inclusion of Broker-Dealers, Other than SCI ATSs, and Other Types of Entities
IV. Paperwork Reduction Act
V. Economic Analysis
   A. Background
   B. Economic Baseline
   C. Consideration of Costs and Benefits, and the Effect on Efficiency, Competition, and Capital Formation
   D. Request for Comment on Economic Analysis
VI. Consideration of Impact on the Economy
VII. Regulatory Flexibility Act Certification
VIII. Statutory Authority and Text of Proposed Amendments

I. Background

A. History and Evolution of the Automation Review Policy Inspection Program

Section 11A(a)(2) of the Exchange Act,\5\ enacted as part of the Securities Acts Amendments of 1975 (``1975 Amendments''),\6\ directs the Commission, having due regard for the public interest, the protection of investors, and the maintenance of fair and orderly markets, to use its authority under the Exchange Act to facilitate the establishment of a national market system for securities in accordance with the Congressional findings and objectives set forth in Section 11A(a)(1) of the Exchange Act.\7\ Among the findings and objectives in Section 11A(a)(1) is that ``[n]ew data processing and communications techniques create the opportunity for more efficient and effective market operations'' \8\ and ``[i]t is in the public interest and appropriate for the protection of investors and the maintenance of fair and orderly markets to assure * * * the economically efficient execution of securities transactions.'' \9\ In addition, Sections 6(b), 15A, and 17A(b)(3) of the Exchange Act impose obligations on national securities exchanges, national securities associations, and clearing agencies, respectively, to be ``so organized'' and ``[have] the capacity to * * * carry out the purposes of [the Exchange Act].'' \10\

---------------------------------------------------------------------------

\5\ 15 U.S.C. 78k-1(a)(2).

\6\ Public Law 94-29, 89 Stat. 97 (1975).

\7\ 15 U.S.C. 78k-1(a)(1).

\8\ Section 11A(a)(1)(B) of the Exchange Act, 15 U.S.C. 78k-1(a)(1)(B).

\9\ Section 11A(a)(1)(C)(i) of the Exchange Act, 15 U.S.C. 78k-1(a)(1)(C)(i). Further, the Senate Committee Report accompanying the 1975 Amendments states that a paramount objective of a national market system is ``the maintenance of stable and orderly markets with maximum capacity for absorbing trading imbalances without undue price movements.'' Senate Comm. on Banking, Housing and Urban Affairs, Report to accompany S. 249, Sen. Rep. 94-75, 94th Cong., 1st Sess. at 7 (1975).

\10\ See Sections 6(b)(1), 15A(b)(2), and 17A(b)(3) of the Exchange Act, 15 U.S.C. 78f(b)(1), 78o-3(b)(2), 78q-1(b)(3), respectively. See also Section 2 of the Exchange Act, 15 U.S.C. 78b, and Section 19 of the Exchange Act, 15 U.S.C. 78s.

---------------------------------------------------------------------------

For over two decades, Commission staff has worked with SROs to assess their automated systems under the Commission's ARP inspection program (``ARP Inspection Program''), a voluntary information technology review program created in response to the October 1987 market break.\11\ In 1989, the Commission published ARP I, its first formal policy statement regarding steps that SROs should take in connection with their automated systems.\12\ In ARP I, the Commission discussed the development by SROs of automated execution, market information, and trade comparison systems to accommodate increased trading activity from the 1960s through the 1980s.\13\ The Commission acknowledged improvements in efficiency during that time period, but noted that the October 1987 market break had exposed that automated systems remained vulnerable to operational problems during extreme high volume periods.
The Commission also expressed concern about the potential for systems failures to negatively impact public investors, broker-dealer risk exposure, and market efficiency.\14\ The Commission further stated in ARP I that market movements should be ``the result of market participants' changing expectations about the direction of the market for a particular security, or group of securities, and not the result of investor confusion or panic resulting from operational failures or delays in SRO automated trading or market information systems.'' \15\ The Commission issued ARP I as a result of these concerns, and stated that SROs should ``establish comprehensive planning and assessment programs to test systems capacity and vulnerability.'' \16\ In particular, the Commission recommended that each SRO should: (1) Establish current and future capacity estimates for its automated order routing and execution, market information, and trade comparison systems; (2) periodically conduct capacity stress tests to determine the behavior of automated systems under a variety of simulated conditions; and (3) contract with independent reviewers to assess annually whether these systems could perform adequately at their estimated current and future capacity levels and have adequate protection against physical threat.\17\ In addition, ARP I called for each SRO to have its automated systems reviewed annually by an ``independent reviewer.'' \18\

---------------------------------------------------------------------------

\11\ See ARP I, supra note 1, 54 FR 48706.
\12\ See ARP I, supra note 1, 54 FR 48705-48706, stating that SROs should ``take certain steps to ensure that their automated systems have the capacity to accommodate current and reasonably anticipated future trading volume levels and respond to localized emergency conditions.'' In ARP I, the Commission also defined the terms ``automated systems'' and ``automated trading systems'' to refer ``collectively to computer systems for listed and OTC equities, as well as options, that electronically route orders to applicable market makers and systems that electronically route and execute orders, including the data networks that feed the systems * * * [and encompass] systems that disseminate transaction and quotation information and conduct trade comparisons prior to settlement, including the associated communication networks.'' See id. at n. 21. See also id. at n. 26 (stating that the Commission may suggest expansion of the ARP I policy statement to cover ``other SRO computer-driven support systems for, among other things, clearance and settlement, and market surveillance, if the Commission finds it necessary to ensure the maintenance of fair and orderly markets'').

\13\ See id. at 48705.

\14\ See id. at 48705. The Commission noted that problems encountered by trading systems during the October 1987 market break included: (i) Inadequate computer capacity causing queues of unprocessed orders to develop that, in turn, resulted in significant delays in order execution; (ii) inadequate contingency plans to accommodate increased order traffic; (iii) delays in the transmission of transaction reports to both member firms and markets; and (iv) delays in order processing.

\15\ See id. at 48705.

\16\ See id. at 48705-48706.

\17\ See id. at 48706-48707. With respect to capacity estimates and testing, the Commission urged SROs to institute procedures for stress testing using ``standards generally set by the computer industry,'' and report the results of stress testing to Commission staff. The Commission also requested comment on whether it should mandate specific standards for the SROs to follow, and if so, what those standards should be. See id. With respect to vulnerability of systems to external and internal threat, the Commission requested in ARP I that SROs assess the susceptibility of automated systems to computer viruses, unauthorized use, computer vandalism, and failures as a result of catastrophic events (such as fire, power outages, and earthquakes), and promptly notify Commission staff of any instances in which unauthorized persons gained or attempted to gain access to SRO systems, and follow up with a written report of the problem, its cause, and the steps taken to prevent a recurrence.

\18\ See id.

---------------------------------------------------------------------------

In 1991, the Commission published ARP II.\19\ In ARP II, the Commission further articulated its views on how SROs should conduct independent reviews.\20\ ARP II stated that such reviews and analysis should: ``(1) Cover significant elements of the operations of the automation process, including the capacity planning and testing process, contingency planning, systems development methodology and vulnerability assessment; (2) be performed on a cyclical basis by competent and independent audit personnel following established audit procedures and standards; and (3) result in the presentation of a report to senior SRO management on the recommendations and conclusions of the independent reviewer, which report should be made available to Commission staff for its review and comment.'' \21\

---------------------------------------------------------------------------

\19\ See ARP II Release, 56 FR 22490, supra note 1.

\20\ See id.

\21\ See id. at 22491. In ARP II the Commission also explained that, in its view, ``a critical element to the success of the capacity planning and testing, security assessment and contingency planning processes for [automated] systems is obtaining an objective review of those planning processes by persons independent of the planning process to ensure that adequate controls and procedures have been developed and implemented.'' Id.

---------------------------------------------------------------------------

In addition, ARP II addressed how SROs should notify the Commission of material systems changes and significant systems problems. Specifically, ARP II stated that SROs should notify Commission staff of significant additions, deletions, or other changes to their automated systems on an annual and an as-needed basis, as well as provide real-time notification of unusual events, such as significant outages involving automated systems.\22\ Further, in ARP II, the Commission again suggested development of standards to meet the ARP policy statements, stating that ``the SROs, and other interested parties should begin the process of exploring the establishment of (1) standards for determining capacity levels for the SROs' automated trading systems; (2) generally accepted computer security standards that would be effective for SRO automated systems; and (3) additional standards regarding audits of computer systems.'' \23\

---------------------------------------------------------------------------

\22\ See id. at 22491.

\23\ See id.
---------------------------------------------------------------------------

The current ARP Inspection Program was developed by Commission staff to implement the ARP policy statements,\24\ and has garnered participation by all active registered clearing agencies, all registered national securities exchanges, the Financial Industry Regulatory Authority (``FINRA''), the only registered national securities association, one exempt clearing agency, and one ATS.\25\ In 1998, the Commission adopted Regulation ATS which, among other things, imposed by rule certain aspects of ARP I and ARP II on significant-volume ATSs.\26\ Thereafter, administration of these aspects of Regulation ATS was incorporated into the ARP Inspection Program.

---------------------------------------------------------------------------

\24\ While participation in the ARP Inspection Program is voluntary, the underpinnings of ARP I and ARP II are rooted in Exchange Act requirements. See supra notes 5-10 and accompanying text.

\25\ See infra note 91 and accompanying text. One ATS currently complies voluntarily with the ARP Inspection Program. However, ARP staff has conducted ARP inspections of other ATSs over the course of the history of the ARP Inspection Program. See also infra notes 134-135 and accompanying text.

\26\ See Rule 301(b)(6) of Regulation ATS, 17 CFR 242.301(b)(6). With regard to systems that support order entry, order routing, order execution, transaction reporting, and trade comparison, Regulation ATS requires significant-volume ATSs to: establish reasonable current and future capacity estimates; conduct periodic capacity stress tests of critical systems to determine their ability to accurately, timely and efficiently process transactions; develop and implement reasonable procedures to review and keep current system development and testing methodology; review system and data center vulnerability to threats; establish adequate contingency and disaster recovery plans; perform annual independent reviews of systems to ensure compliance with the above listed requirements and perform review by senior management of reports containing the recommendations and conclusions of the independent review; and promptly notify the Commission of material systems outages and significant systems changes. See Rule 301(b)(6)(ii) of Regulation ATS, 17 CFR 242.301(b)(6)(ii). Regulation ATS defines significant-volume ATSs as ATSs that, during at least 4 of the preceding 6 calendar months, had: (i) with respect to any NMS stock, 20 percent or more of the average daily volume reported by an effective transaction reporting plan; (ii) with respect to equity securities that are not NMS stocks and for which transactions are reported to a self-regulatory organization, 20 percent or more of the average daily volume as calculated by the self-regulatory organization to which such transactions are reported; (iii) with respect to municipal securities, 20 percent or more of the average daily volume traded in the United States; or (iv) with respect to corporate debt securities, 20 percent or more of the average daily volume traded in the United States. See Rule 301(b)(6)(i) of Regulation ATS, 17 CFR 242.301(b)(6)(i).

---------------------------------------------------------------------------

Under the ARP Inspection Program, staff in the Commission's Division of Trading and Markets (``ARP staff'') conduct inspections of ARP entity systems, attend periodic technology briefings presented by ARP entity staff, monitor the progress of planned significant system changes, and respond to reports of system failures, disruptions, and other systems problems of ARP entities. An ARP inspection typically includes ARP staff review of information technology documentation, testing of selected controls, and interviews with information technology staff and management of the ARP entity.\27\

---------------------------------------------------------------------------

\27\ ARP inspections are typically conducted independently from the inspections and examinations of SROs, ATSs, and broker-dealers conducted by staff in the Commission's Office of Compliance Inspections and Examinations (``OCIE'') for compliance with the federal securities laws and rules thereunder.

---------------------------------------------------------------------------

Just as markets have become increasingly automated and information technology programs and practices at ARP entities have changed, ARP inspections also have evolved considerably over the past 20 years.
Today, the ARP Inspection Program covers nine general inspection areas, or information technology ``domains:'' application controls; capacity planning; computer operations and production environment controls; contingency planning; information security and networking; audit; outsourcing; physical security; and systems development methodology.\28\ The goal of an ARP inspection is to evaluate whether an ARP entity's controls over its information technology resources in each domain are consistent with ARP and industry guidelines,\29\ as identified by ARP staff from a variety of information technology publications that ARP staff believes reflect industry standards for securities market participants.

---------------------------------------------------------------------------

\28\ Each domain itself contains subcategories. For example, ``contingency planning'' includes business continuity, disaster recovery, and pandemic planning, among other things.

\29\ The domains covered during an ARP inspection depend in part upon whether the inspection is a regular inspection or a ``for-cause'' inspection. Typically, however, to make the most efficient use of resources, a single ARP inspection will cover fewer than nine domains.

---------------------------------------------------------------------------

Most recently, these publications have included, among others, publications issued by the Federal Financial Institutions Examination Council (``FFIEC'') and the National Institute of Standards and Technology (``NIST'').\30\ ARP staff has also relied on the 2003 Interagency White Paper on Sound Practices to Strengthen the Resiliency of the U.S. Financial System \31\ and the 2003 Policy Statement on Business Continuity Planning for Trading Markets.\32\ Since 2003, however, the Commission has not issued formal guidance on which publications establish the most appropriate guidelines for ARP entities.
At the conclusion of an ARP inspection, ARP staff typically issues a report to the ARP entity with an assessment of its information technology program with respect to its critical systems, including any recommendations for improvement.

---------------------------------------------------------------------------

\30\ Other examples of publications that ARP staff has referred to include those issued by the Center for Internet Security (https://benchmarks.cisecurity.org/en-us/?route=downloads.benchmarks); Information Systems Audit and Control Association (Control Objectives for Information Technology Framework, available at: https://www.isaca.org/Knowledge-Center/cobit/Pages/COBIT-Online.aspx); Defense Information Systems Agency, Security Technical Implementation Guides (available at https://iase.disa.mil/stigs/); and Government Accountability Office (Federal Information System Controls Audit Manual (February 2009), available at: https://www.gao.gov/assets/80/77142.pdf).

\31\ See Securities Exchange Act Release No. 47638 (April 7, 2003), 68 FR 17809 (April 11, 2003) (Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial Systems) (``2003 Interagency White Paper'').

\32\ See Securities Exchange Act Release No. 48545 (September 25, 2003), 68 FR 56656 (October 1, 2003) (Policy Statement: Business Continuity Planning for Trading Markets) (``2003 Policy Statement on Business Continuity Planning for Trading Markets'').

---------------------------------------------------------------------------

Another significant aspect of the ARP Inspection Program relates to the monitoring of planned significant systems changes and reports of systems problems at ARP entities.
As noted above, ARP II stated that SROs should notify Commission staff of significant additions, deletions, or other changes to their automated systems on an annual and an as-needed basis, as well as provide real-time notification of unusual events, such as significant outages involving automated systems.\33\ Likewise, Regulation ATS requires significant-volume ATSs to promptly notify the Commission of material systems outages and significant systems changes.\34\

---------------------------------------------------------------------------

\33\ See supra note 22 and accompanying text.

\34\ See 17 CFR 242.301(b)(6)(ii)(G). See also supra note 26.

---------------------------------------------------------------------------

In addition to the Commission's ARP policy statements and Rule 301(b)(6) of Regulation ATS, Commission staff has provided guidance to ARP entities on how the staff believes they should report planned systems changes and systems issues to the Commission. For example, in 2001, Commission staff sent a letter to the SROs and other participants in the ARP Inspection Program to clarify what should be considered a ``significant system change'' and a ``significant system outage'' for purposes of reporting systems changes and problems to Commission staff.\35\ Further, in 2009, Commission staff sent a letter to the national securities exchanges and FINRA expressing the staff's view that SROs are obligated to ensure that their systems' operations comply with the federal securities laws and rules and the SRO's rules, and that failure to satisfy this obligation could lead to sanctions under Section 19(h)(1) of the Exchange Act.\36\ Unlike ARP I, ARP II, and Rule 301(b)(6) of Regulation ATS, the 2001 Staff ARP Interpretive Letter and 2009 Staff Systems Compliance Letter were not issued by the Commission and constitute only staff guidance.
Proposed Regulation SCI, if adopted, would consolidate and supersede all such staff guidance, as well as the Commission's ARP policy statements and Rule 301(b)(6) of Regulation ATS.

---------------------------------------------------------------------------

\35\ In June 2001, staff from the Division of Market Regulation sent a letter to the SROs and other participants in the ARP Inspection Program regarding Guidance for Systems Outage and System Change Notifications (``2001 Staff ARP Interpretive Letter''), advising them that the staff considers a significant system change to include: (i) Major systems architectural changes; (ii) reconfiguration of systems that cause a variance greater than five percent in throughput or storage; (iii) introduction of new business functions or services; (iv) material changes in systems; (v) changes to external interfaces; (vi) changes that could increase susceptibility to major outages; (vii) changes that could increase risks to data security; (viii) a change that was, or will be, reported or referred to the entity's board of directors or senior management; or (ix) changes that may require allocation or use of significant resources. The 2001 Staff ARP Interpretive Letter also advised that Commission staff considers a ``significant system outage'' to include an outage that results in: (i) Failure to maintain service level agreements or constraints; (ii) disruption of normal operations, including switchover to back-up equipment with no possibility of near-term recovery of primary hardware; (iii) loss of use of any system; (iv) loss of transactions; (v) excessive back-ups or delays in processing; (vi) loss of ability to disseminate vital information; (vii) communication of an outage situation to other external entities; (viii) a report or referral of an event to the entity's board of directors or senior management; (ix) a serious threat to systems operations even though systems operations are not disrupted; or (x) a queuing of data between system components or queuing of messages to or from customers of such duration that a customer's normal service delivery is affected. The 2001 Staff ARP Interpretive Letter is available at https://www.sec.gov/divisions/marketreg/sroautomation.shtml.

\36\ In December 2009, staff from the Division of Trading and Markets and Office of Compliance Inspections and Examinations sent a letter (``2009 Staff Systems Compliance Letter'') to each national securities exchange and FINRA reminding each of its obligation to ensure that its systems' operations are consistent with the federal securities laws and rules and the SRO's rules, and clarifying the staff's expectations regarding SRO systems compliance. The 2009 Staff Systems Compliance Letter also expressed the staff's view that SROs and other participants in the ARP Inspection Program should have effective written policies and procedures for systems development and maintenance that provide for adequate regulatory oversight, including testing of system changes, controls over system changes, and independent audits. The 2009 Staff Systems Compliance Letter also expressed the staff's expectation that, if an SRO becomes aware of a system function that could lead or has led to a failure to comply with the federal securities laws or rules, or the SRO's rules, the SRO should immediately take appropriate corrective action including, at a minimum, devoting adequate resources to remedy the issue as soon as possible, and notifying Commission staff and (if appropriate) the public of the compliance issue and efforts to rectify it. The 2009 Staff Systems Compliance Letter was sent to BATS, BATS-Y, CBOE, C2, CHX, EDGA, EDGX, FINRA, ISE, Nasdaq, Nasdaq OMX BX, Nasdaq OMX Phlx, NSX, NYSE, NYSE MKT (f/k/a NYSE Amex), NYSE Arca. See infra notes 47 and 51.

---------------------------------------------------------------------------

In addition, OCIE conducts inspections of SROs, as part of the Commission's oversight of them. Unlike ARP inspections, however, which focus on information technology controls, OCIE primarily conducts risk-based examinations of securities exchanges, FINRA, and other SROs to evaluate whether they and their member firms are complying with the Exchange Act and the rules thereunder, as well as SRO rules. Examples of OCIE risk-based examination areas include: governance, regulatory funding, trading regulation, member firm examination programs, disciplinary programs for member firms, and exchange programs for listing compliance. In 2011, OCIE conducted baseline assessments of all of the national securities exchanges then operating. These assessments included these areas, among others, but did not include examinations of the exchanges' systems, as systems inspections are conducted under the ARP Inspection Program.\37\ As part of the Commission's oversight of the SROs, OCIE also reviews systems compliance issues reported to Commission staff.
The information gained from OCIE's review of reported systems compliance issues helps to inform its examination risk-assessments for SROs.

---------------------------------------------------------------------------

\37\ See text accompanying notes 24-29.

---------------------------------------------------------------------------

B. Evolution of the Markets Since the Inception of the ARP Inspection Program

Since the inception of the ARP Inspection Program more than two decades ago, the securities markets have experienced sweeping changes, evolving from a collection of relatively few, mostly manual markets, to a larger number and broader variety of trading centers that are almost completely automated, and dependent upon sophisticated technology and extremely fast and interconnected systems. Regulatory developments, such as Regulation NMS,\38\ decimalization,\39\ Regulation ATS,\40\ and the Order Handling Rules,\41\ also have impacted the structure of the markets by, among other things, mandating and providing incentives that encourage automation and speed. Although some markets today retain trading floors and accommodate some degree of manual interaction, these markets also have implemented electronic trading for their products. In stock markets, for example, in almost all cases, the volume of electronic trading dominates any residual manual activity.\42\ In addition, in recent years, the new trading systems developed by existing or new exchanges and ATSs rely almost exclusively on fully-electronic, automated technology to execute trades.\43\ As a result, the overwhelming majority of securities transactions today are executed on such automated systems.\44\ A primary driver and catalyst of this transformation has been the continual evolution of technologies for generating, routing, and executing orders. These technologies have dramatically improved the speed, capacity, and sophistication of the trading functions that are available to market participants.\45\ The increased speed and capacity of automated systems in the current market structure has contributed to surging message traffic.\46\

---------------------------------------------------------------------------

\38\ 17 CFR 242.600-612. See also Securities Exchange Act Release No. 51808 (June 9, 2005), 70 FR 37496 (June 29, 2005).

\39\ See Securities Exchange Act Release No. 42360 (January 28, 2000), 65 FR 5003 (February 2, 2000).

\40\ 17 CFR 242.300-303. See also ATS Release, supra note 2.

\41\ Securities Exchange Act Release No. (September 6, 1996), 61 FR 48290 (September 12, 1996). See also Concept Release on Equity Market Structure, supra note 42, at 3594.

\42\ See, e.g., Securities Exchange Act Release No. 61358 (January 14, 2010), 75 FR 3594, 3594-95 (January 21, 2010) (Concept Release on Equity Market Structure). See also Securities Exchange Act Release No. 58845 (October 24, 2008), 73 FR 64379 (October 29, 2008) (SR-NYSE-2008-46) (order approving NYSE's New Market Model, an electronic trading system with floor-based components).

\43\ See, e.g., Securities Exchange Act Release Nos. 62716 (August 13, 2010), 75 FR 51295 (August 19, 2010) (order approving the exchange registration application of BATS-Y Exchange, Inc.); 61698 (March 12, 2010), 75 FR 13151 (March 18, 2010) (order approving the exchange registration applications of EDGA Exchange Inc. and EDGX Exchange Inc.); 57478 (March 12, 2008), 73 FR 14521 (March 18, 2008) (order approving a proposed rule change, as amended, by the NASDAQ Stock Market LLC to establish rules governing the trading of options on the NASDAQ Options Market).

\44\ For example, less than 30 percent of stock trading takes place on listing exchanges as orders are dispersed to more than 50 competing venues, almost all of which are fully electronic.
See, e.g., https://www.batstrading.com/market_summary. See also Concept Release on Equity Market Structure, supra note 42, for a more detailed discussion of equity market structure.

\45\ For example, the speed of trading has increased to the point that the fastest traders now measure their latencies in microseconds. See Concept Release on Equity Market Structure, supra note 42, at 3598.

\46\ See, e.g., ``Climbing Mount Message: How Exchanges are Managing Peaks,'' Markets Media (posted on June 29, 2012), available at: https://marketsmedia.com/climbing-mount-message-exchanges-managing-peaks/ (noting that message volumes across U.S. exchanges hit a daily peak of 4.47 million messages per second).

---------------------------------------------------------------------------

In addition to these changes, there has been an increase in the number of trading venues, particularly for equities. No longer is trading in equities dominated by one or two trading venues. Today, 13 national securities exchanges trade equities, with no single stock exchange having an overall market share of greater than twenty percent of consolidated volume for all NMS stocks,\47\ but each with a protected quotation \48\ that may not be traded through by other markets.\49\ ATSs, including electronic communications networks (``ECNs'') and dark pools, as well as broker-dealer internalizers, also execute substantial volumes of securities transactions.\50\ Each of these trading venues is connected with the others through a vast web of linkages, including those that provide connectivity, routing services, and market data. The number of venues trading options has likewise grown, with 11 national securities exchanges currently trading options, up from five as recently as 2004.\51\

---------------------------------------------------------------------------

\47\ See, e.g., market volume statistics reported by BATS Exchange, Inc., available at: https://www.batstrading.com/market_summary (no single national securities exchange executed more than 20 percent of volume in NMS stocks during the 5-day period ending February 7, 2013). The following national securities exchanges have equities trading platforms: (1) BATS Exchange, Inc. (``BATS''); (2) BATS Y-Exchange, Inc. (``BATS-Y''); (3) Chicago Board Options Exchange, Incorporated (``CBOE''); (4) Chicago Stock Exchange, Inc. (``CHX''); (5) EDGA Exchange, Inc. (``EDGA''); (6) EDGX Exchange, Inc. (``EDGX''); (7) NASDAQ OMX BX, Inc. (``Nasdaq OMX BX''); (8) NASDAQ OMX PHLX LLC (``Nasdaq OMX Phlx''); (9) NASDAQ Stock Market LLC (``Nasdaq''); (10) National Stock Exchange, Inc. (``NSX''); (11) New York Stock Exchange LLC (``NYSE''); (12) NYSE MKT LLC (``NYSE MKT''); and (13) NYSE Arca, Inc. (``NYSE Arca'').

\48\ A ``protected quotation'' is defined by Regulation NMS as a quotation in an NMS stock that (i) is displayed by an automated trading center; (ii) is disseminated pursuant to an effective national market system plan; and (iii) is an automated quotation that is the best bid or best offer of a national securities exchange, the best bid or best offer of The Nasdaq Stock Market, Inc., or the best bid or best offer of a national securities association other than the best bid or best offer of The Nasdaq Stock Market, Inc. See Rule 600(b)(57)-(58) of Regulation NMS, 17 CFR 242.600(b)(57)-(58).

\49\ See Rule 611(a)(1) of Regulation NMS, 17 CFR 242.601(a)(1).

\50\ See Concept Release on Equity Market Structure, supra note 42.
\51\ The following venues trade options today: (1) BATS Exchange Options Market; (2) Boston Options Exchange LLC (``BOX''); (3) C2 Options Exchange, Incorporated (``C2''); (4) CBOE; (5) International Securities Exchange, LLC (``ISE''); (6) Miami International Securities Exchange, LLC (``MIAX''); (7) NASDAQ Options Market; (8) NASDAQ OMX BX Options; (9) Nasdaq OMX Phlx; (10) NYSE Amex Options; and (11) NYSE Arca.

---------------------------------------------------------------------------

The increased number of trading venues, dispersal of trading volume, and the resulting reliance on a variety of automated systems and intermarket linkages have increased competition and thus investor choice, but have also increased the complexity of the markets and the challenges for market participants seeking to manage their information technology programs and to ensure compliance with Commission rules.\52\ These changes have also substantially heightened the potential for systems problems originating from any number of sources to broadly affect the market. Given the increased interconnectedness of the markets, a trading venue may not always recognize the true impact and cost of a problem that originates with one of its systems.

---------------------------------------------------------------------------

\52\ For example, one important type of linkage in the current market structure was created to comply with legal obligations to protect against trade-throughs as required by Rule 611 of Regulation NMS under the Exchange Act, 17 CFR 242.611. A trade-through is the execution of a trade at a price inferior to a protected quotation for an NMS stock. Importantly, Rule 611 applies to all trading centers, not just those that display protected quotations. Trading center is defined broadly in Rule 600(b)(78) of Regulation NMS to include, among others, all exchanges, all ATSs (including ECNs and dark pools), all OTC market makers, and any other broker-dealer that executes orders internally, whether as agent or principal. See Concept Release on Equity Market Structure, supra note 42, at 3601.

---------------------------------------------------------------------------

C. Successes and Limitations of the Current ARP Inspection Program

While the Commission generally considers the ARP Inspection Program to have been successful in improving the automated systems of the SROs and other entities participating in the program over the past 20 years, the Commission is mindful of its limitations. For example, because the ARP Inspection Program is established pursuant to Commission policy statements, rather than Commission rules,\53\ the Commission's ability to assure compliance with ARP standards with certainty or adequate thoroughness is limited. In particular, the Commission may not be able to fully address major or systemic market problems at all entities that would meet the proposed definition of SCI entity. Further, the Government Accountability Office (``GAO'') has identified the voluntary nature of the ARP Inspection Program as a limitation of the program and recommended that the Commission make compliance with ARP guidelines mandatory.\54\

---------------------------------------------------------------------------

\53\ As discussed in infra Section III.B.1, no ATS currently meets the volume thresholds in Rule 301(b)(6) of Regulation ATS.

\54\ See GAO, Financial Market Preparedness: Improvements Made, but More Action Needed to Prepare for Wide-Scale Disasters, Report No. GAO-04-984 (September 27, 2004).
GAO cited instances in which the GAO believed that entities participating in the ARP Inspection Program failed to adequately address or implement ARP staff recommendations as the reasoning behind its recommendation to make compliance with ARP guidelines mandatory. As noted in supra Section I.A, the obligations underlying the policy statements are statutorily mandated.

---------------------------------------------------------------------------

The Commission believes that the continuing evolution of the securities markets to the current state, where they have become almost entirely electronic and highly dependent on sophisticated trading and other technology (including complex regulatory and surveillance systems, as well as systems relating to the provision of market data, intermarket routing and connectivity, and a variety of other member and issuer services), has posed challenges for the ARP Inspection Program. Accordingly, the Commission believes that the guidance in the ARP policy statements should be updated and formalized, and that clarity with respect to a variety of important matters, including regarding appropriate industry practices, notice to the Commission of all SCI events and to members or participants of SCI entities of certain systems problems, Commission access to systems, and procedures designed to better ensure that SRO systems comply with the SRO's own rules, would improve the Commission's oversight capabilities. Furthermore, given the importance of ensuring that an SRO's trading and other systems are operated in accordance with its rules, the Commission believes that improvements in SRO procedures could help to ensure that such systems are operating in compliance with relevant rules, and to promptly identify and address any instances of non-compliance.\55\

---------------------------------------------------------------------------

\55\ Section 19(b)(1) of the Exchange Act requires each SRO to file with the Commission any proposed rule or any proposed change in, addition to, or deletion from the rules of such SRO (a ``proposed rule change''), accompanied by a concise general statement of the basis and purpose of such proposed rule change, and provides that no proposed rule change shall take effect unless approved by the Commission or otherwise permitted in accordance with the provisions of this section. See 15 U.S.C. 78s(b)(1). An SRO's failure to file a proposed rule change when required would be a violation of Section 19(b)(1).

---------------------------------------------------------------------------

D. Recent Events

In the Commission's view, recent events further highlight why rulemaking in this area may be warranted.
On May 6, 2010, according to a report by the staffs of the Commission and the Commodity Futures Trading Commission (``CFTC''), the prices of many U.S.-based equity products experienced an extraordinarily rapid decline and recovery, with major equity indices in both the futures and securities markets, each already down over four percent from their prior day close, suddenly plummeting a further five to six percent in a matter of minutes before rebounding almost as quickly.\56\ According to the May 6 Staff Report, many individual equity securities and exchange traded funds suffered similar price declines and reversals within a short period of time, falling 5, 10, or even 15 percent before recovering most, if not all, of their losses.\57\ The May 6 Staff Report stated that some equities experienced even more severe price moves, both up and down, with over 20,000 trades in more than 300 securities executed at prices more than 60 percent away from their values just moments before.\58\

---------------------------------------------------------------------------

\56\ See Findings Regarding The Market Events Of May 6, 2010, Report Of The Staffs Of The CFTC And SEC To The Joint Advisory Committee On Emerging Regulatory Issues, September 30, 2010 (``May 6 Staff Report'').

\57\ See id.

\58\ These trades subsequently were broken by the exchanges and FINRA. See id.

---------------------------------------------------------------------------

Among the key findings in the May 6 Staff Report was that the interaction between automated execution programs and algorithmic trading strategies can quickly erode liquidity and result in disorderly markets, and that concerns about data integrity, especially those that involve the publication of trades and quotes to the consolidated tape, can contribute to pauses or halts in many automated trading systems and in turn lead to a reduction in general market liquidity.\59\ According to the May 6 Staff Report, the events of May 6, 2010 clearly demonstrate the importance of data in today's world of fully automated trading strategies and systems, and that fair and orderly markets require the maintenance of high standards for robust, accessible, and timely market data.\60\

---------------------------------------------------------------------------

\59\ See id. at 78.

\60\ See id. at 8.

---------------------------------------------------------------------------

Both before and after the May 6, 2010 incident, individual markets have also experienced other systems-related issues. In February 2011, NASDAQ OMX Group, Inc. revealed that hackers had penetrated certain of its computer networks, though Nasdaq reported that at no point did this intrusion compromise Nasdaq's trading systems.\61\ In October 2011, the Commission sanctioned EDGX and EDGA, two national securities exchanges, and their affiliated broker, Direct Edge ECN LLC, for violations of federal securities laws arising from systems incidents.\62\ In the Direct Edge Order, the Commission noted that the ``violations occurred against the backdrop of weaknesses in Respondents' systems, processes, and controls.'' \63\

---------------------------------------------------------------------------

\61\ See announcement by Nasdaq OMX (February 5, 2011), available at: https://www.nasdaq.com/includes/announcement-2-5-11.aspx (accessed May 20, 2011).
See also Devlin Barrett, ``Hackers Penetrate NASDAQ Computers,'' Wall St. J., February 5, 2011, at A1; Devlin Barrett et al., ``NASDAQ Confirms Breach in Network,'' Wall St. J., February 7, 2011, at C1.

\62\ See Securities Exchange Act Release No. 65556, In the Matter of EDGX Exchange, Inc., EDGA Exchange, Inc. and Direct Edge ECN LLC (settled action: October 13, 2011), available at: https://www.sec.gov/litigation/admin/2011/34-65556.pdf (``Direct Edge Order''); see also Commission News Release, 2011-208, ``SEC Sanctions Direct Edge Electronic Exchanges and Orders Remedial Measures to Strengthen Systems and Controls'' (October 13, 2011). EDGX, EDGA, and their affiliated routing broker, Direct Edge ECN LLC (dba DE Route), consented to an Order Instituting Administrative and Cease-and-Desist Proceedings Pursuant to Sections 19(h) and 21C of the Securities Exchange Act of 1934, Making Findings, and Imposing Remedial Sanctions and a Cease-and-Desist Order.

\63\ See Direct Edge Order, supra note 62, at 3.

---------------------------------------------------------------------------

More recently, in 2012, systems issues hampered the initial public offerings of BATS Global Markets, Inc. and Facebook, Inc.\64\ On March 23, 2012, BATS announced that a ``software bug'' caused BATS to shut down the IPO of its own stock, BATS Global Markets, Inc.\65\ On May 18, 2012, issues with Nasdaq's trading systems delayed the start of trading in the high-profile IPO of Facebook, Inc. and some market participants experienced delays in notifications over whether orders had been filled.\66\

---------------------------------------------------------------------------

\64\ See also infra note 334 and accompanying text.

\65\ See ``BATS BZX Exchange Post-Mortem'' by BATS, March 23, 2012, available at: www.batstrading.com/alerts (accessed July 2, 2012).

\66\ See ``Post-Mortem for NASDAQ issues related to the Facebook Inc. (FB) IPO Cross on Friday, May 18, 2012'' by NASDAQ, May 18, 2012, available at: https://www.nasdaqtrader.com/TraderNews.aspx?id=ETA2012-20 (accessed July 2, 2012).

---------------------------------------------------------------------------

While these are illustrative high-profile examples, they are not the only instances of disruptions and other systems problems experienced by SROs and ATSs.\67\ Moreover, the risks associated with cybersecurity, and how to protect against systems intrusions, are increasingly of concern to all types of entities, including public companies.\68\

---------------------------------------------------------------------------

\67\ The Commission notes that outages have occurred on foreign markets recently as well. See, e.g., Kana Inagaki and Kosaku Narioka, ``Tokyo Tackles Trading Glitch,'' Wall St. J., February 2, 2012; and Neil Shah and Carrick Mellenkamp, ``London Exchange Paralyzed by Glitch,'' Wall St. J., September 9, 2008, Europe Business News. See also discussion in infra Section III.C.1.b regarding business continuity planning during October 2012 due to Superstorm Sandy.

\68\ See, e.g., CF Disclosure Guidance: Topic No. 2, Cybersecurity (October 13, 2011), available at: https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm (providing the Division of Corporation Finance's views regarding disclosure obligations relating to cybersecurity risks and cyber incidents).
---------------------------------------------------------------------------

On October 2, 2012, the Commission conducted a roundtable entitled ``Technology and Trading: Promoting Stability in Today's Markets'' (``Roundtable'').\69\ The Roundtable examined the relationship between the operational stability and integrity of the securities market and the ways in which market participants design, implement, and manage complex and interconnected trading technologies.\70\ Panelists offered their views on how market participants could prevent, or at least mitigate, technology errors as well as how error response could be improved.

---------------------------------------------------------------------------

\69\ See Securities Exchange Act Release No. 67802 (September 7, 2012), 77 FR 56697 (September 13, 2012) (File No. 4-652). A webcast of the Roundtable is available at: www.sec.gov/news/otherwebcasts/2012/ttr100212.shtml.

\70\ See Securities Exchange Act Release No. 67725 (August 24, 2012), 77 FR 52766 (August 30, 2012) (File No. 4-652). The Roundtable included panelists from academia, clearing agencies, national securities exchanges, broker-dealers, and other organizations. Panelists for the first panel were: Dr. Nancy Leveson, Professor of Aeronautics and Astronautics and Engineering Systems, MIT (``MIT''); Sudhanshu Arya, Managing Director, ITG (``ITG''); Chris Isaacson, Chief Operating Officer, BATS Exchange (``BATS''); Dave Lauer, Market Structure and HFT Consultant, Better Markets, Inc. (``Better Markets''); Jamil Nazarali, Head of Citadel Execution Services, Citadel (``Citadel''); Lou Pastina, Executive Vice President--NYSE Operations, NYSE (``NYSE''); Christopher Rigg, Partner--Financial Services Industry, IBM (``IBM''); and Jonathan Ross, Chief Technology Officer, GETCO LLC (``Getco''). Panelists for the second panel were: Dr. M. Lynne Markus, Professor of Information and Process Management, Bentley University (``Bentley''); David Bloom, Head of UBS Group Technology (``UBS''); Chad Cook, Chief Technology Officer, Lime Brokerage LLC (``Lime''); Anna Ewing, Executive Vice President and Chief Information Officer, Nasdaq; Albert Gambale, Managing Director and Chief Development Officer, Depository Trust and Clearing Corp. (``DTCC''); Saro Jahani, Chief Information Officer, Direct Edge (``DE''); and Lou Steinberg, Chief Technology Officer, TD Ameritrade (``TDA''). See Technology and Trading: Promoting Stability in Today's Markets Roundtable -- Participant Bios, available at: https://www.sec.gov/news/otherwebcasts/2012/ttr100212-bios.htm. The Roundtable was announced on August 3, 2012, following a report by Knight Capital Group, Inc. (``Knight'') that, on August 1, 2012, it ``experienced a technology issue at the opening of trading at the NYSE * * * [which was] related to Knight's installation of trading software and resulted in Knight sending numerous erroneous orders in NYSE-listed securities into the market * * * Knight * * * traded out of its entire erroneous trade position, which * * * resulted in a realized pre-tax loss of approximately $440 million.'' See Knight Capital Group Provides Update Regarding August 1st Disruption To Routing In NYSE-listed Securities (August 2, 2012), available at: https://www.knight.com/investorRelations/pressReleases.asp?compid=105070&releaseID=1721599. Although the Knight incident highlights the importance of the integrity of broker-dealer systems, the focus of the Roundtable was not limited to broker-dealers. But see infra Section III.G, soliciting comment regarding the potential inclusion of broker-dealers, other than SCI ATSs, in the proposed definition of SCI entity.

---------------------------------------------------------------------------

Although the discussion was wide-ranging, several themes emerged, with panelists generally agreeing that areas of focus across the industry should be on adherence to best practices, improved quality assurance, more robust testing, increased pre-trade and post-trade risk controls, real-time monitoring of systems, and improved communications when systems problems occur. The panelists also discussed whether there should be regulatory or other mandates for quality standards and industry testing, and whether specific mechanisms, such as ``kill switches,'' \71\ would be useful to protect the markets from technology errors and to advance the goal of bolstering investor confidence in the markets.\72\ Several panelists also stated that, given the frequency of coding changes in the current market environment, testing of software changes should be far more robust.\73\

---------------------------------------------------------------------------

\71\ The term ``kill switch'' is a shorthand expression used by market participants, including Roundtable participants and Roundtable commenters, to refer to mechanisms pursuant to which one or more limits on trading could be established by a trading venue for its participants that, if exceeded, would authorize the trading venue to stop accepting incoming orders from such participant. See also infra note 76 and accompanying text.

\72\ With regard to quality assurance in particular, Roundtable panelists differed on the role of third parties in providing quality assurance. Some panelists believed that, given the difficulty for an outside party to understand the complex systems of trading firms and other market participants, such a role should be performed by internal staff who are better able to understand such systems, while other panelists opined that it was critical that independent parties provide quality assurance.
\73\ Panelists urging greater testing in general and industry testing in particular included those from BATS, Better Markets, DE, ITG, Getco, Nasdaq, NYSE, and TDA.

---------------------------------------------------------------------------

In addition to the Roundtable panels, the Commission solicited comment with respect to the Roundtable's topics, and received statements from some of the Roundtable panelists, as well as comment letters from the public.\74\ Many comment letters specifically recommended improved testing as a way to aid error prevention.\75\ In addition, several commenters expressed support for a ``kill-switch'' mechanism that would permit exchanges or other market centers to terminate a firm's trading activity if such activity was posing a threat to market integrity.\76\

---------------------------------------------------------------------------

\74\ See https://www.sec.gov/comments/4-652/4-652.shtml, listing and publishing all comment letters received by the Commission with respect to the Roundtable. The letters received cover a broad array of topics, some of which are unrelated to proposed Regulation SCI. This proposing release discusses and references the following letters when relevant to the discussion of proposed Regulation SCI: Letter dated September 5, 2012, from James J. Angel, Ph.D., CFA, Georgetown University and the Wharton School, University of Pennsylvania (``Angel''); Letter dated September 27, 2012, from Eric Swanson, BATS Global Markets, Inc.; Letter dated October 2, 2012, from Dave Lauer, Market Structure and HFT Consultant, Better Markets (``Better Markets''); Letter dated October 1, 2012, from Jamil Nazarali, Citadel (``Citadel''); Letter dated October 23, 2012, from Scott Goebel, Senior Vice President and General Counsel, Fidelity Management & Research Company (``Fidelity''); Letter dated November 1, 2012, from Arsalan Shahid, Program Director, Financial Information Forum (``FIF''); Letter dated October 19, 2012, from Courtney Doyle McGuinn, Operations Director, FIX Protocol Ltd. (``FIX''); Letter dated October 1, 2012, from Elizabeth K. King, Head of Regulatory Affairs, GETCO LLC (``Getco''); Letter dated October 18, 2012, from Adam Nunes, President, Hudson River Trading LLC (``Hudson''); Letter dated September 23, 2012, from Patrick J. Healy, CEO, Issuer Advisory Group LLC (``IAG''); Letter dated October 23, 2012, from Karrie McMillan, General Counsel, Investment Company Institute (``ICI''); Letter dated October 22, 2012, from James P. Selway III, Managing Director, Head of Liquidity Management, and Sudhanshu Arya, Managing Director, Head of Technology for Liquidity Management, ITG Inc. (``ITG''); Letter dated September 28, 2012, from Joseph M. Mecane, NYSE Euronext; Richard G. Ketchum, FINRA; Eric Noll, Nasdaq OMX, Inc.; Christopher A. Isaacson, BATS Global Markets, Inc.; Bryan Harkins, DirectEdge; David Herron, Chicago Stock Exchange; Murray Pozmanter, The Depository Trust & Clearing Corporation; Bank of America Merrill Lynch; Citadel LLC; Citigroup Global Markets Inc.; Deutsche Bank Securities Inc.; GETCO; Goldman, Sachs & Co/Goldman Sachs Execution and Clearing; IMC Chicago LLC; ITG, Inc.; Jane Street; J.P. Morgan Securities LLC; RBC Capital Markets, LLC; RGM Advisors, LLC; Two Sigma Securities; UBS Securities LLC; Virtu Financial; Wells Fargo Securities (``Industry Working Group''); Letter dated September 25, 2012, from R. T. Leuchtkafer (``Leuchtkafer''); Letter dated August 14, 2012, from Stuart J. Kaswell, Executive Vice President, Managing Director & General Counsel, Managed Funds Association (``MFA''); Letter dated October 1, 2012, from Richard Gorelick, RGM Advisors, Cameron Smith, Quantlab, and Peter Nabicht, Allston Trading (``RGM''); Letter dated September 28, 2012, from Nasser A. Sharara, Managing Director, Product Management, Raptor Trading Systems (``Raptor''); Letter dated October 1, 2012, from Lou Steinberg, Managing Director, Chief Technology Officer, TDA (``TDA''); Letter dated October 24, 2012, from David Weisberger, Executive Principal, Two Sigma Securities, LLC (``Two Sigma'').

\75\ See, e.g., letters from Angel, BATS, Better Markets, Citadel, Fidelity, FIF, FIX, Getco, Hudson, IAG, ICI, ITG, Industry Working Group, Leuchtkafer, MFA, RGM, and Two Sigma, supra note 74. Some of these commenters specifically urged greater integration testing and stated that testing with exchanges and other market centers under simulated market conditions was necessary in today's extremely fast and interconnected markets. One commenter (Angel) suggested that exchanges operate completely from their backup data centers one day each year to test such systems and market participants' connectivity to them.

\76\ See, e.g., letters from Angel, BATS, Citadel, FIF, Getco, IAG, Industry Working Group, MFA, RGM, and Raptor, supra note 74. See also letters from Fidelity, FIX, Hudson and ITG, supra note 74, submitted after the Roundtable, suggesting possible approaches for establishing kill switch criteria. See also supra note 71, describing the use of the term ``kill switch'' in this release.
--------------------------------------------------------------------------- [[Page 18091]] The Commission believes that the information presented at the Roundtable and received from commenters, as broadly outlined above, highlights that quality standards, testing, and improved error response mechanisms are among the issues needing very thoughtful and focused attention in today's securities markets.\77\ In formulating proposed Regulation SCI, the Commission has considered the information and views discussed at the Roundtable and received from commenters. --------------------------------------------------------------------------- \77\ The Commission notes that Roundtable panelists and commenters offering their views and suggestions generally did so in the context of discussing the market as a whole, rather than focusing on the roles and regulatory status of different types of market participants. However, some commented on the utility of the ARP Inspection Program and suggested that it could be expanded. See, e.g., letter from Leuchtkafer, supra note 74. In addition, the panelists from Getco, Nasdaq, and NYSE also suggested that ARP could be expanded, with the panelist from NYSE in particular advocating that the applicability of any new ARP-related regulations not be limited to SROs. One commenter suggested that the Commission update and formalize the ARP Inspection Program before extending it to other market participants. See letter from Fidelity, supra note 74. This commenter added further that, if the ARP program is extended to other market participants, it should not include a requirement that broker-dealers submit certain information, such as algorithmic code changes, for independent review. See also infra Section III.G, soliciting comment on whether the requirements of proposed Regulation SCI should apply, in whole or in part, to broker-dealers or a subset thereof. 
--------------------------------------------------------------------------- Most recently, the U.S. national securities exchanges closed for two business days in the wake of Superstorm Sandy, a major storm that hit the East Coast of the United States during October 2012, and which caused significant damage in lower Manhattan, among other places.\78\ Press reports stated that, while the markets planned to open on the first day of the storm (with the NYSE planning to operate under its contingency plan as an electronic-only venue),\79\ after consultation with market participants, including the Commission and its staff, and in light of concerns over the physical safety of personnel and the possibility of technical issues, the national securities exchanges jointly decided not to open for trading on October 29 and October 30, 2012.\80\ The market closures occurred even though the securities industry's annual test of how trading firms, market operators and their utilities could operate through an emergency using backup sites, backup communications, and disaster recovery facilities occurred on October 27, 2012, just two days before the storm.\81\ According to press reports, the test did not uncover issues that would preclude markets from opening two days later with backup systems, if they so chose.\82\ In addition, NYSE's contingency plan was tested seven months prior to the storm, though press reports indicate that a large number of NYSE members did not participate.\83\ The Commission also has considered the impact of Superstorm Sandy on the securities markets, particularly with respect to business continuity planning and testing, in formulating proposed Regulation SCI. 
--------------------------------------------------------------------------- \78\ See ``NYSE to Remain Open for Trading While Physical Trading Floor and New York Building Close in Accordance with Actions Taken by City and State Officials,'' (October 28, 2012) (``NYSE Floor Closure Statement''), available at: https://www.nyse.com/press/1351243407197.html; and ``NYSE Euronext Statement on Closure of U.S. Markets on Monday Oct. 29 and Pending Confirmation on Tuesday, Oct. 30, 2012,'' (October 28, 2012) (``NYSE Closure Statement''), available at: https://www.nyse.com/press/1351243418010.html. \79\ The NYSE had initially planned to act pursuant to NYSE Rule 49 (Emergency Powers), which permits a designated official of the NYSE, in the event of an emergency (as defined in Section 12(k)(7) of the Exchange Act), to designate NYSE Arca to receive and process bids and offers and to execute orders on behalf of the NYSE. See ``NYSE Contingency Trading Plan in effect for Monday, October 29, 2012,'' (October 28, 2012) (``Market Operations Update''), available at: https://markets.nyx.com/nyse/trader-updates/view/11503. The Commission approved NYSE Rule 49 on December 16, 2009. See Securities Exchange Act Release No. 61177 (December 16, 2009), 74 FR 68643 (December 28, 2009) (SR-NYSE-2009-105) (approving proposed rule change by the NYSE relating to the designation of NYSE Arca as the NYSE's alternative trading facility in an emergency). \80\ See, e.g., ``A giant storm and the struggle over closing Wall Street,'' October 31, 2012, available at: https://www.reuters.com/article/2012/10/31/us-storm-sandy-nyse-insight-idUSBRE89T0F920121031. See also, e.g., NYSE Closure Statement, supra note 78. \81\ See, e.g., ``Storm Over Wall Street Going Dark,'' November 12, 2012, available at: https://www.tradersmagazine.com/news/storm-over-wall-street-going-dark-110526-1.html. \82\ See id. See also https://www.sifma.org/services/bcp/industry-testing. \83\ See id. 
and NYSE Floor Closure Statement, supra note 78. --------------------------------------------------------------------------- II. Proposed Codification and Enhancement of ARP Inspection Program In the Commission's view, the convergence of several developments-- the evolution of the markets to become significantly more dependent upon sophisticated automated systems, the limitations of the existing ARP Inspection Program, and the lessons of recent events--highlight the need to consider an updated and formalized regulatory framework for ensuring that the U.S. securities trading markets develop and maintain systems with adequate capacity, integrity, resiliency, availability, and security, and reinforce the requirement that such systems operate in compliance with the Exchange Act. The Commission is proposing new Regulation SCI because the Commission preliminarily believes that it would further the goals of the national market system and reinforce Exchange Act obligations to require entities important to the functioning of the U.S. securities markets to carefully design, develop, test, maintain, and surveil systems integral to their operations. Proposed Regulation SCI would replace the two ARP policy statements. Although proposed Regulation SCI would codify in a Commission rule many of the principles of the ARP policy statements with which SROs and other participants in the ARP Inspection Program are familiar, the proposed rule would apply to more entities than the current ARP Inspection Program and would place obligations not currently included in the ARP policy statements on entities subject to the rule. Specifically, proposed Regulation SCI would apply to ``SCI entities,'' a term that would include ``SCI SROs,'' ``SCI ATSs,'' ``plan processors,'' and ``exempt clearing agencies subject to ARP.'' \84\ --------------------------------------------------------------------------- \84\ Each of these terms is discussed in detail in Section III.B.1 below. 
--------------------------------------------------------------------------- Further, to help ensure that the proposed rule covers key systems of SCI entities, the proposed rule would define (for purposes of Regulation SCI) the term ``SCI systems'' to mean those systems of, or operated by or on behalf of, an SCI entity that directly support trading, clearance and settlement, order routing, market data, regulation, or surveillance. In addition, the term ``SCI security systems'' would include systems that share network resources with SCI systems that, if breached, would be reasonably likely to pose a security threat to such systems.\85\ The proposed rule also would define several other terms intended to specify what types of systems changes and problems (``SCI events'') the Commission considers to be most significant and, therefore, preliminarily believes should be covered by the proposed rule's requirements. --------------------------------------------------------------------------- \85\ See infra Section III.B.2 for a discussion of the proposed definitions of SCI systems and SCI security systems. --------------------------------------------------------------------------- In addition, proposed Regulation SCI would specify the obligations SCI entities would have with respect to covered systems and SCI events. 
Specifically, proposed Regulation SCI would require that each SCI entity: (1) [[Page 18092]] Establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, SCI security systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity's operational capability and promote the maintenance of fair and orderly markets; (2) establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in the manner intended; (3) respond to SCI events with appropriate corrective action; (4) report SCI events to the Commission and submit follow-up reports, as applicable; (5) disseminate information regarding certain SCI events to members or participants of the SCI entity; (6) report material systems changes to the Commission; (7) conduct an SCI review of its systems not less than once each calendar year; (8) submit certain periodic reports to the Commission, including a report of the SCI review, together with any response by senior management; (9) mandate participation by designated members or participants in scheduled testing of the operation of the SCI entity's business continuity and disaster recovery plans, including backup systems, and coordinate such testing on an industry- or sector-wide basis \86\ with other SCI entities; and (10) make, keep, and preserve records relating to the matters covered by Regulation SCI, and provide them to Commission representatives upon request. The proposal also would require that an SCI entity submit all required written notifications and reports to the Commission electronically using new proposed Form SCI. --------------------------------------------------------------------------- \86\ See infra Section III.C.7 for a discussion of the terms industry-wide and sector-wide. 
--------------------------------------------------------------------------- III. Proposed Regulation SCI A. Overview The purpose of proposed Regulation SCI is to enhance the Commission's regulatory supervision of SCI entities and thereby further the goals of the national market system by helping to ensure the capacity, integrity, resiliency, availability, and security, and enhance compliance with federal securities laws and regulations, of automated systems relating to the U.S. securities markets through the formalization of standards to which their automated systems would be held, and a regulatory framework for ensuring more effective Commission oversight of these systems. Proposed Rule 1000(a) sets forth several definitions designed to establish the scope of the new rule. Proposed Rule 1000(b) sets forth the obligations that would be imposed on SCI entities with respect to systems and systems issues. Proposed Rules 1000(c)-(f) set forth recordkeeping and electronic filing requirements and address certain other related matters. B. Proposed Rule 1000(a): Definitions Establishing the Scope of Regulation SCI A series of definitions set forth in proposed Rule 1000(a) relate to the scope of proposed Regulation SCI. These include the definitions for ``SCI entity,'' ``SCI systems,'' ``SCI security systems,'' ``SCI event,'' ``systems disruption,'' ``systems compliance issue,'' ``systems intrusion,'' ``dissemination SCI event,'' and ``material systems change.'' 1. SCI Entities Although the ARP policy statements are rooted in Exchange Act requirements, the ARP Inspection Program has developed without the promulgation of Commission rules applicable to SROs or plan processors. Under the ARP Inspection Program, Commission staff conducts inspections of SROs to assess the capacity, integrity, resiliency, availability, and security of their systems. 
These inspections also have historically included the systems of entities that process and disseminate quotation and transaction data on behalf of the Consolidated Tape Association System (``CTA Plan''), Consolidated Quotation System (``CQS Plan''), Joint Self-Regulatory Organization Plan Governing the Collection, Consolidation, and Dissemination of Quotation and Transaction Information for Nasdaq-Listed Securities Traded on Exchanges on an Unlisted Trading Privileges Basis (``Nasdaq UTP Plan''), and Options Price Reporting Authority (``OPRA Plan'').\87\ The ARP Inspection Program has also included one exempt clearing agency.\88\ Pursuant to Rule 301(b)(6) of Regulation ATS, certain aspects of the ARP policy statements apply mandatorily to significant-volume ATSs, as they are currently defined under Regulation ATS.\89\ However, because no ATSs currently meet the significant-volume thresholds specified in Rule 301(b)(6) of Regulation ATS,\90\ compliance with the ARP Inspection Program is not mandatory at this time for any ATS.\91\ Proposed Regulation SCI would provide mandatory uniform requirements for ``SCI entities.'' Proposed Rule 1000(a) would define ``SCI entity'' as an ``SCI self-regulatory organization, SCI alternative trading system, plan processor, or exempt clearing agency subject to ARP.'' The proposed rule also would define each of these terms for the purpose of designating specifically the entities that the Commission preliminarily believes should be subject to the rule. --------------------------------------------------------------------------- \87\ See ARP I Release, supra note 1, at n. 8 and n. 17. Each of the CTA Plan, CQS Plan, Nasdaq UTP Plan, and OPRA Plan, is a ``national market system plan'' (``NMS Plan'') as defined under Rule 600(a)(43) of Regulation NMS under the Exchange Act, 17 CFR 242.600(a)(43). 
Rule 600(a)(55) of Regulation NMS under the Exchange Act, 17 CFR 242.600(a)(55), defines a ``plan processor'' as ``any self-regulatory organization or securities information processor acting as an exclusive processor in connection with the development, implementation and/or operation of any facility contemplated by an effective national market system plan.'' Section 3(a)(22)(B) of the Exchange Act, 15 U.S.C. 78c(22)(B), defines ``exclusive processor'' to mean ``any securities information processor or self-regulatory organization which, directly or indirectly, engages on an exclusive basis on behalf of any national securities exchange or registered securities association, or any national securities exchange or registered securities association which engages on an exclusive basis on its own behalf, in collecting, processing, or preparing for distribution or publication any information with respect to (i) transactions or quotations on or effected or made by means of any facility of such exchange or (ii) quotations distributed or published by means of any electronic system operated or controlled by such association.'' As a processor involved in collecting, processing, and preparing for distribution transaction and quotation information, the processor of each of the CTA Plan, CQS Plan, Nasdaq UTP Plan, and OPRA Plan meets the definition of ``exclusive processor;'' and because each acts as an exclusive processor in connection with an NMS Plan, each also meets the definition of ``plan processor'' under Rule 600(a)(55) of Regulation NMS, as well as proposed Rule 1000(a) of Regulation SCI. For ease of reference, an NMS Plan having a current or future ``plan processor'' is referred to herein as an ``SCI Plan.'' The Commission notes that not every processor of an NMS Plan would be a ``plan processor,'' as proposed to be defined in Rule 1000(a), and therefore not every processor of an NMS Plan would be an SCI entity subject to the requirements of proposed Regulation SCI. 
For example, the processor of the Symbol Reservation System associated with the National Market System Plan for the Selection and Reservation of Securities Symbols (File No. 4-533) would not be a ``plan processor'' subject to Regulation SCI because it does not meet the ``exclusive processor'' statutory definition, as it is not involved in collecting, processing, and preparing for distribution transaction and quotation information. \88\ See infra notes 133-135 and accompanying text. \89\ See 17 CFR 242.301(b)(6). See also supra note 26. \90\ 17 CFR 242.301(b)(6). \91\ One ATS currently participates voluntarily in the ARP Inspection Program, though, in the past, other ATSs have also participated in the ARP Inspection Program. --------------------------------------------------------------------------- Proposed Rule 1000(a) would define the term ``SCI self-regulatory organization.'' The definition of ``SCI self-regulatory organization,'' or ``SCI SRO,'' would be consistent with the definition of ``self- regulatory organization'' set forth in Section 3(a)(26) of the Exchange Act,\92\ and [[Page 18093]] would cover all national securities exchanges registered under Section 6(b) of the Exchange Act,\93\ registered securities associations,\94\ registered clearing agencies,\95\ and the Municipal Securities Rulemaking Board (``MSRB'').\96\ The definition would, however, exclude an exchange that lists or trades security futures products that is notice-registered with the Commission as a national securities exchange pursuant to Section 6(g) of the Exchange Act, as well as any limited purpose national securities association registered with the Commission pursuant to Exchange Act Section 15A(k).\97\ Accordingly, the definition of SCI SRO in proposed Rule 1000(a) would mandate that all national securities exchanges registered under Section 6(b) of the Exchange Act, all registered securities associations, all registered clearing agencies, and the MSRB, comply with Regulation 
SCI.\98\ --------------------------------------------------------------------------- \92\ See 15 U.S.C. 78c(a)(26): ``The term `self-regulatory organization' means any national securities exchange, registered securities association, or registered clearing agency, or (solely for purposes of sections 19(b), 19(c), and 23(b) of this title) the Municipal Securities Rulemaking Board established by section 15B of this title.'' See infra note 96. \93\ Currently, these registered national securities exchanges are: (1) BATS; (2) BATS-Y; (3) BOX; (4) CBOE; (5) C2; (6) CHX; (7) EDGA; (8) EDGX; (9) ISE; (10) MIAX; (11) Nasdaq OMX BX; (12) Nasdaq OMX Phlx; (13) Nasdaq; (14) NSX; (15) NYSE; (16) NYSE MKT; and (17) NYSE Arca. \94\ FINRA is the only registered national securities association. \95\ Currently, there are seven clearing agencies (Depository Trust Company (``DTC''); Fixed Income Clearing Corporation (``FICC''); National Securities Clearing Corporation (``NSCC''); Options Clearing Corporation (``OCC''); ICE Clear Credit; ICE Clear Europe; and CME) with active operations that are registered with the Commission. See also infra notes 133-135 and accompanying text. The Commission notes that it recently adopted Rule 17Ad-22, which requires registered clearing agencies to have effective risk management policies and procedures in place. See Securities Exchange Act Release No. 68080 (October 22, 2012), 77 FR 66220 (November 2, 2012). 
Among other things, Rule 17Ad-22(d)(4) requires that registered clearing agencies ``[i]dentify sources of operational risk and minimize them through the development of appropriate systems, controls, and procedures; implement systems that are reliable, resilient and secure, and have adequate, scalable capacity; and have business continuity plans that allow for timely recovery of operations and fulfillment of a clearing agency's obligations.'' In its adopting release, the Commission stated that Rule 17Ad-22(d)(4) ``* * * complements the existing guidance provided by the Commission in its Automation Review Policy Statements and the Interagency White Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System.'' Similarly, the Commission preliminarily believes that proposed Regulation SCI, to the extent it addresses areas of risk management similar to those addressed by Rule 17Ad-22(d)(4), complements Rule 17Ad-22(d)(4). See also infra note 203. \96\ 15 U.S.C. 78c(a)(26). See also supra note 92. Historically, the ARP Inspection Program has not included the MSRB, but instead has focused on entities having trading, quotation and transaction reporting, and clearance and settlement systems more closely connected to the equities and options markets. In considering the entities that should be subject to proposed Regulation SCI, the Commission preliminarily believes that it would be appropriate to apply proposed Regulation SCI to all SROs (subject to the exception noted in infra note 97), of which the MSRB is one, particularly given the fact that the MSRB is the only SRO relating to municipal securities and is the sole provider of consolidated market data for the municipal securities market. Specifically, in 2008, the Commission amended Rule 15c2-12 to designate the MSRB as the single centralized disclosure repository for continuing municipal securities disclosure. In 2009, the MSRB established the Electronic Municipal Market Access system (``EMMA''). 
EMMA now serves as the official repository of municipal securities disclosure, providing the public with free access to relevant municipal securities data, and is the central database for information about municipal securities offerings, issuers, and obligors. Additionally, the MSRB's Real-Time Transaction Reporting System (``RTRS''), with limited exceptions, requires municipal bond dealers to submit transaction data to the MSRB within 15 minutes of trade execution, and such near real-time post-trade transaction data can be accessed through the MSRB's EMMA Web site. While pre-trade price information is not as readily available in the municipal securities market, the Commission's Report on the Municipal Securities Market also recommends that the Commission and MSRB explore the feasibility of enhancing EMMA to collect best bids and offers from material ATSs and make them publicly available on fair and reasonable terms. See Report on the Municipal Securities Market (July 31, 2012), available at: https://www.sec.gov/news/studies/2012/munireport073112.pdf. \97\ See 15 U.S.C. 78f(g); 15 U.S.C. 78o-3(k). These entities are security futures exchanges and the National Futures Association, for which the CFTC serves as their primary regulator. The Commission preliminarily believes that it would be appropriate to defer to the CFTC regarding the systems integrity of these entities. \98\ For any SCI SRO that is a national securities exchange, any facility of such national securities exchange, as defined in Section 3(a)(2) of the Exchange Act, 15 U.S.C. 78c(a)(2), also would be covered because such facilities are included within the definition of ``exchange'' in Section 3(a)(1) of the Exchange Act, 15 U.S.C. 78c(a)(1). --------------------------------------------------------------------------- Proposed Rule 1000(a) would define the term ``SCI alternative trading system,'' or ``SCI ATS,'' as an alternative trading system, as defined in Sec. 
242.300(a), which during at least four of the preceding six calendar months, had: (1) With respect to NMS stocks--(i) five percent or more in any single NMS stock, and 0.25 percent or more in all NMS stocks, of the average daily dollar volume reported by an effective transaction reporting plan, or (ii) one percent or more, in all NMS stocks, of the average daily dollar volume reported by an effective transaction reporting plan; (2) with respect to equity securities that are not NMS stocks and for which transactions are reported to a self-regulatory organization, five percent or more of the average daily dollar volume as calculated by the self-regulatory organization to which such transactions are reported; or (3) with respect to municipal securities or corporate debt securities, five percent or more of either--(i) the average daily dollar volume traded in the United States, or (ii) the average daily transaction volume traded in the United States.\99\ --------------------------------------------------------------------------- \99\ Proposed Regulation SCI includes specific quantitative requirements, such as proposed Rule 1000(a), which would include numerical thresholds in the definition of SCI ATS. The Commission recognizes that the specificity of each such quantitative threshold could be read by some to imply a definitive conclusion based on quantitative analysis of that threshold and its alternatives. The numerical thresholds in the definition of SCI ATS have not been derived from econometric or mathematical models. Instead, they reflect a preliminary assessment by the Commission, based on qualitative and some quantitative analysis, of the likely economic consequences of the specific quantitative thresholds proposed to be included in the definition. There are a number of challenges presented in conducting such a quantitative analysis in a robust fashion as discussed in this section. 
Accordingly, the selection of the particular quantitative thresholds for the definition of SCI ATS reflects a qualitative and preliminary quantitative assessment by the Commission regarding the appropriate thresholds. In making such assessments and, in turn, selecting the proposed quantitative thresholds, the Commission has reviewed data from OATS and other sources. The Commission emphasizes that it invites comment, including relevant data and analysis, regarding all aspects of the various quantitative standards reflected in the proposed rules. --------------------------------------------------------------------------- As proposed, ATSs would be covered if they met the proposed thresholds for at least four of the preceding six months, which the Commission preliminarily believes is an appropriate time period over which to evaluate the trading volume of an ATS.\100\ The Commission preliminarily believes that this time period would help ensure that the standards are not so low as to capture ATSs whose volume would still be considered relatively low, but, for example, that may have had an anomalous increase in trading on a given day or small number of days. --------------------------------------------------------------------------- \100\ The proposed measurement period would remain unchanged from the period currently in Rule 301(b)(6) of Regulation ATS. 
--------------------------------------------------------------------------- The proposed definition would modify the thresholds currently appearing in Rule 301(b)(6) of Regulation ATS that apply to significant-volume ATSs.\101\ Specifically, the proposed definition would: Use average daily dollar volume thresholds, instead of an average daily share volume threshold, for ATSs that trade NMS stocks or equity securities that are not NMS stocks (``non-NMS stocks''); use alternative average daily dollar and transaction volume-based tests for ATSs that trade municipal securities or corporate debt securities; lower the volume thresholds applicable to ATSs for each category of asset class; and move the proposed thresholds to Rule 1000(a) of proposed Regulation SCI. In particular, with respect to NMS stocks, the Commission proposes to [[Page 18094]] change the volume threshold from 20 percent of average daily volume in any NMS stock such that an ATS that trades NMS stocks that meets either of the following two alternative threshold tests would be subject to the requirements of proposed Regulation SCI: (i) Five percent or more in any NMS stock, and 0.25 percent or more in all NMS stocks, of the average daily dollar volume reported by an effective transaction reporting plan; or (ii) one percent or more, in all NMS stocks, of the average daily dollar volume reported by an effective transaction reporting plan. This change is designed to ensure that proposed Regulation SCI is applied to an ATS that could have a significant impact on the NMS stock market as a whole, as well as an ATS that could have a significant impact on a single NMS stock and some impact on the NMS stock market as a whole at the same time.\102\ Specifically, by imposing both a single NMS stock threshold and an all NMS stocks threshold in (i) above, proposed Regulation SCI would not apply to an ATS that has a large volume in a small NMS stock and little volume in all other NMS stocks. 
Based on data collected from FINRA's Order Audit Trail System (``OATS data'') for one week of trading in May 2012,\103\ the Commission preliminarily believes that approximately 10 ATSs trading NMS stocks would exceed the proposed thresholds and fall within the definition of SCI entity, accounting for approximately 87 percent of the dollar volume market share of all ATSs trading NMS stocks. --------------------------------------------------------------------------- \101\ 17 CFR 242.301(b)(6). See also supra note 26. \102\ Under the proposed thresholds, inactive ATSs would not be included in the definition of SCI ATS. The Commission has considered barriers to entry and the promotion of competition in setting the threshold (see discussion at infra Section V.C.4.b) such that new ATSs trading NMS stocks would be able to commence operations without, at least initially, being required to comply with--and thereby not incurring the costs associated with--proposed Regulation SCI. If the proposed thresholds are adopted, a new ATS could engage in limited trading in any one NMS stock or all NMS stocks, until it reached an average daily dollar volume of five percent or more in any one NMS stock and 0.25 percent or more in all NMS stocks, or one percent in all NMS stocks, over four of the preceding six months. Because a new ATS could begin trading in NMS stocks for at least three months (i.e., less than four of the preceding six months), and conduct such trading at any dollar volume level without being subject to proposed Regulation SCI, and would have to exceed the specified volume levels for the requisite period to become so subject, the Commission preliminarily believes that these proposed thresholds should not prevent a new ATS entrant from having the opportunity to initiate and develop its business. 
\103\ Commission staff analyzed OATS data for the week of May 7- 11, 2012, a week with average market activity and no holidays or shortened trading days, and thus intended to be a representative trading week. However, because the OATS data analysis does not consider trading volume over a six-month period and does not base the threshold test on four out of the preceding six calendar months as prescribed in proposed Rule 1000(a), it may overestimate the number of ATSs that would meet the proposed thresholds. For example, a large block trade during a single week could skew an ATS's numbers upward from what would be observed over the course of the four months with the highest volumes during a six-month period, particularly with respect to the proposed single-stock threshold. In addition, because the OATS data does not identify all ATSs and does not identify some ATSs uniquely, some ATSs may not be accounted for in the estimated number of ATSs that would meet the proposed threshold. Nevertheless, the Commission believes the analysis of OATS data offers useful insights. --------------------------------------------------------------------------- The Commission notes that its analysis of the OATS data does not reveal an obvious threshold level above which a particular subset of ATSs may be considered to have a significant impact on individual NMS stocks or the overall market, as compared to another subset of ATSs. The Commission preliminarily believes that inclusion of the proposed dual dollar volume threshold is appropriate to help prevent an ATS from avoiding the requirements of proposed Regulation SCI by circumventing one of the two threshold tests. 
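The NMS stock prong of the proposed SCI ATS definition, the four-of-the-preceding-six-calendar-months measurement period discussed above, and the snapshot caveat in note 103 can be expressed as a single calculation. The following Python example is added here for illustration; it is not part of the Commission's release, and neither the Commission nor FINRA has published such code. The data structures, function names, and the dollar volumes for the three hypothetical symbols are constructed assumptions; the percentage thresholds and the measurement period are those of proposed Rule 1000(a) as described above.

```python
"""Illustration (not from the SEC release) of the proposed Rule 1000(a)
NMS stock volume test for the SCI ATS definition. Symbols, volumes and
names below are constructed for the example."""
from dataclasses import dataclass
from typing import Dict, List

# Thresholds as proposed for NMS stocks (average daily dollar volume, ADDV).
SINGLE_STOCK_SHARE = 0.05   # test (i): 5% or more of ADDV in any single NMS stock...
ALL_STOCKS_FLOOR = 0.0025   # ...together with 0.25% or more of ADDV in all NMS stocks
ALL_STOCKS_ALONE = 0.01     # test (ii): 1% or more of ADDV in all NMS stocks
MONTHS_REQUIRED = 4         # in at least four of the preceding six calendar months
LOOKBACK_MONTHS = 6


@dataclass
class MonthlyVolume:
    """ADDV for one calendar month, keyed by symbol.

    `ats` is the ATS's own ADDV; `market` is the ADDV reported by the
    effective transaction reporting plan for the same symbols."""
    ats: Dict[str, float]
    market: Dict[str, float]


def nms_month_meets_threshold(m: MonthlyVolume) -> bool:
    """True if the month satisfies either alternative NMS stock test."""
    market_total = sum(m.market.values())
    if market_total <= 0:
        return False
    all_share = sum(m.ats.values()) / market_total
    # Test (ii): 1% or more of all NMS stocks is sufficient on its own.
    if all_share >= ALL_STOCKS_ALONE:
        return True
    # Test (i): 5% or more in at least one stock AND 0.25% or more overall.
    # The overall floor is what keeps a large share of one thin stock, with
    # little volume elsewhere, outside the definition.
    single_hit = any(
        m.market.get(sym, 0.0) > 0 and vol / m.market[sym] >= SINGLE_STOCK_SHARE
        for sym, vol in m.ats.items()
    )
    return single_hit and all_share >= ALL_STOCKS_FLOOR


def is_sci_ats(history: List[MonthlyVolume]) -> bool:
    """Apply the four-of-the-preceding-six-months rule to a month-ordered history.

    A new ATS with fewer than four months of history cannot qualify, whatever
    its volume, because at most len(history) months can meet the threshold."""
    window = history[-LOOKBACK_MONTHS:]
    qualifying = sum(1 for m in window if nms_month_meets_threshold(m))
    return qualifying >= MONTHS_REQUIRED


# Constructed consolidated ADDV (USD) for three hypothetical symbols; total 5.01e10.
MARKET = {"AAA": 1.0e8, "BBB": 1.0e10, "CCC": 4.0e10}

# (a) 10% of thin stock AAA but only about 0.22% overall: fails both tests.
CONCENTRATED = MonthlyVolume(ats={"AAA": 1.0e7, "BBB": 5.0e7, "CCC": 5.0e7}, market=MARKET)
# (b) 10% of AAA and about 0.42% overall: passes test (i).
SINGLE_PLUS_FLOOR = MonthlyVolume(ats={"AAA": 1.0e7, "BBB": 1.0e8, "CCC": 1.0e8}, market=MARKET)
# (c) no single stock at 5%, but about 1.2% overall: passes test (ii).
BROAD = MonthlyVolume(ats={"AAA": 1.0e6, "BBB": 2.0e8, "CCC": 4.0e8}, market=MARKET)
# (d) quiet month, far below every threshold.
QUIET = MonthlyVolume(ats={"AAA": 1.0e5, "BBB": 1.0e6, "CCC": 1.0e6}, market=MARKET)

# Three qualifying months of six (an anomalous burst): not an SCI ATS.
SPIKY_HISTORY = [QUIET, BROAD, BROAD, QUIET, BROAD, QUIET]
# Four qualifying months of six: within the proposed definition.
STEADY_HISTORY = [QUIET, BROAD, SINGLE_PLUS_FLOOR, QUIET, BROAD, BROAD]

if __name__ == "__main__":
    for label, month in [("concentrated", CONCENTRATED), ("single+floor", SINGLE_PLUS_FLOOR),
                         ("broad", BROAD), ("quiet", QUIET)]:
        print(f"{label:13s} month qualifies: {nms_month_meets_threshold(month)}")
    print("spiky history is SCI ATS:", is_sci_ats(SPIKY_HISTORY))
    print("steady history is SCI ATS:", is_sci_ats(STEADY_HISTORY))
```

The concentrated case shows the effect of pairing the 0.25 percent all-stocks floor with the five percent single-stock test, which is the circumvention concern discussed above. The spiky history shows why the one-week OATS snapshot in note 103 can overstate the number of covered ATSs: a burst of volume in a few months does not by itself bring an ATS within the definition, and the count must be taken over the six-month window rather than a single week.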
The Commission also preliminarily believes that a threshold that accounts for 87 percent of the dollar volume market share of all ATSs trading NMS stocks is a reasonable level that would not exclude new entrants to the ATS market.\104\ Moreover, the Commission preliminarily believes the proposed thresholds would appropriately include ATSs having NMS stock dollar volume comparable to the NMS stock dollar volume of the equity exchanges that are SCI SROs and therefore covered by proposed Regulation SCI.\105\

---------------------------------------------------------------------------

\104\ The Commission preliminarily believes that the remaining 13 percent of the dollar volume of all ATSs trading NMS stocks is limited to trading conducted on small and new ATSs. See also supra note 102.

\105\ For example, based on trade and quotation data published by NYSE Euronext for the period July 1, 2012 through December 31, 2012, the national securities exchanges with the smallest market shares in NMS stocks (based on average daily dollar volume) had market shares slightly above and, in one case, below, the proposed 0.25 percent threshold in all NMS stocks (the market shares of CBOE, NSX, and NYSE MKT were approximately 0.44 percent, 0.27 percent, and 0.06 percent, respectively). Further, all national securities exchanges that trade NMS stocks had at least 5 percent or more of the average daily dollar volume in at least one NMS stock, with most exceeding such threshold for multiple NMS stocks.
---------------------------------------------------------------------------

Since the time that the Commission originally adopted Regulation ATS, the equity markets have evolved significantly, resulting in an increase in the number of trading centers and a reduction in the concentration of trading activity.\106\ As such, even smaller trading centers, such as certain ATSs, now collectively represent a significant source of liquidity for NMS stocks and, by comparison, no single registered securities exchange executes more than 20 percent of volume in NMS stocks.\107\ Given these developments in market structure, the Commission preliminarily believes that setting the average daily dollar volume threshold for NMS stocks at five percent in any NMS stock and 0.25 percent in all NMS stocks, or one percent in all NMS stocks, is appropriate to help ensure that entities that have determined to participate (in more than a limited manner) in the national market system as markets that bring buyers and sellers together, are subject to the requirements of proposed Regulation SCI. In addition, the Commission preliminarily believes that it is appropriate to propose average daily dollar volume thresholds for NMS stocks, rather than average daily share volume thresholds, because, by using dollar volume, the price level of a stock will not skew an ATS's inclusion or exclusion from the definition of SCI entity, as may be the case when using share volume, and the use of dollar thresholds may better reflect the economic impact of trading activity.\108\

---------------------------------------------------------------------------

\106\ See supra notes 47-51 and accompanying text.

\107\ See supra note 47.
\108\ For example, if a threshold is based on the average daily share volume in all NMS stocks, an ATS that transacts in a stock that has recently been through a stock split could experience a significant increase in its share volume (or, for reverse stock splits, a decrease in its share volume), whereas the dollar value transacted would remain the same.

---------------------------------------------------------------------------

In sum, the Commission preliminarily believes that the proposed dollar volume thresholds for NMS stocks would further the goals of the national market system by ensuring that ATSs that meet the thresholds are subject to the same baseline standards as other SCI entities for systems capacity, integrity, resiliency, availability, and security.

With respect to non-NMS stocks, municipal securities, and corporate debt securities, the Commission is proposing to lower the current thresholds in Rule 301(b)(6) of Regulation ATS. Specifically, the Commission is proposing to reduce the standard from 20 percent to five percent for these types of securities,\109\ the same percentage threshold for such types of securities that triggers the fair access provisions of Rule 301(b)(5) of Regulation ATS.\110\ The Commission preliminarily believes that ATSs that trade non-NMS stocks, municipal securities, and corporate debt securities above the proposed [[Page 18095]] thresholds are those that play a significant role in the market for such securities and thus preliminarily believes that the proposed thresholds are appropriately designed.

---------------------------------------------------------------------------

\109\ See proposed Rule 1000(a). As discussed in this Section III.B.1, the thresholds in proposed Rule 1000(a) would be based on average daily dollar or transaction volume.

\110\ See Rule 301(b)(5) of Regulation ATS under the Exchange Act. 17 CFR 242.301(b)(5).
---------------------------------------------------------------------------

With respect to non-NMS stocks for which transactions are reported to a self-regulatory organization, the Commission proposes to lower the threshold to five percent or more of the average daily dollar volume as calculated by the self-regulatory organization to which such transactions are reported. Using data from the first six months of 2012, the Commission believes that an ATS executing transactions in non-NMS stocks at a level exceeding five percent of the average daily dollar volume traded in the United States would be executing trades at a level exceeding $31 million daily.\111\ Based on data collected from Form ATS-R for the second quarter of 2012, the Commission estimates that two ATSs would exceed this threshold and fall within the definition of SCI entity. The Commission requests comment on the accuracy of these estimates.

---------------------------------------------------------------------------

\111\ Source: Data provided by OTC Markets.

---------------------------------------------------------------------------

With respect to municipal securities and corporate debt securities, the Commission proposes to lower the threshold to five percent or more of either: (i) The average daily dollar volume \112\ traded in the United States; or (ii) the average daily transaction volume traded in the United States. The Commission preliminarily believes that this two-pronged threshold is appropriate for the debt market, as it should capture both ATSs that are focused on retail orders and facilitate a relatively greater number of trades with relatively lower dollar values, as well as those ATSs that are focused on institutional orders and facilitate a relatively lower number of trades with relatively greater dollar values.
The Commission preliminarily believes that both of these thresholds are important in identifying ATSs that play a significant role in the debt markets for executing both retail- and institutional-sized trades.\113\

---------------------------------------------------------------------------

\112\ As with the proposed measures for ATSs that trade NMS stocks or non-NMS stocks, the Commission is proposing to use average daily dollar volume for debt securities, which the Commission preliminarily believes is the measure most commonly used when analyzing daily trading volume in the debt markets.

\113\ Most corporate and municipal bond trades are small (i.e., less than $100,000), but small trades do not account for most of the dollar volume in these markets. See, e.g., Edwards, Amy K., Harris, Lawrence and Piwowar, Michael S., Corporate Bond Market Transaction Costs and Transparency, Journal of Finance, Vol. 62, No. 3 (June 2007) and Lawrence E. Harris and Michael S. Piwowar, Secondary Trading Costs in the Municipal Bond Market, J. Fin. (June 2006). An ATS that specializes in large trades may account for a small portion of the trades but a large portion of the dollar volume. Likewise, an ATS that specializes in small trades may account for a small portion of the dollar volume but a large portion of the trades. Therefore, a systems disruption, systems compliance issue, or systems intrusion in either of these ATS types could potentially disrupt a large portion of the market. As the Commission stated in the ATS Release, ``many of the same concerns about the trading of equity securities on alternative trading systems apply equally to the trading of fixed income securities on alternative trading systems. Specifically, it is important that markets with significant portions of the volume in particular instruments have adequate systems capacity, integrity, and security, regardless of whether those instruments are equity securities or debt securities.
Similarly, as electronic systems for debt grow, it will become increasingly important for the fair operation of our markets for market participants to have fair access to significant market centers in debt securities. One of the consequences of the growing role of alternative trading systems in the securities markets generally is that debt securities are increasingly being traded on these systems, similar to the way equity securities are traded.'' See ATS Release, supra note 2, at 70862.

---------------------------------------------------------------------------

Using data from the first six months of 2012, the Commission believes that an ATS executing transactions in municipal securities at a level exceeding five percent of the average daily dollar volume traded in the United States would be executing trades at a level of at least approximately $550 million daily,\114\ and that an ATS executing transactions in municipal securities at a level exceeding five percent of the average daily transaction volume traded in the United States would be executing an average of at least approximately 1,900 transactions daily.\115\ Based on data collected from Form ATS-R for the second quarter of 2012, the Commission preliminarily believes that currently no ATSs executing transactions in municipal securities would exceed the proposed average daily dollar volume threshold and fall within the definition of SCI entity pursuant to that proposed prong. ATSs are not required to report transaction volume data for municipal securities on Form ATS-R. However, based on discussions with industry sources, the Commission preliminarily believes that three ATSs executing transactions in municipal securities would likely exceed the proposed average daily transaction volume threshold.\116\ The Commission requests comment on the accuracy of these estimates.
---------------------------------------------------------------------------

\114\ For the period of January 1, 2012 to June 30, 2012, the average daily dollar volume of trades was over $11 billion. See https://emma.msrb.org/marketactivity/ViewStatistics.aspx (accessed January 30, 2013). Five percent of this amount is approximately $550 million.

\115\ For the period of January 1, 2012 to June 30, 2012, the average daily transaction volume was approximately 39,000. See https://emma.msrb.org/marketactivity/ViewStatistics.aspx (accessed January 30, 2013). Five percent of this amount is approximately 1,900 trades.

\116\ See, e.g., the Commission's Report on the Municipal Securities Market, supra note 96 at n.715. The Commission preliminarily believes that the three ATSs that would likely exceed the proposed average daily transaction volume threshold for municipal securities are the same three ATSs that would likely exceed the corresponding threshold for corporate debt securities. See infra note 119.

---------------------------------------------------------------------------

Using data from the first six months of 2012, the Commission believes that an ATS executing transactions in corporate debt at a level exceeding five percent of the average daily dollar volume traded in the United States would be executing trades at a level of at least approximately $900 million daily,\117\ and that an ATS executing transactions in corporate debt at a level exceeding five percent of the average daily transaction volume traded in the United States would be executing an average of at least approximately 2,100 transactions daily.\118\ Based on data collected from Form ATS-R for the second quarter of 2012, the Commission preliminarily believes that currently no ATSs executing transactions in corporate debt would exceed the proposed average daily dollar volume threshold and fall within the definition of SCI entity pursuant to that proposed prong.
ATSs are not required to report transaction volume data for corporate debt on Form ATS-R. However, based on discussions with industry sources, the Commission preliminarily believes that three ATSs executing transactions in corporate debt would likely exceed the proposed average daily transaction volume threshold.\119\ The Commission requests comment on the accuracy of these estimates.

---------------------------------------------------------------------------

\117\ For the period of January to June 2012, the average daily dollar volume was approximately $18 billion. Five percent of this amount is approximately $900 million. See U.S. Bond Market Trading Volume, available at: https://www.sifma.org/research/statistics.aspx.

\118\ Source: Corporate bond transactions reported to TRACE from January through June 2012, excluding instruments subject to Rule 144A and April 6, 2012 (short trading day).

\119\ As noted above, the Commission preliminarily believes that the three ATSs that would likely exceed the proposed average daily transaction volume threshold for corporate debt securities are the same three ATSs that would likely exceed the corresponding threshold for municipal securities. See supra note 116.

---------------------------------------------------------------------------

The Commission is proposing these numerical thresholds as a preliminary best estimate of when a market is of sufficient significance to the trading of the relevant asset class (i.e., NMS stocks, non-NMS stocks, municipal securities, and corporate debt securities) as to warrant the protections and obligations of proposed Regulation SCI. As noted [[Page 18096]] above,\120\ the numerical thresholds in the definition of SCI ATS have not been derived from econometric or mathematical models.
Instead, they reflect a preliminary assessment by the Commission, based on qualitative and some quantitative analysis, of the likely economic consequences of the specific quantitative thresholds proposed to be included in the definition. The Commission recognizes that there may reasonably be differing views as to what the threshold levels for inclusion should be and thus the Commission solicits comment on the appropriateness of the proposed threshold levels.

---------------------------------------------------------------------------

\120\ See supra note 99.

---------------------------------------------------------------------------

The Commission recognizes that it is proposing numerically higher thresholds for non-NMS stocks, municipal securities, and corporate debt securities as compared to NMS stocks (five percent, as compared to one percent in all NMS stocks). While the Commission preliminarily believes that similar concerns about the trading of NMS stocks on ATSs apply to the trading of non-NMS stocks and debt securities on ATSs (namely, that markets with significant portions of the volume in particular instruments have adequate systems capacity, integrity, resiliency, availability, and security), the Commission notes that it has traditionally provided special safeguards with regard to NMS stocks in its rulemaking efforts relating to market structure.\121\

---------------------------------------------------------------------------

\121\ See, e.g., Regulation NMS, 17 CFR 242.600-612; Securities Exchange Act Release No. 51808 (June 9, 2005), 70 FR 27496 (June 29, 2005).
---------------------------------------------------------------------------

Further, in part due to the greater availability of, and reliance on, electronic trading for NMS stocks, the trading of such securities is generally more accessible to a wider range of investors and has resulted in increases in electronic trading volumes relative to 15 years ago, as compared to other markets, such as the debt markets, which still largely rely on manual trading. Because the degree of automation and electronic trading is generally lower in markets that trade non-NMS stocks and debt securities than in the markets that trade NMS stocks, the Commission preliminarily believes that a systems issue at an SCI entity that trades non-NMS stocks or debt securities would not have as significant an impact as readily as a systems issue at an SCI entity that trades NMS stocks. Therefore, the Commission preliminarily believes there is less need in the markets for those securities for more stringent thresholds that would trigger the requirements of proposed Regulation SCI.\122\ For example, the most recent widely publicized issues involving systems problems and disruptions in the securities markets have generally all been related to NMS stocks.\123\ The Commission also believes that imposition of a threshold that is set too low in markets that lack automation could have the unintended effects of discouraging automation in these markets and discouraging new entrants into these markets. For these reasons, the Commission preliminarily believes that it is appropriate at this time to apply a different threshold to ATSs trading NMS stocks than those ATSs trading non-NMS stocks, municipal securities, and corporate debt securities.

---------------------------------------------------------------------------

\122\ See also discussion in infra Section V.C.3.c.

\123\ See, e.g., supra notes 61-66 and accompanying text.
---------------------------------------------------------------------------

Under Proposed Rule 1000(a), the term ``plan processor'' would have the meaning set forth in Rule 600(b)(55) of Regulation NMS, which defines ``plan processor'' as ``any self-regulatory organization or securities information processor acting as an exclusive processor in connection with the development, implementation and/or operation of any facility contemplated by an effective national market system plan.'' \124\ As noted above, the ARP Inspection Program has developed to include the systems of the plan processors of the four current SCI Plans.\125\ Any entity selected as the processor of an SCI Plan is responsible for operating and maintaining computer and communications facilities for the receipt, processing, validating, and dissemination of quotation and/or last sale price information generated by the members of such plan.\126\ Although an entity selected as the processor of an SCI Plan acts on behalf of a committee of SROs, such entity is not required to be an SRO, nor is it required to be owned or operated by an SRO.\127\ The Commission believes, however, that the systems of such entities, because they deal with key market data, form the ``heart of the national market system,'' \128\ and should be subject to the same systems standards as SCI SROs, and proposes to include ``plan processors'' in the definition of SCI entity.\129\

---------------------------------------------------------------------------

\124\ See 17 CFR 242.600(b)(55).

\125\ See supra note 87, defining the term ``SCI Plan'' and discussing plan processors.

\126\ See, e.g., CTA Plan Section V(d) and CQS Plan Section V(d), available at: https://www.nyxdata.com/cta; see also OPRA Plan, Section V, available at: https://www.opradata.com/pdf/opra_plan.pdf; and Nasdaq UTP Plan Section IV, available at: https://www.utpplan.com.

\127\ Pursuant to Section 11A of the Exchange Act (15 U.S.C.
78k-1), and Rule 609 of Regulation NMS thereunder (17 CFR 242.609), such entities, as ``exclusive processors,'' are required to register with the Commission as securities information processors on Form SIP. See 17 CFR 249.1001 (Form SIP, application for registration as a securities information processor or to amend such an application or registration).

\128\ See Concept Release on Equity Market Structure, supra note 42, at 3600 (quoting H.R. Rep. No. 94-229, 94th Cong., 1st Sess. 93 (1975)).

\129\ See supra note 87.

---------------------------------------------------------------------------

Pursuant to its terms, each SCI Plan is required to periodically review its selection of its processor, and may in the future select a different processor for the SCI Plan than its current processor.\130\ The proposed inclusion of ``plan processors'' in the definition of SCI entity is designed to ensure that the processor for an SCI Plan, regardless of its identity, is independently subject to the requirements of proposed Regulation SCI. Thus, the proposed definition would cover any entity selected as the processor for a current or future SCI Plan.\131\ The Commission preliminarily believes that it is important for such plan processors to be subject to the requirements of proposed Regulation SCI because of the important role they serve in the national market system: Operating and maintaining computer and communications facilities for the receipt, processing, validating, and dissemination of quotation and/or last sale price information generated by the members of the plan.\132\

---------------------------------------------------------------------------

\130\ See CTA Plan Section V(d) and CQS Plan Section V(d), available at: https://www.nyxdata.com/cta; OPRA Plan Section V, available at: https://www.opradata.com/pdf/opra_plan.pdf; and Nasdaq UTP Plan Section V, available at: https://www.utpplan.com.
\131\ Currently, the Securities Industry Automation Corporation (``SIAC'') is the processor for the CTA Plan, CQS Plan, and OPRA Plan and Nasdaq is the processor for the Nasdaq UTP Plan. SIAC is wholly owned by NYSE Euronext. Both SIAC and Nasdaq are registered with the Commission as securities information processors, as required by Section 11A(b)(1) of the Exchange Act, 15 U.S.C. 78k-1(b)(1), and in accordance with Rule 609 of Regulation NMS thereunder, 17 CFR 242.609. The Commission preliminarily believes that the proposed definition of plan processor also would include any entity selected and acting as exclusive processor of a future NMS plan, such as that contemplated by the Commission's rules to create a consolidated audit trail. See Securities Exchange Act No. 67457 (July 18, 2012), 77 FR 45722 (August 1, 2012) (``Consolidated Audit Trail Adopting Release'').

\132\ See supra note 126 and accompanying text.

---------------------------------------------------------------------------

Under proposed Rule 1000(a), the term ``exempt clearing agency subject to ARP'' would mean ``an entity that has received from the Commission an exemption from registration as a clearing agency under Section 17A of the Act, and whose exemption contains conditions that relate to the Commission's Automation Review Policies, or any Commission regulation that supersedes or replaces such policies.'' This proposed definition of [[Page 18097]] ``exempt clearing agency subject to ARP'' presently would apply to one entity, Global Joint Venture Matching Services--US, LLC (``Omgeo'').\133\

---------------------------------------------------------------------------

\133\ On April 17, 2001, the Commission issued an order granting Omgeo an exemption from registration as a clearing agency subject to certain conditions and limitations in order that Omgeo might offer electronic trade confirmation and central matching services.
See Global Joint Venture Matching Services--US, LLC; Order Granting Exemption from Registration as a Clearing Agency, Securities Exchange Act Release No. 44188 (April 17, 2001), 66 FR 20494 (April 23, 2001) (File No. 600-32) (``Omgeo Exemption Order''). Because the Commission granted it an exemption from clearing agency registration, Omgeo is not a self-regulatory organization. See id. at 20498, n.41.

---------------------------------------------------------------------------

Among the operational conditions required by the Commission in the Omgeo Exemption Order were several that directly related to the ARP policy statements.\134\ For the same reasons that it required Omgeo to abide by the conditions relating to the ARP policy statements set forth in the Omgeo Exemption Order, the Commission preliminarily believes it would be appropriate that Omgeo (or any similarly situated exempt clearing agency) should be subject to the requirements of proposed Regulation SCI, and thus is proposing to include any ``exempt clearing agency subject to ARP'' as explained above, within the definition of SCI entity.\135\

---------------------------------------------------------------------------

\134\ These conditions required Omgeo to, among other things: Provide the Commission with an audit report addressing all areas discussed in the Commission ARP policy statements; provide annual reports prepared by competent, independent audit personnel in accordance with the annual risk assessment of the areas set forth in the ARP policy statements; report all significant systems outages to the Commission; provide advance notice of any material changes made to its electronic trade confirmation and central matching services; and respond and require its service providers to respond to requests from the Commission for additional information relating to its electronic trade confirmation and central matching services, and provide access to the Commission to conduct inspections of its facilities,
records and personnel related to such services. See id.

\135\ In the Omgeo Exemption Order, the Commission stated that, ``[b]ecause these conditions are designed to promote interoperability, the Commission intends to require substantially the same conditions of other Central Matching Services that obtain an exemption from registration as a clearing agency.'' See id.

---------------------------------------------------------------------------

Request for Comment

1. The Commission requests comment generally on the proposed definition of SCI entity and its constituent parts. Do commenters believe that entities of the type that would satisfy the proposed definition of SCI entity play significant roles in the U.S. securities markets such that they should be subject to proposed Regulation SCI? Why or why not?

2. Do commenters believe the scope of the proposed definition of SCI SRO is appropriate? Does the proposed definition of SCI SRO include types of entities that should not be subject to the proposed requirements, or exclude types of entities that should be subject to the proposed requirements? If so, please identify such types of entities and explain why they should or should not be included in the definition of SCI entity or SCI SRO. Should the definition of ``SCI self-regulatory organization'' include exchanges notice-registered with the Commission pursuant to 15 U.S.C. 78f(g) or a limited purpose national securities association registered with the Commission pursuant to 15 U.S.C. 78o-3(k)? Do commenters believe that it is appropriate to defer to the CFTC regarding the systems compliance and integrity of such entities? Why or why not?

3. Do commenters believe that the proposed definition of ``SCI alternative trading system'' is appropriate? Why or why not? Do commenters believe that the proposed volume thresholds for the different asset classes under the proposed definition of SCI ATS are appropriate?
Specifically, are the proposed average daily dollar volume thresholds of five percent or more in any NMS stock and 0.25 percent or more in all NMS stocks, or one percent or more in all NMS stocks, appropriate? Would higher or lower daily dollar volume thresholds for NMS stocks be more appropriate? \136\ Please explain and provide data in support. Alternatively, would a different threshold measurement be more appropriate (e.g., transaction volume, share volume, etc.)? If so, which and at what threshold level? \137\ Please explain and provide data in support.

---------------------------------------------------------------------------

\136\ For example, based on data from FINRA's Order Audit Trail System, if the threshold were instead to be set at five percent or more in any NMS stock and 0.5 percent or more in all NMS stocks, the Commission preliminarily estimates that approximately nine ATSs would satisfy the thresholds, accounting for approximately 84 percent of the dollar-volume market share of all ATSs trading NMS stocks (i.e., not including NMS stocks traded on SROs). If the threshold were instead to be set at five percent or more in any NMS stock and one percent or more in all NMS stocks, the Commission preliminarily estimates that approximately three ATSs would satisfy the thresholds, accounting for approximately 38 percent of the market share. Further, if the threshold were instead to be set at 0.25 percent in all NMS stocks, the Commission preliminarily estimates that approximately ten ATSs would satisfy the threshold. If the threshold were instead to be set at 0.5 percent in all NMS stocks, the Commission preliminarily estimates that approximately nine ATSs would satisfy the threshold.
\137\ For example, based on data collected from Form ATS-R for the second quarter of 2012 and consolidated NMS stock share volume from the first six months of 2012, if the threshold were instead to be set at 0.25 percent of average daily NMS stock consolidated share volume, the Commission preliminarily estimates that approximately 15 ATSs would satisfy the threshold, accounting for approximately 14 percent of the total average daily consolidated share volume. If the threshold were instead to be set at 0.5 percent of average daily NMS stock consolidated share volume, the Commission preliminarily estimates that approximately 12 ATSs would satisfy the threshold, accounting for approximately 13 percent of the total average daily consolidated share volume. If the threshold were instead to be set at one percent of average daily NMS stock consolidated share volume, the Commission preliminarily estimates that approximately 6 ATSs would satisfy the threshold, accounting for approximately nine percent of the total average daily consolidated share volume. Based on consolidated NMS stock share volume from the first six months of 2012, the Commission estimates that the equity securities exchanges with the smallest volume each account for approximately 0.2 percent to 0.4 percent of the total average daily consolidated share volume.

---------------------------------------------------------------------------

4. The Commission notes that, unlike the threshold levels applicable to NMS stocks currently in Rule 301(b)(6) of Regulation ATS, the proposed thresholds for NMS stocks are based on average daily dollar volume in an individual NMS stock and/or all NMS stocks. Do commenters believe that these are appropriate standards? Why or why not? If not, what should be the appropriate standard, and why?
Do commenters believe the proposed thresholds of five percent or more in any NMS stock and 0.25 percent or more in all NMS stocks would prevent a situation in which an ATS that has a large volume in one NMS stock and little volume in other NMS stocks would be covered by proposed Regulation SCI? How common is it for an ATS to trade illiquid NMS stocks without also trading more liquid NMS stocks? Please provide any data relevant to this question.

5. Should the SCI ATS thresholds be triggered only with respect to certain NMS stocks, for example, only with respect to the most liquid NMS stocks? If so, how should the Commission define the ``most liquid'' NMS stocks? For example, should the thresholds be triggered only for the 500 most liquid NMS stocks? The 100 most liquid NMS stocks? Another amount? Why or why not? Please describe your reasoning. Further, what would be the appropriate threshold measurement (e.g., average daily share volume, average daily dollar volume, or another measurement)? Please explain.

6. Is the proposed five percent threshold level appropriate for non-NMS stocks, municipal securities (approximately $550 million in daily dollar volume or 1,900 in daily transaction volume based on data from the first six months of 2012), and corporate debt securities (approximately $900 million in daily dollar volume or 2,100 in daily transaction volume based [[Page 18098]] on data from the first six months of 2012)? Why or why not? Please explain and provide data in support. If not, what should be the appropriate thresholds and why?

7. As with NMS stocks, the proposed five percent thresholds for non-NMS stocks are to be calculated by reference to daily dollar volume, though the proposed threshold would only be with reference to all such stocks (as opposed to average daily dollar volume in individual NMS stocks and/or all NMS stocks). Do commenters believe that this is the appropriate standard for non-NMS stocks? Why or why not?

8.
Do commenters agree with the Commission's assessment that there is less automation among markets that trade non-NMS stocks, municipal securities, and corporate debt securities as compared to markets that trade NMS stocks? Why or why not? What is the current level of automation in these markets? 9. Do commenters believe that there should be different thresholds for NMS stocks than non-NMS stocks, municipal securities, and corporate debt securities? Why or why not? Do commenters believe that the proposed two-pronged thresholds are appropriate for municipal securities and corporate debt securities? Why or why not? Would the proposed two-pronged approach be relevant or appropriate for securities other than municipal and corporate debt securities? Why or why not? 10. Do commenters believe that the Commission's estimates of the current number of ATSs that would meet the proposed thresholds are accurate? Why or why not? If not, please provide any data or estimates that commenters believe would more accurately reflect the number of ATSs that would meet the proposed thresholds. 11. The Commission is also considering whether it should instead adopt a definition for SCI ATS that is based solely on a single type of threshold measurement (such as average daily dollar volume), which would be simpler and provide consistency across different asset classes, rather than the differing types of threshold tests for NMS stocks, non-NMS stocks, municipal securities, and corporate debt securities currently proposed. In particular, the Commission is considering whether it would be appropriate to solely use a threshold based on a percentage of average daily dollar volume for all asset classes. Would a threshold based on a percentage of average daily dollar volume be an appropriate single measure that the Commission should use for all asset classes (i.e., NMS stocks, non-NMS stocks, municipal securities, and corporate debt securities) within the definition of SCI ATS? Why or why not? 
If so, would it be appropriate for the Commission to adopt the same dollar volume threshold measurement that applies for all of the asset classes? Why or why not? Please explain. If so, what would be an appropriate threshold measurement? For example, would five percent of the asset class's total average daily dollar volume be appropriate? Should the measurement be higher or lower? Please be specific and explain. Or, rather than a threshold measurement that is based on a percentage of the asset class's total average daily dollar volume, would a fixed average daily dollar volume threshold, such as $500 million, be appropriate? If so, should such a threshold be higher or lower than $500 million? Why or why not? Should such a fixed dollar threshold be different for different asset classes? Why or why not? If so, what should such thresholds be for each asset class? Please be specific. What are the advantages and disadvantages of a percentage-based threshold versus a fixed dollar threshold? Please explain.

12. Would it be appropriate for the Commission to adopt a single dollar volume threshold measurement that applies across all asset classes? For example, if an ATS trades both municipal securities and corporate debt securities, should its trading volume in both asset classes be aggregated to determine whether it exceeded the threshold measurement? Why or why not?

13. The proposed SCI ATS thresholds are to be calculated by reference to executions ``during at least four of the preceding six calendar months,'' the measurement period and method that is currently used in Regulation ATS. Do commenters believe this is the appropriate time frame and method to be included in Regulation SCI? Why or why not? If not, is there a more appropriate approach? If so, what should it be and why?

14. With respect to calculating the proposed thresholds for securities other than NMS stocks (i.e., non-NMS stocks, municipal securities, and corporate debt securities), would ATSs have available appropriate data with which to determine whether the proposed thresholds have been met? FINRA, through its OTC Reporting Facility and its Trade Reporting and Compliance Engine (``TRACE'') \138\ facility, collects data on transactions in non-NMS stocks and corporate debt securities, and the MSRB collects data on transactions in municipal securities. Do commenters believe that FINRA, the MSRB, or another appropriate entity should be required to disseminate data in a format and frequency sufficient to enable ATSs to determine if they have met the proposed thresholds? Is there another mechanism or structure that could provide data in a format and frequency sufficient to enable ATSs to determine whether the proposed thresholds have been met? Please explain.
---------------------------------------------------------------------------
\138\ TRACE is an automated system that, among other things, accommodates reporting and dissemination of transaction reports for over-the-counter secondary market transactions in eligible fixed income securities, in accordance with the FINRA Rule 6700 series.
---------------------------------------------------------------------------

15. Are there ATSs or types of ATSs that would satisfy the proposed definition of SCI ATS that commenters believe should not be subject to proposed Regulation SCI? If so, please explain. Are there ATSs or types of ATSs that would not satisfy the proposed definition of SCI ATS that commenters believe should be subject to proposed Regulation SCI? If so, please explain. For example, should ATSs that execute transactions in U.S. treasuries and/or repurchase agreements be subject to proposed Regulation SCI? Why or why not?
If a parent company owns multiple ATSs for a given asset class (e.g., NMS stocks), should the trading volumes of these ATSs be aggregated for purposes of determining whether the ATSs exceed the proposed thresholds? Why or why not? If so, how should such aggregation work? What are the advantages or disadvantages of such an approach? Please explain.

16. Do commenters believe that, for purposes of Regulation SCI, the proposed definition of plan processor is appropriate? Why or why not? Is it appropriate to limit the definition of plan processor to entities within the meaning of plan processor in Rule 600(b)(55) of Regulation NMS? Why or why not? Do commenters believe the proposed definition is sufficiently clear? Are there any other entities similar to the plan processors of SCI Plans that commenters believe should be made subject to the requirements of proposed Regulation SCI? If so, please describe and explain why.

17. Do commenters believe that the proposed definition of ``exempt clearing agency subject to ARP'' is appropriate? Why or why not? Are there other exempt clearing agencies that should be included in the proposed definition of SCI entity? Why or why not? Is it appropriate to limit the definition of SCI entity with respect to exempt clearing agencies to those with exemptions that [[Page 18099]] contain conditions that relate to the Commission's Automation Review Policies or any Commission regulation that supersedes or replaces such policies? Why or why not?

18. What are the current practices of the proposed SCI entities with respect to the subject matter covered by the ARP policy statements? How many of them have practices that are consistent with ARP? How do they differ? Please be specific.

2. Definition of SCI Systems and SCI Security Systems

The Commission is proposing that Regulation SCI cover the systems of SCI entities, which would include both SCI systems and, where applicable, SCI security systems.
Proposed Rule 1000(a) would define the term ``SCI systems'' to mean ``all computer, network, electronic, technical, automated, or similar systems of, or operated by or on behalf of, an SCI entity, whether in production, development, or testing, that directly support trading, clearance and settlement, order routing, market data, regulation, or surveillance,'' and the term ``SCI security systems'' to mean ``any systems that share network resources with SCI systems that, if breached, would be reasonably likely to pose a security threat to SCI systems.'' Thus, for purposes of all of the provisions of proposed Regulation SCI, the proposed definition of SCI systems would cover all systems of an SCI entity that directly support trading, clearance and settlement, order routing, market data, regulation, and surveillance. In addition, the proposed definition of SCI security systems is designed to cover other types of systems if they share network resources with SCI systems and, if breached, would be reasonably likely to pose a security threat to SCI systems. Unlike SCI systems, only certain provisions of proposed Regulation SCI would apply to SCI security systems.\139\
---------------------------------------------------------------------------
\139\ Specifically, under proposed Rule 1000(a), SCI security systems are included in the proposed definitions of ``material systems change,'' ``responsible SCI personnel,'' ``SCI review,'' and ``systems intrusion.'' For purposes of security standards, proposed Rule 1000(b)(1) would also apply to SCI security systems. In addition, with respect to systems intrusions, proposed Rules 1000(b)(3)-(5) would apply to SCI security systems. Further, because of the definitions of material systems change and SCI review, proposed Rules 1000(b)(6) and (7) would apply to SCI security systems. Finally, proposed Rules 1000(c) and (f), relating to recordkeeping and access, respectively, would apply to SCI security systems.
---------------------------------------------------------------------------

The Commission preliminarily believes that the proposed definition of SCI systems would reach those systems traditionally considered to be core to the functioning of the U.S. securities markets, namely trading, clearance and settlement, order routing, market data, regulation, and surveillance systems.\140\ The proposed definition would also apply to, for example, such systems of exchange-affiliated routing brokers that are facilities of national securities exchanges or such systems operated on behalf of national securities exchanges. It would also apply to regulatory systems,\141\ including systems for the regulation of the over-the-counter market, systems used to carry out regulatory services agreements, and similar future systems, including the Consolidated Audit Trail repository.\142\ In addition, if an SCI entity contracts with a third party to operate its systems (such as those that use execution algorithms) on behalf of the SCI entity, such systems would also be covered by the proposed definition of SCI systems if they directly support trading, clearance and settlement, order routing, market data, regulation, or surveillance. Therefore, systems covered by the proposed definition of SCI systems would not be limited only to those owned by the SCI entity, but also could include those operated by or on behalf of the SCI entity.
---------------------------------------------------------------------------
\140\ See ARP I, supra note 1.
\141\ SCI entities that are obligated to comply with Section 31 of the Exchange Act (15 U.S.C. 78ee), and Rule 31 thereunder (17 CFR 240.31), employ various systems to generate, process, transmit, or store electronic messages related to securities transactions. Such systems may include matching engines, transaction data repositories, trade reporting systems, and clearing databases.
\142\ See Consolidated Audit Trail Adopting Release, supra note 131.
---------------------------------------------------------------------------

Based on Commission staff's experience with the ARP Inspection Program, the Commission believes that some SCI systems of SCI entities may in some cases be highly interconnected with SCI security systems because the SCI systems and SCI security systems share network resources. As a result, the Commission is concerned that a security issue or systems intrusion with respect to SCI security systems would be reasonably likely to cause an SCI event with respect to SCI systems. Because certain SCI security systems of an SCI entity may present likely vulnerable entry points to an SCI entity's network, the Commission preliminarily believes that it is important that the provisions of proposed Regulation SCI relating to security standards and systems intrusions apply to SCI security systems.\143\
---------------------------------------------------------------------------
\143\ See supra note 139.
---------------------------------------------------------------------------

The proposed definition of SCI security systems does not identify the types of systems that would be covered, but rather describes them in terms of their connectivity and potential ability to undermine the integrity of SCI systems. However, examples of SCI security systems that could be highly interconnected with SCI systems and therefore be reasonably likely to pose a threat to SCI systems may include systems pertaining to corporate operations (e.g., systems that support web-based services, administrative services, electronic filing, email capability and intranet sites, as well as financial and accounting systems) that are typically accessed by an array of users (e.g., employees or executives of the SCI entity) authorized to view non-public information. In certain cases, such systems would likely offer insight into the vulnerabilities of an SCI entity if they were, for example, accessed by a hacker.
The Commission is concerned that the breach of such systems would likely lead to disruption of an SCI entity's general operations and, ultimately, its market-related activities. Similarly, systems by which an SCI entity provides a service to issuers, participants, or clients (e.g., transaction services, infrastructure services, and data services) may be accessed by employees or other representatives of the issuer, participant, or client organization, and may, in some instances, provide a point of access (and thus share network resources) to an SCI entity's SCI systems. Accordingly, the Commission is proposing that the term SCI security systems include any systems that share network resources with SCI systems that, if breached, would be reasonably likely to pose a security threat to SCI systems, but only for the limited provisions of proposed Regulation SCI noted above.\144\
---------------------------------------------------------------------------
\144\ See id.
---------------------------------------------------------------------------

In light of the above concerns, the proposed definitions of SCI systems and SCI security systems together are intended to reach all of the systems that would be reasonably likely to impact an SCI entity's operational capability and the maintenance of fair and orderly markets, rather than reaching solely SCI systems. Because of the dependence of today's securities markets on highly sophisticated electronic trading and other technology, including complex regulatory and surveillance systems, as well as systems relating to clearance and settlement, the provision of market data, and order routing, the Commission preliminarily believes that the proposed definitions of SCI systems and SCI security systems are appropriate to help ensure the capacity, integrity, resiliency, availability, and security of an SCI entity's systems.

[[Page 18100]]

Request for Comment

19. The Commission requests comment generally on the proposed definitions of SCI systems and SCI security systems.

20. Do commenters believe that the proposed definitions appropriately capture the scope of systems of SCI entities that would be reasonably likely to impact the protection of investors and the maintenance of fair and orderly markets? Specifically, do the proposed definitions of SCI systems and SCI security systems capture the components of the critical systems infrastructure of SCI entities in a comprehensive manner? Are the proposed definitions sufficiently clear?

21. Are there any systems of SCI entities that should be included but would not be captured by the proposed definitions? Please explain. Are there any systems of SCI entities that should be excluded from the proposed definitions? Please explain.

22. By including in the proposed definition of ``SCI systems'' those systems operated ``on behalf of'' an SCI entity, systems operated by a third party under contract from an SCI entity and systems operated by affiliates of an SCI entity that are utilized by such SCI entity would also be included in the proposed definition of SCI systems. Do commenters agree that such systems should be included? Please explain. Should the requirements under proposed Regulation SCI apply differently to systems that are operated on behalf of an SCI entity? Why or why not? Please explain.

23. Do commenters agree with the proposal to distinguish between SCI systems and SCI security systems for purposes of triggering the various provisions of proposed Regulation SCI? For example, are the requirements that would apply to SCI security systems appropriate? Why or why not? If not, which requirements of proposed Regulation SCI should apply to SCI security systems and why? Should the requirements under proposed Regulation SCI apply differently to different types of systems, as proposed?
Or, should SCI security systems be subject to all of the requirements of proposed Regulation SCI? Why or why not?

24. Alternatively, should SCI security systems be excluded entirely from the application of proposed Regulation SCI? Why or why not? The Commission is proposing its approach to distinguish between SCI systems and SCI security systems because it preliminarily believes that the interconnected nature of technology infrastructure today creates the potential for systems other than SCI systems to expose vulnerable points of entry that could lead to a security breach or intrusion into SCI systems. In light of this potential, the Commission is proposing, as discussed further below, that the following provisions of proposed Regulation SCI apply to the SCI security systems of an SCI entity: (1) For purposes only of the policies and procedures relating to systems security, proposed Rule 1000(b)(1) would apply to its SCI security systems; (2) proposed Rules 1000(b)(3)-(5) (relating to SCI events and taking corrective action, Commission notification, and dissemination of information to members or participants, respectively) would apply to SCI security systems only with respect to systems intrusions; and (3) proposed Rule 1000(b)(6) would require an SCI entity to report a material systems change in an SCI security system only to the extent that it materially affects the security of such system.\145\
---------------------------------------------------------------------------
\145\ See infra Sections III.C.1, III.C.3, and III.C.4. In addition, the scope of the applicability of proposed Rules 1000(b)(7), 1000(b)(8), and 1000(c)-(f) to SCI security systems would be determined by the provisions of the proposed Rules 1000(b)(1), and (3)-(6). See infra Sections III.C.5, III.C.6, and D.
---------------------------------------------------------------------------

25. The goal of this proposed approach is to ensure that SCI systems, as the core systems of an SCI entity, are adequately secure and protected from systems intrusions. However, the Commission recognizes that there may be alternative ways to achieve this goal, including those that do not extend the scope of the proposed rule beyond the core systems that are defined as ``SCI systems,'' and that focus the Commission's oversight on those systems. For example, one alternative would be to limit the scope of the proposed rule to SCI systems, but clarify that policies and procedures reasonably designed to ensure that SCI systems have adequate levels of security necessarily would require an assessment of security vulnerabilities created by other systems that share network resources with SCI systems, and appropriate steps to address those vulnerabilities. Specifically, under such an alternative, the defined term ``SCI security systems,'' and all references to them and any associated obligations, would be eliminated from the proposed rule text described herein, and clarifying guidance would be provided with respect to the security of SCI systems as noted above. With such an alternative, consideration also would need to be given to whether or not an SCI entity should notify the Commission (and potentially its members or participants) of a systems intrusion with respect to these non-SCI systems, or a systems change that materially impacts the security of such systems. Accordingly, the Commission solicits commenters' views on this or any other potential alternative approaches that would not include a definition of SCI security systems within the scope of the proposed rule.

26. If the Commission were to determine to eliminate the proposed definition of SCI security systems from proposed Regulation SCI, what would be the likely effect of such elimination on the ability of proposed Regulation SCI to ensure that SCI systems are adequately secure and protected from systems intrusions?
Please explain. Specifically, if the Commission eliminated the proposed definition of SCI security systems from proposed Regulation SCI, and its direct oversight of systems that share network resources with SCI systems, would the Commission's ability to assure adequate security for SCI systems be materially weakened? Why or why not? Would such an alternative reduce compliance burdens for SCI entities, and improve the efficiency of Commission oversight without materially undermining its effectiveness?

27. If the Commission were to determine to eliminate the proposed definition of SCI security systems from proposed Regulation SCI, would it be appropriate, for example, for the Commission to interpret the requirement of proposed Rule 1000(b)(1) that would require an SCI entity to have ``policies and procedures reasonably designed to ensure that its SCI systems have levels of * * * security * * * adequate to maintain the SCI entity's operational capability and promote the maintenance of fair and orderly markets'' to require that an SCI entity's SCI systems be protected from security threats by other systems with which they share network resources? Why or why not? Please explain.

28. If the Commission were to determine to eliminate the proposed definition of SCI security systems from proposed Regulation SCI, should the Commission still require an SCI entity to report to the Commission an intrusion into any system (and not just SCI systems) of an SCI entity? Why or why not? If the Commission were to determine to eliminate the proposed definition of SCI security systems from proposed Regulation SCI, should the Commission require an SCI entity to notify members and participants of an intrusion into any system of an SCI entity? Why or why not? If the Commission were to determine to eliminate the proposed definition of SCI [[Page 18101]] security systems from proposed Regulation SCI, are there any other changes to the rule that would be appropriate?
What are they, and why would they be appropriate? Please describe in detail.

3. SCI Events

Pursuant to the current ARP policy statements and Regulation ATS, a key element of the ARP Inspection Program has been to encourage ARP participants to notify Commission staff of significant systems disruptions so that the staff can work with the affected entity to help ensure that the disruption is addressed promptly and effectively, and that appropriate steps are taken to reduce the likelihood of future problems. Commission staff has previously sought to provide guidance and clarification on what should be considered a ``significant system outage'' for purposes of reports to Commission staff. Specifically, in the 2001 Staff ARP Interpretive Letter, Commission staff provided examples of situations for which an outage is deemed significant and thus should be reported.\146\ The examples listed in that letter included: (1) Outages resulting in a failure to maintain any service level agreements or constraints; (2) disruptions of normal operations, e.g., switchover to back-up equipment with zero hope of near-term recovery of primary hardware; (3) the loss of use of any system; (4) the loss of transactions; (5) outages resulting in excessive back-ups or delays in processing; (6) the loss of ability to disseminate vital information; (7) outage situations communicated to other external entities; (8) events that are (or will be) reported or referred to the entity's board of directors or senior management; (9) events that threaten systems operations even though systems operations are not disrupted; for example, events that cause the entity to implement a contingency plan; and (10) the queuing of data between system components or queuing of messages to or from customers of such duration that a customer's usual and customary service delivery is affected.\147\
---------------------------------------------------------------------------
\146\ See 2001 Staff ARP Interpretive Letter, supra note 35.
\147\ See id.
---------------------------------------------------------------------------

The Commission believes that guidance in the 2001 Staff ARP Interpretive Letter regarding what constitutes a significant systems outage has been useful over the years to the entities that received the 2001 Staff ARP Interpretive Letter, but understands that Commission action in this area would help SROs and other entities by providing definitive guidance through a formal rulemaking process that includes notice and comment. Furthermore, the Commission believes the term ``significant systems outage'' in plain usage denotes a category of systems problems that is considerably narrower than those the Commission believes could pose risks to the securities markets and market participants. Therefore, the Commission proposes to specify the types of events that would be required to be reported to the Commission and the types of systems problems that would trigger notice requirements on the part of an SCI entity. Specifically, the Commission is proposing to define the term ``SCI event'' in Rule 1000(a) as ``an event at an SCI entity that constitutes: (1) A systems disruption; (2) a systems compliance issue; or (3) a systems intrusion.'' As discussed in detail below, the proposed rule would define each of these terms used in the proposed definition of SCI event.

a. Systems Disruption

The Commission proposes that the term ``systems disruption'' be defined to mean ``an event in an SCI entity's SCI systems that results in: (1) A failure to maintain service level agreements or constraints; (2) a disruption of normal operations, including switchover to back-up equipment with near-term recovery of primary hardware unlikely; (3) a loss of use of any such system; (4) a loss of transaction or clearance and settlement data; (5) significant back-ups or delays in processing; (6) a significant diminution of ability to disseminate timely and accurate market data; or (7) a queuing of data between system components or queuing of messages to or from customers of such duration that normal service delivery is affected.'' The proposed definition is similar, but not identical, to the definition of ``significant systems outage'' in the 2001 Staff ARP Interpretive Letter.\148\
---------------------------------------------------------------------------
\148\ See supra note 35. The Commission believes that the term ``systems disruption'' is a more appropriate term to describe the types of events captured within the proposed definition and thus is proposing to use the term ``systems disruption,'' rather than the term ``systems outage,'' the term used in the ARP Inspection Program.
---------------------------------------------------------------------------

As proposed, a systems disruption would be an event in an SCI entity's SCI systems that manifests itself as a problem measured by reference to one or more of seven elements. The first proposed element, a failure to maintain service level agreements or constraints, is unchanged from the 2001 Staff ARP Interpretive Letter. This would include, for example, a failure or inability of the SCI entity to honor its contractual obligations to provide a specified level or speed of service to users of its SCI systems.
A trading market could, for example, contract to maintain its trading system without delays over a specific threshold, e.g., 100 milliseconds, and its failure to honor that obligation would thus be a systems disruption.

The second proposed element, ``a disruption of normal operations, including switchover to back-up equipment with near-term recovery of primary hardware unlikely,'' differs from the element in the 2001 Staff ARP Interpretive Letter (disruption of normal operations, e.g., switchover to back-up equipment with zero hope of near-term recovery of primary hardware). This modification is intended to convey that the Commission preliminarily believes that an SCI entity should be required to notify Commission staff of an SCI systems problem that involves a switchover to backup equipment, even if a determination that no recovery is possible has not been made, because the probability that such switchover may continue indefinitely is significant. The Commission also intends that this proposed element, a ``disruption of normal operations,'' would capture problems with SCI systems such as programming errors, testing errors, systems failures, or if a system release is backed out after it is implemented in production.

The third proposed element, ``a loss of use of any such system,'' is unchanged from the 2001 Staff ARP Interpretive Letter and would cover situations in which an SCI system is broken, offline, or otherwise out of commission. For example, the Commission intends that a failure of primary trading or clearance and settlement systems, even if immediately replaced by backup systems without any disruption to normal operations, would be covered under this third proposed element.
The Commission preliminarily believes the language of the fourth proposed element, ``a loss of transaction or clearance and settlement data,'' is more precise than the language in the 2001 Staff ARP Interpretive Letter, which lists ``loss of transactions'' as an example of a systems outage. Similarly, the language of the fifth and sixth proposed elements is intended to be more precise than the comparable language in the fifth and sixth examples enumerated in the 2001 Staff ARP Interpretive Letter. The Commission is not at this time proposing to quantify what would constitute a ``significant back-up or delay in processing'' or a ``significant diminution of ability to disseminate timely and accurate market data'' because it preliminarily believes that the varying circumstances that [[Page 18102]] could give rise to such events, and the range of SCI systems potentially impacted, make precise quantification impractical.\149\ These proposed elements are intended to include, for example, circumstances in which a problem with an SCI system results in a slowdown or disruption of operations that would adversely affect customers, impair quotation or price transparency, or impair accurate and timely regulatory reporting. Instances in which message traffic is throttled (i.e., slowed) by an SCI entity for any market participant, without a corresponding provision in the SCI entity's rules, user agreements, or governing documents, as applicable, would also be covered here.\150\ Further, the Commission preliminarily believes that if customers or systems users, for example, have complained or inquired about a slowdown or disruption of operations, including, for example, a slowdown or disruption in their receipt of market data, then such circumstance would be indicative of a problem at an SCI entity that results in ``significant back-ups or delays in processing'' or a ``significant diminution of ability to disseminate timely and accurate market data,'' that should be considered a ``systems disruption.''

The fifth and sixth elements of the proposed definition of systems disruption are also intended to cover the entry, processing, or transmission of erroneous or inaccurate orders, trades, price-reports, other information in the securities markets or clearance and settlement systems, or any other significant deterioration in the transmission of market data in an accurate, timely, and efficient manner. For example, it is possible that an SCI system of an SCI entity that disseminates market data could, as a result of a programming or testing error in another system of the SCI entity, be overwhelmed with erroneous market data to such an extent that the SCI entity's SCI systems are no longer able to disseminate market data in a timely and accurate manner.
--------------------------------------------------------------------------- \149\ The Commission is, however, soliciting comment on whether it would be appropriate to adopt quantitative criteria in connection with the definition of ``systems disruption.'' \150\ However, if an SCI entity's rules or governing documents provided for such throttling in specified scenarios as a part of normal operations, such throttling would not be covered as such a situation would not represent an unexpected back-up or delay in processing but rather would be part of the SCI entity's normal operation. --------------------------------------------------------------------------- Finally, the seventh proposed element, ``a queuing of data between system components or queuing of messages to or from customers of such duration that normal service delivery is affected,'' is proposed to be included because the Commission preliminarily believes that queuing of data between system components of SCI systems is often a warning signal of significant disruption of normal system operations. 
Although the 2001 Staff ARP Interpretive Letter lists ``a report or referral of an event to the entity's board of directors or senior management'' and ``an outage situation communicated to other external entities'' as examples of a significant systems outage, the Commission is not proposing to include such reports or communications in the definition of systems disruption because it preliminarily believes these examples are more likely to be indicia of whether information about a systems disruption or other systems problem warrants dissemination to the SCI entity's members or participants.\151\ Further, although the 2001 Staff ARP Interpretive Letter lists ``a serious threat to systems operations even though systems operations are not disrupted'' as an example of a significant systems outage, the Commission has not included that example as an element in the proposed definition of systems disruption because it preliminarily believes that such a threat would more likely be indicative of a systems intrusion or systems compliance issue.\152\

---------------------------------------------------------------------------

\151\ See infra Section III.B.4.d, discussing whether an SCI event is a ``dissemination SCI event.''

\152\ See infra Sections III.B.3.b and III.B.3.c, discussing the proposed definition of systems compliance issue and systems intrusion, respectively.

---------------------------------------------------------------------------

Request for Comment

29. The Commission requests comment generally on the proposed definition of ``systems disruption.'' Do commenters believe that it is appropriate to limit the proposed definition of ``systems disruption'' to SCI systems? Why or why not? Do commenters believe the proposed definition of ``systems disruption'' is too broad? Why or why not? Please explain.

30. Do commenters believe that there should be minimum thresholds associated with the circumstances specified in any elements of the proposed definition of systems disruption--e.g., quantitative criteria describing when an event fitting the description of one of the elements of the proposed definition would meet the definition of SCI event? If so, what should such minimum thresholds be and to which elements of the definition of ``systems disruption'' should such minimum thresholds apply? Please explain. Should systems disruptions affecting different types of SCI systems be treated differently? For example, should trading systems have different quantitative criteria than systems dedicated to surveillance? Please be specific with respect to which categories of SCI systems might deserve different treatment, and what such quantitative criteria might be and why.

31. Do commenters believe the term ``transaction or clearance and settlement data,'' as used in paragraph (4) of the proposed definition of ``systems disruption,'' is appropriate? Why or why not? Should other types of data be included, in addition to transaction and clearance and settlement data? For example, should customer account data, regulatory data, and/or audit trail data be included? Why or why not?

32. Do commenters believe that there should be exceptions to the proposed definition of systems disruption? If so, what should such exceptions be and why? For example, should the proposed definition of systems disruption include a de minimis exception? If so, what types of systems problems should be considered de minimis and what criteria should be used to determine whether a systems problem is de minimis? Should the proposed definition of systems disruption include a materiality threshold? If so, what types of systems problems should be considered material and what criteria should be used to determine whether a systems problem is material? Should the definition of systems disruption exclude regular planned outages occurring during the normal course of business?

33. Should the proposed definition be expanded, narrowed, or otherwise modified in any way? For example, should the proposed definition include quantitative criteria that establish a minimum deviation from normal performance levels, such as a tenfold increase or greater in latency for queuing of data, for an event to be considered an SCI event? Would a minimum deviation of 100 milliseconds from normal system performance levels be an appropriate indication of system degradation? Or, would a larger or smaller deviation be more appropriate? Why or why not? For example, would the choice of a specific threshold help to balance the tradeoff between the costs of over-reporting systems disruptions and the costs of failing to report systems disruptions that could lead to significant negative consequences? Should different quantitative criteria be used across different SCI systems? For example, a limited pause in the operations of a clearing system may not raise the same issues as a similar pause in the operation of a market data feed. If commenters believe that different criteria should be maintained, please be specific and provide examples of what [[Page 18103]] the appropriate minimum deviations should be for such systems.

34. Are there other types of circumstances that should be included that are not part of the proposed definition? If so, please describe and explain. For example, if an SCI SRO or SCI ATS suspects a technology error originating from a third party (such as an SCI SRO's member firm or an SCI ATS's subscriber) that has the potential to disrupt the market, should that type of discovery be included in the definition of systems disruption? Why or why not? Is there additional guidance that commenters would find helpful to determine whether an event would meet the proposed definition of systems disruption?

35. How often do SCI entities currently experience systems disruptions?

b. Systems Compliance Issue

The Commission proposes that the term ``systems compliance issue'' be defined as ``an event at an SCI entity that has caused any SCI system of such entity to operate in a manner that does not comply with the federal securities laws and rules and regulations thereunder or the entity's rules or governing documents, as applicable.'' \153\ Circumstances covered by the proposed definition would include, for example, situations in which a lack of communication between an SCI SRO's information technology staff and its legal or regulatory staff regarding SCI systems design or requisite regulatory approvals resulted in one or more SCI systems operating in a manner not in compliance with the SCI SRO's rules and, thus, in a manner other than how the users of the SCI SRO's SCI systems, as well as market participants generally, have been informed that such systems would operate. Another example of a systems compliance issue could arise when a change to an SCI system is made by information technology staff that results in the system operating in a manner that fails to comply with the federal securities laws and rules thereunder.

---------------------------------------------------------------------------

\153\ As discussed in infra Section III.C.2, one of the elements of the safe harbor in proposed Rule 1000(b)(2)(ii)(A) would require that an SCI entity establish policies and procedures that provide for ongoing monitoring of SCI systems functionality to detect whether SCI systems are operating in the manner intended. This element would require that each SCI entity establish parameters for detection of a systems compliance issue, and is not intended to suggest one set of parameters for all SCI entities.
---------------------------------------------------------------------------

The phrase ``operate in a manner that does not comply with * * * the entity's rules or governing documents'' would mean that an SCI entity is operating in a manner that does not comply with the entity's applicable rules and other documents, whether or not filed with the Commission. Generally, such rules or other documents are made available to the public and/or to members, clients, users, and/or participants in the SCI entity.\154\ Specifically, for an SCI SRO, this phrase would include operating in a manner that does not comply with the SCI SRO's rules as defined in the Exchange Act and the rules thereunder.\155\ For a plan processor, this phrase would include operating in a manner that does not comply with an applicable effective national market system plan. For an SCI ATS or exempt clearing agency subject to ARP, this phrase would include operating in a manner that does not comply with documents such as subscriber agreements and any rules provided to subscribers and users and, for ATSs, described in their Form ATS filings with the Commission.\156\

---------------------------------------------------------------------------

\154\ For example, each SCI SRO is required to publish its rules on its publicly available Web site. See 15 U.S.C. 78s(b)(2)(E). Each plan processor is also required to post amendments to its national market system plan on its Web site. See 17 CFR 242.608. Subscriber agreements and other similar documents that govern operations of SCI ATSs and exempt clearing agencies subject to ARP are generally not publicly available, but are provided to subscribers and users of such entities.

\155\ The rules of an SCI SRO are defined in Sections 3(a)(27) and (28) of the Exchange Act to include, among other things, its constitution, articles of incorporation, and bylaws. See 15 U.S.C. 78c(a)(27)-(28). See also Exchange Act Rule 19b-4(c), 17 CFR 240.19b-4(c).

\156\ See 17 CFR 242.301(b) for a description of the filing requirements for ATSs.

---------------------------------------------------------------------------

Request for Comment

36. The Commission requests comment generally on the proposed definition of ``systems compliance issue.'' Do commenters believe it would be appropriate to define ``systems compliance issue'' to mean any instance in which an SCI system operates in a manner that does not comply with the federal securities laws and rules and regulations thereunder, or the entity's rules or governing documents, as applicable? Why or why not? If the proposed definition is not appropriate, what would be an appropriate definition? Do commenters believe that it is appropriate to limit the proposed definition of ``systems compliance issue'' to SCI systems? Why or why not? Please explain.

37. Do commenters believe that there should be exceptions to the proposed definition of systems compliance issue? If so, what should such exceptions be and why? For example, should the proposed definition of systems compliance issue include a de minimis exception? If so, what types of systems compliance issues should be considered de minimis and what criteria should be used to determine whether a systems compliance issue is de minimis? Should the proposed definition of systems compliance issue include a materiality threshold? If so, what types of systems compliance issues should be considered material and what criteria should be used to determine whether a systems compliance issue is material?

38. Do commenters believe other types of documents or agreements should be included in the definition? If so, please specify the types of documents or agreements and explain why.

39. How often do SCI entities currently experience systems compliance issues?

c. Systems Intrusion

The Commission proposes that ``systems intrusion'' be defined as ``any unauthorized entry into the SCI systems or SCI security systems of an SCI entity.'' The proposed definition is intended to cover all unauthorized entry into SCI systems or SCI security systems by outsiders, employees, or agents of the SCI entity, regardless of whether the intrusions were part of a cyber attack, potential criminal activity, or other unauthorized attempt to retrieve, manipulate or destroy data, or access or disrupt systems of SCI entities. The proposed definition of systems intrusion would cover the introduction of malware or other attempts to disrupt SCI systems or SCI security systems of SCI entities provided that such systems were actually breached. In addition, the proposed definition is intended to cover unauthorized access, whether intentional or inadvertent, by employees or agents of the SCI entity that result from weaknesses in the SCI entity's access controls and/or procedures. The proposed definition would not, however, cover unsuccessful attempts at unauthorized entry. An unsuccessful systems intrusion by definition is much less likely than a successful intrusion to disrupt the systems of an SCI entity. Moreover, because it is impossible to prevent attempted intrusions, the Commission preliminarily believes at this time that the focus of this aspect of proposed Regulation SCI should be on successful unauthorized entry.

Request for Comment

40. The Commission requests comment generally on the proposed definition of ``systems intrusion.'' Is the proposed definition sufficiently clear? If not, why not? Do commenters believe that it is appropriate to apply the proposed definition of ``systems [[Page 18104]] intrusion'' to both SCI systems and SCI security systems? Why or why not? Please explain.

41. Do commenters believe it is appropriate to exclude from the proposed definition of systems intrusion an attempted intrusion that did not breach systems or networks? Why or why not? Should significant, sophisticated, repeated, and/or attempted intrusions, even if unsuccessful, be included? Why or why not? If yes, please explain what categories of attempted intrusions should be covered by the proposed rule and why.

42. Should the proposed definition of systems intrusion be expanded to include the unauthorized use or unintended release of information or data, for example, by an employee or agent of an SCI entity? Why or why not? If so, should the definition be limited to the unauthorized use of non-public or confidential information or should it apply to any unauthorized use of information or data? The Commission recognizes that including in the definition all instances of unauthorized use or unintended release of information or data may be broad and solicits comment generally on how the definition might be more narrowly defined to encompass those types of events that commenters believe would be appropriate to be included in proposed Regulation SCI.

43. How often do SCI entities currently experience known systems intrusions or known attempted systems intrusions?

d. Dissemination SCI Events

The Commission proposes that the term ``dissemination SCI event'' be defined as ``an SCI event that is a: (1) Systems compliance issue; (2) systems intrusion; or (3) systems disruption that results, or the SCI entity reasonably estimates would result, in significant harm or loss to market participants.'' \157\

---------------------------------------------------------------------------

\157\ See proposed Rule 1000(a).
---------------------------------------------------------------------------

As discussed below in Section III.C.3, proposed Rule 1000(b)(5) includes requirements for disseminating information regarding certain SCI events to members or participants.\158\ Specifically, only information relating to dissemination SCI events would be required to be disseminated to members or participants pursuant to proposed Rule 1000(b)(5).\159\ The Commission recognizes that public disclosure of each and every systems issue (such as very brief outages or minor disruptions of normal systems operations where the effects on trading, market data, and clearance and settlement are immaterial) could be counterproductive, potentially overwhelming the public with information, masking significant issues that might arise, and thus preliminarily believes that requiring the dissemination of information about dissemination SCI events to members or participants would promote dissemination of information to persons who are most directly affected by such events and who would most naturally need, want, and be able to act on the information, without creating a separate regulatory standard governing when broader public disclosure should be made.

---------------------------------------------------------------------------

\158\ Proposed Rule 1000(b)(5) would require the dissemination of specified information relating to dissemination SCI events and specify the nature and timing of such dissemination, with a delay in dissemination permitted for certain systems intrusions. See infra Section III.C.3.c.

\159\ See infra note 235.

---------------------------------------------------------------------------

In the case of a dissemination SCI event, the Commission preliminarily believes that dissemination to members or participants of the nature of the event and the steps being taken to remedy it would be necessary to help ensure that potentially impacted market participants, and others that might be evaluating whether to use the affected systems, have basic information about the event so that they might be able to better assess what, if any, next steps they might deem prudent to take in light of the event.\160\

---------------------------------------------------------------------------

\160\ However, as discussed below, the Commission recognizes that, in the case of systems intrusions, there may be circumstances in which full prompt dissemination of information to members or participants of a systems intrusion could hinder an investigation into such an intrusion or an SCI entity's ability to mitigate it. As such, the Commission is proposing that dissemination of information for certain systems intrusions could be delayed in specified circumstances. Specifically, the Commission is proposing that an SCI entity disseminate information about a systems intrusion to its members or participants, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity's SCI systems or SCI security systems, or an investigation of the systems intrusion, and documents the reasons for such determination. See proposed Rule 1000(b)(5)(ii) and text accompanying infra note 174. The Commission preliminarily believes, however, that an SCI entity should ultimately disseminate information regarding systems intrusions, and that the provisions of proposed Rule 1000(b)(5)(ii) permitting a delay in dissemination, if applicable, should only affect the timing of such dissemination. The Commission notes that some Roundtable panelists and commenters discussed the role that communications and disclosure should play in mitigation of risk from systems issues. For example, panelists from Citadel, DE, Nasdaq, Lime, and TDA, among others, spoke about the role of communications and management involvement in responding to errors. See discussion of Roundtable, supra Section I.D. See also text accompanying infra note 238.

---------------------------------------------------------------------------

Proposed Rule 1000(a) specifies three categories of SCI events that would constitute a dissemination SCI event. First, any SCI event that is a systems compliance issue would be a dissemination SCI event.\161\ The Commission preliminarily believes that, if an SCI entity's SCI systems were operating in a manner not in compliance with the federal securities laws and rules and regulations thereunder, or the entity's rules or governing documents, as applicable, the SCI entity should be required to disseminate that information to all members or participants, i.e., the users of its SCI systems. In addition, because SCI entities that are SCI SROs or plan processors are required by the Exchange Act to comply with their rules, proposing to require dissemination of information about systems compliance issues to members or participants should help to reinforce this statutory obligation.

---------------------------------------------------------------------------

\161\ See supra Section III.B.3.b, discussing the definition of ``systems compliance issue.''

---------------------------------------------------------------------------

Second, any SCI event that is a systems intrusion would also be a dissemination SCI event. The Commission preliminarily believes that a systems intrusion may represent a significant weakness in the security of an SCI entity's systems and thus warrant dissemination of information to an SCI entity's members or participants. However, because detailed information about a systems intrusion may expose an SCI entity's systems to further probing and attack, an SCI entity would only be required to provide a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved.\162\ In addition, because immediate dissemination of information about a systems intrusion may in some cases further compromise the security of the SCI entity's SCI systems or SCI security systems, or an investigation of the systems intrusion, an SCI entity in some cases may be permitted to delay the dissemination of information about such systems intrusion.\163\

---------------------------------------------------------------------------

\162\ See infra Section III.C.3.c and proposed Rule 1000(b)(5)(ii).

\163\ See id.

---------------------------------------------------------------------------

Finally, the Commission is proposing that any systems disruption that results, or the SCI entity reasonably estimates would result, in significant harm or loss to market participants would also be a dissemination SCI event. Some systems disruptions may have an immediate, obvious, and detrimental impact on market participants, hampering the ability of an SCI entity's members or participants to utilize the SCI entity's SCI systems and, in some cases, making [[Page 18105]] such systems unusable. At the same time, the Commission recognizes that disseminating information relating to a single systems disruption that results in harm or loss to one or a small number of market participants that is not significant may not warrant the cost of such dissemination.
Furthermore, the Commission preliminarily believes that the proposed standard is appropriate in that it does not set a specific threshold or definition of ``significant harm or loss to market participants,'' and provides an SCI entity with reasonable discretion in estimating whether a given systems disruption has resulted, or would result, in significant harm or loss to market participants.\164\ Although the particular facts and circumstances will differ for each systems disruption, some systems disruptions would clearly result in significant harm or loss to market participants and warrant dissemination of information regarding such systems disruption to the SCI entity's members or participants, even if the harm or loss, or the potential harm or loss, is difficult to quantify. For example, if a market experiences a problem with a trading system such that order processing and execution in certain securities is halted and members are not able to confirm transactions in such securities, the Commission preliminarily believes that such a systems disruption would be a dissemination SCI event. In contrast, if a trading market or a clearing agency experienced a momentary power disruption causing a fail over to the backup data center with no customer, member, or participant impact, such SCI event would be a systems disruption requiring written notice to the Commission, but would not be a dissemination SCI event.

---------------------------------------------------------------------------

\164\ The tradeoffs of setting thresholds are discussed in the Economic Analysis Section below. See infra Section V.B.

---------------------------------------------------------------------------

Request for Comment

44. Do commenters believe the proposed definition of ``dissemination SCI event'' is appropriate? Why or why not?

45. Do commenters believe that a ``systems compliance issue'' should constitute a dissemination SCI event? Why or why not? Please explain.

46. Do commenters believe that a ``systems intrusion'' should constitute a dissemination SCI event? Why or why not? Please explain.

47. Do commenters believe that systems disruptions that meet the ``significant harm or loss to market participants'' standard should be included as dissemination SCI events? Why or why not? If not, what would be an appropriate threshold, and how should it be measured? Should the term ``significant harm or loss to market participants'' be further clarified or defined in the rule? Why or why not? If so, what should such clarification or definition be and why?

48. Would an alternative measurement, or group of alternative measurements, for systems disruptions, such as a 50 millisecond pause in service or some other nonmonetary measure (for example, out of memory situations, memory overloads, data loss due to an SCI system exceeding capacity limitations, excessive queuing or throttling), also be an appropriate and effective means to measure certain events about which an SCI entity should disseminate information to its members or participants? If so, what are they and why? Should any such measurements vary based on the type of SCI system involved? If so, how? Please be specific.

49. Are there any other types of systems disruptions that should be required to be disseminated to members or participants? If so, please explain why. Should, for example, information relating to a systems disruption be required to be disseminated to members or participants if it affects a certain number of market participants? If so, how should such a level (number of market participants) be determined?

4. Material Systems Changes

Rule 1000(a) of proposed Regulation SCI would define ``material systems change'' as ``a change to one or more: (1) SCI systems of an SCI entity that: (i) Materially affects the existing capacity, integrity, resiliency, availability, or security of such systems; (ii) relies upon materially new or different technology; (iii) provides a new material service or material function; or (iv) otherwise materially affects the operations of the SCI entity; or (2) SCI security systems of an SCI entity that materially affects the existing security of such systems.'' \165\ This proposed definition of ``material systems change'' is substantively similar to the definition of ``significant system change'' discussed in the ARP II Release.\166\

---------------------------------------------------------------------------

\165\ See proposed Rule 1000(a). See also infra Sections III.C.4 and III.C.6 discussing notices of material systems changes and reports of material systems changes, respectively.

\166\ See ARP II Release, supra note 1, at 22592-93. See also 2001 Staff ARP Interpretive Letter, supra note 35 (citing ARP II, supra note 1, at 22492-93: ``ARP II provides a non-exclusive list of factors that should be considered in determining whether a system change is significant and should be reported. The list includes a change that: (1) Affects existing capacity or security; (2) in itself raises capacity or security issues, even if it does not affect other existing systems; (3) relies upon substantially new or different technology; (4) is designed to provide a new service or function for SRO members or their customers; or (5) otherwise significantly affects the operations of the entity.'').
---------------------------------------------------------------------------

Item (1)(i) of the proposed definition of material systems change differs from item (1) in the definition in the ARP II Release of ``significant system change,'' as proposed item (1)(i) refers to changes to an SCI entity's SCI systems that affect not only capacity and security, but also integrity, resiliency, and availability.\167\ Items (1)(ii) and (1)(iii) in the proposed definition of material systems change are intended to be substantively identical to items (3) and (4) of the definition of significant system change in the 2001 Staff ARP Interpretive Letter, generally covering changes to an SCI entity's SCI systems designed to advance systems development.\168\ Proposed item (1)(iv), covering a change to an SCI entity's SCI systems that ``otherwise materially affects the operations of the SCI entity,'' is intended to require notification of major systems changes to SCI systems that are not captured by other elements of paragraph (1) of the proposed definition. Proposed item (2), covering a change to an SCI entity's SCI security systems that ``materially affects the existing security of such systems,'' is intended to ensure that significant changes that would affect the security of an SCI entity's SCI security systems (i.e., systems that share network resources with SCI systems that, if breached, would be reasonably likely to pose a security threat to SCI systems) \169\ are reported to the Commission.

---------------------------------------------------------------------------

\167\ Proposed item (1)(i) consolidates items (1) and (2) of the definition of material systems change in the 2001 Staff ARP Interpretive Letter. The Commission believes that the addition of integrity, resiliency, and availability aspects of SCI systems that are important in today's automated trading environments appropriately reflects the evolution of the types of systems issues since the 2001 Staff ARP Interpretive Letter.

\168\ In addition, each of proposed items (1)(i) through (1)(iii) is a change that concerns the adequacy of capacity estimates, testing, and security measures taken by an SCI entity, for which adequate procedures are required by proposed Rule 1000(b)(1). See infra Section III.C.1.

\169\ See supra Section III.B.2 (discussing definition of SCI security system).

---------------------------------------------------------------------------

Examples that the Commission preliminarily believes could be included within the proposed definition of material systems change are: Major systems architecture changes; reconfigurations of systems that would cause a variance greater than five percent in throughput or storage; the introduction of new business functions or services; changes to external interfaces; changes that could increase susceptibility to major outages; changes that could increase risks to data [[Page 18106]] security; changes that were, or would be, reported to or referred to the entity's board of directors, a body performing a function similar to the board of directors, or senior management; and changes that could require allocation or use of significant resources. These examples are cited in the 2001 Staff ARP Interpretive Letter.\170\ Based on Commission staff's experience working with SROs that have relied on the guidance provided in the 2001 Staff ARP Interpretive Letter, the Commission preliminarily believes that such examples could continue to be relevant guidance to SCI SROs as well as to other SCI entities.
In addition, the Commission preliminarily believes that any systems change occurring as a result of the discovery of an actual or potential systems compliance issue, as that term would be defined in proposed Rule 1000(a), would be material.
---------------------------------------------------------------------------
\170\ See supra note 35.
---------------------------------------------------------------------------
Based on its experience with SROs and other entities reporting significant systems changes in the context of the ARP Inspection Program, the Commission preliminarily believes that the proposed definition of material systems change is appropriate for all SCI entities. The Commission preliminarily believes that proposed items (1)(i)-(iv) and (2), which would cover changes affecting capacity estimates, security measures, the use of new technology and new functionality, could also highlight the need for SCI entities that are SROs, when applicable, to file a proposed rule change with the Commission under Section 19(b) of the Exchange Act and SCI entities that are SROs to file proposed amendments for SCI Plans under Rule 608 of Regulation NMS.\171\ As the Commission noted in ARP II, the purpose of urging SROs to notify Commission staff of significant system changes was not to supplant or provide an alternative means for SROs to satisfy their obligations to file proposed rule changes as required by the Exchange Act.\172\ Rather, under ARP II, the Commission was primarily concerned with fulfilling its oversight responsibilities and was also interested in obtaining a full view and understanding of systems development at SROs.\173\ Likewise, the proposal to require an SCI entity to notify the Commission of material systems changes would not relieve an SCI SRO of any obligation it may have to file a proposed rule change, the participants of an SCI Plan to file a proposed amendment to such SCI Plan, or any other obligation any SCI entity may have under the Exchange Act or rules thereunder.\174\
---------------------------------------------------------------------------
\171\ Section 19(b)(1) of the Exchange Act requires an SRO to file proposed rules and proposed rule changes with the Commission in accordance with rules prescribed by the Commission. See 15 U.S.C. 78s(b)(1). Section 19(b)(1) further requires the Commission to solicit public comment on any proposed rule change filed by an SRO. See id. Rule 608(a)(1) of Regulation NMS under the Exchange Act, 17 CFR 242.608(a)(1), permits ``self-regulatory organizations, acting jointly, [to] file a national market system plan or [to] propose an amendment to an effective national market system plan.'' Rule 608(b) of Regulation NMS, 17 CFR 242.608(b), requires the Commission to publish such proposed national market system plan or national market system plan amendment for notice and comment, and, in certain situations, approve such NMS plan or plan amendment before it may become effective.
\172\ See ARP II, supra note 1, at 22493. ARP II explained that because the rule change process pursuant to Section 19(b) of the Exchange Act and Rule 19b-4 thereunder ``imposes shortened timeframes for action on proposed rule changes and because not all systems changes trigger the need for changes to rules of the SROs,'' the rule change process was not providing staff with timely and complete detail on various significant systems changes occurring at the SROs. The policy of urging SROs to provide timely and accurate information on systems changes was intended as an adjunct to, and not a substitution for, the rule change process. See id.
\173\ See id. at 22493-94, n. 20.
\174\ See infra request for comment in Section III.C.1.b, wherein the Commission solicits comment on whether SCI SROs should be required to provide notice to their members of anticipated technology deployments prior to implementation and offer their members the opportunity to test anticipated technology deployments prior to implementation.
---------------------------------------------------------------------------
Request for Comment
50. The Commission requests comment generally on the proposed definition of ``material systems change.'' Is the proposed definition of material systems change clear? Should the Commission provide additional guidance on, or further define what would constitute a ``material systems change?'' Are there other factors that should be included? Please be specific and give examples of types of system changes that should be included in the proposed definition but currently are not.
51. The Commission sets forth above examples of systems changes that it preliminarily believes could be included within the proposed definition of material systems change (i.e., major systems architecture changes; reconfigurations of systems that would cause a variance greater than five percent in throughput or storage; the introduction of new business functions or services; changes to external interfaces; changes that could increase susceptibility to major outages; changes that could increase risks to data security; changes that were, or would be, reported to or referred to the entity's board of directors, a body performing a function similar to the board of directors, or senior management; and changes that could require allocation or use of significant resources). Do commenters agree each of these examples could constitute material systems changes? Why or why not?
52. Should any of the proposed factors be eliminated or refined? If so, please explain. Should material systems changes be defined to include cumulative systems changes over a specified period that might not otherwise qualify individually as a material systems change? For example, if systems changes (such as reconfigurations of systems that would cause a variance greater than five percent in throughput or storage) occurred that, on their own, each would not constitute a material systems change but, if grouped together with other similar or even identical changes (or, alternatively, that occurred repeatedly over a certain period of time such as a week or a month) could represent a material system change, should such changes together be considered a material systems change? If so, what would be the appropriate number of similar or identical systems changes that should be considered and/or what would be an appropriate time period to consider? Should all non-material systems changes count towards this threshold or should only non-material systems changes of the same or similar type count? Would cumulative changes over a week be an appropriate measurement period? Would a 30-day measurement period be appropriate? Should the period be longer or shorter? Please explain.
53. Do commenters believe that a change to the SCI systems of an SCI entity that ``materially affects the existing capacity, integrity, resiliency, availability, or security of such systems'' should constitute a material systems change as proposed? Why or why not? Should a change with respect to any of the proposed characteristics of such systems (i.e., capacity, integrity, resiliency, availability, or security) be eliminated or modified? Should any be added? Please explain.
54. Should a change to the SCI systems of an SCI entity that ``relies upon materially new or different technology'' constitute a material systems change as proposed? Why or why not? Is the phrase ``materially new or different'' sufficiently clear? If not, please explain.
55. Should a change to an SCI entity's SCI systems that ``provides a new material service or material function'' constitute a material systems change as proposed? Why or why not? Is the phrase ``a new material service or [[Page 18107]] material function'' sufficiently clear? If not, please explain.
56. Do commenters believe it is appropriate to include a change to an SCI entity's SCI systems that ``otherwise materially affects the operations of the SCI entity'' as proposed? Why or why not? Please explain.
57. Do commenters believe that a change to the SCI security systems of an SCI entity that ``materially affects the existing security of such systems'' should constitute a material systems change as proposed? Why or why not? Please explain.
58. Do commenters believe the rule should include quantitative criteria or other minimum thresholds for the effect of a change to an SCI entity's SCI systems or SCI security systems beyond which the Commission must be notified of the change? Why or why not? If so, what should such quantitative criteria or other minimum thresholds be and why?
59. How often do SCI entities currently make material systems changes? How often do SCI SROs make material systems changes and what percentage of the time are such changes filed with the Commission as proposed rule changes under Section 19 of the Exchange Act?
C. Proposed Rule 1000(b): Obligations of SCI Entities
Paragraph (b) of proposed Rule 1000 would set forth requirements that would apply to SCI entities relating to written policies and procedures, obligations with regard to corrective actions, reporting of SCI events to the Commission, dissemination of information relating to certain SCI events to members or participants, reporting of material systems changes, SCI reviews, and the participation of designated members or participants of SCI entities in testing the business continuity and disaster recovery plans of SCI entities.
1. Policies and Procedures To Safeguard Capacity, Integrity, Resiliency, Availability, and Security \175\
---------------------------------------------------------------------------
\175\ See infra Sections IV.D.1.a and V.B for discussions related to current practices of SCI entities.
---------------------------------------------------------------------------
Proposed Rule 1000(b)(1) would require each SCI entity to establish, maintain, and enforce written policies and procedures, reasonably designed to ensure that its SCI systems and, for purposes of security standards, SCI security systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity's operational capability and promote the maintenance of fair and orderly markets. Proposed Rule 1000(b)(1)(i) would further provide that such policies and procedures include, at a minimum: ``(A) The establishment of reasonable current and future capacity planning estimates; (B) periodic capacity stress tests of such systems to determine their ability to process transactions in an accurate, timely, and efficient manner; (C) a program to review and keep current systems development and testing methodology for such systems; (D) regular reviews and testing of such systems, including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters; (E) business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse to ensure next business day resumption of trading and two-hour resumption of clearance and settlement services following a wide-scale disruption; and (F) standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data.'' \176\ Proposed Rule 1000(b)(1)(ii)
would deem an SCI entity's policies and procedures required by proposed Rule 1000(b)(1) to be reasonably designed if they are consistent with SCI industry standards.\177\ In particular, for purposes of complying with proposed Rule 1000(b)(1), if an SCI entity has policies and procedures that are consistent with such SCI industry standards, as discussed further in Section III.C.1.b below, such policies and procedures would be deemed to be reasonably designed and thus the SCI entity would be in compliance with proposed Rule 1000(b)(1). In addition, under proposed Rule 1000(b)(1)(ii), compliance with the identified SCI industry standards would not be the exclusive means to comply with the requirements of proposed Rule 1000(b)(1). --------------------------------------------------------------------------- \176\ See proposed Rule 1000(b)(1)(i)(A)-(F). \177\ See infra Section III.C.1.b. --------------------------------------------------------------------------- a. Proposed Rule 1000(b)(1)(i) Proposed Rule 1000(b)(1) would require that an SCI entity have policies and procedures that address items (i)(A)-(F) for its SCI systems and, for purposes of security standards, SCI security systems. 
Items (A)-(C) enumerated in proposed Rule 1000(b)(1)(i) are substantively the same as the requirements of Rule 301(b)(6)(ii)(A)-(C) of Regulation ATS, applicable to significant-volume alternative trading systems, and trace their origin to the ARP I Release.\178\ With respect to SCI systems and, as applicable, SCI security systems, proposed item (A), which would require an SCI entity to establish, maintain, and enforce policies and procedures for the establishment of reasonable current and future capacity planning estimates, and proposed item (B), which would require an SCI entity to establish, maintain, and enforce policies and procedures for periodic capacity stress tests of such systems, would help an SCI entity determine its systems' ability to process transactions in an accurate, timely, and efficient manner, and thereby help ensure market integrity. Proposed item (C), which would require an SCI entity to establish, maintain, and enforce policies and procedures that include a program to review and keep current systems development and testing methodology for such systems, would help ensure that the SCI entity continues to monitor and maintain systems capacity and availability. --------------------------------------------------------------------------- \178\ See 17 CFR 242.301(b)(6)(ii)(A)-(C); see also ARP I Release, supra note 1, at 48706-07. --------------------------------------------------------------------------- Proposed item (D), which would require an SCI entity to establish, maintain, and enforce policies and procedures to review and test regularly such systems, including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters, would likewise assist an SCI entity in ascertaining whether its SCI systems and SCI security systems are and remain sufficiently secure and resilient. 
Unlike Rule 301(b)(6)(ii)(D) of Regulation ATS, proposed item (D) includes ``manmade disasters'' in the list of vulnerabilities an SCI entity would be required to consider and protect against. The Commission proposes to add ``manmade disasters'' to be clear that acts of terrorism and sabotage--threats that some SCI entities have faced in recent history \179\--are threats that an SCI entity must prepare for in reviewing and testing its systems and operations. --------------------------------------------------------------------------- \179\ See, e.g., supra note 61. --------------------------------------------------------------------------- Proposed items (B), (C), and (D) would each require, among other things, the establishment of policies and procedures relating to various aspects of systems testing, including capacity stress tests, testing methodology, and tests for systems vulnerabilities to internal and external threats, physical hazards, and natural or manmade disasters, respectively. The Commission preliminarily believes that, to help ensure an effective testing regime, such [[Page 18108]] policies and procedures would need to address when testing with members, participants, and other market participants would be appropriate.\180\ --------------------------------------------------------------------------- \180\ See also the Commission's request for comment in infra Sections III.C.1.b and III.C.7, on whether proposed Regulation SCI should be more prescriptive regarding testing standards and requirements in light of comments on testing made by Roundtable panelists and commenters, and the closure of the national securities exchanges in the wake of Superstorm Sandy, as discussed in the text accompanying supra notes 78-83. 
--------------------------------------------------------------------------- Proposed item (E), which would require SCI entities to establish, maintain, and enforce policies and procedures for business continuity and disaster recovery plans, is substantially similar to a requirement in Rule 301(b)(6)(ii) of Regulation ATS and ARP I.\181\ However, proposed item (E) would further require SCI entities to have plans for maintaining backup and recovery capabilities sufficiently resilient and geographically diverse to ensure next business day resumption of trading and two-hour resumption of clearance and settlement services following a wide-scale disruption. The proposed resiliency and geographic diversity requirement is designed particularly to help ensure that an SCI entity would be able to continue operations from the backup site during a wide-scale disruption resulting from natural disasters, terrorist activity, or other significant events. For example, the Commission preliminarily believes that backup sites should not rely on the same infrastructure components (e.g., transportation, telecommunications, water supply, and electric power) used by the primary site.\182\ The proposed next business day trading resumption standard reflects the Commission's preliminary view that an SCI entity, being part of the critical infrastructure of the U.S. 
securities markets, should have plans to limit downtime caused by a wide-scale disruption to less than one business day.\183\ Likewise, the proposed two-hour resumption standard for clearance and settlement services, which traces its origin to the 2003 Interagency White Paper,\184\ reflects the Commission's preliminary view that an SCI entity that is a registered clearing agency or an ``exempt clearing agency subject to ARP'' should have contingency plans to avoid a scenario in which failure to settle transactions by the end of the day could present systemic risk to the markets.\185\ --------------------------------------------------------------------------- \181\ See 17 CFR 242.301(b)(6)(ii)(E); ARP I Release, supra note 1, at 48706. \182\ See 2003 Interagency White Paper, supra note 31. As discussed further below in Section III.C.1.b, proposed Rule 1000(b)(1) would require an SCI entity to have policies and procedures that are ``reasonably designed'' and ``adequate to maintain [its] operational capability and promote the maintenance of fair and orderly markets.'' Proposed Rule 1000(b)(1)(i)(E) would require that such policies and procedures include ``business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse,'' (emphasis added) to ensure next business day or two-hour resumption as applicable, following a wide-scale disruption. While ``sufficient'' geographic diversity would be a required element of reasonably designed business continuity and disaster recovery plans, the proposed rule does not specify any particular minimum distance or geographic location that would be necessary to achieve the requisite level of geographic diversity. Instead, the proposed rule focuses on the ability to achieve the goal of resuming business within the applicable time frame in the wake of a wide-scale disruption. 
As noted above, the Commission also preliminarily believes that an SCI entity should have a reasonable degree of flexibility to determine the precise nature and location of its backup site depending on the particular vulnerabilities associated with those sites, and the nature, size, technology, business model, and other aspects of its business. \183\ Standards with respect to resilient and geographically remote back-up sites and resumption of operations are discussed in the 2003 Interagency White Paper and the 2003 Policy Statement on Business Continuity Planning for Trading Markets, and these publications are proposed to be designated as industry standards in the context of contingency planning. See 2003 Interagency White Paper, supra note 31 and 2003 Policy Statement on Business Continuity Planning for Trading Markets, supra note 32. In addition, the 2003 Policy Statement on Business Continuity Planning for Trading Markets urged SRO markets and ECNs to ``have a business continuity plan that anticipates the resumption of trading * * * no later than the next business day following a wide-scale disruption.'' See supra note 32, at 56658. \184\ See supra note 31. See also infra note 195, discussing further the 2003 Interagency White Paper. \185\ The Commission believes that all clearing agencies that would be subject to proposed Regulation SCI (i.e., all of the registered clearing agencies and the current ``exempt clearing agency subject to ARP'') currently strive to adhere to this standard. --------------------------------------------------------------------------- Proposed item (F) would require SCI entities to have standards that result in systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data. 
As the Commission previously noted, when Congress mandated a national market system in 1975, it emphasized that the systems for collecting and distributing consolidated market data would ``form the heart of the national market system.'' \186\ As a result of consolidated market data, the public has ready access to a comprehensive, accurate, and reliable source of information for the prices and volume of any NMS stock at any time during the trading day.\187\ This information helps to ensure that the public is aware of the best displayed prices for a stock, no matter where they may arise in the national market system.\188\ It also enables investors to monitor the prices at which their orders are executed and assess whether their orders received best execution.\189\ Further, as noted above, one of the findings of the May 6 Staff Report is that ``fair and orderly markets require that the standards for robust, accessible, and timely market data be set quite high.'' \190\ The Commission believes that the accurate, timely and efficient processing of data is similarly important to the proper functioning of the securities markets. For example, if a clearing agency were not able to process data accurately, settlements could potentially be impacted. Similarly, if an exchange does not process trades accurately, erroneous executions could occur. --------------------------------------------------------------------------- \186\ See Concept Release on Equity Market Structure, supra note 42, at 3600 (quoting H.R. Rep. No. 94-229, 94th Cong., 1st Sess. 93 (1975)). \187\ See id. \188\ See id. \189\ See id. The benefits of consolidated market data discussed here are true for the options markets as well. \190\ See May 6 Staff Report, supra note 56, at 8. 
---------------------------------------------------------------------------
Consistent with these goals and Congress's statement, proposed item (F) would be a new requirement that has no precedent in either Rule 301(b)(6) of Regulation ATS or the ARP policy statements and would require SCI entities to have ``standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data.'' \191\ The Commission preliminarily believes that proposed item (F) would assist an SCI entity in ensuring that its market data systems are designed to maintain market integrity.
---------------------------------------------------------------------------
\191\ This proposed requirement is consistent with Rule 603(a) of Regulation NMS, which states that any ``* * * broker or dealer with respect to information for which it is the exclusive source, that distributes information with respect to quotations for or transactions in an NMS stock to a securities information processor shall do so on terms that are fair and reasonable.'' In adopting Regulation NMS, the Commission stated that Rule 603(a) ``prohibits an SRO or broker-dealer from transmitting data to a vendor or user any sooner than it transmits the data to a Network processor.'' Rule 603(a) by its terms applies only to NMS stocks. See supra note 121. See also 17 CFR 242.603(a).
---------------------------------------------------------------------------
b. Proposed Rule 1000(b)(1)(ii)
Proposed Rule 1000(b)(1) would generally require that each SCI entity's policies and procedures be reasonably designed to ensure that its SCI systems and, for purposes of security standards, SCI security systems, ``have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity's operational capability and promote the maintenance [[Page 18109]] of fair and orderly markets.'' As discussed above, proposed Rule 1000(b)(1)(i) would also require that an SCI entity have policies and procedures that address items (A)-(F). The Commission notes that SCI entities that are ARP participants have been applying the ARP I principles underlying proposed Rule 1000(b)(1)(i)(A)-(F) for many years. However, while the items enumerated in proposed Rule 1000(b)(1)(i)(A)-(F) identify the areas that would be required to be addressed by an SCI entity's policies and procedures, the Commission is not proposing to prescribe the specific policies and procedures an SCI entity must follow to comply with the requirements of proposed Rule 1000(b)(1). Instead, the Commission intends to, and preliminarily believes that the proposed requirements as written would, provide SCI entities sufficient flexibility, based on the nature, size, technology, business model, and other aspects of their business, to identify appropriate policies and procedures that would meet the articulated standard, namely that they be reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain the SCI entity's operational capability and promote the maintenance of fair and orderly markets. However, the Commission also preliminarily believes that it would be helpful to SCI entities to provide additional guidance about one way in which they might elect to satisfy this general standard in proposed Rule 1000(b)(1).
Therefore, the Commission is proposing Rule 1000(b)(1)(ii), which would provide that, for purposes of complying with proposed Rule 1000(b)(1), an SCI entity's policies and procedures would be deemed to be reasonably designed, and thus satisfy the requirements of proposed Rule 1000(b)(1), if they are consistent with current SCI industry standards. Proposed Rule 1000(b)(1)(ii) further states that such SCI industry standards shall be: (A) comprised of information technology practices that are widely available for free to information technology professionals in the financial sector; and (B) issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization. Proposed Rule 1000(b)(1)(ii) would additionally provide that compliance with the SCI industry standards identified in the proposal would not be the exclusive means to comply with the requirements of paragraph (b)(1). As noted above, the Commission intends to, and preliminarily believes that the proposed requirements as written would, provide SCI entities sufficient flexibility, based on the nature, size, technology, business model, and other aspects of their business, to identify appropriate policies and procedures to comply with proposed Rule 1000(b)(1). The Commission is proposing this approach because it preliminarily believes that providing additional guidance on the types of industry standards that would satisfy the requirements of proposed Rule 1000(b)(1) could assist an SCI entity in determining how to best allocate resources to maintain its systems' operational capability, and promote the maintenance of fair and orderly markets.\192\ The Commission acknowledges that current industry standards applicable to SCI entities have been developed in a number of areas to help ensure that systems have adequate capacity, integrity, resiliency, availability, and security. 
Accordingly, the current SCI industry standards that would be deemed to be reasonably designed for purposes of proposed Rule 1000(b)(1) are not limited to the SCI industry standards discussed and contained in the publications identified in Table A below, but rather may be found in a variety of publications, issued by a range of sources. The Commission acknowledges that an SCI entity's choice of a current SCI industry standard in a given domain or subcategory thereof may be different than those contained in the publications identified in Table A. Further, some of the identified standards may be more relevant for some SCI entities than others, based on the nature and amount of their respective activities. Thus, the Commission's proposed approach is designed to provide a non-exclusive method of compliance. --------------------------------------------------------------------------- \192\ See infra Sections V.B and V.C, discussing market failures and the anticipated economic benefits of proposed Regulation SCI. Each SCI entity, to the extent it seeks to rely on SCI industry standards in complying with proposed Rule 1000(b)(1), would have discretion to identify those industry standards that provide an appropriate way for it to comply with the requirements set forth in the rule, given its technology, business model, and other factors. --------------------------------------------------------------------------- The Commission preliminarily believes that the publications set forth in Table A below \193\ contain examples of SCI industry standards that an SCI entity may elect to look to in establishing its policies and procedures under proposed Rule 1000(b)(1). However, as proposed Rule 1000(b)(1)(ii) makes clear, compliance with such current SCI industry standards would not be the exclusive means to comply with the requirements of proposed Rule 1000(b)(1). 
Thus, as proposed, written policies and procedures that are consistent with the relevant examples of SCI industry standards contained in the publications identified in Table A, would be deemed to be ``reasonably designed'' for purposes of proposed Rule 1000(b)(1). The publications identified in Table A cover nine inspection areas, or ``domains,'' that have evolved over the past 20 years of the ARP Inspection Program and that are relevant to SCI entities' systems capacity, integrity, resiliency, availability, and security, namely: Application controls; capacity planning; computer operations and production environment controls; contingency planning; information security and networking; audit; outsourcing; physical security; and systems development methodology. --------------------------------------------------------------------------- \193\ Each of these publications would meet the proposed criteria that they be: (i) Information technology practices that are widely available for free to information technology professionals in the financial sector; and (ii) issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization. See proposed Rules 1000(b)(1)(ii). --------------------------------------------------------------------------- The publications included in Table A set forth industry standards that the Commission understands are currently used by information technology and audit professionals in the financial and government sectors. These industry standards have been issued primarily by NIST and FFIEC. NIST, an agency within the U.S. Department of Commerce, has issued special publications regarding information technology systems. The FFIEC is a U.S. intergovernmental body that prescribes uniform principles and practices for the examination of certain financial institutions by U.S. 
regulators, and has issued publications on numerous topics, including development and acquisition of applications, computer operations, outsourcing technology, business continuity planning, information security, and internal audits.\194\ In addition to these standards issued by FFIEC and NIST, financial regulatory agencies, including the Commission, provided guidance on business continuity and disaster recovery plans [[Page 18110]] in the 2003 Interagency White Paper \195\ and the 2003 Policy Statement on Business Continuity Planning for Trading Markets.\196\ --------------------------------------------------------------------------- \194\ The federal agencies represented on the FFIEC are the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, Office of the Comptroller of the Currency, and the Consumer Financial Protection Bureau. \195\ See 2003 Interagency White Paper, supra note 31. In the 2003 Interagency White Paper, which was issued jointly by the Commission, the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency, the agencies identified a broad consensus on three important business continuity objectives: (1) Rapid recovery and timely resumption of critical operations following a wide-scale disruption; (2) rapid recovery and timely resumption of critical operations following the loss or inaccessibility of staff in at least one major operating location; and (3) a high level of confidence, through ongoing use or robust testing, that critical internal and external continuity arrangements are effective and compatible. See id. at 17811. The agencies also identified sound practices for core clearing and settlement organizations and firms that play significant roles in critical financial markets. 
They stated that in this context, ``core clearing and settlement organizations'' consist of market utilities that provide clearing and settlement services for critical financial markets or act as large-value payment system operators and present systemic risk to the markets should they be unable to perform. ``Firms that play significant roles in critical financial markets'' refers to organizations whose participation in one or more critical financial markets is significant enough that their failure to settle their own or their customers' material pending transactions by the end of the day could present systemic risk to the markets. The sound practices address the risks of a wide-scale disruption and strengthen the resilience of the financial system. They also reduce the potential that key market participants will present systemic risk to one or more critical markets because primary and back-up processing facilities and staffs are concentrated within the same geographic region. The sound practices are as follows. First, identify clearing and settlement activities in support of critical financial markets. These activities include the completion of pending large-value payments; clearance and settlement of material pending transactions; meeting material end-of-day funding and collateral obligations necessary to ensure the performance of pending large-value payments and transactions; and updating records of accounts. Second, determine appropriate recovery and resumption objectives for clearing and settlement activities in support of critical markets. In this regard, core clearing and settlement organizations are expected to develop the capacity to recover and resume clearing and settlement activities within the business day on which the disruption occurs with the overall recovery goal of two hours after an event. Third, maintain sufficient geographically dispersed resources to meet recovery and resumption objectives. 
The 2003 Interagency White Paper states that back-up arrangements should be as far away from the primary site as necessary to avoid being subject to the same set of risks as the primary location and should not rely on the same infrastructure components used by the primary site. Fourth, routinely use or test recovery and resumption arrangements. This includes regular tests of internal recovery and resumption arrangements as well as cross-organization tests to ensure the effectiveness and compatibility of recovery and resumption strategies within and across critical markets. See id. at 17811-13. \196\ See supra note 32. The Commission's policy statement applies more broadly to all ``SRO markets'' and ECNs, not just those that play ``significant roles in critical financial markets,'' as discussed in the 2003 Interagency White Paper. Each SRO market and ECN is expected to (1) have in place a business continuity plan that anticipates the resumption of trading in the securities traded by that market no later than the next business day following a wide-scale disruption; (2) maintain appropriate geographic diversity between primary and back-up sites in order to assure resumption of trading activities by the next business day; (3) assure the full resilience of shared information streams, such as the consolidated market data stream generated for the equity and options markets; and (4) confirm the effectiveness of the back-up arrangements through testing. See id. at 56658. --------------------------------------------------------------------------- Also included in Table A is a publication issued by the Institute of Internal Auditors (``IIA''). The IIA is an international professional association that has developed and published guidance setting forth industry best practices in internal auditing for internal audit professionals.
It has more than 175,000 members in 165 countries and territories around the world.\197\ IIA is also a credentialing organization, awarding the Certified Internal Auditor (CIA), Certified Government Auditing Professional (CGAP), Certified Financial Services Auditor (CFSA), Certification in Control Self-Assessment (CCSA), and Certification in Risk Management Assurance (CRMA) certifications to those who meet the requirements.\198\ The Commission preliminarily believes these factors support identification of IIA as an authoritative body that is a widely recognized organization. --------------------------------------------------------------------------- \197\ See IIA's 2011 Annual Report, available at: https://na.theiia.org/about-us/Pages/Annual-Reports.aspx. \198\ See id. --------------------------------------------------------------------------- In addition, one of the publications identified in Table A is issued by the Security Benchmarks division of the Center for Internet Security (``CIS''). The CIS is a not-for-profit organization focused on enhancing the cybersecurity readiness and response of public and private sector entities. The CIS Security Benchmarks division facilitates the development of industry best practices for security configuration, tools for measuring information security status, and resources to assist entities in making security investment decisions.\199\ Its members include commercial organizations, academic organizations, government agencies, and security service, consulting, and software organizations.\200\ According to the CIS, its benchmarks are regularly referred to by U.S. government agencies for compliance with information security rules and regulations.\201\ The Commission preliminarily believes these factors support a determination that CIS is an authoritative body that is a widely recognized organization. 
--------------------------------------------------------------------------- \199\ See https://benchmarks.cisecurity.org/en-us/?route=default.about. \200\ See https://benchmarks.cisecurity.org/en-us/?route=membership. \201\ The CIS states that its benchmarks are widely accepted by U.S. government agencies for compliance with the Federal Information Security Management Act (FISMA), Gramm-Leach-Bliley Act, Sarbanes-Oxley Act, The Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other regulatory requirements for information security. See https://benchmarks.cisecurity.org/en-us/?route=membership. --------------------------------------------------------------------------- Table A lists the publication(s) that the Commission has preliminarily identified as SCI industry standard(s) in each domain that an SCI entity, taking into account its nature, size, technology, business model, and other aspects of its business, could, but is not required to, use to establish, maintain, and enforce reasonably designed policies and procedures that satisfy the requirements of proposed Rule 1000(b)(1). Thus, the Commission is proposing that the industry standards contained in the publications identified in Table A be one example of ``current SCI industry standards'' for purposes of proposed Rule 1000(b)(1), and requests commenters' views on the appropriateness of each publication identified in Table A as a ``current SCI industry standard.'' Each listed publication is identified with specificity, and includes the particular publication's date, volume number, and/or publication number, as the case may be.
Thus, to the extent an SCI entity seeks to rely on SCI industry standards for purposes of complying with proposed Rule 1000(b)(1)(ii), the Commission intends SCI entities that establish policies and procedures based on the SCI industry standards contained in the publications set forth in Table A to enforce written policies and procedures, taking into account their nature, size, technology, business model, and other aspects of their business, consistent with relevant standards, even if the issuing organization were to subsequently update a given industry practice, until such time as the list of SCI industry standards were to be updated, as discussed below.\202\ Of course, SCI entities could elect to use standards contained in publications other than those identified on Table A to satisfy the requirements of proposed Rule 1000(b)(1).
--------------------------------------------------------------------------- \202\ See discussion in this Section III.C.1.b following Table A below. \203\ The Commission recently adopted a similar contingency planning practice in Rule 17Ad-22(d)(4) that requires registered clearing agencies to have policies and procedures designed to identify sources of operational risk and minimize those risks through the development of appropriate systems controls and procedures. See Securities Exchange Act Release No. 68080 (October 22, 2012), 77 FR 66220 (November 2, 2012). See also supra note 95. ---------------------------------------------------------------------------
[[Page 18111]]
Table A--Publications Relating to Industry Standards in 9 Domains
----------------------------------------------------------------------------------------------------------------
Domain: Application Controls
Industry standards: NIST DRAFT Security and Privacy Controls for Federal Information Systems and Organizations (Special Publication 800-53 Rev. 4), available at: https://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf.
----------------------------------------------------------------------------------------------------------------
Domain: Capacity Planning
Industry standards: FFIEC, Operations IT Examination Handbook (July 2004), available at: https://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_Operations.pdf.
----------------------------------------------------------------------------------------------------------------
Domain: Computer Operations and Production Environment Controls
Industry standards: NIST DRAFT Security and Privacy Controls for Federal Information Systems and Organizations (Special Publication 800-53 Rev. 4), available at: https://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf.
----------------------------------------------------------------------------------------------------------------
Domain: Contingency Planning (BCP) \203\
Industry standards:
    NIST Contingency Planning Guide for Federal Information Systems (Special Publication 800-34 Rev. 1), available at: https://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov11-2010.pdf.
    2003 Interagency White Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System, Securities Exchange Act Release No. 47638 (April 8, 2003), 68 FR 17809 (April 11, 2003), available at: https://www.sec.gov/news/studies/34-47638.htm.
    2003 Policy Statement on Business Continuity Planning for Trading Markets, Securities Exchange Act Release No. 48545 (September 25, 2003), 68 FR 56656 (October 1, 2003), available at: https://www.sec.gov/rules/policy/34-48545.htm.
----------------------------------------------------------------------------------------------------------------
Domain: Information Security and Networking
Industry standards:
    NIST DRAFT Security and Privacy Controls for Federal Information Systems and Organizations (Special Publication 800-53 Rev. 4), available at: https://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf.
    NIST Guidelines on Security and Privacy in Public Cloud Computing (Special Publication 800-144), available at: https://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf.
    The Center for Internet Security Configuration Benchmarks, available at: https://benchmarks.cisecurity.org/en-us/?route=downloads.benchmarks.
----------------------------------------------------------------------------------------------------------------
Domain: Audit
Industry standards:
    FFIEC, Audit IT Examination Handbook (August 2003), available at: https://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_Audit.pdf.
    IIA, The Role of Internal Auditing in Enterprise-wide Risk Management, available at: https://www.theiia.org/iia and https://www.theiaa.org/index.
----------------------------------------------------------------------------------------------------------------
Domain: Outsourcing
Industry standards: FFIEC, Outsourcing Technology Services IT Examination Handbook (June 2004), available at: https://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_OutsourcingTechnologyServices.pdf.
----------------------------------------------------------------------------------------------------------------
Domain: Physical Security
Industry standards: NIST DRAFT Security and Privacy Controls for Federal Information Systems and Organizations (Special Publication 800-53 Rev. 4), available at: https://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf.
----------------------------------------------------------------------------------------------------------------
Domain: Systems Development Methodology
Industry standards: NIST Security Considerations in the System Development Life Cycle (Special Publication 800-64 Rev. 2), available at: https://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf.
----------------------------------------------------------------------------------------------------------------
As noted above, each of the publications listed in Table A is intended to identify information technology practices that are widely available for free to information technology professionals in the financial sector and are issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization.
Although the industry standards contained in the publications identified in Table A above are intended as an appropriate initial set of industry standards under proposed Regulation SCI, the Commission does not seek to foreclose the development, whether by the Commission or otherwise, of a set of industry standards that is more focused on the specific businesses and systems of SCI entities.\204\ In such a case, the Commission preliminarily believes that it would be appropriate to use the industry standards contained in the publications listed in Table A as a starting point for such development. --------------------------------------------------------------------------- \204\ Standards issued by the Commission itself would meet the proposed criteria in that they would be: (i) Comprised of information technology practices that are widely available for free to information technology professionals in the financial sector; and (ii) issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization. --------------------------------------------------------------------------- Further, the Commission recognizes that systems and technologies are continually evolving. As such, the standards identified in this proposal would likely be updated from time to time by the organizations issuing them. However, the Commission also preliminarily believes that, following its initial identification of one set of SCI industry standards, it may be appropriate to update the identified set of standards from time to time through the periodic issuance of Commission staff guidance. 
Accordingly, the Commission preliminarily believes it would be appropriate for Commission staff, from time to time, to issue notices to update the previously identified set of SCI industry standards after receiving appropriate input from interested persons.\205\ The Commission preliminarily believes that this approach would provide the public, including SCI entities and other market participants, an opportunity to comment on newly proposed SCI industry standards. However, until such time as Commission staff were to update the identified set of SCI industry standards, the then-current set of SCI industry standards would be the standards referred to in proposed Rule 1000(b)(1)(ii) of Regulation SCI. --------------------------------------------------------------------------- \205\ As noted in the request for comment section below, the Commission solicits comment on the ways in which appropriate input from interested persons should be obtained for updating the SCI industry standards. --------------------------------------------------------------------------- As noted above, proposed Rule 1000(b)(1)(ii) would require that any SCI industry standards be: (i) Comprised of information technology practices that are widely available for free to information technology professionals in the financial sector; and (ii) issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or a widely recognized organization. [[Page 18112]]
Request for Comment
60. The Commission requests comment generally on proposed Rule 1000(b)(1). Do commenters believe the proposed scope of required policies and procedures is appropriate? Why or why not? Please explain. 61. Do commenters believe that it is appropriate to apply the requirements of proposed Rule 1000(b)(1) to SCI systems and, for purposes of security standards, to SCI security systems? Why or why not? Please explain. 62.
Do commenters believe the enumeration of the items in proposed Rule 1000(b)(1)(i)(A)-(F) that are to be addressed in the required policies and procedures is appropriate? Why or why not? Specifically, is the proposal to require that such policies and procedures include the establishment of reasonable current and future capacity planning estimates, as provided in proposed Rule 1000(b)(1)(i)(A), appropriate? Why or why not? 63. Should the Commission specify the interval (e.g., monthly or quarterly) at which SCI entities would be required to conduct periodic capacity stress tests of relevant systems, as provided in proposed Rule 1000(b)(1)(i)(B)? Should such periodic tests be limited to a subset of systems? If so, for which systems should such tests be required and why would that limitation be appropriate? 64. Should the Commission require SCI entities to have a program to review and keep current systems development and testing methodology, as proposed to be required in proposed Rule 1000(b)(1)(i)(C)? Why or why not? 65. Should the Commission specify the interval at which SCI entities would be required to conduct reviews and tests of SCI systems and SCI security systems, including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters, as provided in proposed Rule 1000(b)(1)(i)(D)? Why or why not? And, if so, what would be appropriate intervals and why? 66. The Commission notes that items (i)(B), (C), and (D) would each require the establishment of policies and procedures for: Testing of capacity, testing methodology, and testing for vulnerabilities, respectively. 
The Commission also notes that the need for improved testing was a recurring theme during the Roundtable and discussed in several comment letters.\206\ The Commission requests comment on whether the testing policies and procedures requirements in proposed Rule 1000(b)(1)(i)(B), (C), and (D) would be sufficiently comprehensive to foster development of the types of testing that Roundtable panelists and commenters recommended. Why or why not? Please be specific. Should the Commission require certain types of testing by SCI entities? Why or why not? Please be specific. If so, what specific types of testing should the Commission require in proposed Regulation SCI? Please describe in detail. --------------------------------------------------------------------------- \206\ See text accompanying supra note 72, discussing recommendations by Roundtable panelists and commenters to lower rates of error in software development by improving testing opportunities and participation in testing by member firms. See also text accompanying supra note 180. --------------------------------------------------------------------------- 67. Should the Commission require SCI entities to have, and make available to their members or participants, certain infrastructure or mechanisms that would aid industry-wide testing or direct testing with an SCI entity, such as test facilities or test symbols? Why or why not? If so, please specify what types of infrastructures or mechanisms should be required. 68. Should the Commission require industry-wide testing for certain types of anticipated technology deployments? \207\ Why or why not? If so, what should be the criteria for identifying anticipated technology deployments that warrant mandatory industry-wide testing and which market participants should be required to participate? Please explain in detail. 
--------------------------------------------------------------------------- \207\ See also infra Section III.C.7 (discussing, among other things, the requirement of proposed Rule 1000(b)(9)(ii) that an SCI entity coordinate the testing of the SCI entity's business continuity and disaster recovery plans, including its backup systems, with other SCI entities). --------------------------------------------------------------------------- 69. Should the Commission require SCI entities to mandate that their members or participants participate in direct testing with such SCI entities for certain types of anticipated technology deployments by the members or participants? \208\ Why or why not? If so, what should be the criteria for identifying anticipated technology deployments that warrant mandatory testing with an SCI entity? Should the Commission identify such criteria, or should SCI entities identify such criteria? Please explain. --------------------------------------------------------------------------- \208\ See also infra Section III.C.7 (discussing, among other things, the requirement of proposed Rule 1000(b)(9)(i) that an SCI entity require participation by designated members or participants in scheduled functional and performance testing of the operation of the SCI entity's business continuity and disaster recovery plans, including its backup systems). --------------------------------------------------------------------------- 70. Similarly, would proposed item (i)(E), regarding policies and procedures for business continuity and disaster recovery plans, be sufficiently comprehensive to foster the establishment of the types of contingency plans discussed by Roundtable panelists and Roundtable commenters, such as predetermined communication plans, escalation procedures, and/or kill switches? \209\ Why or why not? Should proposed Regulation SCI expressly require that an SCI entity's contingency plans include such details? \210\ Why or why not? Please explain. 
Should SCI entities' contingency plans and the testing of such plans be required to account for specific types of disaster or threat scenarios, such as an extreme volume surge, the failure of a major market participant, and/or a terrorist or cyber attack? Why or why not? Please explain. If so, what other types of scenarios should such plans take into account? Please be specific. --------------------------------------------------------------------------- \209\ See discussion of Roundtable in supra Section I.D. The Commission is not proposing at this time any requirements related to kill switches. \210\ See also infra Section III.C.3.a, discussing proposed Rule 1000(b)(3), which would require an SCI entity, upon any responsible SCI personnel becoming aware of an SCI event, to begin to take appropriate corrective action, including, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable, and the associated request for comment. --------------------------------------------------------------------------- 71. There was considerable discussion at the Roundtable about kill switches, with several panelists advocating the kill switch proposal outlined in the Industry Working Group comment letter,\211\ while others expressed concerns.\212\ The Commission is not proposing at this time any requirements related to kill switches. However, do commenters believe that the implementation of kill switches, as outlined in the Industry Working Group comment letter, would assist SCI entities in maintaining the integrity of their systems? Why or why not? If so, how, if at all, should the Commission foster the development of coordinated contingency plans among SCI SROs and SCI ATSs that would include such a kill switch mechanism? 
--------------------------------------------------------------------------- \211\ See letter from Industry Working Group, supra note 74 and accompanying text. \212\ See, e.g., letter from TDA, supra note 74. --------------------------------------------------------------------------- 72. Should the Commission include the criteria of geographic diversity in the requirement relating to business continuity and disaster recovery plans in proposed Rule 1000(b)(1)(i)(E)? Why or why not? Please explain. Should the Commission specify minimum standards for ``geographically diverse'' in proposed Rule 1000(b)(1)(i)(E)? Why or why not? If so, what would be an appropriate standard? 73. Is the next business day resumption of trading following a wide-scale disruption requirement in [[Page 18113]] proposed Rule 1000(b)(1)(i)(E) appropriate? Why or why not? Is the two-hour resumption of clearance and settlement services following a wide-scale disruption an appropriate requirement for an SCI entity that is a registered clearing agency or ``exempt clearing agency subject to ARP?'' Why or why not? 74. As discussed above, the U.S.
national securities exchanges closed for two business days in October 2012 in the wake of Superstorm Sandy, even though the securities industry's annual test of how trading firms, market operators, and their utilities could operate through an emergency using backup sites, backup communications, and disaster recovery facilities occurred without significant incident on October 27, 2012, just two days before the storm.\213\ As discussed in greater detail below, proposed Rule 1000(b)(9) would require SCI entities to mandate participation by designated members or participants in scheduled testing of the operation of their business continuity and disaster recovery plans, including backup systems, and to coordinate such testing with other SCI entities.\214\ Are there other industry practices related to proposed Regulation SCI that should be considered further in light of the two-day closure of the U.S. securities markets during the storm? If so, what are they? For example, for SCI entities that are trading markets, should the Commission limit the extent to which an SCI entity's business continuity and disaster recovery plans may involve changing how trading may be conducted? For example, the NYSE, pursuant to its rules, initially proposed to conduct trading only electronically on October 29, 2012, using NYSE Arca systems, rather than conduct trading both electronically as well as on a physical trading floor, as it normally does.\215\ Should an SCI entity that is experiencing a wide-scale disruption be permitted to offer its members or participants an alternative that significantly differs from its usual method of operation? Please explain. What are the costs and benefits associated with each type of approach? --------------------------------------------------------------------------- \213\ See supra Section I.D. \214\ See infra Section III.C.7. \215\ See supra Section I.D. --------------------------------------------------------------------------- 75. 
Should business continuity and disaster recovery plans involving backup data centers be required to be tested in a live ``production'' environment on a periodic basis (e.g., annually, or at some other frequency)? Why or why not? Please explain. 76. The Commission understands that certain entities that would be defined as SCI entities (such as registered clearing agencies) are already effectively operating under business resumption requirements of less than one business day. Should the Commission consider revising the proposed next business day resumption requirement for trading to a shorter or longer period, for example, a specific number of hours less or more than one business day or within the business day for certain entities that play a significant role within the securities markets? Why or why not? Similarly, should the proposed two-hour resumption standard for clearance and settlement services be shortened or lengthened? Why or why not? 77. Following a systems disruption (including, for example, activation of an SCI entity's business continuity plan), should the Commission require user testing and certification prior to resuming operation of the affected systems? Why or why not? If so, what should the testing requirements be? Should they vary depending on the type of system(s) affected? To whom should an SCI entity certify that an affected system or group of systems is ready to resume operation? 78. Is the requirement in proposed Rule 1000(b)(1)(i)(F) for ``standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data'' appropriate? Are there other factors that the Commission should consider in determining whether standards to process data are adequate? Or, should some of the proposed standards be eliminated or modified? If so, please explain how and why. 79. 
Do commenters believe there are specific internal controls or other mechanisms that would reinforce the effectiveness of an SCI entity's reasonably designed policies and procedures under proposed Rule 1000(b)(1)? Why or why not? Please explain. How do SCI entities presently use specific internal controls or other mechanisms to maintain the SCI entity's operational capability and promote the maintenance of fair and orderly markets? How do commenters generally view the advantages and disadvantages of specific internal controls or other mechanisms? The Commission is not proposing to prescribe specific internal controls under proposed Rule 1000(b)(1). Should the Commission propose that any particular internal controls or other mechanisms be required (for example, that a senior officer be designated to be responsible for the SCI entity's compliance with proposed Regulation SCI, or that personnel of the SCI entity certify that the SCI entity's policies and procedures are reasonably designed)? 80. Would any of the Commission's proposed requirements under proposed Rule 1000(b)(1) create inappropriate barriers to entry for new entities seeking to register with the Commission as an SRO, ATS, or plan processor? Would any of the proposed requirements inappropriately limit the growth or expansion of entities currently registered with the Commission as an SRO, ATS, or plan processor? Why or why not? 81. As noted above, the Commission proposes that policies and procedures would be deemed to be reasonably designed for purposes of proposed Rule 1000(b)(1) if they are consistent with current SCI industry standards. Do commenters agree with this approach? Why or why not? What are the advantages or disadvantages of such an approach? 82. Do commenters believe that the publications listed in Table A represent publications that are suitable for purposes of proposed Rule 1000(b)(1)(ii) and that should be the ``current SCI industry standards'' for purposes of proposed Rule 1000(b)(1)(ii)? 
Why or why not? If not, what publications would be appropriate? Do commenters believe that SCI entities currently follow the industry standards contained in the publications listed in Table A?

83. Are there areas within one of the nine identified domains that these publications do not cover? For example, should the Commission identify additional publications that provide industry standards for specific areas such as personnel security or information security risk management? If so, please identify any such publications that would be appropriate for the Commission to apply to SCI entities. Are there other areas that commenters believe are not covered at all by the publications listed in Table A that should be included? If so, what publications would be appropriate for such areas? Are there any areas within one of the nine identified domains that commenters believe should not be included? If so, why not?

84. Should any of the publications listed in Table A be eliminated? If so, which ones and why? Are there any publications that should be added? If so, which ones and why? Are there industry practices that apply to, or are developed by, entities related to the securities markets that should be considered? If so, what are they and why? Are there any types of SCI entities for which the proposed publications would not be appropriate? If so, which types of entities and why? How should any such possible concerns be addressed? The Commission notes that many of the publications in Table A have been issued by either NIST or FFIEC. Do commenters believe that SCI entities generally currently follow the industry standards issued by one of these organizations more frequently than the other? If so, which one and why? Is one organization's publications more appropriate or preferable for SCI entities? If so, please explain. What are the advantages and/or disadvantages of the publications issued by each organization?

85.
The Commission seeks comment on whether commenters believe that the identified publications, and the industry standards within, are adequate in terms of the detail, specificity and scope. Are there areas in which the industry standards listed in the publications in Table A should be modified to provide adequate guidance to SCI entities? If so, please explain in detail. For example, the Commission understands that many businesses, including SCI entities, now utilize cloud computing as part of their operations, and the Commission has identified industry standards with respect to cloud computing among the publications listed in Table A. However, do commenters believe that these industry standards provide an adequate level of specificity to allow an SCI entity to ascertain how to comply with such standards? Further, do the industry standards contained in the publications in Table A cover all of the relevant areas related to a particular subject area (such as cloud computing)? Similarly, the Commission notes that it has identified publications with respect to capacity planning, but that the industry standards in such publications focus primarily on continuity of operations. As such, the Commission seeks comment on whether commenters believe that the identified publications with respect to capacity planning are adequate in terms of the detail, specificity, and scope? Specifically, do these publications provide an adequate level of specificity to allow an SCI entity to ascertain how to comply with such standards, and do the industry standards cover all of the necessary areas related to a particular subject area such as capacity planning? Why or why not? As noted above, compliance with the industry standards contained in the publications on Table A would not be the exclusive means to comply with the requirements of proposed Rule 1000(b)(1). 86. 
Do commenters agree with the Commission's proposed policies and procedures approach to the requirements of proposed Rule 1000(b)(1)? Why or why not? If not, is there another approach that is more appropriate? If so, please describe and explain. Do commenters agree with the Commission's proposed approach to deem an SCI entity's policies and procedures to be reasonably designed if they are consistent with current SCI industry standards, as provided for in proposed Rule 1000(b)(1)(ii)? Why or why not? How do commenters believe the actions of SCI entities might differ if such a provision were not available? What are the costs and benefits of the Commission's approach? What would be the costs and benefits of other approaches? Please explain.

87. Do commenters agree or disagree with the Commission's proposed criteria to evaluate publications suitable for inclusion on Table A as an SCI industry standard and to update such list? Do commenters agree with the proposed criteria that identified publications should be: (i) Comprised of information technology practices that are widely available for free to information technology professionals in the financial sector; and (ii) issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization? Why or why not? Are there other criteria that would be more appropriate? Should the proposed criteria allow for a publication that may be available for an incidental charge rather than being required to be available for free? Why or why not? How frequently should such list of publications be updated and revised and what should the process be to update and/or revise them?

88. Are there SCI entities for which the proposed requirements in Rule 1000(b)(1) would be inappropriate (e.g., not cost effective)?
If so, please identify such type of entity or entities, or the characteristics of such entity or entities, and explain which proposed requirements would be inappropriate and why. Would cost burden be an appropriate reason to omit an SCI entity or proposed requirement generally? Alternatively, would cost burden be an appropriate reason to omit an SCI entity or proposed requirement, on a case-by-case basis, as the Commission determined to be consistent with Exchange Act requirements?

89. When the Commission adopts new rules, or when SCI SROs implement rule changes, SCI SROs and their members often need to make changes to their systems to comply with such new rules. Would the requirements of proposed Rule 1000(b)(1) add additional time to this process and would the requirements increase the amount of time SCI entities would need to adjust their systems for Commission or SCI SRO rule changes? If so, how much additional time would SCI SROs need to adjust their systems? If not, should proposed Regulation SCI or another Commission rule require SCI SROs to provide minimum advance notice to their members of anticipated technology deployments prior to the implementation of any associated new rule or rule change by the SCI SRO? Why or why not? If so, how much advance notice should be required (e.g., a few days, a week, 30 days, 60 days, some other period)? Along with any such advance notice, should SCI SROs be required to offer their members the opportunity to test such change with the SCI SRO prior to deployment of the new technology and implementation of any associated new rule or rule change? Why or why not? Should there be a similar requirement for other types of SCI entities? Why or why not? If so, what types of entities and what sorts of requirements should be included?

90. Do commenters believe the potential additional time SCI SROs allocate to this process would result in fewer SCI events by helping to ensure that SCI SROs properly implement systems changes?
Why or why not? How would the benefits and costs of such potential additional time compare? Please be as specific as possible.

91. The Commission generally solicits comments on its proposed process for updating current SCI industry standards. Do commenters believe that it would be appropriate that Commission staff, from time to time, issue notices to update the list of previously identified publications containing SCI industry standards after receiving appropriate input from interested persons? Is there a more appropriate method? If so, what would it be? If not, why not?

92. Would such a process allow for Commission staff to receive sufficient input from the public, including experts, SCI entities, and other market participants regarding the appropriate standards it should update, and how to do so? Why or why not?

93. Would it be useful, for example, to provide notice to the public that the Commission was focusing on a given domain or standard and seek comment on a domain-by-domain, or standard-by-standard, basis? Would it be useful for the Commission to set up a committee to advise Commission staff on such standards? If so, which groups or types of market participants should be represented on such a committee and why? Is there any other process that the Commission or its staff should use to help it obtain useful input? Would it be appropriate to instead require SROs, for example, to submit an NMS plan under Rule 608 of Regulation NMS that contained standards? Why or why not?

94. If the Commission, its staff, or another entity seeks to develop a set of standards that is more focused on the specific businesses and systems of SCI entities, do commenters agree that the industry standards contained in the publications listed in Table A would be appropriate to be used as a starting point for this effort? Why or why not? If not, what publication(s) should be used as a starting point? Please describe in detail and explain.

95.
Do commenters believe it would be feasible to establish industry standards through means other than identification through Table A? For example, should SCI entities take the lead in developing such standards? Why or why not? If so, how should the process be organized and what parameters should be put in place to facilitate the process? For example, should SCI entities jointly develop industry standards that apply to all SCI entities or should the various types of SCI entities (e.g., national securities exchanges, ATSs, plan processors, clearing agencies) work separately to develop their own standards? Should one or more industry organizations take the lead in developing such standards? If so, which ones, and why? Should any such standards identified by the SCI entities and/or industry organizations be formally approved or disapproved by the Commission as part of any such process?

2. Systems Compliance

Proposed Rule 1000(b)(2)(i) would require each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in the manner intended, including in a manner that complies with the federal securities laws and rules and regulations thereunder and the entity's rules and governing documents, as applicable.\216\ Whereas proposed Rule 1000(b)(1) concerns the robustness of the SCI entity's SCI systems and SCI security systems--i.e., such systems' capacity and resiliency against failures and security threats--proposed Rule 1000(b)(2) concerns the SCI entity's establishment of policies and procedures reasonably designed to ensure the operational compliance of an SCI entity's SCI systems with applicable laws, rules, and the SCI entity's governing documents. Diligent discharge of this proposed obligation to establish, maintain, and enforce written policies and procedures would establish the organizational framework for an SCI entity to meet its other obligations under proposed Regulation SCI.
In particular, with respect to SCI SROs, compliance with proposed Rule 1000(b)(2)(i) should help to ensure that SCI SROs comply with Section 19(b)(1) of the Exchange Act, which requires each SRO to file with the Commission copies of any proposed rule or any proposed change in, addition to, or deletion from the rules of the SRO.\217\ Therefore, compliance with this proposed requirement may help ensure not only that SCI SROs operate in compliance with the Exchange Act, but also help reinforce existing processes for filing SRO rule changes in order to better assist market participants and the public in understanding how the SCI systems of SCI SROs are intended to operate.\218\ --------------------------------------------------------------------------- \216\ See supra Section III.B.3.b, discussing the definition of ``systems compliance issue.'' \217\ See 15 U.S.C. 78s(b)(1). \218\ SCI SROs would similarly be assisted in meeting their obligations to file plan amendments to SCI Plans under Rule 608 of Regulation NMS. --------------------------------------------------------------------------- Because of the complexity of SCI systems and the breadth of the federal securities laws and rules and regulations thereunder and the SCI entities' rules and governing documents, the Commission preliminarily believes that it would be appropriate to provide an explicit safe harbor for SCI entities and their employees in order to provide greater clarity as to how they can ensure that their conduct will comply with this provision. Therefore, the Commission is proposing Rules 1000(b)(2)(ii) and (iii), which would provide a safe harbor from liability under proposed Rule 1000(b)(2)(i) for SCI entities and persons employed by SCI entities, respectively, as further described below. 
Specifically, proposed Rule 1000(b)(2)(ii) would provide that an SCI entity would be deemed not to have violated proposed Rule 1000(b)(2)(i) if: (A) the SCI entity has established and maintained policies and procedures reasonably designed to provide for: (1) Testing of all SCI systems and any changes to such systems prior to implementation; (2) periodic testing of all such systems and any changes to such systems after their implementation; (3) a system of internal controls over changes to such systems; (4) ongoing monitoring of the functionality of such systems to detect whether they are operating in the manner intended; (5) assessments of SCI systems compliance performed by personnel familiar with applicable federal securities laws and rules and regulations thereunder and the SCI entity's rules and governing documents, as applicable; and (6) review by regulatory personnel of SCI systems design, changes, testing, and controls to prevent, detect, and address actions that do not comply with applicable federal securities laws and rules and regulations thereunder and the SCI entity's rules and governing documents, as applicable; (B) the SCI entity has established and maintained a system for applying such policies and procedures which would reasonably be expected to prevent and detect, insofar as practicable, any violations of such policies and procedures by the SCI entity or any person employed by the SCI entity; and (C) the SCI entity: (1) has reasonably discharged the duties and obligations incumbent upon the SCI entity by such policies and procedures, and (2) was without reasonable cause to believe that such policies and procedures were not being complied with in any material respect. 
The Commission preliminarily believes that, if an SCI entity establishes and maintains policies and procedures reasonably designed to provide for the items in proposed Rule 1000(b)(2)(ii)(A)(1)-(6), such policies and procedures would meet the requirement articulated in proposed Rule 1000(b)(2)(i). Specifically, the Commission preliminarily believes that items (1) and (2), which, for purposes of qualifying for the safe harbor, would require SCI entities to have policies and procedures requiring the testing of SCI systems and changes to such systems before they are put into production and periodically thereafter, should help SCI entities to identify potential problems before such problems have the ability to impact markets and investors. Items (3) and (4), which, for purposes of qualifying for the safe harbor, would require a system of internal controls over changes to SCI systems and ongoing monitoring of the functionality of such systems, would provide a framework for SCI entities seeking to bring newer, faster, and more innovative SCI systems online. In conjunction with ongoing monitoring, the Commission preliminarily believes the policies and procedures proposed to be required in items (3) and (4) for purposes of qualifying for the safe harbor would help prevent SCI systems becoming noncompliant as a result of, for example, inattention or failure to review compliance with established written policies and procedures.
Further, the Commission preliminarily believes that item (5) (which, for purposes of qualifying for the safe harbor, would require that an SCI entity establish, maintain, and enforce written policies and procedures for assessments of SCI systems compliance by personnel familiar with applicable federal securities laws, rules and regulations thereunder, and the SCI entity's rules and governing documents), in conjunction with item (6) (which, for purposes of qualifying for the safe harbor, would require policies and procedures directing that regulatory personnel review SCI systems design, changes, testing, and controls), would help foster coordination between the information technology and regulatory staff of an SCI entity so that SCI events and other issues related to an SCI entity's SCI systems would be more likely to be addressed by a team of staff in possession of the requisite range of knowledge and skills to help ensure compliance with the SCI entity's obligations under proposed Regulation SCI. Insofar as an SCI entity follows them to qualify for the safe harbor, proposed items (5) and (6) also are intended to help to ensure that an SCI entity's business interests do not undermine regulatory, surveillance, and compliance functions and, more broadly, the requirements of the federal securities laws, during the development, testing, implementation, and operation processes for SCI systems. Thus, proposed items (1)-(6) together, insofar as SCI entities follow them to qualify for the safe harbor, are meant to promote the development and implementation of policies and procedures consistent with the functioning of SCI systems of SCI entities as planned and as described by the SCI entity's rules and governing documents, as well as in compliance with applicable federal securities laws and rules.\219\ --------------------------------------------------------------------------- \219\ See supra notes 154-156 and accompanying text.
--------------------------------------------------------------------------- In addition to establishing and maintaining the policies and procedures described in proposed Rule 1000(b)(2)(ii)(A)(1)-(6), to qualify for the safe harbor, an SCI entity would also be required to satisfy two additional requirements. First, under proposed Rule 1000(b)(2)(ii)(B), it would be required to have established and maintained a system for applying such policies and procedures which would reasonably be expected to prevent and detect, insofar as practicable, any violations of such policies and procedures by the SCI entity or any person employed by the SCI entity. In addition, under proposed Rule 1000(b)(2)(ii)(C), the SCI entity would be required to: (1) Have reasonably discharged the duties and obligations incumbent upon it by such policies and procedures; and (2) have been without reasonable cause to believe that such policies and procedures were not being complied with in any material respect. To the extent an SCI entity seeks to qualify for the safe harbor, the elements of proposed Rules 1000(b)(2)(ii)(B) and (C) would require not only that its policies and procedures are reasonably designed to achieve SCI systems compliance, as described in items (A)(1)-(6) above, but also that, as part of such policies and procedures, the SCI entity establishes and maintains a system for applying those policies and procedures, and enforces its policies and procedures, in a manner that would reasonably allow it to prevent and detect violations of the policies and procedures. Proposed Rules 1000(b)(2)(ii)(B) and (C) are also designed to ensure that the SCI entity reasonably discharges duties and obligations incumbent upon it by such policies and procedures and is without reasonable cause to believe that such policies and procedures were not being complied with in any material respect. In addition, proposed Rule 1000(b)(2)(iii) would provide a safe harbor from liability for individuals. 
Specifically, proposed Rule 1000(b)(2)(iii) would provide that a person employed by an SCI entity shall be deemed not to have aided, abetted, counseled, commanded, caused, induced, or procured the violation by any other person of proposed Rule 1000(b)(2)(i) if the person employed by the SCI entity has reasonably discharged the duties and obligations incumbent upon such person by such policies and procedures, and was without reasonable cause to believe that such policies and procedures were not being complied with in any material respect. The Commission preliminarily believes that the safe harbor for individuals under proposed Rule 1000(b)(2)(iii) would appropriately provide protection from liability under Rule 1000(b)(2) to employees of SCI entities who reasonably conduct their assigned responsibilities under the SCI entity's policies and procedures and do not have reasonable cause to believe the policies and procedures were not being complied with in any material respect. In this regard, an SCI entity would not be deemed to violate proposed Rule 1000(b)(2)(i) merely because it experienced a systems compliance issue, and could take advantage of the safe harbor for SCI entities if it satisfied the elements enumerated in proposed Rule 1000(b)(2)(ii).\220\ Likewise, an employee of an SCI entity, including an employee involved in the design or implementation of policies and procedures under the rule, would not be deemed to have aided, abetted, counseled, commanded, caused, induced, or procured the violation by any other person of proposed Rule 1000(b)(2)(i) merely because the SCI entity at which he or she worked experienced a systems compliance issue, whether or not the employee was able to take advantage of the safe harbor for individuals under proposed Rule 1000(b)(2)(iii). 
--------------------------------------------------------------------------- \220\ The language of proposed Rules 1000(b)(2)(ii)(B) and (C) is drawn in significant part from language in Section 15(b)(4)(E) of the Exchange Act, 15 U.S.C. 78o(b)(4)(E), which generally provides a safe harbor from liability for failure to supervise, with a view to preventing violations of the securities laws, another person who is subject to his or her supervision and who commits such a violation. ---------------------------------------------------------------------------

Request for Comment

96. The Commission requests comment generally on all aspects of proposed Rule 1000(b)(2). Do commenters believe that it is appropriate to limit the application of the requirements of proposed Rule 1000(b)(2)(i) to SCI systems? Why or why not? Please explain. Do commenters agree with the requirements of the proposed safe harbor for SCI entities? Why or why not? Specifically, with respect to proposed Rule 1000(b)(2)(ii)(A)(1), which would include in the safe harbor a requirement that each SCI entity establish and maintain written policies and procedures that provide for testing of all SCI systems and any changes to such systems prior to implementation, should certain types of SCI systems be excluded from the proposed requirement? If so, please specify which types and explain.

97. Should the Commission specify the interval at which SCI entities would be required to conduct the periodic testing of all SCI systems contemplated by the safe harbor under proposed Rule 1000(b)(2)(ii)(A)(2)? Why or why not? And if so, what would be an appropriate interval? Should certain types of SCI systems be tested on a more or less frequent basis? If so, please specify which types and explain.

98.
With respect to proposed Rule 1000(b)(2)(ii)(A)(3), which would include in the safe harbor a requirement that an SCI entity establish and maintain written policies and procedures that provide for a system of internal controls over changes to SCI systems, should the Commission specify minimum standards for internal controls? If so, please explain why, as well as what such standards should be.

99. With respect to proposed Rule 1000(b)(2)(ii)(A)(4), which would include in the safe harbor a requirement that an SCI entity establish and maintain written policies and procedures that provide for ongoing monitoring of the functionality of SCI systems to detect whether they are operating in the manner intended, should the Commission specify the frequency with which the monitoring of such systems' functionality should occur? If so, please explain. Should the Commission require different monitoring frequencies depending on the type of SCI system? Why or why not? If so, what should they be? Please explain.

100. For purposes of the safe harbor and proposed Rule 1000(b)(2)(ii)(A)(5), do commenters believe the Commission should require that the assessments of SCI systems compliance be performed by persons having specified qualifications? Why or why not? If so, what would be appropriate and/or necessary qualifications for such personnel?

101. Proposed Rule 1000(b)(2)(ii)(A)(6) would include in the safe harbor a requirement that each SCI entity establish and maintain policies and procedures that provide for review by regulatory personnel of SCI systems design, changes, testing, and controls to prevent, detect, and address actions that are not in compliance with applicable federal securities laws and rules and regulations thereunder and the SCI entity's rules and governing documents, as applicable.
Do commenters believe, for purposes of qualifying for the safe harbor, the roles and allocations of responsibility for personnel in proposed Rules 1000(b)(2)(ii)(A)(5) and (6) are appropriate? Why or why not?

102. Do commenters agree that in order for an SCI entity to qualify for the safe harbor from liability under proposed Rule 1000(b)(2)(i), it should, in addition to establishing and maintaining the policies and procedures described in proposed Rule 1000(b)(2)(ii)(A)(1)-(6), be required to establish and maintain a system for applying such policies and procedures which would reasonably be expected to prevent and detect, insofar as practicable, any violations of such policies and procedures by the SCI entity or any person employed by the SCI entity? Why or why not? To qualify for the safe harbor from liability under proposed Rule 1000(b)(2)(i), should an SCI entity be further required to: have reasonably discharged the duties and obligations incumbent upon the SCI entity by such policies and procedures; and be without reasonable cause to believe that such policies and procedures were not being complied with in any material respect? Why or why not? Please explain.

103. Do commenters agree with the requirements for the proposed safe harbor for individuals in proposed Rule 1000(b)(2)(iii), which would provide that a person employed by an SCI entity shall be deemed not to have aided, abetted, counseled, commanded, caused, induced, or procured the violation by any other person of proposed Rule 1000(b)(2)(i) if the person employed by the SCI entity: has reasonably discharged the duties and obligations incumbent upon such person by such policies and procedures; and was without reasonable cause to believe that such policies and procedures were not being complied with in any material respect? Why or why not? Should a similar safe harbor be available to individuals other than persons employed by SCI entities? Why or why not? Please explain.

104.
Do commenters agree with the Commission's proposed policies and procedures approach to the requirements of proposed Rule 1000(b)(2)? Why or why not? If not, is there another approach that is more appropriate? If so, please describe and explain. As discussed above, the Commission is proposing to include safe harbor provisions in proposed Rule 1000(b)(2) for SCI entities and employees of SCI entities. The Commission preliminarily believes that, in the context of proposed Regulation SCI, this approach may be appropriate to provide clarity and guidance to SCI entities and SCI entity employees on one method to comply with the proposed general standard in proposed Rule 1000(b)(2)(i). The Commission solicits commenters' views on the Commission's proposed approach. Specifically, do commenters agree with the Commission's proposed approach to provide safe harbors for SCI entities and employees of SCI entities from liability under proposed Rule 1000(b)(2)(i)? Why or why not? How do commenters believe the actions of SCI entities or behavior of employees of SCI entities might differ if the safe harbors under proposed Rule 1000(b)(2) were not available? What are the costs and benefits of the Commission's approach to provide safe harbors? What would be the costs and benefits of other approaches? Please explain.

105. Do commenters believe there are specific internal controls or other mechanisms that would reinforce the effectiveness of an SCI entity's reasonably designed policies and procedures under proposed Rule 1000(b)(2)? Why or why not? Please explain. How do SCI entities presently use specific internal controls or other mechanisms to ensure that their systems operate in a manner that complies with the federal securities laws and rules and regulations thereunder and their rules and governing documents, as applicable? How do commenters generally view the advantages and disadvantages of specific internal controls or other mechanisms?
The Commission is not proposing to prescribe specific internal controls related to compliance with proposed Rule 1000(b)(2). Should the Commission propose that any particular internal controls or other mechanisms be required (for example, that a senior officer be designated to be responsible for the SCI entity's compliance with proposed Regulation SCI, or that personnel of the SCI entity certify that the SCI entity's policies and procedures are reasonably designed)?

3. SCI Events--Action Required; Notification

Proposed Rule 1000(b)(3)-(5) would govern the actions an SCI entity must take upon any responsible SCI personnel becoming aware of an SCI event, whether it be a systems disruption, systems compliance issue, or systems intrusion.\221\ --------------------------------------------------------------------------- \221\ See supra Section III.B.3 for a discussion of the proposed definition of systems disruption, systems compliance issue, and systems intrusion. ---------------------------------------------------------------------------

a. Corrective Action

Proposed Rule 1000(b)(3) would require an SCI entity, upon any responsible SCI personnel becoming aware of an SCI event, to begin to take appropriate corrective action including, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable. The Commission is proposing this requirement to make clear that, upon learning of an SCI event, an SCI entity would be required to take the steps necessary to remedy the problem or problems causing the SCI event and mitigate the effects of the SCI event, if any, on customers, market participants and the securities markets.
Proposed Rule 1000(a) would define ``responsible SCI personnel'' to mean, for a particular SCI system or SCI security system impacted by an SCI event, any personnel, whether an employee or agent, of an SCI entity having responsibility for such system. The proposed definition is intended to include any personnel used by the SCI entity that has responsibility for the specific system(s) impacted by a given SCI event. Thus, such personnel would include, for example, any technology, business, or operations staff with responsibility for such systems. With respect to systems compliance issues, such personnel would also include regulatory, legal, or compliance personnel with legal or compliance responsibility for such systems. In addition, such ``responsible SCI personnel'' would not be limited to managerial or senior-level employees of the SCI entity. For example, the proposed definition is intended to include a junior systems analyst responsible for monitoring the operations or testing of an SCI system or SCI security system. The proposed definition would also include not only applicable employees of the SCI entity, but applicable agents of the SCI entity as well. Thus, for example, if an SCI entity were to contract the monitoring of the operations of a given SCI system to an external firm, the proposed definition of ``responsible SCI personnel'' would include the personnel of such firm that were responsible for the monitoring. The proposed definition, however, is not intended to include all personnel of an SCI entity. For example, personnel of the SCI entity who have no responsibility for any SCI system or SCI security system of an SCI entity are not intended to be included in the proposed definition.

b. Commission Notification

Proposed Rule 1000(b)(4) would address the obligation of an SCI entity to notify the Commission upon any responsible SCI personnel becoming aware of an SCI event.\222\ Proposed Rule 1000(b)(4)(i) would require an SCI entity, upon any responsible SCI personnel \223\ becoming aware of a systems disruption that the SCI entity reasonably estimates would have a material impact on its operations or on market participants, any systems compliance issue, or any systems intrusion (``immediate notification SCI event''), to notify the Commission of such SCI event, which may be done orally or in writing (e.g., by email). Proposed Rule 1000(b)(4)(ii) would require an SCI entity to submit a written notification pertaining to any SCI event to the Commission within 24 hours of any responsible SCI personnel becoming aware of the SCI event. Proposed Rule 1000(b)(4)(iii) would require an SCI entity to submit to the Commission continuing written updates on a regular basis, or at such frequency as reasonably requested by a representative of the Commission, until such time as the SCI event is resolved.\224\ --------------------------------------------------------------------------- \222\ Proposed Rule 1000(b)(5), addressed in Section III.C.3.c below, would address whether and when an SCI entity would be required to disseminate information regarding an SCI event to its members or participants. \223\ See supra Section III.C.3.a (discussing definition of ``responsible SCI personnel''). \224\ See supra Section III.B.3.d, for a discussion of dissemination SCI events. --------------------------------------------------------------------------- Proposed Rule 1000(b)(4) also would require that any written notification to the Commission made pursuant to proposed Rules 1000(b)(4)(ii) or 1000(b)(4)(iii) be made electronically on new proposed Form SCI (Sec.
249.1900), and include all information as prescribed in Form SCI and the instructions thereto.\225\ To help ensure that the Commission and its staff receive all information known by the SCI entity relevant to aiding the Commission's understanding of an SCI event, proposed Rule 1000(b)(4)(iv) would provide that a written notification under proposed Rule 1000(b)(4)(ii) must include all pertinent information known about an SCI event, including: (1) A detailed description of the SCI event; (2) the SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; (3) the potential impact of the SCI event on the market; and (4) the SCI entity's current assessment of the SCI event, including a discussion of the SCI entity's determination regarding whether the SCI event is a dissemination SCI event or not.\226\ In addition, to the extent available as of the time of the initial notification, Exhibit 1 would require inclusion of the following information: (1) A description of the steps the SCI entity is taking, or plans to take, with respect to the SCI event; (2) the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; (3) a description of the SCI entity's rule(s) and/or governing documents, as applicable, that relate to the SCI event; and (4) an analysis of the parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss.\227\ --------------------------------------------------------------------------- \225\ New proposed Form SCI is discussed in detail in Section III.E below. \226\ See proposed Rule 1000(b)(4)(iv)(A)(1). \227\ See proposed Rule 1000(b)(4)(iv)(A)(2). 
--------------------------------------------------------------------------- Proposed Rule 1000(b)(4)(iv)(B) would require an SCI entity to update any of the pertinent information contained in previous written notifications, including any information required by proposed Rule 1000(b)(4)(iv)(A)(2) that was not available at the time of initial submission. Subsequent notifications would be required to update any of the pertinent information previously provided until the SCI event is resolved. Proposed Rule 1000(b)(4)(iv)(C) would further require an SCI entity to provide a copy of any information disseminated to date regarding the SCI event to its members or participants or on the SCI entity's publicly available Web site. The Commission preliminarily believes an SCI entity's obligation to notify the Commission of significant SCI events should begin upon any responsible SCI personnel becoming aware of an SCI event. Thus, for all immediate notification SCI events, an SCI entity would be required to notify the Commission of the SCI event. Such notification could be made orally (e.g., by telephone) or in a written form (e.g., by email). The Commission preliminarily believes that, by not prescribing the precise method of communication for an initial notification of an immediate notification SCI event under proposed Rule 1000(b)(4)(i), SCI entities would have the needed flexibility to determine the most appropriate method.\228\ Further, if the responsible SCI personnel became aware of such an SCI event outside of normal business hours, the SCI entity would still be required to notify the Commission at that time rather than, for example, the start of the next business day. For all SCI events, including immediate notification SCI events, an SCI entity would be required to submit a written notification pertaining to such SCI event to the Commission on Form SCI, and follow up with regular written updates until the SCI event is resolved. 
Even if an SCI entity had notified the Commission of an immediate notification SCI event in writing as would be permitted under proposed Rule 1000(b)(4)(i), the SCI entity would still be required to submit a separate written notification on Form SCI pursuant to proposed Rule 1000(b)(4)(ii).\229\ --------------------------------------------------------------------------- \228\ The Commission expects that it would establish a telephone hotline, designated email accounts, or similar arrangements, to enable receipt of notifications of immediate notification SCI events. \229\ See proposed Rule 1000(b)(4)(iv), which would require that written notifications under 1000(b)(4)(ii) be submitted on Form SCI, and which would not provide for the ability of SCI entities to submit a written notification of an immediate notification SCI event on Form SCI. --------------------------------------------------------------------------- [[Page 18119]] The Commission preliminarily believes that the proposed notification requirement for immediate notification SCI events, the proposed 24-hour time frame for submission of written notices, and the proposed continuing update requirement, are appropriately tailored to help the Commission and its staff quickly assess the nature and scope of an SCI event, and help the SCI entity identify the appropriate response to the SCI event, including ways to mitigate the impact of the SCI event on investors and promote the maintenance of fair and orderly markets. These requirements would help to ensure not only that the Commission and its staff are kept apprised of such SCI events, including their causes and their effect on the markets, but also that the Commission is aware of the steps and resources necessary to correct such SCI events, mitigate their effects on other SCI entities and the market, and prevent recurrence to the extent possible. 
The Commission also preliminarily believes that the proposal to require an SCI entity to update the Commission regularly regarding an SCI event, or at such frequency as reasonably requested by a representative of the Commission, until the SCI event is resolved, provides appropriate flexibility to the Commission to request additional information as necessary, depending on the facts and circumstances of the SCI event and the SCI entity's progress in resolving it. At the same time, the Commission recognizes that the information required to be provided to it by an SCI entity about an immediate notification SCI event under proposed Rule 1000(b)(4)(i) would represent the SCI entity's initial assessment of the SCI event, and that even the written notification on Form SCI required under proposed Rule 1000(b)(4)(ii) may, in some cases, be a preliminary assessment of the SCI event for which the SCI entity may still be in the process of analyzing and assessing the precise facts and circumstances related to the SCI event. Thus, the Commission is proposing to only require that SCI entities provide certain key information for the written notification required under proposed Rule 1000(b)(4)(ii),\230\ and only provide certain additional details ``to the extent available as of the time of the notification.'' \231\ In addition, the Commission's proposal allows for the SCI entity to subsequently ``update any information previously provided regarding the SCI event, including any information required by paragraph (b)(4)(iv)(A)(2) which was not available at the time of the notification made pursuant to paragraph (b)(4)(ii).'' \232\ --------------------------------------------------------------------------- \230\ See proposed Rule 1000(b)(4)(iv)(A)(1). \231\ See proposed Rule 1000(b)(4)(iv)(A)(2). \232\ See proposed Rule 1000(b)(4)(iv)(B). 
--------------------------------------------------------------------------- Comprehensive reporting of all SCI events would facilitate the Commission's regulatory oversight of the national securities markets. The proposed reporting requirements should provide the Commission with an aggregate and comprehensive set of data on SCI events, a significant improvement over the current state of administration, whereby SCI entities report events through multiple methods and with varying consistency.\233\ The aggregated data that would result from the reporting of SCI events would also permit the Commission to analyze such data, e.g., to examine the most common types of events and the types of systems most often affected. This ability to more efficiently analyze a comprehensive set of data would help the Commission to carry out its oversight responsibilities because it would help the Commission identify more effectively, for example, areas of persistent or recurring problems across the systems of all SCI entities. --------------------------------------------------------------------------- \233\ Currently, there is no Commission rule specifically requiring SCI entities to notify the Commission of systems problems in writing or in a specific format. Nevertheless, voluntary communications of systems problems to Commission staff occur in a variety of ways, including by telephone and email. The Commission notes that proposed Rule 1000(b)(4) would impose a new reporting requirement on SCI entities, regardless of whether they currently voluntarily notify the Commission of SCI events on an ad hoc basis. As such, the Commission preliminarily believes that a history of voluntarily reporting such events to the Commission would not lessen the future burden of reporting such events to the Commission on Form SCI as required under proposed Rule 1000(b)(4). 
--------------------------------------------------------------------------- As discussed in greater detail below, the Commission also preliminarily believes that submission of required notifications by SCI entities by filing Form SCI in an electronic format would be less burdensome and a more efficient filing process for SCI entities and the Commission than the submission of such notices in non-standardized ad hoc formats, as they are currently provided under the ARP Program.\234\ --------------------------------------------------------------------------- \234\ See infra Section III.D.2 discussing proposed Rule 1000(d), requiring electronic filings on new proposed Form SCI, and Section III.E, discussing information proposed to be required to be submitted on new Form SCI. See also infra note 235 and accompanying text. --------------------------------------------------------------------------- c. Dissemination of Information to Members or Participants \235\ --------------------------------------------------------------------------- \235\ The requirements relating to dissemination of information relating to dissemination SCI events to members or participants proposed to be included in Regulation SCI relate solely to Regulation SCI. Nothing in proposed Regulation SCI should be construed as superseding, altering, or affecting the reporting obligations of SCI entities under other federal securities laws or regulations. Accordingly, in the case of an SCI event, SCI entities subject to the public company reporting requirements of Section 13 or Section 15(d) of the Exchange Act would need to ensure compliance with their disclosure obligations pursuant to those provisions (including, for example, with respect to Regulation S-K and Forms 10-K, 10-Q and 8-K) in addition to their disclosure and reporting obligations under Regulation SCI. See, e.g., CF Disclosure Guidance: Topic No. 
2, Cybersecurity (October 13, 2011), available at: https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm. As an additional example, nothing in proposed Regulation SCI should be construed as superseding the obligations such SCI entities may have under Regulation FD. --------------------------------------------------------------------------- Proposed Rule 1000(b)(5) would require information relating to dissemination SCI events to be disseminated to members or participants, and specify the nature and timing of such disseminations, with a limited delay permitted for certain systems intrusions, as discussed further below.\236\ Proposed Rule 1000(b)(5)(i)(A) would require that an SCI entity, promptly after any responsible SCI personnel \237\ becomes aware of a dissemination SCI event other than a systems intrusion, disseminate to its members or participants the following information about such SCI event: (1) The systems affected by the SCI event; and (2) a summary description of the SCI event. In addition, proposed Rule 1000(b)(5)(i)(B) would require an SCI entity to further disseminate to its members or participants, when known: (1) A detailed description of the SCI event; (2) the SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; and (3) a description of the progress of its corrective action for the SCI event and when the SCI event has been or is expected to be resolved. Proposed Rule 1000(b)(5)(i)(C) would further require an SCI entity to provide regular updates to members or participants on any of the information required to be disseminated under proposed Rules 1000(b)(5)(i)(A) and (i)(B). --------------------------------------------------------------------------- \236\ See supra Section III.B.3.d for a discussion of dissemination SCI events. \237\ See supra III.C.3.a (discussing definition of ``responsible SCI personnel''). 
--------------------------------------------------------------------------- For the disseminations of information to members or participants to be meaningful, the Commission preliminarily believes it would be necessary for an SCI entity to describe the SCI event in sufficient detail to enable a member or participant to determine whether and how it was affected by the SCI event and make appropriate decisions based on that determination. For example, the Commission preliminarily believes that a general statement that a systems disruption occurred that impacted trading for a certain period of time would not be sufficient. The [[Page 18120]] dissemination of information should, for example, specify with particularity such information as necessary to provide readers meaningful context with regard to the issue, which may include but is not limited to, details relating to, if applicable: the magnitude of the issue (such as estimates with respect to the number of shares affected, numbers of stocks affected, and total dollar volumes of the affected trades); the specific system(s) or part of the system(s) that caused the issue; the Commission and SCI entity rule(s) that relate most directly to the issue; the specific time periods in which the issue occurred, including whether the issue may be ongoing; and the specific names of the securities affected. 
The Commission preliminarily believes these proposed items, which concern the timing, nature, and foreseeable possible consequences of a systems problem, comprise the appropriate minimum detail that a member or participant would need to assess whether an SCI event affected or would potentially affect that member or participant, and would assist members and participants in making investment or business decisions based on disclosed facts rather than on speculation regarding, for example, the cause of a market disruption.\238\ --------------------------------------------------------------------------- \238\ See supra note 160, referring to Roundtable panelists suggesting that communication and disclosure are important elements of risk mitigation. --------------------------------------------------------------------------- The Commission preliminarily believes that it is appropriate to require that the information specified by proposed Rule 1000(b)(5)(i)(A) be disseminated by the SCI entity to its members or participants promptly after any responsible SCI personnel becomes aware of an applicable dissemination SCI event. The Commission also preliminarily believes that it is appropriate to require the further dissemination of information specified by proposed Rule 1000(b)(5)(i)(B) ``when known'' by the SCI entity. These requirements reflect the Commission's preliminary view that, given the sensitivities of such dissemination of information, it is important that, before information is shared with the SCI entity's members or participants, the SCI entity be given a reasonable amount of time to gather, confirm, and preliminarily analyze facts regarding a dissemination SCI event. 
The Commission preliminarily believes that the value of dissemination of information to an SCI entity's members or participants in these circumstances is enhanced when the SCI entity has taken an appropriate amount of time to ensure that the information it is sharing with its members or participants is accurate, such that incorrect information does not cause or exacerbate market confusion. At the same time, the Commission preliminarily believes that it is important that basic information about dissemination SCI events, such as those items required by proposed Rule 1000(b)(5)(i)(A), be made available to members or participants promptly. The proposed requirement relating to dissemination of information to members or participants of dissemination SCI events, other than systems intrusions as specified in proposed Rule 1000(b)(5)(i), is intended to aid members or participants of SCI entities in determining whether their trading activity has been or might be impacted by the occurrence of an SCI event at an SCI entity, so that they could consider that information in making trading decisions, seeking corrective action or pursuing remedies, or taking other responsive action. Further, the requirement to disseminate information regarding dissemination SCI events could provide an incentive for SCI entities to devote more resources and attention to improving the integrity and compliance of their systems and preventing the occurrence of SCI events. 
Proposed Rule 1000(b)(5)(ii) would provide a limited exception to the proposed requirement of prompt dissemination of information to members or participants for certain systems intrusions.\239\ Proposed Rule 1000(b)(5)(ii) would require an SCI entity, promptly after any responsible SCI personnel becomes aware of a systems intrusion, to disseminate to its members or participants a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion was resolved or an estimate of when the systems intrusion is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity's SCI systems or SCI security systems, or an investigation of the systems intrusion, and documents the reasons for such determination.\240\ The Commission preliminarily believes that information relating to all dissemination SCI events, including systems intrusions, should be disseminated to members or participants, but that there may be circumstances in which such dissemination of information relating to a systems intrusion should be delayed, for example, to avoid compromising the investigation or resolution of a systems intrusion.\241\ If an SCI entity determines to delay the dissemination of information to members or participants relating to a systems intrusion, it would be required to make an affirmative determination and document the reasons for such determination that such dissemination would likely compromise the security of its SCI systems or SCI security systems, or an investigation of the systems intrusion. If it cannot make such a determination, or at whatever point in time such a determination no longer applies, information relating to the systems intrusion would be required to be disseminated to the SCI entity's members or participants. 
--------------------------------------------------------------------------- \239\ As noted in supra note 235, the requirements relating to information disseminations to members or participants proposed to be included in Regulation SCI, including the proposal to permit an SCI entity to delay such dissemination for certain systems intrusions, relate solely to Regulation SCI. Nothing in proposed Regulation SCI should be construed as superseding, altering, or affecting the reporting obligations of SCI entities under other federal securities laws or regulations. \240\ Unlike proposed Rule 1000(b)(5), proposed Rule 1000(b)(4) (relating to Commission notification), discussed above in Section III.C.3.b, would not provide for a delay in reporting any systems intrusions to the Commission. \241\ See supra note 239. --------------------------------------------------------------------------- The information required to be disseminated to members or participants for systems intrusions by proposed Rule 1000(b)(5)(ii) is not as extensive as that required to be disseminated to members or participants for other types of dissemination SCI events. The Commission is sensitive to the fact that dissemination of too much detailed information regarding a systems intrusion may provide hackers or others seeking unauthorized entry into the systems of an SCI entity with insights into the potential vulnerabilities of the SCI entity's systems. At the same time, the occurrence of a systems intrusion may reveal a weakness in the SCI systems or SCI security systems of the SCI entity that warrants dissemination of information about such event to the SCI entity's members or participants. Proposed Rule 1000(b)(5)(ii) is therefore intended to strike an appropriate balance by requiring dissemination to members or participants, which may be delayed when necessary, of key summary information about a given systems intrusion. Request for Comment 106. 
The Commission requests comment on all aspects of proposed Rules 1000(b)(3), (4), and (5). 107. Do commenters believe the proposed definition of ``responsible SCI personnel'' in proposed Rule 1000(a) is appropriate? Why or why not? Please [[Page 18121]] explain. Is the proposed definition sufficiently clear? If not, why not? Should the proposed definition only apply to personnel of a given seniority, such as managerial personnel or officers of an SCI entity? Why or why not? Should the proposed definition include both employees and agents of an SCI entity? Why or why? 108. As proposed to be required by Rule 1000(b)(3), do commenters believe the Commission should require an SCI entity, upon any responsible SCI personnel becoming aware of an SCI event, to begin to take appropriate corrective action including, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable? If not, why not? Should the proposed requirement that an SCI entity take corrective action be triggered by something other than awareness of an SCI event? If so, what would be an appropriate trigger, and why? 109. In addition to requiring an SCI entity to take appropriate corrective action, should the Commission also require an SCI entity to have written policies and procedures regarding how it should respond to SCI events, such as an incident response plan that, for example, would lay out in advance of any SCI event the courses of action, responsibilities of personnel, chains of command, or similar information regarding how the SCI entity and its personnel should respond to various SCI event scenarios? Why or why not? Would such a requirement be useful? What would be the potential costs and benefits of such a requirement? Would SCI entities be able to meet the requirements of proposed Rule 1000(b)(3) without developing such response plans? \242\ Why or why not? 
Do SCI entities have such plans in place today? If so, please describe. --------------------------------------------------------------------------- \242\ See also supra Section III.C.1.a (requesting comment on proposed Rule 1000(b)(1)(i)(E) regarding policies and procedures for development of business continuity plans and on whether the Commission and/or SCI SROs should propose rules governing how such plans are tested). --------------------------------------------------------------------------- 110. With respect to proposed Rule 1000(b)(4), do commenters believe the proposal to require an SCI entity to report all SCI events to the Commission is appropriate? 111. Are there SCI events that should not be required to be reported to the Commission? If so, what are they, and why should reporting of such SCI events not be required? Or, as an alternative, would it be appropriate for the Commission to require SCI entities to keep and preserve the documentation relating to certain types of SCI events without sending that documentation to the Commission? Why or why not? If so, how would commenters recommend the Commission distinguish between SCI events that should be reported to the Commission and those that should only be subject to a recordkeeping requirement? What do commenters believe might be the advantages or disadvantages of such an alternative approach? Do commenters believe proposed Rule 1000(b)(4) may require the reporting of types of issues or types of information that may not be critical to the goals of proposed Regulation SCI? Please be specific and describe such situations. 112. What criteria do ARP participants currently use for reporting ARP events? How many SCI events would an SCI entity expect to report each year? 113. For immediate notification SCI events, is the initial notification requirement in proposed Rule 1000(b)(4)(i) to the Commission appropriate? Why or why not? 
If so, should this requirement apply to such SCI events that occur outside normal business hours as well? If not, what should be the requirement? Should the Commission require a different notification procedure for immediate notifications that might occur outside normal business hours? What are the advantages and disadvantages of different methods of immediate notifications? Please describe. Do commenters agree that those systems disruptions that the SCI entity reasonably estimates would have a material impact on its operations or on market participants should be subject to the immediate notification requirement? Why or why not? Please explain. Do commenters agree that all systems compliance issues should be subject to the immediate notification requirement? Why or why not? Do commenters agree that all systems intrusions should be subject to the immediate notification requirement? Why or why not? Should additional types of SCI events be subject to the immediate notification requirement? If so, which types of SCI events? Please be specific. 114. Do commenters agree with the proposed 24-hour written notification requirement for all SCI events? 115. Do commenters believe it is appropriate to require that written updates be submitted regularly until an SCI event is resolved, or at such frequency as reasonably requested by a representative of the Commission? 116. Do commenters believe the proposed required dissemination of information to an SCI entity's members or participants regarding dissemination SCI events set forth in proposed Rule 1000(b)(5) are appropriate? If not, why not? Do commenters believe that requiring the dissemination of information about dissemination SCI events to members or participants would promote dissemination of information to persons who are most directly affected by such events? Why or why not? 
With respect to proposed Rule 1000(b)(5), should any of the proposed requirements relating to dissemination of information to members or participants be eliminated or modified? \243\ Please explain. What other information, if any, should be required to be disseminated to members or participants? Please explain. Could these proposed requirements have any negative or unintended impact on the market or market participants? If so, please explain. --------------------------------------------------------------------------- \243\ See also infra Section III.E.1, discussing proposed Exhibit 3 to Form SCI, which would require that an SCI entity provide a copy of any information disseminated to date regarding an SCI event to its members or participants or on the SCI entity's publicly available Web site. --------------------------------------------------------------------------- 117. Do commenters agree with the timing requirements contained in proposed Rule 1000(b)(5)? Do commenters agree that the initial dissemination of information to members or participants should be required promptly after an SCI entity's responsible SCI personnel becomes aware of a dissemination SCI event, as would be required by proposed Rule 1000(b)(5)(i)(A)? Do commenters believe that more specific timing requirements would be more appropriate? If so, what should such requirements be? Should there be a specific time period requirement with respect to subsequent updates on the status of the dissemination SCI event? Why or why not? For example, should there be a requirement that an SCI entity provide updates daily or weekly? If so, what additional specificity should be included? 118. Do commenters believe it is appropriate to permit an SCI entity to delay the dissemination of information to members or participants for certain systems intrusions as proposed in Rule 1000(b)(5)(ii)? 
Should an SCI entity be required to immediately disseminate information to members or participants regarding a systems intrusion, with delays permitted only when the Commission specifically authorizes the delay? Why or why not? Should the proposed rule impose a maximum period of time that an SCI entity may delay its dissemination of information to members or participants for certain systems intrusions? Why or why not? If [[Page 18122]] so, what should such a maximum period of time be and should the rule set forth a specific maximum time period applicable to all instances? Please explain. 119. Are there types of dissemination SCI events that should not be required to be disseminated to members or participants? If so, what are they, and why should it not be required? 120. Should dissemination of information to members or participants of any types of dissemination SCI events, other than those that are systems intrusions, be delayed? If so, please describe the types of SCI events and explain why. In addition, please describe the time period within which commenters believe such types of dissemination SCI events should be disseminated and why such time period would be appropriate. 121. For any types of dissemination SCI events for which commenters believe information should either not be required to be disseminated to members or participants or be permitted to have a delay in dissemination in certain circumstances (such as for systems intrusions), what might be the impact of such non-dissemination or delay in dissemination with respect to different types of market participants? 122. Are there SCI entities for which the proposed requirements in Rules 1000(b)(3), (b)(4), and (b)(5) would not be appropriate (e.g., not cost-effective)? If so, please identify such entity or entities, or the characteristics of such entity or entities, and explain which proposed requirements would be inappropriate and why. 
Is the fact that they might not be cost-effective an appropriate reason to omit them generally for those SCI entities, or on a case-by-case basis, as the Commission determines to be consistent with Exchange Act requirements?

123. What are the current practices of SCI entities with respect to the dissemination of information about systems issues to members or participants? What type of information do SCI entities currently disseminate? Please describe.

4. Notification of Material Systems Changes

Proposed Rule 1000(b)(6) addresses notification to the Commission regarding planned material systems changes,\244\ which the Commission believes is important to help ensure it has information about important changes at an SCI entity that may affect the SCI entity's ability to effectively oversee the operations of its systems. Proposed Rule 1000(b)(6) would require an SCI entity, absent exigent circumstances, to notify the Commission in writing at least 30 calendar days before implementation of any planned material systems changes, including a description of the planned material systems changes as well as the expected dates of commencement and completion of implementation of such changes. A written notification to the Commission made pursuant to paragraph (b)(6) would be required to be made electronically on Form SCI and include all information as prescribed in Form SCI and the instructions thereto.\245\

---------------------------------------------------------------------------
\244\ See supra Section III.B.4 (discussing the proposed definition of material systems change).
\245\ See infra Section III.E.2, discussing proposed new Form SCI and electronic submission of the notices required by proposed Rule 1000(b)(6).
---------------------------------------------------------------------------

The Commission preliminarily believes that the proposed 30 calendar day requirement regarding pre-implementation written notification to the Commission of planned material systems changes would be an appropriate time period. The Commission has found through its experience with the current ARP Inspection Program that this amount of advance notice typically is needed to allow Commission staff to effectively monitor technology developments associated with a planned material systems change. A shorter time frame might not provide sufficient time for Commission staff to understand the impact of the systems change; a longer time frame might unnecessarily interfere with SCI entities' flexibility in planning and implementing systems changes. If exigent circumstances existed, or if the information previously provided to the Commission regarding any planned material systems change has become materially inaccurate, the SCI entity would be required to notify the Commission as early as reasonably practicable, either orally or in writing, with any oral notification to be memorialized by a written notification within 24 hours after such oral notification.\246\ The existence of exigent circumstances would be determined by the SCI entity and might exist where, for example, a systems compliance issue or systems intrusion were discovered that requires immediate corrective action to ensure compliance with the Exchange Act and the rules and regulations thereunder, and/or the SCI entity's own rules and procedures. In such cases, it would not be prudent or desirable to delay corrective action simply to permit the 30 calendar days' advance notice required in non-exigent circumstances. In addition, there may be circumstances where the information previously provided to the Commission regarding a material systems change has become materially inaccurate.
For example, if a material systems change's expected implementation completion date were to be substantially delayed because of an inability to procure systems components, or due to difficulties in systems programming, an update to reflect this development would enable the Commission to make further inquiry (as appropriate) in order to understand the potential consequences of the delay. Similarly, an update would be required if the SCI entity were to decide to significantly alter the scope of its planned material systems change.

---------------------------------------------------------------------------
\246\ See proposed Rule 1000(b)(6)(ii).
---------------------------------------------------------------------------

The Commission notes further that, in such cases, an SCI entity might separately be obligated to notify the Commission or its members or participants pursuant to proposed Rules 1000(b)(4) and (5), as discussed above.\247\

---------------------------------------------------------------------------
\247\ See supra Section III.B.3.
---------------------------------------------------------------------------

Request for Comment

124. The Commission requests comment generally on proposed Rule 1000(b)(6). Is the proposed requirement to notify the Commission in advance of implementation of material systems changes appropriate?

125. Should the Commission provide additional guidance on, or define, what constitutes ``exigent circumstances'' that would obviate the need for advance notification? If so, what information, clarification, or definition would be helpful, and why?

126. Do commenters believe that an SCI entity should be required to provide updated information to the Commission regarding a planned material systems change if the information previously provided to the Commission regarding such change were to become materially inaccurate? Why or why not?

127. Do commenters believe that the proposed notification requirements would discourage an SCI entity from making necessary systems changes? Why or why not?

128. Is the proposed requirement that an SCI entity report all material systems changes too broad or too narrow? Why or why not? Should all material systems changes be reported to the Commission? If not, which systems changes should be excluded? Do commenters believe the proposed rule should specify quantitative criteria or other minimum thresholds for the effect of a change to an SCI entity's systems on the entity's capacity, security, and operations, beyond which the SCI entity would be required to notify the Commission of the change?

129. Do commenters believe it is appropriate for the Commission to require a standardized format for disclosing planned material systems changes on new proposed Form SCI? If not, why not? What would be a better approach?

130. Are there SCI entities for which the proposed requirements in Rule 1000(b)(6) would not be appropriate (e.g., not cost-effective)? If so, please identify such entity or entities, or the characteristics of such entity or entities, and explain which proposed requirements would be inappropriate and why. If they are not cost-effective, would that be an appropriate reason to omit them generally for those SCI entities, or on a case-by-case basis, as the Commission determines to be consistent with Exchange Act requirements?

131. How often do SCI entities make material systems changes?

5. Review of Systems

Proposed Rule 1000(b)(7) would require an SCI entity to conduct an SCI review of the SCI entity's compliance with Regulation SCI not less than once each calendar year, and submit a report of the SCI review to senior management of the SCI entity no more than 30 calendar days after completion of such SCI review.
Proposed Rule 1000(a) would define the term ``SCI review'' to mean a review, following established procedures and standards, that is performed by objective personnel having appropriate experience in conducting reviews of SCI systems and SCI security systems, and which review contains: (1) A risk assessment with respect to such systems of the SCI entity; and (2) an assessment of internal control design and effectiveness to include logical and physical security controls, development processes, and information technology governance, consistent with industry standards.\248\ In addition, such review would be required to include penetration test reviews of the SCI entity's network, firewalls, development, testing and production systems at a frequency of not less than once every three years.\249\ The proposed requirement for an annual SCI review would formalize a practice in place under the current ARP Inspection Program in which SROs conduct annual systems reviews following established audit procedures and standards that result in the presentation of a report to senior SRO management on the recommendations and conclusions of the review.\250\

---------------------------------------------------------------------------
\248\ See infra discussion of proposed Rule 1000(b)(8). See also supra publications listed in Table A, Domain: Audit.
\249\ See proposed Rule 1000(a).
\250\ See supra notes 17-21 and accompanying text. Although ARP policy statements used the term ``independent,'' the Commission is using the term ``objective'' in proposed Regulation SCI to distinguish the meaning of ``objective'' from the meaning of ``independent,'' which may be considered a term of art in the context of financial accounting audits.
---------------------------------------------------------------------------

The risk assessment with respect to an SCI entity's systems and the assessment of internal control design and effectiveness should help an SCI entity assess the effectiveness of its information technology practices and determine where to best devote resources, including identifying instances in which the SCI entity was not in compliance with the policies and procedures required by proposed Rules 1000(b)(1) and (2). The penetration test reviews of the SCI entity's network, firewalls, and development, testing and production systems should help an SCI entity evaluate the systems' security and resiliency in the face of attempted and successful systems intrusions. In requiring a frequency of not less than once every three years for penetration test reviews, the Commission seeks to balance the frequency of such tests with the costs associated with performing the tests.\251\

---------------------------------------------------------------------------
\251\ See infra Section IV.D.2.d (estimating, among other things, the cost of conducting SCI reviews, including penetration test reviews).
---------------------------------------------------------------------------

For such assessments and reviews to be effective, the Commission preliminarily believes that it is important that they be conducted by objective personnel having appropriate experience performing such types of reviews.
The Commission is not proposing a definition of the term ``objective,'' but preliminarily believes that to satisfy the criterion that an SCI review be conducted by ``objective personnel,'' it should be performed by persons who have not been involved in the development, testing, or implementation of the systems being reviewed.\252\ The Commission preliminarily believes that persons who were not involved in the process for development, testing, or implementation of such systems would likely be in a better position to identify weaknesses and deficiencies that were not identified in the development, testing, and implementation stages. As proposed, the SCI review could be performed by personnel of the SCI entity (e.g., an SCI entity's internal audit department) or an external firm with objective personnel.

---------------------------------------------------------------------------
\252\ See also supra ARP II note 1 at 22492 n.9.
---------------------------------------------------------------------------

In addition, proposed Rule 1000(b)(7) would require an SCI entity to submit a report of the SCI review to senior management of the SCI entity no more than 30 calendar days after completion of such SCI review.\253\ The proposed 30-day time frame is based on the Commission's experience with the current ARP Inspection Program that an entity is able within 30 calendar days to consider the review and prepare a report for senior management consideration prior to submission to the Commission.

---------------------------------------------------------------------------
\253\ This proposed requirement would formalize a recommendation under the current ARP Inspection Program. See supra note 21 and accompanying text.
---------------------------------------------------------------------------

Request for Comment

132. The Commission requests comment on all aspects of proposed Rule 1000(b)(7). Is the proposed definition of ``SCI review'' appropriate? Why or why not? And, if not, what would be an appropriate definition?

133. Is the proposed scope of the SCI review appropriate? Why or why not? Is it sufficiently clear? Why or why not? Should the SCI review include, as proposed in Rule 1000(a), an assessment of internal control design and effectiveness to include logical and physical security controls, development processes, and information technology governance, consistent with industry standards? Why or why not? Should it include, as proposed in Rule 1000(a), penetration test reviews of the SCI entity's network, firewalls, development, testing and production systems? Is the proposed frequency of such penetration test reviews (i.e., not less than once every three years) appropriate? Why or why not? Should it be more or less frequent? Why or why not?

134. Do commenters agree with the proposed requirement that the review be performed by persons with appropriate experience conducting reviews of SCI systems and SCI security systems? Should the Commission define how it would evaluate whether a person or persons performing the review would satisfy the proposed requirement that they have appropriate systems review experience? Are there any credentials or specific qualifications that the Commission should require or specify as meeting the requirement? For example, should the Commission specify that a review be conducted by a person holding a Certified Information Systems Auditor (CISA) or GIAC Systems and Network Auditor (GSNA) certification?\254\

---------------------------------------------------------------------------
\254\ For further information regarding these certifications, see, e.g., https://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/What-is-CISA/Pages/default.aspx and https://www.giac.org/certifications.
---------------------------------------------------------------------------

135. Should the term ``objective personnel'' be defined or further clarified? If so, what should be such definition?

136.
Are there other elements that should be included in the scope of the SCI review? If so, which ones? For example, should the review include an assessment of the systems' compliance with the federal securities laws and rules and regulations thereunder or the entity's rules or governing documents, as applicable? Why or why not?

137. Under what circumstances do SCI entities presently use outside consultants or other third parties to review their systems and controls? When such outside reviews are conducted, what is the scope and the stated purpose? How do outside reviews compare to internal reviews by audit or other staff in terms of scope or other factors? What are the considerations used by SCI entities in determining whether and when to engage outside consultants? How do commenters generally view the advantages and disadvantages of internal v. external reviews? The Commission is not proposing at this time any requirements related to third party reviews. Should the Commission propose to require that the SCI review be conducted by third parties?

138. What are the current practices of SCI entities with respect to reviews of their SCI systems and SCI security systems? How often are such reviews conducted? Who conducts such reviews? What do such reviews entail? What types of assessments or tests are included in such reviews? Do such reviews include penetration test reviews? Please describe.

139. Do commenters agree with the proposal to require an SCI entity to submit a report of the SCI review to senior management of the SCI entity no more than 30 calendar days after completion of such SCI review? Why or why not? Is the 30-day time frame reasonable? Would a shorter or longer time period be more appropriate, such as 20, 45, or 60 days? If so, what should such a time period be and why? Please explain.

6. Periodic Reports

Proposed Rule 1000(b)(8)(i) would require an SCI entity to submit to the Commission a report of the SCI review required by paragraph (b)(7), together with any response by senior management, within 60 calendar days after its submission to senior management of the SCI entity. The proposed requirement to submit a report of the SCI review required by paragraph (b)(7), together with any response by senior management, within 60 calendar days after its submission to senior management of the SCI entity, is designed to ensure that the senior management of the SCI entity is aware of any issues with its systems and promptly establishes plans for resolving such issues. The Commission preliminarily believes that the report would also help ensure that the Commission and its staff receive the report and any management response in a timely manner,\255\ would help to ensure that the Commission is aware of areas that may warrant more focused attention during its inspections (i.e., areas that an SCI entity would already have identified for itself through its SCI review), and would allow the Commission to review the SCI entity's progress in resolving any systems issues. Further, the proposed requirement to submit the annual report within 60 calendar days after its submission to senior management is based on the Commission's experience with the current ARP Inspection Program that 60 calendar days after completion of an annual review or report is a sufficient period of time to enable senior management to consider such review or report before submitting it to the Commission.
---------------------------------------------------------------------------
\255\ See infra Section III.E.3 and General Instructions to the Form, explaining that, ``within 60 calendar days after its submission to senior management of the SCI entity, the SCI entity shall attach [as Exhibit 5] the report of the SCI review of the SCI entity's compliance with Regulation SCI, together with any response by senior management.''
---------------------------------------------------------------------------

In addition, proposed Rule 1000(b)(8)(ii) would require each SCI entity to submit a report within 30 calendar days after the end of June and December of each year containing a summary description of the progress of any material systems change during the six-month period ending on June 30 or December 31, as the case may be, and the date, or expected date, of completion of implementation of such changes. The proposed requirement to submit these semi-annual reports within 30 calendar days of the end of each semi-annual period is designed to ensure that the Commission would have regularly updated information with respect to the status of ongoing material systems changes that were originally reported pursuant to proposed Rule 1000(b)(6).\256\ This proposed requirement would formalize a practice in place under the current ARP Inspection Program in which senior information technology, audit, and compliance staff of certain SROs prepare such reports in advance of meeting with Commission staff periodically throughout the year to present and discuss recently completed systems projects and proposed systems projects. Further, the proposed requirement to submit the semi-annual report within 30 calendar days after the end of the applicable semi-annual period is based on the Commission's experience with the current ARP Inspection Program that 30 calendar days after completion of a report is a sufficient time period to enable senior management to consider such report before submitting it to the Commission. The Commission is proposing to require these reports to be submitted to the Commission on a semi-annual basis because the proposal would separately require information relating to planned material systems changes to be submitted (absent exigent circumstances or when information regarding any planned material systems change becomes materially inaccurate) at least 30 calendar days before their implementation,\257\ and thus requiring an ongoing summary report more frequently would not, in the Commission's preliminary view, be necessary. On the other hand, the Commission is concerned that a longer period of time (such as on an annual basis) would permit significant updates and milestones relating to systems changes to occur without notice to the Commission.

---------------------------------------------------------------------------
\256\ As discussed above in Section III.C.4, proposed Rule 1000(b)(6)(ii) would require SCI entities to provide the Commission with an update if the information they previously provided to the Commission regarding any planned material systems change had become materially inaccurate.
\257\ See proposed Rule 1000(b)(6); see supra notes 244-247 and accompanying text.
---------------------------------------------------------------------------

Pursuant to proposed Rule 1000(b)(8)(iii), the reports required to be submitted to the Commission by proposed Rule 1000(b)(8) would be required to be submitted electronically as prescribed in Form SCI and the instructions thereto.\258\

---------------------------------------------------------------------------
\258\ See infra Section III.E discussing new proposed Form SCI and its contemplated use by SCI entities to submit reports and other required information to the Commission electronically in a standardized format with attachments when and as required.
---------------------------------------------------------------------------

Request for Comment

140. Do commenters believe it would be appropriate to require SCI entities to submit a report of an SCI review to the Commission within 60 calendar days of its submission to senior management of the SCI entity? Should the Commission lengthen or shorten the time period for submission? Why or why not? If so, what is an appropriate period?

141. Is the proposed requirement to submit semi-annual reports on material systems changes necessary or appropriate? Do commenters believe it would be appropriate to require each SCI entity to submit a semi-annual report within 30 calendar days after the end of each semi-annual period containing a description of the progress of any material systems change during the applicable semi-annual period and the date, or expected date, of completion of implementation? Should the Commission lengthen or shorten the 30-day period for submission? Is the semi-annual submission requirement appropriate or should these reports be required to be submitted more or less frequently? If so, please state what such frequency should be and why.

142. Are there any other reports the Commission should require of SCI entities? If so, please explain.

143. Are there SCI entities for which the proposed requirements in Rule 1000(b)(8) would not be cost-effective? If so, please identify such entity or entities, or the characteristics of such entity or entities. For proposed requirements that commenters believe would not be cost-effective, would that be an appropriate reason to omit them generally for those SCI entities, or on a case-by-case basis, as the Commission determines to be consistent with Exchange Act requirements?

7. Proposed Rule 1000(b)(9): SCI Entity Business Continuity and Disaster Recovery Plans Testing Requirements for Members or Participants

The Commission is proposing Rule 1000(b)(9), which would address testing of SCI entity business continuity and disaster recovery plans, including backup systems, by SCI entity members or participants. Specifically, proposed Rule 1000(b)(9)(i) would require an SCI entity, with respect to its business continuity and disaster recovery plans, including its backup systems, to require participation by designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency as specified by the SCI entity, at least once every 12 months. Proposed Rule 1000(b)(9)(ii) would further require an SCI entity to coordinate such testing on an industry- or sector-wide basis with other SCI entities. Proposed Rule 1000(b)(9)(iii) would require each SCI entity to designate those members or participants it deems necessary, for the maintenance of fair and orderly markets in the event of the activation of its business continuity and disaster recovery plans, to participate in the testing of such plans.
Proposed Rule 1000(b)(9)(iii) would also require each SCI entity to notify the Commission of such designations and its standards for designation on Form SCI and promptly update such notification after any changes to its designations or standards.\259\

---------------------------------------------------------------------------
\259\ The proposed rule does not specify when the Commission would need to be notified about the designations and standards because SCI entities would be required to provide an initial notification at the point at which proposed Regulation SCI became effective, and subsequent updates only promptly after their designations and/or standards changed.
---------------------------------------------------------------------------

The Commission preliminarily believes that the testing participation requirement in proposed Rule 1000(b)(9) would help an SCI entity to ensure that its efforts to develop effective business continuity and disaster recovery plans are not undermined by a lack of participation by its members or participants that the SCI entity believes would be necessary to the success of such plans if they were to be put into effect. The Commission further preliminarily believes that the appropriate standard for measuring whether business continuity and disaster recovery plans can be activated successfully is whether such activation would likely result in the maintenance of fair and orderly markets, a goal Congress found important in adopting Section 11A of the Exchange Act.\260\

---------------------------------------------------------------------------
\260\ See Section 11A(a)(1)(C) and (a)(2), 15 U.S.C. 78k-1(a)(1)(C) and (a)(2).
---------------------------------------------------------------------------

The 2003 Interagency White Paper, which underlies the requirement in proposed Rule 1000(b)(1)(i)(E) pertaining to business continuity and disaster recovery plans,\261\ identifies three important business continuity objectives that would apply to SCI entities: (1) Rapid recovery and timely resumption of critical operations following a wide-scale disruption; (2) rapid recovery and timely resumption of critical operations following the loss or inaccessibility of staff in at least one major operating location; and (3) a high level of confidence, through ongoing use or robust testing, that critical internal and external continuity arrangements are effective and compatible.\262\ The 2003 Interagency White Paper also states that it is a ``sound practice'' for organizations to ``routinely use or test recovery and resumption arrangements.''\263\ Further, the Commission's 2003 Policy Statement on Business Continuity Planning for Trading Markets states, among other things, that market centers, including SROs, are to: (1) Have in place a business continuity plan that anticipates the resumption of trading in the securities traded by that market no later than the next business day following a wide-scale disruption; (2) maintain appropriate geographic diversity between primary and back-up sites in order to assure resumption of trading activities by the next business day; and (3) confirm the effectiveness of the backup arrangements through testing.\264\ SCI entities that currently participate in the ARP Inspection Program are familiar with the standards identified in the 2003 Interagency White Paper and the Commission's 2003 Policy Statement on Business Continuity Planning for Trading Markets.

---------------------------------------------------------------------------
\261\ The 2003 Interagency White Paper is included in Table A as a proposed SCI industry standard. See supra Section III.C.1.b.
\262\ See supra note 195.
\263\ See id.
\264\ See supra notes 32 and 196.
---------------------------------------------------------------------------

As noted above,\265\ the experience of the equities and options markets in the wake of Superstorm Sandy demonstrates the importance of not only an SCI entity itself being able to operate following an event that triggers its business continuity and disaster recovery plans, but also that the members or participants of the SCI entity be able to conduct business with such SCI entity when its business continuity and disaster recovery plans have been activated. The Commission preliminarily believes that, even if an SCI entity is able to operate following an event that triggers its business continuity and disaster recovery plans, unless there is effective participation by certain of its members or participants in the testing of such plans, the objective of ensuring resilient and available markets in general,\266\ and the maintenance of fair and orderly markets in particular, would not be achieved. Accordingly, the Commission preliminarily believes that it is appropriate to require SCI entities to designate members or participants they believe are necessary to the successful activation of their business continuity and disaster recovery plans, including backup systems, and require them to participate in the testing of such plans.

---------------------------------------------------------------------------
\265\ See supra notes 78-83 and accompanying text.
\266\ See proposed Rule 1000(b)(1) (requiring SCI entities to have policies and procedures relating to, among other things, resiliency and availability) and supra Section III.C.1.
---------------------------------------------------------------------------

Under the proposed rule, each SCI entity would need to schedule, and require its designated members or participants to participate in, scheduled ``functional and performance testing''\267\ of the entity's business continuity and disaster recovery plans. Such functional and performance testing should include not only testing of connectivity, but also testing of an SCI entity's systems, such as order entry, execution, clearance and settlement, order routing, and the transmission and/or receipt of market data, as applicable, to determine if they can operate as contemplated by its business continuity and disaster recovery plans.

---------------------------------------------------------------------------
\267\ As commonly understood, functional testing examines whether a system operates in accordance with its specifications, whereas performance testing examines whether a system is able to perform under a particular workload.
---------------------------------------------------------------------------

Proposed Rule 1000(b)(9)(i) would require that testing of an SCI entity's business continuity and disaster recovery plans occur at least once every 12 months. This proposed requirement reflects the Commission's preliminary view that the testing of business continuity and disaster recovery plans, including backup systems, must occur regularly if such plans are to be effective when an actual disaster or disruption occurs.
The Commission preliminarily believes that its proposed required testing frequency of at least once every 12 months is the minimum frequency that would be consistent with seeking to ensure that testing is meaningful and effective.\268\ However, the proposed rule would not prevent an SCI entity from conducting testing and requiring participation by members or participants in such testing more frequently than once every 12 months, if the SCI entity believes it is necessary or if, for example, it materially modifies its business continuity and disaster recovery plans. --------------------------------------------------------------------------- \268\ Consistent with the frequency of testing under proposed Rule 1000(b)(9), the Securities Industry and Financial Markets Association coordinates an industry-wide business continuity test each year in October. See https://www.sifma.org/services/bcp/industry-testing. See also supra notes 81-82 and accompanying text. --------------------------------------------------------------------------- Proposed Rule 1000(b)(9)(i) would also provide an SCI entity with discretion to determine the precise manner and content of the testing. Thus, for example, the SCI entity would have discretion to determine, for example, the duration of the testing, the sample size of transactions tested, the scenarios tested, and the scope of the test. The Commission preliminarily believes that SCI entities are in the best position to structure the details of the test in a way that would maximize its utility. 
Although proposed Rule 1000(b)(9)(i) would give SCI entities discretion to determine the precise manner and content of the testing, the Commission is also proposing Rule 1000(b)(9)(ii), which would require an SCI entity to coordinate its testing on an industry- or sector-wide basis with other SCI entities.\269\ The proposed coordination requirement is designed to enhance the value of testing by requiring SCI entities to work together to schedule and conduct the testing in as efficient and effective a manner as possible. Given that trading in the U.S. securities markets today is dispersed among a wide variety of exchanges, ATSs, and other trading venues, and is often conducted through sophisticated algorithmic trading strategies that access many trading platforms simultaneously, the Commission preliminarily believes that requiring SCI entities to coordinate testing is necessary to ensure the goal of achieving robust and effective business continuity and disaster recovery plans, because it would result in testing under more realistic market conditions. In addition, the Commission is cognizant that situations that trigger implementation of an SCI entity's business continuity and disaster recovery plans are often not limited in scope to a single SCI entity, but may affect multiple, or even all, SCI entities at the same time. Thus, proposed Rule 1000(b)(9)(ii)'s requirement is designed to foster better coordination and cooperation across the securities industry such that the markets, investors, and all market participants may benefit from more efficient and meaningful testing. Further, the Commission preliminarily believes that it would be more cost-effective for market participants to participate in the testing of the business continuity and disaster recovery plans of SCI entities on an industry- or sector-wide basis because such coordination would likely reduce duplicative testing efforts.
--------------------------------------------------------------------------- \269\ Thus, to satisfy the requirement of proposed Rule 1000(b)(9)(ii), an SCI entity could coordinate its testing with all SCI entities, or an appropriate subset of them, such as by asset class(es) (NMS stocks, non-NMS stocks, municipal debt, corporate bonds, options) or type of SCI entity (national securities exchanges, clearing agencies, plan processors). --------------------------------------------------------------------------- While proposed Rule 1000(b)(9)(ii) would require SCI entities to coordinate testing on an industry- or sector-wide basis, it would provide discretion to SCI entities to determine how to best meet this requirement because the Commission preliminarily believes that SCI entities currently are best suited to find the most efficient and effective way to test. Of course, as noted above, each SCI entity may require its members or participants to participate in additional testing beyond the industry- or sector-wide testing under proposed Rule 1000(b)(9)(ii). Proposed Rule 1000(b)(9)(iii) would require each SCI entity to designate those members or participants it deems necessary, for the maintenance of fair and orderly markets in the event of the activation of its business continuity and disaster recovery plans, to participate in the testing of such plans. In addition, proposed Rule 1000(b)(9)(iii) would require each SCI entity to provide to the Commission on Form SCI its standards for determining which members or participants are necessary for the maintenance of fair and orderly markets in the event of the activation of its business continuity and disaster recovery plans and promptly update such notification following any changes to such standards. 
The Commission believes that the viability of an SCI entity's business continuity and disaster recovery plans, and the usefulness of its backup systems, depend upon the ability of such members or participants to be ready, able, and willing to use such systems during an actual disaster or disruption. The proposed requirement that designated members or participants be required to test such plans in advance reflects the Commission's preliminary view that the proposed testing would enhance the value of SCI entities' business continuity and disaster recovery plans, and thereby advance the goal of achieving resilient and available markets.\270\ --------------------------------------------------------------------------- \270\ See supra note 266. --------------------------------------------------------------------------- For SCI SROs, proposed Rule 1000(b)(9)(iii) would require SRO rules pursuant to Section 19(b) of the Exchange Act, setting forth the standards for designation. For an SCI ATS or an exempt clearing agency subject to ARP, the requirement in proposed Rule 1000(b)(9)(iii) would be satisfied by setting forth such standards in its internal procedures, as well as any subscriber or similar agreement, as applicable. For an SCI entity that is a plan processor, proposed Rule 1000(b)(9)(iii) would require an amendment to the applicable SCI Plan pursuant to Rule 608 of Regulation NMS, setting forth such standards. 
Further, proposed Rule 1000(b)(9)(iii) would require each SCI entity to provide to the Commission on Form SCI the list of designated members or participants and promptly update such notification following any changes to the designations.\271\ --------------------------------------------------------------------------- \271\ As discussed in infra Section III.E, Form SCI would also require SCI entities to attach the relevant provision of their rules (for SCI SROs), SCI Plans (for plan processors) or subscriber or similar agreements (for SCI ATSs and exempt clearing agencies subject to ARP) that require designated members or participants to participate in the testing required by proposed Rule 1000(b)(9). ---------------------------------------------------------------------------
Request for Comment
144. The Commission requests comment generally on proposed Rule 1000(b)(9). 145. Do commenters believe the proposal to require an SCI entity, with respect to its business continuity and disaster recovery plans, including its backup systems, to require participation by designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency as specified by the SCI entity, is appropriate? Why or why not? Is the proposed requirement that SCI entities require participation in ``functional and performance testing'' appropriate? Why or why not? Is the term ``functional and performance testing'' clear? If not, why not and what would be a better description of the nature of the proposed required testing? 146. Do commenters believe it is appropriate to require that such testing occur at least once every 12 months? Why or why not? Would another minimum interval for such testing, such as bi-annually, semi-annually, or quarterly, be more appropriate? Please explain.
Would it be appropriate to also require such testing to occur following a material change to the SCI entity's business continuity and disaster recovery plans? Why or why not? If yes, would it be appropriate to require such testing within 90 days of the material change? Why or why not? Would another time period be more appropriate? If so, what should such time period be? 147. Should the Commission give SCI entities discretion in designating the members or participants that must participate in the testing of the business continuity and disaster recovery plans? Why or why not? Should the Commission instead specify standards for such designation? If so, what should the standards be based on? For example, should the standards be based on the size, volume traded or cleared, and/or geographic proximity of a member or participant to the SCI entity's backup systems? Why or why not? Should only members or participants that execute or clear transactions above a certain volume threshold and/or that account for a certain percentage of trading volume on the SCI entity be required to participate? Why or why not? If so, what should be such threshold or thresholds (e.g., 0.5 percent, 1 percent, 5 percent)? Should an SCI entity be required to mandate participation in testing by some other subset of members or participants? For example, should such subset comprise members or participants that account for a certain percentage of trading in each or all of the equities, options, or fixed-income markets traded through the SCI entity? Why or why not? If so, what should be such threshold (e.g., 0.5 percent, 1 percent, 5 percent)? Or, should testing be mandated only for certain types of market participants (e.g., market makers, clearing broker-dealers, retail broker-dealers)? If so, for which types of market participants should testing be mandatory and why? Please explain. 
Alternatively, should all members or participants of an SCI entity (or certain types of SCI entities, e.g., plan processors) be required to participate in the testing of its business continuity and disaster recovery plans? Why or why not? 148. Do commenters believe those members or participants that would likely be designated by SCI entities under proposed Rule 1000(b)(9)(iii) currently have the ability, including the infrastructure, to participate in the required testing? Do commenters believe all members or participants of SCI entities currently have the ability, including the infrastructure, to participate in such testing? What would be the costs and benefits to a member or participant of an SCI entity to participate in such testing, including for such member or participant to establish and maintain connectivity to an SCI entity's backup systems? What would be the economic effect of this proposed rule, particularly with regard to a member or participant? Please describe in detail and provide data to support your views if possible. 149. Should an SCI entity be required to notify the Commission on Form SCI of its standards for designating members or participants for testing and its list of designated members or participants? Why or why not? Should an SCI entity be required to promptly update such Commission notification if its standards for designation or list of designated members or participants change? Why or why not? Is there a more appropriate time period for updating Commission notifications (e.g., 7 days following a change, 30 days following a change, quarterly)? Please explain. 150. Proposed Rule 1000(b)(9)(i) would require each SCI entity to mandate participation by designated members or participants in ``functional and performance testing'' of its business continuity and disaster recovery plans, including its backup systems, but would leave to the discretion of the SCI entity the details regarding the manner of testing. 
Should the Commission be more prescriptive with respect to such testing? For example, should the Commission require that SCI entities periodically operate from their backup facilities during regular trading hours? Why or why not? Please explain. Are there other details that the Commission should prescribe in relation to the proposed rule? If so, please explain. 151. Proposed Rule 1000(b)(9)(ii) would require SCI entities to coordinate testing on an industry- or sector-wide basis, but would not specify how or the parameters. Do commenters believe it is appropriate to leave such discretion to SCI entities? Why or why not? Are the terms ``industry-wide'' and ``sector-wide'' clear? Should the Commission define these terms? If so, what would be appropriate definitions? Would such an approach foster the creation of meaningful, efficient testing of business continuity and disaster recovery plans across SCI entities and their members or participants? Why or why not? If not, what would be a more appropriate approach? Should the Commission require a minimum number of SCI entities needed to satisfy the coordination requirement of proposed Rule 1000(b)(9)(ii)? Or should that requirement only be satisfied if all SCI entities (or all SCI entities within a sector of the industry) participate? Why or why not? Should the Commission mandate a minimum list of actions that SCI entities must take to satisfy the requirement of proposed Rule 1000(b)(9)(ii)? If so, what actions should be required and why? If not, why not? 152. Should the Commission require SCI entities to submit reports on the results of their testing of business continuity and disaster recovery plans or reports of any systems testing that was not successful? If not, why not? If so, should such reports be required to be submitted within a specified time frame or in a specified manner or format? Please explain. 
In addition, should the Commission require SCI entities to submit reports on systems testing opportunities required of or made available to members or subscribers and the extent to which such members or subscribers participate in such opportunities? 153. Would proposed Rule 1000(b)(9) enhance investor confidence in the integrity of the U.S. securities markets? Why or why not? Please explain. What would be the costs associated with proposed Rule 1000(b)(9)? What would be the benefits? Please be specific. What would be the potential competitive impacts of proposed Rule 1000(b)(9), including impacts on small members or small participants? To the extent possible, please provide data to support your views. 154. To help ensure that the goals of an SCI entity's business continuity and disaster recovery plans are achieved, should the Commission impose other requirements (in addition to the mandatory testing participation requirement in proposed Rule 1000(b)(9)) on the members or participants of SCI entities? \272\ For example, proposed Rule 1000(b)(1)(i)(E) would require that an SCI entity's business continuity and disaster recovery plans allow for ``maintaining backup and recovery capabilities sufficiently resilient and geographically diverse to ensure next business day resumption of trading.'' Should the Commission require SCI entities to mandate that some or all of their members or participants be able to meet the next business day resumption of trading standards for SCI entities in proposed Rule 1000(b)(1)(i)(E)? Why or why not? If not all, which members or participants should be required to meet such resumption of trading standards? For example, should an SCI entity require members or participants that execute transactions above a certain volume threshold and/or that account for a certain percentage of trading on the SCI entity to meet such resumption of trading standards? Why or why not? If so, what should be such threshold or thresholds?
--------------------------------------------------------------------------- \272\ See also infra Section III.G (soliciting comment on whether broker-dealers, other than SCI ATSs, should be subject to some or all of the additional system safeguard rules that are proposed for SCI entities). --------------------------------------------------------------------------- 155. Are there other requirements that SCI entities should mandate for their members or participants to help SCI entities meet their obligations under proposed Regulation SCI? If so, what are they? Please describe. For example, should the Commission also require each SCI entity to mandate that its members or participants maintain continuous connectivity with the SCI entity's backup data centers? Why or why not? If not all, which members or participants should be required to maintain continuous connectivity with the SCI entity's backup data centers? For example, should an SCI entity require members or participants designated under proposed Rule 1000(b)(9)(iii), or that execute transactions above a certain volume threshold and/or that account for a certain percentage of trading on the SCI entity, to maintain such connectivity? Why or why not? If so, what should be such threshold or thresholds?
D. Proposed Rule 1000(c)-(f): Recordkeeping, Electronic Filing on Form SCI, and Access
1. Recordkeeping Requirements
The Commission notes that many SCI entities are already subject to recordkeeping requirements,\273\ but that records relating to systems review and testing may not be specifically addressed in certain current recordkeeping rules. Accordingly, the Commission is proposing Rule 1000(c) to specifically address recordkeeping requirements for SCI entities with respect to records relating to Regulation SCI compliance.
--------------------------------------------------------------------------- \273\ See, e.g., 17 CFR 240.17a-1, applicable to SCI SROs; 17 CFR 240.17a-3, 17a-4, applicable to broker-dealers; and 17 CFR 242.301-303, applicable to ATSs. It has been the experience of the Commission that SCI entities presently subject to the ARP Inspection Program (nearly all of whom are SCI SROs that are also subject to the recordkeeping requirements of Rule 17a-1(a)) do generally keep and preserve the types of records that would be subject to the requirements of proposed Rule 1000(c). Nevertheless, the Commission preliminarily believes that Regulation SCI's codification of these preservation practices will support an accurate, timely, and efficient inspection and examination process and help ensure that all types of SCI entities keep and preserve such records. --------------------------------------------------------------------------- Proposed Rule 1000(c)(1) would require each SCI SRO to make, keep, and preserve all documents relating to its compliance with Regulation SCI, as prescribed by Rule 17a-1 under the Exchange Act.\274\ Rule 17a-1(a) under the Exchange Act requires every national securities exchange, national securities association, registered clearing agency, and the MSRB to keep and preserve at least one copy of all documents, including all correspondence, memoranda, papers, books, notices, accounts, and other such records as shall be made and received by it in the course of its business as such and in the conduct of its self-regulatory activity.\275\ In addition, Rule 17a-1(b) requires these entities to keep all such documents for a period of not less than five years, the first two years in an easily accessible place, subject to the destruction and disposition provisions of Rule 17a-6.\276\ Rule 17a-1(c) requires these entities, upon request of any representative of the Commission, to promptly furnish to the possession of Commission representatives copies of any
documents required to be kept and preserved by it pursuant to Rule 17a-1(a) and (b).\277\ The Commission believes that the breadth of Rule 17a-1 under the Exchange Act is such that it would require SCI SROs to make, keep, and preserve records relating to their compliance with proposed Regulation SCI should the Commission adopt Regulation SCI. Thus, the Commission proposes to cross-reference Rule 17a-1 in proposed Regulation SCI to be clear that it intends all SCI entities to be subject to the same recordkeeping requirements regarding compliance with proposed Regulation SCI. --------------------------------------------------------------------------- \274\ 17 CFR 240.17a-1. \275\ See 17 CFR 240.17a-1(a). Such records would, for example, include copies of incident reports and the results of systems testing. \276\ See 17 CFR 240.17a-1(b). Rule 17a-6(a) under the Exchange Act states: ``Any document kept by or on file with a national securities exchange, national securities association, registered clearing agency or the Municipal Securities Rulemaking Board pursuant to the Act or any rule or regulation thereunder may be destroyed or otherwise disposed of by such exchange, association, clearing agency or the Municipal Securities Rulemaking Board at the end of five years or at such earlier date as is specified in a plan for the destruction or disposition of any such documents if such plan has been filed with the Commission by such exchange, association, clearing agency or the Municipal Securities Rulemaking Board and has been declared effective by the Commission.'' 17 CFR 240.17a-6(a). \277\ See 17 CFR 240.17a-1(c). 
--------------------------------------------------------------------------- For SCI entities that are not SCI SROs (i.e., SCI ATSs, plan processors, and exempt clearing agencies subject to ARP), the Commission is proposing broad recordkeeping requirements relating to compliance with proposed Regulation SCI that are consistent with those applicable to SROs under Rule 17a-1 under the Exchange Act. Thus, the Commission is proposing Rule 1000(c)(2), which would require SCI entities other than SCI SROs to: (i) Make, keep, and preserve at least one copy of all documents, including correspondence, memoranda, papers, books, notices, accounts, and other such records, relating to its compliance with Regulation SCI, including, but not limited to, records relating to any changes to its SCI systems and SCI security systems; (ii) keep all such documents for a period of not less than five years, the first two years in a place that is readily accessible to the Commission or its representatives for inspection and examination; \278\ and (iii) upon request of any representative of the Commission, promptly furnish to the possession of such representative copies of any documents required to be kept and preserved by it pursuant to (i) and (ii) above. --------------------------------------------------------------------------- \278\ The proposed five-year and two-year time frames would be the same as those applicable to SCI SROs pursuant to Rule 17a-1 under the Exchange Act, and the Commission preliminarily believes it would be appropriate for all SCI entities to be subject to the same time frame requirements. 
--------------------------------------------------------------------------- Proposed Rule 1000(c)(3), applicable to all SCI entities, would require each SCI entity, upon or immediately prior to ceasing to do business or ceasing to be registered under the Exchange Act, to take all necessary action to ensure that records required to be made, kept, and preserved by proposed Rule 1000(c) would be accessible to the Commission or its representatives for the remainder of the period required by proposed Rule 1000(c). For example, an SCI entity could fulfill its obligations under proposed Rule 1000(c)(3) by delivering such records, immediately prior to deregistration, to a repository or other similar entity and by making all necessary arrangements for such records to be readily accessible to the Commission or its representative, for inspection and examination for the duration of the requirement under proposed Rule 1000(c)(3). The Commission preliminarily believes that its ability to examine for and enforce compliance with proposed Regulation SCI could be hampered if an SCI entity were not required to adequately provide accessibility for the full proposed retention period. In addition, while many SCI events may occur, be discovered, and be resolved in a short time frame, there may be other SCI events that may not be discovered until months or years after their occurrences, or may take significant periods of time to fully resolve. In such cases, having an SCI entity's records available even after it has ceased to do business or be registered under the Exchange Act would be beneficial.
Because SCI events have the potential to negatively impact investor decisions, risk exposure, and market efficiency, the Commission also preliminarily believes that its ability to oversee the securities markets could be undermined if it is unable to review records to determine the causes and consequences of one or more SCI events experienced by an SCI entity that deregisters or ceases to do business. This information would provide an additional tool to help the Commission reconstruct important market events and better understand how such events impacted investor decisions, risk exposure, and market efficiency. Proposed Rule 1000(e) would provide that, if the records required to be made or kept by an SCI entity under proposed Regulation SCI were prepared or maintained by a service bureau or other recordkeeping service on behalf of the SCI entity, the SCI entity would be required to ensure that the records are available for review by the Commission and its representatives by submitting a written undertaking, in a form acceptable to the Commission, by such service bureau or other recordkeeping service, signed by a duly authorized person at such service bureau or other recordkeeping service. The written undertaking would be required to include an agreement by the service bureau designed to permit the Commission and its representatives to examine such records at any time or from time to time during business hours, and to promptly furnish to the Commission and its representatives true, correct, and current electronic files in a form acceptable to the Commission or its representatives or hard copies of any, all, or any part of such records, upon request, periodically, or continuously and, in any case, within the same time periods as would apply to the SCI entity for such records. 
The preparation or maintenance of records by a service bureau or other recordkeeping service would not relieve an SCI entity from its obligation to prepare, maintain, and provide the Commission and its representatives with access to such records. Proposed Rule 1000(e) is substantively the same as the requirement applicable to broker-dealers under Rule 17a-4(i) of the Exchange Act.\279\ --------------------------------------------------------------------------- \279\ 17 CFR 240.17a-4(i). --------------------------------------------------------------------------- The Commission is proposing this requirement for SCI entities to prevent the inability of the Commission to obtain required SCI entity records because they are held by a third party that may not otherwise have an obligation to make such records available to the Commission. In addition, the requirement that SCI entities obtain from such third parties a written undertaking would help ensure that such service bureau or other recordkeeping service is aware of this obligation with respect to records relating to proposed Regulation SCI. The Commission preliminarily believes that it is appropriate to include this requirement in proposed Regulation SCI to help ensure that the Commission would have prompt and efficient access to all required records, including those housed at a service bureau or any other recordkeeping service.\280\ --------------------------------------------------------------------------- \280\ See 17 CFR 240.17a-4(i) (records preserved or maintained by a service bureau). ---------------------------------------------------------------------------
Request for Comment
156. The Commission requests comment on all aspects of proposed Rule 1000(c). Specifically, do SCI entities currently make, keep, and preserve the types of records that would be required to be made, kept, and preserved by proposed Rule 1000(c)?
Are there any records that could be important to make, keep, and preserve that would not be captured under proposed Rule 1000(c) or the existing recordkeeping requirements for SROs under Rule 17a-1? If so, please explain and identify the records. Should any of the records subject to proposed Rule 1000(c) not be required? If so, please explain and identify the records. Should the Commission require SCI entities to furnish records to Commission representatives electronically in a tagged data format (e.g., XML, XBRL, or similar structured data formats which may be tagged)? The Commission notes that a tagged data format would have the benefit of permitting records to be organized and searched more easily, and thereby enable more efficient analyses, but that there would also be costs associated with implementing a tagged data format requirement. Do commenters believe the benefits of using a tagged data format would justify the costs? Why or why not? Please explain. If so, should any particular electronic format be mandated? If so, please describe. 157. Should the Commission lengthen or shorten the proposed periods for SCI entities to keep and preserve records? If so, by how much and why? Is it appropriate for an SCI entity, prior to ceasing to do business or ceasing to be regulated under the Exchange Act, to be required to ensure that its records are accessible in some way to the Commission and its representatives? Why or why not? What practical steps do commenters envision an SCI entity taking to comply with this proposed requirement? 158. The Commission requests comment on all aspects of proposed Rule 1000(e). Specifically, would the written undertaking required by proposed Rule 1000(e) be sufficient to help ensure that the Commission and its representatives would be able to obtain and examine true, correct, and current records of SCI entities? Why or why not? 
Are the provisions of proposed Rule 1000(e) an appropriate means of addressing any potential problems with access to books and records at service bureaus? Why or why not? Are there alternatives that the Commission should consider with respect to recordkeeping requirements for SCI entities? If so, please explain your reasoning.
2. Electronic Submission of Reports, Notifications, and Other Communications on Form SCI
Proposed Rule 1000(d) provides that, except with respect to notifications to the Commission under proposed Rule 1000(b)(4)(i) (Commission notification of certain SCI events), and oral notifications to the Commission under proposed Rule 1000(b)(6)(ii) (Commission notification of certain material systems changes), any notification, review, description, analysis, or report required to be submitted to the Commission under proposed Regulation SCI must be submitted electronically and contain an electronic signature. This proposed requirement is intended to provide a uniform manner in which the Commission would receive--and SCI entities would provide--written notifications, reviews, descriptions, analyses, or reports made pursuant to proposed Regulation SCI. The Commission preliminarily believes that such standardization would guide SCI entities in completing such submissions and make it easier and more efficient for them to draft and submit such required reports. Additionally, the standardization would make it easier and more efficient for the Commission to promptly review, analyze, and respond, as necessary, to the information proposed to be provided.\281\ The electronic signature requirement is consistent with the intention of the Commission to receive documents that can be readily accessed and processed electronically.
--------------------------------------------------------------------------- \281\ This proposed requirement is consistent with electronic-reporting standards set forth in other Commission rules under the Exchange Act, such as Rule 17a-25 (Electronic Submission of Securities Transaction Information by Exchange Members, Brokers, and Dealers). See 17 CFR 240.17a-25. --------------------------------------------------------------------------- Proposed Rule 1000(d) also would require that submissions by SCI entities be filed electronically on new proposed Form SCI, in accordance with the instructions contained in Form SCI.\282\ The Commission's proposal contemplates the use of an online filing system, similar to the electronic form filing system (``EFFS'') currently used by SCI SROs to submit Form 19b-4 filings, through which an SCI entity would be able to file a completed Form SCI.\283\ Based on the widespread use and availability of the Internet, the Commission preliminarily believes that filing Form SCI in an electronic format would be less burdensome and a more efficient filing process for SCI entities and the Commission, as it is likely to be less expensive and cumbersome than mailing and filing paper forms to the Commission. --------------------------------------------------------------------------- \282\ See proposed Rule 1000(d) and infra Section III.E. \283\ See Securities Exchange Act Release No. 50486 (October 4, 2004), 69 FR 60287 (October 8, 2004) (adopting the EFFS for use in filing Form 19b-4). ---------------------------------------------------------------------------
Request for Comment
159. The Commission requests comment on all aspects of proposed Rule 1000(d). Do commenters believe that the electronic submission requirement of proposed Rule 1000(d) is appropriate?
Alternatively, would the submission of a required notification, review, description, analysis, or report via electronic mail to one or more Commission email addresses be a more appropriate way for the Commission to implement the proposed requirement? Are there other alternative methods that would be preferable? If so, please describe. Should there be any additional security requirements for such communications (e.g., password protection or encryption)? If so, please describe. Should the submissions be made in a tagged data format, e.g., XML, XBRL, or similar structured data formats which may be tagged? The Commission notes that a tagged data format would have the benefit of permitting records to be organized and searched more easily, and thereby enable more efficient analyses, but that there would also be costs associated with implementing a tagged data format requirement. Do commenters believe the benefits of using a tagged data format would justify the costs? Why or why not? Please explain. If so, should any particular electronic format be mandated? If so, please describe. 3. Access to the Systems of an SCI Entity Proposed Rule 1000(f) would require SCI entities to provide Commission representatives reasonable access to their SCI systems and SCI security systems. 
Thus, the proposed rule would facilitate the access of representatives of the Commission to such systems of an SCI entity either remotely or on site.\284\ Proposed Rule 1000(f) is intended to be consistent with the Commission's current authority with respect to access to records generally \285\ and help ensure that Commission representatives have ready access to the SCI systems and SCI security systems of SCI entities in order to evaluate an SCI entity's practices with regard to the requirements of proposed Regulation SCI.\286\

---------------------------------------------------------------------------
\284\ For example, with access to an SCI entity's SCI systems and SCI security systems, Commission representatives could test an SCI entity's firewalls and vulnerability to intrusions.
\285\ See, e.g., Section 17(b) of the Exchange Act which states that all records of the entities listed in Section 17(a) ``are subject at any time, or from time to time, to such reasonable periodic, special, or other examinations by representatives of the Commission * * * as the Commission * * * deems necessary or appropriate in the public interest, for the protection of investors, or otherwise in furtherance of the purposes of [the Exchange Act].''
\286\ See 15 U.S.C. 78q(b). The Commission believes proposed Rule 1000(f) also is authorized by Sections 11A, 6(b)(1), 15A(b)(2), and 17A(b)(3)(A) of the Exchange Act, among others. See supra notes 9-11 and accompanying text.
---------------------------------------------------------------------------

Request for Comment

160. The Commission requests comment generally on proposed Rule 1000(f). Are there restrictions that should be placed on the proposed access that would still allow the Commission and its representatives to be able to evaluate an SCI entity's practices with regard to the requirements of proposed Regulation SCI? If so, what should such restrictions be and why? Please describe.

E. New Proposed Form SCI

The Commission is proposing that the notices, reports, and other information required to be provided to the Commission pursuant to proposed Rules 1000(b)(4), (6), (8), and (10) of Regulation SCI be submitted electronically on new proposed Form SCI. Proposed Form SCI would solicit information through a series of questions designed to elicit short-form answers and also would require SCI entities to provide information and/or reports in narrative form by attaching specified exhibits. All filings on proposed Form SCI would require that an SCI entity identify itself and indicate the basis for submitting Form SCI, whether a: notification or update notification regarding an SCI event pursuant to proposed Rule 1000(b)(4); notice of a planned material systems change pursuant to proposed Rule 1000(b)(6); submission of a required report pursuant to proposed Rule 1000(b)(8); or notification of an SCI entity's standards for designation of members or participants to participate in required testing and the identity of such designated members or participants pursuant to proposed Rule 1000(b)(9). A filing on Form SCI required by proposed Rules 1000(b)(4), (6), (8), or (9) would require that an SCI entity provide additional information on attached exhibits, as discussed below.

1. Notice of SCI Events Pursuant to Proposed Rule 1000(b)(4)

As discussed above, proposed Rule 1000(b)(4)(i) would require an SCI entity, upon any responsible SCI personnel becoming aware of a systems disruption that the SCI entity reasonably estimates would have a material impact on its operations or on market participants, any systems compliance issue, or any systems intrusion, to notify the Commission of such SCI event. Proposed Rule 1000(b)(4)(ii) would require an SCI entity, upon any responsible SCI personnel becoming aware of any SCI event, to notify the Commission of the SCI event in writing within 24 hours.
Proposed Rule 1000(b)(4)(iii) would require continuing written updates on a regular basis, or at such frequency as reasonably requested by a representative of the Commission, until such time as the SCI event is resolved. Proposed Rule 1000(b)(4)(iv) would direct an SCI entity to submit the required notifications on Form SCI. Further, proposed Rule 1000(b)(4)(iv) and new proposed Form SCI would specify the particular information an SCI entity would be required to provide to the Commission to comply with the Commission notification requirements of proposed Rules 1000(b)(4)(ii) and 1000(b)(4)(iii). As such, proposed Rule 1000(b)(4) would specify when and how notices would be required to be filed, and it and new proposed Form SCI would address the content of required notices.

For a written notification to the Commission of an SCI event under proposed Rule 1000(b)(4)(ii), new proposed Form SCI would require that an SCI entity indicate that the filing is being made pursuant to proposed Rule 1000(b)(4)(ii) and provide the following information in a short, standardized format: (i) Whether the filing is a Rule 1000(b)(4)(ii) notification or Rule 1000(b)(4)(iii) update of an SCI event; (ii) the SCI event type(s) (i.e., systems compliance issue, systems intrusion, and/or systems disruption); (iii) whether the event is a systems disruption that the SCI entity reasonably estimates would have a material impact on its operations or on market participants; (iv) if so, whether the Commission has been notified of the SCI event; (v) whether the SCI event has been resolved; (vi) the date/time the SCI event started; (vii) the duration of the SCI event; (viii) the date and time when responsible SCI personnel became aware of the SCI event; (ix) the estimated number of market participants impacted by the SCI event; (x) the type(s) of systems impacted; \287\ and (xi) if applicable, the type of systems disruption.\288\ In addition, proposed Form SCI would require attachment of Exhibit 1, providing a narrative description of the SCI event, including: (1) A detailed description of the SCI event; (2) the SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; (3) the potential impact of the SCI event on the market; and (4) the SCI entity's current assessment of the SCI event, including a discussion of the SCI entity's determination regarding whether the SCI event is a dissemination SCI event or not.\289\ In addition, to the extent available as of the time of the initial notification, Exhibit 1 would require inclusion of the following information: (1) A description of the steps the SCI entity is taking, or plans to take, with respect to the SCI event; (2) the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; (3) a description of the SCI entity's rule(s) and/or governing documents, as applicable, that relate to the SCI event; and (4) an analysis of the parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss.\290\

---------------------------------------------------------------------------
\287\ The types of systems listed on proposed Form SCI track the types of systems that make up the proposed definitions of ``SCI system'' and ``SCI security system'' in proposed Rule 1000(a).
\288\ The types of systems disruptions listed on proposed Form SCI track the provisions of the proposed definition of ``system disruption'' in proposed Rule 1000(a) and include, with respect to SCI systems: (1) A failure to maintain service level agreements or constraints; (2) a disruption of normal operations, including switchover to back-up equipment with near-term recovery of primary hardware unlikely; (3) a loss of use of any such system; (4) a loss of transaction or clearance and settlement data; (5) significant back-ups or delays in processing; (6) a significant diminution of ability to disseminate timely and accurate market data; or (7) a queuing of data between system components or queuing of messages to or from customers of such duration that normal service delivery is affected.
\289\ See proposed Rule 1000(b)(4)(iv)(A)(1).
\290\ See proposed Rule 1000(b)(4)(iv)(A)(2).
---------------------------------------------------------------------------

Proposed Rule 1000(b)(4)(iii) would require an SCI entity to provide continuing written updates regularly for each SCI event, or at such frequency as reasonably requested by a representative of the Commission, until such time as the SCI event is resolved.\291\ Proposed Form SCI would require that an SCI entity indicate that it is providing such written update pursuant to Rule 1000(b)(4)(iii) and attach such update as Exhibit 2 to Form SCI.

---------------------------------------------------------------------------
\291\ See proposed Rule 1000(b)(4)(iv)(B).
---------------------------------------------------------------------------

If any of the foregoing information is not available for inclusion on Exhibit 1 as of the date of the initial notification, the SCI entity would be required to provide such information when it becomes available on Exhibit 2. The information proposed to be required in narrative format in Exhibit 1, and if applicable, Exhibit 2, is intended to elicit a fuller description of the SCI event, and would require an SCI entity to provide detail and context not easily conveyed in short-form responses. Proposed Form SCI would further require attachment of Exhibit 3, providing a copy in pdf or html format of any information disseminated to date regarding the SCI event to its members or participants or on the SCI entity's publicly available Web site.\292\

---------------------------------------------------------------------------
\292\ See proposed Rule 1000(b)(4)(iv)(C).
---------------------------------------------------------------------------

The Commission preliminarily believes that the proposed items of information required to be disclosed by an SCI entity on Exhibit 1 within 24 hours of any of its responsible SCI personnel becoming aware of an SCI event, or when available, on Exhibit 2, would help the Commission and its staff quickly assess the nature and scope of an SCI event, and help the SCI entity identify the appropriate response to the SCI event, including ways to mitigate the impact of the SCI event on investors and promote the maintenance of fair and orderly markets.

2. Notices of Material Changes Pursuant to Proposed Rule 1000(b)(6)

Proposed Rule 1000(b)(6) would require an SCI entity to notify the Commission of planned material systems changes on proposed Form SCI 30 calendar days in advance of such change, unless exigent circumstances exist or information previously provided regarding a material systems change has become materially inaccurate, necessitating notice regarding a material systems change with less than 30 calendar days' notice.
To implement this requirement, proposed Form SCI would require an SCI entity to indicate on Form SCI that it is filing a planned material systems change notification, provide the date of the planned material systems change, indicate whether exigent circumstances exist or if the information previously provided to the Commission regarding any planned material systems change has become materially inaccurate, and, if so, whether the Commission has been notified orally, and attach as Exhibit 4 a description of the planned material systems change as well as the expected dates of commencement and completion of implementation of such changes, or, if applicable, a material systems change that has already been made due to exigent circumstances.

3. Reports Submitted Pursuant to Rule 1000(b)(8)

Proposed Rule 1000(b)(8) would require an SCI entity to submit to the Commission: (i) A report of the SCI review required by proposed Rule 1000(b)(7), together with any response by senior management, within 60 calendar days after submission of the SCI review to senior management; and (ii) a report within 30 calendar days after the end of June and December of each year containing a summary description of the progress of any material systems change during the six-month period ending on June 30 or December 31, as the case may be, and the date, or expected date, of completion of implementation of such changes. For filings of the reports of SCI reviews, proposed Form SCI would require an SCI entity to indicate on Form SCI that it is filing a report of SCI review, indicate the date of completion of the SCI review, and date of submission of the SCI review to senior management of the SCI entity. The report of the SCI review required by proposed Rule 1000(b)(7), together with any response by senior management, would be required to be submitted as Exhibit 5 to proposed Form SCI. For filings of the semi-annual reports of material systems changes, proposed Form SCI would require an SCI entity to indicate on Form SCI that it is filing a semi-annual report of material systems changes, and attach the semi-annual report as Exhibit 6 to proposed Form SCI.

4. Notifications of Member or Participant Designation Standards and List of Designees Pursuant to Proposed Rule 1000(b)(9)

Proposed Rule 1000(b)(9) would require an SCI entity to notify the Commission of its standards for designating members or participants it deems necessary, for the maintenance of fair and orderly markets in the event of the activation of the SCI entity's business continuity and disaster recovery plans, to participate in the testing of such plans as well as a list of members or participants designated in accordance with such standards, and prompt updates following any changes to such standards and designations. Form SCI would require such information to be submitted as Exhibit 7 to Form SCI. Thus, an SCI SRO would be required to attach any relevant provisions of its rules, an SCI ATS or exempt clearing agency subject to ARP would be required to attach its relevant internal processes or other documents, and a plan processor would be required to attach the relevant provisions of its SCI Plan.

The Commission preliminarily believes that the proposed mechanism of submitting the reports, notices, and other information required by proposed Rules 1000(b)(4), (6), (8), and (10) by attaching them as exhibits to Form SCI would be an efficient manner for providing such information to the Commission and its staff, and that it would be more cost-effective for SCI entities as well as the Commission than requiring the submission in a paper format or using an electronic method that differs from that proposed.

5. Other Information and Electronic Signature

In addition to the foregoing, proposed Form SCI would require an SCI entity to provide Commission staff with point of contact information for systems personnel and regulatory personnel responsible for addressing an SCI event, including the name, title, telephone number and email address of such persons. Proposed Form SCI would also require the SCI entity to designate on the form contact information for a senior officer of the SCI entity responsible for matters concerning the submission of such Form SCI. Finally, proposed Form SCI would require an electronic signature to help ensure the authenticity of the Form SCI submission. The Commission preliminarily believes these proposed requirements would expedite communications between Commission staff and an SCI entity and help to ensure that only personnel authorized by the SCI entity are submitting required filings and working with Commission staff to address an SCI event or systems issue promptly and efficiently. To the extent that the Commission receives confidential information pursuant to these reports and submissions, such information would be kept confidential, subject to the provisions of applicable law.\293\

---------------------------------------------------------------------------
\293\ See, e.g., 5 U.S.C. 552 (Exemption 4 of the Freedom of Information Act provides an exemption for ``trade secrets and commercial or financial information obtained from a person and privileged or confidential.'' 5 U.S.C. 552(b)(4). Exemption 8 of the Freedom of Information Act provides an exemption for matters that are ``contained in or related to examination, operating, or condition reports prepared by, on behalf of, or for the use of an agency responsible for the regulation or supervision of financial institutions.'' 5 U.S.C. 552(b)(8)).
---------------------------------------------------------------------------

Request for Comment

161. The Commission requests comment on all aspects of proposed Form SCI. Do commenters believe proposed Form SCI would capture the information necessary to assist the Commission in obtaining relevant information about SCI events to mitigate the effects of such events on investors and the public? Specifically, do commenters believe that the proposal to elicit the following information on Form SCI within 24 hours of any responsible SCI personnel becoming aware of an SCI event is appropriate: (i) Whether the filing is a Rule 1000(b)(4)(ii) notification or Rule 1000(b)(4)(iii) update of an SCI event; (ii) the SCI event type(s) (i.e., systems compliance issue, systems intrusion, and/or systems disruption); (iii) whether the event is a systems disruption that the SCI entity reasonably estimates would have a material impact on its operations or on market participants; (iv) if so, whether the Commission has been notified of the SCI event; (v) whether the SCI event has been resolved; (vi) the date/time the SCI event started; (vii) the duration of the SCI event; (viii) the date and time when responsible SCI personnel became aware of the SCI event; (ix) the estimated number of market participants impacted by the SCI event; (x) the type(s) of systems impacted; and (xi) if applicable, the type of systems disruption.

162. Do commenters believe that all relevant information relating to a systems disruption, systems compliance issue, or systems intrusion would be captured on proposed Form SCI? If not, what additional information should be included on proposed Form SCI? For example, should proposed Form SCI require that an SCI entity specifically identify market participants that may have been affected by the SCI event? Why or why not?

163. Do commenters believe the proposed information required to be provided to the Commission regarding SCI events in the 24-hour notification on Exhibit 1 is appropriate?
Do commenters believe that the proposal to require an update notification on Exhibit 2, and the information required to be provided for such updates, are appropriate? Why or why not?

164. Commenters that believe the information proposed to be required on Form SCI, whether in short form or in narrative form on proposed Exhibits 1 and 2, is not appropriate should explain their reasoning and suggest alternatives, as appropriate. Should any information proposed to be required be eliminated? Should any other information be required? Please describe and explain.

165. Do commenters believe the required contents of proposed Exhibit 3 are appropriate (i.e., a copy in pdf or html format of any information disseminated to an SCI entity's members or participants or on the SCI entity's publicly available Web site)? If not, why not?

166. Do commenters believe submission of proposed Form SCI and attachment of Exhibits 4, 5, 6, and 7 regarding material systems changes, SCI reviews, and notifications of standards for designations and designees for the testing of an SCI entity's business continuity and disaster recovery plans, is an appropriate method for SCI entities to provide this information to the Commission? If not, why not? Should any information proposed to be required be eliminated? Should any other information be required? Please explain.

167. Is the proposal to require contact information for systems, regulatory, and senior officer appropriate? Should any information proposed to be required be eliminated? Is there any other type of information that proposed Form SCI should require? Is the proposal to require an electronic signature appropriate? If not, why not?

168. Would proposed Form SCI contain enough information so that the Commission and its staff would be able to accurately analyze SCI events, material changes to systems, and all other required filings?

169. Upon receiving information submitted as part of an SCI entity's electronic filing, it is the Commission's objective that such information be easily analyzed, searched, and manipulated. The Commission has designed proposed Form SCI with this objective in mind, particularly with the uniform requirements on the front of the form. The Commission, however, is cognizant that certain information, particularly with respect to the information required on the various exhibits to the proposed form, may not be as easily analyzed, searched, or manipulated. The Commission seeks comment as to whether it should mandate that proposed Form SCI as a whole, including the proposed exhibits, employ a particular structured data format that would allow the Commission and its staff to analyze, search, and manipulate the form's information. At the same time, the Commission recognizes that employing a particular tagged data format may potentially reduce the flexibility afforded to such entities to collect and report data in a manner that is more efficient and cost effective for them. The Commission requests comments as to whether there may be tagged data formats that are sufficiently flexible and that are accepted and used throughout the industry, such as XML, XBRL, or another structured data format that could be used for proposed Form SCI. Are there different standard data formats currently in use depending on the type of SCI entity that would enable the Commission to achieve its goals? If so, what are they? Should the SCI entity have the flexibility to specify the acceptable data format for submitting information? Why or why not? Do commenters have concerns with proposed Regulation SCI requiring the use of a tagged data format, such as XML, XBRL, or some other structured data format that may be tagged, to report data? If so, what are they? Are there any licensing fees or other costs associated with the use of tagged data formats, such as XML, XBRL, or similar structured data formats that may be tagged? If so, what action should the Commission take, if any, to help ensure wide availability of a common data format by all participants?

F. Request for Comment on Applying Proposed Regulation SCI to Security-Based Swap Data Repositories and Security-Based Swap Execution Facilities

On July 21, 2010, the President signed the Dodd-Frank Act into law.\294\ The Dodd-Frank Act was enacted, among other things, to promote the financial stability of the United States by improving accountability and transparency of the nation's financial system.\295\ Title VII of the Dodd-Frank Act provides the Commission and the CFTC with the authority to regulate over-the-counter (``OTC'') derivatives.

---------------------------------------------------------------------------
\294\ The Dodd-Frank Wall Street Reform and Consumer Protection Act (Pub. L. 111-203, H.R. 4173) (``Dodd-Frank Act'').
\295\ See Public Law 111-203 Preamble.
---------------------------------------------------------------------------

1. Proposed System Safeguard Rules for SB SDRs and SB SEFs

Section 763 of the Dodd-Frank Act amends the Exchange Act by adding various new statutory provisions to govern the regulation of various entities, including security-based swap data repositories and security-based swap execution facilities.\296\ Under the authority of Section 13(n) of the Exchange Act, applicable to SB SDRs, and Section 3D(d) of the Exchange Act, applicable to SB SEFs, the Commission recently proposed rules for these entities with regard to their automated systems' capacity, resiliency, and security.\297\ Specifically, in the SB SDR Proposing Release and the SB SEF Proposing Release, respectively, the Commission proposed Rule 13n-6 and Rule 822 under the Exchange Act, which would set forth the requirements for these entities with regard to their automated systems' capacity, resiliency, and security.\298\ In each release, the Commission stated that it was proposing standards comparable to the standards applicable to SROs, including exchanges and clearing agencies, and other registrants, pursuant to the Commission's ARP standards.\299\

---------------------------------------------------------------------------
\296\ See Public Law 111-203, Section 763 (adding Sections 13(n), 3C, and 3D of the Exchange Act). The Dodd-Frank Act also directs the Commission to harmonize to the extent possible Commission regulation of SB SDRs and SB SEFs with CFTC regulation of swap data repositories (``SDRs'') and swap execution facilities (``SEFs'') under the CFTC's jurisdiction, an endeavor that Commission staff is undertaking as it seeks to move the SB SDR and SB SEF proposals toward adoption. See Public Law 111-203, Section 712, directing the Commission, before commencing any rulemaking with regard to SB SDRs or SB SEFs, to consult and coordinate with the CFTC for purposes of assuring regulatory consistency and comparability to the extent possible.
\297\ See Securities Exchange Act Release Nos. 63347 (November 19, 2010), 75 FR 77306 (December 10, 2010) (proposing new Rule 13n-6 under the Exchange Act applicable to SB SDRs) (``SB SDR Proposing Release''); 63825 (February 2, 2011), 76 FR 10948 (February 28, 2011) (proposing new Rule 822 under the Exchange Act applicable to SB SEFs) (``SB SEF Proposing Release,'' together with the SB SDR Proposing Release, the ``SBS Releases''). See also Public Law 111-203, Section 761(a) (adding Section 3(a)(75) of the Exchange Act) (defining the term ``security-based swap data repository''), and Section 761(a) (adding Section 3(a)(77) of the Exchange Act) (defining the term ``security-based swap execution facility'').
\298\ See SB SDR Proposing Release and SB SEF Proposing Release, supra note 297.
\299\ See SB SDR Proposing Release, supra note 293, at 77332 and SB SEF Proposing Release, supra note 297, at 10987.
---------------------------------------------------------------------------

Proposed Rules 13n-6 and 822, applicable to SB SDRs and SB SEFs, respectively, would require these entities, ``with respect to those systems that support or are integrally related to the performance of its activities'' to ``establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its systems provide adequate levels of capacity, resiliency, and security.'' \300\ Under proposed Rules 13n-6 and 822, such policies and procedures, at a minimum, would require these SB SDRs and SB SEFs to: (i) Establish reasonable current and future capacity estimates; (ii) conduct periodic capacity stress tests of critical systems to determine such systems' ability to process transactions in an accurate, timely, and efficient manner; (iii) develop and implement reasonable procedures to review and keep current their system development and testing methodologies; (iv) review the vulnerability of their systems and data center computer operations to internal and external threats, physical hazards, and natural disasters; and
(v) establish adequate contingency and disaster recovery plans.\301\ Proposed Rules 13n-6 and 822 would further require SB SDRs and SB SEFs to submit, on an annual basis, an ``objective review'' of their systems to the Commission within 30 calendar days of its completion; \302\ notify the Commission in writing of material systems outages; and notify the Commission in writing at least 30 calendar days before implementation of any planned material systems changes.

---------------------------------------------------------------------------
\300\ See SB SDR Proposing Release, 75 FR 77370 and SB SEF Proposing Release, 76 FR 11064, supra note 297.
\301\ Id.
\302\ Such review may be performed internally if an external firm reports on the objectivity, competency, and work performance with respect to the internal review.
---------------------------------------------------------------------------

To date, the Commission has received two comment letters from one commenter in response to proposed Rule 13n-6 \303\ and four comment letters in response to proposed Rule 822.\304\ Both comment letters on proposed Rule 13n-6 expressed support for the proposed rule.\305\ Two commenters on proposed Rule 822 expressed support for the proposed rule.\306\ Two other commenters on proposed Rule 822 suggested modifications, including that the Commission (1) require SB SEFs to establish policies and procedures reasonably designed to prevent any provision in a valid swap transaction from being invalidated or modified through the utilization of, or execution on, a SB SEF; \307\ and (2) provide for the implementation of the system safeguards requirements on a staged basis.\308\

---------------------------------------------------------------------------
\303\ See Letter from Larry E. Thompson, General Counsel, The Depository Trust & Clearing Corporation to Elizabeth M. Murphy, Secretary, Commission, dated January 24, 2011 (``DTCC SB SDR Letter 1''); and Letter from Larry E. Thompson, General Counsel, Depository Trust & Clearing Corporation to Mary Schapiro, Chairman, Commission, dated June 3, 2011 (``DTCC SB SDR Letter 2'').
\304\ See Letter from American Benefits Council to Elizabeth M. Murphy, Secretary, Commission, dated April 8, 2011 (``ABC SB SEF Letter''); Letter from Nancy C. Gardner, Executive Vice President & General Counsel, Markets Division, Thomson Reuters to Elizabeth M. Murphy, Secretary, Commission, dated April 4, 2011 (``Thomson SB SEF Letter''); Letter from Stephen Merkel, Chairman, Wholesale Markets Brokers' Association Americas to Elizabeth M. Murphy, Secretary, Commission, dated April 4, 2011 (``WMBAA SB SEF Letter''); and Letter from Robert Pickel, Executive Vice Chairman, International Swaps and Derivatives Association, and Kenneth E. Bentsen, Jr., Executive Vice President, Public Policy and Advocacy, Securities Industry and Financial Markets Association to Elizabeth M. Murphy, Secretary, Commission, dated April 4, 2011 (``ISDA SIFMA SB SEF Letter'').
\305\ See DTCC SB SDR Letter 1, supra note 304, at 3; DTCC SB SDR Letter 2, supra note 304, at 4 (recommending that SB SDRs ``maintain multiple levels of operational redundancy and data security'').
\306\ See Thomson SB SEF Letter, supra note 304, at 8; WMBAA SB SEF Letter, supra note 304, at 24.
\307\ See ABC SB SEF Letter, supra note 304, at 10.
\308\ See ISDA SIFMA SB SEF Letter, supra note 304, at 12 (noting that the system safeguard requirements would require time and systems expertise to implement fully).
---------------------------------------------------------------------------

2. Proposed System Safeguard Rules for SB SDRs and SB SEFs as Compared to Proposed Regulation SCI

As noted above, proposed Regulation SCI is intended to build upon and update the Commission's ARP standards,\309\ which were the basis for proposed Rules 13n-6 and 822 for SB SDRs and SB SEFs, respectively. Although proposed Rules 13n-6 and 822 have much in common with proposed Regulation SCI, they differ in scope and detail from proposed Regulation SCI in a number of ways. Among the differences are certain provisions in proposed Regulation SCI that proposed Rules 13n-6 and 822 do not include. Specifically, as discussed above, proposed Regulation SCI would: (i) Define the terms ``SCI systems'' and ``SCI security systems;'' \310\ (ii) specifically require the establishment, maintenance, and enforcement of written policies and procedures reasonably designed to ensure that SCI systems and, for purposes of security standards, SCI security systems, have levels of capacity, integrity, resiliency, availability, and security adequate to maintain an SCI entity's operational capability and promote the maintenance of fair and orderly markets; \311\ (iii) require SCI entities to establish policies and procedures regarding standards that result in systems designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data; (iv) require SCI entities to establish, maintain, and enforce reasonably designed written policies and procedures to ensure that SCI systems operate in the manner intended, including in a manner that complies with the federal securities laws and rules and regulations thereunder and, as applicable, the entity's rules and governing documents; (v) require SCI entities to take corrective action, including devoting adequate resources, to remedy an SCI event as soon as reasonably practicable; \312\ (vi) require SCI entities to have backup and recovery capabilities sufficiently resilient and geographically diverse to ensure next business day resumption of trading following a wide scale disruption; (vii) require an annual SCI review of the SCI entity's compliance with proposed Regulation SCI and the reporting of such review to the Commission; (viii) require an SCI entity, with respect to its business continuity and disaster recovery plans, including its backup systems, to require participation by designated members or participants in scheduled functional and performance testing of the operation of such plans at specified intervals, and to coordinate such required testing with other SCI entities; (ix) require all SCI events to be reported to the Commission, and certain types of SCI events to be disseminated to an SCI entity's members or participants; and (x) establish semi-annual reporting obligations for planned material systems changes. In addition, proposed Regulation SCI would establish a system for submitting required notices, reports, and other information to the Commission on proposed new Form SCI. Each of these proposed requirements goes beyond the explicit requirements in proposed Rules 13n-6 and 822.

---------------------------------------------------------------------------
\309\ See supra Sections I and II.
\310\ See proposed Rule 1000(a), which would define ``SCI systems'' as ``all computer, network, electronic, technical, automated, or similar systems of, or operated by or on behalf of, an SCI entity, whether in production, development, or testing, that directly support trading, clearance and settlement, order routing, market data, regulation, or surveillance,'' and ``SCI security systems'' as ``any systems that share network resources with SCI systems that, if breached, would be reasonably likely to pose a security threat to SCI systems.''
\311\ While proposed Rule 13n-6 did not specifically include such a requirement for SB SDRs, the SB SDR Proposing Release stated that ``[a]s a general matter, the Commission preliminarily believes that, if an SDR's policies and procedures satisfy industry best practices standards, then these policies and procedures would be adequate.'' See SB SDR Proposing Release, supra note 297, at 77333. See also SB SEF Proposing Release, supra note 297, at 10988.
\312\ See proposed Rule 1000(a), defining ``SCI event'' as an event at an SCI entity that constitutes: (1) A systems disruption; (2) a systems compliance issue; or (3) a systems intrusion. --------------------------------------------------------------------------- 3. Consideration of Applying the Requirements of Proposed Regulation SCI to SB SDRs and/or SB SEFs If the Commission were to adopt Rules 13n-6 and 822 as proposed in the SBS Releases and also adopt Regulation SCI as proposed herein, there would be differences, as noted above, between the obligations imposed on SB SDRs and SB SEFs with respect to system safeguards on the one hand and the obligations imposed on SCI entities on the other. Therefore, the Commission solicits comment on whether it should propose to apply the requirements of proposed Regulation SCI, in whole or in part, to SB SDRs and/or SB SEFs. In providing views on whether the Commission should propose to apply proposed Regulation SCI to SB SDRs and/or SB SEFs, commenters are encouraged to consider the discussion regarding each provision of proposed Regulation SCI that is set forth in Sections III.B through III.E above. Should the Commission decide to propose to apply the requirements of proposed Regulation SCI to such entities, the Commission would issue a separate release discussing such a proposal. In enacting Title VII of the Dodd-Frank Act, Congress judged it important to increase the transparency and oversight of the OTC derivatives market. 
In addition, in proposing Regulation SB SEF, the Commission noted that SB SEFs are intended to ``lead to a more robust, transparent, and competitive environment for the market for security-based swaps (``SBS'' or ``SB swaps'').'' \313\ Similarly, in proposing rules for SB SDRs, the Commission [[Page 18135]] noted that ``SDRs may be especially critical during times of market turmoil, both by giving relevant authorities information to help limit systemic risk and by promoting stability through enhanced transparency'' and that, ``[b]y enhancing stability in the SBS market, SDRs may also indirectly enhance stability across markets, including equities and bond markets.'' \314\ --------------------------------------------------------------------------- \313\ See SB SEF Proposing Release, supra note 297, at 11035. \314\ See SB SDR Proposing Release, supra note 297, at 77307. --------------------------------------------------------------------------- The Commission notes that it may or may not be appropriate to apply the requirements of proposed Regulation SCI to SB SDRs and SB SEFs. In particular, SB SDRs will play an important role in limiting systemic risk and promoting the stability of the SBS market. SB SDRs also would serve as information disseminators \315\ in a manner similar to plan processors in the equities and options markets that, under this proposal, would be subject to the requirements of proposed Regulation SCI. 
SB SEFs would function as trading markets, and in that respect could be viewed as analogous to national securities exchanges and SCI ATSs, both of which function as trading markets and are included in the proposed definition of SCI entity.\316\ The Commission preliminarily believes that the same types of concerns and issues that have resulted in the Commission previously publishing its ARP policy statements,\317\ developing its ARP Inspection Program,\318\ adopting certain aspects of the ARP policy statements under Regulation ATS,\319\ and, ultimately, proposing Regulation SCI,\320\ may similarly apply to SB SDRs and SB SEFs. In proposing Rule 13n-6, the Commission noted that systems failures can limit access to data, call into question the integrity of data, and prevent market participants from being able to report transaction data, and thereby have a large impact on market confidence, risk exposure, and market efficiency.\321\ Similarly, in proposing Rule 822, the Commission noted that the proposed system safeguard requirements for SB SEFs are designed to prevent and minimize the impact of systems failures that might negatively impact the stability of the SB swaps market.\322\ At the same time, because the Commission recognizes that there may be differences between the markets for the types of securities that would be covered by proposed Regulation SCI and the SBS market, including differing levels of automation and stages of regulatory development, the Commission requests comment on whether it would be appropriate to propose to apply the requirements of proposed Regulation SCI to SB SDRs and/or SB SEFs. 
As discussed further below, the Commission also requests comment on whether, if commenters believe proposed Regulation SCI should apply to SB SDRs and/or SB SEFs, the system safeguard rules currently proposed for SB SDRs and SB SEFs in the SBS Releases should, if adopted, be replaced, at some point in the future, by the requirements proposed in this release and, if so, how. --------------------------------------------------------------------------- \315\ See Securities Exchange Act Release No. 63346 (November 19, 2010), 75 FR 75208, 75227 (December 2, 2010) (proposing Regulation SBSR). \316\ See SB SEF Proposing Release, supra note 297, at 10987, n.246 (``Because SB SEFs would be an integral part of the market for SB swaps, and therefore an integral part of the national market system, the Commission believes that it is appropriate to model a SB SEF's rules on system safeguards on ARP.''). \317\ See supra notes 1 and 12-18 and accompanying text. \318\ See supra notes 25-26 and accompanying text. \319\ See supra note 26 and accompanying text. \320\ See supra Section I.B. \321\ See SB SDR Proposing Release, supra note 297, at 77332. \322\ See SB SEF Proposing Release, supra note 297, at 10987. --------------------------------------------------------------------------- 170. Are the SBS markets sufficiently similar to the markets within which the proposed SCI entities operate such that it would be appropriate to apply the same system safeguard requirements to SB SDRs and/or SB SEFs that would be applicable to SCI entities? Why or why not? Do commenters believe that there are characteristics of the SBS markets that the Commission should consider to support its applying different system safeguard rules to SB SDRs and/or SB SEFs than to SCI entities? If so, what are those characteristics, and why should different rules apply to SB SDRs and/or SB SEFs? If not, why not? 171. 
If the Commission were to propose to apply some or all of the provisions of proposed Regulation SCI to SB SDRs and/or SB SEFs, should the Commission propose to apply the provisions of proposed Regulation SCI differently to SB SDRs versus SB SEFs? For example, should the Commission propose to apply some or all of the provisions of proposed Regulation SCI to SB SDRs but not SB SEFs or vice versa? Why or why not? 172. What effect, if any, would there be of having SB SDRs and/or SB SEFs subject to different system safeguard rules than those proposed for SCI entities? Would there be any short term and/or long term impact of SB SDRs and/or SB SEFs being subject to different system safeguard rules than those proposed for SCI entities? For example, if SB SEFs were subject to different system safeguard rules than those proposed for SCI entities, would there be an impact on competition between SB SEFs and national securities exchanges that trade SB swaps? Please describe any expected impact on competition. Are there any provisions in proposed Regulation SCI that, if applied to SB SEFs, would create barriers to entry that could preclude small SB SEFs (e.g., those that do not exceed a specified volume or liquidity threshold) from entering the SBS market? 173. The Commission also requests comment on whether it should propose to apply all provisions of proposed Regulation SCI to SB SDRs and/or SB SEFs or just those provisions comparable to the proposed system safeguard rules for SB SDRs or SB SEFs. 174. 
Should the Commission, if it were to propose to apply some or all of the provisions of proposed Regulation SCI to SB SDRs and/or SB SEFs, propose that SB SEFs and/or SB SDRs have written policies and procedures reasonably designed to ensure that their SCI systems and, for purposes of security standards, SCI security systems, have levels of capacity, integrity, resiliency, availability, and security adequate to maintain their operational capability and promote the maintenance of fair and orderly markets? Why or why not? If the Commission were to propose such a requirement for SB SDRs and/or SB SEFs, should SCI industry standards for SB SDRs and/or SB SEFs be different from those proposed for SCI entities? If so, please explain why. What are the industry standards that should apply to SB SEFs and/or SB SDRs? Please be as specific as possible and explain why a particular industry standard would be appropriate. 175. Do the characteristics of the SBS market support a need for a mandatory requirement that SB SDRs and/or SB SEFs maintain backup and recovery capabilities sufficiently resilient and geographically diverse to ensure next business day resumption of trading (for SB SEFs) or data repository services (for SB SDRs) following a wide scale disruption? Why or why not? 176. Should the Commission propose to require SB SEFs and/or SB SDRs to establish written policies and procedures regarding standards that result in systems designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data? Why or why not? 177. 
Should the Commission propose to require SB SEFs and/or SB SDRs to establish, maintain, and enforce policies and procedures reasonably designed to ensure that their SCI systems operate in the manner intended, including in a [[Page 18136]] manner that complies with federal securities laws and rules and regulations thereunder and, as applicable, the entity's rules and governing documents, as proposed for SCI entities in Rule 1000(b)(2)(i)? Why or why not? Should the Commission propose a safe harbor from liability for SB SEFs and/or SB SDRs and their respective employees if they satisfy the elements of a safe harbor, similar to those for SCI entities in proposed Rules 1000(b)(2)(ii) and (iii)? Why or why not? 178. Should the Commission propose to require SB SEFs and/or SB SDRs, with respect to their business continuity and disaster recovery plans, including their backup systems, to require participation by designated participants in scheduled functional and performance testing of the operation of such plans at specified intervals, and to coordinate such required testing with other SB SEFs and/or SB SDRs, as proposed for SCI entities in Rule 1000(b)(9)? Why or why not? 179. With regard to the reporting and information dissemination requirements in proposed Rules 1000(b)(4) and 1000(b)(5) of Regulation SCI, would it be appropriate to propose that an SB SDR and/or SB SEF be required to report all SCI events to the Commission, and disseminate information relating to dissemination SCI events to their participants? Why or why not? If not, on what basis should SB SDRs and/or SB SEFs be distinguished from other SCI entities? 180. Should SB SDRs and/or SB SEFs be required to provide notice of, and file semi-annual reports for, material systems changes with the Commission, as proposed for SCI entities in Rules 1000(b)(6) and (b)(8)? Why or why not? 181. 
Should SB SDRs and/or SB SEFs be required to undertake an annual SCI review of systems and submit to the Commission a report of such review, together with any response of senior management, as proposed for SCI entities in Rule 1000(b)(7) and (8)? Why or why not? 182. Should SB SDRs and/or SB SEFs be required to submit any required notices, reports, and other information to the Commission on proposed new Form SCI? Why or why not? 183. If the Commission were to determine that it would be appropriate to propose to apply some or all of the requirements of proposed Regulation SCI to SB SDRs and/or SB SEFs, should the Commission propose to apply such requirements of proposed Regulation SCI to all SB SDRs? To all SB SEFs? Are there distinctions that should be made between different types of SB SDRs (or SB SEFs) such that some requirements of proposed Regulation SCI might be appropriate for some SB SDRs (or SB SEFs) but not others? If so, what are those distinctions and what are those requirements? For example, should any requirements be based on criteria such as number of transactions or notional volume reported to a SB SDR or executed on a SB SEF? If so, what would be an appropriate threshold for any such criteria, and why? 184. Alternatively, given the nascent stage of regulatory development of the SBS markets, would it be appropriate to create a category under proposed Regulation SCI such as ``new SB SCI entity'' that would, for example, be applicable to SB SDRs and/or SB SEFs for a certain period of time after such entities become registered with the Commission? If so, what period of time would be appropriate (e.g., one year, three years, or some other period)? Should there be other criteria for an SB SEF (or SB SDR) to be considered a new SB SCI entity? If so, what should be the criteria for inclusion? Would market share, number of transactions, and/or notional volume be appropriate criteria? If so, at what level should the criteria thresholds be set, and why? 
If not, why not? How should the requirements of proposed Regulation SCI differ for such ``new SB SCI entities?'' 185. The Commission notes that, if it were to adopt proposed Regulation SCI and proposed Rules 13n-6 and 822, the system safeguard rules applicable to SB SDRs and SB SEFs would diverge from those applicable to SCI entities, as well as from those the CFTC has adopted for SDRs and may adopt for SEFs.\323\ What negative effects, if any, do commenters believe would result from disparity in the: (1) Commission's system safeguard rules applicable to SB SDRs and/or SB SEFs; (2) requirements of Regulation SCI applicable to SCI entities; and (3) CFTC's system safeguard rules applicable to SDRs and SEFs? --------------------------------------------------------------------------- \323\ As noted above, SDRs and SEFs, entities similar to SB SDRs and SB SEFs, respectively, are subject to the CFTC's jurisdiction. The CFTC's system safeguards rules for SDRs, and those proposed for SEFs differ from those rules that the Commission is proposing in Regulation SCI. See 76 FR 54538 (September 1, 2011) (adopting 17 CFR part 49, Swap Data Repositories: Registration Standards, Duties and Core Principles, Effective October 31, 2011); 76 FR 1214 (January 7, 2011) (proposing 17 CFR part 37, Core Principles and Other Requirements for Swap Execution Facilities). For example, for SDRs, the CFTC requires same day recovery for ``critical SDRs'' whereas proposed Regulation SCI would require next business day recovery for trading services (and two-hour recovery for clearing and settlement services). See CFTC Rule 49.24. --------------------------------------------------------------------------- 186. 
The Commission seeks commenters' views on all aspects of whether to propose to apply Regulation SCI to SB SDRs and/or SB SEFs, taking into account the possibility that any final Commission action on proposed Rules 13n-6 and 822 could occur prior to any final Commission action on proposed Regulation SCI. The Commission seeks commenters' views on whether a proposal to extend the requirements of proposed Regulation SCI to SB SDRs and/or SB SEFs would be beneficial to help to promote the integrity, capacity, resiliency, availability, and security of their systems. The Commission notes that having comparable system safeguard requirements may be appropriate for SB SDRs and/or SB SEFs if, as noted above, the same types of concerns and issues that have resulted in the Commission previously publishing its ARP policy statements, developing its ARP Inspection Program, adopting certain aspects of the ARP policy statements under Regulation ATS, and, ultimately, proposing Regulation SCI, also apply to SB SDRs and/or SB SEFs. 187. The Commission is particularly interested in commenters' views on the different benefits and costs associated with applying proposed Regulation SCI to SB SDRs and/or SB SEFs versus the costs and benefits of applying proposed Rules 13n-6 and 822 to SB SDRs and SB SEFs, respectively. In the SBS Proposing Releases, the Commission provided aggregate estimates of the costs of its proposed rules governing SB SDRs and SB SEFs. 
The SB SDR Proposing Release provided an aggregate initial cost estimate of approximately $214,913,592 to be incurred by prospective SB SDRs and an aggregate ongoing annualized cost estimate of approximately $140,302,120, both of which estimates took account of proposed Rule 13n-6.\324\ [[Page 18137]] Similarly, the SB SEF Proposing Release provided an aggregate initial cost estimate of approximately $41,692,900 and an aggregate ongoing annualized cost estimate of approximately $22,342,700 to be incurred by prospective SB SEFs, both of which estimates took account of proposed Rule 822.\325\ --------------------------------------------------------------------------- \324\ See SB SDR Proposing Release, supra note 297, at 77364. In the SB SDR Proposing Release, the Commission estimated that the paperwork burden associated with proposed Rule 13n-6 would come from preparing and implementing policies associated with SB SDR duties, data collection and maintenance, automated systems and direct electronic access, and from preparing reports and reviews. See id. at 77345-46. The Commission estimated that there would be up to 10 SB SDRs subject to the proposed SB SDR rules. See id. at 77355. Based on the information in the SB SDR Proposing Release, the Commission estimated that the aggregate burden on an estimated 10 SB SDRs to prepare and implement the policies and procedures under Rule 13n-6 would be 2100 hours along with 500 hours of outside legal services at $400 an hour, and that the aggregate annual burden on such SB SDRs to maintain such policies would be an additional 600 hours. See id. at 77349. 
Based on the information in the SB SDR Proposing Release, the Commission estimated that the annual aggregate burden on SB SDRs to promptly notify the Commission and submit a written description and analysis of outages and any remedial measures would be 154 hours and the aggregate annual burden on SB SDRs to notify the Commission of planned material system changes would be 1200 hours. See id. at 77349-50. The Commission estimated that the aggregate annual burden on SB SDRs to submit an objective review would be 8250 hours and $900,000. See id. at 77350. \325\ See SB SEF Proposing Release, supra note 297, at 11034. In the SB SEF Proposing Release, the Commission estimated that the paperwork burden associated with Rule 822 would come from rule writing requirements under Rule 822(a)(1), and from reporting requirements under Rules 822(a)(2), 822(a)(3), and 822(a)(4). See id. at 11017-19. The Commission also estimated that there would be up to 20 SB SEFs subject to the proposed SB SEF rules. See id. at 11023. Based on the information in the SB SEF Proposing Release, the Commission estimated that the aggregate burden on an estimated 20 SB SEFs to draft rules to implement Rule 822 would be 200 hours, see id. at 11026, and that the aggregate annual burden on an estimated 20 SB SEFs to comply with the reporting requirements under Rule 822 would be 19,208 hours and $1,800,000. See id. at 11029. --------------------------------------------------------------------------- If the Commission were to propose to apply Regulation SCI to SB SDRs and/or SB SEFs, it preliminarily believes that the initial potential costs of such application could differ from the costs to be incurred by SCI entities that currently participate in the ARP Inspection Program on a per entity basis, as described in Sections IV and V below. 
This is because prospective SB SDRs and prospective SB SEFs, unlike those entities, are not now subject to the ARP Inspection Program and its standards.\326\ However, the Commission preliminarily believes that the initial potential costs of such application to SB SDRs and SB SEFs, on a per entity basis, could be equivalent to those costs estimated below in Sections IV and V with respect to SCI entities that currently do not participate in the ARP Inspection Program. Further, as noted above, the SBS Releases have accounted for potential costs to be incurred by SB SDRs and SB SEFs in implementing the proposed system safeguard requirements in Rules 13n-6 and 822, respectively, and, as discussed above, the requirements in proposed Regulation SCI could be incremental to those already proposed in Rules 13n-6 and 822. The Commission therefore preliminarily believes that, if it were to decide to propose to apply some or all of the requirements of proposed Regulation SCI to SB SDRs and/or SB SEFs, the costs of applying proposed Regulation SCI to SB SDRs and/or SB SEFs would be incremental to the costs associated with proposed Rules 13n-6 and 822. --------------------------------------------------------------------------- \326\ As stated in the SB SDR Proposing Release, ``[t]he Commission believes that persons currently operating as SDRs may have developed and implemented aspects of the proposed rules already,'' and that ``the Commission does not believe that the one-time cost of [enhancements to their information technology systems] will be significant.'' See supra note 297, at 77358. --------------------------------------------------------------------------- 188. The Commission seeks commenters' views regarding the prospective costs, as well as the potential benefits, of proposed Regulation SCI to SB SDRs and/or SB SEFs. Commenters should quantify the costs of applying proposed Regulation SCI to SB SDRs and/or SB SEFs, to the extent possible. 
As noted above, commenters are urged to address specifically each requirement of proposed Regulation SCI and note whether it would be reasonable to propose to apply each such requirement to SB SDRs and/or SB SEFs and what the benefits and costs of such application would be. 4. Timing and Implementation Considerations As noted above, the Commission has proposed rules providing a regulatory framework for SB SDRs and SB SEFs, but has not yet adopted final rules governing these entities. To date, the Commission has not received any comments with respect to the timing of the implementation of proposed Rule 13n-6 \327\ but has received one comment in connection with the timing of the implementation of proposed Rule 822.\328\ --------------------------------------------------------------------------- \327\ The Commission, however, has received comments that suggest a phase-in approach to the proposed SB SDR rules generally may be appropriate. These comments generally indicate that a phase-in approach would be necessary to enable existing swap data repositories and other market participants to make the necessary changes to their operations. 
See, e.g., Letter in response to a joint public roundtable conducted by Commission and CFTC staff on implementation issues raised by Title VII of the Dodd-Frank Act on May 2 and 3, 2011, from The Financial Services Roundtable, available on the Commission's Web site at: https://www.sec.gov/comments/4-625/4625-1.pdf (stating that ``it may be prudent to have different portions of a single rulemaking proposal take effect at different times and with due consideration of steps that are preconditions to other steps,'' suggesting, as an example, that ``a requirement to designate a CCO should be implemented quickly, but that the CCO be given time to design, implement, and test the compliance system before any requirement to certify as to the compliance system becomes effective'' and supporting a phase-in approach ``that recognizes the varying levels of sophistication, resources and scale of operations within a particular category of market participant''). \328\ See ISDA SIFMA SB SEF Letter at 12 (``Many of the proposed rules will pose significant operational and administrative hurdles for market participants and SB SEFs. For example, the proposed rules have requirements for system safeguards that will require time and systems expertise to implement fully. We strongly suggest that SB SEFs be allowed to adopt the rules on a staged basis so that the basic functioning of the SB SEF and the market can be established before all requirements are imposed.''). As with the proposed SB SDR rules, the Commission has received general comments suggesting that a phase-in approach for all SB SEF Rules may be generally appropriate. See, e.g., Thomson SB SEF Letter at 8 (stating that ``in order to ensure the proper operation of these markets, it may be necessary for the SEC to adopt a phased-in approach and we would urge avoiding over-hasty rulemaking which could result in unintended consequences for the markets and the broader economy''). 
--------------------------------------------------------------------------- Although the Commission has issued a policy statement regarding the anticipated sequencing of the compliance dates of final rules to be adopted by the Commission for certain provisions of Title VII of the Dodd-Frank Act,\329\ the precise timing for adoption of or compliance with any final rules relating to SB SDRs or SB SEFs, or for adoption of or compliance with proposed Regulation SCI, is not known at this time. In addition, as the Title VII Implementation Policy Statement notes, any final rules for SB SDRs and SB SEFs potentially would be considered by the Commission at different times.\330\ As such, the precise timing and ordering of the implementation of any requirements of proposed Regulation SCI, or Rules 13n-6 and 822, to SB SDRs and/or SB SEFs is difficult to predict, should the Commission determine to propose to apply some or all of the requirements of proposed Regulation SCI to SB SDRs and/or SB SEFs, or adopt Rules 13n-6 and 822 to SB SDRs and SB SEFs, respectively. --------------------------------------------------------------------------- \329\ See Securities Exchange Act Release No. 67177 (June 11, 2012), 77 FR 35625 (June 14, 2012) (Statement of General Policy on the Sequencing of the Compliance Dates for Final Rules Applicable to Security-Based Swaps Adopted Pursuant to the Securities Exchange Act of 1934 and the Dodd-Frank Wall Street Reform and Consumer Protection Act) (``Title VII Implementation Policy Statement''). \330\ See id. at 35629 (noting that the rules pertaining to the registration and regulation of SB SDRs are in the second category of rules, whereas the rules pertaining to the registration and regulation of SB SEFs are in the fifth category of rules). --------------------------------------------------------------------------- 189. 
Nonetheless, the Commission requests comment on what--if the Commission were to propose to apply some or all of the requirements of proposed Regulation SCI to SB SDRs and/or SB SEFs--would be the most appropriate way to implement such requirements for SB SDRs and/or SB SEFs. For example, should the Commission seek to implement such requirements for SB SDRs and/or SB SEFs within the same timeframe as those entities currently defined as SCI entities under the proposal? Alternatively, should the applicability of some or all of Regulation SCI to SB SDRs and/or SB SEFs be phased in over time? If so, what provisions of proposed Regulation SCI should be phased in and [[Page 18138]] what would be an appropriate phase-in period? Should there be different phase-in schedules for different SB SDRs and/or SB SEFs? Why or why not? If yes, how would the SB SDRs and/or SB SEFs be selected for different phase-in schedules? Please be specific. 190. Do commenters believe that, because the Commission's actions to implement the regulatory framework for the SB swaps market are still in progress, the Commission should not propose to apply the requirements of Regulation SCI to SB SDRs and/or SB SEFs at the same time as SCI entities, but instead should adopt the system safeguard provisions of proposed Rules 13n-6 and 822 and reconsider such requirements in the future after the SB swaps market and the Commission's regulation of such market and its participants has developed further? Why or why not? What would be the impact of this approach for SB SDRs and/or SB SEFs? 191. As discussed in the SBS Releases,\331\ the system safeguards requirements in proposed Rules 13n-6 and 822 have their origins in the Commission's ARP standards. 
Though they differ in scope and detail, the provisions of proposed Regulation SCI likewise trace their origin to the Commission's ARP standards.\332\ If the Commission were to adopt final rules for SB SDRs and/or SB SEFs before it were to adopt Regulation SCI, and if the Commission were to decide to propose to apply some or all of the requirements of proposed Regulation SCI to SB SDRs and/or SB SEFs, should the Commission require SB SDRs and/or SB SEFs to comply with the requirements of the system safeguards rules in proposed Rules 13n-6 and 822 \333\ first, and apply the requirements of Regulation SCI to SB SDRs and/or SB SEFs at a specific date in the future? If the Commission were to adopt Rules 13n-6 and 822 prior to adoption of proposed Regulation SCI, and if the Commission were to decide to propose to apply some or all of the requirements of proposed Regulation SCI to SB SDRs and/or SB SEFs, should the Commission delay implementation of Rules 13n-6 and 822 and instead request that SB SDRs and/or SB SEFs comply with the Commission's voluntary ARP Inspection Program until such time as the Commission were to propose and adopt Regulation SCI for SB SDRs and SB SEFs? --------------------------------------------------------------------------- \331\ See supra note 299 and accompanying text. \332\ See supra notes 310-312 and accompanying text. \333\ See supra notes 298-302 and accompanying text. --------------------------------------------------------------------------- G. Solicitation of Comment Regarding Potential Inclusion of Broker- Dealers, Other than SCI ATSs, and Other Types of Entities 1. Policy Considerations As discussed above, the requirements of proposed Regulation SCI would apply to national securities exchanges, registered securities associations, registered clearing agencies, the MSRB, SCI ATSs, plan processors, and exempt clearing agencies subject to ARP. 
They would not apply to other types of market participants, such as market makers or other broker-dealers. This proposed scope of the definition of SCI entity in part reflects the historical reach of the ARP policy statements (which apply, for example, to national securities exchanges) and existing Rule 301 of Regulation ATS (which applies systems safeguard requirements to certain ATSs). Recent events have highlighted the significance of systems integrity of a broader set of market participants than those proposed to be included within the definition of SCI entity.\334\ Also, some broker-dealers have grown in size and importance to the market in recent years. For example, many orders are internalized by OTC market makers, one subset of broker-dealers, who handle a large portion of order flow in the market.\335\ The Commission recognizes that systems disruptions, systems compliance issues, and systems intrusions at broker-dealers, including for example OTC market makers and clearing broker-dealers, could pose a significant risk to the market. Such an occurrence could impact all orders being handled by a broker-dealer, which can be significant for larger broker-dealers. If a given broker- dealer handles a large portion of order flow and suddenly experiences a systems disruption or systems intrusion, the disruption or intrusion could cause ripple effects. For example, a systems issue at one broker- dealer could result in confusion about whether orders are handled correctly or whether the systems issue at the broker-dealer could have caused capacity issues elsewhere.\336\ --------------------------------------------------------------------------- \334\ For example, on August 1, 2012, Knight Capital Group, Inc. 
(``Knight'') reported that it ``experienced a technology issue at the opening of trading at the NYSE * * * [which was] related to Knight's installation of trading software and resulted in Knight sending numerous erroneous orders in NYSE-listed securities into the market * * *. Knight has traded out of its entire erroneous trade position, which has resulted in a realized pre-tax loss of approximately $440 million.'' See Knight Capital Group Provides Update Regarding August 1st Disruption To Routing In NYSE-listed Securities (August 2, 2012), available at: https://www.knight.com/investorRelations/pressReleases.asp?compid=105070&releaseID=1721599. Among other things, Knight provides market making services in U.S. equities and U.S. options; institutional sales and trading services; electronic execution services; and corporate and other services. See Knight Operating Subsidiaries, available at: https://www.knight.com/ourFirm/operatingSubsidiaries.asp. Knight also operates two registered ATSs, Knight Match and Knight Bond Point. See Knight Match, available at: https://www.knight.com/electronicExecutionServices/knightMatch.asp; Knight BondPoint, available at: https://www.knight.com/electronicExecutionServices/knightBondpoint.asp; and Alternative Trading Systems Active Filers as of April 30, 2012, available at: https://www.sec.gov/foia/ats/atslist0412.pdf. \335\ See Concept Release on Equity Market Structure, supra note 42, at 3600 (stating: ``OTC market makers, for example, appear to handle a very large percentage of marketable (immediately executable) order flow of individual investors that is routed by retail brokerage firms. 
A review of the order routing disclosures required by Rule 606 of Regulation NMS of eight broker-dealers with significant retail customer accounts reveals that nearly 100% of their customer market orders are routed to OTC market makers.'') \336\ For example, if an e-market-maker handling 20 percent of message traffic experiences a systems issue, the order flow could be diverted elsewhere, including to entities that are unable to handle the increase in message traffic, resulting in a disruption to that entity's systems as well. Similarly, a broker-dealer accidentally could run a test during live trading and flood markets with message traffic such that those markets hit their capacity limits, resulting in a disruption. --------------------------------------------------------------------------- The Commission is not at this time proposing to include some classes of registered broker-dealers (other than SCI ATSs) in the definition of SCI entity. Were the Commission to decide to propose to apply the requirements of proposed Regulation SCI to such entities, the Commission would issue a separate release discussing such a proposal. Rule 15c3-5, requiring brokers or dealers with market access to implement risk management controls and supervisory procedures to limit risk, already seeks to address certain risks posed to the markets by broker-dealer systems. 
Specifically, in 2010 when the Commission adopted Rule 15c3-5 regarding risk management controls and supervisory procedures for brokers or dealers with market access,\337\ the Commission stated that [[Page 18139]] ``broker-dealers, as the entities through which access to markets is obtained, should implement effective controls reasonably designed to prevent errors or other inappropriate conduct from potentially causing a significant disruption to the markets'' and that ``risk management controls and supervisory procedures that are not applied on a pre-trade basis or that, with certain limited exceptions, are not under the exclusive control of the broker-dealer, are inadequate to effectively address the risks of market access arrangements, and pose a particularly significant vulnerability in the U.S. national market system.'' \338\ --------------------------------------------------------------------------- \337\ See Securities Exchange Act Release No. 63241 (November 3, 2010), 75 FR 69792 (November 15, 2010) (``Market Access Release''). Rule 15c3-5(a)(1) defines ``market access'' to mean: (i) access to trading in securities on an exchange or ATS as a result of being a member or subscriber of the exchange or ATS, respectively; or (ii) access to trading in securities on an ATS provided by a broker- dealer operator of an ATS to a non-broker-dealer. See 17 CFR 240.15c3-5(a)(1). In adopting Rule 15c3-5(a)(1), the Commission stated that ``the risks associated with market access * * * are present whenever a broker-dealer trades as a member of an exchange or subscriber to an ATS, whether for its own proprietary account or as agent for its customers, including traditional agency brokerage and through direct market access or sponsored access arrangements.'' See Market Access Release at 69798. As such, the Commission stated that ``to effectively address these risks, Rule 15c3-5 must apply broadly to all access to trading on an Exchange or ATS.'' See id. \338\ Id. at 69794. 
--------------------------------------------------------------------------- Pursuant to Rule 15c3-5, a broker or dealer with market access, or that provides a customer or any other person with access to an exchange or ATS through use of its market participant identifier or otherwise, must establish, document, and maintain a system of risk management controls and supervisory procedures reasonably designed to manage the financial, regulatory, and other risks of this business activity.\339\ Rule 15c3-5 also specifies the baseline standards for financial and regulatory risk management controls and supervisory procedures.\340\ The financial risk management controls and supervisory procedures must be reasonably designed to systematically limit the financial exposure of the broker or dealer that could arise as a result of market access.\341\ The regulatory risk management controls and supervisory procedures must be reasonably designed to ensure compliance with all regulatory requirements.\342\ --------------------------------------------------------------------------- \339\ See 17 CFR 240.15c3-5(b). Certain broker-dealers are exempt from some of the requirements under Rule 15c3-5. See id. \340\ See 17 CFR 240.15c3-5(c). \341\ See 17 CFR 240.15c3-5(c)(1). Such financial risk management controls and supervisory procedures must be reasonably designed to: (i) Prevent the entry of orders that exceed appropriate pre-set credit or capital thresholds in the aggregate for each customer and the broker or dealer, and where appropriate, more finely-tuned by sector, security or otherwise by rejecting orders if such orders would exceed the applicable credit or capital thresholds; and (ii) prevent the entry of erroneous orders, by rejecting orders that exceed appropriate price or size parameters, on an order-by-order basis or over a short period of time, or that indicate duplicative orders. See 17 CFR 240.15c3-5(c)(1). \342\ See 17 CFR 240.15c3-5(c)(2). 
Such regulatory risk management controls and supervisory procedures must be reasonably designed to: (i) Prevent the entry of orders unless there has been compliance with all regulatory requirements that must be satisfied on a pre-order entry basis; (ii) prevent the entry of orders for securities for a broker or dealer, customer, or other person if such person is restricted from trading those securities; (iii) restrict access to trading systems and technology that provide market access to persons and accounts pre-approved and authorized by the broker or dealer; and (iv) assure that appropriate surveillance personnel receive immediate post-trade execution reports that result from market access. See 17 CFR 240.15c3-5(c)(2). --------------------------------------------------------------------------- Under the approach set out by Rule 15c3-5, broker-dealers with market access are responsible in the first instance for establishing and maintaining appropriate risk management controls, including with respect to their systems. Although Rule 15c3-5 takes a different and more limited approach with broker-dealers than proposed Regulation SCI does with SCI entities, the requirements in Rule 15c3-5 are designed to address some of the same concerns regarding systems integrity discussed in this proposal. As an example of reasonable risk control under Rule 15c3-5, the Commission stated, ``a system-driven, pre-trade control designed to reject orders that are not reasonably related to the quoted price of the security would prevent erroneously entered orders from reaching the securities markets, * * * should lead to fewer broken trades and thereby enhance the integrity of trading on the securities markets.'' \343\ --------------------------------------------------------------------------- \343\ See Market Access Release, supra note 337, at 69794. 
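The Rule 15c3-5(c) control categories summarized above and in footnotes 341 and 342 are the kind of gate a broker-dealer's order entry path enforces in software before an order reaches an exchange or ATS. The following is an added example written for this page, not code from the Commission or from any broker-dealer, of a pre-trade risk gate that applies those checks in sequence: an authorized-account check (regulatory control (iii)), a size limit and a price collar against a reference quote (financial control (ii)), duplicate detection over a short window (also (ii)), and aggregate per-account and firm-wide notional thresholds (financial control (i)). The limit values, the reference quote, the account names and the orders are all constructed for illustration; the rule itself sets no numeric thresholds, it requires "appropriate" ones.

```python
"""Pre-trade risk gate modelled on the Rule 15c3-5(c) control categories.

Added example; all limits, quotes, accounts and orders below are constructed.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    account: str
    symbol: str
    side: str      # "BUY" or "SELL"
    qty: int
    price: float   # limit price
    ts: float      # submission time in seconds (monotone within a session)


@dataclass(frozen=True)
class Limits:
    max_notional_per_account: float  # (c)(1)(i): per-customer credit threshold
    max_notional_firm: float         # (c)(1)(i): broker-dealer capital threshold
    max_order_qty: int               # (c)(1)(ii): size parameter
    price_collar_pct: float          # (c)(1)(ii): max deviation from reference quote
    dup_window_sec: float            # (c)(1)(ii): window for duplicative orders


class PreTradeRiskGate:
    """Rejects an order at the first failing check; accepted orders reserve exposure.

    Release of exposure on fills/cancels is omitted for brevity (assumption).
    """

    def __init__(self, limits: Limits, quotes: dict[str, float], authorized: set[str]):
        self.limits = limits
        self.quotes = quotes            # symbol -> reference price (assumed: quote mid)
        self.authorized = authorized    # (c)(2)(iii): pre-approved accounts
        self.exposure: dict[str, float] = defaultdict(float)
        self.firm_exposure = 0.0
        self.recent: deque[tuple[float, tuple]] = deque()  # accepted orders in window

    def _expire(self, now: float) -> None:
        while self.recent and now - self.recent[0][0] > self.limits.dup_window_sec:
            self.recent.popleft()

    def check(self, o: Order) -> tuple[bool, str]:
        if o.account not in self.authorized:
            return False, "account not authorized"
        if o.qty <= 0 or o.qty > self.limits.max_order_qty:
            return False, "size limit"
        ref = self.quotes.get(o.symbol)
        if ref is None:
            return False, "no reference quote"
        if abs(o.price - ref) / ref > self.limits.price_collar_pct:
            return False, "price collar"
        # Duplicate test compares only against orders already accepted in the window.
        key = (o.account, o.symbol, o.side, o.qty, o.price)
        self._expire(o.ts)
        if any(k == key for _, k in self.recent):
            return False, "duplicate"
        notional = o.qty * o.price
        if self.exposure[o.account] + notional > self.limits.max_notional_per_account:
            return False, "account credit threshold"
        if self.firm_exposure + notional > self.limits.max_notional_firm:
            return False, "firm capital threshold"
        self.exposure[o.account] += notional
        self.firm_exposure += notional
        self.recent.append((o.ts, key))
        return True, "accepted"


def run_sample() -> list[str]:
    """Feeds a constructed order stream through the gate; returns each decision."""
    gate = PreTradeRiskGate(
        Limits(50_000.0, 120_000.0, 5_000, 0.05, 1.0),
        quotes={"ABC": 100.0},
        authorized={"A", "B", "C", "D"},
    )
    orders = [
        Order("Z", "ABC", "BUY", 10, 100.0, 0.0),       # unknown account
        Order("A", "ABC", "BUY", 100, 100.5, 0.0),      # fine
        Order("A", "ABC", "BUY", 100, 100.5, 0.5),      # same order 0.5 s later
        Order("A", "ABC", "BUY", 100, 120.0, 1.0),      # 20% above quote
        Order("B", "ABC", "BUY", 10_000, 100.0, 1.0),   # oversized
        Order("A", "ABC", "BUY", 450, 100.0, 2.0),      # pushes A past 50,000
        Order("B", "ABC", "BUY", 400, 100.0, 2.0),      # fine, firm now 50,050
        Order("C", "ABC", "BUY", 450, 100.0, 3.0),      # fine, firm now 95,050
        Order("D", "ABC", "BUY", 300, 100.0, 3.0),      # pushes firm past 120,000
        Order("A", "ABC", "BUY", 100, 100.5, 4.0),      # repeat, but window expired
    ]
    return [gate.check(o)[1] for o in orders]


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```

The ordering of the checks is deliberate: cheap, order-local tests (authorization, size, price) run before the stateful ones (duplicate window, aggregate exposure), so a flood of malformed orders is rejected without touching shared exposure state. Note that the duplicate window only remembers accepted orders, so a retry of an already rejected order is judged on its own merits rather than rejected twice for a different reason.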
--------------------------------------------------------------------------- In light of recent events, however, the Commission believes that it is appropriate to consider whether some types or categories of broker- dealers other than SCI ATSs should also be subject to some or all of the additional system safeguard rules that are proposed for SCI entities. Such broker-dealers could include, for example, OTC market makers (either all or those that execute a significant volume of orders), exchange market makers (either all or those that trade a significant volume on exchanges), order entry firms that handle and route order flow for execution (either all or those that handle a significant volume of investor orders), clearing broker-dealers (either all or those that engage in a significant amount of clearing activities), and large multi-service broker-dealers that engage in a variety of order handling, trading, and clearing activities. 2. Request for Comment 192. As noted above, at this time, the Commission is not proposing to apply Regulation SCI to broker-dealers other than SCI ATSs or to other types of entities that are not covered by the definition of SCI entity. Were the Commission to decide to propose to apply the requirements of Regulation SCI to such entities, the Commission would issue a separate release discussing such a proposal. Nevertheless, the Commission is soliciting comment generally on whether it should apply the requirements of proposed Regulation SCI, in whole or in part, to such entities. Specifically: 193. What are the current practices of broker-dealers in relation to the requirements of proposed Regulation SCI? \344\ Would the current practices of broker-dealers that provide market access and comply with Rule 15c3-5 change if they were also subject to proposed Regulation SCI? Why or why not? If so, how? Are there broker-dealers who do not provide the services that would require compliance with Rule 15c3-5? 
If so, how do the practices of those broker-dealers compare to the requirements of proposed Regulation SCI? --------------------------------------------------------------------------- \344\ As noted above, one ATS currently voluntarily participates in the ARP Inspection Program. See supra note 91. --------------------------------------------------------------------------- 194. In Section VI.B.2 below, the Commission discusses potential market failures that may explain why market solutions cannot solve the problems that proposed Regulation SCI is intended to address. Does the market for broker-dealer services, including client services, market maker services, or market access services, suffer from market failures that limit the ability of the market to solve the issues that proposed Regulation SCI is intended to address? For example, are broker-dealers' clients able to easily switch broker-dealers, and how often do clients use more than one broker-dealer simultaneously (e.g., for redundancy in case of a problem at a given broker-dealer)? Are broker-dealers subject to more market discipline than SCI entities? Please explain. Conversely, does a lack of transparency regarding events like SCI events limit this market discipline? Why or why not? 195. Given the stated goals and purpose of proposed Regulation SCI and its various provisions,\345\ what are commenters' views on whether the scope of the proposed rules should be expanded to cover broker- dealers, or certain categories of broker-dealers? For example, what are commenters' views on the impact to overall market integrity or the protection of investors if an OTC market maker was no longer able to operate due to a systems disruption, systems compliance issue, or a systems intrusion? Or an exchange market maker? Or a clearing broker- dealer? 
What are commenters' views on the [[Page 18140]] importance of different categories of broker-dealers to the stability of the overall securities market infrastructure, in the context of requiring them to comply with the proposed rules, in light of the stated goals and purpose of Regulation SCI? What risks do the systems of broker-dealers pose to the securities markets? --------------------------------------------------------------------------- \345\ See supra Section III. --------------------------------------------------------------------------- 196. If the Commission were to subsequently propose to apply some or all of the requirements of proposed Regulation SCI to some types or categories of broker-dealers (in addition to SCI ATSs), what types of broker-dealers should the requirements apply to and why? Are there distinctions that should be made between different types of broker- dealers (e.g., OTC market makers, exchange market makers, order entry firms, clearing broker-dealers, and multi-service broker-dealers) for this purpose? If so, what are those distinctions and which requirements should apply? 197. The Commission notes that Roundtable panelists generally did not distinguish between national securities exchanges, ATSs, and different types of broker-dealers when addressing how to improve error prevention and error response strategies. Rather, Roundtable panelists and commenters referred more generally to ``entities with market access'' and/or ``execution venues.'' \346\ In this regard, should the Commission consider expanding the application of Regulation SCI to all market centers, as that term is defined in Rule 600(b)(38) of Regulation NMS,\347\ which means any exchange market maker, OTC market maker, ATS, national securities exchange, or national securities association? \348\ Why or why not? 
Would an expansion of proposed Regulation SCI to include all market centers (i.e., execution venues) inappropriately exclude the broader category of entities having market access? Why or why not? Alternatively, should the Commission consider applying the requirements of proposed Regulation SCI to (a) any registered market maker or (b) any broker-dealer that offers market access that, in either case, with respect to any NMS stock, has a specified percentage of average daily dollar volume? If so, what should such a percentage be? Would the levels applicable to SCI ATSs that trade NMS stocks under proposed Rule 1000(a) of Regulation SCI be appropriate for registered market makers, broker-dealers that offer market access, or other broker-dealers? Why or why not? If not, what should such a threshold be? --------------------------------------------------------------------------- \346\ See, e.g., letter from Better Markets, supra note 74, arguing that regulators should encourage firms to adopt more robust software development practices and audit any firm with direct market access or require third-party certification and mandate minimum requirements for testing any application that has direct market access. In addition, the panelist from NYSE stated that common standards for technology deployment should apply across all execution venues. \347\ 17 CFR 242.600(b)(38). \348\ Rule 600(b)(24) defines exchange market maker to mean any member of a national securities exchange that is registered as a specialist or market maker pursuant to the rules of such exchange, and Rule 600(b)(52) defines OTC market maker to mean any dealer that holds itself out as being willing to buy from and sell to its customers, or others, in the U.S., an NMS stock for its own account on a regular or continuous basis otherwise than on a national securities exchange in amounts of less than block size. See 17 CFR 242.600(b)(24) and 17 CFR 242.600(b)(52). 
--------------------------------------------------------------------------- 198. If the Commission were to propose to expand the scope of proposed Regulation SCI to a subset of broker-dealers, what are commenters' views on whether, and if so, how, the various different proposed requirements of Regulation SCI should or should not apply to such entities? 199. If the Commission were to propose to expand the scope of proposed Regulation SCI to include a subset of broker-dealers, should the Commission require such broker-dealers to have written policies and procedures reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain their operational capability, and promote the maintenance of fair and orderly markets, as proposed in Rule 1000(b)(1) for SCI entities? Why or why not? Should SCI industry standards for broker- dealers be different from those proposed for SCI entities? If so, what are the standards that should apply to broker-dealers? Please be as specific as possible and explain why a particular standard would be appropriate. 200. Should the Commission require such broker-dealers to establish, maintain, and enforce policies and procedures reasonably designed to ensure that their systems operate in the manner intended, including in a manner that complies with federal securities laws and rules and regulations thereunder, as proposed in Rule 1000(b)(2)(i) for SCI entities? Why or why not? Should the Commission establish a safe harbor from liability for such broker-dealers and their respective employees if they satisfy the elements of a safe harbor, similar to those in proposed Rules 1000(b)(2)(ii) and (iii) for SCI entities and their employees? Why or why not? 201. 
Should the Commission require such broker-dealers, upon any of their responsible SCI personnel becoming aware of an SCI event, to begin to take appropriate corrective action including, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable, as proposed in Rule 1000(b)(3) for SCI entities? Why or why not? Should such broker-dealers' corrective action be triggered by something other than awareness of an SCI event? If so, what would be an appropriate trigger? 202. With regard to the reporting and information dissemination requirements for SCI entities in proposed Rules 1000(b)(4) and 1000(b)(5), would it be appropriate to require such broker-dealers to report all SCI events to the Commission, and disclose dissemination SCI events to their customers? 203. Should such broker-dealers be required to notify the Commission of material systems changes, as proposed in Rule 1000(b)(6) for SCI entities? Why or why not? 204. Should such broker-dealers be required to undertake an annual SCI review of their systems, as proposed in Rule 1000(b)(7) for SCI entities? Should such broker-dealers also be required to provide the Commission with reports regarding the SCI review and material systems changes, as proposed in Rule 1000(b)(8) for SCI entities? Why or why not? 205. Should such broker-dealers be required to submit any required notices, reports, and other information to the Commission on proposed new Form SCI? Why or why not? 206. Alternatively, should the Commission propose to require that each SCI SRO establish rules requiring that its members adopt written policies and procedures reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain their operational capability, and promote the maintenance of fair and orderly markets? Why or why not? 
Similarly, should the Commission propose to require that each SCI SRO establish rules requiring that its members adopt written policies and procedures reasonably designed to ensure that the systems of such members operate in the manner intended, including in a manner that complies with applicable federal securities laws and rules and regulations thereunder and the SCI SRO's rules? Why or why not? In either case, would such a proposal raise any competitive issues, such as between [[Page 18141]] national securities exchanges and ATSs? \349\ --------------------------------------------------------------------------- \349\ The Commission notes that all broker-dealers are members of one or more SCI SROs (such as FINRA and/or a national securities exchange), while participants on ATSs may include non-broker-dealer market participants. --------------------------------------------------------------------------- 207. In addition, should the Commission consider including other entities in the definition of SCI entity (e.g., transfer agents), thus subjecting them to some or all of the requirements under proposed Regulation SCI? If yes, to which entities should some or all of proposed Regulation SCI apply and why? If not, why not? If commenters believe other types of entities should be included in the definition of SCI entity, should the Commission include all entities of a given type in the definition? Why or why not? If not, how should the Commission distinguish those entities that should be included (e.g., size, volume, types of services performed, etc.)? Please describe and be as specific as possible. 208. If the Commission were to subsequently propose and adopt a rule applying Regulation SCI to all or certain categories of broker- dealers or other entities, what are commenters' views as to the type and scale of the costs of such application? Please explain. 
In addition, what are commenters' views as to the potential impact on efficiency, competition, and capital formation of such application? Please explain. IV. Paperwork Reduction Act Certain provisions of the proposal contain ``collection of information'' requirements within the meaning of the Paperwork Reduction Act of 1995 (``PRA'') \350\ and the Commission will submit them to the Office of Management and Budget (``OMB'') for review in accordance with 44 U.S.C. 3507 and 5 CFR 1320.11. The title of the new collection of information is Regulation Systems Compliance and Integrity. An agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number. --------------------------------------------------------------------------- \350\ 44 U.S.C. 3501 et seq. --------------------------------------------------------------------------- A. Summary of Collection of Information Proposed Regulation SCI would include four categories of obligations that would require a collection of information within the meaning of the PRA. Specifically, an SCI entity would be required to: (1) Establish specified written policies and procedures, and mandate participation by designated members or participants in certain testing of the SCI entity's business continuity and disaster recovery plans; (2) provide certain notifications, disseminate certain information, and create reports; (3) take corrective actions, identify certain SCI events for which immediate Commission notification is required, and identify dissemination SCI events; and (4) comply with recordkeeping and access requirements relating to its compliance with proposed Regulation SCI. 1. Requirements To Establish Written Policies and Procedures and Mandate Participation in Certain Testing Proposed Rules 1000(b)(1) and (b)(2) would require SCI entities to establish policies and procedures with respect to various matters. 
Proposed Rule 1000(b)(1) would require each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, SCI security systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity's operational capability and promote the maintenance of fair and orderly markets. Proposed Rule 1000(b)(1)(i) specifies that such policies and procedures would be required to include, at a minimum: (A) The establishment of reasonable current and future capacity planning estimates; (B) periodic capacity stress tests of such systems to determine their ability to process transactions in an accurate, timely, and efficient manner; (C) a program to review and keep current systems development and testing methodology for such systems; (D) regular reviews and testing of such systems, including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters; (E) business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse to ensure next business day resumption of trading and two-hour resumption of clearance and settlement services following a wide-scale disruption; and (F) standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data. 
Proposed Rule 1000(b)(1)(ii) states that such policies and procedures would be deemed to be reasonably designed if they are consistent with current SCI industry standards, which would be required to be: (A) Comprised of information technology practices that are widely available for free to information technology professionals in the financial sector; and (B) issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization. The proposed SCI industry standards contained in the publications identified on Table A are intended to serve as standards that SCI entities could use, if they so choose, to comply with the requirements of proposed Rule 1000(b)(1), though compliance with such SCI industry standards would not be the exclusive means to comply with the requirements of proposed Rule 1000(b)(1). Proposed Rule 1000(b)(2)(i) would require each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in the manner intended, including in a manner that complies with the federal securities laws and rules and regulations thereunder and the entity's rules and governing documents, as applicable. 
An SCI entity would be deemed not to have violated proposed Rule 1000(b)(2)(i) if: (A) It has established and maintained policies and procedures reasonably designed to provide for: (1) testing of all such systems and any changes to such systems prior to implementation; (2) periodic testing of all such systems and any changes to such systems after their implementation; (3) a system of internal controls over changes to such systems; (4) ongoing monitoring of the functionality of such systems to detect whether they are operating in the manner intended; (5) assessments of SCI systems compliance performed by personnel familiar with applicable federal securities laws and rules and regulations thereunder and the SCI entity's rules and governing documents, as applicable; and (6) review by regulatory personnel of SCI systems design, changes, testing, and controls to prevent, detect, and address actions that do not comply with applicable federal securities laws and rules and regulations thereunder and the SCI entity's rules and governing documents, as applicable; (B) the SCI entity has established and maintained a system for applying such policies and procedures which would reasonably be expected to prevent and detect, insofar as practicable, any violation of such policies and procedures by the SCI entity or any person employed by the SCI entity; and (C) the SCI entity: has reasonably discharged the duties and obligations incumbent upon it by such [[Page 18142]] policies and procedures; and was without reasonable cause to believe that such policies and procedures were not being complied with in any material respect. 
Further, pursuant to proposed Rule 1000(b)(2)(iii), a person employed by an SCI entity would be deemed not to have aided, abetted, counseled, commanded, caused, induced, or procured the violation by any other person of proposed Rule 1000(b)(2)(i) if the person employed by the SCI entity: (A) Has reasonably discharged the duties and obligations incumbent upon such person by such policies and procedures; and (B) was without reasonable cause to believe that such policies and procedures were not being complied with in any material respect.

Proposed Rule 1000(b)(9)(i) would require an SCI entity, with respect to its business continuity and disaster recovery plans, including its backup systems, to require participation by designated members or participants in scheduled functional and performance testing of the operation of such plans in the manner and frequency as specified by the SCI entity, at least once every 12 months (e.g., for SCI SROs, by submitting proposed rule changes under Section 19(b) of the Exchange Act; for SCI ATSs, by revising membership or subscriber agreements and internal procedures; for plan processors, through an amendment to an SCI Plan under Rule 608 of Regulation NMS; and, for exempt clearing agencies subject to ARP, by revising participant agreements and internal procedures). Proposed Rule 1000(b)(9)(ii) would further require an SCI entity to coordinate such required testing on an industry- or sector-wide basis with other SCI entities. Proposed Rule 1000(b)(9)(iii) would require an SCI entity to designate members or participants it deems necessary, for the maintenance of fair and orderly markets in the event of the activation of its business continuity and disaster recovery plans, to participate in the testing of such plans. It would also require the SCI entity to notify and update the Commission of its designations and standards for designation, and promptly update such notification after any changes to its designations or standards.

2. Notice, Dissemination, and Reporting Requirements for SCI Entities

A number of proposed rules under Regulation SCI would require SCI entities to notify or report information to the Commission, or disseminate information to their members or participants. Proposed Rules 1000(b)(4), (b)(5), (b)(6), (b)(7), and (b)(8) each contain a notification, dissemination, or reporting requirement. Proposed Rule 1000(b)(4) would require notice of SCI events to the Commission. Proposed Rule 1000(b)(4)(i) would require an SCI entity to notify the Commission upon any responsible SCI personnel becoming aware of a systems disruption that the SCI entity reasonably estimates would have a material impact on its operations or on market participants, any systems compliance issue, or any systems intrusion. Proposed Rule 1000(b)(4)(ii) would require an SCI entity, within 24 hours of any responsible SCI personnel becoming aware of any SCI event, to submit a written notification to the Commission on Form SCI pertaining to such SCI event.\351\ Proposed Rule 1000(b)(4)(iv)(A) would specify that, for a notification made pursuant to proposed Rule 1000(b)(4)(ii), an SCI entity must include all pertinent information known about the SCI event, including: a detailed description of the SCI event; the SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; and the SCI entity's current assessment of the SCI event, including a discussion of the determination of whether the SCI event is a dissemination SCI event or not.
In addition, to the extent available as of the time of the initial notification, the notification would be required to include: a description of the steps the SCI entity is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; a description of the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and an analysis of the parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. Further, for a written notification to the Commission of an SCI event under proposed Rule 1000(b)(4)(ii), an SCI entity would be required to attach a copy of any information disseminated to date regarding the SCI event to its members or participants or on the SCI entity's publicly available Web site.

---------------------------------------------------------------------------
\351\ For a written notification to the Commission of an SCI event under proposed Rule 1000(b)(4)(ii), new proposed Form SCI would require that an SCI entity indicate that the filing is being made pursuant to Rule 1000(b)(4)(ii) and provide the following information in a short, standardized format: (i) Whether the filing is a Rule 1000(b)(4)(ii) notification or Rule 1000(b)(4)(iii) update of an SCI event; (ii) the SCI event type(s) (i.e., systems compliance issue, systems intrusion, and/or systems disruption); (iii) whether the event is a systems disruption that the SCI entity reasonably estimates would have a material impact on its operations or on market participants; (iv) if so, whether the Commission has been notified of the SCI event; (v) whether the SCI event has been resolved; (vi) the date/time the SCI event started; (vii) the duration of the SCI event; (viii) the date and time when responsible SCI personnel became aware of the SCI event; (ix) the estimated number of market participants impacted by the SCI event; (x) the type(s) of systems impacted; and (xi) if applicable, the type of systems disruption.
---------------------------------------------------------------------------

Proposed Rule 1000(b)(4)(iii) would require an SCI entity to submit written updates on Form SCI pertaining to an SCI event to the Commission on a regular basis, or at such frequency as reasonably requested by a representative of the Commission, until such time as the SCI event is resolved. Proposed Rule 1000(b)(4)(iv)(B) specifies that, for a notification made pursuant to proposed Rule 1000(b)(4)(iii), the SCI entity would be required to update any information previously provided regarding an SCI event, including any information under proposed Rule 1000(b)(4)(iv)(A)(2) that was not available at the time of submission of a notification under proposed Rule 1000(b)(4)(ii). Further, for a written notification to the Commission of an SCI event under proposed Rule 1000(b)(4)(iii), an SCI entity would be required to attach a copy of any information disseminated to date regarding the SCI event to its members or participants or on the SCI entity's publicly available Web site.

Proposed Rule 1000(b)(5) would require dissemination to members or participants of dissemination SCI events and specify the nature and timing of such required dissemination, with limited exceptions for dissemination SCI events that are systems intrusions, as discussed further below.\352\ Proposed Rule 1000(b)(5)(i)(A) would require that an SCI entity, promptly after any responsible SCI personnel becomes aware of a dissemination SCI event, disseminate to its members or participants the following information about such SCI event: (1) The systems affected by the SCI event; and (2) a summary description of the SCI event.
In addition, proposed Rule 1000(b)(5)(i)(B) would require an SCI entity to, when known, further disseminate to its members or participants: (1) a detailed description of the SCI event; (2) the SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; and (3) a description of the progress of its corrective action for the SCI event and when the SCI event has been or is expected to be resolved. Proposed Rule 1000(b)(5)(i)(C) would further require that an SCI entity provide regular updates to members or participants on any of the information required to be disseminated under proposed Rules 1000(b)(5)(i)(A) and (i)(B).

---------------------------------------------------------------------------
\352\ As discussed above, the Commission proposes that the term ``dissemination SCI event'' be defined as ``an SCI event that is a: (1) Systems compliance issue; (2) systems intrusion; or (3) systems disruption that results, or the SCI entity reasonably estimates would result, in significant harm or loss to market participants.'' See supra Section III.B.4.d.
---------------------------------------------------------------------------

Proposed Rule 1000(b)(5)(ii) would provide a limited exception to the proposed requirement of prompt dissemination to members or participants of information regarding dissemination SCI events for systems intrusion.
Proposed Rule 1000(b)(5)(ii) would require an SCI entity, promptly after any responsible SCI personnel becomes aware of a systems intrusion, to disseminate to its members or participants a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity's SCI systems or SCI security systems, or an investigation of the systems intrusion, and documents the reasons for such determination.

Proposed Rule 1000(b)(6) would require an SCI entity, absent exigent circumstances, to notify the Commission on Form SCI at least 30 calendar days before implementation of any planned material systems change, including a description of the planned material systems change as well as the expected dates of commencement and completion of implementation of such change. If exigent circumstances exist, or if the information previously provided to the Commission regarding any material systems change has become materially inaccurate, an SCI entity would instead be required to notify the Commission, either orally or in writing on Form SCI, with any oral notification to be memorialized within 24 hours after such oral notification by a written notification, as early as reasonably practicable.\353\

---------------------------------------------------------------------------
\353\ Form SCI would require an SCI entity to provide the date of the planned change. The SCI entity must also specify whether exigent circumstances exist, or if the information previously provided to the Commission regarding any material systems change has become materially inaccurate, and if so, whether the Commission has been orally notified. Further, the notification must include an Exhibit 4.
---------------------------------------------------------------------------

Proposed Rule 1000(b)(7) would require an SCI entity to conduct an SCI review of the entity's compliance with Regulation SCI not less than once each calendar year, and to submit a report of the SCI review to senior management of the SCI entity for review no more than 30 calendar days after completion of such SCI review.

Proposed Rule 1000(b)(8) contains two reporting requirements. Specifically, proposed Rule 1000(b)(8) would require an SCI entity to submit as an attachment to Form SCI: (i) A report of the SCI review required by proposed Rule 1000(b)(7), together with any response by senior management, within 60 calendar days after its submission to senior management of the SCI entity; \354\ and (ii) a report within 30 calendar days after the end of June and December of each year, containing a summary description of the progress of any material systems change during the six-month period ending on June 30 or December 31, as the case may be, and the date or expected date of completion of implementation of such change.\355\

---------------------------------------------------------------------------
\354\ This report would be required to be submitted as Exhibit 5 to Form SCI.
\355\ This report would be required to be submitted as Exhibit 6 to Form SCI.
---------------------------------------------------------------------------

3. Requirements To Take Corrective Actions, Identify Immediate Notification SCI Events, and Identify Dissemination SCI Events

Proposed Rule 1000(b)(3) would require an SCI entity, upon any responsible SCI personnel becoming aware of an SCI event, to begin to take appropriate corrective action which would be required to include, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable.
Given these requirements of proposed Rule 1000(b)(3), SCI entities would likely work to develop a process for ensuring that they are prepared to comply with the corrective action requirement and would likely also periodically review this process. In addition, proposed Rule 1000(a) would define a ``dissemination SCI event'' to mean an SCI event that is a: (1) Systems compliance issue; (2) systems intrusion; or (3) systems disruption that results, or the SCI entity reasonably estimates would result, in significant harm or loss to market participants. Under the proposed Commission notification and member or participant dissemination requirements of proposed Rules 1000(b)(4) and (b)(5), when an SCI event occurs, an SCI entity must determine whether an SCI event is an immediate notification SCI event or a dissemination SCI event. As such, SCI entities would likely work to develop a process for ensuring that they are able to make determinations regarding the nature of the SCI event quickly and accurately, and periodically review this process.

4. Recordkeeping Requirements

Proposed Rule 1000(c) would set forth recordkeeping requirements for SCI entities. Under proposed Rule 1000(c)(1), SCI SROs would be required to make, keep, and preserve all documents relating to their compliance with Regulation SCI as prescribed in Rule 17a-1 under the Exchange Act. Under proposed Rule 1000(c)(2), each SCI entity that is not an SCI SRO would be required to make, keep, and preserve at least one copy of all documents, including correspondence, memoranda, papers, books, notices, accounts, and other such records, relating to its compliance with Regulation SCI including, but not limited to, records relating to any changes to its SCI systems and SCI security systems, for a period of not less than five years, the first two years in a place that is readily accessible to the Commission or its representatives for inspection and examination.
Upon request of any representative of the Commission, such SCI entities would be required to promptly furnish to the possession of such representative copies of any documents required to be kept and preserved by it under proposed Rule 1000(c)(2). Under proposed Rule 1000(c)(3), upon or immediately prior to ceasing to do business or ceasing to be registered under the Exchange Act, an SCI entity must take all necessary action to ensure that the records required to be made, kept, and preserved by this section will be accessible to the Commission and its representatives in the manner required by proposed Rule 1000(c) and for the remainder of the period required by proposed Rule 1000(c). In addition, proposed Rule 1000(e) would provide that, if the records required to be filed or kept by an SCI entity under proposed Regulation SCI are prepared or maintained by a service bureau or other recordkeeping service on behalf of the SCI entity, the SCI entity would be required to ensure that the records are available for review by the Commission and its representatives by submitting a written undertaking, in a form acceptable to the Commission, by such service bureau or other recordkeeping service and signed by a duly authorized person at such service bureau or other recordkeeping service.

B. Proposed Use of Information

1. Requirements To Establish Written Policies and Procedures and Mandate Participation in Certain Testing

The proposed requirements that SCI entities establish certain written policies and procedures with respect to their systems, and that they require designated members or participants to participate in the testing of their business continuity and disaster recovery plans, would further the goals of the national market system and reinforce Exchange Act obligations by requiring entities important to the functioning of the U.S. securities markets to carefully design, develop, test, maintain, and surveil systems integral to their operations, and operate them in compliance with relevant federal securities laws and the rules and regulations thereunder, as well as their own rules and policies.

2. Notification, Dissemination, and Reporting Requirements for SCI Entities

The information that would be collected pursuant to the proposed requirements for notifications, disseminations of information, and reports would assist the Commission in its oversight of SCI entities and the securities markets, help ensure the orderly operation of the U.S. securities markets, and help protect investors and the public interest. In particular, the proposed requirements that SCI entities notify the Commission of all SCI events, disseminate information to members or participants, undertake and submit to the Commission an SCI review not less than once each calendar year, and submit reports of material systems changes are designed to help ensure compliance with the other provisions of proposed Regulation SCI and accountability of SCI entities in the event of systems problems. Further, the Commission preliminarily believes that the member or participant information dissemination requirement for dissemination SCI events would make members or participants aware that their trading activity might have been or might be impacted by the occurrence of a dissemination SCI event, so that they could consider that information in making trading decisions, seeking corrective action, or pursuing remedies, among other things. The Commission also preliminarily believes that the prospect of disseminating information regarding dissemination SCI events to members or participants would provide an incentive for SCI entities to better focus on improving the integrity and compliance of their systems.

3. Requirements To Take Corrective Actions, Identify Immediate Notification Events, and Identify Dissemination SCI Events

The proposed requirement that SCI entities begin to take appropriate corrective action upon any responsible SCI personnel becoming aware of an SCI event would help ensure that SCI entities dedicate adequate resources to timely address an SCI event and place an emphasis on mitigating potential harm to investors and market integrity. The proposed threshold for notification of certain SCI events to the Commission under proposed Rule 1000(b)(4)(i) would help ensure that the Commission is made aware of significant SCI events when any responsible SCI personnel becomes aware of such events. The proposed definition of dissemination SCI event would help ensure potentially impacted members or participants have basic information about SCI events so that they might be able to better assess whether they should use the services of an SCI entity.\356\

---------------------------------------------------------------------------
\356\ See infra Section III.B.3.d (discussing the threshold for dissemination SCI events).
---------------------------------------------------------------------------

5. Recordkeeping Requirements

The proposed recordkeeping requirements in Rules 1000(c) and (e) would assist Commission staff during an examination of an SCI entity to assess its compliance with the proposed rules. In addition, access to the records of SCI entities would help Commission staff to carry out its oversight responsibilities of SCI entities and the securities markets. Further, the proposed recordkeeping requirements would aid SCI entities and the Commission in documenting, reviewing, and correcting any SCI event, as well as in identifying market participants that may have been harmed by such an event.

C. Respondents

The ``collection of information'' requirements contained in proposed Regulation SCI would apply to SCI entities, as described below.
Currently, there are 26 entities that would satisfy the proposed definition of SCI SRO,\357\ 15 entities that would satisfy the proposed definition of SCI ATS,\358\ 2 entities that would satisfy the definition of plan processor,\359\ and 1 entity that would meet the definition of exempt clearing agency subject to ARP.\360\ Accordingly, the Commission estimates that there are currently 44 entities that would meet the definition of SCI entity and be subject to the collection of information requirements of proposed Regulation SCI.

---------------------------------------------------------------------------
\357\ See supra notes 93-96 and accompanying text (listing 17 registered national securities exchanges, 7 registered clearing agencies, FINRA, and the MSRB).
\358\ See supra Section III.B.1.
\359\ See supra note 565.
\360\ See supra note 133 and accompanying text.
---------------------------------------------------------------------------

The Commission requests comment on the accuracy of these estimated figures.

D. Total Initial and Annual Reporting and Recordkeeping Burdens

As discussed above, all of the national securities exchanges, national securities associations, registered clearing agencies, and plan processors currently participate on a voluntary basis in the ARP Inspection Program.\361\ Under the ARP Inspection Program, Commission staff conducts on-site inspections and attends periodic technology briefings by staff of these entities, generally covering systems capacity and testing, review of systems vulnerability, review of planned systems development, and business continuity planning.\362\ In addition, Commission staff monitors systems failures and planned major systems changes at these entities.\363\

---------------------------------------------------------------------------
\361\ See supra Section I.A.
\362\ See id.
\363\ See id.
---------------------------------------------------------------------------

Under proposed Regulation SCI, many of the principles of the ARP policy statements with which SCI SROs are familiar would be codified. However, because the proposed regulation would have a broader scope than the current ARP Inspection Program and would impose mandatory recordkeeping obligations on entities subject to the rules,\364\ proposed Regulation SCI would impose paperwork burdens on all SCI entities. The Commission's total burden estimates reflect the total burdens on all SCI entities, taking into account the extent to which some SCI entities already comply with some of the proposed requirements of Regulation SCI. As discussed below, the Commission preliminarily believes that the extent of these burdens will vary for different types of SCI entities. The Commission notes that the hour figures set forth in this section are the Commission's preliminary best estimate of the paperwork burden for compliance with proposed Regulation SCI based on a variety of sources, including the Commission's experience with the current ARP Inspection Program and other similar estimated burdens for analogous rulemakings. However, the Commission recognizes that commenters may have other informed views of the actual burdens that would be imposed by these requirements and thus, the Commission solicits comment on the appropriateness and accuracy of each of the estimated burdens below.

---------------------------------------------------------------------------
\364\ As discussed more fully in supra Section III.D and infra Section IV.D.4, SCI SROs are already subject to existing recordkeeping and retention requirements under Rule 17a-1 and thus the Commission believes that the proposed recordkeeping obligations would not impose any new burden on SCI SROs that is not already accounted for in the burden estimates for Rule 17a-1.
---------------------------------------------------------------------------

1. Requirements To Establish Written Policies and Procedures and Mandate Participation in Certain Testing

The proposed rules that would require an SCI entity to establish policies and procedures and to mandate member or participant participation in business continuity and disaster recovery plans testing are discussed more fully in Section III.C above.

a. Policies and Procedures Required by Proposed Rule 1000(b)(1)

The Commission preliminarily estimates that an SCI entity that has not previously participated in the ARP Inspection Program would require an average of 210 burden hours to develop and draft policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, SCI security systems, have levels of capacity, integrity, resiliency, availability, and security adequate to maintain the SCI entity's operational capability and promote the maintenance of fair and orderly markets, as proposed to be required by Rule 1000(b)(1) of Regulation SCI (except for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data, which are addressed separately).\365\ The estimated 210 hours required for such entities would include the time expended to draft relevant policies and procedures and the time expended for review of the draft policies and procedures by the SCI entity's management. The Commission preliminarily believes that all SCI entities \366\ would conduct this work internally.\367\

---------------------------------------------------------------------------
\365\ This estimate is based on the Commission's experience with the ARP Inspection Program and its preliminary estimate in the SB SDR Proposing Release for a similar requirement.
See SB SDR Proposing Release, supra note 297, at 77349 (estimating the number of hours it would take to draft policies and procedures reasonably designed to ensure that the SDR's systems provide adequate levels of capacity, resiliency, and security). This estimate is for the number of hours an SCI entity would require over and above the usual and customary amount of time it would devote to developing policies and procedures designed to ensure its systems' capacity, integrity, resiliency, availability, and security. These estimated burdens may vary depending on an SCI entity's business and regulatory responsibilities.
\366\ The Commission estimates that there are 44 SCI entities. Of these, 29 entities currently participate in the ARP Inspection Program and 15 do not. Because the MSRB is not currently a participant in the ARP Inspection Program, the estimated burden hours for the MSRB to develop policies and procedures as required by proposed Rule 1000(b)(1) (except for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data) is 210 hours, which is higher than the number estimated for all other SCI SROs that currently participate in the ARP Inspection Program, as discussed below.
\367\ But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be.
---------------------------------------------------------------------------

For SCI entities that currently participate in the ARP Inspection Program (29 entities, nearly all of which are SCI SROs \368\), the Commission preliminarily believes that in developing their policies and procedures, these entities would be starting from a baseline of fifty percent, and therefore the average paperwork burden of developing the proposed policies and procedures would be 105 burden hours.\369\ The Commission preliminarily believes that a fifty percent baseline for SCI entities that participate in the ARP Inspection Program is appropriate because, although these entities already have substantial policies and procedures in place, proposed Rule 1000(b)(1) would require these entities to devote substantial time to reviewing and revising their existing policies and procedures to ensure that they are sufficiently robust in the context of a new and expanded regulatory regime. The Commission preliminarily believes that these entities would conduct this work internally.\370\

---------------------------------------------------------------------------
\368\ 17 registered national securities exchanges + 7 registered clearing agencies + 1 national securities association + 2 plan processors + 1 exempt clearing agency subject to ARP + 1 ATS = 29 entities.
\369\ In establishing this baseline estimate, the Commission has considered what the entities do today; that is, in the absence of the proposed rule.
\370\ But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be.
---------------------------------------------------------------------------

With regard to the proposed requirement in Rule 1000(b)(1) that an SCI entity's policies and procedures include standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data, the Commission preliminarily estimates that each SCI entity would spend an average of 130 hours annually to comply with this requirement.\371\ As this proposed requirement is not currently addressed by the ARP Inspection Program, the Commission preliminarily estimates that the total initial and ongoing burden would be the same for all SCI entities and SCI entities would conduct this work internally.\372\

---------------------------------------------------------------------------
\371\ This estimate is based on the Commission's experience with the ARP Inspection Program, and includes the time necessary to program systems to meet the proposed standard.
\372\ But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be.
---------------------------------------------------------------------------

As noted above, the Commission preliminarily believes that SCI entities would handle internally most of the work associated with establishing, maintaining, and enforcing written policies and procedures as proposed to be required by Rule 1000(b)(1).
However, based on its experience with the ARP Inspection Program, the Commission preliminarily believes that SCI entities also would seek outside legal and/or consulting services in the initial preparation of such policies and procedures, and that the average cost of such outside legal and/or consulting advice would be $20,000 per respondent,\373\ for a total of $880,000 for all respondents.\374\

---------------------------------------------------------------------------
\373\ This estimate is based on the Commission's experience with the ARP Inspection Program, as well as industry sources. In addition, the Commission has considered its estimate of the cost burden under Regulation SDR in connection with the establishment of certain policies and procedures. See SB SDR Proposing Release, supra note 297, at 77349 (preliminarily estimating that it would cost $100,000 to establish, maintain, and enforce five sets of written policies and procedures, one of which requires policies and procedures reasonably designed to ensure that the SDR's systems provide adequate levels of capacity, resiliency, and security).
\374\ ($20,000 outside legal cost) x (44 SCI entities) = $880,000.
--------------------------------------------------------------------------- As noted above, the Commission preliminarily estimates that the average initial number of burden hours per respondent to comply with proposed Rule 1000(b)(1) (except for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data) would be 105 hours for SCI entities that are current ARP Inspection Program participants and 210 hours for SCI entities that are not current ARP Inspection Program participants, for a total of 6,195 hours.\375\ In addition, the Commission preliminarily estimates that the average initial number of burden hours per respondent to comply with the requirement for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data would be 130 hours for a total of 5,720 hours for all respondents.\376\ --------------------------------------------------------------------------- \375\ The Commission preliminarily believes that an Attorney and a Compliance Manager working in collaboration would develop and draft the required policies and procedures, assisted by, and in consultation with, Senior Systems Analysts and Operational Specialists. Thus, the Commission estimates: (Compliance Manager (including Senior Management Review) at 80 hours + Attorney at 80 hours + Senior Systems Analyst at 25 hours + Operations Specialist at 25 hours) x (15 potential respondents) + (Compliance Manager (including Senior Management Review) at 40 hours + Attorney at 40 hours + Senior Systems Analyst at 12.5 hours + Operations Specialist at 12.5 hours) x (29 potential respondents) = 6,195 burden hours.
\376\ Based on its experience with the ARP Inspection Program, the Commission estimates: (Compliance Attorney at 30 hours + Senior Systems Analyst at 100 hours) x (44 potential respondents) = 5,720 burden hours. --------------------------------------------------------------------------- The Commission preliminarily estimates that, once an SCI entity has drafted the policies and procedures proposed to be required by Rule 1000(b)(1) (except for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data), it would spend on average approximately 60 hours annually to review its written policies and procedures to ensure that they are up-to-date and to prepare any necessary new or amended policies and procedures.\377\ Using a fifty percent baseline for SCI entities that participate in the ARP Inspection Program and therefore currently review and revise policies and procedures from time to time, the Commission preliminarily estimates that the total annual ongoing burden to comply with proposed Rule 1000(b)(1) (except for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data) would be 30 hours per respondent for this group of respondents. 
The Commission therefore estimates the ongoing burden to comply with proposed Rule 1000(b)(1) (except for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data) to be 870 hours \378\ for SCI entities that are current ARP Inspection Program participants and 900 hours \379\ for SCI entities that are not ARP Inspection Program participants, for a total of 1,770 hours for all respondents.\380\ As noted above, the Commission preliminarily estimates that the average ongoing number of burden hours per respondent to comply with the proposed requirement for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data would be 130 hours for each respondent, for a total of 5,720 hours for all respondents.\381\ The Commission preliminarily believes that the work associated with updating the policies and procedures proposed to be required by proposed Rule 1000(b)(1) would be done internally.\382\ --------------------------------------------------------------------------- \377\ This estimate is based on the Commission's experience with the ARP Inspection Program. The Commission has also considered its preliminary estimate in the SB SDR Proposing Release for a similar requirement. See SB SDR Proposing Release, supra note 297, at 77349 (estimating the ongoing burden associated with maintaining policies and procedures reasonably designed to ensure that the SDR's systems provide adequate levels of capacity, resiliency, and security). 
This estimate is for the number of hours an SCI entity would require over and above the usual and customary amount of time it would devote to maintaining policies and procedures designed to ensure its systems' capacity, integrity, resiliency, availability, and security. \378\ (Compliance Manager at 15 hours + Attorney at 15 hours) x (29 potential respondents currently participating in the ARP Inspection Program) = 870 hours. \379\ (Compliance Manager at 30 hours + Attorney at 30 hours) x (15 potential respondents not currently participating in the ARP Inspection Program) = 900 hours. \380\ 870 hours for SCI entities that are current ARP Inspection Program participants + 900 hours for SCI entities that are not current ARP Inspection Program participants = 1,770 burden hours. \381\ (Compliance Attorney at 30 hours + Senior Systems Analyst at 100 hours) x (44 potential respondents) = 5,720 burden hours. \382\ But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be. ---------------------------------------------------------------------------
b. Policies and Procedures Required by Proposed Rule 1000(b)(2)
With regard to proposed Rule 1000(b)(2)(i), which would require each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in the manner intended, including in a manner that complies with the federal securities laws and rules and regulations thereunder and, as applicable, the entity's rules and governing documents, the Commission preliminarily believes that each SCI entity would elect to comply with the safe harbor provisions in proposed Rules 1000(b)(2)(ii) and (iii), and preliminarily estimates that each SCI entity would initially spend approximately 180 hours to design its policies and procedures accordingly. This estimate would include the time necessary to review and revise any existing policies and procedures to ensure that they satisfy the proposed safe harbor provisions, and the Commission preliminarily believes this estimate would be the same for all SCI entities.\383\ Therefore, the Commission preliminarily estimates that proposed Rule 1000(b)(2) would carry an initial one-time burden of 180 hours per respondent, for a total initial one-time burden of 7,920 hours for all respondents.\384\ The Commission also preliminarily estimates that each SCI entity that is an SRO would spend approximately 120 hours annually to review these written policies and procedures to ensure that they are up-to-date and to prepare any necessary new or amended policies and procedures, and that other types of SCI entities would spend approximately 60 hours to do this work.\385\ Therefore, the Commission preliminarily estimates that proposed Rule 1000(b)(2) would carry an ongoing annual burden of 120 hours per SRO respondent and 60 hours per non-SRO respondent, for a total ongoing annual burden of 4,200 hours for all respondents.\386\ These estimated burdens per respondent also would include the time expended for the
review of the draft policies and procedures by the SCI entity's management. --------------------------------------------------------------------------- \383\ This estimate is based on the Commission's experience with the ARP Inspection Program and OCIE examinations, which review policies and procedures of registered entities in conjunction with examinations of such entities for compliance with the federal securities laws. Although not currently explicitly required under the existing ARP Inspection Program or other laws or regulations, the Commission expects that most, if not all, SCI entities already voluntarily have certain policies and procedures in place as part of good business management and oversight to ensure that their SCI systems operate in the manner intended. However, proposed Rule 1000(b)(2)(i) would set forth specific new requirements with respect to such policies and procedures, and proposed Rules 1000(b)(2)(ii) and (iii) would specify how an SCI entity and its employees could satisfy the new requirement through safe harbors. Because proposed Rule 1000(b)(2)(i) has no analogue in the ARP Inspection Program and would create a new requirement for all SCI entities, for purposes of the PRA, the Commission preliminarily estimates that all SCI entities would elect to comply with the proposed safe harbor of proposed Rule 1000(b)(2)(ii) and be subject to the same initial burden to ensure that their policies and procedures satisfy the requirements of the proposed safe harbor. \384\ Based on its experience with OCIE examinations and the ARP Inspection Program, the Commission estimates: (Compliance Attorney at 30 hours + Senior Systems Analyst at 150 hours) x (44 potential respondents) = 7,920 burden hours. \385\ These estimates are based on the Commission's experience with the ARP Inspection Program and OCIE examinations. 
The Commission notes that its estimate of 120 hours for SCI SROs to annually review and update the written policies and procedures proposed to be required by Rule 1000(b)(2)(i), to satisfy the elements of the safe harbor provisions in proposed Rules 1000(b)(2)(ii) and (iii), is higher than its estimate for SCI SROs to review and update the policies and procedures proposed to be required by Rule 1000(b)(1) and its estimate for SCI entities that are not SCI SROs to review and update the policies and procedures proposed to be required by Rule 1000(b)(2)(i), to satisfy the elements of the safe harbor provisions in proposed Rules 1000(b)(2)(ii) and (iii). This higher estimate is based on the Commission's preliminary belief that the burden for SCI SROs would be greater because such entities generally change their rules with greater frequency. The Commission solicits comment on the accuracy of this information. \386\ Based on its experience with OCIE examinations and the ARP Inspection Program, the Commission estimates: (Compliance Attorney at 20 hours + Senior Systems Analyst at 100 hours) x (26 potential SCI SRO respondents) + (Compliance Attorney at 10 hours + Senior Systems Analyst at 50 hours) x (18 potential non-SCI SRO respondents) = 4,200 burden hours.
--------------------------------------------------------------------------- As with proposed Rule 1000(b)(1), the Commission preliminarily believes that SCI entities would handle internally most of the work associated with establishing and maintaining written policies and procedures that are reasonably designed to ensure that their SCI systems operate in the manner intended, including in a manner that complies with the federal securities laws and rules and regulations thereunder and, as applicable, the entity's rules and governing documents, and that meet the requirements of the proposed safe harbor provisions of proposed Rule 1000(b)(2)(ii).\387\ However, based on its experience with the ARP Inspection Program, the Commission preliminarily believes that SCI entities also would seek outside legal and/or consulting advice in the initial preparation of such policies and procedures, and that the average cost of outside legal/consulting advice would be $20,000 per respondent, for a total of $880,000 for all respondents.\388\ --------------------------------------------------------------------------- \387\ But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be. \388\ ($20,000 outside legal cost) x (44 entities) = $880,000. ---------------------------------------------------------------------------
c. Mandate Participation in Certain Testing
Proposed Rule 1000(b)(9) would require each SCI entity, with respect to its business continuity and disaster recovery plans, including its backup systems, to require participation by designated members or participants in scheduled functional and performance testing of the operation of such plans at specified intervals, and coordinate such testing on an industry- or sector-wide basis with other SCI entities.
The Commission preliminarily believes that all SCI entities would be subject to this proposed requirement, and that none of these entities currently require participation by members or participants in scheduled functional and performance testing of their business continuity and disaster recovery plans, as proposed Rule 1000(b)(9) would have them require. Although SCI entities may seek to implement the proposed requirements in different ways (e.g., for SCI SROs, by submitting proposed rule changes under Section 19(b) of the Exchange Act; for SCI ATSs, by revising membership or subscriber agreements and internal procedures; for plan processors, through an amendment to an SCI Plan under Rule 608 of Regulation NMS; and, for exempt clearing agencies subject to ARP, by revising participant agreements and internal procedures), the Commission preliminarily believes that the average paperwork burden associated with the proposed rule would be the same for all SCI entities because they would likely make similar changes to their rules, agreements, procedures, or SCI Plans, and would likely take similar actions to implement and coordinate mandatory testing. Based on its experience with SCI entities, the Commission preliminarily believes that SCI entities, other than plan processors, would handle this work internally. The Commission preliminarily estimates that each SCI entity (other than plan processors) would spend approximately 130 hours initially to meet the requirements of proposed Rules 1000(b)(9)(i) and (ii). This estimate takes into consideration the requirement to mandate participation by designated members or participants in testing under proposed Rule 1000(b)(9)(i), as well as the requirement under proposed Rule 1000(b)(9)(ii) that an SCI entity coordinate required testing with other SCI entities. 
Specifically, the estimated 130 hours assumes that it would take an SCI entity 35 hours to write a proposed rule, or revise a membership/subscriber agreement or participant agreement, as the case may be, to establish the participation requirement for the SCI entity's designated members or participants,\389\ and an additional 95 hours of follow-up work (e.g., notice and schedule coordination) to ensure implementation. Therefore, the Commission preliminarily estimates that proposed Rules 1000(b)(9)(i) and (ii) would carry an initial burden of 130 hours per respondent, for a total initial burden of 5,460 hours for all respondents.\390\ For plan processors, the Commission preliminarily estimates that proposed Rules 1000(b)(9)(i) and (ii) would carry an initial cost of $52,000 per respondent,\391\ for a total initial cost of $104,000 for all plan processors.\392\ --------------------------------------------------------------------------- \389\ In establishing this estimate, the Commission considered its estimate of the burden for an SRO to file an average proposed rule change. See 2012 Rule 19b-4 collection of information revision Supporting Statement, Office of Management and Budget, available at: https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=201207-3235-002. \390\ Based on Commission staff experience in reviewing SRO proposed rule change filings and past estimates for Rule 19b-4 and Form 19b-4, the Commission estimates as follows: (Compliance Manager at 10 hours + Attorney at 15 hours + Compliance Clerk at 10 hours) x (42 potential respondents) + (Compliance Manager at 10 hours + Attorney at 15 hours + Operations Specialist at 70 hours) x (42 potential respondents) = 5,460 hours to comply with proposed Rules 1000(b)(9)(i) and (ii). \391\ 130 hours x $400 per hour for outside legal services = $52,000. See infra note 463. \392\ $52,000 x 2 plan processors = $104,000.
--------------------------------------------------------------------------- The Commission also preliminarily estimates that each SCI entity (other than plan processors) would spend approximately 95 hours annually to review the written rules or requirements to ensure that they remain up-to-date and to prepare any necessary amendments and undertake necessary coordination to ensure implementation and enforcement of the requirement.\393\ Therefore, the Commission preliminarily estimates that proposed Rules 1000(b)(9)(i) and (ii) would carry an ongoing annual burden of 95 hours per respondent, for a total ongoing annual burden of 3,990 hours for all respondents.\394\ For plan processors, the Commission preliminarily estimates that proposed Rules 1000(b)(9)(i) and (ii) would carry an ongoing annual cost of $38,000 per respondent,\395\ for a total ongoing annual cost of $76,000 for all plan processors.\396\ --------------------------------------------------------------------------- \393\ As noted above, the initial burden includes 35 hours to write a proposed rule, revise an agreement, or amend an SCI Plan. The Commission does not believe this 35-hour burden would be applicable on an ongoing basis. \394\ (Compliance Manager at 10 hours + Attorney at 15 hours + Operations Specialist at 70 hours) x (42 potential respondents) = 3,990 hours. See supra note 390. \395\ 95 hours x $400 per hour for outside legal services = $38,000. See infra note 463. \396\ $38,000 x 2 plan processors = $76,000. --------------------------------------------------------------------------- The Commission preliminarily estimates that each SCI entity (other than plan processors) would spend approximately 35 hours initially to meet the requirements of proposed Rule 1000(b)(9)(iii).
This estimate takes into consideration the burden for an SCI entity to establish standards for designating members or participants who must participate in its business continuity and disaster recovery plans testing and file such standards with the Commission on Form SCI, as well as the burden for an SCI entity to determine, compile, and submit its list of designated members or participants on Form SCI. Specifically, the Commission estimates that each SCI entity would take 35 hours to write a proposed rule or an internal procedure, as the case may be, to establish standards for designating members or participants, to apply the standards to compile the list of designees, and to file such standards and the list of designees on Form SCI.\397\ Therefore, the Commission preliminarily estimates that proposed Rule 1000(b)(9)(iii) would carry an initial burden of 35 hours per respondent, for a total initial burden of 1,470 hours for all respondents.\398\ For plan processors, the Commission preliminarily estimates that proposed Rule 1000(b)(9)(iii) would carry an initial cost of $14,000 per respondent,\399\ for a total initial cost of $28,000 for all plan processors.\400\ --------------------------------------------------------------------------- \397\ In establishing this estimate, the Commission considered its estimate of the burden for an SRO to file an average proposed rule change. See 2012 Rule 19b-4 collection of information revision Supporting Statement, Office of Management and Budget, available at: https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=201207-3235-002. \398\ Based on Commission staff experience in reviewing SRO proposed rule change filings and past estimates for Rule 19b-4 and Form 19b-4, the Commission estimates as follows: (Compliance Manager at 10 hours + Attorney at 15 hours + Compliance Clerk at 10 hours) x (42 potential respondents) = 1,470 hours to comply with Rule 1000(b)(9)(iii).
\399\ 35 hours x $400 per hour for outside legal services = $14,000. See infra note 463. \400\ $14,000 x 2 plan processors = $28,000. --------------------------------------------------------------------------- The Commission also preliminarily estimates that each SCI entity (other than plan processors) would spend approximately 3 hours annually to review the designation standards to ensure that they remain up-to-date and to prepare any necessary amendments, to review its list of designated members or participants, and to update prior Commission notifications with respect to the standards for designation and the list of designees.\401\ Therefore, the Commission preliminarily estimates that proposed Rule 1000(b)(9)(iii) would carry an ongoing annual burden of 3 hours per respondent, for a total ongoing annual burden of 126 hours for all respondents.\402\ For plan processors, the Commission preliminarily estimates that proposed Rule 1000(b)(9)(iii) would carry an ongoing annual cost of $1,200 per respondent,\403\ for a total ongoing annual cost of $2,400 for all plan processors.\404\ --------------------------------------------------------------------------- \401\ In establishing this estimate, the Commission has considered its estimate of the burden for an SRO to amend a Form 19b-4. Specifically, the Commission estimated that an amendment to Form 19b-4 would require approximately 3 hours to complete. See Securities Exchange Act Release No. 50486 (October 4, 2004), 69 FR 60287, 60294 (October 8, 2004). \402\ (Compliance Manager at 1.5 hours + Attorney at 1.5 hours) x (42 potential respondents) = 126 hours. \403\ 3 hours x $400 per hour for outside legal services = $1,200. See infra note 463. \404\ $1,200 x 2 plan processors = $2,400. ---------------------------------------------------------------------------
2. Notice, Dissemination, and Reporting Requirements for SCI Entities
The proposed rules that would require an SCI entity to notify the Commission of SCI events, disseminate certain SCI events to members or participants, and submit specified reports are discussed more fully in Section III.C above.
a. Notices Required by Proposed Rule 1000(b)(4)
Proposed Rule 1000(b)(4) would require notice of SCI events to the Commission.\405\ The burden estimates to comply with proposed Rule 1000(b)(4) include the burdens associated with Commission notification of immediate notification SCI events and the submission of Form SCI in accordance with the instructions thereto. --------------------------------------------------------------------------- \405\ See supra note 351 and accompanying text for details regarding the content of Form SCI. Currently, there is no law or rule specifically requiring SCI entities to notify the Commission of systems problems in writing or in a specific format. Nevertheless, voluntary communications of systems problems to Commission staff occur in a variety of ways, including by telephone and email. The Commission notes that proposed Rule 1000(b)(4) would impose a new reporting requirement on SCI entities, regardless of whether they currently voluntarily notify the Commission of SCI events on an ad hoc basis. As such, the Commission preliminarily believes that a history of voluntarily reporting such events to the Commission would not lessen the future burden of reporting such events to the Commission on Form SCI as required under proposed Rule 1000(b)(4).
--------------------------------------------------------------------------- Proposed Rule 1000(b)(4)(i) would require an SCI entity, upon any responsible SCI personnel becoming aware of a systems disruption that the SCI entity reasonably estimates would have a material impact on its operations or on market participants, any systems compliance issue, or any systems intrusion, to notify the Commission of such SCI event. As noted above, notification required by proposed Rule 1000(b)(4)(i) may be done orally or in writing. The Commission preliminarily estimates that each SCI entity would experience an average of 40 immediate notification SCI events per year.\406\ The Commission further preliminarily estimates that one-fourth of the notifications under proposed Rule 1000(b)(4)(i) would be in writing (i.e., 10 written notifications and 30 oral notifications), and that each written notification would require an in-house attorney half an hour to prepare and submit to the Commission.\407\ Thus, the Commission preliminarily estimates that the initial and ongoing burden to comply with the notification requirement of proposed Rule 1000(b)(4)(i) would be 5 hours annually per respondent, and 220 hours annually for all respondents.\408\ --------------------------------------------------------------------------- \406\ Because the threshold for immediate notification SCI events is lower than the threshold for dissemination SCI events, the estimate for the number of immediate notification SCI events is higher than the estimate for the number of dissemination SCI events (i.e., 15 dissemination SCI events). See infra notes 414 and 424 and accompanying text. 
\407\ The Commission preliminarily believes this estimate is appropriate because the notification required by proposed Rule 1000(b)(4)(i) would not be submitted through Form SCI, and is intended to be an immediate initial notification when responsible SCI personnel becomes aware of an immediate notification SCI event which contains only information known to the SCI entity at that time. \408\ (Attorney at 0.5 hour for each notice) x (10 notices) = 5 hours. 5 hours x (44 potential respondents) = 220 burden hours. The Commission preliminarily believes that SCI entities would handle internally the work associated with the notification requirement of proposed Rule 1000(b)(4)(i). But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be. --------------------------------------------------------------------------- Proposed Rule 1000(b)(4)(ii) would require an SCI entity, within 24 hours of any responsible SCI personnel becoming aware of any SCI event, to submit a written notification to the Commission on Form SCI pertaining to such SCI event. The Commission preliminarily estimates that each SCI entity would experience an average of 65 SCI events per year.\409\ Thus, the Commission preliminarily estimates that there would be an average of 65 SCI event notices per year for each respondent. The Commission preliminarily estimates that each notification under proposed Rule 1000(b)(4)(ii) would require an average of 20 burden hours,\410\ with a compliance manager and in-house attorney each spending approximately 10 hours in collaboration to draft, review, and submit the report.
Thus, the Commission preliminarily estimates that the initial and ongoing burden to comply with the reporting requirement of proposed Rule 1000(b)(4)(ii) would be 1,300 hours annually per respondent, and 57,200 hours annually for all respondents.\411\ --------------------------------------------------------------------------- \409\ This estimate is based on Commission's experience with the ARP Inspection Program. Approximately 175 ARP incidents were reported to the Commission in 2011 by entities that currently participate in the ARP Inspection Program. Of those entities, the Commission believes that 28 would fall under the proposed definition of SCI entity (since 2011, an additional entity has become part of the ARP Inspection Program, for a total of 29 SCI entities that participate in the ARP Inspection Program). Thus, each entity reported an average of approximately 6 incidents in 2011. Because the proposed definition of ``SCI event'' is broader than the types of events covered by the current ARP Inspection Program, and SCI entities are not currently required by law or rule to report systems issues to the Commission, the Commission preliminarily believes that the number of SCI events that would be reported to the Commission would be significantly more than the number of incidents reported in 2011. The Commission acknowledges that, because these types of incidents are not required to be reported under the current ARP Inspection Program, this figure is largely an estimate and is difficult to ascertain. As such, the Commission seeks comment on the accuracy of this estimate. \410\ This estimate includes the burden for attaching an Exhibit 3 (i.e., a copy in pdf or html format of any information disseminated to date regarding the SCI event to its members or participants or on the SCI entity's publicly available Web site). This estimate is based on Commission staff experience with the ARP Inspection Program. 
The Commission has also considered its estimate of the burden to complete Form 19b-4. Specifically, the Commission has estimated that an SRO would spend approximately 39 hours to complete a Form 19b-4. See 2012 Rule 19b-4 collection of information revision Supporting Statement, Office of Management and Budget, available at: https://www.reginfo.gov/public/do/PRAViewDocument?ref_nbr=201207-3235-002. However, the Commission notes that, unlike Form 19b-4, the information contained in Form SCI would only be factual. As such, the Commission preliminarily believes that the amount of time for an SCI entity to complete Form SCI would be less than the amount of time for an SRO to complete Form 19b-4. \411\ (Compliance Manager at 10 hours for each notice + Attorney at 10 hours for each notice) x (65 notices) = 1,300 hours. 1,300 hours x (44 potential respondents) = 57,200 burden hours. The Commission preliminarily believes that SCI entities would handle internally the work associated with the notification requirement of proposed Rule 1000(b)(4)(ii). But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be. --------------------------------------------------------------------------- Proposed Rule 1000(b)(4)(iii) would require an SCI entity to submit written updates to the Commission on Form SCI pertaining to SCI events on a regular basis, or at such frequency as reasonably requested by a representative of the Commission, until such time as the SCI event is resolved. 
Based on Commission staff's experience with the ARP Inspection Program, the Commission preliminarily estimates that, on average, each SCI entity would submit 5 updates per year under proposed Rule 1000(b)(4)(iii), and that each update would require an average of 3 burden hours,\412\ with a compliance manager and in-house attorney each spending approximately 1.5 hours in collaboration to draft, review, and submit the update. Thus, the Commission preliminarily estimates that the initial and ongoing burden to comply with the continuous update requirement of proposed Rule 1000(b)(4)(iii) would be 15 hours annually per respondent, and 660 hours annually for all respondents.\413\ --------------------------------------------------------------------------- \412\ This estimate includes the burden for attaching an Exhibit 3 (i.e., a copy in pdf or html format of any information disclosed to date regarding the SCI event to its members or participants or on the SCI entity's publicly available Web site). In determining this estimate, the Commission has considered its estimate of the burden for an SRO to amend a Form 19b-4. Specifically, the Commission estimated that an amendment to Form 19b-4 would require approximately 3 hours to complete. See Securities Exchange Act Release No. 50486 (October 4, 2004), 69 FR 60287, 60294 (October 8, 2004). \413\ (Compliance Manager at 1.5 hours for each update + Attorney at 1.5 hours for each update) x (5 updates) = 15 hours. 15 hours x (44 potential respondents) = 660 burden hours. The Commission preliminarily believes that SCI entities would handle internally the work associated with the reporting requirement of proposed Rule 1000(b)(4)(iii). But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be. 
--------------------------------------------------------------------------- b. Disseminations Required by Proposed Rule 1000(b)(5) Proposed Rule 1000(b)(5) would require disseminations of information to members or participants relating to dissemination SCI events. Based on the definition of dissemination SCI event, the Commission preliminarily estimates that each SCI entity would experience an average of 14 dissemination SCI events each year that are not systems intrusions, resulting in an average of 14 member or participant disseminations per respondent per year under proposed Rule 1000(b)(5)(i).\414\ --------------------------------------------------------------------------- \414\ This estimate is based on the Commission's experience with the ARP Inspection Program. Specifically, as indicated in the Economic Analysis Section, approximately 175 ARP incidents were reported to the Commission in 2011 by entities that currently participate in the ARP Inspection Program. Of those entities, the Commission believes that 28 would fall under the proposed definition of SCI entity (since 2011, an additional entity has become part of the ARP Inspection Program, for a total of 29 SCI entities that participate in the ARP Inspection Program). Thus, each entity reported an average of approximately 6 incidents in 2011. Further, because proposed Rule 1000(a) would define an SCI event to mean a systems disruption, systems compliance issue, or systems intrusion, the scope of proposed Regulation SCI is broader than the scope of incidents reported to the ARP Inspection Program, which covers certain systems disruptions and intrusions. As such, the Commission preliminarily believes that an estimate of 14 dissemination SCI events per year per SCI entity (other than systems disruptions) is appropriate.
--------------------------------------------------------------------------- Proposed Rule 1000(b)(5)(i)(A) would require an SCI entity, promptly after any responsible SCI personnel becomes aware of a dissemination SCI event other than a systems intrusion, to disseminate to its members or participants the following information about such SCI event: (1) The systems affected by the SCI event; and (2) a summary description of the SCI event. In addition to the costs for outside legal advice discussed below,\415\ the Commission estimates that each initial member or participant dissemination would require an average of 3 hours to prepare and make available to members or participants, with an in-house attorney spending approximately 2.67 hours in drafting and reviewing the dissemination, and a webmaster spending approximately 0.33 hours in making the dissemination available to members or participants.\416\ Thus, the Commission preliminarily estimates that the initial and ongoing burden to comply with the initial member or participant dissemination requirement of proposed Rule 1000(b)(5)(i)(A) would be approximately 42 hours annually per respondent, and 1,848 hours annually for all respondents.\417\ --------------------------------------------------------------------------- \415\ See infra note 428. \416\ This estimate is based on Commission staff's experience with the ARP Inspection Program. The Commission estimates that each initial member or participant dissemination would require an average of 3 hours to prepare and make available the information to members or participants, instead of 20 hours as estimated for proposed Rule 1000(b)(4)(ii), because the information required to be disseminated to members or participants would have been used for the initial written notification on Form SCI. 
For the same reason, the Commission preliminarily believes that an in-house attorney will prepare the dissemination, which will be made available to members or participants by the webmaster. \417\ (Attorney at 2.67 hours for each notification + Webmaster at 0.33 hour for each notification) x (14 notifications per year) = 42 hours. 42 hours x (44 potential respondents) = 1,848 burden hours. The Commission preliminarily believes that SCI entities would handle internally most of the work associated with the notification requirement of proposed Rule 1000(b)(5)(i)(A). But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be. --------------------------------------------------------------------------- Proposed Rule 1000(b)(5)(i)(B) would require the SCI entity to further disseminate, when known, the following information to its members or [[Page 18150]] participants: (1) A detailed description of the SCI event; (2) the SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; and (3) a description of the progress of its corrective action for the SCI event and when the SCI event has been or is expected to be resolved. In addition to the outside costs discussed below,\418\ the Commission preliminarily estimates that each update under proposed Rule 1000(b)(5)(i)(B) would require an average of 5 hours to prepare and make available to members or participants,\419\ with an in-house attorney spending approximately 4.67 hours in drafting and reviewing the update, and a webmaster spending approximately 0.33 hour in making the update available to members or participants. 
Thus, the Commission preliminarily estimates that the initial and ongoing burden to comply with the update requirement of proposed Rule 1000(b)(5)(i)(B) would be approximately 70 hours annually per respondent, and 3,080 hours annually for all respondents.\420\ --------------------------------------------------------------------------- \418\ See infra note 428. \419\ The Commission estimates that each update under proposed Rule 1000(b)(5)(i)(B) would require an average of 5 hours to prepare and make available to members or participants, instead of 20 hours as estimated for proposed Rule 1000(b)(4)(ii), because the information required to be disseminated to members or participants would have been used for the initial written notification on Form SCI. \420\ (Attorney at 4.67 hours for each update + Webmaster at 0.33 hour for each update) x (14 updates per year) = 70 hours. 70 hours x (44 potential respondents) = 3,080 burden hours. This estimate is based on Commission staff's experience with the ARP Inspection Program. The Commission preliminarily believes that SCI entities would handle internally most of the work associated with the update requirement of proposed Rule 1000(b)(5)(i)(B). But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be. --------------------------------------------------------------------------- Proposed Rule 1000(b)(5)(i)(C) would require an SCI entity to provide regular updates to members or participants of any information required to be disseminated under proposed Rule 1000(b)(5). As noted above, there were approximately 175 ARP incidents reported to the Commission in 2011. These incidents had durations ranging from under one minute to 24 hours, with most incidents having a duration of less than 2 hours. 
Based on the relatively short duration of the ARP incidents reported to the Commission in 2011, the Commission preliminarily estimates that, on average, each SCI entity would provide one regular update per year per dissemination SCI event under proposed Rule 1000(b)(5)(i)(C). In addition to the costs for outside legal advice discussed below,\421\ the Commission preliminarily estimates that each update would require an average of 1 hour to prepare and make available to members or participants,\422\ with an in-house attorney spending approximately 0.67 hour in drafting and reviewing the update, and a webmaster spending approximately 0.33 hour in making the update available to members or participants. Thus, the Commission preliminarily estimates that the initial and ongoing burden to comply with the regular update requirement of proposed Rule 1000(b)(5)(i)(C) would be approximately 14 hours annually per respondent, and 616 hours annually for all respondents.\423\ --------------------------------------------------------------------------- \421\ See infra note 428. \422\ This estimate is based on the estimated burden to complete and submit a written update for an SCI event on Form SCI. See supra note 412. The Commission estimates that each regular update to a member or participant dissemination would require an average of 1 hour to prepare and make available to members or participants, instead of 3 hours, because the information required to be provided to the Commission in the updates on Form SCI would also be used for updating the member or participant dissemination. For the same reason, the Commission preliminarily believes that an attorney will prepare the update, which will be made available by the webmaster. \423\ (Attorney at 0.67 hour for each update + Webmaster at 0.33 hour for each update) x (14 updates per year) = 14 hours. 14 hours x (44 potential respondents) = 616 burden hours.
This estimate is based on Commission staff's experience with the ARP Inspection Program. The Commission preliminarily believes that SCI entities would handle internally most of the work associated with the update requirement of proposed Rule 1000(b)(5)(i)(C). But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be. --------------------------------------------------------------------------- Under proposed Rule 1000(b)(5)(ii), promptly after any responsible SCI personnel becomes aware of a systems intrusion, the SCI entity would be required to disseminate to its members or participants a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity's SCI systems or SCI security systems, or an investigation of the systems intrusion, and documents the reasons for such determination. 
Based on the definition of dissemination SCI event, the Commission preliminarily estimates that each SCI entity would experience an average of 1 dissemination SCI event that is a systems intrusion each year, resulting in an average of 1 member or participant dissemination per respondent per year under proposed Rule 1000(b)(5)(ii).\424\ In addition to the costs for outside legal advice discussed below,\425\ the Commission estimates that each member or participant dissemination under proposed Rule 1000(b)(5)(ii) would require an average of 3 hours to prepare and make available to members or participants, with an in-house attorney spending approximately 2.67 hours in drafting and reviewing the dissemination, and a webmaster spending approximately 0.33 hours in making the dissemination available to members or participants.\426\ Thus, the Commission preliminarily estimates that the initial and ongoing burden to comply with the member or participant dissemination requirement under proposed Rule 1000(b)(5)(ii) would be approximately 3 hours annually per respondent, and 132 hours annually for all respondents.\427\ --------------------------------------------------------------------------- \424\ Based on the Commission's experience with the ARP Inspection Program, the Commission preliminarily believes each SCI entity will experience on average less than one systems intrusion per year. However, for purposes of the PRA, the Commission preliminarily estimates one systems intrusion per respondent per year. \425\ See infra note 428. \426\ This estimate includes any burden for an SCI entity to document its reason for determining that dissemination of information regarding a systems intrusion would likely compromise the security of the SCI entity's SCI systems or SCI security systems, or an investigation of the systems intrusion. This estimate is based on Commission staff's experience with the ARP Inspection Program.
In determining this estimate, the Commission considered its burden estimate for proposed Rule 1000(b)(5)(i)(A) because both rules would require the dissemination of certain basic information about a dissemination SCI event. For the same reason, the Commission preliminarily believes that an in-house attorney will prepare the dissemination, which will be made available by the webmaster. \427\ (Attorney at 2.67 hours for each notification + Webmaster at 0.33 hour for each notification) x (1 notification per year) = 3 hours. 3 hours x (44 potential respondents) = 132 burden hours. The Commission preliminarily believes that SCI entities would handle internally most of the work associated with the dissemination requirement of proposed Rule 1000(b)(5)(ii). But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be. --------------------------------------------------------------------------- The Commission preliminarily believes that SCI entities would internally handle most of the work associated with disseminating information on dissemination SCI events to members or participants. However, based on its experience with the ARP Inspection Program, the Commission preliminarily believes that SCI entities also would seek outside legal advice in the preparation of the disseminations required under proposed Rule 1000(b)(5), and that the average cost of outside legal advice would be [[Page 18151]] $15,000 per respondent per year, for a total of $660,000 for all respondents per year.\428\ --------------------------------------------------------------------------- \428\ ($15,000 outside legal cost) x (44 potential respondents) = $660,000. --------------------------------------------------------------------------- c. 
Notices Required by Proposed Rule 1000(b)(6) Proposed Rule 1000(b)(6) would require notification to the Commission on Form SCI of material systems changes. The Commission preliminarily believes this work would be conducted internally.\429\ The burden estimates to comply with proposed Rule 1000(b)(6) include the burdens associated with submission of Form SCI in accordance with the instructions thereto. --------------------------------------------------------------------------- \429\ But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be. --------------------------------------------------------------------------- Specifically, proposed Rule 1000(b)(6) would require the SCI entity, absent exigent circumstances, to notify the Commission on Form SCI at least 30 calendar days before the implementation of any planned material systems change, including a description of the planned material systems change as well as the expected dates of commencement and completion of the implementation of such change.\430\ Based on its experience with the ARP Inspection Program, the Commission preliminarily estimates that there would be an average of 60 planned material systems changes per respondent per year.\431\ As such, the Commission preliminarily estimates that there would be an average of 60 notifications per respondent per year, and each notification would require an average of 2 hours to prepare and submit,\432\ with an attorney spending approximately 0.33 hours and a senior systems analyst spending approximately 1.67 hours in drafting and reviewing the notification.
For the 15 SCI entity respondents that do not currently participate in the ARP Inspection Program, the Commission preliminarily estimates that the initial and ongoing burden to comply with the notice requirement of proposed Rule 1000(b)(6) would be approximately 120 hours annually per respondent, and 1,800 hours annually for all respondents.\433\ Because SCI entities that currently participate in the ARP Inspection Program already notify the Commission of planned material systems changes, the Commission preliminarily estimates that these entities would be starting from a baseline of fifty percent, and that the increased burden for these 30 SCI entities would be 60 hours annually per respondent.\434\ The Commission preliminarily estimates that the total initial and ongoing burden for SCI entities that currently participate in the ARP Inspection Program would be 60 hours annually per respondent, for a total burden of 1,740 hours for all of these respondents.\435\ Thus, the total estimated initial and ongoing burden to comply with proposed Rule 1000(b)(6) would be 3,540 hours for all respondents.\436\ --------------------------------------------------------------------------- \430\ If exigent circumstances exist, or if the information previously provided to the Commission regarding any planned material systems change becomes materially inaccurate, the SCI entity would be required to notify the Commission, either orally or in writing, with any oral notification to be memorialized within 24 hours after such oral notification by a written notification, as early as reasonably practicable. \431\ This estimate includes instances where the information previously provided to the Commission regarding any planned material systems change becomes materially inaccurate. \432\ In estimating the burden imposed by proposed Rule 1000(b)(6), the Commission also considered its burden estimate for the same reporting requirement that was proposed for SB SEFs.
Specifically, proposed Rule 822(a)(4) in the SB SEF Proposing Release would require an SB SEF to notify the Commission in writing at least 30 calendar days before the implementation of material systems changes. The Commission estimated that there would be an average of 60 notifications per respondent per year, and that each notification would require an average of 2 internal burden hours. See SB SEF Proposing Release, supra note 297, at 11029. \433\ (Attorney at 0.33 hour for each notification + Senior Systems Analyst at 1.67 hours for each notification) x (60 notifications per year) = 120 hours. 120 hours x (15 potential respondents) = 1,800 burden hours. \434\ (Attorney at 0.33 hour for each notification + Senior Systems Analyst at 1.67 hours for each notification) x (30 additional notifications per year) = 60 hours. The Commission preliminarily believes that the burden would result from the proposed broadened definitions of ``SCI systems'' and ``SCI security systems'' in Regulation SCI, as well as the shift from a voluntary to a mandatory regulatory environment. \435\ (60 burden hours) x (29 potential respondents) = 1,740 burden hours. \436\ (1,800 burden hours for SCI entities that do not currently participate in the ARP Inspection Program + 1,740 burden hours for SCI entities that currently participate in the ARP Inspection Program) = 3,540 burden hours. --------------------------------------------------------------------------- d. SCI Review Required by Proposed Rule 1000(b)(7) Proposed Rule 1000(b)(7) would require each SCI entity to conduct an SCI review of its compliance with Regulation SCI not less than once each calendar year, and submit a report of the SCI review to its senior management for review no more than 30 calendar days after completion of such SCI review. 
The Commission preliminarily estimates that the initial and ongoing burden of conducting an SCI review and submitting the SCI review to senior management of the SCI entity for review would be approximately 625 hours for each respondent \437\ and 27,500 hours annually for all respondents.\438\ --------------------------------------------------------------------------- \437\ This estimate is the Commission's preliminary best estimate and is based on Commission staff's experience with SCI entities participating in the ARP Inspection Program. This estimate also is the same as the Commission's burden estimate for internal audits of SB SEFs. See SB SEF Proposing Release, supra note 297, at 11028. Proposed Rule 822 in the SB SEF Proposing Release would require an SB SEF to submit to the Commission an annual objective review of the capability of its systems that support or are integrally related to the performance of its activities, provided that if a review is performed internally, an external firm shall report on the objectivity, competency, and work performance with respect to the internal review. The Commission recognizes that the annual review requirement proposed for SB SEFs is different, in certain respects, from the requirement under proposed Rule 1000(b)(7). Specifically, the scopes of the reviews are different because proposed Rule 1000(b)(7) would require an SCI review of an SCI entity's compliance with proposed Regulation SCI. Further, proposed Rule 1000(b)(7) would not require an external review of an internal SCI review. Nevertheless, the Commission preliminarily believes that these differences should not result in differences in the burden estimate for these similar internal audits. \438\ (Attorney at 80 hours + Manager Internal Auditor at 170 hours + Senior Systems Analyst at 375 hours) x (44 potential respondents) = 27,500 burden hours. --------------------------------------------------------------------------- e. 
Reports Required by Proposed Rule 1000(b)(8) Proposed Rule 1000(b)(8) would require each SCI entity to submit certain reports to the Commission. The burden estimates to comply with proposed Rule 1000(b)(8) include the burdens associated with submission of Form SCI in accordance with the instructions thereto. Pursuant to proposed Rule 1000(b)(8)(i), each SCI entity would be required to submit to the Commission, as an attachment to Form SCI, a report of the SCI review required by proposed Rule 1000(b)(7), together with any response by senior management of the SCI entity, within 60 calendar days after its submission to senior management of the SCI entity. The Commission estimates that each SCI entity would require 1 hour to submit the SCI review using Form SCI, for a total annual initial and ongoing burden of 44 hours for all respondents.\439\ --------------------------------------------------------------------------- \439\ (Attorney at 1 hour for each submission) x (1 submission per year) = 1 burden hour. (1 burden hour) x (44 potential respondents) = 44 burden hours. --------------------------------------------------------------------------- Proposed Rule 1000(b)(8)(ii) would require each SCI entity to submit, using Form SCI, a report within 30 calendar days after the end of June and December of each year, containing a summary description of the progress of any material systems changes during the six-month period ending on June 30 or December 31, as the case may be, and the date, or expected date, of completion of their implementation. 
[[Page 18152]] The Commission preliminarily estimates that the initial and ongoing burden to comply with proposed Rule 1000(b)(8)(ii) would be approximately 60 hours per respondent per report or 120 hours annually,\440\ and 5,280 hours annually for all respondents.\441\ --------------------------------------------------------------------------- \440\ The Commission notes that SCI entities currently do not submit to the Commission written semi-annual notifications of material systems changes. This estimate is based on Commission staff's experience with various entities through the ARP Inspection Program. \441\ (Attorney at 10 hours for each report + Senior Systems Analyst at 50 hours for each report) x (2 reports per year) = 120 burden hours. (120 burden hours) x (43 potential respondents) = 5,280 burden hours. The Commission preliminarily believes that SCI entities would handle internally the work associated with the reporting requirement of proposed Rule 1000(b)(8)(ii). But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be. --------------------------------------------------------------------------- 3. Requirements To Take Corrective Actions, Identify Immediate Notification SCI Events, and Identify Dissemination SCI Events The proposed rules that could result in SCI entities establishing additional processes for compliance with proposed Regulation SCI are discussed more fully in Section III.C above. a. 
Requirement To Take Corrective Actions Proposed Rule 1000(b)(3) would require an SCI entity, upon any responsible SCI personnel becoming aware of an SCI event, to begin to take corrective action which shall include, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable. Based on its experience with the ARP Inspection Program, the Commission believes that entities that participate in the ARP Inspection Program already take corrective actions in response to a systems issue, and believes that other SCI entities also take corrective actions in response to a systems issue. Nevertheless, the Commission preliminarily believes that proposed Rule 1000(b)(3) would likely result in SCI entities revising their policies in this regard, which would help to ensure that their information technology staff has the ability to access systems in order to take appropriate corrective actions. As such, proposed Rule 1000(b)(3) may impose a one-time implementation burden on SCI entities associated with developing a process for ensuring that they are prepared for the corrective action requirement. Proposed Rule 1000(b)(3) also may impose periodic burdens on SCI entities in reviewing that process. The Commission preliminarily estimates that the initial burden to implement such a process would be 42 hours per SCI entity \442\ or 1,848 hours for all SCI entities.\443\ The Commission also preliminarily estimates that the ongoing burden to review such a process would be 12 hours annually per SCI entity \444\ or 528 hours annually for all SCI entities.\445\ --------------------------------------------------------------------------- \442\ This estimate is based on the Commission's burden estimate for proposed Rule 1000(b)(1) because both proposed Rule 1000(b)(1) and proposed Rule 1000(b)(3) would result in certain policies and procedures or processes. 
Because proposed Rule 1000(b)(1) (except for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data) would require the establishment of five policies and procedures at a minimum, the Commission preliminarily estimates that the initial burden to establish the process to comply with proposed Rule 1000(b)(3) would be one-fifth of the initial burden to comply with proposed Rule 1000(b)(1) (except for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data), or 42 hours (210 hours / 5). Further, the Commission preliminarily estimates that the hourly breakdown between different staff of the SCI entity would be in the same ratio as the Commission's estimate for proposed Rule 1000(b)(1) (except for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data)--Compliance Manager at 16 hours, Attorney at 16 hours, Senior Systems Analyst at 5 hours, and Operations Specialist at 5 hours. These estimates reflect the Commission's preliminary view that SCI entities would establish the process for compliance with proposed Rule 1000(b)(3) internally. But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be. \443\ (42 hours) x (44 potential respondents) = 1,848 burden hours. 
\444\ This estimate is based on the Commission's burden estimate for proposed Rule 1000(b)(1) because both proposed Rule 1000(b)(1) and proposed Rule 1000(b)(3) would result in certain policies and procedures or processes. Because proposed Rule 1000(b)(1) (except for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data) would require the establishment and review of five policies and procedures at a minimum, the Commission preliminarily estimates that the ongoing burden to review the process to comply with proposed Rule 1000(b)(3) would be one-fifth of the ongoing burden to comply with proposed Rule 1000(b)(1) (except for policies and procedures for Standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data), or 12 hours (60 hours / 5). Further, the Commission preliminarily estimates that the hourly breakdown between different staff of the SCI entity would be in the same ratio as the Commission's estimate for proposed Rule 1000(b)(1) (except for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data)--Compliance Manager at 6 hours and Attorney at 6 hours. These estimates reflect the Commission's preliminary view that SCI entities would review the process for compliance with proposed Rule 1000(b)(3) internally. But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be. 
\445\ (12 hours) x (44 potential respondents) = 528 burden hours. --------------------------------------------------------------------------- b. Requirements To Identify Immediate Notification SCI Events and Dissemination SCI Events Proposed Rule 1000(a) would define a ``dissemination SCI event'' to mean an SCI event that is a: (1) Systems compliance issue; (2) systems intrusion; or (3) systems disruption that results, or the SCI entity reasonably estimates would result, in significant harm or loss to market participants. When an SCI event occurs, an SCI entity would need to determine whether the event is an immediate notification SCI event or a dissemination SCI event, because the proposed rules would impose different obligations on SCI entities for these types of SCI events. As such, the proposed definitions of immediate notification SCI event and dissemination SCI event may impose an initial one-time implementation burden on SCI entities in developing a process to ensure that they are able to quickly and correctly make a determination regarding whether the SCI event is subject to proposed Rule 1000(b)(4)(i) or (b)(5). The definitions may also impose periodic burdens on SCI entities in reviewing that process. [[Page 18153]] Because the ARP Inspection Program already provides for the reporting of ``significant system changes'' and ``significant system outages'' to Commission staff,\446\ the Commission believes that, as compared to entities that do not participate in the ARP Inspection Program, entities that currently participate in the ARP Inspection Program would already have internal processes for determining the significance of a systems issue.\447\ Therefore, the Commission preliminarily estimates that the proposed definitions would impose half as much burden on entities that participate in the ARP Inspection Program as compared to entities that do not participate in the ARP Inspection Program.
---------------------------------------------------------------------------
\446\ See supra notes 33 and 35 and accompanying text.
\447\ The Commission recognizes that ``significant system changes'' and ``significant system outages'' differ from the proposed definitions of ``immediate notification SCI event'' and ``dissemination SCI event.''
---------------------------------------------------------------------------

For SCI entities that currently do not participate in the ARP Inspection Program, the Commission preliminarily believes that the initial burden would be 42 hours per entity \448\ or 630 hours for all such entities.\449\ For entities that currently participate in the ARP Inspection Program, the Commission preliminarily believes that the initial burden would be 21 hours \450\ per entity or 609 hours for all such entities.\451\ For SCI entities that currently do not participate in the ARP Inspection Program, the Commission preliminarily believes that ongoing burden would be 12 hours annually per entity \452\ or 180 hours for all such entities.\453\ For SCI entities that currently participate in the ARP Inspection Program, the Commission preliminarily believes that ongoing burden would be 6 hours annually \454\ per entity or 174 hours for all such entities.\455\

---------------------------------------------------------------------------
\448\ This estimate is based on the Commission's burden estimate for proposed Rule 1000(b)(1) because proposed Rule 1000(b)(1), the proposed definition of ``immediate notification SCI event,'' and the definition of ``dissemination SCI event'' would result in certain policies and procedures or processes.
Because proposed Rule 1000(b)(1) (except for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data) would require the establishment of five policies and procedures at a minimum, the Commission preliminarily estimates that the initial burden to establish the process regarding the SCI event determinations would be one-fifth of the initial burden to comply with proposed Rule 1000(b)(1) (except for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data), or 42 hours (210 hours / 5). Further, the Commission preliminarily estimates that the hourly breakdown between different staff of the SCI entity would be in the same ratio as the Commission's estimate for proposed Rule 1000(b)(1) (except for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data)--Compliance Manager at 16 hours, Attorney at 16 hours, Senior Systems Analyst at 5 hours, and Operations Specialist at 5 hours. These estimates reflect the Commission's preliminary view that SCI entities would internally establish the process for determining whether an SCI event is an immediate notification SCI event or dissemination SCI event. But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be.
\449\ (42 hours) x (15 potential respondents) = 630 burden hours.
\450\ 42 burden hours x 50% = 21 burden hours. These estimates reflect the Commission's preliminary view that SCI entities would internally establish the process for determining whether an SCI event is an immediate notification SCI event or dissemination SCI event. But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be.
\451\ (21 burden hours) x (29 potential respondents) = 609 burden hours.
\452\ This estimate is based on the Commission's burden estimate for proposed Rule 1000(b)(1) because proposed Rule 1000(b)(1), the proposed definition of ``immediate notification SCI event,'' and the proposed definition of ``dissemination SCI event'' would result in certain policies and procedures or processes. Because proposed Rule 1000(b)(1) (except for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data) would require the establishment and maintenance of five policies and procedures at a minimum, the Commission preliminarily estimates that the ongoing burden to review the process regarding the SCI event determinations would be one-fifth of the ongoing burden to comply with proposed Rule 1000(b)(1) (except for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data), or 12 hours (60 hours / 5).
Further, the Commission preliminarily estimates that the hourly breakdown between different staff of the SCI entity would be in the same ratio as the Commission's estimate for proposed Rule 1000(b)(1) (except for policies and procedures for standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data)--Compliance Manager at 6 hours and Attorney at 6 hours. These estimates reflect the Commission's preliminary view that SCI entities would internally review the process for determining whether an SCI event is an immediate notification SCI event or dissemination SCI event. But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be.
\453\ (12 burden hours) x (15 potential respondents) = 180 burden hours.
\454\ 12 burden hours x 50% = 6 burden hours. These estimates reflect the Commission's preliminary view that SCI entities would internally review the process for determining whether an SCI event is an immediate notification SCI event or dissemination SCI event. But see infra Section IV.D.6, requesting comment on whether some SCI entities, particularly those that do not currently participate in the ARP Inspection Program, would seek to outsource this work and what the cost to outsource this work would be.
\455\ (6 burden hours) x (29 potential respondents) = 174 burden hours.
---------------------------------------------------------------------------

4. Recordkeeping Requirements

As more fully discussed in Section III.D above, proposed Rule 1000(c) would specifically require SCI entities other than SCI SROs to make, keep, and preserve at least one copy of all documents relating to its compliance with proposed Regulation SCI.
The Commission is not proposing a new recordkeeping requirement for SCI SROs because the documents relating to compliance with proposed Regulation SCI are subject to their existing recordkeeping and retention requirements under Rule 17a-1 under the Exchange Act.\456\ Because Rule 17a-1 under the Exchange Act requires every SRO to keep on file for a period of not less than 5 years, the first 2 years in an easily accessible place, at least one copy of all documents that it makes or receives respecting its self-regulatory activities, and that all such documents be made available for examination by the Commission and its representatives, the Commission believes that proposed Rule 1000(c) would not result in any burden that is not already accounted for in the Commission's burden estimates for Rule 17a-1.

---------------------------------------------------------------------------
\456\ See 17 CFR 240.17a-1.
---------------------------------------------------------------------------

For SCI entities other than SCI SROs, Regulation SCI-related records would be required to be kept for a period of not less than five years, the first two years in a place that is readily accessible to the Commission or its representatives for inspection and examination.\457\ Upon the request of any representative of the Commission, an SCI entity would be required to promptly furnish to the possession of such representative copies of any documents required to be kept and preserved by it pursuant to proposed Rule 1000(c).
---------------------------------------------------------------------------
\457\ Under the proposal, upon or immediately prior to ceasing to do business or ceasing to be registered under the Exchange Act, an SCI entity would be required to take all necessary action to ensure that the records required to be made, kept, and preserved by Rule 1000(c) would be accessible to the Commission and its representatives in the manner required and for the remainder of the period required by proposed Rule 1000(c). See proposed Rule 1000(c)(3).
---------------------------------------------------------------------------

[[Page 18154]]

For SCI entities other than SCI SROs, the Commission preliminarily estimates that the initial and ongoing burden to make, keep, and preserve records relating to compliance with proposed Regulation SCI would be approximately 25 hours annually per respondent \458\ for a total annual burden of 450 hours for all respondents.\459\ In addition, the Commission estimates that each SCI entity other than an SCI SRO would incur a one-time burden to set up or modify an existing recordkeeping system to comply with proposed Rule 1000(c). Specifically, the Commission estimates that, for each SCI entity other than an SCI SRO, setting up or modifying a recordkeeping system would create an initial burden of 170 hours and $900 in information technology costs for purchasing recordkeeping software,\460\ for a total initial burden of 3,060 hours \461\ and a total initial cost of $16,200.\462\

---------------------------------------------------------------------------
\458\ This estimate is based on the Commission's experience with examinations of registered entities, the Commission's estimated burden for an SRO to comply with Rule 17a-1, and the Commission's estimated burden for an SB SEF to keep and preserve documents made or received in the conduct of its business.
Specifically, the Commission estimated 50 burden hours per respondent per year in connection with Rule 17a-1 and proposed Rule 818(a) and (b) in the SB SEF Proposing Release. See 2010 Extension of Rule 17a-1 Supporting Statement, Office of Management and Budget, available at: https://www.reginfo.gov/public/do/PRAViewICR?ref_nbr=201007-3235-003 and SB SEF Proposing Release, supra note 297, at 11029. Because the recordkeeping requirements under Rule 17a-1 and under proposed Rule 818(a) and (b) are broader than the recordkeeping requirement under proposed Rule 1000(c), the Commission preliminarily believes that an estimate of 25 burden hours per year per SCI entity is appropriate. Further, the Commission notes that this burden estimate includes the burden imposed by proposed Rule 1000(e). Specifically, proposed Rule 1000(e) would provide that, if the records required to be filed or kept by an SCI entity under proposed Regulation SCI are prepared or maintained by a service bureau or other recordkeeping service on behalf of the SCI entity, the SCI entity would be required to ensure that the records are available for review by the Commission and its representatives by submitting a written undertaking, in a form acceptable to the Commission, by such service bureau or other recordkeeping service, which is signed by a duly authorized person at such service bureau or other recordkeeping service.
\459\ (Compliance Clerk at 25 hours) x (18 potential respondents) = 450 burden hours.
\460\ This estimate is based on the Commission's experience with examinations of registered entities and the Commission's estimated burden for an SB SEF to keep and preserve documents made or received in the conduct of its business. Specifically, the Commission estimated that setting up or modifying a recordkeeping system under proposed Rule 818 would create an initial burden of 345 hours and $1,800 in information technology costs per respondent.
See SB SEF Proposing Release, supra note 297, at 11030. Because the recordkeeping requirements under proposed Rule 818 are broader than the recordkeeping requirement under proposed Rule 1000(c), the Commission preliminarily believes that the estimates of 170 initial burden hours and $900 in initial cost are appropriate.
\461\ (170 burden hours) x (18 potential respondents) = 3,060 burden hours.
\462\ ($900) x (18 potential respondents) = $16,200.
---------------------------------------------------------------------------

The Commission preliminarily believes that proposed Rule 1000(c)(3), which would require an SCI entity, upon or immediately prior to ceasing to do business or ceasing to be registered under the Exchange Act, to take all necessary action to ensure that the records required to be made, kept, and preserved by Rule 1000(c)(1) and Rule 1000(c)(2) remain accessible to the Commission and its representatives in the manner and for the remainder of the period required by Rule 1000(c), would not result in any additional paperwork burden that is not already accounted for in the Commission's burden estimates for proposed Rule 1000(c)(1) and Rule 1000(c)(2).

6. Request for Comment on Extent and Cost of Outsourcing

209. The Commission's estimates of the hourly burdens discussed above reflect the Commission's preliminary view that SCI entities would conduct the work proposed to be required by proposed Rules 1000(a), 1000(b)(1), 1000(b)(2), 1000(b)(3), 1000(b)(4), 1000(b)(5), 1000(b)(6), 1000(b)(7), 1000(b)(8), and 1000(b)(9) internally. The Commission acknowledges, however, that some SCI entities, particularly smaller SCI entities, and/or SCI entities that do not currently participate in the ARP Inspection Program, may elect to outsource the work if it would be more cost effective to do so.
The Commission does not at this time have sufficient information to reasonably estimate the cost to outsource the work proposed to be required by proposed Rules 1000(a), 1000(b)(1), 1000(b)(2), 1000(b)(3), 1000(b)(4), 1000(b)(5), 1000(b)(6), 1000(b)(7), 1000(b)(8), and 1000(b)(9), or the number of entities that would choose to outsource this work, for purposes of the PRA. The Commission seeks comment, however, on its preliminary view that SCI entities would conduct such work internally. Further, the Commission seeks comment on whether some SCI entities would in fact find it more cost effective to outsource the work that would be required to comply with the proposed rules, and if so, how many of these SCI entities would therefore outsource this work and at what cost. For purposes of facilitating such comment, presented below are certain preliminary assumptions and calculations regarding such potential outsourcing on which the Commission requests comment. Specifically, for purposes of soliciting comment, the Commission is assuming that it would take the same number of hours for a consultant and/or outside attorney to complete the work to be required by proposed Rules 1000(a), 1000(b)(1), 1000(b)(2), 1000(b)(3), 1000(b)(4), 1000(b)(5), 1000(b)(6), 1000(b)(7), 1000(b)(8), and 1000(b)(9), as it would take for an SCI entity to complete that work internally (using the Commission's preliminary estimates above). Further, the Commission is assuming that work would be conducted at a rate of $400 per hour.\463\

---------------------------------------------------------------------------
\463\ This is based on an estimated $400 per hour cost for outside consulting and/or legal services. This is the same estimate used for the Commission's consolidated audit trail rule. See Securities Exchange Act Release No. 67457 (July 18, 2012), 77 FR 45722 (August 1, 2012).
---------------------------------------------------------------------------

Based on the foregoing assumptions, the estimated cost to outsource the work that the Commission preliminarily assumed would be done internally would be as follows:

For identification of immediate notification SCI events and dissemination SCI events: The initial cost would be (a) for an SCI entity that has not participated in the ARP Inspection Program, $16,800; \464\ and (b) for an SCI entity that currently participates in the ARP Inspection Program, $8,400.\465\ The ongoing annual cost would be (a) for an SCI entity that has not participated in the ARP Inspection Program, $4,800; \466\ and (b) for an SCI entity that currently participates in the ARP Inspection Program, $2,400.\467\

---------------------------------------------------------------------------
\464\ 42 hours x $400 = $16,800.
\465\ 21 hours x $400 = $8,400.
\466\ 12 hours x $400 = $4,800.
\467\ 6 hours x $400 = $2,400.
---------------------------------------------------------------------------

For proposed Rule 1000(b)(1) except proposed Rule 1000(b)(1)(i)(F): The initial cost would be (a) for an SCI entity that has not participated in the ARP Inspection Program, $84,000; \468\ and (b) for an SCI entity that currently participates in the ARP Inspection Program, $42,000.\469\ The ongoing annual costs would be (a) for an SCI entity that has not participated in the ARP Inspection Program, $24,000; \470\ and (b) for an SCI entity that currently participates in the ARP Inspection Program, $12,000.\471\

---------------------------------------------------------------------------
\468\ 210 hours x $400 = $84,000.
\469\ 105 hours x $400 = $42,000.
\470\ 60 hours x $400 = $24,000.
\471\ 30 hours x $400 = $12,000.
---------------------------------------------------------------------------

For proposed Rule 1000(b)(1)(i)(F): The initial cost for each SCI entity would be $52,000.\472\ The ongoing annual cost for each SCI entity would be $52,000.\473\

[[Page 18155]]

---------------------------------------------------------------------------
\472\ 130 hours x $400 = $52,000.
\473\ 130 hours x $400 = $52,000.
---------------------------------------------------------------------------

For proposed Rule 1000(b)(2): The initial cost for each SCI entity would be $72,000.\474\ The ongoing annual cost would be (a) for an SCI entity that is an SCI SRO, $48,000; \475\ and (b) for an SCI entity that is not an SCI SRO, $24,000.\476\

---------------------------------------------------------------------------
\474\ 180 hours x $400 = $72,000.
\475\ 120 hours x $400 = $48,000.
\476\ 60 hours x $400 = $24,000.
---------------------------------------------------------------------------

For proposed Rule 1000(b)(3): The initial cost for each SCI entity would be $16,800.\477\ The ongoing annual cost for each SCI entity would be $4,800.\478\

---------------------------------------------------------------------------
\477\ 42 hours x $400 = $16,800.
\478\ 12 hours x $400 = $4,800.
---------------------------------------------------------------------------

For proposed Rule 1000(b)(4): The initial and the ongoing annual cost for each SCI entity would be (a) for proposed Rule 1000(b)(4)(i), $2,000; \479\ (b) for proposed Rule 1000(b)(4)(ii), $520,000; \480\ and (c) for proposed Rule 1000(b)(4)(iii), $6,000.\481\

---------------------------------------------------------------------------
\479\ 5 hours x $400 = $2,000.
\480\ 1,300 hours x $400 = $520,000.
\481\ 15 hours x $400 = $6,000.
---------------------------------------------------------------------------

For proposed Rule 1000(b)(5): The initial and the ongoing annual cost for each SCI entity would be (a) for proposed Rule 1000(b)(5)(i)(A), $16,800; \482\ (b) for proposed Rule 1000(b)(5)(i)(B), $28,000; \483\ (c) for proposed Rule 1000(b)(5)(i)(C), $5,600; \484\ and (d) for proposed Rule 1000(b)(5)(ii), $1,200.\485\

---------------------------------------------------------------------------
\482\ 42 hours x $400 = $16,800.
\483\ 70 hours x $400 = $28,000.
\484\ 14 hours x $400 = $5,600.
\485\ 3 hours x $400 = $1,200.
---------------------------------------------------------------------------

For proposed Rule 1000(b)(6): The initial and ongoing annual cost would be (a) for SCI entities that do not currently participate in the ARP Inspection Program, $48,000; \486\ and (b) for SCI entities that currently participate in the ARP Inspection Program, $24,000.\487\

---------------------------------------------------------------------------
\486\ 120 hours x $400 = $48,000.
\487\ 60 hours x $400 = $24,000.
---------------------------------------------------------------------------

For proposed Rule 1000(b)(7): The initial and ongoing annual cost would be $250,000 for each SCI entity.\488\

---------------------------------------------------------------------------
\488\ 625 hours x $400 = $250,000.
---------------------------------------------------------------------------

For proposed Rule 1000(b)(8): The initial and ongoing annual cost for each SCI entity would be (a) for proposed Rule 1000(b)(8)(i), $400; \489\ and (b) for proposed Rule 1000(b)(8)(ii), $48,000.\490\

---------------------------------------------------------------------------
\489\ 1 hour x $400 = $400.
\490\ 120 hours x $400 = $48,000.
---------------------------------------------------------------------------

For proposed Rule 1000(b)(9)(i) and (ii): The initial annual cost would be $52,000 for each SCI entity.\491\ The ongoing annual cost would be $38,000 for each SCI entity.\492\

---------------------------------------------------------------------------
\491\ 130 hours x $400 = $52,000.
\492\ 95 hours x $400 = $38,000.
---------------------------------------------------------------------------

For proposed Rule 1000(b)(9)(iii): The initial annual cost would be $14,000 for each SCI entity.\493\ The ongoing annual cost would be $1,200 for each SCI entity.\494\

---------------------------------------------------------------------------
\493\ 35 hours x $400 = $14,000.
\494\ 3 hours x $400 = $1,200.
---------------------------------------------------------------------------

210. As discussed above, the Commission requests comment on these preliminary estimates regarding potential outsourcing and the underlying assumptions. For example, is it reasonable to assume that the number of hours for a consultant and/or outside attorney to complete the work would be the same as the number of hours for internal staff to complete the work? If not, why not? Are there certain types of SCI entities (e.g., those having relatively few employees or a smaller number of systems) that would be more likely to find it cost effective to outsource the work, either initially or on an ongoing basis? Please explain. Would the cost to outsource vary depending on the extent and volume of the outsourcing, or the period of time over which such outsourcing took place? Please explain.

7. Total Paperwork Burden Under Regulation SCI

Based on the foregoing, the Commission preliminarily estimates that the total one-time initial burden for all SCI entities to comply with Regulation SCI would be 133,482 hours \495\ and the total one-time initial cost would be $2.6 million.\496\ The Commission preliminarily estimates that the total annual ongoing burden for all SCI entities to comply with Regulation SCI would be 117,258 hours \497\ and the total annual ongoing cost would be $738,400.\498\

---------------------------------------------------------------------------
\495\ 133,482 hours = 26,765 (policies and procedures/mandatory testing requirements) + 100,120 (notification, dissemination, and reporting) + 3,087 (requirements to take corrective actions, identify immediate notification SCI events, and identify dissemination SCI events) + 3,510 (recordkeeping).
\496\ $2.6 million = $1.9 million (policies and procedures/mandatory testing requirements) + $660,000 (notification, dissemination, and reporting) + $16,200 (recordkeeping).
\497\ 117,258 hours = 15,806 (policies and procedures/mandatory testing requirements) + 100,120 (notification, dissemination, and reporting) + 882 (requirements to take corrective actions, identify immediate notification SCI events, and identify dissemination SCI events) + 450 (recordkeeping).
\498\ $738,400 = $78,400 (policies and procedures/mandatory testing requirements) + $660,000 (notification, dissemination, and reporting).
---------------------------------------------------------------------------

211. The Commission seeks comment on the collection of information burdens associated with proposed Regulation SCI. Specifically:

212. Do commenters agree with the Commission's estimate of the number of respondents required to comply with proposed Regulation SCI? Why or why not?

213. Do commenters agree with the Commission's estimate of the burden for SCI entities to comply with proposed Regulation SCI? Why or why not?

214. Would there be additional burdens, beyond those described here, associated with the collection of information under proposed Regulation SCI? Please explain.

215. How much additional burden would proposed Regulation SCI impose upon those SCI entities that already are voluntarily in compliance with existing ARP Policy Statements?

216. Would SCI entities generally perform the work required by proposed Regulation SCI internally or outsource the work?

E. Collection of Information Is Mandatory

All collections of information pursuant to the proposed rules would be a mandatory collection of information.

F. Confidentiality

To the extent that the Commission receives confidential information pursuant to the reports and submissions that SCI entities would submit under proposed Form SCI, such information would be kept confidential, subject to the provisions of applicable law.\499\

---------------------------------------------------------------------------
\499\ See, e.g., 5 U.S.C. 552. Exemption 4 of the Freedom of Information Act provides an exemption for ``trade secrets and commercial or financial information obtained from a person and privileged or confidential.'' 5 U.S.C. 552(b)(4). Exemption 8 of the Freedom of Information Act provides an exemption for matters that are ``contained in or related to examination, operating, or condition reports prepared by, on behalf of, or for the use of an agency responsible for the regulation or supervision of financial institutions.'' 5 U.S.C. 552(b)(8).
---------------------------------------------------------------------------

G. Retention Period of Recordkeeping Requirements

SCI entities would be required to retain records and information under proposed Regulation SCI for a period of not less than five years, the first two years in a place that is readily accessible to the Commission or its representatives.\500\

---------------------------------------------------------------------------
\500\ See proposed Rule 1000(c).
---------------------------------------------------------------------------

H. Request for Comments

217. Pursuant to 44 U.S.C. 3506(c)(2)(B), the Commission solicits comment to: (1) Evaluate whether the proposed collection of information is necessary for the proper performance of the functions of the agency, including whether the information shall have practical utility; (2) evaluate the accuracy of the agency's estimate of the burden of the proposed collection of information; (3) enhance the quality, utility, and clarity of the information to be collected; and (4) minimize the burden of collection of information on those who are to respond, including through the use of automated collection techniques or other forms of information technology.

[[Page 18156]]

Persons wishing to submit comments on the collection of information requirements should direct them to the Office of Management and Budget, Attention: Desk Officer for the Securities and Exchange Commission, Office of Information and Regulatory Affairs, Room 3208, New Executive Office Building, Washington, DC 20503; and should send a copy to Elizabeth M. Murphy, Secretary, Securities and Exchange Commission, 100 F Street NE., Washington, DC 20549-1090 with reference to File No. S7-01-13. OMB is required to make a decision concerning the collection of information between 30 and 60 days after publication, so a comment to OMB is best assured of having its full effect if OMB receives it within 30 calendar days of publication. The Commission will submit the proposed collection of information to OMB for approval. Requests for the materials to be submitted to OMB by the Commission with regard to this collection of information should be in writing, refer to File No. S7-01-13, and be submitted to the Securities and Exchange Commission, Office of Investor Education and Advocacy, 100 F Street NE., Washington, DC 20549-0213.

I. Reduced Burdens From Proposed Repeal of Rule 301(b)(6) (OMB Control Number 3235-0509)

The instant proposal also would amend Regulation ATS under the Exchange Act, by removing paragraph (b)(6) of Rule 301 thereunder.\501\ Removal of Rule 301(b)(6) would eliminate certain ``collection of information'' requirements within the meaning of the PRA that the Commission has submitted to OMB in accordance with 44 U.S.C. 3507 and 5 CFR 1320.11, and that OMB has approved. The approved collection of information is titled ``Rule 301: Requirements for Alternative Trading Systems,'' and has a valid OMB control number of 3235-0509.\502\ Some of the information collection burdens imposed by Regulation ATS would be reduced by the proposed repeal of Rule 301(b)(6). Specifically, the paperwork burdens that would be eliminated by the repeal of Rule 301(b)(6) would be: (i) Burdens on ATSs associated with the requirement to make records relating to any steps taken to comply with systems capacity, integrity and security requirements under Rule 301 (estimated to be 20 hours and $2,212); \503\ and (ii) burdens on ATSs associated with the requirement to provide notices to the Commission to report systems outages (estimated to be 2.5 hours and $276.50).\504\

---------------------------------------------------------------------------
\501\ See 17 CFR 242.301(b)(6). See also Securities Exchange Act Release No. 40760 (December 8, 1998), 63 FR 70844 (December 22, 1998) (``ATS Release'').
\502\ See Rule 301: Requirements for Alternative Trading Systems OMB Control No: 3235-0509 (Rule 301 supporting statement), available at: https://www.reginfo.gov. This approval has an expiration date of February 28, 2014.
\503\ The Commission estimated that two alternative trading systems that register as broker-dealers and comply with Regulation ATS would trigger this requirement, and that the average compliance burden for each response would be 10 hours of in-house professional work at $316 per hour.
Thus, the total compliance burden per year was estimated to be 20 hours (2 respondents x 10 hours = 20 hours). The total annualized cost burden was estimated to be $2,212 ($316 x 20 hours x 35% = $2,212). See Rule 301: Requirements for Alternative Trading Systems OMB Control No: 3235-0509 (Rule 301 supporting statement), available at: https://www.reginfo.gov.
\504\ The Commission estimated that two alternative trading systems that register as broker-dealers and comply with Regulation ATS would meet the volume thresholds that trigger systems outage notice obligations approximately 5 times a year, and that the average compliance burden for each response would be .25 hours of in-house professional work at $316 per hour. Thus, the total compliance burden per year was estimated to be 2.5 hours (2 respondents x 5 responses each x .25 hours = 2.5 hours). The total annualized cost burden was estimated to be $276.50 ($316 x .25 hours per response x 10 responses x 35% = $276.50). See id.
---------------------------------------------------------------------------

The Commission will submit the proposed amended collection of information to reflect these reductions to OMB for approval. Requests for the materials to be submitted to OMB by the Commission with regard to this collection of information should be in writing, refer to File No. S7-01-13, and be submitted to the Securities and Exchange Commission, Office of Investor Education and Advocacy, 100 F Street NE., Washington, DC 20549-0213.

V. Economic Analysis

A. Background

As discussed more fully above, the Commission believes that the convergence of several developments--the evolution of the markets to become significantly more dependent upon sophisticated automated systems (driven by regulatory developments and the continual evolution of technologies for generating, routing, and executing orders), the limitations of the existing ARP Inspection Program, and the lessons of recent events (as discussed in Section I.D above)--highlight the need to consider an updated and formalized regulatory framework for ensuring that the U.S. securities trading markets develop and maintain systems with adequate capacity, integrity, resiliency, availability, and security, and reinforce the requirement that SCI systems operate in compliance with the Exchange Act. The Commission is also cognizant of the comments made at the Roundtable and the comment letters submitted in connection with the Roundtable.\505\ Proposed Regulation SCI would codify and enhance the Commission's ARP Inspection Program, as well as establish specific requirements to help ensure that the SCI systems of SCI entities operate in compliance with the federal securities laws and rules.

---------------------------------------------------------------------------
\505\ See supra Section I.D.
--------------------------------------------------------------------------- Specifically, proposed Regulation SCI would require each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, SCI security systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity's operational capability and promote the maintenance of fair and orderly markets, as well as written policies and procedures reasonably designed to ensure that its SCI systems operate in the manner intended, including in a manner in compliance with the federal securities laws and rules, and its own rules or governing documents, as applicable. Proposed Regulation SCI also would require SCI entities to provide certain notices and reports to the Commission on Form SCI regarding, among other things, SCI events and material systems changes. Further, proposed Regulation SCI would require SCI entities to disseminate information to members or participants relating to dissemination SCI events and to begin taking appropriate corrective action upon any responsible SCI personnel becoming aware of an SCI event. Additionally, proposed Regulation SCI would require each SCI entity to conduct an SCI review at least annually, and submit a report of such review to the Commission, together with any response by senior management. Further, proposed Regulation SCI would require an SCI entity, with respect to its business continuity and disaster [[Page 18157]] recovery plans, to require participation by designated members or participants in scheduled functional and performance testing of the operation of such plans and coordinate such testing with other SCI entities. Proposed Regulation SCI would also require SCI entities to make, keep, and preserve books and records related to compliance with Regulation SCI. 
The Commission is sensitive to the economic effects of proposed Regulation SCI, including its costs and benefits.\506\ As discussed further below, the Commission requests comment on all aspects of the costs and benefits of the proposal, including any effects the proposed rules may have on efficiency, competition, and capital formation. --------------------------------------------------------------------------- \506\ See also supra Section III.F (requesting comment on applying proposed Regulation SCI to SB SDRs and/or SB SEFs and discussing the potential costs and benefits of applying proposed Regulation SCI to SB SDRs and/or SB SEFs). --------------------------------------------------------------------------- B. Economic Baseline As noted in Section I.A above, all registered national securities exchanges, all active registered clearing agencies, FINRA, two plan processors, one ATS, and one exempt clearing agency participate in the current ARP Inspection Program, which covers their automated systems.\507\ Under the ARP policy statements and through the ARP Inspection Program, these entities, among other things, are expected to establish current and future capacity estimates, conduct capacity stress tests, conduct annual reviews of whether affected systems can perform adequately in light of estimated capacity levels, and identify possible threats to the systems.\508\ The ARP policy statements and Commission staff letters address, among other things, independent reviews, the reporting of certain systems changes, intrusions, and outages, and the need to comply with relevant laws and rules.\509\ --------------------------------------------------------------------------- \507\ As noted above, the Commission, in the ARP I Release, defined the term ``automated systems'' to refer ``collectively to computer systems for listed and OTC equities, as well as options, that electronically route orders to applicable market makers and systems that electronically route and execute 
orders, including the data networks that feed the systems * * * [and encompasses] systems that disseminate transaction and quotation information and conduct trade comparisons prior to settlement, including the associated communication networks.'' See supra note 12. \508\ A more complete description of the history of the ARP Inspection Program is discussed in supra Section I.A. \509\ The ARP policy statements and Commission staff letters are discussed in supra Section I.A. --------------------------------------------------------------------------- Trading volume in the securities markets has become increasingly dispersed across a broader range of market centers in recent years,\510\ with ATSs accounting for a significant portion of volume.\511\ However, no ATSs currently meet or exceed the volume thresholds that would trigger compliance with the system safeguard requirements of Rule 301(b)(6) of Regulation ATS.\512\ Thus, while ATSs comprise a significant portion of consolidated volume, only one ATS currently participates in the ARP Inspection Program.\513\ Dark pools alone comprised approximately 13 percent of consolidated volume last spring,\514\ but also are not part of the ARP Inspection Program. Further, ATSs that trade fixed income securities, including municipal and corporate debt securities, and non-NMS stocks (also referred to as OTC equities) are not represented in the ARP Inspection Program and do not meet the current thresholds in Regulation ATS for the application of systems safeguard rules. --------------------------------------------------------------------------- \510\ See supra notes 44, 47, and 51. \511\ See supra note 50 and accompanying text. \512\ See supra Section III.B.1. \513\ See supra note 25 and accompanying text. \514\ See Nina Mehta, Dark Pools Capture Record U.S. Volume Share, Bloomberg (March 1, 2012), available at: https://rblt.com/news_details.aspx?id=187. 
--------------------------------------------------------------------------- Proposed Regulation SCI would apply to SROs (including national securities exchanges,\515\ national securities associations, registered clearing agencies, and the MSRB \516\), SCI ATSs,\517\ plan processors,\518\ and exempt clearing agencies subject to ARP.\519\ As such, proposed Regulation SCI would specifically cover the trading of NMS stocks, OTC equities, listed options, and debt securities. The proposed rules also would impact multiple markets for services, including the markets for trading services, listing services, regulation and surveillance services, clearing and settlement services, and market data. --------------------------------------------------------------------------- \515\ Proposed Regulation SCI would not apply to an exchange that lists or trades security futures products that is notice- registered with the Commission as a national securities exchange pursuant to Section 6(g) of the Exchange Act, including security futures exchanges. See supra note 97 and accompanying text. \516\ In 2011, the total par amount of municipal securities traded was approximately $3.3 trillion in approximately 10.4 million trades. See MSRB 2011 Fact Book at 8-9, available at: https://www.msrb.org/msrb1/pdfs/MSRB2011FactBook.pdf. \517\ See supra Section III.B.1 for the discussion of SCI ATSs. \518\ In addition, the Commission is soliciting comment on whether, and if so how, proposed Regulation SCI should apply to SB SDRs and/or SB SEFs. See supra Section III.F. \519\ See supra Section III.B.1 for the discussion of exempt clearing agencies subject to ARP. --------------------------------------------------------------------------- As indicated above, many of the entities in these service markets are currently covered by the ARP Inspection Program. 
Therefore, the Commission recognizes that any economic effects, including costs and benefits, should be compared to a baseline that reflects current practices under the ARP Inspection Program and the limitations of that program discussed in Section I.C above.\520\ In addition to the ARP Inspection Program, Commission staff has provided guidance to ARP entities on certain aspects of the ARP Inspection Program (e.g., in the 2001 Staff ARP Interpretive Letter).\521\ Further, Commission staff has provided guidance on issues that are outside the current scope of the ARP Inspection Program (e.g., in the 2009 Staff Systems Compliance Letter) but that are proposed to be addressed by Regulation SCI.\522\ Below, the Commission provides information on the current practices related to the types of market events addressed by proposed Regulation SCI, including, where available, information the Commission may have on the frequency of such events. In addition, the Commission describes why each relevant service market may not be structured in a way that creates a competitive incentive to prevent the occurrence of these market events.\523\ --------------------------------------------------------------------------- \520\ See also supra Section I.A for the discussion of the current scope of the ARP Inspection Program. The Commission acknowledges that, to the extent current practices of SCI entities have been informed by the ARP policy statements, such practices have not been subject to a cost-benefit analysis and that the discussion herein considers only the incremental costs and benefits (i.e., compared to current practices). \521\ See 2001 Staff ARP Interpretive Letter, supra note 35. \522\ See 2009 Staff Systems Compliance Letter, supra note 36. \523\ The Commission compares current practices to each of the proposed rules in infra Section V.B.3. --------------------------------------------------------------------------- 1. SCI Events a.
Systems Disruptions Currently, market participants employ a variety of measures to avoid systems disruptions for a variety of reasons, including to maintain competitive advantages, to provide optimal service to members with access to the trading and/or other services provided by the entity, to comply with legal obligations and, where applicable, to participate in the ARP Inspection Program. The range of such measures is possibly highly variable among SCI entities and among the systems employed by a single SCI entity. For example, matching engines are likely accorded high priority given the importance of low latency in trading. Industry standards for such entities and systems are not codified, except to the extent they appear in an entity's rulebook or subscriber agreement. Typically, however, market participants follow industry standards and take measures that include weekend [[Page 18158]] system testing and internal performance monitoring. When systems disruptions do occur, market participants take corrective action in the interest of remaining competitive, to provide optimal service, and to comply with legal obligations. To place the effectiveness of the current ARP Inspection Program in perspective, there were approximately 175 ARP incidents reported to the Commission in 2011. These incidents had durations ranging from under one minute to 24 hours, with most incidents having a duration of less than 2 hours. As noted above, the Commission believes that clearing systems and matching engines generally are given greater priority than other systems at SCI entities with regard to corrective action. In addition, the Commission believes that SCI entities that currently participate in the ARP Inspection Program strive to adhere to the next-business-day resumption standard for trading and the two-hour resumption standard for clearance and settlement services, standards which the proposed rule would codify for all SCI entities.
As discussed in Section I.A, participation in the ARP Inspection Program entails, among other things, conducting annual assessments of affected systems, providing notifications of significant system changes to the Commission, and reporting significant system outages to the Commission. Further, Commission staff has provided guidance to the SROs and other participants in the ARP Inspection Program on what should be considered a ``significant system change'' and a ``significant system outage'' for purposes of reporting systems changes and problems to Commission staff.\524\ As such, the Commission believes that entities that currently participate in the ARP Inspection Program have certain processes for determining whether a systems change or outage is ``significant.'' Specifically, the 2001 Staff ARP Interpretive Letter sets forth the types of outages and changes that should be reported to the Commission and the timing of such reporting. Also, as discussed below, the ARP policy statements are focused on automated systems. Specifically, entities that participate in the ARP Inspection Program follow the ARP policy statements with respect to systems that directly support trading, clearance and settlement, order routing, and market data. While generally only trading, clearance and settlement, order routing, and market data systems follow the guidelines in the ARP policy statements, ARP staff inspects all the categories of systems that are included in the proposed definition of ``SCI systems.'' \525\ However, ARP staff generally inspects systems that are not directly related to trading, clearance and settlement, order routing, or market data only if it detects red flags. --------------------------------------------------------------------------- \524\ See supra note 35. \525\ See supra Section III.B.2.
--------------------------------------------------------------------------- As discussed above, the ARP Inspection Program has garnered participation by all active registered clearing agencies, all registered national securities exchanges, FINRA, plan processors, one ATS, and one exempt clearing agency.\526\ Specifically, the Commission estimates that there are currently 29 SCI entities that are participants in the ARP Inspection Program.\527\ As noted, there were approximately 175 ARP incidents reported to the Commission in 2011. Although some entities provide the public with notices of outages,\528\ others may choose otherwise and are not required to do so. --------------------------------------------------------------------------- \526\ See supra Section I.A. \527\ See supra note 368. \528\ See e.g., NYSE Market Status, available at: https://usequities.nyx.com/nyse/market-status; NYSE Amex Options Outage Update, available at: https://www.nyse.com/pdfs/Trader_Update_Amex_Outage_0928.pdf; and NYSE Arca, Recap: Exchange Outage on Monday Morning March 7, 2011, available at: https://www.nyse.com/pdfs/2011037ExchangeOutageNotice.pdf. --------------------------------------------------------------------------- Further, as discussed above, pursuant to Rule 301(b)(6) of Regulation ATS, certain aspects of the ARP policy statements apply to ATSs that meet the thresholds set forth in that rule.\529\ Currently, no ATSs meet such thresholds and, as such, none are required by Commission rule to implement systems safeguard measures. The Commission recognizes that it is in the interest of every market participant that does not participate in the ARP Inspection Program to try to avoid systems disruptions. 
Specifically, the Commission understands that generally, ATSs, like entities that currently participate in the ARP Inspection Program, employ a variety of measures to avoid systems disruptions, including systems testing, performance monitoring, and the use of fail-over back-up systems. In fact, one ATS currently voluntarily participates in the ARP Inspection Program.\530\ However, although the ARP Inspection Program, and the testing done and other measures taken by the entities that participate in it, have been beneficial to the industry, the systems of SCI entities could still be improved. For example, contingency planning for catastrophic events has not been fully adequate, as evidenced in the wake of Superstorm Sandy, when an extended shutdown of the equities and options markets resulted from, among other things, the exchanges' belief that some market participants would be unable to operate adequately from the backup facilities of all market centers.\531\ Although testing protocols were in place and the chance to participate in such testing was available, not all members or participants participated in such testing.\532\ Proposed Regulation SCI would require that designated members or participants of an SCI entity participate in scheduled functional and performance testing of the operation of the SCI entity's business continuity and disaster recovery plans, including its backup systems, and further require that SCI entities coordinate the testing of such plans on an industry- or sector-wide basis with other SCI entities.
The Commission preliminarily believes that these proposed requirements would mitigate the chances of similar disruptions in the future.\533\ --------------------------------------------------------------------------- \529\ Specifically, Rule 301(b)(6) of Regulation ATS applies to ATSs that, during at least four of the preceding six months, had: (A) With respect to any NMS stock, 20 percent or more of the average daily volume reported by an effective transaction reporting plan; (B) with respect to equity securities that are not NMS stocks and for which transactions are reported to a self-regulatory organization, 20 percent or more of the average daily volume as calculated by the self-regulatory organization to which such transactions are reported; (C) with respect to municipal securities, 20 percent or more of the average daily volume traded in the United States; or (D) with respect to corporate debt securities, 20 percent or more of the average daily volume traded in the United States. See 17 CFR 242.301(b)(6)(i). \530\ See supra note 91. \531\ See supra Section I.D; see also supra Section III.C.7. \532\ See supra Section I.D. In addition, the Commission understands that the scope of testing was limited. \533\ See proposed Rule 1000(b)(9); see also supra Section III.C.7. --------------------------------------------------------------------------- b. Systems Compliance Issues Currently, systems compliance issues (as proposed to be defined in Rule 1000(a)) are not covered by the ARP Inspection Program. 
However, national securities exchanges are subject to Section 6(b) of the Exchange Act, which requires an exchange to be organized and to have the capacity to carry out the purposes of the Exchange Act and to comply with the provisions of the Exchange Act, the rules and regulations thereunder, and its own rules.\534\ FINRA is subject to Section 15A(b) of the Exchange Act, which requires a national securities association to be organized and have the capacity to carry out the purposes of the Exchange Act and to comply with the provisions of the [[Page 18159]] Exchange Act, the rules and regulations thereunder, the MSRB rules, and its own rules.\535\ Further, an ATS could face Commission sanctions if it fails to comply with relevant federal securities laws and rules and regulations thereunder. Events such as those described above have recently drawn attention to systems compliance issues.\536\ In part due to the fact that systems compliance issues are not part of the ARP Inspection Program, the Commission does not receive comprehensive data regarding such issues and, thus, their incidence cannot be concretely quantified. However, based on Commission staff's experience with SROs and the rule filing process, the Commission estimates that there are likely approximately seven systems compliance issues per SCI entity per year. --------------------------------------------------------------------------- \534\ See 15 U.S.C. 78f(b). \535\ See 15 U.S.C. 78o-3(b). \536\ See, e.g., supra notes 62-63 and accompanying text. --------------------------------------------------------------------------- c. Systems Intrusions In ARP I, the Commission stated its view that SROs should promptly notify Commission staff of any instances in which unauthorized persons gained or attempted to gain access to SRO systems.\537\ Market participants employ a wide variety of measures to prevent and respond to systems intrusions. 
Generally, market participants use measures such as firewalls to prevent systems intrusions and intrusion detection software to identify them. Once an intrusion has been identified, the affected systems typically would be isolated and quarantined, and forensics would be performed. Several SCI entities have been the subject of security issues in recent years.\538\ The Commission believes that, currently, these events are rarely revealed to the public or to the members or participants of SCI entities. --------------------------------------------------------------------------- \537\ See ARP I, supra note 1. See also text accompanying supra note 17. \538\ For example, as discussed above, in February 2011, NASDAQ OMX Group, Inc. announced that hackers had penetrated certain of its computer networks. See supra note 61 and accompanying text. --------------------------------------------------------------------------- 2. Potential for Market Solutions This section discusses potential market solutions and their shortcomings. Various SCI and non-SCI entities offer and compete to provide services in markets for trading services, listing services, regulatory services, clearance and settlement services, and market data. The markets for each of these services are both regulated and competitive, which may make it difficult to determine whether markets are functioning well due to competitive pressure or regulation, and how much can be attributed to each. However, there are limitations to such competition, and the following is a discussion of some limitations that are common to all of these markets.
Notwithstanding what may be the limitations to competition in each of these markets, the Commission is also mindful, in evaluating whether, and if so, how, to regulate in this space, of the need to craft rules that appropriately take into account the tradeoffs between the resulting costs and benefits, and the effects on efficiency, competition, and capital formation, that would accompany such regulation. Market participants may be unaware when SCI events disrupt transactions due to, for example, a lack of timely and consistently disseminated information about SCI events. First, providers of services that experience SCI events may lack the incentive to disclose such events. Second, other providers of services may choose to not publicly comment on the identity of providers who experienced SCI events.\539\ For example, providers of trading services may choose not to point to other providers because the next SCI event may occur on their own systems. In addition, a person or entity pointing at other providers may be exposed to litigation risks. --------------------------------------------------------------------------- \539\ The Commission notes, however, that certain providers of trading services do provide public disclosure of systems issues at another provider. For example, when one trading venue perceives that a second venue is non-responsive when orders are routed to that second venue, the first venue will declare self-help under Rule 611 of Regulation NMS, which permits the first venue to cease to route orders to the second venue in certain instances. Certain trading venues would provide public notification of self-help. See, e.g., NASDAQ Market System Status, available at: https://www.nasdaqtrader.com/Trader.aspx?id=MarketSystemStatus. --------------------------------------------------------------------------- While some SCI events may not directly impact markets, they are still an indication of the risk of SCI events at a given SCI entity. 
It is likely that market participants assume that services operate as promised until an SCI event occurs. Reputation and good experiences with a trading venue may cause market participants to trust its effectiveness. In the absence of problems, however, a system may be assumed to be fully functional. Once a problem occurs, market participants will update their prior assumptions and should correctly infer that the system is not as robust as previously believed. Moreover, in the case of SCI events that disrupt the entire market or large portions of it (e.g., the data outages during the flash crash on May 6, 2010), all providers of trading services may be affected at the same time and, as a result, market participants may find it challenging to identify service providers with lower risks of such SCI events. In light of the foregoing, members and participants of SCI entities would be important recipients of information disseminated about SCI events because they are the parties who would most naturally need, want, and be able to act on the information and, where applicable, share such disseminated information to other interested market participants, as discussed further below. a. Market for Trading Services Trading services are offered by entities that would meet the definition of SCI entity, including equities exchanges, options exchanges, and SCI ATSs, as well as by entities that would not be included in the proposed definition of SCI entity, such as ATSs that are not SCI ATSs, OTC market makers, and broker-dealers. 
As discussed above in Section I.B, there are currently 13 national securities exchanges that trade equity securities, with none having an overall market share of greater than 20 percent.\540\ There are currently 11 national securities exchanges that trade options.\541\ Of these exchanges, CBOE, ISE, and Nasdaq OMX Phlx have the most significant market share.\542\ ATSs--both ECNs and dark pools--as well as OTC market makers and broker-dealers also execute substantial volumes of stocks and bonds.\543\ --------------------------------------------------------------------------- \540\ See supra note 47 and accompanying text. These national securities exchanges are: BATS; BATS-Y; CBOE; CHX; EDGA; EDGX; Nasdaq OMX BX; Nasdaq OMX Phlx; Nasdaq; NSX; NYSE; NYSE MKT; and NYSE Arca. \541\ These national securities exchanges are: BATS Exchange Options Market; BOX; C2; CBOE; ISE; MIAX; NASDAQ Options Market; Nasdaq OMX BX Options; Nasdaq OMX Phlx; NYSE Amex Options; and NYSE Arca. \542\ Specifically, during 2012, CBOE had 26.46% of the market share, Nasdaq OMX Phlx had 19.77%, and ISE had 15.78%. Calculated using data regarding number of contracts traded from Options Clearing Corporation, available at: https://www.theocc.com/market-data/volume/. \543\ As discussed above in Section III.B.1, the Commission estimates that the proposed definition of ``SCI entity'' would capture approximately 15 SCI ATSs (10 SCI ATSs in NMS stocks, two SCI ATSs in non-NMS stocks, and three SCI ATSs in municipal securities and corporate debt securities). 
--------------------------------------------------------------------------- With respect to the competitive nature of the market for trading services, as well as the limitations to the competitive effects, all providers of trading services compete and have incentives to avoid systems disruptions, systems compliance issues, and systems intrusions because, for example, brokers and other entities will be inclined to route orders away from trading venues [[Page 18160]] that have frequent systems problems. Indeed, trading service providers expend resources to provide quality services and attempt to mitigate systems disruptions, systems compliance issues, and systems intrusions; however, it is not clear how to distinguish efforts attributable to competitive pressures from those attributable to existing legal requirements and regulatory programs such as the ARP Inspection Program.\544\ --------------------------------------------------------------------------- \544\ See also supra Section V.B.1, noting the various reasons why SCI entities currently take action to address systems problems. --------------------------------------------------------------------------- The Commission recognizes that there may be limits with respect to the extent to which competition ameliorates systems problems associated with trading services. However, the Commission remains mindful of the need to craft rules that appropriately take into account the tradeoffs between the costs and benefits, and the effects on efficiency, competition, and capital formation, associated with any such rules. The Commission preliminarily believes that it is important for SCI entity members or participants to know about the risks of SCI events at a given service provider.
As discussed above, if information about SCI events is not disseminated to members or participants of SCI entities or is not attributable to specific SCI entities, market participants may misjudge the quality of trading services or otherwise make decisions without fully accounting for such risks. Furthermore, as evidenced by the extended shutdown of the equities and options markets that resulted from, among other things, the exchanges' belief that some market participants would be unable to operate adequately from the backup facilities of all market centers, contingency planning has not been adequate to help prevent market-wide outages.\545\ For example, as noted above, the NYSE offered its members the opportunity to participate in testing of its backup systems, but not all members chose to participate in such testing, and the Commission understands that the scope of the test was limited.\546\ --------------------------------------------------------------------------- \545\ See supra Section I.D. \546\ See supra Section I.D. See also supra notes 83 and 532 and accompanying text. --------------------------------------------------------------------------- In addition, even though there are multiple trading venues, suppliers of trading services may have limited ability to transact in particular securities (e.g., certain index options may trade on only one options exchange). As a result, competition in the market for trading services may not sufficiently mitigate the occurrence of SCI events, and there may be insufficient disclosure of information regarding the quality of trading services offered by SCI entities. b. Market for Listing Services Certain SCI entities are in the market for listing services. In this market, exchanges compete to list issuers to collect listing fees and to provide ancillary services to listed companies. The NYSE and Nasdaq are the largest U.S.
exchanges in terms of the number of equity securities listed, with the NYSE and Nasdaq serving as the listing market for 3,262 and 2,691 securities, respectively, as of February 4, 2013.\547\ U.S. exchanges face competition from other U.S. exchanges and from non-U.S. exchanges. --------------------------------------------------------------------------- \547\ See NASDAQ Company List, available at: https://www.nasdaq.com/screening/company-list.aspx, for the list of companies listed on NYSE and NASDAQ. --------------------------------------------------------------------------- Competition for listings may be limited by many factors. With respect to the limitations of competitive forces in the market for listing services, first, while a company can be listed on a certain exchange, trading does not necessarily occur on that exchange. In fact, the majority of trading occurs away from the listing exchange in today's U.S. equities markets.\548\ Second, there are switching costs associated with moving a listing from one exchange to another, which may cause issuers to remain at their current exchange, even in response to the occurrence of some SCI events. Third, certain exchanges also may be considered more ``prestigious'' than others and, to this extent, they may wield market power over other exchanges when competing for issuers. As a result, these exchanges may not be properly incentivized to provide the level of service they otherwise might if they were subject to greater competition. Members and participants of SCI entities that serve as underwriters to issuers would be important recipients of information disseminated by SCI entities about dissemination SCI events, particularly if they share such information with issuers making listing decisions. 
---------------------------------------------------------------------------
\548\ See BATS Market Volume Summary, available at: https://www.batstrading.com/market_summary/ (displaying the dispersion of trading in equity securities, which indicates that trading occurs away from listing exchanges).
---------------------------------------------------------------------------

c. Market for Regulation and Surveillance Services

Regulation and surveillance are required by statutes and rules and, therefore, all regulated market participants (e.g., exchanges or ATSs) have a demand for regulation and surveillance services. Suppliers in this market may be in-house or third parties, and potentially include all of the exchanges and FINRA. Because of regulatory services agreements (``RSAs'') between FINRA and several national securities exchanges, as of February 2011, FINRA's Market Regulation Department was responsible for surveillance of 80 percent of the trading volume in U.S. equity markets and 35 percent of the volume in U.S. options markets.\549\ Also, in 2011, BATS and BATS-Y entered into RSAs with CBOE as the supplier.\550\ On the other hand, some exchanges have not entered into RSAs.

---------------------------------------------------------------------------
\549\ See FINRA 2011 Annual Regulatory and Examination Priorities Letter (February 8, 2011), available at: https://www.finra.org/web/groups/industry/@ip/@reg/@guide/documents/industry/p122863.pdf.
\550\ See BATS Global Markets, Inc., Amendment No. 5 to Form S-1, dated March 21, 2012 (Registration No. 333-174166).
---------------------------------------------------------------------------

There are other regulatory services arrangements in addition to RSAs.
For example, in 2008, the Commission declared effective a plan for allocating regulatory responsibilities pursuant to Rule 17d-2,\551\ which, among other things, allocated regulatory responsibility for the surveillance, investigation, and enforcement of Common Rules \552\ over Common NYSE Members,\553\ with respect to NYSE-listed stocks and NYSE Arca-listed stocks, to NYSE and over Common FINRA Members,\554\ with respect to NASDAQ-listed stocks, Amex-listed stocks, and any CHX solely-listed stock, to FINRA.\555\

---------------------------------------------------------------------------
\551\ See Securities Exchange Act Release No. 58536 (September 12, 2008), 73 FR 54646 (September 22, 2008). See also 17 CFR 240.17d-2 (permitting SROs to propose joint plans for the allocation of regulatory responsibilities with respect to their common members).
\552\ Such rules include federal securities laws and rules promulgated by the Commission pertaining to insider trading, and the rules of the plan participants that are related to insider trading as provided on Exhibit A to a Rule 17d-2 Plan. See Agreement for the Allocation of Regulatory Responsibility of Surveillance, Investigation and Enforcement for Insider Trading pursuant to Sec. 17(d) of the Securities Exchange Act of 1934, 15 U.S.C. Sec. 78q(d), and Rule 17d-2 thereunder.
\553\ Common NYSE Members include those who are members of the NYSE and of at least one of the plan participants. See id.
\554\ Common FINRA Members include those who are members of FINRA and of at least one of the plan participants. See id.
\555\ Participants in this plan are: BATS, BATS-Y, CBOE, CHX, EDGA, EDGX, FINRA, Nasdaq OMX BX, Nasdaq OMX Phlx, Nasdaq, NSX, NYSE, NYSE Amex, and NYSE Arca. See id. In January 2011, this Rule 17d-2 plan was amended as a result of an agreement under which FINRA assumed the responsibility for performing the market surveillance and enforcement functions previously conducted by NYSE Regulation for its U.S.
equities and options markets. Under the plan, FINRA charges participants a fee for the performance of regulatory responsibilities. See Securities Exchange Act Release No. 63750 (January 21, 2011), 76 FR 4948 (January 27, 2011). There are other types of Rule 17d-2 plans, including multilateral and bilateral plans. While other SROs perform some regulatory functions under the options-related market surveillance and Regulation NMS multiparty 17d-2 plans, FINRA provides the bulk of services under all other 17d-2 plans.
---------------------------------------------------------------------------

[[Page 18161]]

With respect to limitations of competition that are specific to the market for regulatory and surveillance services, if investors, issuers, or other market participants become aware of SCI events by virtue of the members or participants of SCI entities sharing information they have received about dissemination SCI events, and such information suggests that an SRO has low-quality regulation and surveillance, they may avoid such venues since they may feel that their interests are not being adequately protected. In the case of an RSA, there is competition among providers of such services because the user of the service can enter into a contract with a different provider. An SRO that purchases regulatory and surveillance services pursuant to an RSA retains the ultimate responsibility and liability for its self-regulatory obligations, and has an interest in seeking a service provider that would provide a high level of regulatory and surveillance services.\556\ Since the purchaser of these services could face Commission sanctions and experience damage to its reputation for violations resulting from inadequate regulation and surveillance, providers of these services may have the incentive to ensure that they provide a high level of service.
---------------------------------------------------------------------------
\556\ In contrast to an RSA, under Rule 17d-2(d) under the Exchange Act, ``[u]pon the effectiveness of such a plan or part thereof, any self-regulatory organization which is a party to the plan shall be relieved of responsibility as to any person for whom such responsibility is allocated under the plan to another self-regulatory organization to the extent of such allocation.'' 17 CFR 240.17d-2(d).
---------------------------------------------------------------------------

A factor that limits competition in this market is that it is highly concentrated. As noted above, FINRA accounts for the surveillance of 80 percent of trading volume in U.S. equity markets and, although any SRO could potentially be a provider of such services, not all choose to do so, and thus there may not be many alternatives for RSAs. With respect to the market for Rule 17d-2 plans, the Commission recognizes that the level of competition may be limited, as Rule 17d-2 was intended to address regulatory duplication for broker-dealers that are members of more than one SRO, and one of which is usually FINRA.

d. Market for Clearance and Settlement Services

Certain SCI entities are in the market for clearance and settlement services. There are seven registered clearing agencies with active operations--DTC, FICC, NSCC, OCC, ICE Clear Credit, ICE Clear Europe, and CME \557\--as well as one exempt clearing agency.\558\ An SCI event in this market could have very disruptive and widespread effects on the financial markets.
Because each clearing agency has a critical role in the operation of a particular product market, clearing agencies may already have heightened incentives to ensure that their systems have adequate levels of capacity, integrity, resiliency, availability, and security.\559\ At the same time, one of the major impediments to competition in this market is that it is highly concentrated in particular classes of securities (e.g., equities or options). This may limit incentives for clearing agencies to have levels of capacity, integrity, resiliency, availability, and security that are appropriate for their role in the securities market. Thus, for the market for clearance and settlement services, it is especially important for the Commission and clearing agency participants to have current and accurate information about SCI events to help ensure that the clearing agencies are properly incentivized to provide high-quality service.

---------------------------------------------------------------------------
\557\ As noted above, active registered clearing agencies are part of the current ARP Inspection Program. See supra note 95 and accompanying text.
\558\ As noted above, Omgeo is part of the current ARP Inspection Program. See supra notes 133-135 and accompanying text.
\559\ See generally 2003 Interagency White Paper, supra note 31.
---------------------------------------------------------------------------

e. Market for Market Data

Finally, certain SCI entities provide market data. There are two different types of market data, namely consolidated data and proprietary data.
As discussed above, when Congress mandated a national market system in 1975, it emphasized that the systems for collecting and distributing consolidated market data would ``form the heart of the national market system.'' \560\ Moreover, the Commission has identified certain benefits of consolidated market data, including providing the public with access to a comprehensive, accurate, and reliable source of information for NMS stocks.\561\ One of the Commission's primary concerns is that the market for consolidated data functions properly.

---------------------------------------------------------------------------
\560\ See Concept Release on Equity Market Structure, supra note 42, at 3600 (quoting H.R. Rep. No. 94-229, 94th Cong., 1st Sess. 93 (1975)).
\561\ See supra note 187 and accompanying text.
---------------------------------------------------------------------------

Market data is a critical part of the investment and trading process.\562\ The data is needed for pre- and post-trade transparency and allows market participants to make well-informed investment and trading decisions.\563\ Indeed, based on Commission staff experience, the Commission understands that many trading algorithms make trading decisions based primarily on market data and rely on that data being current and accurate. An SCI event in connection with market data could significantly disrupt markets.\564\

---------------------------------------------------------------------------
\562\ See supra notes 187-189 and accompanying text.
\563\ See id.
\564\ For example, on January 3, 2013, Nasdaq reported that its securities information processor (which is the plan processor of the CQS Plan, an SCI plan) experienced ``an issue with stale data,'' which lasted approximately 10 to 15 minutes. See https://www.nasdaq.com/article/update-traders-report-technical-issue-involving-nasdaq-listed-securities-20130103-01046#.URutFaVEHmd.
See also https://www.reuters.com/article/2013/01/03/exchanges-data-outage-idUSL1E9C3DQL20130103. As a result, last sale and quotation data was not available for Nasdaq-listed (``Tape C'') securities during that time. See id. Although proprietary data feeds were available, only subscribers receiving such feeds could continue trading with current market data during the outage. Market centers EDGA and EDGX temporarily suspended trading in all Tape C securities in response to the outage. See id.
---------------------------------------------------------------------------

The process of collecting and disseminating consolidated quotation and transaction data is governed by the SCI plans. For securities listed on Nasdaq, data distribution is governed by the Nasdaq UTP Plan. For securities listed on NYSE, NYSE Amex, and several other exchanges, data distribution is governed by the CTA Plan and the CQS Plan. For options, data distribution is governed by the OPRA Plan. These SCI plans also oversee the collection of fees for access to the consolidated data network, and the allocation of the resulting revenue across the exchanges. Currently, there are two entities designated as plan processors by SCI plans--SIAC and Nasdaq.\565\ Due to the extreme concentration in the market segment for consolidated data, there is virtually no competition between SCI plan processors, which could lead to little incentive to ensure a high-quality product with minimal disruptions.

---------------------------------------------------------------------------
\565\ See supra note 131.
---------------------------------------------------------------------------

3. Proposed Regulation SCI and Its Impact on Current Practices

Proposed Regulation SCI would be a codification and enhancement of the current ARP Inspection Program.
As discussed further below with respect to each of the proposed rules, proposed Regulation SCI would: (A) Be mandatory and codify many aspects of the ARP policy statements; (B) expand the scope of the ARP policy statements to other types of systems and event types; and (C) expand the scope of the ARP Inspection Program to other types of entities.

[[Page 18162]]

With respect to different types of systems, as discussed in more detail above, the ARP policy statements are focused on automated systems.\566\ Specifically, entities that participate in the ARP Inspection Program follow the ARP policy statements with respect to systems that directly support trading, clearance and settlement, order routing, and market data.\567\ Proposed Regulation SCI, on the other hand, would apply to more types of systems than the ARP policy statements. As discussed above, in addition to the systems covered by the ARP Inspection Program, the proposed definition of ``SCI systems'' would also include systems that directly support regulation and surveillance that are not currently part of the ARP Inspection Program. Further, the provisions of proposed Regulation SCI relating to security standards and systems intrusions would also apply to ``SCI security systems,'' which would be defined to mean any systems that share network resources with SCI systems that, if breached, would be reasonably likely to pose a security threat to SCI systems.

---------------------------------------------------------------------------
\566\ See supra Section I.A for more discussion of the ARP policy statements and the ARP Inspection Program. According to ARP I, the term ``automated systems'' or ``automated trading systems'' means computer systems for listed and OTC equities, as well as options, that electronically route orders to applicable market makers and systems that electronically route and execute orders, including the data networks that feed the systems.
The term ``automated systems'' also encompasses systems that disseminate transaction and quotation information and conduct trade comparisons prior to settlement, including the associated communication networks. Moreover, ARP I states that because lack of adequate communications capacity can be as damaging to the overall performance of an exchange during peak periods as poorly designed order processing, capacity tests of the data networks that feed the computer systems also should be conducted. See ARP I, supra note 1, at n.21.
\567\ While generally only trading, clearance and settlement, order routing, and market data systems follow the guidelines in the ARP policy statements, ARP staff inspects all the categories of systems that are included in the proposed definition of ``SCI systems.'' However, ARP staff generally inspects systems that do not directly support trading, clearance and settlement, order routing, or market data only if staff detects red flags.
---------------------------------------------------------------------------

Additionally, while the ARP Inspection Program and proposed Regulation SCI both cover certain types of systems disruptions \568\ and systems intrusions,\569\ proposed Regulation SCI also would cover systems compliance issues. Finally, the ARP Inspection Program includes 29 participants that are SCI entities, consisting of 17 registered national securities exchanges, seven registered clearing agencies, FINRA, two plan processors, one ATS, and one exempt clearing agency. Because no ATSs currently satisfy the thresholds in Rule 306(b)(6)(i) of Regulation ATS, no ATSs currently are subject to the systems safeguard requirements of Regulation ATS \570\ although, as noted above, one ATS voluntarily participates in the ARP Inspection Program. Proposed Regulation SCI would include all of the entities currently under the ARP Inspection Program.
With respect to ATSs, proposed Regulation SCI would include an estimated 10 SCI ATSs in NMS stocks, an estimated two SCI ATSs in non-NMS stocks, an estimated three SCI ATSs in municipal securities and corporate debt securities, and one SRO (i.e., the MSRB).

---------------------------------------------------------------------------
\568\ See 2001 Staff ARP Interpretive Letter, supra note 35. See also supra Section III.B.3.a for a discussion of the differences between the definition of ``significant system outage'' as used currently in the ARP Inspection Program and the proposed definition of ``systems disruption.''
\569\ See ARP I, supra note 1, at 48707 (referring to instances where unauthorized persons gained or attempted to gain access to systems). Proposed Rule 1000(a) would define ``systems intrusion'' to mean any unauthorized entry into the SCI systems or SCI security systems of the SCI entity.
\570\ See 17 CFR 242.301(b)(6).
---------------------------------------------------------------------------

Proposed Rules 1000(b)(4) and (b)(5) would require, respectively, that all SCI events be reported to the Commission, and that information relating to dissemination SCI events be disseminated to members or participants of an SCI entity. Proposed Rule 1000(a) would define a dissemination SCI event to mean an SCI event that is a: (1) Systems compliance issue; (2) systems intrusion; or (3) systems disruption that results, or the SCI entity reasonably estimates would result, in significant harm or loss to market participants. Under the ARP Inspection Program, only ``significant'' outages should be reported to the Commission, and there are no quantitative standards to define ``significant'' outage. Similarly, proposed Regulation SCI would not specify a quantitative standard for immediate notification SCI events or dissemination SCI events.
Instead, immediate notification SCI events would include any systems disruption that the SCI entity reasonably estimates would have a material impact on its operations or on market participants, any systems compliance issue, and any systems intrusion. With respect to dissemination SCI events, certain information about all systems compliance issues and systems intrusions would be required to be disseminated to members or participants, although information about systems intrusions in some cases could be delayed. Systems disruptions, however, would be dissemination SCI events only if they result, or the SCI entity reasonably estimates would result, in significant harm or loss to market participants.

Proposed Rule 1000(b)(1) (Capacity, Integrity, Resiliency, Availability, and Security) addresses the capacity, integrity, resiliency, availability, and security of the systems of SCI entities. Rule 1000(b)(1) would require an SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, SCI security systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity's operational capability and promote the maintenance of fair and orderly markets. Proposed Rule 1000(b)(1)(i) would further require that an SCI entity's policies and procedures include the establishment of reasonable current and future capacity planning estimates, periodic capacity stress tests, a program to review and keep current systems development and testing methodology, regular reviews and testing of such systems, including backup systems, business continuity and disaster recovery plans, and standards that result in systems that facilitate the successful collection, processing, and dissemination of market data.
The items in proposed Rule 1000(b)(1)(i)(A)-(E) are the same as those in the ARP Inspection Program and Rule 301(b)(6) of Regulation ATS.\571\

---------------------------------------------------------------------------
\571\ See supra Section III.C.1 for a detailed discussion of proposed Rule 1000(b)(1), including comparisons to the provisions of the ARP Inspection Program.
---------------------------------------------------------------------------

Proposed Rule 1000(b)(1)(ii) would further provide that an SCI entity's policies and procedures would be deemed to be reasonably designed if they are consistent with current SCI industry standards.\572\ The Commission preliminarily believes that SCI entities would be familiar with such standards because they would be required to be widely available for free to information technology professionals in the financial sector, and must be issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization.\573\ As noted above, compliance with the identified SCI industry standards would not be the exclusive means to comply with the [[Page 18163]] requirements of proposed Rule 1000(b)(1).

---------------------------------------------------------------------------
\572\ See proposed Rule 1000(b)(1)(ii).
\573\ See infra text commencing at note 630, discussing examples of SCI industry standards that may originate from NIST publications and/or other publications listed in Table A, and the potential costs they may impose on SCI entities.
---------------------------------------------------------------------------

Proposed Rule 1000(b)(2)(i) (Systems Compliance) is not currently part of the ARP Inspection Program and would require each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in the manner intended, including in a manner that complies with the federal securities laws and rules and regulations thereunder and the entity's rules and governing documents, as applicable.\574\

---------------------------------------------------------------------------
\574\ However, as noted above in Section V.B.1.b, SCI entities are already required to comply with relevant laws and rules.
---------------------------------------------------------------------------

Proposed Rule 1000(b)(3) (Corrective Action) would require that, upon any responsible SCI personnel becoming aware of an SCI event, an SCI entity begin to take appropriate corrective action. The Commission understands that market participants already take steps to address systems issues should they occur, but preliminarily believes that proposed Rule 1000(b)(3) may result in SCI entities incurring additional information technology costs, primarily because proposed Rule 1000(b)(3) requires each SCI entity, upon any responsible SCI personnel becoming aware of an SCI event, to begin to take appropriate corrective action. Thus, SCI entities would not be able to delay the start of taking corrective action, which in turn could result in some SCI entities potentially seeking to, for example, update their systems with newer technology earlier than they might have otherwise. As these increased costs would likely occur primarily as a result of SCI entities making usual and customary investments sooner than they would otherwise, these costs are difficult to quantify.
Proposed Rule 1000(b)(4) (Commission Notification) would require that an SCI entity notify the Commission of all SCI events. Proposed Rule 1000(b)(4) would apply to more entities, systems, and types of systems issues than the ARP policy statements (or the 2001 Staff ARP Interpretive Letter) and also require more detailed reporting to the Commission.\575\

---------------------------------------------------------------------------
\575\ See discussion of proposed Rule 1000(b)(4) in supra Section III.C.4. In addition, proposed Rule 1000(d) would require, with limited exception, that any written notification, review, description, analysis, or report to the Commission be submitted electronically on Form SCI.
---------------------------------------------------------------------------

Proposed Rule 1000(b)(5) (Dissemination of Information to Members or Participants) would require an SCI entity to disseminate information relating to dissemination SCI events to members or participants. Proposed Rule 1000(b)(5) would impose a new requirement that is not currently part of the ARP Inspection Program. As noted above in Section V.B.1.a, some entities provide their members or participants with notices of outages currently. However, although proposed Rule 1000(b)(5) would permit information regarding some systems intrusions to be delayed,\576\ the Commission expects that dissemination of information to members or participants about dissemination SCI events would increase significantly.

---------------------------------------------------------------------------
\576\ See proposed Rule 1000(b)(5)(ii).
---------------------------------------------------------------------------

With respect to proposed Rule 1000(b)(6) (Material Systems Changes), while entities may voluntarily submit similar material systems change notifications to the Commission under the ARP Inspection Program, proposed Regulation SCI would set forth more detailed requirements.\577\ Proposed Rule 1000(b)(6) would require an SCI entity to notify the Commission of planned material systems changes on proposed Form SCI at least 30 calendar days in advance of such change, unless exigent circumstances exist or information previously provided to the Commission regarding a planned material systems change has become materially inaccurate, necessitating notice regarding a material systems change with less than 30 calendar days' notice.

---------------------------------------------------------------------------
\577\ See supra Sections III.C.4 and III.E.2 discussing the reporting requirements in proposed Rule 1000(b)(6).
---------------------------------------------------------------------------

Proposed Rule 1000(b)(7) (SCI Review) would require an SCI entity to conduct an SCI review of its compliance with Regulation SCI at least annually, and submit a report of the SCI review to senior management of the SCI entity for review no more than 30 calendar days after completion of the SCI review. Because systems reviews have always been part of the ARP Inspection Program, the Commission believes that most SCI entities currently undertake annual systems reviews, reports of which the Commission understands are reviewed by senior management. The Commission believes, however, that the scope of the systems review undertaken by ARP entities, and senior management involvement in such reviews, varies among ARP entities.
The Commission expects that proposed Regulation SCI, which defines the parameters of an SCI review, would foster greater consistency in the approach that SCI entities take with respect to systems reviews.

Proposed Rule 1000(b)(8) (Reports) would require an SCI entity to submit various reports to the Commission. Specifically, proposed Rule 1000(b)(8)(i) would require an SCI entity to submit a report of the SCI review required by proposed Rule 1000(b)(7), together with any response by senior management, within 60 calendar days after its submission to senior management of the SCI entity. Proposed Rule 1000(b)(8)(ii) would require an SCI entity to submit a report, within 30 calendar days after the end of June and December of each year, containing a summary description of the progress of any material systems change during the six-month period ending on June 30 or December 31, as the case may be, and the date, or expected date, of completion of implementation of such changes. Such reports to be filed with the Commission pursuant to proposed Rule 1000(b)(8) would be required to be filed electronically on Form SCI. Proposed Rule 1000(b)(8) would codify current practice under the ARP Inspection Program, in which ARP entities submit reports of systems reviews and report progress on material systems changes to ARP staff. However, proposed Rule 1000(b)(8) would specify a more detailed process for submission of such reports.

Proposed Rule 1000(b)(9) (SCI Entity Business Continuity and Disaster Recovery Plans Testing Requirements for Members or Participants) is not part of the current ARP Inspection Program and would require an SCI entity, with respect to its business continuity and disaster recovery plans, including its backup systems, to require participation by designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency as specified by the SCI entity, at least once every 12 months.
In addition, the proposed rule would require an SCI entity to coordinate such testing on an industry- or sector-wide basis with other SCI entities.\578\ Further, the proposed rule would require each SCI entity to designate those members or participants it deems necessary, for the maintenance of fair and orderly markets in the event of the activation of its business continuity and disaster recovery plans, to participate in the testing of such plans. Each SCI entity would be required to notify the Commission of such designations and its standards for designation, and promptly update such notification after any changes to its designations or standards. Although nothing prevents SCI entities from doing so, the Commission currently does not mandate that members or participants of SCI entities test the business continuity and disaster recovery plans, including [[Page 18164]] backup systems, of SCI entities. This proposed rule would allow greater oversight by the Commission over the business continuity and disaster recovery capabilities of SCI entities. While the Commission believes that many SCI entities currently provide the opportunity for their members or participants to test their business continuity and disaster recovery plans, the Commission believes that few require participation by all or designated members or participants in such testing.\579\ In addition, the Commission understands that, to the extent such participation occurs, it may in many cases be limited in nature (e.g., testing for connectivity to backup systems). Finally, while the securities industry does coordinate certain testing, the Commission believes that the two-day closure of the equities and options markets in the wake of Superstorm Sandy has shown that more significant testing and better coordination of such testing could benefit market participants.\580\

---------------------------------------------------------------------------
\578\ See supra note 269 and accompanying text.
\579\ See infra note 641.
\580\ See supra Section I.D.
---------------------------------------------------------------------------

Proposed Rules 1000(c) and (e) relate to the recordkeeping requirements under proposed Regulation SCI. As discussed above, SCI SROs already are subject to recordkeeping requirements that would apply to all documents relating to their compliance with proposed Regulation SCI.\581\ Further, entities that participate in the ARP Inspection Program currently keep records related to the ARP Inspection Program, and the Commission recognizes that all SCI entities are subject to some recordkeeping requirement. Nevertheless, with respect to SCI entities other than SCI SROs, proposed Rules 1000(c) and (e) would impose specific recordkeeping requirements with respect to documents related to compliance with Regulation SCI and thus would impose a burden on such entities.

---------------------------------------------------------------------------
\581\ See supra Section III.D.1.
---------------------------------------------------------------------------

Lastly, proposed Rule 1000(f) would require each SCI entity to provide Commission representatives reasonable access to its SCI systems and SCI security systems to allow Commission representatives to assess the entity's compliance with proposed Regulation SCI. As discussed above, although the Commission believes that Section 17(b) of the Exchange Act already provides the Commission with authority to access the systems of SCI entities, the Commission is proposing Rule 1000(f) to highlight such authority and help ensure that Commission representatives have ready access to systems of SCI entities.\582\

---------------------------------------------------------------------------
\582\ See supra Section III.D.3.
---------------------------------------------------------------------------

C.
Consideration of Costs and Benefits, and the Effect on Efficiency, Competition, and Capital Formation Section 3(f) of the Exchange Act requires the Commission, whenever it engages in rulemaking pursuant to the Exchange Act and is required to consider or determine whether an action is necessary or appropriate in the public interest, to consider, in addition to the protection of investors, whether the action would promote efficiency, competition, and capital formation.\583\ In addition, Section 23(a)(2) of the Exchange Act requires the Commission, when making rules under the Exchange Act, to consider the impact such rules would have on competition.\584\ Exchange Act Section 23(a)(2) prohibits the Commission from adopting any rule that would impose a burden on competition not necessary or appropriate in furtherance of the purposes of the Exchange Act.\585\ In considering these matters, the Commission has been mindful of the history and background discussed above and has considered the impact proposed Regulation SCI would have on competition, and preliminarily believes that proposed Regulation SCI would promote efficiency, competition, and capital formation, and would not impose a burden on competition not necessary or appropriate in furtherance of the purposes of the Exchange Act. --------------------------------------------------------------------------- \583\ 15 U.S.C. 78c(f). \584\ 15 U.S.C. 78w(a)(2). \585\ 15 U.S.C. 78w(a)(2). --------------------------------------------------------------------------- 1. Summary of Benefits, Costs and Quantification While the current practices of some SCI entities already satisfy some of the requirements of proposed Regulation SCI, the Commission preliminarily believes proposed Regulation SCI could benefit the U.S. financial markets in several ways. The Commission preliminarily believes that Regulation SCI should result in fewer systems disruptions, systems compliance issues, and systems intrusions. 
It should also increase the information available to the Commission regarding any systems disruptions, systems compliance issues, and systems intrusions that do occur. In addition, it should increase the information available to members or participants of SCI entities regarding dissemination SCI events. As explained further below, such disseminations of information could promote the ability of market participants to assess the operation of markets because events would be more transparent. The changes also could reduce market participants' search costs, ultimately improving the ability of competition to discourage SCI events and potentially improving the allocative efficiency of capital. To the extent that Regulation SCI promotes the allocation of capital to its most efficient uses, the Commission preliminarily believes that Regulation SCI may promote capital formation.\586\ The potential economic costs of proposed Regulation SCI include compliance costs, which the Commission attempts to quantify, and other costs. Such other costs include costs associated with the increase in costs and time needed to make systems changes to comply with new and amended rules and regulations, the impact on innovation, and barriers to entry.\587\ --------------------------------------------------------------------------- \586\ The Commission notes, however, that whether there is ultimately an effect on capital formation will depend, in part, on the degree of the potential effects on allocative efficiency. \587\ See infra Section V.C.3.b. --------------------------------------------------------------------------- The Commission discusses below a number of costs and benefits that are related to proposed Regulation SCI. Many of these costs and benefits are difficult to quantify with any degree of certainty, especially as the practices of market participants are expected to evolve and appropriately adapt to changes in technology and market developments. 
In addition, the extent to which the proposed rule's standards and the ability to enforce such standards will help reduce the frequency and severity of SCI events is unknown. Therefore, much of the discussion is qualitative in nature but, where possible, the Commission quantifies the costs. Many, but not all, of the costs of the proposed rules involve a collection of information, and these costs and burdens are discussed in the Paperwork Reduction Act Section above.\588\ When monetized, those estimated burdens and costs for SCI entities total approximately $44 million in initial costs and approximately $37 million in annual ongoing costs. In addition, in the Economic Cost Section below,\589\ the Commission has quantified other costs for SCI entities that total between approximately $17.6 million \590\ and $132 million \591\ in initial costs and between $11.7 million \592\ and $88 million \593\ in annual ongoing costs. When aggregated, the total quantified costs for SCI entities are estimated as between approximately $61.6 million \594\ and $176 million \595\ in initial costs and between $48.7 million \596\ and $125 million \597\ in annual ongoing costs. In addition to the costs to SCI entities, the Commission also preliminarily estimates the total costs to members or participants of SCI entities to participate in the business continuity and disaster recovery plans testing specified by proposed Rule 1000(b)(9) to be $66 million annually.\598\ Thus, the total quantified costs for SCI entities and members or participants of SCI entities are estimated as between approximately $127.6 million \599\ and $242 million \600\ in initial costs and between $114.7 million \601\ and $191 million \602\ in annual ongoing costs. A detailed discussion of other potential economic costs of the proposal, such as potential costs to the Commission and potential burdens on competition, is provided below. 
--------------------------------------------------------------------------- \588\ See supra Section IV. \589\ See infra Section V.C.4.a (estimating the cost for: (i) Complying with the substantive requirements that are the subject of the policies and procedures required by proposed Rules 1000(b)(1) and (2), including consistency with SCI industry standards (which, solely for purposes of this Economic Analysis, would be the proposed SCI industry standards contained in the publications identified in Table A); (ii) establishing and maintaining a methodology for ensuring that the SCI entity is prepared for the corrective action requirement under proposed Rule 1000(b)(3); and (iii) establishing and maintaining a methodology for determining whether an SCI event is an immediate notification SCI event or a dissemination SCI event). \590\ See infra note 634 (estimating cost for complying with the substantive requirements underlying policies and procedures required by proposed Rules 1000(b)(1) and (2)). \591\ See infra note 635 (estimating cost for complying with the substantive requirements underlying policies and procedures required by proposed Rules 1000(b)(1) and (2)). \592\ See infra note 639 (estimating cost for complying with the substantive requirements underlying policies and procedures required by proposed Rules 1000(b)(1) and (2)). \593\ See infra note 640 (estimating cost for complying with the substantive requirements underlying policies and procedures required by proposed Rules 1000(b)(1) and (2)). \594\ $61.6 million = $44 million (PRA cost) + $17.6 million (other costs for SCI entities). \595\ $176 million = $44 million (PRA cost) + $132 million (other costs for SCI entities). \596\ $48.7 million = $37 million (PRA cost) + $11.7 million (other costs for SCI entities). \597\ $125 million = $37 million (PRA cost) + $88 million (other costs for SCI entities). \598\ See infra note 643 and accompanying text. 
\599\ $127.6 million = $44 million (PRA cost) + $17.6 million (other costs for SCI entities) + $66 million (costs for members or participants of SCI entities). \600\ $242 million = $44 million (PRA cost) + $132 million (other costs for SCI entities) + $66 million (costs for members or participants of SCI entities). \601\ $114.7 million = $37 million (PRA cost) + $11.7 million (other costs for SCI entities) + $66 million (costs for members or participants of SCI entities). \602\ $191 million = $37 million (PRA cost) + $88 million (other costs for SCI entities) + $66 million (costs for members or participants of SCI entities). --------------------------------------------------------------------------- 2. Economic Benefits Broadly, although the current practices of some SCI entities already satisfy some of the requirements of proposed Regulation SCI, the Commission preliminarily believes that proposed Regulation SCI would bring several overarching benefits to the securities markets. First and most significantly, the Commission preliminarily believes that proposed Regulation SCI would promote more robust systems and hence fewer systems disruptions and market-wide closures, systems compliance issues, and systems intrusions. As a result, the Commission expects fewer interruptions to SCI systems, including systems that directly support execution facilities, matching engines, and the dissemination of market data, and fewer errors with the pricing of securities, which should promote price efficiency. The Commission also expects fewer interruptions to other SCI systems, including systems that directly support regulatory systems and surveillance systems, which should help ensure compliance with relevant laws and rules. 
In addition, the Commission would expect fewer interruptions to SCI security systems, which should help prevent problems that could lead to disruption of an SCI entity's general operations and, ultimately, its market-related activities.\603\ --------------------------------------------------------------------------- \603\ See supra Section III.B.2, discussing the Commission's proposed definitions of SCI systems and SCI security systems. --------------------------------------------------------------------------- Second, the Commission preliminarily believes that proposed Regulation SCI would enhance the availability of relevant information to members or participants of SCI entities and promote dissemination of information to persons (i.e., members or participants of SCI entities) who are most directly affected by dissemination SCI events and who would most naturally need, want, and be able to act on the information. The increased availability of information regarding SCI events should reduce the costs to members or participants of SCI entities when evaluating SCI entities and improve their ability to make more informed decisions about whether or not to avoid dealing with entities that experience significant systems issues. This enhanced information, as well as the improved price efficiency, should lead to greater allocative efficiency of capital. Moreover, it is expected that the increased awareness of dissemination SCI events would enhance competition among SCI entities with respect to the maintenance of robust systems. Third, the Commission preliminarily believes that fewer market-wide, unscheduled shutdowns would have many of the same benefits as avoidance of temporary shutdowns, but on a greater scale. Fourth, the Commission preliminarily believes that its own ability to monitor the markets and ensure their smooth functioning would be significantly enhanced by proposed Regulation SCI. 
These potential benefits are discussed in more detail below in relation to each of the proposed rules. a. Rule 1000(a) Definitions In general, the definitions in Rule 1000(a) either clarify a provision or circumscribe the scope of a provision in proposed Regulation SCI. Therefore, many of the costs and benefits associated with the impacts of the definitions are incorporated in the discussion below on the costs and benefits of the substantive provisions where the definitions are used. This section contains a discussion of the benefits of the expansion in scope that are not discussed above. In summary, the Commission preliminarily believes that the proposed definitions of ``SCI entity'' and ``SCI event,'' although they would broaden the scope of Regulation SCI beyond the scope of the ARP Inspection Program, are essential parts of proposed Regulation SCI. i. SCI Entities As explained above, the difference between the entities that currently participate in the ARP Inspection Program and the entities covered by proposed Regulation SCI is the inclusion of additional ATSs and the MSRB. 
Because no ATSs currently meet the thresholds specified in Rule 301(b)(6) of Regulation ATS, other than the one ATS that currently participates in the ARP Inspection Program, none are subject to the systems safeguard requirements under that rule even though they comprise a significant portion of consolidated volume.\604\ The Commission preliminarily believes that the inclusion of SCI ATSs under proposed Regulation SCI would help ensure that ATSs, which serve as markets to bring buyers and sellers together in the national market system, are subject to rules regarding systems capacity, integrity, resiliency, availability, security, and compliance, including those rules that could help prevent SCI events and that require Commission reporting and the dissemination of information to members or participants of SCI entities.\605\ The Commission preliminarily believes that the inclusion of the MSRB in proposed Regulation SCI would provide benefits to the market because, as noted above, the MSRB is the only SRO relating to municipal securities and the sole provider of consolidated market data for the municipal securities market.\606\ --------------------------------------------------------------------------- \604\ As noted above, one ATS voluntarily participates in the ARP Inspection Program. See supra note 25. \605\ Proposed Regulation SCI would not expand the types of securities currently covered by the ARP Inspection Program and Rule 301(b)(6) of Regulation ATS. The Commission recognizes that although currently no ATSs are subject to the systems safeguard requirements under Rule 301(b)(6) because they do not satisfy the thresholds in that rule, the Commission estimates that approximately 15 ATSs would be subject to proposed Regulation SCI. \606\ As discussed above, in 2008, the Commission amended Rule 15c2-12 to designate the MSRB as the single centralized disclosure repository for continuing municipal securities disclosure. 
In 2009, the MSRB established EMMA, which serves as the official repository of municipal securities disclosure, providing the public with free access to relevant municipal securities data, and is the central database for information about municipal securities offerings, issuers, and obligors. Additionally, the MSRB's RTRS, with limited exceptions, requires municipal bond dealers to submit transaction data to the MSRB within 15 minutes of trade execution, and such near real-time post-trade transaction data can be accessed through the MSRB's EMMA Web site. See supra note 96. --------------------------------------------------------------------------- ii. Systems and SCI Events As stated above, proposed Regulation SCI would expand on current practice, would apply to a broader range of systems, and would include more event types. Specifically, entities that participate in the ARP Inspection Program follow the ARP policy statements with respect to systems that directly support trading, clearance and settlement, order routing, and market data. The proposed definition of ``SCI systems'' would include the foregoing systems as well as those that directly support regulation and surveillance. The Commission preliminarily believes that including regulation and surveillance systems could help ensure the SCI entity's ability to monitor its compliance with relevant laws, rules, and its own rules, and detect any violations of such laws or rules. 
Further, the provisions of proposed Regulation SCI regarding systems security and intrusions also would apply to ``SCI security systems.'' \607\ Because SCI security systems may present potentially vulnerable entry points to an SCI entity's network, the Commission also preliminarily believes that it is important for proposed Regulation SCI to include those systems with respect to security standards and systems intrusions.\608\ --------------------------------------------------------------------------- \607\ See supra Section III.B.2, discussing the Commission's proposed definitions of SCI systems and SCI security systems. \608\ See id. --------------------------------------------------------------------------- By defining SCI events to include systems disruptions, systems compliance issues, and systems intrusions, proposed Regulation SCI would further assist the Commission in its oversight of SCI entities. As stated above, SCI entities already follow practices similar to parts of proposed Regulation SCI for certain systems disruptions and systems intrusions. The inclusion of systems compliance issues should help the Commission and market participants to become better informed of the efforts of the SCI entities to comply with relevant laws and rules, and their own rules as applicable, and could enhance the enforcement of such laws and rules. Further, by defining a dissemination SCI event to include a subset of SCI events (i.e., a systems compliance issue, systems intrusion, or systems disruption that would result, or the SCI entity reasonably estimates would result, in significant harm or loss to market participants), proposed Regulation SCI would further assist SCI entity members or participants in their decisions regarding whether or not to utilize the systems of a given SCI entity. b. 
Rule 1000(b)(1)-(10) Requirements for SCI Entities The development and growth of automated electronic trading have allowed increasing volumes of securities transactions across the multitude of trading centers that constitute the U.S. national market system. These securities transactions take place within an interconnected market where systems disruptions, systems compliance issues, and systems intrusions at one market center can impact or harm trading throughout the entire national market system. Thus, there is a need for operators of significant market systems, such as SCI entities, to have in place robust systems to prevent systems issues or, in the event that systems issues occur, to recover quickly. Proposed Rule 1000(b)(1)-(2) would set forth requirements relating to written policies and procedures that SCI entities would be required to establish, maintain, and enforce. Proposed Rule 1000(b)(1) would require an SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, SCI security systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity's operational capability and promote the maintenance of fair and orderly markets. The rule would further provide that an SCI entity's policies and procedures must include the establishment of reasonable current and future capacity planning estimates, periodic capacity stress tests, a program to review and keep current systems development and testing methodology of such systems, regular reviews and testing of such systems, including backup systems, business continuity and disaster recovery plans, and standards that result in such systems facilitating the successful collection, processing, and dissemination of market data.\609\ As discussed above, the Commission regards SCI entities as part of the critical infrastructure of the U.S. 
securities markets and therefore, although proposed Rule 1000(b)(1)(i)(A)-(E) would codify certain provisions of the ARP policy statements, the Commission preliminarily believes that specifically setting forth these requirements in a Commission rule would benefit the securities markets by helping to diminish the risks and incidences of systems intrusions, systems compliance issues, and systems disruptions. Such policies and procedures should also assist in speedy recoveries from systems intrusions, systems compliance issues, and systems disruptions. Proposed Rule 1000(b)(1)(i)(F) does not have precedent in Regulation ATS or the ARP policy statements, and would require SCI entities to have standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data. The Commission preliminarily believes that this proposal should help to ensure that timely and accurate market data is available to all market participants. --------------------------------------------------------------------------- \609\ See proposed Rule 1000(b)(1)(i)(A)-(F), discussed in supra Section III.C.1.a. --------------------------------------------------------------------------- Proposed Rule 1000(b)(1)(ii) would deem an SCI entity's policies and procedures required by proposed Rule 1000(b)(1) to be reasonably designed if they are consistent with current SCI industry standards.\610\ Thus, the SCI industry standards would provide flexibility to allow each SCI entity to determine how to best meet the requirements in proposed Rule 1000(b)(1), taking into account, for example, its nature, size, technology, business model, and other aspects of its business, because compliance with SCI industry standards would not be the exclusive means by which an SCI entity could satisfy the requirements of proposed Rule 1000(b)(1). 
--------------------------------------------------------------------------- \610\ Proposed SCI industry standards are contained in the publications that are set forth in Table A. See supra Section III.C.1.b. --------------------------------------------------------------------------- Proposed Rule 1000(b)(2)(i), which would require written policies and procedures reasonably designed to ensure that an SCI entity's SCI systems operate in the manner intended, should help to minimize instances where systems do not operate in compliance with the federal securities laws and rules and regulations thereunder and, as applicable, the entity's rules and governing documents. In particular, the elements of the safe harbor for SCI entities in proposed Rule 1000(b)(2)(ii)(A) relating to policies and procedures on testing and monitoring also should help to ensure, on an ongoing basis, that an SCI entity's SCI systems operate in the manner intended, including in a manner that complies with the federal securities laws and rules and regulations thereunder and, as applicable, the entity's rules and governing documents, thus minimizing systems compliance issues and consequently the total time needed to bring a system back into compliance.\611\ In addition, the elements of the safe harbor in proposed Rule 1000(b)(2)(ii)(A) relating to policies and procedures for systems compliance assessments by personnel familiar with applicable laws and rules and systems reviews by regulatory personnel should help ensure the performance of effective compliance audits and reviews, and should help provide assurance that SCI entities are operating in compliance with applicable laws and rules. --------------------------------------------------------------------------- \611\ As noted above, the Commission recognizes that SCI entities are already required to comply with federal securities laws, rules and regulations thereunder, and their own rules. 
--------------------------------------------------------------------------- Proposed Rule 1000(b)(3), which would require an SCI entity to begin taking appropriate corrective action upon any responsible SCI personnel becoming aware of an SCI event, should further help ensure that SCI entities invest sufficient resources as soon as reasonably practicable to address systems intrusions, systems compliance issues, and systems disruptions.\612\ --------------------------------------------------------------------------- \612\ As noted above, the Commission believes that SCI entities already take corrective actions in response to systems issues. --------------------------------------------------------------------------- Moreover, proposed Rules 1000(b)(1)-(3) should improve price efficiency by reducing the likelihood and duration of systems issues, thereby helping to avoid the price inefficiencies that occur during times when systems disruptions, systems compliance issues, or systems intrusions can make systems unavailable or unreliable. Specifically, systems issues that could impact the accuracy or the timeliness, and thus the reliability, of market data could lead to inaccuracies in pricing, slow down pricing, and make data less reliable. Therefore, to the extent that proposed Rules 1000(b)(1)-(3) could reduce the likelihood or duration of systems issues, they may lead to more reliable market data (because there would be fewer inaccuracies and the market data would be more timely), which could help improve the quality of market data. This, in turn, could enhance price efficiency in the market for market data, which then could promote allocative efficiency of capital and capital formation. Proposed Regulation SCI is intended, in part, to facilitate the Commission's ability to monitor the impact on the securities markets by SCI entities' systems that support the performance of the entities' activities. 
The Commission preliminarily believes that proposed Rules 1000(b)(1)-(3), as well as 1000(b)(4), would provide for more effective Commission oversight of the operation of the systems of SCI entities. Specifically, while entities that participate in the ARP Inspection Program already notify Commission staff of certain systems issues, the Commission preliminarily believes that proposed Rule 1000(b)(4), relating to Commission notification of SCI events, should further enhance the effectiveness of Commission oversight of the operation of SCI entities. Under the proposed rule, upon any responsible SCI personnel becoming aware of an immediate notification SCI event,\613\ an SCI entity would be required to notify the Commission of the SCI event. Within 24 hours of any responsible SCI personnel becoming aware of an SCI event, an SCI entity would be required to submit a written notification pertaining to such SCI event on Form SCI. Until such time as the SCI event is resolved, the SCI entity would be required to provide updates regularly, or at such frequency as requested by an authorized representative of the Commission. Although this process would represent costs to an SCI entity,\614\ the documentation of SCI events will help prevent such systems failures from being dismissed or ignored as glitches or momentary issues because it would focus the SCI entity's attention on the issue and encourage allocation of SCI entity resources to resolve the issue as soon as reasonably practicable. --------------------------------------------------------------------------- \613\ See supra Section III.C.3.b. \614\ See supra Section IV.D.2.a. --------------------------------------------------------------------------- As noted above, the Commission is concerned that members or participants of SCI entities may be unaware of the occurrence of some SCI events, and therefore may make decisions without all relevant information. 
Proposed Rule 1000(b)(5) would require an SCI entity, upon any responsible SCI personnel becoming aware of a dissemination SCI event other than a systems intrusion, to disseminate certain information regarding the dissemination SCI event to its members or participants.\615\ Such information would include the systems affected by the event and a summary description of the event. When known, the SCI entity would be required to further disseminate to its members or participants: a detailed description of the SCI event; its current assessment of the types and number of market participants potentially affected by the SCI event; and a description of the progress of its corrective action for the SCI event and when the SCI event has been or is expected to be resolved. An SCI entity also would be required to provide regular updates to members or participants regarding the disseminated information. The Commission preliminarily believes that proposed Rule 1000(b)(5) would help market participants--specifically the members or participants of SCI entities--to better evaluate the operations of SCI entities based on more readily available information. --------------------------------------------------------------------------- \615\ For a dissemination SCI event that is a systems intrusion, an SCI entity must disseminate to members or participants a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless it determines that dissemination of such information would likely compromise the security of the SCI entity's SCI systems or SCI security systems, or an investigation of the systems intrusion. 
--------------------------------------------------------------------------- As discussed above,\616\ the Commission believes that the existing competition among the markets has not sufficiently mitigated the occurrence of certain systems problems, and thus preliminarily believes that requiring the dissemination of information about certain SCI events, as described above, to members or participants could potentially further incentivize SCI entities to create more robust systems. In addition, targeting this set of market participants (i.e., an SCI entity's members or participants) to receive information about dissemination SCI events has the benefit of providing the information to those that are most likely to need, want, and act on the information, without imposing the additional costs associated with requiring broader public dissemination. Moreover, another benefit of increased dissemination of information about dissemination SCI events to SCI entity members or participants would be the resultant reduction in search costs for market participants when they are gathering information to make a determination with respect to the use of an entity's services. Also, proposed Rule 1000(b)(5) would require SCI entities to disseminate specified information for dissemination SCI events, which would allow market participants to more easily compare the available information from all SCI entities for which they are members or participants. The foregoing benefits would be further enhanced to the extent information relating to dissemination SCI events is shared by members or participants of SCI entities with other market participants. 
Lastly, because an SCI entity would be permitted to delay dissemination of information regarding a systems intrusion to members or participants if it determines that such information would likely compromise the security of its SCI systems or SCI security systems, or an investigation of the systems intrusion, proposed Rule 1000(b)(5) would not undermine the need to maintain the non-public nature of certain systems intrusions for a temporary period (until the SCI entity determines that dissemination of such information would not likely compromise the security of the SCI entity's SCI systems or SCI security systems, or an investigation of the systems intrusion). --------------------------------------------------------------------------- \616\ See supra Section V.B.2. --------------------------------------------------------------------------- In summary, because proposed Regulation SCI would, among other things, require SCI entities to provide members and participants with more information regarding their operations, the Commission preliminarily believes that SCI entities would have additional incentives to establish and maintain more robust automated systems to minimize the occurrence of SCI events. Fewer systems issues could improve pricing efficiency which, in turn, could promote allocative efficiency of capital and thus, capital formation. In addition to the Commission notification requirements under proposed Rule 1000(b)(4), the Commission preliminarily believes that proposed Rule 1000(b)(6) would enhance the Commission's oversight of the operation of SCI entities, even though entities participating in the ARP Inspection Program may already provide these types of notifications to Commission staff. Proposed Rule 1000(b)(6) would require an SCI entity to notify the Commission on Form SCI of material systems changes at least 30 calendar days before the implementation of any planned material systems change. 
In the case of exigent circumstances, or if the information previously provided regarding a planned material systems change becomes materially inaccurate, proposed Rule 1000(b)(6) would require oral or written notification as early as reasonably practicable. Any oral notification of planned material systems change must be memorialized within 24 hours by a written notification on Form SCI. The Commission preliminarily believes that this provision would provide the Commission and its staff advance notice and time to evaluate planned material systems changes by SCI entities, thus improving the Commission's ability to oversee SCI entities.

Proposed Rule 1000(b)(7) would require an SCI entity to conduct an SCI review of its compliance with Regulation SCI not less than once each calendar year, and submit a report of the SCI review to senior management of the SCI entity for review no more than 30 calendar days after completion of such SCI review. The Commission preliminarily believes that the proposal to require SCI entities to conduct an objective assessment of their systems at least annually would result in SCI entities having an improved awareness of the relative strengths and weaknesses of their systems independent of the assessment of ARP staff, which should in turn improve the value and efficiency of an ARP inspection.

Proposed Rule 1000(b)(8) would require each SCI entity to submit certain periodic reports to the Commission through Form SCI, including annual reports on the SCI reviews of its compliance with Regulation SCI and semi-annual reports on the progress of material systems changes. These reports should keep the Commission informed, on an ongoing basis, by providing information with which the Commission could evaluate each SCI entity's compliance with Regulation SCI and the progress of its material systems changes.
The Commission preliminarily believes that proposed Rules 1000(b)(1)-(8), taken together, should result in actual systems improvements as well as enhanced availability of relevant information regarding SCI events to the Commission and members or participants of SCI entities. This, in turn, could facilitate better decisions by market participants, which could promote allocative efficiency of capital and capital formation, potentially providing an overall benefit to the securities markets and promoting the protection of investors and the public interest.

Additionally, the means by which trading is conducted may be altered as a result of Regulation SCI. For example, if an SCI entity member or participant submits orders to a particular market for execution, and subsequently learns that the execution venue's systems in use may be prone to failure, such member or participant may choose to favor another market in the future. This change would potentially enhance competition as SCI entity members or participants rely on information disseminated regarding dissemination SCI events to make more informed choices about the best venue for execution.

Proposed Rule 1000(b)(9)(i) would require an SCI entity, with respect to its business continuity and disaster recovery plans, including its backup systems, to require participation by designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency as specified by the SCI entity, at least once every 12 months. Proposed Rule 1000(b)(9)(ii) would further require an SCI entity to coordinate such testing on an industry- or sector-wide basis with other SCI entities.
The Commission expects that this proposed requirement should help ensure that the securities markets will have improved backup infrastructure and fewer market-wide shutdowns, thus helping SCI entities and other market participants to avoid lost revenues and profits that would otherwise result from such shutdowns. Further, the notifications required by proposed Rule 1000(b)(9)(iii) should keep the Commission informed, on an ongoing basis, of an SCI entity's current standards for designating members or participants and current list of designees.

c. Rule 1000(c)-(f)--Recordkeeping, Electronic Filing, and Access

While all SCI entities already are subject to some recordkeeping and access requirements, the Commission preliminarily believes the proposed recordkeeping and access requirements specifically related to proposed Regulation SCI would enhance the ability of the Commission to evaluate SCI entities' compliance. Specifically, proposed Rule 1000(c) would require each SCI entity, other than an SCI SRO, to make, keep, and preserve at least one copy of all documents and records relating to its compliance with Regulation SCI for a period of not less than five years.\617\ Each SCI entity also would be required to furnish such [[Page 18169]] documents to Commission representatives upon request. Further, according to proposed Rule 1000(e), if the records required to be filed or kept by an SCI entity under proposed Regulation SCI are prepared or maintained by a service bureau or other recordkeeping service on behalf of the SCI entity, the SCI entity must ensure that such records are available to review by the Commission and its representatives by submitting a written undertaking by such service bureau or recordkeeping service to that effect.
The Commission preliminarily believes that these proposed rules should allow Commission staff to perform efficient inspections and examinations of SCI entities for their compliance with the proposed rules, and should increase the likelihood that Commission staff may identify conduct inconsistent with the proposed rules at earlier stages in the inspection and examination process.

---------------------------------------------------------------------------
\617\ As discussed above in Section III.D.1, Regulation SCI-related documents would already be included in SCI SROs' comprehensive recordkeeping requirements under Rule 17a-1 under the Exchange Act.
---------------------------------------------------------------------------

Proposed Rule 1000(d) would require SCI entities to electronically submit all written information to the Commission through Form SCI (except any written notification submitted pursuant to proposed Rule 1000(b)(4)(i)). The Commission preliminarily believes that this provision would allow the Commission to receive information in a uniform electronic format with specified content, which would enhance Commission staff's ability to review and analyze submitted information.

Finally, proposed Rule 1000(f) would require each SCI entity to give Commission representatives reasonable access to its SCI systems and SCI security systems to allow Commission representatives to assess its compliance with proposed Regulation SCI. The Commission preliminarily believes that this provision would enhance Commission oversight by specifically highlighting the Commission's authority to have its representatives directly access and examine SCI entities' systems to confirm their compliance with proposed Regulation SCI. The Commission preliminarily believes that these requirements would place the Commission in a stronger position to assess the risks relating to SCI entities' systems and, thus, would provide the Commission with greater ability to protect investors.
The Commission also preliminarily believes that its oversight should help ensure that SCI entities are reasonably equipped to handle market demand and provide liquidity, including during periods of market distress.

3. Economic Costs

a. Direct Compliance Costs

The Commission recognizes that proposed Regulation SCI would impose costs on SCI entities, as well as costs on certain members or participants of SCI entities. The Commission preliminarily believes that the majority of these costs would be direct compliance costs. SCI entities would incur costs in establishing, maintaining, and enforcing policies and procedures related to systems capacity, integrity, resiliency, availability, security, and compliance.\618\ SCI entities also would incur costs in taking appropriate corrective actions upon any responsible SCI personnel becoming aware of an SCI event,\619\ notifying and updating the Commission with respect to the occurrence of SCI events,\620\ disseminating information to members or participants regarding dissemination SCI events,\621\ notifying the Commission of material systems changes,\622\ conducting SCI reviews,\623\ submitting to the Commission periodic reports,\624\ requiring designated members to participate in testing of business continuity and disaster recovery plans and coordinating such testing,\625\ and complying with recordkeeping and access requirements.\626\

---------------------------------------------------------------------------
\618\ See proposed Rules 1000(b)(1) and (2). These proposed rules would also impose costs for outside legal and/or consulting advice, as set forth in the Paperwork Reduction Act Section above. See supra Section IV.
\619\ See proposed Rule 1000(b)(3).
\620\ See proposed Rule 1000(b)(4).
\621\ See proposed Rule 1000(b)(5). This proposed rule would also impose costs for outside legal advice, as set forth in the Paperwork Reduction Act discussion above. See supra Section IV.
\622\ See proposed Rule 1000(b)(6).
\623\ See proposed Rule 1000(b)(7).
\624\ See proposed Rule 1000(b)(8).
\625\ See proposed Rule 1000(b)(9).
\626\ See proposed Rules 1000(c), (e), and (f).
---------------------------------------------------------------------------

As stated above in Section IV.D, proposed Regulation SCI would codify many of the ARP policy statement principles familiar and applicable to current participants in the ARP Inspection Program. The Commission recognizes, however, that the proposed rules would apply to entities that are not currently covered by the ARP Inspection Program, and would cover areas not currently within the scope of the ARP Inspection Program. Thus, those costs are incremental relative to the current compliance cost of the ARP Inspection Program.

While proposed Regulation SCI would codify the provisions of the ARP policy statements, the proposed definitions of ``SCI entity,'' ``SCI event,'' ``SCI systems,'' and ``SCI security systems'' are broader than the entities, events, and systems covered by the ARP Inspection Program and, as stated above, will include more entities, events, and systems. Specifically, proposed Rule 1000(b)(1)(i) would codify aspects of the ARP policy statements \627\ with the exception of Rule 1000(b)(1)(i)(F), which would require policies and procedures regarding standards that result in systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data.
In addition, because the ARP policy statements provide that SROs should promptly notify Commission staff of certain system outages and any instances in which unauthorized persons gained or attempted to gain access to their systems, proposed Rule 1000(b)(4), among other things, would codify parts of the ARP policy statements.\628\ Further, because the ARP policy statements provide that SROs should notify Commission staff of certain changes to their automated systems, proposed Rule 1000(b)(6) would codify a part of the ARP policy statements.\629\ Lastly, because the ARP policy statements provide that SROs should undertake reviews of their systems, proposed Rule 1000(b)(7), among other things, would reflect this part of the ARP policy statements.

With respect to the proposed requirements that are not currently covered by the ARP Inspection Program, they include: policies and procedures in addition to those required by proposed Rule 1000(b)(1)(i)(A)-(E) that would be necessary to achieve policies and procedures reasonably designed to ensure that systems of an SCI entity have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity's operational capability and promote the maintenance of fair and orderly markets; policies and procedures reasonably designed to ensure the operation of SCI systems in the manner intended; the initiation of appropriate corrective actions upon any responsible SCI personnel becoming aware of an SCI event; the dissemination of information to members or participants; [[Page 18170]] requirements regarding member or participant testing; and recordkeeping and access with respect to Regulation SCI-related documents.

---------------------------------------------------------------------------
\627\ Rule 301(b)(6) of Regulation ATS also contains similar requirements for ATSs that meet the thresholds in that rule.
\628\ However, because of the proposed definition of ``SCI event,'' SCI entities must also report systems compliance issues to the Commission. Proposed Regulation SCI would also set forth detailed and specific requirements with respect to Commission notifications.
\629\ Again, proposed Regulation SCI would also set forth more detailed and specific requirements with respect to such Commission notifications.
---------------------------------------------------------------------------

Many of these incremental costs are calculated in detail in the Paperwork Reduction Act Section above, which estimates that the total one-time initial burden for all SCI entities to comply with Regulation SCI would be approximately 133,482 hours and $2.6 million, and that the total annual ongoing burden for all SCI entities to comply with Regulation SCI would be approximately 117,258 hours and $738,400. In addition to the direct cost estimates derived from the Paperwork Reduction Act burdens, the Commission preliminarily believes that SCI entities could incur costs when enforcing the policies and procedures required under proposed Rules 1000(b)(1) and (2), taking corrective action to mitigate the potential harm resulting from an SCI event under proposed Rule 1000(b)(3), and in determining whether an SCI event is an immediate notification SCI event or meets the definition of a dissemination SCI event under proposed Rule 1000(a).

As discussed in detail in Section III.C.1 above, proposed Rule 1000(b)(1) would require SCI entities to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that their SCI systems and, for purposes of security standards, SCI security systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity's operational capability and promote the maintenance of fair and orderly markets.
In addition to the burden of establishing and maintaining such policies and procedures as set forth in the Paperwork Reduction Act Section above, the Commission preliminarily believes that SCI entities would incur costs in enforcing the substantive requirements that are the subject of the policies and procedures.

Further, as discussed in detail in Section III.C.2 above, proposed Rule 1000(b)(2) would require SCI entities to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that their SCI systems operate in the manner intended, including in a manner that complies with federal securities laws and rules and regulations thereunder and the entity's rules and governing documents, as applicable. In addition to the burden of establishing and maintaining such policies and procedures as set forth in the Paperwork Reduction Act Section above, the Commission preliminarily believes that SCI entities would incur costs in enforcing the substantive requirements that are the subject of the policies and procedures.

As noted above,\630\ NIST is an agency within the U.S. Department of Commerce that has issued numerous special publications regarding information technology systems. For example, one of the publications listed in Table A is the NIST Draft Security and Privacy Controls for Federal Information Systems and Organizations (Special Publication 800-53 Rev. 4) (February 2012) (``NIST 800-53'').\631\ This publication is a security controls catalog providing guidance for selecting and specifying security controls for federal information systems and organizations.
NIST 800-53 addresses how federal entities should achieve secure information systems, taking into account the fundamental elements of: (i) Multitiered risk management; (ii) the structure and organization of controls; (iii) security control baselines; (iv) the use of common controls and inheritance of security capabilities; (v) external environments and service providers; (vi) assurance and trustworthiness; and (vii) revisions and extensions to security controls and control baselines, among others. Although NIST 800-53 sets forth standards for federal agencies, it is also intended to serve a diverse audience of information system and information security professionals, including those having information system, security, and/or risk management and oversight responsibilities, information system development responsibilities, information security implementation and operational responsibilities, information security assessment and monitoring responsibilities, as well as commercial companies producing information technology products, systems, security-related technologies, and security services.\632\

---------------------------------------------------------------------------
\630\ See supra Section III.C.1.b.
\631\ See NIST 800-53, available at: https://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf.
\632\ See id. at 3.
---------------------------------------------------------------------------

The Commission preliminarily believes that many SCI entities will choose to establish, maintain, and enforce policies and procedures that are consistent with the proposed SCI industry standards contained in the publications set forth in Table A for purposes of satisfying the requirements of proposed Rule 1000(b)(1). However, as noted above, compliance with the identified SCI industry standards would not be the exclusive means to comply with the requirements of proposed Rule 1000(b)(1).
The Commission understands that the Table A publications, including NIST 800-53, are familiar to information technology personnel employed by many SCI entities, and that some SCI entities, particularly the SCI SROs and plan processors that participate in the ARP Inspection Program, currently adhere to all or at least some of the standards in NIST 800-53, or similar standards set forth in publications issued by other standards setting bodies, with some entities fully or nearly fully implementing such standards, while other entities may not have implemented such standards as broadly. For SCI entities that are not part of the ARP Inspection Program, while such entities may be familiar with such publications and standards generally, the Commission is not certain as to the level of compliance with such standards, and believes that there may be some such entities that are fully or nearly fully compliant, while others may have little or no compliance with such standards.

With respect to the substantive systems requirements resulting from adherence to SCI industry standards (which, solely for purposes of this Economic Analysis Section, the Commission assumes to be the proposed SCI industry standards contained in the publications identified in Table A, or publications setting forth substantially similar standards) underlying proposed Rule 1000(b)(1), as noted above, the Commission believes that certain entities that would satisfy the definition of SCI entity, particularly some that currently participate in the ARP Inspection Program, already comply with some of the requirements. On the other hand, the Commission believes that some SCI entities, including some that currently participate in the ARP Inspection Program, do not currently comply with some or all of the proposed requirements.
Further, although the Commission believes that each SCI entity would incur costs in complying with these requirements, the Commission believes that some entities already comply with SCI industry standards with respect to some of their systems. Moreover, the Commission acknowledges that certain SCI entities are larger or more complex than others, and that proposed Rule 1000(b)(1) would impose higher costs on larger and more complex systems.

Because the Commission does not at this time have sufficient information to reasonably estimate each SCI entity's current level of compliance with the proposed SCI industry standards contained in the publications set forth in Table A, the Commission estimates a [[Page 18171]] range of average costs for each SCI entity to comply with such standards. The Commission acknowledges that some SCI entities would incur costs near the bottom of the range because their systems policies and procedures currently meet SCI industry standards (which, as noted above, solely for purposes of this Economic Analysis Section, the Commission assumes to be the proposed SCI industry standards contained in the publications identified in Table A or in substantially similar publications). On the other hand, some SCI entities would incur costs near the middle or top of the range because their systems policies and procedures do not currently meet such standards.

Because the Commission lacks sufficient information regarding the current practices of all SCI entities, the Commission seeks comment on the extent to which SCI entities already have in place systems policies and procedures that would meet the proposed SCI industry standards (which, solely for purposes of this Economic Analysis Section, the Commission assumes to be the proposed SCI industry standards contained in the publications identified in Table A or in substantially similar publications).
Further, unlike the Paperwork Reduction Act Section where the Commission estimates a fifty-percent baseline with respect to proposed Rule 1000(b)(1)(i)(A)-(E) for entities that currently participate in the ARP Inspection Program, the Commission preliminarily estimates the same cost range for all SCI entities for compliance with the proposed substantive requirements that are the subject of the policies and procedures. On the one hand, the Commission believes that certain SCI entities (in particular, some entities that participate in the ARP Inspection Program) may already comply with some of the substantive requirements and thus would incur less incremental cost for complying with such requirements. On the other hand, the Commission believes that some SCI entities that currently participate in the ARP Inspection Program are larger and have more complex systems than those that do not participate in the ARP Inspection Program and, therefore, would incur more incremental cost for complying with the substantive requirements. As such, the Commission preliminarily believes it is unlikely that SCI entities that do not participate in the ARP Inspection Program would incur twice the cost as SCI entities that participate in the ARP Inspection Program to comply with the substantive systems requirements underlying the policies and procedures required by proposed Regulation SCI. 
Based on discussion with industry participants, the Commission preliminarily estimates that, to comply with the substantive requirements that are the subject of the policies and procedures required by proposed Rules 1000(b)(1) and (2), including consistency with the SCI industry standards (which, solely for purposes of this Economic Analysis, the Commission assumes to be the proposed SCI industry standards contained in the publications identified in Table A or in substantially similar publications) in connection with proposed Rule 1000(b)(1), on average, each SCI entity would incur an initial cost of between approximately $400,000 and $3 million.\633\ Based on this average, the Commission preliminarily estimates that SCI entities would incur a total initial cost of between approximately $17.6 million \634\ and $132 million.\635\ The Commission seeks comment on the estimated average initial cost range for SCI entities to comply with the substantive requirements underlying the policies and procedures required by proposed Rules 1000(b)(1) and (2).

---------------------------------------------------------------------------
\633\ The Commission preliminarily estimates a range of cost for complying with the substantive requirements that are the subject of the policies and procedures required by proposed Rules 1000(b)(1) and (2) because some SCI entities are already in compliance with some of these substantive requirements. For example, the Commission believes that many SCI SROs (e.g., certain national securities exchanges and registered clearing agencies) already have or have begun implementation of business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse to ensure next business day resumption of trading and two-hour resumption of clearance and settlement services following a wide-scale disruption.
\634\ $17.6 million = ($400,000) x (44 SCI entities).
\635\ $132 million = ($3 million) x (44 SCI entities).
---------------------------------------------------------------------------

The preliminary cost estimates described above represent an estimated average cost range per SCI entity, and the Commission acknowledges that some of the costs to comply with the substantive requirements of proposed Rules 1000(b)(1) and (2) may be significantly higher than the estimated average for some SCI entities, while some of the costs may be significantly lower for other SCI entities. In particular, the Commission preliminarily believes that the costs associated with the requirement in proposed Rule 1000(b)(1)(i)(E) that an SCI entity have policies and procedures that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse to ensure next business day resumption of trading and two-hour resumption of clearance and settlement services following a wide-scale disruption is an area in which different SCI entities may encounter significantly different compliance costs. For example, among national securities exchanges, the Commission understands that many, though not all, national securities exchanges already have or soon expect to have backup facilities that do not rely on the same infrastructure components used by their primary facility. For those national securities exchanges that do not have such backup facilities, the cost to build and maintain such facilities may result in their compliance costs being significantly higher than those of national securities exchanges that already satisfy the proposed requirement.\636\ The application of the geographic diversity requirement to other entities, such as ATSs, under the proposed rule, would depend on the nature, size, technology, business model, and other aspects of their business.
---------------------------------------------------------------------------
\636\ As noted, solely for purposes of this Economic Analysis, the Commission has assumed that the SCI industry standards would be those contained in the publications identified in Table A or in substantially similar publications. However, as proposed Rule 1000(b)(1)(ii) makes clear, compliance with such current industry standards, including the geographic diversity requirements contained in the 2003 Interagency White Paper, supra note 31, is not the exclusive means to comply with the requirements of proposed Rule 1000(b)(1). See also supra note 182.
---------------------------------------------------------------------------

218. The Commission requests commenters' views on how many SCI entities would not currently satisfy the proposed requirement relating to geographic diversity of backup sites. The Commission requests commenters' views on the costs of establishing backup sites to satisfy the proposed geographic diversity requirement, particularly for entities that currently would not satisfy the proposed requirement. In such a case, given the likely significant cost and time associated with building such backup sites, how long do commenters believe it would take for SCI entities to come into compliance with such a proposed requirement? Would it be appropriate for the Commission to allow an extended period prior to which compliance with this proposed requirement would be effective? Why or why not? If so, how long should such period be and why? Should such an extended period only be permitted for a subset of SCI entities? If so, how should such a subset be determined? Please describe.
As noted above, because the Commission does not at this time have sufficient information to reasonably estimate each SCI entity's current level [[Page 18172]] of compliance with the substantive requirements underlying the policies and procedures, the Commission preliminarily estimates a range of average initial costs for each SCI entity to comply with the substantive requirements underlying the policies and procedures required by proposed Rules 1000(b)(1) and (2). Based on the estimates of the initial costs, the Commission estimates a range of average ongoing cost for each SCI entity to comply with the requirements using two-thirds of the initial cost. The Commission preliminarily believes that a two-thirds estimate is appropriate because although proposed Rules 1000(b)(1) and (2) would require SCI entities to comply with certain systems requirements including, for example, establishing reasonable current and future capacity planning estimates on an ongoing basis, as well as conducting tests and reviews of their systems on an ongoing basis, the Commission preliminarily believes that SCI entities would incur an additional initial cost to, for example, revise the underlying software code of their systems to the extent needed to bring those systems into compliance with the requirements of the proposed rules.
Therefore, the Commission preliminarily estimates that, to comply with the substantive requirements that are the subject of the policies and procedures required by proposed Rules 1000(b)(1) and (2), including consistency with SCI industry standards in connection with proposed Rule 1000(b)(1), on average, each SCI entity would incur an ongoing annual cost of between approximately $267,000 \637\ and $2 million.\638\ Based on this estimated range, the Commission preliminarily estimates that SCI entities would incur a total ongoing cost of between approximately $11.7 million \639\ and $88 million.\640\ The Commission seeks comment on the estimated average ongoing cost range for SCI entities to comply with the substantive requirements underlying the policies and procedures required by proposed Rules 1000(b)(1) and (2).

---------------------------------------------------------------------------
\637\ $266,667 = $400,000 (estimated initial cost to comply with the substantive requirements) x (\2/3\).
\638\ $2 million = $3 million (estimated initial cost to comply with the substantive requirements) x (\2/3\).
\639\ $11.7 million = ($266,667) x (44 SCI entities).
\640\ $88 million = ($2 million) x (44 SCI entities).
---------------------------------------------------------------------------

The mandatory testing of SCI entity business continuity and disaster recovery plans, including backup systems, as proposed to be required under proposed Rule 1000(b)(9), would place an additional burden on SCI entities. The Commission believes that some SCI entities require some or all of their members or participants to connect to their backup systems \641\ and that most, if not all, SCI entities already offer their members or participants the opportunity to test such plans, although they do not currently mandate participation by all members or participants in such testing.
In addition, market participants, including SCI entities, already coordinate certain business continuity plan testing to some extent. Thus, the Commission preliminarily believes that additional costs of proposed Rule 1000(b)(9) to SCI entities would be minimal. However, for SCI entity members or participants, additional costs could be significant, and highly variable depending on the business continuity and disaster recovery plans being tested. However, based on discussions with market participants, the Commission preliminarily estimates the cost of the testing of such plans to range from immaterial administrative costs (for SCI entity members and participants that currently maintain connections to SCI entity backup systems) to a range of $24,000 to $60,000 per year per member or participant in connection with each SCI entity. Costs at the higher end of this range would accrue for members or participants who would need to invest in additional infrastructure and to maintain connectivity with an SCI entity's backup systems in order to participate in testing.\642\ The Commission is unable at this time to provide a precise cost estimate for the total aggregate cost to SCI entity members and participants of the requirements relating to proposed Rule 1000(b)(9), as it does not know how each SCI entity will determine its standards for designating members or participants that it would require to participate in the testing required by proposed Rule 1000(b)(9)(i), and thus does not know the number of members or participants at each SCI entity that would be designated as required to participate in testing, and whether such designated members and participants are those that already maintain connections to SCI entity backup systems. 
However, the Commission preliminarily believes that an aggregate annual cost of approximately $66 million to designated members and participants is a reasonable estimate.\643\ The Commission requests comment on these estimates and the assumptions underlying them.
---------------------------------------------------------------------------
\641\ See, e.g., CBOE Rule 6.18 (requiring Trading Permit Holders to take appropriate actions as instructed by CBOE to accommodate CBOE's ability to trade options via the back-up data center); CBOE Regulatory Circular RG12-163 (stating that Trading Permit Holders are required to maintain connectivity with the back-up data center and have the ability to operate in the back-up data center should circumstances arise that require it to be used); NYSE Rule 49(b)(2)(iii) (requiring NYSE members to have contingency plans to accommodate the use of the systems and facilities of NYSE Arca, NYSE's designated backup facility). See also Securities Exchange Act Release No. 52446 (September 15, 2005), 70 FR 55435 (September 21, 2005) (approving a proposed rule change by each of DTC, FICC, and NSCC imposing fines on ``top tier'' members that fail to conduct required connectivity testing for business continuity purposes, as reflected, e.g., in NSCC Rules and Procedures, Addendum P, available at: https://www.dtcc.com/legal/rules_proc/nscc_rules.pdf). See also, e.g., BATS Rule 18.38, Nasdaq Options Rule 13, and BOX Rule 3180 (permitting each exchange to require members to participate in computer systems testing in the manner and frequency prescribed by such exchange).
\642\ Based on industry sources, the Commission understands that most of the larger members or participants of SCI entities already maintain connectivity with the backup systems of SCI entities while, among smaller members or participants of SCI entities, there is a lower incidence of members or participants maintaining such connectivity.
The Commission requests comment on the accuracy of this understanding.
\643\ This estimate assumes that 44 SCI entities would each designate an average of 150 members or participants to participate in the necessary testing. Based on industry sources, the Commission understands that many SCI entities have between 200 and 400 members or participants, though some have more and some have fewer. In addition, the Commission preliminarily believes that it is reasonable to estimate that the members or participants of SCI entities that are most likely to be designated as required to participate in testing are those that conduct a high level of activity with the SCI entity, or that play an important role for the SCI entity (such as market makers), and that such members or participants currently are likely to already maintain connectivity with an SCI entity's backup systems. Therefore, the Commission estimates the average cost for each member or participant of an SCI entity to be $10,000, which takes into account the fact that the Commission preliminarily believes that many members or participants of SCI entities that would be required to participate in such testing would already have such connectivity, and thus have minimal cost. Based on these assumptions, the Commission estimates that the total aggregate cost to all members or participants of all SCI entities would be approximately $66 million (44 SCI entities x 150 members or participants x $10,000 = $66 million).
---------------------------------------------------------------------------
The Commission preliminarily believes that the corrective action to mitigate harm resulting from SCI events would impose modest incremental costs on SCI entities because, in the usual course of business, SCI entities already take corrective actions in response to systems issues.
Proposed Rule 1000(b)(3) supplements the existing incentives of SCI entities to correct an SCI event quickly by focusing on potential harm to investors and market integrity and by requiring SCI entities to devote adequate resources to begin to take corrective action as soon as reasonably practicable. Based on its experience with the ARP Inspection Program, the Commission believes that entities currently participating in the ARP Inspection Program already take corrective actions in response to a systems issue, and believes that other SCI entities also take corrective actions in response to a systems issue. Nevertheless, the Commission preliminarily believes that proposed Rule 1000(b)(3) could result in modestly increased costs for SCI entities per SCI event for corrective action relative to current practice for SCI entities, as a result of undertaking corrective action sooner than they might have otherwise and/or increasing investment in newer, more updated systems earlier than they might have otherwise. If, however, proposed Regulation SCI reduces the frequency and severity of SCI events, the overall costs to SCI entities of corrective action may not increase significantly from the costs incurred without proposed Regulation SCI. However, the degree to which proposed Regulation SCI will reduce the frequency and severity of SCI events is unknown. Thus, the Commission is, at this time, unable to estimate the precise impact of proposed Regulation SCI due to an SCI entity's corrective action.
Thus, the Commission requests comment regarding the costs associated with proposed Regulation SCI's corrective action requirements, including what such costs would be on an annualized basis.\644\
---------------------------------------------------------------------------
\644\ See also supra Section IV.D.3 (estimating paperwork burdens associated with SCI entities developing a process for ensuring that they are prepared to take corrective action as required by proposed Rule 1000(b)(3), and reviewing that process on an ongoing basis).
---------------------------------------------------------------------------
When an SCI event occurs, an SCI entity needs to determine whether the event is an immediate notification SCI event or a dissemination SCI event because the proposed rule would impose different obligations on SCI entities for such events. Identifying these types of SCI events may impose one-time implementation costs on SCI entities associated with developing a process for ensuring that they are able to quickly and correctly make such determinations, as well as periodic costs in reviewing the adopted process.\645\
---------------------------------------------------------------------------
\645\ The initial and ongoing burdens associated with making these determinations are discussed in the Paperwork Reduction Act Section above. See supra Section IV.D.3 (estimating burdens resulting from SCI entities determining whether an SCI event is an immediate notification SCI event or dissemination SCI event).
---------------------------------------------------------------------------
The Commission notes that proposed Rule 1000(d) would require that any written notification, review, description, analysis, or report to the Commission (except any written notification submitted pursuant to proposed Rule 1000(b)(4)(i)) be submitted electronically and contain an electronic signature.
This proposed rule would require that every SCI entity have the ability to submit forms electronically with an electronic signature. The Commission believes that most, if not all, SCI entities currently have the ability to access and submit an electronic form such that the requirement to submit Form SCI electronically will not impose new implementation costs. The initial and ongoing costs associated with various electronic submissions of Form SCI are discussed in the Paperwork Reduction Act Section above.\646\
---------------------------------------------------------------------------
\646\ See supra Section IV.D.2 (estimating burdens resulting from notice, dissemination, and reporting requirements for SCI entities).
---------------------------------------------------------------------------
The Commission recognizes that some of the costs imposed by proposed Regulation SCI may ultimately be transferred to intermediaries, such as market participants that access national securities exchanges or clearing agencies, for example, in the form of higher fees. The Commission recognizes that, if costs relating to compliance with proposed Regulation SCI are passed on in the form of increased prices to users of SCI entities, there may be a loss of efficiency as a result of the net increase in costs to SCI entity customers. The Commission also preliminarily believes that, for some SCI entities, the cost estimates may be lower than the actual costs to be incurred, such as for entities that are not currently part of the ARP Inspection Program or that have complex automated systems. However, on balance, the Commission preliminarily believes that the incremental direct cost estimates above are appropriate.
b. Other Costs
The Commission recognizes that proposed Regulation SCI could have other potential costs that cannot be quantified at this time.
For example, entities covered by the proposed rule frequently make systems changes to comply with new and amended rules and regulations, such as rules and regulations under federal securities laws and SRO rules. The Commission recognizes that, for entities that meet the definition of SCI entities, because they must continue to comply with proposed Regulation SCI when they make systems changes, proposed Regulation SCI could increase the costs and time needed to make systems changes to comply with new and amended rules and regulations. The Commission requests comment on the nature of such additional costs and time.
The Commission also considered whether proposed Regulation SCI would impact innovation in ATSs or raise barriers to entry. The Commission recognizes that, if proposed Regulation SCI were to cause SCI entities, including ATSs, to allocate resources towards ensuring they have robust systems and the personnel necessary to comply with proposed Regulation SCI's requirements and away from new features for their systems, or investing in research and development, proposed Regulation SCI may have a negative impact on innovation among such entities and thus impact competition. Similarly, if the costs of proposed Regulation SCI were to be viewed by persons considering forming new ATSs to be so onerous as to dissuade them from starting new ATSs, competition would also be negatively impacted. To balance any concern about discouraging innovation and raising barriers to entry against the need for regulation, the Commission proposes thresholds for SCI ATSs that are designed to include only the ATSs that are most likely to have a significant impact on markets due to an SCI event, and requests comment on the thresholds.\647\ The tradeoffs associated with these thresholds are discussed in more detail below.
---------------------------------------------------------------------------
\647\ See supra Section III.B.1 and supra notes 100-123 and accompanying text.
---------------------------------------------------------------------------
Finally, by specifying the timing, type, and format of information to be submitted to the Commission and by requiring electronic submission of Form SCI, Commission staff should be able to more efficiently review and analyze the information submitted. It is particularly important for the Commission to be able to review and analyze filings on Form SCI efficiently because proposed Regulation SCI would require all SCI events to be reported to the Commission. The Commission is not proposing at this time to require the data to be submitted in a tagged data format (e.g., XML, XBRL, or another structured data format that may be tagged), although it has requested specific comment as to whether it should, and the costs and benefits of doing so.\648\ The Commission recognizes that it could more readily analyze filings submitted in a tagged data format than in PDF format, and the subsequent potential benefits to investors may be greater. However, these benefits are balanced against the costs to the SCI entities of submitting filings in a tagged format.
---------------------------------------------------------------------------
\648\ See, e.g., request for comment in supra Section III.D.1.
---------------------------------------------------------------------------
c. Scaling
The Commission recognizes that the benefits of every provision of proposed Regulation SCI may not justify the costs of the provision if every requirement applied to every SCI entity and SCI event. In particular, the Commission recognizes that applying each requirement to every SCI entity and every SCI event could adversely affect competition and efficiency.
Therefore, the Commission has proposed that not all SCI events be subject to the same requirements as immediate notification SCI events and dissemination SCI events, and that ATSs that do not meet the definition of SCI ATS, and broker-dealers who are not ATSs, should not be subject to the same requirements as SCI entities. The discussion that follows lays out the tradeoffs associated with determining the appropriate cutoffs for determining which events are immediate notification SCI events or dissemination SCI events, and which ATSs are SCI ATSs. In sum, the Commission believes that the requirements balance the need for regulation against the potential efficiency, competition, and capital formation concerns of the regulation. In the Commission's judgment, the cost of complying with the proposed rules would not be so large as to significantly raise barriers to entry or otherwise alter the competitive landscape of the entities involved.
As defined in proposed Rule 1000(a), a dissemination SCI event is an SCI event that is a: systems compliance issue; systems intrusion; or systems disruption that results, or the SCI entity reasonably estimates would result, in a significant harm or loss to market participants. If the criteria for dissemination SCI events are set too low, the member or participant dissemination requirements under proposed Regulation SCI could be very costly.\649\ Therefore, the Commission carefully considered tradeoffs in defining the term dissemination SCI event. On the one hand, the definition should ensure that SCI events that have significant impacts on the markets are captured as dissemination SCI events.\650\ On the other hand, not every SCI event should be included. First, there are higher costs associated with dealing with dissemination SCI events as compared to SCI events that are not dissemination SCI events, due to the additional requirements relating to dissemination of information to members or participants.
Second, SCI entity members or participants may be provided with unnecessary information if information about too many SCI events that do not have a significant impact on the markets is disseminated to members or participants. If there is excessive dissemination of insignificant events, truly important events may get hidden among others that do not have the same degree of significance or impact on the securities markets.\651\ SCI entity members or participants also may not pay attention to disseminated SCI events if an excessive number of insignificant events are disseminated and notifications about SCI events become routine. The proposed definition of dissemination SCI event is an attempt to balance these concerns.
---------------------------------------------------------------------------
\649\ As noted above, an immediate notification SCI event includes any systems disruption that the SCI entity reasonably estimates would have a material impact on its operations or on market participants, any systems compliance issue, or any systems intrusion. See supra Section III.C.3.b. As with dissemination SCI events, if the criteria for immediate notification SCI events are set too low, SCI entities would incur additional costs in providing immediate notification to the Commission.
\650\ With respect to immediate Commission notification, the Commission should be immediately notified of any systems disruption that the SCI entity reasonably estimates would have a material impact on its operations or on market participants, any systems compliance issue, or any systems intrusion.
\651\ Similarly, immediate Commission notification of only immediate notification SCI events should help the Commission focus its attention on SCI events that may potentially impact an SCI entity's operations or market participants.
---------------------------------------------------------------------------
Section III.B.1 discusses the definition of ``SCI ATS'' in proposed Rule 1000(a).
The proposal would replace the threshold for NMS stocks of 20 percent or more of the average daily volume in any NMS stock. The proposal bases the definition of SCI ATS on average daily dollar volume and sets the threshold at five percent or more in any single NMS stock and one-quarter percent or more in all NMS stocks, or one percent or more in all NMS stocks. The proposal changes the threshold for non-NMS stocks to at least five percent of the aggregate average daily dollar volume from twenty percent of the average daily share volume. These proposed thresholds reflect developments in equities markets that resulted in a higher number of trading venues and less concentrated trading, and are designed to ensure that the proposed rule is applied to all ATSs that trade more than a limited amount of securities and for which SCI events may cause a significant impact on the overall market. The main benefit of the proposed thresholds is to bring more ATSs into the SCI ATS definition than are currently subject to the systems safeguard provisions of Rule 301(b)(6) of Regulation ATS, which in turn would make them SCI entities. This would help ensure that SCI ATSs that trade a certain amount of securities are covered by the proposed regulation. The Commission recognizes the potential for a low threshold to discourage automation and innovation but, as noted below, the Commission has balanced the concerns regarding discouraging automation and innovation against the need for regulation, and preliminarily believes that innovation is unlikely to be hampered and automation is likely to continue to increase. To that extent, the proposed rule uses a two-prong approach for NMS stocks. The threshold is based on market share in individual stocks.
However, it is also required that the ATS have a certain market share of the overall market in all NMS stocks, to prevent an ATS from being subject to proposed Regulation SCI for meeting the five percent threshold in any single NMS stock for a micro-cap stock while not having significant market share in all NMS stocks. As discussed above, the Commission believes that approximately 10 NMS stock ATSs and two non-NMS stock ATSs would fall within the definition of SCI ATS.\652\
---------------------------------------------------------------------------
\652\ See supra Section III.B.1.
---------------------------------------------------------------------------
For municipal and corporate debt securities, the proposal would lower the threshold from 20 percent or more to five percent or more. However, the proposal contemplates a two-prong approach considering either average daily dollar volume or average daily transaction volume, and exceeding the threshold in either one would qualify an ATS as an SCI ATS. The use of the two metrics is intended to take into account the fact that ATSs in the debt securities markets may handle primarily retail trades (i.e., large transaction volume but small dollar volume) or institutional-sized trades (i.e., large dollar volume but small transaction volume). The proposed thresholds for municipal and corporate debt securities are different from the proposed thresholds for NMS stocks. This difference reflects the fact that, in the debt securities markets (i.e., municipal securities and corporate debt securities), the degree of automation and electronic trading is much lower than in the markets for NMS stocks, which the Commission preliminarily believes may reduce the need for more stringent rules and regulations.
In addition, the Commission preliminarily believes that the imposition of a threshold lower than five percent on the current debt securities markets could have the unintended effect of discouraging automation in these markets and discouraging new entrants into these markets. Also, due to the large number of issues outstanding in these debt securities markets, trading volume may be extremely low in a given issue, but also may fluctuate significantly from day to day and issue to issue. Therefore, the thresholds for debt securities consider aggregate volume instead of volume in an individual issue. As discussed above, the Commission preliminarily believes that three municipal securities and corporate debt securities ATSs would fall within the definition of SCI ATS.\653\
---------------------------------------------------------------------------
\653\ See id.
---------------------------------------------------------------------------
D. Request for Comment on Economic Analysis
219. The Commission is sensitive to the potential economic effects, including the costs and benefits, of proposed Regulation SCI. The Commission has identified above certain costs and benefits associated with the proposal and requests comment on all aspects of its preliminary economic analysis.\654\ The Commission encourages commenters to identify, discuss, analyze, and supply relevant data, information, or statistics regarding any such costs or benefits. In particular, the Commission seeks comment on the following:
---------------------------------------------------------------------------
\654\ The Commission has also considered the views expressed in comment letters submitted in connection with the Roundtable, as well as the views expressed by Roundtable participants. See supra Section I.C.
---------------------------------------------------------------------------
220.
Do commenters agree that the release provides a fair representation of current practices and how those current practices would change under proposed Regulation SCI? Why or why not? Please be specific in your response regarding current practices and how they would change under proposed Regulation SCI.
221. Do commenters agree with the Commission's characterization of the relevant markets in which SCI entities participate, as well as the market failures identified with respect to each of the relevant markets? Why or why not? Specifically, do commenters agree with the identified level of competition in each of the relevant markets? Why or why not?
222. What is a typical market participant's general level of expectation of how well the market operates? Do market participants currently have all the information they need to make informed decisions that manage their exposure to SCI events? If not, would proposed Regulation SCI provide the needed information? Why or why not?
223. Do commenters agree with the Commission's analysis of the costs and benefits of each provision of proposed Regulation SCI, including the definitions under proposed Rule 1000(a)? Why or why not?
224. Do commenters believe that there are additional benefits or costs that could be quantified or otherwise monetized? If so, please identify these categories and, if possible, provide specific estimates or data.
225. Are there any additional benefits that may arise from proposed Regulation SCI? Or are there benefits described above that would not likely result from proposed Regulation SCI? If so, please explain these benefits or lack of benefits in detail.
226. Are there any additional costs that may arise from proposed Regulation SCI? Are there any potential unintended consequences of proposed Regulation SCI? Or are there costs described above that would not likely result from proposed Regulation SCI? If so, please explain these costs or lack of costs in detail.
227.
Do the types or extent of any anticipated benefits or costs from proposed Regulation SCI differ between the different types of SCI entities? For example, do potential benefits or costs differ with respect to SCI SROs as compared to SCI ATSs? Please explain.
228. Are there methods (including any suggested by Roundtable panelists or commenters) by which the Commission could reduce the costs imposed by Regulation SCI while still achieving the goals? Please explain.
229. Does the release appropriately describe the potential impacts of proposed Regulation SCI on the promotion of efficiency, competition, and capital formation? Why or why not?
230. To the extent that there are reasonable alternatives to any of the rules under proposed Regulation SCI, what are the potential costs and benefits of those reasonable alternatives relative to the proposed rules? What are the potential impacts on the promotion of efficiency, competition, and capital formation of those reasonable alternatives? For example, what would be the effect on the economic analysis of requiring SCI entities to conduct an SCI review that requires penetration testing annually? What would be the effect on the economic analysis of requiring SCI entities to inform members and participants of all SCI events? What would be the effect on the economic analysis of requiring filing in a tagged data format (e.g., XML, XBRL, or another structured data format that may be tagged)? What would be the effect on the economic analysis of including broker-dealers, or a subset thereof, in the definition of SCI entities?
231. In addition, as noted above, the proposed requirement that an SCI entity disseminate information relating to dissemination SCI events to its members or participants is focused on disseminating information to those who need, want, and can act on the information disseminated. The Commission also preliminarily believes that this proposed requirement could promote competition and capital formation.
Are there alternative mechanisms for achieving the Commission's goals while promoting competition and capital formation? Are there costs associated with this proposed approach that have not been considered? For example, would the requirement to disseminate information to members or participants about dissemination SCI events increase an SCI entity's litigation costs, or cause an SCI entity to lose business (e.g., if market participants misjudge the meaning of information disseminated about dissemination SCI events)? Would the benefits of the proposed information dissemination outweigh the costs? Why or why not? Please explain.
232. The Commission also generally requests comment on the competitive or anticompetitive effects, as well as the efficiency and capital formation effects, of proposed Regulation SCI on market participants if the proposed rules are adopted as proposed. Commenters should provide analysis and empirical data to support their views on the competitive or anticompetitive effects, as well as the efficiency and capital formation effects, of proposed Regulation SCI.
233. Finally, as stated above, proposed Rule 1000(b)(1) would require SCI entities to establish, maintain, and enforce written policies and procedures, reasonably designed to ensure that their SCI systems and, for purposes of security standards, SCI security systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity's operational capability and promote the maintenance of fair and orderly markets. As discussed above, the Commission is proposing that an SCI entity's policies and procedures required by proposed Rule 1000(b)(1) be deemed to be reasonably designed if they are consistent with current SCI industry standards.\655\ However, the costs identified above may not fully incorporate all of the costs of adhering to initial or future SCI industry standards.
For example, if an SCI industry standard is based on the standards of NIST (which issues a number of the publications listed in Table A), it could include additional requirements not otherwise required in proposed Regulation SCI, such as establishment of assurance-related controls (including, for example, conduct of integrity checks on software and firmware components, or monitoring of established secure configuration settings). Any additional requirements would likely impose costs on SCI entities. Therefore, the Commission requests comment on what benefits or costs, quantifiable or otherwise, could potentially be imposed by the identification of SCI industry standards. What is market participants' current level of compliance with the industry standards contained in the publications listed in Table A? What would be the costs to SCI entities (in addition to the cost of adhering to current practice) of the Commission identifying examples of industry standards? What would be the benefits? Please explain.
---------------------------------------------------------------------------
\655\ Proposed SCI industry standards are contained in the publications identified in Table A. See supra Section III.C.1.b.
---------------------------------------------------------------------------
VI. Consideration of Impact on the Economy
For purposes of the Small Business Regulatory Enforcement Fairness Act of 1996, or ``SBREFA,'' \656\ the Commission must advise OMB as to whether proposed Regulation SCI constitutes a ``major'' rule. Under SBREFA, a rule is considered ``major'' where, if adopted, it results or is likely to result in: (1) An annual effect on the economy of $100 million or more (either in the form of an increase or decrease); (2) a major increase in costs or prices for consumers or individual industries; or (3) a significant adverse effect on competition, investment or innovation.
---------------------------------------------------------------------------
\656\ Public Law 104-121, Title II, 110 Stat. 857 (1996) (codified in various sections of 5 U.S.C., 15 U.S.C. and as a note to 5 U.S.C. 601).
---------------------------------------------------------------------------
234. The Commission requests comment on the potential impact of proposed Regulation SCI on the economy on an annual basis, on the costs or prices for consumers or individual industries, and any potential effect on competition, investment, or innovation. Commenters are requested to provide empirical data and other factual support for their views to the extent possible.
VII. Regulatory Flexibility Act Certification
The Regulatory Flexibility Act (``RFA'') \657\ requires Federal agencies, in promulgating rules, to consider the impact of those rules on small entities. Section 603(a) \658\ of the Administrative Procedure Act,\659\ as amended by the RFA, generally requires the Commission to undertake a regulatory flexibility analysis of all proposed rules, or proposed rule amendments, to determine the impact of such rulemaking on ``small entities.'' \660\ Section 605(b) of the RFA states that this requirement shall not apply to any proposed rule or proposed rule amendment which, if adopted, would not have a significant economic impact on a substantial number of small entities.
---------------------------------------------------------------------------
\657\ 5 U.S.C. 601 et seq.
\658\ 5 U.S.C. 603(a).
\659\ 5 U.S.C. 551 et seq.
\660\ Although Section 601(b) of the RFA defines the term ``small entity,'' the statute permits agencies to formulate their own definitions. The Commission has adopted definitions for the term ``small entity'' for purposes of Commission rulemaking in accordance with the RFA. Those definitions, as relevant to this proposed rulemaking, are set forth in Rule 0-10, 17 CFR 240.0-10. See Securities Exchange Act Release No.
18451 (January 28, 1982), 47 FR 5215 (February 4, 1982) (File No. AS-305).
---------------------------------------------------------------------------
A. SCI Entities
Paragraph (a) of Rule 0-10 provides that for purposes of the RFA, a small entity when used with reference to a ``person'' other than an investment company means a person that, on the last day of its most recent fiscal year, had total assets of $5 million or less.\661\ With regard to broker-dealers, small entity means a broker or dealer that had total capital of less than $500,000 on the date in the prior fiscal year as of which its audited financial statements were prepared pursuant to Rule 17a-5(d) under the Exchange Act, or, if not required to file such statements, total capital of less than $500,000 on the last business day of the preceding fiscal year (or in the time that it has been in business, if shorter), and that is not affiliated with any person that is not a small business or small organization.\662\ With regard to clearing agencies, small entity means a clearing agency that compared, cleared, and settled less than $500 million in securities transactions during the preceding fiscal year (or in the time that it has been in business, if shorter), had less than $200 million of funds and securities in its custody or control at all times during the preceding fiscal year (or in the time that it has been in business, if shorter), and is not affiliated with any person (other than a natural person) that is not a small business or small organization.\663\ With regard to exchanges, a small entity is an exchange that has been exempt from the reporting requirements of Rule 601 under Regulation NMS, and is not affiliated with any person (other than a natural person) that is not a small business or small organization.\664\ With regard to securities information processors, a small entity is a securities information processor that had gross revenue of less than $10 million during the preceding year (or in
the time it has been in business, if shorter), provided service to fewer than 100 interrogation devices or moving tickers at all times during the preceding fiscal year (or in the time it has been in business, if shorter), and is not affiliated with any person (that is not a natural person) that is not a small business or small organization.\665\ Under the standards adopted by the Small Business Administration (``SBA''), entities engaged in financial investments and related activities are considered small entities if they have $7 million or less in annual receipts.\666\ --------------------------------------------------------------------------- \661\ See 17 CFR 240.0-10(a). \662\ See 17 CFR 240.0-10(c). \663\ See 17 CFR 240.0-10(d). \664\ See 17 CFR 240.0-10(e). \665\ See 17 CFR 240.0-10(g). \666\ See SBA's Table of Small Business Size Standards, Subsector 523 and 13 CFR 121.201. Such entities include firms engaged in investment banking and securities dealing, securities brokerage, commodity contracts dealing, commodity contracts brokerage, securities and commodity exchanges, miscellaneous intermediation, portfolio management, investment advice, trust, fiduciary and custody activities, and miscellaneous financial investment activities. --------------------------------------------------------------------------- Based on the Commission's existing information about the entities that will be subject to proposed Regulation SCI, the Commission preliminarily believes that SCI entities that are self-regulatory organizations (national securities exchanges, national securities associations, registered clearing agencies, and the MSRB) or exempt clearing agencies subject to ARP would not fall within the definition of ``small entity'' as described above. 
With regard to plan processors, which are defined under Rule 600(b)(55) of Regulation NMS to mean a self-regulatory organization or securities information processor acting as an exclusive processor in connection with the development, implementation and/or operation of any facility contemplated by an effective NMS plan,\667\ the Commission's definition of ``small entity'' as it relates to self-regulatory organizations and securities information processors would apply. The Commission preliminarily does not believe that any plan processor would be a ``small entity'' as defined above. With regard to SCI ATSs, because they are registered as broker-dealers, the Commission's definition of ``small entity'' as it relates to broker-dealers would apply. As stated above, the Commission preliminarily believes that approximately 15 ATSs would satisfy the definition of SCI ATSs and would be impacted by proposed Regulation SCI.\668\ The Commission preliminarily does not believe that any of these 15 SCI [[Page 18177]] ATSs would be a ``small entity'' as defined above. --------------------------------------------------------------------------- \667\ See 17 CFR 242.600(b)(55). \668\ See supra Section III.B.1, discussing the proposed definition of SCI entity. --------------------------------------------------------------------------- B. Certification For the foregoing reasons, the Commission certifies that proposed Regulation SCI would not have a significant economic impact on a substantial number of small entities for the purposes of the RFA. 235. The Commission requests comment regarding this certification. The Commission requests that commenters describe the nature of any impact on small entities and provide empirical data to illustrate the extent of the impact. VIII. Statutory Authority and Text of Proposed Amendments Pursuant to the Exchange Act, 15 U.S.C. 78a et seq., and particularly, Sections 2, 3, 5, 6, 11A, 15, 15A, 17, 17A, and 23(a) thereof, 15 U.S.C. 
78b, 78c, 78e, 78f, 78k-1, 78o, 78o-3, 78q, 78q-1, and 78w(a), the Commission proposes to adopt Regulation SCI under the Exchange Act and Form SCI under the Exchange Act, and to amend Regulation ATS under the Exchange Act. List of Subjects in 17 CFR Parts 242 and 249 Securities, brokers, reporting and recordkeeping requirements. For the reasons stated in the preamble, the Commission is proposing to amend title 17, chapter II of the Code of Federal Regulations as follows: PART 242--REGULATIONS M, SHO, ATS, AC, NMS AND SCI AND CUSTOMER MARGIN REQUIREMENTS FOR SECURITY FUTURES ■ 1a. The authority citation for part 242 continues to read as follows: Authority: 15 U.S.C. 77g, 77q(a), 77s(a), 78b, 78c, 78g(c)(2), 78i(a), 78j, 78k-1(c), 78l, 78m, 78n, 78o(b), 78o(c), 78o(g), 78q(a), 78q(b), 78q(h), 78w(a), 78dd-1, 78mm, 80a-23, 80a-29, and 80a-37. ■ 1b. The heading of part 242 is revised to read as set forth above. Sec. 242.301--[Amended] ■ 2. In Sec. 242.301, remove and reserve paragraph (b)(6). ■ 3. Add an undesignated center heading and Sec. 242.1000 to read as follows: Regulation SCI--Systems Compliance and Integrity Sec. 242.1000 Definitions and requirements for SCI entities (a) Definitions. For purposes of this section, the following definitions shall apply: Dissemination SCI event means an SCI event that is a: (1) Systems compliance issue; (2) Systems intrusion; or (3) Systems disruption that results, or the SCI entity reasonably estimates would result, in significant harm or loss to market participants. Electronic signature has the meaning set forth in Sec. 240.19b-4(j) of this chapter. Exempt clearing agency subject to ARP means an entity that has received from the Commission an exemption from registration as a clearing agency under Section 17A of the Act, and whose exemption contains conditions that relate to the Commission's Automation Review Policies (ARP), or any Commission regulation that supersedes or replaces such policies. 
Material systems change means a change to one or more: (1) SCI systems of an SCI entity that: (i) Materially affects the existing capacity, integrity, resiliency, availability, or security of such systems; (ii) Relies upon materially new or different technology; (iii) Provides a new material service or material function; or (iv) Otherwise materially affects the operations of the SCI entity; or (2) SCI security systems of an SCI entity that materially affects the existing security of such systems. Plan processor has the meaning set forth in Sec. 242.600(b)(55). Responsible SCI personnel means, for a particular SCI system or SCI security system impacted by an SCI event, any personnel, whether an employee or agent, of the SCI entity having responsibility for such system. SCI alternative trading system or SCI ATS means an alternative trading system, as defined in Sec. 242.300(a), which during at least four of the preceding six calendar months, had: (1) With respect to NMS stocks: (i) Five percent (5%) or more in any single NMS stock, and one-quarter percent (0.25%) or more in all NMS stocks, of the average daily dollar volume reported by an effective transaction reporting plan; or (ii) One percent (1%) or more in all NMS stocks of the average daily dollar volume reported by an effective transaction reporting plan; (2) With respect to equity securities that are not NMS stocks and for which transactions are reported to a self-regulatory organization, five percent (5%) or more of the average daily dollar volume as calculated by the self-regulatory organization to which such transactions are reported; (3) With respect to municipal securities, five percent (5%) or more of either: (i) The average daily dollar volume traded in the United States; or (ii) The average daily transaction volume traded in the United States; or (4) With respect to corporate debt securities, five percent (5%) or more of either: (i) The average daily dollar volume traded in the United States; or (ii) 
The average daily transaction volume traded in the United States. SCI entity means an SCI self-regulatory organization, SCI alternative trading system, plan processor, or exempt clearing agency subject to ARP. SCI event means an event at an SCI entity that constitutes: (1) A systems disruption; (2) A systems compliance issue; or (3) A systems intrusion. SCI review means a review, following established procedures and standards, that is performed by objective personnel having appropriate experience in conducting reviews of SCI systems and SCI security systems, and which review contains: (1) A risk assessment with respect to such systems of an SCI entity; and (2) An assessment of internal control design and effectiveness to include logical and physical security controls, development processes, and information technology governance, consistent with industry standards; provided however, that such review shall include penetration test reviews of the network, firewalls, development, testing, and production systems at a frequency of not less than once every three years. SCI security systems means any systems that share network resources with SCI systems that, if breached, would be reasonably likely to pose a security threat to SCI systems. SCI self-regulatory organization or SCI SRO means any national securities exchange, registered securities association, or registered clearing agency, or the Municipal Securities Rulemaking Board; provided however, that for purposes of this section, the term SCI self-regulatory organization shall not include an exchange that is notice registered with the Commission pursuant to 15 U.S.C. 78f(g) or a limited purpose national securities association registered with the Commission pursuant to 15 U.S.C. 78o-3(k). 
SCI systems means all computer, network, electronic, technical, automated, or similar systems of, or operated by or on behalf of, an SCI entity, whether in production, development, or testing, that directly support trading, clearance and [[Page 18178]] settlement, order routing, market data, regulation, or surveillance. Systems compliance issue means an event at an SCI entity that has caused any SCI system of such entity to operate in a manner that does not comply with the federal securities laws and rules and regulations thereunder or the entity's rules or governing documents, as applicable. Systems disruption means an event in an SCI entity's SCI systems that results in: (1) A failure to maintain service level agreements or constraints; (2) A disruption of normal operations, including switchover to back-up equipment with near-term recovery of primary hardware unlikely; (3) A loss of use of any such system; (4) A loss of transaction or clearance and settlement data; (5) Significant back-ups or delays in processing; (6) A significant diminution of ability to disseminate timely and accurate market data; or (7) A queuing of data between system components or queuing of messages to or from customers of such duration that normal service delivery is affected. Systems intrusion means any unauthorized entry into the SCI systems or SCI security systems of an SCI entity. (b) Requirements for SCI entities. Each SCI entity shall: (1) Capacity, Integrity, Resiliency, Availability, and Security. Establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, SCI security systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity's operational capability and promote the maintenance of fair and orderly markets. 
(i) Such policies and procedures shall include, at a minimum: (A) The establishment of reasonable current and future capacity planning estimates; (B) Periodic capacity stress tests of such systems to determine their ability to process transactions in an accurate, timely, and efficient manner; (C) A program to review and keep current systems development and testing methodology for such systems; (D) Regular reviews and testing of such systems, including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters; (E) Business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse to ensure next business day resumption of trading and two-hour resumption of clearance and settlement services following a wide-scale disruption; and (F) Standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data; and (ii) For purposes of this paragraph (b)(1), such policies and procedures shall be deemed to be reasonably designed if they are consistent with current SCI industry standards, which shall be: (A) Comprised of information technology practices that are widely available for free to information technology professionals in the financial sector; and (B) Issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization. Compliance with such current SCI industry standards, however, shall not be the exclusive means to comply with the requirements of this paragraph (b)(1). (2) Systems Compliance. 
(i) Establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in the manner intended, including in a manner that complies with the federal securities laws and rules and regulations thereunder and the entity's rules and governing documents, as applicable. (ii) Safe harbor from liability for SCI entities. An SCI entity shall be deemed not to have violated paragraph (b)(2)(i) of this section if: (A) The SCI entity has established and maintained policies and procedures reasonably designed to provide for: (1) Testing of all such systems and any changes to such systems prior to implementation; (2) Periodic testing of all such systems and any changes to such systems after their implementation; (3) A system of internal controls over changes to such systems; (4) Ongoing monitoring of the functionality of such systems to detect whether they are operating in the manner intended; (5) Assessments of SCI systems compliance performed by personnel familiar with applicable federal securities laws and rules and regulations thereunder and the SCI entity's rules and governing documents, as applicable; and (6) Review by regulatory personnel of SCI systems design, changes, testing, and controls to prevent, detect, and address actions that do not comply with applicable federal securities laws and rules and regulations thereunder and the SCI entity's rules and governing documents, as applicable; (B) The SCI entity has established and maintained a system for applying such policies and procedures which would reasonably be expected to prevent and detect, insofar as practicable, any violations of such policies and procedures by the SCI entity or any person employed by the SCI entity, and (C) The SCI entity: (1) Has reasonably discharged the duties and obligations incumbent upon the SCI entity by such policies and procedures; and (2) Was without reasonable cause to believe that such policies and procedures were not being 
complied with in any material respect. (iii) Safe harbor from liability for individuals. A person employed by an SCI entity shall be deemed not to have aided, abetted, counseled, commanded, caused, induced, or procured the violation by any other person of paragraph (b)(2)(i) of this section if the person employed by the SCI entity: (A) Has reasonably discharged the duties and obligations incumbent upon such person by such policies and procedures; and (B) Was without reasonable cause to believe that such policies and procedures were not being complied with in any material respect. (3) Corrective Action. Upon any responsible SCI personnel becoming aware of an SCI event, begin to take appropriate corrective action which shall include, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable. (4) Commission Notification. (i) Upon any responsible SCI personnel becoming aware of a systems disruption that the SCI entity reasonably estimates would have a material impact on its operations or on market participants, any systems compliance issue, or any systems intrusion, notify the Commission of such SCI event. (ii) Within 24 hours of any responsible SCI personnel becoming aware of any SCI event, submit a written notification pertaining to such SCI event to the Commission. (iii) Until such time as the SCI event is resolved, submit written updates pertaining to such SCI event to the Commission on a regular basis, or at [[Page 18179]] such frequency as reasonably requested by a representative of the Commission. (iv) Any written notification to the Commission made pursuant to paragraphs (b)(4)(ii) or (b)(4)(iii) of this section shall be made electronically on Form SCI (Sec. 
249.1900 of this chapter), and shall include all information as prescribed in Form SCI and the instructions thereto, including: (A) For a notification made pursuant to paragraph (b)(4)(ii) of this section: (1) All pertinent information known about an SCI event, including: a detailed description of the SCI event; the SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; and the SCI entity's current assessment of the SCI event, including a discussion of the determination of whether the SCI event is a dissemination SCI event or not; and (2) To the extent available as of the time of the notification: A description of the steps the SCI entity is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; a description of the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and an analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. (B) For a notification made pursuant to paragraph (b)(4)(iii) of this section, an update of any information previously provided regarding the SCI event, including any information required by paragraph (b)(4)(iv)(A)(2) of this section which was not available at the time of submission of the notification made pursuant to paragraph (b)(4)(ii) of this section. Subsequent updates shall update any information provided regarding the SCI event until the SCI event is resolved. (C) For notifications made pursuant to paragraphs (b)(4)(ii) or (b)(4)(iii) of this section, attach a copy of any information disseminated to date regarding the SCI event to its members or participants or on the SCI entity's publicly available Web site. 
(5) Dissemination of information to members or participants. (i)(A) Promptly after any responsible SCI personnel becomes aware of a dissemination SCI event other than a systems intrusion, disseminate to its members or participants the following information about such SCI event: (1) The systems affected by the SCI event; and (2) A summary description of the SCI event; and (B) When known, further disseminate to its members or participants: (1) A detailed description of the SCI event; (2) The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; and (3) A description of the progress of its corrective action for the SCI event and when the SCI event has been or is expected to be resolved; and (C) Provide regular updates to members or participants of any information required to be disseminated under paragraphs (b)(5)(i)(A) and (b)(5)(i)(B) of this section. (ii) Promptly after any responsible SCI personnel becomes aware of a systems intrusion, disseminate to its members or participants a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity's SCI systems or SCI security systems, or an investigation of the systems intrusion, and documents the reasons for such determination. (6) Material Systems Changes. (i) Absent exigent circumstances, notify the Commission in writing at least 30 calendar days before implementation of any planned material systems change, including a description of the planned material systems change as well as the expected dates of commencement and completion of implementation of such changes. 
(ii) If exigent circumstances exist, or if the information previously provided to the Commission regarding any planned material systems change has become materially inaccurate, notify the Commission, either orally or in writing, with any oral notification to be memorialized within 24 hours after such oral notification by a written notification, as early as reasonably practicable. (iii) A written notification to the Commission made pursuant to this paragraph (b)(6) shall be made electronically on Form SCI (Sec. 249.1900 of this chapter), and shall include all information as prescribed in Form SCI and the instructions thereto. (7) SCI Review. Conduct an SCI review of the SCI entity's compliance with Regulation SCI not less than once each calendar year, and submit a report of the SCI review to senior management of the SCI entity for review no more than 30 calendar days after completion of such SCI review. (8) Reports. Submit to the Commission: (i) A report of the SCI review required by paragraph (b)(7) of this section, together with any response by senior management, within 60 calendar days after its submission to senior management of the SCI entity; (ii) A report, within 30 calendar days after the end of June and December of each year, containing a summary description of the progress of any material systems change during the six-month period ending on June 30 or December 31, as the case may be, and the date, or expected date, of completion of implementation of such changes; and (iii) Any reports to be filed with the Commission pursuant to this paragraph (b)(8) shall be filed electronically on Form SCI (Sec. 249.1900 of this chapter), and shall include all information as prescribed in Form SCI and the instructions thereto. (9) SCI Entity Business Continuity and Disaster Recovery Plans Testing Requirements for Members or Participants. 
With respect to an SCI entity's business continuity and disaster recovery plans, including its backup systems: (i) Require participation by designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency as specified by the SCI entity, at least once every 12 months; and (ii) Coordinate the testing of such plans on an industry- or sector-wide basis with other SCI entities. (iii) Each SCI entity shall designate those members or participants it deems necessary, for the maintenance of fair and orderly markets in the event of the activation of its business continuity and disaster recovery plans, to participate in the testing of such plans pursuant to paragraph (b)(9)(i) of this section. Each SCI entity shall notify the Commission of such designations and its standards for designation, and promptly update such notification after any changes to its designations or standards. A written notification made pursuant to this paragraph (b)(9)(iii) shall be made electronically on Form SCI (Sec. 249.1900 of this chapter), and shall include all information as prescribed in Form SCI and the instructions thereto. (c) Recordkeeping Requirements Related to Compliance with Regulation SCI. (1) An SCI SRO shall make, keep, and preserve all documents relating to its compliance with Regulation SCI as [[Page 18180]] prescribed in Sec. 240.17a-1 of this chapter. 
(2) An SCI entity that is not an SCI SRO shall: (i) Make, keep, and preserve at least one copy of all documents, including correspondence, memoranda, papers, books, notices, accounts, and other such records, relating to its compliance with Regulation SCI, including, but not limited to, records relating to any changes to its SCI systems and SCI security systems; (ii) Keep all such documents for a period of not less than five years, the first two years in a place that is readily accessible to the Commission or its representatives for inspection and examination; and (iii) Upon request of any representative of the Commission, promptly furnish to the possession of such representative copies of any documents required to be kept and preserved by it pursuant to paragraphs (c)(2)(i) and (c)(2)(ii) of this section. (3) Upon or immediately prior to ceasing to do business or ceasing to be registered under the Securities Exchange Act of 1934, an SCI entity shall take all necessary action to ensure that the records required to be made, kept, and preserved by this section shall be accessible to the Commission and its representatives in the manner required by this section and for the remainder of the period required by this section. (d) Electronic Submission. (1) Except with respect to notifications to the Commission made pursuant to paragraph (b)(4)(i) of this section or oral notifications to the Commission made pursuant to paragraph (b)(6)(ii) of this section, any notification, review, description, analysis, or report to the Commission required under this rule shall be submitted electronically on Form SCI (Sec. 249.1900 of this chapter) and shall contain an electronic signature; and (2) The signatory to an electronically submitted Form SCI shall manually sign a signature page or document, in the manner prescribed by Form SCI, authenticating, acknowledging, or otherwise adopting his or her signature that appears in typed form within the electronic filing. 
Such document shall be executed before or at the time Form SCI is electronically submitted and shall be retained by the SCI entity in accordance with paragraph (c) of this section. (e) Requirements for Service Bureaus. If records required to be filed or kept by an SCI entity under this rule are prepared or maintained by a service bureau or other recordkeeping service on behalf of the SCI entity, the SCI entity shall ensure that the records are available for review by the Commission and its representatives by submitting a written undertaking, in a form acceptable to the Commission, by such service bureau or other recordkeeping service, signed by a duly authorized person at such service bureau or other recordkeeping service. Such a written undertaking shall include an agreement by the service bureau to permit the Commission and its representatives to examine such records at any time or from time to time during business hours, and to promptly furnish to the Commission and its representatives true, correct, and current electronic files in a form acceptable to the Commission or its representatives or hard copies of any or all or any part of such records, upon request, periodically, or continuously and, in any case, within the same time periods as would apply to the SCI entity for such records. The preparation or maintenance of records by a service bureau or other recordkeeping service shall not relieve an SCI entity from its obligation to prepare, maintain, and provide the Commission and its representatives access to such records. (f) Access. Each SCI entity shall provide Commission representatives reasonable access to its SCI systems and SCI security systems to allow Commission representatives to assess the SCI entity's compliance with this rule. PART 249--FORMS, SECURITIES EXCHANGE ACT OF 1934 ■ 4. The general authority citation for part 249 continues to read in part as follows: Authority: 15 U.S.C. 78a et seq. and 7201 et seq.; 12 U.S.C. 5461 et seq.; and 18 U.S.C. 
1350, unless otherwise noted. * * * * * ■ 5. Add subpart T, consisting of Sec. 249.1900, to read as follows: Subpart T--Form SCI, for filing notices and reports as required by Regulation SCI. Sec. 249.1900 Form SCI, for filing notices and reports as required by Regulation SCI. Form SCI shall be used to file notices and reports as required by Sec. 242.1000 of this chapter. Note: The text of Form SCI does not, and the amendments will not, appear in the Code of Federal Regulations. General Instructions for Form SCI A. Use of the Form Except with respect to notifications to the Commission made pursuant to proposed Rule 1000(b)(4)(i) or oral notifications to the Commission made pursuant to proposed Rule 1000(b)(6)(ii), all notifications and reports required to be submitted pursuant to Rule 1000 of Regulation SCI under the Securities Exchange Act of 1934 (``Act'') shall be filed in an electronic format through an electronic form filing system (``EFFS''), a secure Web site operated by the Securities and Exchange Commission (``Commission''). B. Need for Careful Preparation of the Completed Form, Including Exhibits This form, including the exhibits, is intended to elicit information necessary for Commission staff to work with SCI self-regulatory organizations, SCI alternative trading systems, plan processors, and exempt clearing agencies subject to ARP (collectively, ``SCI entities'') to ensure the capacity, integrity, resiliency, availability, and security of their automated systems. An SCI entity must provide all the information required by the form, including the exhibits, and must present the information in a clear and comprehensible manner. Form SCI shall not be considered filed unless it complies with applicable requirements. C. When To Use the Form Form SCI is comprised of five distinct types of filings to the Commission required by Rule 1000(b). 
The first type of filing is ``(b)(4)'' filings for notifications regarding systems disruptions, systems compliance issues, or systems intrusions (collectively, ``SCI events''). The other four types of filings are: ``(b)(6)'' filings for notifications of planned material systems changes; ``(b)(8)(i)'' filings for reports of SCI reviews; ``(b)(8)(ii)'' filings for semi-annual reports of material systems changes; and ``(b)(9)(iii)'' filings for notifications of designations and standards under Rule 1000(b)(9). In filling out Form SCI, an SCI entity shall select the type of filing and provide all information required under Rule 1000(b) specific to that type of filing. Notifications for SCI Events For (b)(4) filings, an SCI entity must notify the Commission using Form SCI by selecting the appropriate box in Section 1 and filling out all information required by the form. Initial notifications of an SCI event require the inclusion of an Exhibit 1 and must be submitted no later than 24 hours after any responsible SCI personnel becomes aware of the SCI event. For the initial notification of an SCI event, the SCI entity must include the information required by each item under Part 1 of [[Page 18181]] Exhibit 1. To the extent available as of the time of the initial notification, the SCI entity must also include the information listed under the items under Part 2 of Exhibit 1. If the SCI entity has not provided all the information required by Part 2 of Exhibit 1, any information required by Exhibit 1 requires updating, or the SCI event has not been resolved, the SCI entity must file one or more updates regarding the SCI event by attaching an Exhibit 2. Such updates must be submitted on a regular basis, or at such frequency as reasonably requested by a representative of the Commission. 
The notification to the Commission regarding an SCI event is not considered complete until all information required by Exhibit 1, including all information required by Part 2 of Exhibit 1, has been submitted to the Commission. For each SCI event, an SCI entity must also attach an Exhibit 3 (which may be included with an Exhibit 1 or Exhibit 2, as the case may be) for any information disseminated regarding the SCI event to its members or participants or on the SCI entity's publicly available Web site. Other Notifications and Reports For (b)(6) filings, absent exigent circumstances, an SCI entity must notify the Commission using Form SCI at least 30 calendar days before implementation of any planned material systems change. If exigent circumstances exist, or if the information previously provided to the Commission regarding any planned material systems change has become materially inaccurate, an SCI entity must notify the Commission, either orally or in writing, with any oral notification to be memorialized within 24 hours after such oral notification by a written notification, as early as reasonably practicable. For (b)(6) filings, the SCI entity must select the appropriate box in Section 2 and fill out all information required by the form, including Exhibit 4. Exhibit 4 must include a description of the planned material systems change as well as the expected dates of commencement and completion of implementation of such change. For (b)(8)(i) filings, an SCI entity must submit its report of its SCI review to the Commission using Form SCI. A (b)(8)(i) filing must be submitted to the Commission within 60 calendar days after the SCI review has been submitted to senior management of the SCI entity. The SCI entity must select the appropriate box in Section 2 and fill out all information required by the form, including Exhibit 5. Exhibit 5 must include the report of the SCI review, together with any response by senior management. 
For (b)(8)(ii) filings, an SCI entity must submit its semi-annual report of material systems changes to the Commission using Form SCI. A (b)(8)(ii) filing must be submitted to the Commission within 30 calendar days after the end of June and December of each year. The SCI entity must select the appropriate box in Section 2 and fill out all information required by the form, including Exhibit 6. Exhibit 6 must include a report with a summary description of the progress of any material systems change during the six-month period ending on June 30 or December 31, as the case may be, and the date, or expected date, of completion of implementation of such changes.

For (b)(9) filings, an SCI entity must notify the Commission of its designations and standards under Rule 1000(b)(9). The SCI entity must select the appropriate box in Section 2 and fill out all information required by the form, including Exhibit 7. Exhibit 7 must include the SCI entity's standards for designating members or participants that it deems necessary, for the maintenance of fair and orderly markets in the event of activation of its business continuity and disaster recovery plans, to participate in the testing of such plans pursuant to Rule 1000(b)(9)(i), as well as the SCI entity's list of designated members or participants. If an SCI entity changes its designations or standards, it must promptly notify the Commission of such changes on Exhibit 7.

D. Documents Comprising the Completed Form

The completed form filed with the Commission shall consist of Form SCI, responses to all applicable items, and any exhibits required in connection with the filing. Each filing shall be marked on Form SCI with the initials of the SCI entity, the four-digit year, and the number of the filing for the year.

E. Contact Information; Signature; and Filing of the Completed Form

Each time an SCI entity submits a filing to the Commission on Form SCI, the SCI entity must provide the contact information required by Section 4 of Form SCI. The contact information for systems personnel, regulatory personnel, and a senior officer is required. Space for additional contact information, if appropriate, is also provided.

All notifications and reports required to be submitted through Form SCI shall be filed through the EFFS. In order to file Form SCI through the EFFS, SCI entities must request access to the Commission's External Application Server by completing a request for an external account user ID and password. Initial requests will be received by contacting (202) 551-5777. An email will be sent to the requestor that will provide a link to a secure Web site where basic profile information will be requested.

A duly authorized individual of the SCI entity shall electronically sign the completed Form SCI as indicated in Section 5 of the form. In addition, a duly authorized individual of the SCI entity shall manually sign one copy of the completed Form SCI, and the manually signed signature page shall be preserved pursuant to the requirements of Rule 1000(c).

F. Paperwork Reduction Act Disclosure

This collection of information will be reviewed by the Office of Management and Budget in accordance with the clearance requirements of 44 U.S.C. 3507. An agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid control number. The Commission estimates that the average burden to respond to Form SCI will be between one and sixty hours depending upon the purpose for which the form is being filed. Any member of the public may direct to the Commission any comments concerning the accuracy of this burden estimate and any suggestions for reducing this burden.
Except with respect to notifications to the Commission made pursuant to proposed Rule 1000(b)(4)(i) or oral notifications to the Commission made pursuant to proposed Rule 1000(b)(6)(ii), it is mandatory that an SCI entity file all notifications, updates, and reports required by Regulation SCI using Form SCI. The Commission will treat as confidential all information collected pursuant to Form SCI. Subject to the provisions of the Freedom of Information Act, 5 U.S.C. 522 (``FOIA''), and the Commission's rules thereunder (17 CFR 200.80(b)(4)(iii)), the Commission does not generally publish or make available information contained in any reports, summaries, analyses, letters, or memoranda arising out of, in anticipation of, or in connection with an examination or inspection of the books and records of any person or any other investigation.

G. Exhibits

List of exhibits to be filed, as applicable:

Exhibit 1. Notification of SCI Event. The SCI entity shall include:

Part 1: All pertinent information known about the SCI event, including: (1) A detailed description of the SCI event; (2) the SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; (3) the potential impact of the SCI event on the market; and (4) the SCI entity's current assessment of the SCI event, including a discussion of the determination of whether the SCI event is a dissemination SCI event or not.
Part 2: To the extent available as of the time of the notification: (1) A description of the steps the SCI entity is taking, or plans to take, with respect to the SCI event; (2) the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; (3) a description of the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and (4) an analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss.

Exhibit 2. Update Notification of SCI Event. The SCI entity shall provide an update of any information previously provided regarding an SCI event on Exhibit 1, including any information under Part 2 of Exhibit 1 which was not available at the time of submission of Exhibit 1. Subsequent updates shall update any information provided regarding the SCI event until the SCI event is resolved.

Exhibit 3. Information Disseminated. The SCI entity shall attach a copy in pdf or html format of any information disseminated to date regarding the SCI event to its members or participants or on the SCI entity's publicly available Web site.

Exhibit 4. Notification of Planned Material Systems Change. The SCI entity shall, absent exigent circumstances, notify the Commission in writing at least 30 calendar days before implementation of any planned material systems change, including a description of the planned material systems change as well as the expected dates of commencement and completion of implementation of such changes.
If exigent circumstances exist, or if the information previously provided to the Commission regarding any planned material systems change has become materially inaccurate, the SCI entity shall notify the Commission, either orally or in writing, with any oral notification to be memorialized within 24 hours after such oral notification by a written notification on Form SCI, as early as reasonably practicable.

Exhibit 5. Report of SCI Review. Within 60 calendar days after its submission to senior management of the SCI entity, the SCI entity shall attach the report of the SCI review of the SCI entity's compliance with Regulation SCI, together with any response by senior management.

Exhibit 6. Semi-Annual Report of Material Systems Changes. Within 30 calendar days after the end of June and December of each year, the SCI entity shall attach the report containing a summary description of the progress of any material systems change during the six-month period ending on June 30 or December 31, as the case may be, and the date, or expected date, of completion of implementation of such changes.

Exhibit 7. Notification of Designations and Standards under Rule 1000(b)(9). The SCI entity shall attach: (1) Its standards for designating members or participants it deems necessary, for the maintenance of fair and orderly markets in the event of the activation of its business continuity and disaster recovery plans, to participate in the testing of such plans pursuant to Rule 1000(b)(9)(i); and (2) a list of the designated members or participants, including the name and address of such members or participants.

H. Explanation of Terms

Dissemination SCI Event means an SCI event that is a: (1) Systems compliance issue; (2) systems intrusion; or (3) systems disruption that results, or the SCI entity reasonably estimates would result, in significant harm or loss to market participants.
Material Systems Change means a change to one or more: (1) SCI systems of an SCI entity that: (i) Materially affects the existing capacity, integrity, resiliency, availability, or security of such systems; (ii) relies upon materially new or different technology; (iii) provides a new material service or material function; or (iv) otherwise materially affects the operations of the SCI entity; or (2) SCI security systems of an SCI entity that materially affects the existing security of such systems.

Responsible SCI personnel means, for a particular SCI system or SCI security system impacted by an SCI event, any personnel, whether an employee or agent, of the SCI entity having responsibility for such system.

SCI entity means an SCI self-regulatory organization, SCI alternative trading system, plan processor, or exempt clearing agency subject to ARP.

SCI event means an event at an SCI entity that constitutes: (1) A systems disruption; (2) a systems compliance issue; or (3) a systems intrusion.

Systems Compliance Issue means an event at an SCI entity that has caused any SCI system of such entity to operate in a manner that does not comply with the federal securities laws and rules and regulations thereunder or the entity's rules or governing documents, as applicable.

Systems Disruption means an event in an SCI entity's SCI systems or procedures that results in: (1) A failure to maintain service level agreements or constraints; (2) a disruption of normal operations, including switchover to back-up equipment with near-term recovery of primary hardware unlikely; (3) a loss of use of any such system; (4) a loss of transaction or clearance and settlement data; (5) significant back-ups or delays in processing; (6) a significant diminution of ability to disseminate timely and accurate market data; or (7) a queuing of data between system components or queuing of messages to or from customers of such duration that normal service delivery is affected.
Systems Intrusion means any unauthorized entry into the SCI systems or SCI security systems of the SCI entity.

[See attachment--proposed Form SCI]

BILLING CODE P

[Proposed Form SCI, pages 18183-18186: graphics TP25MR13.034 through TP25MR13.037 omitted]

Dated: March 8, 2013.

By the Commission.

Kevin M. O'Neill, Deputy Secretary.

[FR Doc. 2013-05888 Filed 3-22-13; 8:45 am]

BILLING CODE C