Regulation Systems Compliance and Integrity, 72251-72447 [2014-27767]
Download as PDFAgencies
[Federal Register Volume 79, Number 234 (Friday, December 5, 2014)] [Rules and Regulations] [Pages 72251-72447] From the Federal Register Online via the Government Printing Office [www.gpo.gov] [FR Doc No: 2014-27767] [[Page 72251]] Vol. 79 Friday, No. 234 December 5, 2014 Part II Securities and Exchange Commission ----------------------------------------------------------------------- 17 CFR Parts 240, 242, and 249 Regulation Systems Compliance and Integrity; Final Rule ��Federal Register / Vol. 79 , No. 234 / Friday, December 5, 2014 / Rules and Regulations�� [[Page 72252]] ----------------------------------------------------------------------- SECURITIES AND EXCHANGE COMMISSION 17 CFR Parts 240, 242, and 249 [Release No. 34-73639; File No. S7-01-13] RIN 3235-AL43 Regulation Systems Compliance and Integrity AGENCY: Securities and Exchange Commission. ACTION: Final rule and form; final rule amendment; technical amendment. ----------------------------------------------------------------------- SUMMARY: The Securities and Exchange Commission (``Commission'') is adopting new Regulation Systems Compliance and Integrity (``Regulation SCI'') under the Securities Exchange Act of 1934 (``Exchange Act'') and conforming amendments to Regulation ATS under the Exchange Act. Regulation SCI will apply to certain self-regulatory organizations (including registered clearing agencies), alternative trading systems (``ATSs''), plan processors, and exempt clearing agencies (collectively, ``SCI entities''), and will require these SCI entities to comply with requirements with respect to the automated systems central to the performance of their regulated activities. DATES: Effective date: February 3, 2015. Compliance date: The applicable compliance dates are discussed in Section IV.F of this release. FOR FURTHER INFORMATION CONTACT: David Liu, Senior Special Counsel, Office of Market Supervision, at (312) 353-6265, Heidi Pilpel, Senior Special Counsel, Office of Market Supervision, at (202) 551-5666, Sara Hawkins, Special Counsel, Office of Market Supervision, at (202) 551- 5523, Yue Ding, Special Counsel, Office of Market Supervision, at (202) 551-5842, David Garcia, Special Counsel, Office of Market Supervision, at (202) 551-5681, and Elizabeth C. Badawy, Senior Accountant, Office of Market Supervision, at (202) 551-5612, Division of Trading and Markets, Securities and Exchange Commission, 100 F Street NE., Washington, DC 20549-7010. SUPPLEMENTARY INFORMATION: Regulation SCI will, with regard to SCI entities, supersede and replace the Commission's current Automation Review Policy (``ARP''), established by the Commission's two policy statements, each titled ``Automated Systems of Self-Regulatory Organizations,'' issued in 1989 and 1991.\1\ Regulation SCI also will supersede and replace aspects of those policy statements codified in Rule 301(b)(6) under the Exchange Act, applicable to significant-volume ATSs that trade NMS stocks and non-NMS stocks.\2\ Regulation SCI will require SCI entities to establish written policies and procedures reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain their operational capability and promote the maintenance of fair and orderly markets, and that they operate in a manner that complies with the Exchange Act. It will also require SCI entities to mandate participation by designated members or participants in scheduled testing of the operation of their business continuity and disaster recovery plans, including backup systems, and to coordinate such testing on an industry- or sector-wide basis with other SCI entities. In addition, Regulation SCI will require SCI entities to take corrective action with respect to SCI events (defined to include systems disruptions, systems compliance issues, and systems intrusions), and notify the Commission of such events. Regulation SCI will further require SCI entities to disseminate information about certain SCI events to affected members or participants and, for certain major SCI events, to all members or participants of the SCI entity. In addition, Regulation SCI will require SCI entities to conduct a review of their systems by objective, qualified personnel at least annually, submit quarterly reports regarding completed, ongoing, and planned material changes to their SCI systems to the Commission, and maintain certain books and records. Finally, the Commission also is adopting modifications to the volume thresholds in Regulation ATS \3\ for significant-volume ATSs that trade NMS stocks and non-NMS stocks, applying them to SCI ATSs (as defined below), and moving this standard from Regulation ATS to adopted Regulation SCI for these asset classes. --------------------------------------------------------------------------- \1\ See Securities Exchange Act Release Nos. 27445 (November 16, 1989), 54 FR 48703 (November 24, 1989) (``ARP I Release'' or ``ARP I'') and 29185 (May 9, 1991), 56 FR 22490 (May 15, 1991) (``ARP II Release'' or ``ARP II'' and, together with ARP I, the ``ARP Policy Statements''). \2\ See 17 CFR 242.301(b)(6). See also Securities Exchange Act Release No. 40760 (December 8, 1998), 63 FR 70844 (December 22, 1998) (``ATS Release''). \3\ 17 CFR 242.300-303 (``Regulation ATS''). --------------------------------------------------------------------------- Table of Contents I. Introduction II. Background A. Automation Review Policy Inspection Program B. Recent Events III. Overview IV. Description of Adopted Regulation SCI and Form SCI A. Definitions Establishing the Scope of Regulation SCI--Rule 1000 1. SCI Entities a. SCI Self-Regulatory Organization or SCI SRO b. SCI Alternative Trading System c. Plan Processor d. Exempt Clearing Agency Subject to ARP 2. SCI Systems, Critical SCI Systems, and Indirect SCI Systems a. Overview b. SCI Systems c. Critical SCI Systems d. Indirect SCI Systems (Proposed as ``SCI Security Systems'') 3. SCI Events a. Systems Disruption b. Systems Compliance Issue c. Systems Intrusion B. Obligations of SCI Entities--Rules 1001-1004 1. Policies and Procedures to Achieve Capacity, Integrity, Resiliency, Availability and Security--Rule 1001(a) 2. Policies and Procedures to Achieve Systems Compliance--Rule 1001(b) 3. SCI Events: Corrective Action; Commission Notification; Dissemination of Information--Rule 1002 a. Triggering Standard b. Corrective Action--Rule 1002(a) c. Commission Notification--Rule 1002(b) d. Dissemination of Information--Rule 1002(c) 4. Notification of Systems Changes--Rule 1003(a) 5. SCI Review--Rule 1003(b) 6. SCI Entity Business Continuity and Disaster Recovery Plans Testing Requirements for Members or Participants--Rule 1004 C. Recordkeeping, Electronic Filing on Form SCI, and Access-- Rules 1005-1007 1. Recordkeeping--Rules 1005-1007 2. Electronic Filing and Submission of Reports, Notifications, and Other Communications--Rule 1006 3. Access to the Systems of an SCI Entity D. Form SCI E. Other Comments Received F. Effective Date and Compliance Dates V. Paperwork Reduction Act VI. Economic Analysis VII. Regulatory Flexibility Act Certification VIII. Statutory Authority and Text of Amendments I. Introduction The U.S. securities markets attract a wide variety of issuers and broad investor participation, and are essential for capital formation, job creation, and economic growth, both domestically and across the globe. The U.S. securities markets have been transformed by regulatory and related technological developments in recent years. They have, among other things, substantially enhanced the speed, capacity, efficiency, and sophistication of the trading functions that are available to [[Page 72253]] market participants.\4\ At the same time, these technological advances have generated an increasing risk of operational problems with automated systems, including failures, disruptions, delays, and intrusions. Given the speed and interconnected nature of the U.S. securities markets, a seemingly minor systems problem at a single entity can quickly create losses and liability for market participants, and spread rapidly across the national market system, potentially creating widespread damage and harm to market participants, including investors. --------------------------------------------------------------------------- \4\ See Securities Exchange Act Release No. 61358 (January 14, 2010), 75 FR 3594, 3598 (January 21, 2010) (Concept Release on Equity Market Structure). --------------------------------------------------------------------------- This transformation of the U.S. securities markets has occurred in the absence of a formal regulatory structure governing the automated systems of key market participants. Instead, for over two decades, Commission oversight of the technology of the U.S. securities markets has been conducted primarily pursuant to a voluntary set of principles articulated in the Commission's ARP Policy Statements,\5\ applied through the Commission's Automation Review Policy inspection program (``ARP Inspection Program'').\6\ --------------------------------------------------------------------------- \5\ While participation in the ARP Inspection Program is voluntary, the underpinnings of ARP I and ARP II are rooted in Exchange Act requirements. See infra notes 7-12 and accompanying text. \6\ See infra Section II.A (discussing the ARP Inspection Program). See also supra note 1. The ARP Inspection Program has historically been administered by the Commission's Division of Trading and Markets. In February 2014, to consolidate the inspection function of the group with the Commission's Office of Compliance Inspections and Examinations (``OCIE''), the ARP Inspection Program was transitioned to OCIE and has been renamed the Technology Controls Program (``TCP''). However, for ease of reference to the historical ARP Inspection Program, relevant portions of the SCI Proposal, and references in comment letters, this Release will continue to use the terms ARP, ARP Inspection Program, and ARP staff, unless the context otherwise requires. --------------------------------------------------------------------------- Section 11A(a)(2) of the Exchange Act,\7\ enacted as part of the Securities Acts Amendments of 1975 (``1975 Amendments''),\8\ directs the Commission, having due regard for the public interest, the protection of investors, and the maintenance of fair and orderly markets, to use its authority under the Exchange Act to facilitate the establishment of a national market system for securities in accordance with the Congressional findings and objectives set forth in Section 11A(a)(1) of the Exchange Act.\9\ Among the findings and objectives in Section 11A(a)(1) is that ``[n]ew data processing and communications techniques create the opportunity for more efficient and effective market operations'' \10\ and ``[i]t is in the public interest and appropriate for the protection of investors and the maintenance of fair and orderly markets to assure . . . the economically efficient execution of securities transactions.'' \11\ In addition, Sections 6(b), 15A, and 17A(b)(3) of the Exchange Act impose obligations on national securities exchanges, national securities associations, and clearing agencies, respectively, to be ``so organized'' and ``[have] the capacity to . . . carry out the purposes of [the Exchange Act].'' \12\ --------------------------------------------------------------------------- \7\ 15 U.S.C. 78k-1(a)(2). \8\ Pub. L. 94-29, 89 Stat. 97 (1975). \9\ 15 U.S.C. 78k-1(a)(1). \10\ Section 11A(a)(1)(B) of the Exchange Act, 15 U.S.C. 78k- 1(a)(1)(B). \11\ Section 11A(a)(1)(C)(i) of the Exchange Act, 15 U.S.C. 78k- 1(a)(1)(C)(i). \12\ See Sections 6(b)(1), 15A(b)(2), and 17A(b)(3) of the Exchange Act, 15 U.S.C. 78f(b)(1), 78o-3(b)(2), 78q-1(b)(3), respectively. See also Section 2 of the Exchange Act, 15 U.S.C. 78b, and Section 19 of the Exchange Act, 15 U.S.C. 78s. --------------------------------------------------------------------------- In March 2013, the Commission proposed Regulation Systems Compliance and Integrity (``Regulation SCI'') \13\ to require certain key market participants to, among other things: (1) Have comprehensive policies and procedures in place to help ensure the robustness and resiliency of their technological systems, and also that their technological systems operate in compliance with the federal securities laws and with their own rules; and (2) provide certain notices and reports to the Commission to improve Commission oversight of securities market infrastructure. As discussed in further detail below and in the SCI Proposal, Regulation SCI was proposed to update, formalize, and expand the Commission's ARP Inspection Program, and, with respect to SCI entities, to supersede and replace the Commission's ARP Policy Statements and rules regarding systems capacity, integrity and security in Rule 301(b)(6) of Regulation ATS.\14\ --------------------------------------------------------------------------- \13\ Securities Exchange Act Release No. 69077 (March 8, 2013), 78 FR 18083 (March 25, 2013) (``Proposing Release'' or ``SCI Proposal''). \14\ See 17 CFR 242.301(b)(6) and ATS Release, supra note 2. --------------------------------------------------------------------------- A confluence of factors contributed to the Commission's proposal of Regulation SCI and to the Commission's current determination that it is necessary and appropriate at this time to address the technological vulnerabilities, and improve Commission oversight, of the core technology of key U.S. securities markets entities, including national securities exchanges and associations, significant alternative trading systems, clearing agencies, and plan processors. These considerations include: the evolution of the markets to become significantly more dependent upon sophisticated, complex and interconnected technology; the current successes and limitations of the ARP Inspection Program; a significant number of, and lessons learned from, recent systems issues at exchanges and other trading venues,\15\ increased concerns over ``single points of failure'' in the securities markets; \16\ and the views of a wide variety of commenters received in response to the SCI Proposal. --------------------------------------------------------------------------- \15\ See Proposing Release, supra note 13, at 18085-91 for a further discussion of these developments and infra Section II.B (discussing recent events related to technology issues). In addition, prior to issuing the Proposing Release, in October 2012 the Commission convened a roundtable entitled ``Technology and Trading: Promoting Stability in Today's Markets'' (``Technology Roundtable''). The Technology Roundtable examined the relationship between the operational stability and integrity of the securities market and the ways in which market participants design, implement, and manage complex and interconnected trading technologies. See Securities Exchange Act Release No. 67802 (September 7, 2012), 77 FR 56697 (September 13, 2012) (File No. 4-652) and Technology Roundtable Transcript, available at: https://www.sec.gov/news/otherwebcasts/2012/ttr100212-transcript.pdf. A webcast of the Roundtable is available at: www.sec.gov/news/otherwebcasts/2012/ttr100212.shtml. As noted in the Proposing Release, the Commission believes that the information presented at the Technology Roundtable further highlighted that quality standards, testing, and improved response mechanisms are among the issues needing very thoughtful and focused attention in today's securities markets. See Proposing Release, supra note 13, at 18090-91 for further discussion of the Technology Roundtable. \16\ See infra Section IV.A.2.c (discussing single points of failure in the securities markets in conjunction with the adopted term ``critical SCI system''). --------------------------------------------------------------------------- The Commission received 60 comment letters on the proposal from national securities exchanges, registered securities associations, registered clearing agencies, ATSs, broker-dealers, institutional and individual investors, industry trade groups, software and technology vendors, and academics.\17\ Commenters generally supported the goals of the proposal, but as further discussed below, some expressed concern about various specific elements of the proposal, and recommended certain modifications or clarifications. --------------------------------------------------------------------------- \17\ Comments received on the proposal are available on the Commission's Web site, available at: https://www.sec.gov/comments/s7-01-13/s70113.shtml. See Exhibit A for a citation key to the comment letters cited in this release. Upon request from some commenters, the Commission extended the comment period for an additional 45 days in order to give the public additional time to comment on the matters addressed by the SCI Proposal. See Securities Exchange Act Release No. 69606 (May 20, 2013), 78 FR 30803 (May 23, 2013). --------------------------------------------------------------------------- After careful review and consideration of the comment letters, [[Page 72254]] the Commission is adopting Regulation SCI (``Rule'') and Form SCI (``Form'') with certain modifications from the SCI Proposal, as discussed below, to respond to concerns expressed by commenters and upon further consideration by the Commission of the more appropriate approach to further the goals of the national market system by strengthening the technology infrastructure of the U.S. securities markets. II. Background A. Automation Review Policy Inspection Program For over two decades, the Commission's ARP Inspection Program has helped the Commission oversee the technology infrastructure of the U.S. securities markets. This voluntary information technology review program was developed by staff of the Commission to implement the Commission's ARP Policy Statements issued in 1989 and 1991.\18\ Through these Policy Statements, the Commission articulated its views on the steps that SROs should take with regard to their automated systems, set forth recommendations for how SROs should conduct independent reviews, and provided that SROs should notify the Commission of material systems changes and significant systems problems.\19\ In 1998, the Commission adopted Regulation ATS which, among other things, imposed by rule certain aspects of the ARP Policy Statements on significant-volume ATSs.\20\ Further, Commission staff subsequently provided additional guidance regarding various aspects of the ARP Inspection Program through letters to ARP entities, including recommendations regarding reporting planned systems changes and systems issues to the Commission.\21\ --------------------------------------------------------------------------- \18\ See ARP Policy Statements, supra note 1. For a detailed discussion of the ARP Policy Statements, see Proposing Release, supra note 13, at 18085-86. \19\ See ARP Policy Statements, supra note 1. \20\ See 17 CFR 242.301(b)(6) and ATS Release, supra note 2. \21\ In June 2001, staff from the Division of Market Regulation sent a letter to the SROs and other participants in the ARP Inspection Program regarding Guidance for Systems Outage and System Change Notifications (``2001 Staff ARP Interpretive Letter''). See Proposing Release, supra note 13, at 18087, n. 35. The 2001 Staff ARP Interpretive Letter is available at: https://www.sec.gov/divisions/marketreg/sroautomation.shtml. --------------------------------------------------------------------------- Under the ARP Inspection Program, Commission staff (``ARP staff'') conducts inspections of the trading and related systems of national securities exchanges and associations, certain ATSs, clearing agencies, and plan processors (collectively ``ARP entities''), attends periodic technology briefings by ARP entities, monitors planned significant system changes, and responds to reports of system failures, disruptions, and other systems problems of ARP entities. The goal of the ARP inspections is to evaluate whether an ARP entity's controls over its information technology resources in nine general areas, or information technology ``domains,'' \22\ is consistent with ARP and industry guidelines. Such guidelines are identified by ARP staff from a variety of information technology publications that ARP staff believes reflects industry standards for securities market participants.\23\ At the conclusion of an ARP inspection, ARP staff typically issues a report to the ARP entity with an assessment of the ARP entity's information technology program for its key systems, including any recommendations for improvement.\24\ --------------------------------------------------------------------------- \22\ These information technology ``domains'' include: application controls; capacity planning; computer operations and production environment controls; contingency planning; information security and networking; audit; outsourcing; physical security; and systems development methodology. Each domain itself contains subcategories. For example, ``contingency planning'' includes business continuity, disaster recovery, and pandemic planning, among other things. See id. at 18086. \23\ See id. at 18086-87. \24\ In addition, Commission staff conducts inspections of SROs, as part of the Commission's oversight of them. Unlike ARP inspections, however, which focus on information technology controls, such Commission staff primarily conducts risk-based examinations of securities exchanges, FINRA, and other SROs to evaluate whether they and their member firms are complying with the Exchange Act, the rules thereunder, and SRO rules, as applicable. As part of the Commission's oversight of the SROs, Commission staff also reviews systems compliance issues reported to Commission staff. The information gained from the Commission staff review of reported systems compliance issues helps to inform its examination risk- assessments for SROs. See id. at 18087. --------------------------------------------------------------------------- Because the ARP Inspection Program was established pursuant to Commission policy statements rather than Commission rules, participation in and compliance with the ARP Inspection Program by ARP entities is voluntary. As such, despite its general success in working with SROs to improve their automated systems, there are certain limitations with the ARP Inspection Program. In particular, because of the voluntary nature of the ARP Inspection Program, the Commission is constrained in its ability to assure compliance with ARP standards. The Government Accountability Office (``GAO'') has identified the voluntary nature of the ARP Inspection Program as a limitation and recommended that the Commission make compliance with ARP guidelines mandatory.\25\ In addition, as more fully discussed in the SCI Proposal, the evolution of the U.S. securities markets in recent years to become almost entirely electronic and highly dependent on sophisticated trading and other technology, including complex and interconnected routing, market data, regulatory, surveillance and other systems, has posed challenges for the ARP Inspection Program.\26\ --------------------------------------------------------------------------- \25\ See GAO, Financial Market Preparedness: Improvements Made, but More Action Needed to Prepare for Wide-Scale Disasters, Report No. GAO-04-984 (September 27, 2004). GAO cited instances in which the GAO believed that entities participating in the ARP Inspection Program failed to adequately address or implement ARP staff recommendations as the reasoning behind its recommendation to make compliance with ARP guidelines mandatory. \26\ See Proposing Release, supra note 13, at 18087-89. --------------------------------------------------------------------------- B. Recent Events A series of high-profile recent events involving systems-related issues further highlights the need for market participants to bolster the operational integrity of their automated systems in this area. In the SCI Proposal, the Commission identified several systems problems experienced by SROs and ATSs that garnered significant public attention and illustrated the types and risks of systems issues affecting today's markets.\27\ Since Regulation SCI's proposal in March 2013, additional systems problems among market participants have occurred, further underscoring the importance of bolstering the robustness of U.S. market infrastructure to help ensure its stability, integrity, and resiliency. --------------------------------------------------------------------------- \27\ See id. at 18089-90. The Proposing Release also discussed the effects of Superstorm Sandy on the U.S. securities exchanges, noting certain weaknesses in business continuity and disaster recovery planning that were highlighted by the event. See id. at 18091. --------------------------------------------------------------------------- In particular, since Regulation SCI's proposal, disruptions have continued to occur across a variety of market participants. For example, with respect to the options markets, some exchanges have delayed the opening of trading,\28\ [[Page 72255]] halted trading,\29\ or experienced other errors as a result of systems issues,\30\ and trading in options was halted due to a systems issue with the securities information processor for options market information.\31\ Systems issues have also impacted consolidated market data in the equities markets, including one incident that led to a trading halt in all securities listed on a particular exchange.\32\ Systems issues have also affected trading off of national securities exchanges, including an incident where FINRA halted trading in all OTC equity securities due to a lack of availability of quotation information resulting from a connectivity issue experienced by an ATS.\33\ Systems issues during this time have not been limited to systems disruptions, but have also included allegations of systems compliance issues.\34\ --------------------------------------------------------------------------- \28\ On April 25, 2013, the Chicago Board Options Exchange, Inc. (``CBOE'') delayed the opening of trading on its exchange for over three hours due to what CBOE described as an internal ``software bug.'' See CBOE Information Circular IC13-036, April 29, 2013, available at: https://www.cboe.com/publish/InfoCir/IC13-036.pdf. During this time, while trading in many products was able to continue on the other options exchanges, trading was completely halted for those products that are singly-listed on CBOE, including options on the S&P 500 Index and the CBOE Volatility Index (``VIX''). Trading was able to resume by approximately 1:00 p.m. ET, though some residual systems problems continued. Specifically, certain auction mechanisms were unavailable for the remainder of the day and some of the trade data from April 25 was erroneously re- transmitted to OCC on April 26. See id. and CBOE System Status notifications for April 25, 2013, available at: https://www.cboe.com/aboutcboe/systemstatus/search.aspx. CBOE subsequently reported that preliminary staging work related to a planned reconfiguration of CBOE's systems in preparation for extended trading hours on the CBOE Futures Exchange and CBOE options exchange ``exposed and triggered a design flaw in the existing messaging infrastructure configuration.'' See CBOE Information Circular IC13-036, April 29, 2013, available at: https://www.cboe.com/publish/InfoCir/IC13-036.pdf. \29\ On November 1, 2013, Nasdaq halted trading on the Nasdaq Options Market (``NOM'') for more than five hours through the close of the trading day. Nasdaq stated that the halt was a result of ``a significant increase in order entries which inhibited the system's ability to accept orders and disseminate quotes on a subset of symbols.'' As Nasdaq stated, Nasdaq determined that it was in the best interest of market participants and investors to cancel all orders on the NOM book and continue the market halt through the close. See Nasdaq Market System Status Updates for November 1, 2013, available at: https://www.nasdaqtrader.com/Trader.aspx?id=MarketSystemStatusSearch. \30\ On April 29, 2014, NYSE Arca and NYSE Amex Options experienced a systems issue that resulted in numerous complex orders booking at incorrect prices. In some cases, this resulted in erroneous fill reports, all of which were subsequently nullified. See Trader Update to All NYSE Amex Options and NYSE Arca Options Participants, ``Erroneous Complex Order Executions,'' dated April 29, 2014, available at: https://www1.nyse.com/pdfs/2014_04_29_NYSE_Amex_and_Arca_Options_Erroneous_Complex_Order_Executions.pdf. \31\ On September 16, 2013, options market trading was halted for approximately 20 minutes due to a systems issue with the Options Price Reporting Authority (``OPRA''), the securities information processor for options market information that disseminates option quotation and last sale information to market data vendors. OPRA reported that it experienced problems processing quotes as a result of a software issue originating from a limited rollout of certain software upgrades. See Notice to All OPRA Market Data Recipients from OPRA, LLC, dated September 18, 2013, available at: https://www.opradata.com/specs/16-sept-2013-opra-outage.pdf. \32\ On August 22, 2013, the NASDAQ Stock Market LLC (``Nasdaq'') halted trading in all Nasdaq-listed securities for more than three hours after the Nasdaq UTP Securities Information Processor (``SIP''), the single source of consolidated market data for Nasdaq-listed securities, was unable to process quotes from exchanges for dissemination to the public. According to Nasdaq, a sequence of events created a spike in message traffic volume into the SIP exceeding the SIP's capacity and causing the system to fail. Nasdaq cited ``more than 20 connect and disconnect sequences from NYSE Arca'' and a ``stream of quotes for inaccurate symbols from NYSE Arca'' as events contributing to the systems problem. Nasdaq noted that the stream of messages, which was 26 times greater than usual activity, degraded the system and exceeded its capacity, ultimately resulting in the failure. Nasdaq stated that these events exposed a flaw in the SIP's software code which prevented a successful failover to the backup system. See ``NASDAQ OMX Provides Updates on Events of August 22, 2013,'' by NASDAQ OMX (August 29, 2013), available at: https://www.nasdaqomx.com/newsroom/pressreleases/pressrelease?messageId=1204807&displayLanguage=en; and Nasdaq Market System Status notifications for August 22, 2013, available at: https://www.nasdaqtrader.com/Trader.aspx?id=MarketSystemStatusSearch. Nasdaq experienced another outage related to the SIP on September 4, 2013. This incident lasted only several minutes and affected only a subset of Nasdaq-listed securities. See ``NASDAQ OMX Issues Statement on the Securities Information Processor,'' by NASDAQ OMX (September 4, 2013), available at: https://ir.nasdaqomx.com/releasedetail.cfm?ReleaseID=788700. The SIP consolidates quotation information and transaction reports from market centers and disseminates such consolidated information to market participants pursuant to the Commission- approved Joint Self-Regulatory Organization Plan Governing the Collection, Consolidation and Dissemination of Quotation and Transaction Information for Nasdaq-Listed Securities Traded on Exchanges on an Unlisted Trading Privilege Basis, available at: https://www.utpplan.com/. See generally Rule 608 of Regulation NMS, 17 CFR 242.608 (``Filing and amendment of national market system plans''). More recently, on October 30, 2014, according to the NYSE, a network hardware failure impacted the Consolidated Tape System, Consolidated Quote System, and Options Price Reporting Authority data feeds at the primary data center. Exchanges experienced issues publishing and receiving trades and quotes as a result. After investigation of the issue, the Securities Industry Automation Corporation (``SIAC'') (the processor for the affected data feeds) switched over to the secondary data center for these data feeds and normal processing subsequently resumed. The exchanges then connected to the secondary data center as provided for in SIAC's business continuity plan. See ``Service Advisory--CTA Update,'' by NYSE (October 30, 2014), available at: https://markets.nyx.com/nyse/market-status/view/13467 and ``NMS SIP market wide issue,'' by NYSE (October 30, 2014), available at: https://markets.nyx.com/nyse/market-status/view/13465. \33\ On November 7, 2013, FINRA halted trading for over 3\1/2\ hours in all OTC equity securities due to a lack of availability of quotation information resulting from a connectivity issue experienced by OTC Markets Group Inc.'s OTC Link ATS. See ``Market- Wide Quotation and Trading Halt for all OTC Equity Securities,'' FINRA Uniform Practice Advisory, UPC #47-13, November 7, 2013, available at: https://www.finra.org/web/groups/industry/@ip/@comp/@mt/documents/upcnotices/p381590.pdf; ``Quotation and Trading Halt for OTC Equity Securities,'' FINRA Uniform Practice Advisory, UPC #48-13, November 7, 2013, available at: https://www.finra.org/web/groups/industry/@ip/@comp/@mt/documents/upcnotices/p381593.pdf; ``OTC Markets Group Issues Statement on OTC Link[supreg] ATS Trading on November 7, 2013,'' OTC Disclosure & News Service, November 7, 2013, available at: https://www.otcmarkets.com/stock/OTCM/news/OTC-Markets-Group-Issues-Statement-on-OTC-Linkreg-ATS-Trading-on-November-7-2013?id=71144. OTC Markets Group subsequently reported that a network outage at one of its core network providers caused the lack of connectivity to its primary data center in New Jersey. See ``OTC Markets Group Issues Statement on OTC Link[supreg] ATS Trading on November 7, 2013,'' OTC Disclosure & News Service, November 7, 2013, available at: https://www.otcmarkets.com/stock/OTCM/news/OTC-Markets-Group-Issues-Statement-on-OTC-Linkreg-ATS-Trading-on-November-7-2013?id=71144. \34\ For example, in June 2013, the Commission charged CBOE and its affiliate (C2 Options Exchange, Incorporated (``C2'')) for various systemic breakdowns in their regulatory and compliance responsibilities as self-regulatory organizations, including failure to enforce the federal securities laws and Commission rules. See Securities Exchange Act Release No. 69726, In the Matter of Chicago Board Options Exchange, Incorporated and C2 Options Exchange, Incorporated (settled action: June 11, 2013), available at: https://www.sec.gov/litigation/admin/2013/34-69726.pdf (``CBOE Order''). CBOE and C2 consented to an Order Instituting Administrative and Cease-and-Desist Proceedings Pursuant to Sections 19(h) and 21C of the Securities Exchange Act of 1934, Making Findings, and Imposing Sanctions and a Cease-and-Desist Order. In the CBOE Order, among other charges, the Commission stated that ``CBOE's automated surveillance programs for manually handled trades were ineffective'' and that ``CBOE failed to maintain a reliable or accurate audit trail of orders'' on its trading facility. See id. at 11, 13. In addition, in May 2014, the Commission sanctioned the New York Stock Exchange LLC (``NYSE'') and two of its affiliated exchanges (NYSE Arca, Inc. (``NYSE Arca''), NYSE MKT LLC (``NYSE MKT'')) for alleged failure to comply with their responsibilities as self- regulatory organizations to conduct their business operations in accordance with Commission-approved exchange rules and the federal securities laws. See Securities Exchange Act Release No. 72065, In the Matter of New York Stock Exchange LLC, NYSE Arca, Inc., NYSE MKT LLC, and Archipelago Securities, L.L.C. (settled action: May 1, 2014), available at: https://www.sec.gov/litigation/admin/2014/34-72065.pdf (``NYSE Order''). NYSE, NYSE Arca, NYSE MKT, and Archipelago Securities consented to an Order Instituting Administrative and Cease-and-Desist Proceedings Pursuant to Sections 19(h) and 21C of the Securities Exchange Act of 1934, Making Findings, and Imposing Sanctions and a Cease-and-Desist Order. In the NYSE Order, the Commission cited various instances of NYSE systems not operating in compliance with their effective rules, such as NYSE's block trading facility not functioning in accordance with applicable rules; NYSE distributing an automated feed of closing order imbalance information to its floor brokers at an earlier time than specified in NYSE rules; and NYSE failing to execute certain orders in locked markets contrary to exchange rules. See id. In the NYSE Order, the Commission stated that the exchanges ``lacked comprehensive and consistently-applied policies and procedures for . . . evaluating whether business operations were being conducted fully in accordance with existing exchange rules and the federal securities laws.'' Id. at 3. --------------------------------------------------------------------------- Systems issues are not unique to the U.S. securities markets, with similar incidents occurring in the U.S. commodities markets as well as foreign markets.\35\ However, the Commission [[Page 72256]] believes that it is critical that key U.S. securities market participants bolster their operational integrity to prevent, to the extent reasonably possible, these types of events, which can not only lead to tangible monetary losses,\36\ but which commenters believe to have the potential to reduce investor confidence in the U.S. markets.\37\ --------------------------------------------------------------------------- \35\ See, e.g., Jacob Bunge, Bradley Hope, and Leslie Josephs, ``Technical Glitch Hits CME Trading,'' Wall St. J., April 8, 2014; Jeremy Grant, ``Glitch Delays Singapore Derivative Trade,'' Fin. Times, April 9, 2013; Tamsyn Parker, ``NZX Trading Resumes After Technical Glitch,'' The New Zealand Herald, July 1, 2013; Matt Clinch, ``Flash Crash: Israel Stocks Hit by Typo,'' CNBC.com, available at: https://www.cnbc.com/id/100986999; and Ksenia Galouchko, ``Moscow Exchange Halts Derivatives Trading for Almost an Hour,'' Bloomberg, November 13, 2013. \36\ See, e.g., Proposing Release, supra note 13 (discussing systems issues affecting the initial public offerings (``IPO'') of BATS Global Markets, Inc. and Facebook, Inc.). In a rule change approved by the Commission in March 2013, Nasdaq implemented a $62 million accommodation program to compensate certain members for their losses in connection with the Facebook IPO. Securities Exchange Act Release No. 69216 (March 22, 2013), 78 FR 19040 (March 28, 2013). In its quarterly earnings announcement for the second quarter of 2013, UBS reported a $356 million loss tied to Facebook's IPO, while The Knight Capital Group and Citadel Investment Group claimed losses of $30 million to $35 million and Citigroup cited losses close to $20 million. See Michael J. De La Merced, ``Behind the Huge Facebook Loss at UBS,'' N.Y. Times, July 21, 2012. See also Angel Letter at 15 (stating that catastrophic failures in exchange systems are extremely costly in terms of direct losses to participants and result in reduced investor confidence in markets); and Better Markets Letter at 2 (citing to the systems related problems at Knight Capital, Direct Edge, BATS, and during the Facebook IPO that resulted in investor or company losses). \37\ See, e.g., Angel2 Letter at 2; Sungard Letter at 2; Better Markets Letter at 2; Leuchtkafer Letter at 3; FSI Letter at 3; and Angel Letter at 10, 15. --------------------------------------------------------------------------- The SCI Proposal also noted that the risks associated with cybersecurity, and how to protect against systems intrusions, are increasingly of concern to all types of entities.\38\ On March 27, 2014, the Commission conducted a Cybersecurity Roundtable (``Cybersecurity Roundtable'').\39\ The Cybersecurity Roundtable addressed the cybersecurity landscape and cybersecurity issues faced by participants in the financial markets today, including exchanges, broker-dealers, investment advisers, transfer agents and public companies.\40\ Panelists discussed, among other topics, the scope and nature of cybersecurity threats to the financial industry; how market participants can effectively manage cybersecurity threats, including public and private sector coordination efforts and information sharing; the role that government should play to promote cybersecurity in the financial markets and market infrastructure; cybersecurity disclosure issues faced by public companies; and the identification of appropriate best practices and standards with regard to cybersecurity. Although the views of panelists varied, many emphasized the significant risk that cybersecurity attacks pose to the financial markets and market infrastructure today and the need to effectively manage that risk through measures such as testing, risk assessments, adoption of consistent best practices and standards, and information sharing. --------------------------------------------------------------------------- \38\ See Proposing Release, supra note 13, at 18089-90. \39\ See Securities Exchange Act Release No. 71742 (March 19, 2014), 79 FR 16071 (March 24, 2014) (File No. 4-673). A webcast of the Cybersecurity Roundtable is available at: https://www.sec.gov/news/otherwebcasts/2014/cybersecurity-roundtable-032614.shtml. \40\ The first panel discussed the cybersecurity landscape, and panelists included: Cyrus Amir-Mokri, Assistant Secretary for Financial Institutions, Department of the Treasury; Mary E. Galligan, Director, Cyber Risk Services, Deloitte and Touche LLP; Craig Mundie, Member, President's Council of Advisors on Science and Technology; Senior Advisor to the Chief Executive Officer, Microsoft Corporation; Javier Ortiz, Vice President, Strategy and Global Head of Government Affairs, TaaSera, Inc.; Andy Roth, Partner and Co- Chair, Global Privacy and Security Group, Dentons US LLP; Ari Schwartz, Acting Senior Director for Cybersecurity Programs, National Security Council, The White House; Adam Sedgewick, Senior Information Technology Policy Advisor, national Institute of Standards and Technology; and Larry Zelvin, Director, National Cybersecurity and Communications Integration Center, U.S. Department of Homeland Security. The second panel discussed public company disclosure of cybersecurity risks and incidents, and panelists included: Peter Beshar, Executive Vice President and General Counsel, Marsh & McLennan Companies, Inc.; David Burg, Global and U.S. Advisor Cyber Security Leader, PricewaterhouseCoopers LLP; Roberta Karmel, Centennial Professor of Law, Brooklyn Law School; Jonas Kron, Senior Vice President, Director of Shareholder Advocacy, Trillum Asset Management LLC; Douglas Meal, Partner, Ropes & Gray LLP; and Leslie T. Thornton, Vice President and General Counsel, WGL Holdings, Inc. and Washington Gas Light Company. The third panel addressed cybersecurity issues faced by the securities markets, and panelists included: Mark G. Clancy, Managing Director and Corporate Information Security Officer, The Depository Trust and Clearing Corporation; Mark Graff, Chief Information Security Officer, Nasdaq OMX; Todd Furney, Vice President, Systems Security, Chicago Board Options Exchange; Katheryn Rosen, Deputy Assistant Secretary, Office of Financial Institutions Policy, Department of the Treasury; Thomas Sinnott, Managing Director, Global Information Security, CME Group; and Aaron Weissenfluh, Chief Information Security Officer, BATS Global Markets, Inc. The final panel discussed how broker-dealers, investment advisers, and transfer agents address cybersecurity issues, and panelists included: John Denning, Senior Vice President, Operational Policy Integration, Development and Strategy, Bank of America/ Merrill Lynch; Jimmie H. Lenz, Senior Vice President, Chief Risk and Credit Officer, Wells Fargo Advisors LLC; Mark R. Manley, Senior Vice President, Deputy General Counsel and Chief Compliance Officer, AllianceBernstein L.P.; Marcus Prendergast, Director and Corporate Information Security Officer, ITG; Karl Schimmeck, Managing Director, Financial Services Operations, Securities Industry and Financial Markets Association; Daniel M. Sibears, Executive Vice President, Regulatory Operations/Shared Services, FINRA; John Reed Stark, Managing Director, Stroz Friedberg; Craig Thomas, Chief Information Security Officer, Computershare; and David G. Tittsworth, Executive Director and Executive Vice President, Investment Adviser Association. --------------------------------------------------------------------------- III. Overview The Commission acknowledges that the nature of technology and the level of sophistication and automation of current market systems prevent any measure, regulatory or otherwise, from completely eliminating all systems disruptions, intrusions, or other systems issues.\41\ However, given the issues outlined above, the Commission believes that the adoption of, and compliance by SCI entities with Regulation SCI, with the modifications from the SCI Proposal as discussed below, will advance the goals of the national market system by enhancing the capacity, integrity, resiliency, availability, and security of the automated systems of entities important to the functioning of the U.S. securities markets, as well as reinforce the requirement that such systems operate in compliance with the Exchange Act and rules and regulations thereunder, thus strengthening the infrastructure of the U.S. securities markets and improving its resilience when technological issues arise. In this respect, Regulation SCI establishes an updated and formalized regulatory framework, thereby helping to ensure more effective Commission oversight of such systems. --------------------------------------------------------------------------- \41\ See, e.g., October 2, 2012 remarks by Dr. Nancy Leveson, Professor of Aeronautics and Astronautics and Professor of Engineering Systems, MIT, Technology Roundtable (stating, for example, that ``it is impossible to build totally secure software systems'' and ``we've learned that we cannot build an unsinkable ship and cannot build unfailable software''), available at: https://www.sec.gov/news/otherwebcasts/2012/ttr100212-transcript.pdf. --------------------------------------------------------------------------- As proposed, Regulation SCI would have applied to ``SCI entities'' (estimated in the SCI Proposal to be 44 entities), a term which would have included all self-regulatory organizations (excluding security futures exchanges), ATSs that exceed specified volume thresholds, plan processors for market data NMS plans, and certain exempt clearing agencies. The most significant elements of the SCI Proposal \42\ would have required each SCI entity to: --------------------------------------------------------------------------- \42\ Each provision of the SCI Proposal is described in further detail below in Section IV. See also Proposing Release, supra note 13, at Section III. ---------------------------------------------------------------------------Implement policies and procedures reasonably designed to ensure that its ``SCI systems'' and ``SCI security systems'' have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity's operational capability and [[Page 72257]] promote the maintenance of fair and orderly markets, with deemed compliance for policies and procedures that are consistent with current SCI industry standards, including identified information technology publications listed on proposed Table A; Implement policies and procedures reasonably designed to ensure that its systems operate in the manner intended, including in compliance with the federal securities laws and rules, and the entity's rules and governing documents, with safe harbors from liability for SCI entities and individuals; Upon any ``responsible SCI personnel'' becoming aware of the occurrence of an ``SCI event'' (defined to include systems disruptions, systems compliance issues, and systems intrusions), begin to take appropriate corrective action, including mitigating potential harm to investors and market integrity and devoting adequate resources to remedy the SCI event as soon as practicable; Report to the Commission the occurrence of any SCI event; and notify its members or participants of certain types of SCI events; Notify the Commission 30 days in advance of ``material systems changes'' (subject to an exception for exigent circumstances) and provide semi-annual summary progress reports on such material systems changes; Conduct an annual review, to be performed by objective, qualified personnel, of its compliance with Regulation SCI and submit a report of such annual review to its senior management and to the Commission; Designate those of its members or participants that would be required to participate in the testing (to occur at least annually) of its business continuity and disaster recovery plans, and coordinate such testing with other SCI entities on an industry- or sector-wide basis; and Meet certain other requirements, including maintaining records related to compliance with Regulation SCI and providing Commission representatives reasonable access to its systems to assess compliance with the rule. The Commission received substantial comment on the SCI Proposal from a wide range of entities. Commenters generally expressed support for the goals of the rule, but many suggested that the SCI Proposal's scope was unnecessarily broad and could be more tailored to lower compliance costs and still achieve the goal of reducing significant technology risk in the markets. Broadly speaking, the areas of concern garnering the greatest comment included the: (i) Breadth of certain key proposed definitions; (ii) costs associated with the scope of the proposed rule, including its reporting obligations; (iii) publications designated on Table A as proposed examples of ``current SCI industry standards;'' (iv) proposed entity safe harbor for systems compliance policies and procedures; (v) breadth of the proposed mandatory testing requirements; and (vi) proposed access provision.\43\ --------------------------------------------------------------------------- \43\ A more detailed discussion of commenters' views can be found below in Section IV. --------------------------------------------------------------------------- The Commission has carefully considered the views of commenters in crafting Regulation SCI to meet its goals to strengthen the technology infrastructure of the securities markets and improve its resilience when technology falls short. Many of these modifications are intended to further focus the scope of the requirements from the proposal and to lessen the costs and burdens on SCI entities, while still allowing the Commission to achieve its goals. While Section IV below provides a detailed discussion of the changes the Commission has made to the SCI Proposal in adopting Regulation SCI today,\44\ broadly speaking, the key changes include: --------------------------------------------------------------------------- \44\ The Economic Analysis, infra Section VI, discusses the economic effects, including the costs and benefits, of the provisions of Regulation SCI, as adopted. --------------------------------------------------------------------------- Refining the scope of the proposal by, among other things, revising certain key definitions (including the definition of SCI systems and the definition of SCI ATS to exclude ATSs that trade only municipal securities or corporate debt securities (together, ``fixed- income ATSs'')), refining the reporting framework for SCI events, and replacing the proposed 30-day advanced reporting requirement for material systems changes with a quarterly reporting requirement; Modifying the proposal to differentiate certain obligations and requirements, including tailoring certain obligations based on the criticality of a system (by, for example, adopting a new defined term ``critical SCI system'' for which heightened requirements will apply), and based on the significance of an event (such as adopting a new defined term ``major SCI event'' for purposes of the dissemination requirements, and establishing differing reporting obligations for SCI events that have had no or a de minimis impact on the SCI entity's operations or on market participants); Modifying the proposed policies and procedures requirements relating to both operational capability and the maintenance of fair and orderly markets, as well as systems compliance; Refining the scope of SCI entity members and participants that would be required to participate in mandatory business continuity/ disaster recovery plan testing; and Eliminating the proposed requirement that SCI entities provide Commission representatives reasonable access to their systems because the Commission can adequately assess an SCI entity's compliance with Regulation SCI through existing recordkeeping requirements and examination authority, as well as through the new recordkeeping requirement in Rule 1005 of Regulation SCI. In addition, the Commission notes that proposed Regulation SCI consisted of a single rule (Rule 1000) that included subparagraphs ((a) through (f)) addressing the various obligations of the rule. However, for clarity and simplification, adopted Regulation SCI is renumbered as Rules 1000 through 1007, as follows: Adopted Rule 1000 (which corresponds to proposed Rule 1000(a)) contains definitions for terms used in Regulation SCI; Adopted Rule 1001 (proposed Rules 1000(b)(1)-(2)) contains the policies and procedures requirements for SCI entities relating to both operational capability and the maintenance of fair and orderly markets, as well as systems compliance; Adopted Rule 1002 (proposed Rules 1000(b)(3)-(5)) contains the obligations of SCI entities with respect to SCI events, which include corrective action, Commission notification, and information dissemination; Adopted Rule 1003 (proposed Rules 1000(b)(6)-(8)) contains requirements relating to material systems changes and SCI reviews; Adopted Rule 1004 (proposed Rule 1000(b)(9)) contains requirements relating to business continuity and disaster recovery testing; Adopted Rule 1005 (proposed Rule 1000(c)) contains requirements relating to recordkeeping; Adopted Rule 1006 (proposed Rule 1000(d)) contains requirements relating to electronic filing and submission; Adopted Rule 1007 (proposed Rule 1000(e)) contains requirements for service bureaus. IV. Description of Adopted Regulation SCI and Form SCI A. Definitions Establishing the Scope of Regulation SCI--Rule 1000 A series of definitions set forth in Rule 1000 relate to the scope of Regulation SCI. These include the definitions for ``SCI entity'' (as well as the types of entities that are SCI entities, [[Page 72258]] namely ``SCI SRO,'' SCI ATS,'' ``plan processor,'' and ``exempt clearing agency subject to ARP''), ``SCI systems'' (and related definitions for ``indirect SCI systems'' and ``critical SCI systems''), and ``SCI event'' (as well as the types of events that constitute SCI events, namely ``systems disruption,'' ``systems compliance issue,'' and ``systems intrusion'').\45\ --------------------------------------------------------------------------- \45\ Rule 1000 contains additional defined terms that are discussed in subsequent sections below. See infra Section IV.B.3 (discussing the definition of ``responsible SCI personnel''), Section IV.B.3.d (discussing ``major SCI event'' and deletion of the proposed definition of ``dissemination SCI event''), Section IV.B.4 (discussing deletion of the proposed definition for ``material systems change''), Section IV.B.5 (discussing ``SCI review'' and ``senior management''), and Section IV.C.2 (discussing ``electronic signature''). --------------------------------------------------------------------------- 1. SCI Entities Regulation SCI imposes requirements on entities meeting the definition of ``SCI entity'' under the rule. Proposed Rule 1000(a) defined ``SCI entity'' as an ``SCI self-regulatory organization, SCI alternative trading system, plan processor, or exempt clearing agency subject to ARP.'' \46\ The Commission is adopting the definition of ``SCI entity'' in Rule 1000 as proposed.\47\ --------------------------------------------------------------------------- \46\ See proposed Rule 1000(a) and Proposing Release supra note 13, at Section III.B.1. \47\ Proposed Rule 1000(a) also defined each of the terms within the definition of SCI entity for the purpose of designating specifically the entities that would be subject to Regulation SCI. As described in the Sections IV.A.1.a-d below, the Commission is also adopting these terms as proposed and without modification, with the exception of the definition of ``SCI ATS,'' which is being revised to exclude ATSs that trade only municipal securities or corporate debt securities. --------------------------------------------------------------------------- Some commenters discussed the definition of SCI entity generally and advocated for an expansion of the proposed definition, asserting that additional categories of market participants may have the potential to impact the market in the event of a systems issue.\48\ For example, one commenter suggested that the definition of ``SCI entity'' be extended to include the ATS and broker-dealer entities covered by the Regulation NMS definition of a ``trading center.'' \49\ Another commenter stated that the Commission should potentially expand the definition of SCI entity to also include dark pools if they met the volume thresholds of ATSs.\50\ --------------------------------------------------------------------------- \48\ See, e.g., NYSE Letter at 8-9 and Liquidnet Letter at 2-3. See also BlackRock Letter at 4 (stating, among other things, that Regulation SCI should extend to any trading platforms that transact significant volume because these venues have a meaningful role and impact on the equity market). See also infra Section IV.E (discussing comments regarding the potential inclusion of other types of entities, such as broker-dealers generally, within the scope of Regulation SCI). \49\ Specifically, Section 600(b)(78) of Regulation NMS includes within the definition of a ``trading center'' ``an ATS, an exchange market maker, an OTC market maker, or any other broker or dealer that executes orders internally by trading as principal or crossing orders as agent.'' 17 CFR 242.600(b)(68). See NYSE Letter at 8-9. \50\ See CoreOne Letter at 7-9. CoreOne recommended that the Commission require dark pools to publicly disclose their aggregate volume in a manner similar to disclosures made by exchanges and ATSs. CoreOne stated that, once dark pools publicly disclose their volumes, it would be easier to evaluate whether dark pools should be included as SCI entities. Id. --------------------------------------------------------------------------- Other commenters believed that the scope of the definition should be more limited.\51\ For example, one commenter suggested that the definition should only include those entities that are systemically important to the functioning of the U.S. securities markets and should utilize volume thresholds for exchanges and ATSs to make this determination.\52\ --------------------------------------------------------------------------- \51\ See, e.g., KCG Letter at 6-8; ITG Letter at 2-4; and CME Letter at 2-5. \52\ See ITG Letter at 2-4, 7. This commenter argued that, alternatively, the Commission could impose a lower set of obligations on ``lesser'' SCI entities. See id., at 9-11. See also infra notes 81-82 (discussing this commenter's suggested thresholds for exchanges) and note 131 (discussing this commenter's recommended thresholds for ATSs). See discussion in Sections IV.A.1.a and IV.A.1.b (relating to SCI SROs and SCI ATSs, respectively). --------------------------------------------------------------------------- Several commenters advocated the adoption of a ``risk-based'' approach, which would entail categorizing market participants based on the criticality of the functions performed rather than applying Regulation SCI to all ``SCI entities'' equally.\53\ Some commenters suggested replacing the term ``SCI entity'' with categories of participants based on potential market impact or including in the definition only those participants that are essential to continuous market-wide operation or that are the sole providers of a service in the securities markets.\54\ Other commenters agreed with the proposed scope of the term ``SCI entity,'' but believed that the various requirements under the rule should be tiered based on risk profiles.\55\ Several commenters identified various factors that should be considered in conducting a risk-assessment such as whether an entity is a primary listing market, is the sole market where the security is traded, or performs a monopoly or utility type role where there is no redundancy built into the marketplace, among others.\56\ Some commenters identified specific functions that they believed to be highly critical to the functioning of the securities markets and thus pose the greatest risk to the markets in the event of a systems issue, including securities information processing, clearance and settlement systems, and trading of exclusively listed securities, among others.\57\ --------------------------------------------------------------------------- \53\ See, e.g., BIDS Letter at 5-6; SIFMA Letter at 4-5; KCG Letter at 2-3, 6-8; Fidelity Letter at 2-4; UBS Letter at 2-4; and LiquidPoint Letter at 2-3. \54\ See, e.g., BIDS Letter at 3-6; Direct Edge Letter at 1-2; and KCG Letter at 2-3, 6-8. Specifically, Direct Edge stated that SCI entities should include Commission-registered exchanges, securities information processors under approved NMS plans for market data, and clearance and settlement systems. \55\ See, e.g., SIFMA Letter at 4 and Fidelity Letter at 3-4. \56\ See, e.g., SIFMA Letter at 4 and Fidelity Letter at 3-4. \57\ See, e.g., SIFMA Letter at 4; Direct Edge Letter at 1-2; and KCG Letter at 2-3. --------------------------------------------------------------------------- After careful consideration of the comments, the Commission has determined to adopt the overall scope of entities covered by Regulation SCI as proposed.\58\ As discussed below, the Commission continues to believe that it is appropriate and would further the goals of the national market system to subject all SROs (excluding securities futures exchanges), ATSs meeting certain volume thresholds with respect to NMS stocks and non-NMS stocks (discussed further below), plan processors, and certain exempt clearing agencies to the requirements of Regulation SCI. The Commission believes that this definition appropriately includes those entities that play a significant role in the U.S. securities markets and/or have the potential to impact investors, the overall market, or the trading of individual securities.\59\ --------------------------------------------------------------------------- \58\ But see infra Section IV.A.1.b (discussing revisions to the definition of ``SCI ATS''). \59\ See infra Sections IV.A.1.a-d (discussing more specifically each category of entity included within the definition of ``SCI entity''). --------------------------------------------------------------------------- While some commenters supported expanding the definition of SCI entity to encompass various other types of entities, the Commission has determined not to expand the scope of entities subject to Regulation SCI at this time. As noted in the SCI Proposal, Regulation SCI is based, in part, on the ARP Inspection Program, which has included the voluntary participation of all active registered clearing agencies, all registered national securities exchanges, the only registered national securities association--Financial Industry Regulatory Authority (``FINRA''), one exempt clearing agency, and one ATS.\60\ The ARP Inspection Program has also included the systems of entities that process and disseminate quotation and transaction data on behalf of the Consolidated Tape Association System (``CTA Plan''), Consolidated Quotation System (``CQS Plan''), Joint Self-Regulatory Organization Plan [[Page 72259]] Governing the Collection, Consolidation, and Dissemination of Quotation and Transaction Information for Nasdaq-Listed Securities Traded on Exchanges on an Unlisted Trading Privileges Basis (``Nasdaq UTP Plan''), and Options Price Reporting Authority (``OPRA Plan'').\61\ Significant-volume ATSs have also been subject to certain aspects of the ARP Policy Statements pursuant to Regulation ATS.\62\ In addition, one entity that has been granted an exemption from registration as a clearing agency has been subject to the ARP Inspection Program pursuant to the conditions of the exemption order issued by the Commission.\63\ The scope of the definition of SCI entity is intended to largely reflect the historical reach of the ARP Inspection Program and existing Rule 301 of Regulation ATS, while also expanding the coverage to certain additional entities that the Commission believes play a significant role in the U.S. securities markets and/or have the potential to impact investors, the overall market, or the trading of individual securities. The Commission acknowledged in the SCI Proposal that there may be other categories of entities not included within the definition of SCI entity that, given their increasing size and importance, could pose risks to the market should an SCI event occur.\64\ However, as discussed in further detail below,\65\ the Commission believes that, at this time, the entities included within the definition of SCI entity, because of their current role in the U.S. securities markets and/or their level of trading activity, have the potential to pose the most significant risk in the event of a systems issue. Although some commenters suggested that Regulation SCI should cover a greater range of market participants,\66\ the Commission believes that it is important to move forward now on rules that will meaningfully enhance the technology standards and oversight of key markets and market infrastructure. Further, the Commission believes that a measured approach that takes an incremental expansion from the entities covered under the ARP Inspection Program is an appropriate method for imposing the mandatory requirements of Regulation SCI at this time given the potential costs of compliance. This approach will enable the Commission to monitor and evaluate the implementation of Regulation SCI, the risks posed by the systems of other market participants, and the continued evolution of the securities markets, such that it may consider, in the future, extending the types of requirements in Regulation SCI to additional categories of market participants, such as non-ATS broker-dealers, security-based swap dealers, investment advisers, investment companies, transfer agents, and other key market participants. As noted in the SCI Proposal, should the Commission decide to propose to apply some or all of the requirements of Regulation SCI to additional types of entities, the Commission will issue a separate release discussing such a proposal and seeking public comment.\67\ --------------------------------------------------------------------------- \60\ See Proposing Release, supra note 13, at 18086. \61\ See infra note 196 and accompanying text. \62\ See Rule 301(b)(6) of Regulation ATS, 17 CFR 242.301(b)(6). \63\ See Proposing Release, supra note 13, at 18096-97. See also infra Section IV.A.1.d (discussing the inclusion in Regulation SCI of exempt clearing agencies subject to ARP). \64\ See Proposing Release, supra note 13, at 18138-39. \65\ See infra Sections IV.A.1.a-d (discussing more specifically each category of entity included within the definition of ``SCI entity''). \66\ See supra notes 48-50 and accompanying text. \67\ See Proposing Release, supra note 13, at 18138. --------------------------------------------------------------------------- With respect to another commenter's recommendation regarding dark pools, to the extent that this commenter intended its comment to refer to ATSs, ATSs would be included within the scope of Regulation SCI if they met the applicable volume thresholds discussed below.\68\ To the extent that this commenter intended its comment to refer to other types of non-ATS dark venues where broker-dealers internalize order flow, the Commission notes that it has determined not to extend the scope of Regulation SCI to other types of broker-dealers at this time for the reasons discussed below.\69\ --------------------------------------------------------------------------- \68\ See infra Section IV.A.1.b (discussing definition of ``SCI ATS''). This commenter also recommended that the Commission require dark pools to publicly disclose their aggregate volume to make it easier to evaluate whether dark pools should be included as SCI entities, and supported FINRA's plans to require such trading volume disclosures. The Commission notes that FINRA recently adopted new Rule 4552, which requires each ATS to report to FINRA weekly volume information regarding transactions in NMS stocks and OTC equity securities, and FINRA makes such information publicly available on its Web site. See Securities Exchange Act Release No. 71341 (January 17, 2014), 79 FR 4213 (January 24, 2014) (approving FINRA Rule 4552 requiring each ATS to report to FINRA weekly volume information and number of securities transactions). The Commission also notes that all ATSs (including dark pool ATSs) are required under Regulation ATS to provide the Commission with quarterly trading volume information. See Rule 301(b)(9) of Regulation ATS, 17 CFR 242.301(b)(9). \69\ See infra text accompanying notes 121-125. --------------------------------------------------------------------------- The Commission has also determined not to further limit the scope of entities subject to Regulation SCI as suggested by some commenters. As discussed in more detail below, the Commission continues to believe that each of the identified categories of entities plays a significant role in the U.S. securities markets and/or has the potential to impact investors, the overall market, or the trading of individual securities, and thus should be subject to the requirements of Regulation SCI. Accordingly, the Commission does not agree that it should adopt a ``risk-based'' approach to further limit the categories of market participants subject to Regulation SCI. The Commission believes that limiting the applicability of Regulation SCI to only the most systemically important entities posing the highest risk to the markets is too limited of a category of market participants, as it would exclude certain entities that, in the Commission's view, have the potential to pose significant risks to the securities markets should an SCI event occur. However, the Commission believes it is appropriate to incorporate risk-based considerations in various other aspects of Regulation SCI. Consistent with the views of some commenters advocating that the requirements of Regulation SCI should be tailored to the specific risk-profile of a particular entity or particular system,\70\ the Commission notes that Regulation SCI, as proposed, was intended to incorporate a consideration of risk within its requirements and believes it is appropriate to more explicitly incorporate risk considerations in various provisions of adopted Regulation SCI. For example, as discussed in further detail below, the requirement to have reasonably designed policies and procedures relating to operational capability was designed to permit SCI entities to take a risk-based approach in developing their policies and procedures based on the criticality of a particular system.\71\ In addition, the Commission believes that it is appropriate to further incorporate a risk-based approach into other aspects of the regulation, and thus, as discussed below, is adopting a new term--``critical SCI systems''--to identify systems that the Commission believes should be subject to heightened requirements in certain areas.\72\ Further, the Commission has determined that certain other definitions (such as the definition of ``SCI systems''), and certain requirements of the rule (such as Commission notification for SCI events and material systems changes), should be scaled back and refined consistent with a risk-based approach, as discussed [[Page 72260]] below. The Commission believes that these modifications, further incorporating risk-based considerations in the requirements and scaling back certain requirements, provide the proper balance between requiring that the appropriate entities are subject to baseline standards for systems capacity, integrity, resiliency, availability, security, and compliance, while reducing the overall burden of the rule for all SCI entities, which is consistent with, and responsive to, the views of those commenters that the Commission take a more risk-based approach to SCI entities. --------------------------------------------------------------------------- \70\ See supra note 55 and accompanying text. \71\ See infra Section IV.B.1 (discussing the policies and procedures requirement under adopted Rule 1001(a)). \72\ See infra Section IV.A.2.c (discussing the definition of ``critical SCI systems''). --------------------------------------------------------------------------- a. SCI Self-Regulatory Organization or SCI SRO Proposed Rule 1000(a) defined ``SCI self-regulatory organization,'' or ``SCI SRO,'' to be consistent with the definition of ``self- regulatory organization'' set forth in Section 3(a)(26) of the Exchange Act.\73\ This definition covered all national securities exchanges registered under Section 6(b) of the Exchange Act,\74\ registered securities associations,\75\ registered clearing agencies,\76\ and the Municipal Securities Rulemaking Board (``MSRB'').\77\ The definition, however, excluded an exchange that lists or trades security futures products that is notice-registered with the Commission as a national securities exchange pursuant to Section 6(g) of the Exchange Act, as well as any limited purpose national securities association registered with the Commission pursuant to Exchange Act Section 15A(k).\78\ Accordingly, the proposed definition of SCI SRO in Rule 1000(a) included all national securities exchanges registered under Section 6(b) of the Exchange Act, all registered securities associations, all registered clearing agencies, and the MSRB.\79\ The definition of ``SCI self-regulatory organization'' or ``SCI SRO'' is being adopted in Rule 1000 as proposed.\80\ --------------------------------------------------------------------------- \73\ See 15 U.S.C. 78c(a)(26): ``The term `self-regulatory organization' means any national securities exchange, registered securities association, or registered clearing agency, or (solely for purposes of sections 19(b), 19(c), and 23(b) of this title) the Municipal Securities Rulemaking Board established by section 15B of this title.'' \74\ Currently, these registered national securities exchanges are: (1) BATS Exchange, Inc. (``BATS''); (2) BATS Y-Exchange, Inc. (``BATS-Y''); (3) Boston Options Exchange LLC (``BOX''); (4) CBOE; (5) C2; (6) Chicago Stock Exchange, Inc. (``CHX''); (7) EDGA Exchange, Inc. (``EDGA''); (8) EDGX Exchange, Inc. (``EDGX''); (9) International Securities Exchange, LLC (``ISE''); (10) Miami International Securities Exchange, LLC (``MIAX''); (11) NASDAQ OMX BX, Inc. (``Nasdaq OMX BX''); (12) NASDAQ OMX PHLX LLC (``Nasdaq OMX Phlx''); (13) Nasdaq; (14) National Stock Exchange, Inc. (``NSX''); (15) NYSE; (16) NYSE MKT; (17) NYSE Arca; and (18) ISE Gemini, LLC (``ISE Gemini''). \75\ FINRA is the only registered national securities association. \76\ Currently, there are seven clearing agencies (Depository Trust Company (``DTC''); Fixed Income Clearing Corporation (``FICC''); National Securities Clearing Corporation (``NSCC''); Options Clearing Corporation (``OCC''); ICE Clear Credit; ICE Clear Europe; and CME) with active operations that are registered with the Commission. The Commission notes that in 2012 it adopted Rule 17Ad- 22, which requires registered clearing agencies to have effective risk management policies and procedures in place. See Securities Exchange Act Release No. 68080 (October 22, 2012), 77 FR 66220 (November 2, 2012) (``Clearing Agency Standards Release''). The Commission believes that Regulation SCI, to the extent it addresses areas of risk management similar to those addressed by Rule 17Ad- 22(d)(4), complements Rule 17Ad-22(d)(4). Additionally, on March 12, 2014, the Commission proposed rules that would apply to SEC-registered clearing agencies that have been designated as systemically important by the Financial Stability Oversight Council or that are involved in activities with a more complex risk profile, such as clearing security-based swaps. See Securities Exchange Act Release No. 71699 (Mar. 12, 2014), 79 FR 16865 (March 26, 2014) (``Covered Clearing Agencies Proposal''). Regulation SCI and proposed Rule 17Ad-22(e)(17) are intended to be consistent and complementary. See also Covered Clearing Agencies Proposal, 79 FR at 16866, n.1 and accompanying text (discussing the Commission's consideration of the relevant international standards). \77\ 15 U.S.C. 78c(a)(26). As noted in the Proposing Release, historically, the ARP Inspection Program did not include the MSRB, but instead focused on entities having trading, quotation and transaction reporting, and clearance and settlement systems more closely connected to the equities and options markets. The Commission believes that it is appropriate to apply Regulation SCI to the MSRB, particularly given the fact that the MSRB is the only SRO relating to municipal securities and is a key provider of consolidated market data for the municipal securities market. Accordingly, as proposed, the term ``SCI SRO'' included the MSRB. In 2008, the Commission amended Rule 15c2-12 to designate the MSRB as the single centralized disclosure repository for continuing municipal securities disclosure. In 2009, the MSRB established the Electronic Municipal Market Access system (``EMMA''). EMMA now serves as the official repository of municipal securities disclosure, providing the public with free access to relevant municipal securities data, and is the central database for information about municipal securities offerings, issuers, and obligors. Additionally, the MSRB's Real-Time Transaction Reporting System (``RTRS''), with limited exceptions, requires municipal bond dealers to submit transaction data to the MSRB within 15 minutes of trade execution, and such near real-time post-trade transaction data can be accessed through the MSRB's EMMA Web site. While pre-trade price information is not as readily available in the municipal securities market, the Commission's Report on the Municipal Securities Market also recommended that the Commission and MSRB explore the feasibility of enhancing EMMA to collect best bids and offers from material ATSs and make them publicly available on fair and reasonable terms. See Report on the Municipal Securities Market (July 31, 2012), available at: https://www.sec.gov/news/studies/2012/munireport073112.pdf. The Commission believes that the MSRB's SCI systems currently are limited to those operated by or on behalf of the MSRB that directly support market data (i.e., currently limited to the EMMA, RTRS, and SHORT systems). As discussed more fully below, the EMMA, RTRS, and SHORT systems referenced by the MSRB in its comment letter would be market data systems within the definition of SCI systems because they provide or directly support price transparency. See infra note 253 and accompanying text. \78\ See 15 U.S.C. 78f(g); 15 U.S.C. 78o-3(k). These entities are security futures exchanges and the National Futures Association, for which the CFTC serves as their primary regulator. See generally CFTC Concept Release on Risk Controls and System Safeguards for Automated Trading Environments, 78 FR 56542 (September 12, 2013) (``CFTC Concept Release'') (describing the CFTC's regulatory scheme for addressing risk controls relating to automated systems). \79\ For any SCI SRO that is a national securities exchange, any facility of such national securities exchange, as defined in Section 3(a)(2) of the Exchange Act, 15 U.S.C. 78c(a)(2), also is covered because such facilities are included within the definition of ``exchange'' in Section 3(a)(1) of the Exchange Act, 15 U.S.C. 78c(a)(1). \80\ The Commission notes that NSX ceased trading as of the close of business on May 30, 2014. See Securities Exchange Act Release No. 72107 (May 2, 2014), 79 FR 27017 (May 12, 2014) (Notice of Filing and Immediate Effectiveness of Proposed Rule Change To Cease Trading on Its Trading System) (``NSX Trading Cessation Notice''). In the NSX Trading Cessation Notice, NSX stated: ``[T]he Exchange will continue to be registered as a national securities exchange and will continue to retain its status as a self-regulatory organization[;]'' and further, that it ``shall file a proposed rule change pursuant to Rule 19b-4 of the Exchange Act prior to any resumption of trading on the Exchange pursuant to Chapter XI (Trading Rules).'' Because NSX remains a national securities exchange registered under Section 6(b) of the Exchange Act, it continues to meet the definition of SCI entity, and is counted as an SCI entity for purposes of this release. --------------------------------------------------------------------------- One commenter suggested that the rule should include volume thresholds for exchanges.\81\ Specifically, this commenter recommended that, with regard to exchanges, the definition should include only those exchanges that have five percent or more of average daily dollar volume in at least five NMS stocks for four of the previous six months.\82\ Another commenter asked the Commission to adopt certain specific exceptions to the definition of SCI SRO and SCI entity for entities that are dually registered with the CFTC and Commission where the CFTC is the entity's ``primary regulator'' and for any entity that does not play a ``significant role'' in the markets subject to the Commission's jurisdiction and that cannot have a ``significant impact'' on the markets subject to the Commission's jurisdiction.\83\ --------------------------------------------------------------------------- \81\ See ITG Letter at 10. This commenter also suggested similar revised thresholds for SCI ATSs. See also infra note 131 and accompanying text. Although only one commenter specifically commented on the proposed inclusion of SCI SROs within the scope of Regulation SCI, as discussed above, some commenters believed that Regulation SCI should generally take a more risk-based or tiered approach generally which, in some cases, would affect which entities (including SCI SROs) would be subject to Regulation SCI. See supra notes 53-56 and accompanying text. \82\ See ITG Letter at 10. \83\ See CME Letter at 2. --------------------------------------------------------------------------- The Commission does not believe that a trading volume threshold is [[Page 72261]] appropriate for SCI SROs that are exchanges, but instead believes that Regulation SCI should apply to all SCI SROs. The threshold suggested by the commenter would exclude from Regulation SCI those exchanges with volumes below the suggested threshold; however, the Commission believes that all exchanges play a significant role in our securities markets. For example, all stock exchanges are subject to a variety of specific public obligations under the Exchange Act, including the requirements of Regulation NMS which, among other things, designates the best bid or offer of such exchanges to be protected quotations.\84\ Accordingly, every exchange may have a protected quotation that can obligate market participants to send orders to that exchange. Among other reasons, given that market participants may be required to send orders to any one of the exchanges at any given time if such exchange is displaying the best bid or offer, the Commission believes that it is important that the safeguards of Regulation SCI apply equally to all exchanges irrespective of trading volume. --------------------------------------------------------------------------- \84\ See generally 17 CFR 242.600-612. In addition, as the commenter's suggested thresholds would apply only with respect to exchanges that trade NMS stocks, national securities exchanges that do not trade NMS stocks (i.e., options exchanges) would also be excluded from Regulation SCI under the commenter's suggestion. The Commission believes that it would be inappropriate to exclude options exchanges from the requirements of Regulation SCI, because technology risks are equally applicable to such exchanges, as evidenced by recent significant technology incidents affecting the options markets. See supra notes 28-31 and accompanying text. As such, systems issues at options exchanges can pose significant risks to the markets, and the Commission believes that the inclusion of options exchanges within the scope of Regulation SCI is necessary to achieve the goals of Regulation SCI. --------------------------------------------------------------------------- With regard to one commenter's suggestion to except from the definition of SCI SRO those entities dually registered with the CFTC and Commission where the CFTC is the entity's ``primary regulator,''\85\ the Commission disagrees that such entities should be relieved from the requirements of Regulation SCI solely because they are dually registered.\86\ While the CFTC is responsible for overseeing such an entity with regard to its futures activities, it does not have oversight responsibility for the entity's securities-related activities and systems. While the commenter stated that it (as a dual registrant) is already subject to similar requirements to adopt controls and procedures with regard to operational risk and reliability, security, and capacity of its systems pursuant to CFTC regulations, the Commission again notes that such requirements do not apply to such an entity's securities-related systems as such systems are outside of the CFTC's jurisdiction and, as such, such systems would not be subject to inspection and examination by the CFTC for compliance with such requirements.\87\ Further, Regulation SCI imposes a notification framework to inform the Commission of SCI events and material systems changes, as well as other requirements unique to Regulation SCI. Accordingly, the Commission believes that such entities should be subject to the requirements of Regulation SCI. In addition, as noted above, this commenter also asked the Commission to create an exception for any entity that does not play a ``significant role'' in the markets subject to the Commission's jurisdiction and that cannot have a ``significant impact'' on the markets subject to the Commission's jurisdiction.\88\ While the Commission disagrees with excluding SROs from coverage as discussed above, the Commission notes that it is revising the proposed definition of SCI systems to clarify that the term SCI systems encompasses only those systems that, with respect to securities, directly support trading, clearance and settlement, order routing, market data, market regulation, or market surveillance, as discussed below.\89\ Accordingly, the Commission believes this change should address the commenter's concerns about the requirements applying to entities whose systems cannot affect the markets subject to the Commission's jurisdiction, i.e., the U.S. securities markets. --------------------------------------------------------------------------- \85\ See supra note 83 and accompanying text. \86\ The commenter notes that the Commission has proposed to exclude from the definition of SCI SRO those exchanges that list or trade security futures products that are notice-registered with the Commission pursuant to Section 6(g), as well as limited purpose national securities associations registered with the Commission pursuant to Exchange Act Section 15A(k). See Proposing Release, supra note 13, at 18093, n. 97 and accompanying text. The Commission notes that such entities are subject to the joint jurisdiction of the Commission and the CFTC. To avoid duplicative regulation, however, the CFMA established a system of notice registration under which trading facilities and intermediaries that are already registered with either the Commission or the CFTC may register with the other agency on an expedited basis for the limited purpose of trading security futures products. A ``notice registrant'' is then subject to primary oversight by one agency, and is exempted under the CFMA from all but certain specified provisions of the laws administered by the other agency. See Section 6(g)(4) and Section 15A(k)(3)-(4) (enumerating the provisions of the Exchange Act from which a notice-registered exchange and limited purpose national securities association, respectively, are exempted). Given this, the Commission believes that it is appropriate to defer to the CFTC regarding the systems integrity of these entities). See also generally CFTC Concept Release, supra note 78. This regulatory scheme does not apply outside of the specific contexts of security futures exchanges and associations. In contrast, entities that are registered with both the Commission and the CFTC in other capacities, such as clearing agencies, are subject to a full set of regulations by each regulator. The Exchange Act and Commodity Exchange Act do not exempt these entities, due to any dual regulatory scheme, from any provisions of the laws administered by the Commission and, as discussed further below, the Commission believes they should not be afforded an exclusion from Regulation SCI. \87\ The Commission notes that, to the extent that such an entity's systems for its functions that fall in the purview of the Commission (relating to securities and securities-based swaps) and that fall in the purview of the CFTC (relating to futures and swaps) are integrated, it believes that the focus of the CFTC's exams and inspections of such systems would be on such systems' functionality related to non-securities-related activities, such as swaps or futures, and not those related to securities activities. Thus, the Commission believes that the potential examination and inspection of such integrated systems by both the CFTC and SEC does not support the exclusion of the SCI entities operating such systems, or the systems themselves, from the scope of Regulation SCI. \88\ See supra note 83 and accompanying text. \89\ See adopted Rule 1000 (emphasis added). See also infra Section IV.A.2.b (discussing the definition of ``SCI systems''). --------------------------------------------------------------------------- b. SCI Alternative Trading System Proposed Rule 1000(a) defined the term ``SCI alternative trading system,'' or ``SCI ATS,'' as an alternative trading system, as defined in Sec. 242.300(a), which during at least four of the preceding six calendar months, had: (1) With respect to NMS stocks--(i) five percent or more in any single NMS stock, and 0.25 percent or more in all NMS stocks, of the average daily dollar volume reported by an effective transaction reporting plan, or (ii) one percent or more, in all NMS stocks, of the average daily dollar volume reported by an effective transaction reporting plan; (2) with respect to equity securities that are not NMS stocks and for which transactions are reported to a self- regulatory organization, five percent or more of the average daily dollar volume as calculated by the self-regulatory organization to which such transactions are reported; or (3) with respect to municipal securities or corporate debt securities, five percent or more of either--(i) the average daily dollar volume traded in the United States, or (ii) the average daily transaction volume traded in the United States.\90\ --------------------------------------------------------------------------- \90\ See proposed Rule 1000(a) and Proposing Release, supra note 13, at Section III.B.1. --------------------------------------------------------------------------- The proposed definition would have modified the thresholds currently appearing in Rule 301(b)(6) of Regulation ATS that apply to significant-volume ATSs.\91\ Specifically, [[Page 72262]] the proposed definition would have: Used average daily dollar volume thresholds, instead of an average daily share volume threshold, for ATSs that trade NMS stocks or equity securities that are not NMS stocks (``non-NMS stocks''); used alternative average daily dollar and transaction volume-based tests for ATSs that trade municipal securities or corporate debt securities; lowered the volume thresholds applicable to ATSs for each category of asset class; and moved the proposed thresholds to Regulation SCI. In particular, with respect to NMS stocks, the Commission proposed to change the volume threshold from 20 percent of average daily volume in any NMS stock such that an ATS that traded NMS stocks that met either of the following two alternative threshold tests would be subject to the requirements of proposed Regulation SCI: (i) Five percent or more in any NMS stock, and 0.25 percent or more in all NMS stocks, of the average daily dollar volume reported by an effective transaction reporting plan; or (ii) one percent or more, in all NMS stocks, of the average daily dollar volume reported by an effective transaction reporting plan. With respect to non-NMS stocks, municipal securities, and corporate debt securities, the Commission proposed to reduce the standard from 20 percent to five percent for these types of securities,\92\ the same percentage threshold for such types of securities that triggers the fair access provisions of Rule 301(b)(5) of Regulation ATS.\93\ --------------------------------------------------------------------------- \91\ 17 CFR 242.301(b)(6). \92\ See proposed Rule 1000(a). \93\ See Rule 301(b)(5) of Regulation ATS under the Exchange Act. 17 CFR 242.301(b)(5). In addition, as noted above, the proposed rule used alternative average daily dollar and transaction volume- based tests for ATSs that trade municipal securities or corporate debt securities. --------------------------------------------------------------------------- The proposed definition of ``SCI ATS'' is being adopted substantially as proposed with regard to ATSs trading NMS stocks and ATSs trading non-NMS stocks, with the addition of a six-month compliance period for entities satisfying the thresholds in the definition for the first time, as discussed in more detail below. However, for the reasons discussed below, the Commission has determined to exclude from the definition of ``SCI ATS'' ATSs that trade only municipal securities or corporate debt securities and accordingly, such ATSs will not be subject to the requirements of Regulation SCI. Inclusion of ATSs Generally Many commenters provided comment on the inclusion of ATSs within the scope of Regulation SCI. Some commenters believed that more ATSs should be covered by Regulation SCI.\94\ For example, some commenters suggested that the term ``SCI ATS'' should include all ATSs, because these commenters believed that they have the potential to negatively impact the market in the event of a systems issue.\95\ Moreover, one commenter stated that the Commission should not distinguish between ATSs based on calculated thresholds because an ATS might limit trading on its system so as to avoid being subject to the requirements of Regulation SCI.\96\ --------------------------------------------------------------------------- \94\ See, e.g., NYSE Letter at 9-10; Lauer Letter at 4; and CoreOne Letter at 7-8. \95\ See, e.g., NYSE Letter at 9-10; and Lauer Letter at 4. \96\ See, e.g., NYSE Letter at 9-10. --------------------------------------------------------------------------- Conversely, other commenters stated that fewer, or even no, ATSs should be covered.\97\ Such commenters generally argued that there are key differences between ATSs and exchanges, and thus, ATSs should be regulated differently from exchanges and not be included in Regulation SCI with exchanges.\98\ The differences identified by commenters included: ATSs' relative market shares and sizes; the fact that ATSs are already subject to various regulations as broker-dealers (including Rule 15c3-5 under the Exchange Act, various FINRA rules, and Regulation ATS); and certain fundamental economic differences between the two types of entities (including that exchanges can gain revenue from listing and market data, have self-clearing, and have a protected quote).\99\ One commenter argued that, if the Commission were to include ATSs in Regulation SCI, it should treat ATSs and SROs equally by allowing ATSs to have the same benefits of SROs, including allowing ATSs to derive an income stream from contributions to the SIP, have access to clearing, and have immunity from lawsuits.\100\ Other commenters also noted that, although ATSs have an increasingly large, collective market share, ATSs have not contributed to any of the recent major systems issues that have impacted the market.\101\ --------------------------------------------------------------------------- \97\ See, e.g., BIDS Letter at 3; ITG Letter at 3; KCG Letter at 8; and OTC Markets Letter at 9. \98\ See, e.g., BIDS Letter at 3; ITG Letter at 3; KCG Letter at 9, 14-17; TMC Letter at 2; and OTC Markets Letter at 9. \99\ Id. \100\ See OTC Markets Letter at 9. \101\ See ITG Letter at 4; and BIDS Letter at 3. --------------------------------------------------------------------------- Another commenter stated that the SCI Proposal unfairly discriminated against ATSs by including them within the definition of SCI entity.\102\ Specifically, although this commenter did not believe that Regulation SCI should be expanded to include more entities, it stated that the SCI Proposal's failure to capture certain entities (such as clearing firms, market makers, block positioners, and order routing firms) that it believed could have a greater impact on market stability in the event of a systems issue, while including ATSs, demonstrates that the proposal is arbitrary, capricious, and unfairly discriminatory in nature.\103\ --------------------------------------------------------------------------- \102\ See ITG Letter at 9. \103\ See id. --------------------------------------------------------------------------- After careful consideration of the comment letters, the Commission continues to believe that the inclusion of ATSs that trade NMS stocks and non-NMS stocks in Regulation SCI is appropriate.\104\ The Commission believes that certain of those ATSs play an important role in today's securities markets, and thus should be subject to the safeguards and obligations of Regulation SCI. As noted in the SCI Proposal, the equity markets have evolved significantly over recent years, resulting in an increase in the number of trading centers and a reduction in the concentration of trading activity.\105\ As such, even smaller trading centers, such as certain higher-volume ATSs, now collectively represent a significant source of liquidity for NMS stocks and some ATSs have similar and, in some cases, greater trading volume than some national securities exchanges, with no single national securities exchange executing more than approximately 19 percent of volume in NMS stocks in today's securities markets.\106\ Accordingly, the Commission believes that ATSs meeting certain volume thresholds can play a significant role in the securities markets and, given their heavy reliance on automated systems, have the potential to significantly impact investors, the overall market, [[Page 72263]] and the trading of individual securities should an SCI event occur. --------------------------------------------------------------------------- \104\ Given the inclusion of ATSs that trade NMS stocks and non- NMS stocks within the scope of Regulation SCI, Regulation ATS is also being amended to remove paragraphs (b)(6)(i)(A) and (b)(6)(i)(B) of Rule 301 so that Rule 301(b)(6) will no longer apply to ATSs trading NMS stocks and non-NMS stocks. However, as described below, the Commission has determined to exclude ATSs that trade only municipal securities or corporate debt securities from the scope of Regulation SCI, and such ATSs will remain subject to the requirements of Rule 301(b)(6) if they meet the volume thresholds therein. 17 CFR 242.301(b)(6). See supra notes 14 and 20 and accompanying text. \105\ See Proposing Release, supra note 13, at 18094. \106\ See market volume statistics reported by BATS, available at: https://www.batstrading.com/market_summary/ (no single stock exchange executed more than approximately 19 percent during the second quarter of 2014, with Nasdaq having the highest market share of 18.6 percent). In comparison, according to data from Form ATS-R for the second quarter of 2014, approximately 18 percent of consolidated NMS stocks dollar volume took place on ATSs. --------------------------------------------------------------------------- Commenters identified certain differences between exchanges and ATSs, which commenters argued justified different treatment under Regulation SCI for ATSs or exclusion of ATSs from the regulation completely.\107\ While the Commission recognizes that there are some fundamental differences between ATSs and exchanges, including certain of those identified by commenters, the Commission does not agree that all ATSs should be excluded from Regulation SCI because, as discussed above, it believes that there are certain significant-volume ATSs that have the potential to significantly impact investors, the overall market, or the trading of individual securities should an SCI event occur. At the same time, the risk-based considerations permitted in adopted Regulation SCI may result in the systems of those ATSs that are subject to Regulation SCI (i.e., SCI ATSs) being subject to less stringent requirements than the systems of SROs or other SCI entities in certain areas. For example, as discussed in further detail below, the Commission is adopting a definition of ``critical SCI systems,'' which are a subset of SCI systems that are subject to certain heightened requirements under Regulation SCI. This definition is intended to capture those systems that are core to the functioning of the securities markets or that represent ``single points of failure'' and thus, pose the greatest risk to the markets. The Commission believes that, as currently constituted, relative to the systems of SCI SROs, the systems of SCI ATSs generally would not fall within this category of critical SCI systems, and thus such SCI ATSs would not be subject to the more stringent requirements that would be applicable to the critical SCI systems of other SCI entities. The Commission also notes that other requirements under Regulation SCI are designed to be consistent with a risk-based approach. The Commission believes that this approach recognizes the different roles played by different SCI systems at various SCI entities and, where permitted, allows each SCI entity, including SCI ATSs, to tailor the applicable requirements accordingly. --------------------------------------------------------------------------- \107\ See supra notes 98-99 and accompanying text. --------------------------------------------------------------------------- While some commenters noted that ATSs have not contributed to any of the recent high-profile systems issues,\108\ the Commission does not believe that the relative lack of high-profile systems issues at ATSs to date is an indication that ATSs do not have the potential to have a significant impact on the market in the event of a future systems issue.\109\ --------------------------------------------------------------------------- \108\ See supra note 101 and accompanying text. \109\ The Commission also notes that, as discussed above, in November 2013, a systems issue at OTC Link ATS led FINRA to halt trading in all OTC securities for over three hours. See supra note 33 and accompanying text. --------------------------------------------------------------------------- Other commenters noted the competitive environment of ATSs and argued that, if one ATS experiences a systems issue and becomes temporarily unavailable, trading can be easily rerouted to other venues.\110\ The Commission acknowledges that a temporary outage at an ATS (or at a SCI SRO, for that matter) may not lead to a widespread systemic disruption. However, the Commission notes that Regulation SCI is not designed to solely address system issues that cause widespread systemic disruption, but also to address more limited systems malfunctions and other issues that can harm market participants or create compliance issues.\111\ --------------------------------------------------------------------------- \110\ See ITG Letter at 3; and KCG Letter at 9. \111\ The Commission notes that each ATS provides different services in terms of, among other things, pricing, latency, and order fills to meet investors' specific needs. Thus, for example, an ATS outage could interfere with the supply of certain services that investors demand and, thus, could impose costs on investors. --------------------------------------------------------------------------- Some commenters also stated that inclusion of ATSs is not necessary because ATSs are already subject to sufficient regulations as broker- dealers, citing Rule 15c3-5 under the Exchange Act, various FINRA rules, and Regulation ATS.\112\ While the Commission acknowledges that these rules similarly impose requirements related to the capacity, integrity and/or security of a broker-dealer's systems and are designed to address some of the same concerns that Regulation SCI is intended to address, the Commission notes that these rules generally take a different approach than Regulation SCI. For example, the obligations of an ATS under Rule 15c3-5 address vulnerability in the national market system that relate specifically to market access,\113\ whereas Regulation SCI is designed to further the goals of the national market system more broadly by helping to ensure the capacity, integrity, resiliency, availability, and security of the automated systems of entities important to the functioning of the U.S. securities markets.\114\ Thus, the Commission has determined to include ATSs within the scope of Regulation SCI because of their role as markets and a potential significant source of liquidity. With regard to the FINRA rules identified by commenters, the Commission does not believe that these rules, even when considered in combination with Rule 15c3-5, are an appropriate substitute for the comprehensive approach in Regulation SCI for ATSs in their role as markets.\115\ Finally, as noted above, [[Page 72264]] Rule 301(b)(6) of Regulation ATS imposed by rule certain aspects of the ARP Policy Statements on significant-volume ATSs. As described in detail herein, Regulation SCI seeks to expand upon, update, and modernize the requirements of the ARP Policy Statements and Rule 301(b)(6), by, for example, expanding the requirements to a broader set of systems, imposing new requirements for information dissemination regarding SCI events, and requiring Commission notification for additional types of events, among others. Accordingly, the Commission believes that, for SCI ATSs, the existing broker-dealer rules and regulations identified by commenters are complemented by the requirements of Regulation SCI (other than Rule 301(b)(6), which will no longer apply to ATSs that trade NMS stocks and non-NMS stocks), and do not serve as substitutes for the regulatory framework being adopted today. --------------------------------------------------------------------------- \112\ See supra notes 98-99 and accompanying text. \113\ See Securities Exchange Act Release No. 63241 (November 3, 2010), 75 FR 69792 (November 15, 2010) (``Market Access Release''). \114\ The Commission notes that Rule 15c3-5 focuses on addressing the particular risks that arise when broker-dealers provide electronic access to exchanges or ATSs and therefore does not address the same range of technology-related issues as Regulation SCI is designed to address. Both Rule 15c3-5 and Regulation SCI are policies and procedures-based rules that are designed to address the risks presented by the pervasive use of technology in today's markets.The policies and procedures required by Regulation SCI apply broadly to technology that supports trading, clearance and settlement, order routing, market data, market regulation, and market surveillance and, among other things, address their overall capacity, integrity, resilience, availability, and security. Rule 15c3-5, by contrast, is more narrowly focused on those technology and other errors that can create some of the more significant risks to broker-dealers and the markets, namely those that arise when a broker-dealer enters orders into an exchange or ATS, including when it provides sponsored or direct market access to customers or other persons, where the consequences of such an error can rapidly magnify and spread throughout the markets. See also infra note 115 (discussing FINRA rules applicable to broker- dealers). The Commission will continue to monitor and evaluate the risks posed by broker-dealer systems to the market and the implementation of the Market Access Rule, and may consider extending the types of requirements in Regulation SCI to additional market participants in the future. \115\ For example, NASD Rule 3010(b)(1) requires a member to establish, maintain, and enforce written procedures to supervise the types of business in which it engages and to supervise the activities of registered representatives, registered principals, and other associated persons that are reasonably designed to achieve compliance with applicable securities laws and regulations. This rule relates to policies and procedures to achieve compliance with applicable securities laws and regulations, and thus the Commission believes that this requirement is broadly related to adopted Rule 1001(b) regarding policies and procedures to ensure systems compliance. However, the Commission notes that, unlike adopted Rule 1001(b), which focuses on ensuring that an entity's systems operate in compliance with the Exchange Act, the rules and regulations thereunder and the entity's rules and governing documents, this NASD rule does not specifically address compliance of the systems of FINRA members. Further, the Commission does not believe this provision covers more broadly policies and procedures akin to those in adopted Rule 1001(a) that are designed to ensure that SCI systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain the SCI entity's operation capability and promote fair and orderly markets. Similarly, while FINRA Rule 3130 relates to adopted Rule 1001(b) regarding policies and procedures to ensure systems compliance in that it requires a member's chief compliance officer to certify that the member has in place written policies and procedures reasonably designed to achieve compliance with applicable FINRA rules, MSRB rules, and federal securities laws and regulations, it does not specifically address compliance of the systems of FINRA members, and does not require similar policies and procedures to those in adopted Rule 1001(a) regarding operational capability of SCI entities. Further, while FINRA Rule 4530 imposes a reporting regime for, among other things, compliance issues and other events where a member has concluded or should have reasonably concluded that a violation of securities or other enumerated law, rule, or regulation of any domestic or foreign regulatory body or SRO has occurred, the Commission notes that these reporting requirements are different in several respects from the Commission notification requirements relating to systems compliance issues (e.g., scope, timing, content, the recipient of the reports) and, importantly, would not cover reporting of systems disruptions or systems intrusions that did not also involve a violation of a securities law, rule, or regulation. In addition, FINRA Rule 4370 generally requires that a member maintain a written continuity plan identifying procedures relating to an emergency or significant business disruption, which is akin to adopted Rule 1001(a)(2)(v) requiring policies and procedures for business continuity and disaster recovery plans. Unlike Regulation SCI, however, the FINRA rule does not include the requirement that the business continuity and disaster recovery plans be reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption, nor does it require the functional and performance testing and coordination of industry or sector-testing of such plans, which the Commission believes to be instrumental in achieving the goals of Regulation SCI with respect to SCI entities. --------------------------------------------------------------------------- The Commission also believes that, unlike with respect to exchanges, it is appropriate that Regulation SCI not apply to all ATSs. Exchanges, as self-regulatory organizations, play a special role in the U.S. securities markets, and as such, are subject to certain requirements under the Exchange Act and are able to enjoy certain unique benefits.\116\ Accordingly, as discussed above, the Commission believes it is appropriate to subject all national securities exchanges to the requirements of Regulation SCI regardless of trading volume.\117\ In contrast, in recognition of the more limited role that certain ATSs may play in the securities markets and the costs that will result from compliance with the requirements of the regulation, the Commission believes that it is appropriate to adopt volume thresholds, as discussed below, to identify those ATSs that have the potential to significantly impact the market should an SCI event occur, therefore warranting inclusion within the scope of the regulation. One commenter, in advocating for the application of the regulation to all ATSs, stated that the Commission should not adopt volume thresholds because ATSs may limit trading so as to avoid being subject to the requirements of Regulation SCI.\118\ The Commission does not believe that the possibility of some ATSs structuring their business to fall below the thresholds of the rule is a sufficient justification for applying the rule to all ATSs. The Commission notes that, to the extent that an ATS limits its trading so as not to reach the volume thresholds for SCI ATSs, it would have less potential to impact investors and the market and may appropriately not be subject to the requirements of the rules. As discussed further below, the Commission believes that the dual dollar volume threshold for NMS stocks being adopted today is appropriately designed to ensure that ATSs that have either the potential to significantly impact the market as a whole or the potential to significantly impact the market for a single NMS stock (and have some impact on the market as a whole at the same time) will be subject to the requirements of Regulation SCI. Thus, only those ATSs that limit their trading so as to fall below both the single NMS stock threshold and the broad NMS stocks threshold will not be subject to the requirements of Regulation SCI. --------------------------------------------------------------------------- \116\ See supra Section IV.A.1.a (discussing the definition of ``SCI SRO'') and infra notes 120-121 and accompanying text. As identified by one commenter, benefits afforded to SROs include, among others, the ability to receive market data revenue and immunity from private liability for regulatory activities. See supra note 100. See also ATS Release, supra note 2, at 70902-03 (discussing generally some of the obligations and benefits to be considered when determining whether to register as a national securities exchange or as a broker-dealer acting as an ATS). \117\ See supra notes 81-83 and accompanying text. \118\ See supra notes 95-96 and accompanying text. --------------------------------------------------------------------------- As noted above, one commenter asserted that, if ATSs are subject to the same requirements of Regulation SCI as exchanges, they similarly should be entitled to the benefits afforded to SROs.\119\ The Commission notes that, as discussed above, SROs are subject to a variety of obligations as self-regulatory organizations under the Exchange Act--including filing proposed rules with the Commission and enforcing those rules and the federal securities laws with respect to their members--that do not apply to other market participants, including ATSs.\120\ Although SRO and non-SRO markets are subject to different regulatory regimes, with a different mix of benefits and obligations, the Commission believes it is appropriate to subject them to comparable requirements for purposes of Regulation SCI given the importance of assuring that the technology of key trading centers, regardless of regulatory status, is reliable, secure, and functions in compliance with the law.\121\ At the same time, while questions have been raised as to whether the broader regulatory regimes for exchanges and ATSs should be harmonized, the Commission does not believe it appropriate to delay implementing Regulation SCI or necessary to resolve these issues before proceeding with Regulation SCI. The Commission notes that ATSs have the ability to apply for registration as a SRO should they so wish and, if such application were to be approved by the Commission, such entities could assume the additional responsibilities that are imposed on SROs, as well as avail themselves of the same benefits. --------------------------------------------------------------------------- \119\ See supra note 100 and accompanying text. \120\ See supra Section IV.A.1.a (discussing the definition of ``SCI SRO''); see also Section 19(b) of the Exchange Act, 15 U.S.C. 78s(b)(1), and Section 6(b) of the Exchange Act, 15 U.S.C. 78f(b). Because these important regulatory responsibilities are imposed upon SROs, SROs also are afforded certain unique benefits, such as immunity from private liability with respect to their regulatory functions and the ability to receive market data revenue. See supra note 116 and accompanying text. \121\ But see discussion supra regarding potentially different requirements for ATSs and exchanges, including those relating to SCI ATSs and critical SCI systems. --------------------------------------------------------------------------- As noted above, one commenter objected to the regulation's inclusion of ATSs while excluding certain other entities that the commenter believed similarly had the potential to impact the market, concluding that the proposal was therefore arbitrary, capricious, and unfairly discriminatory in nature.\122\ At the same time, this commenter stated that it did not recommend that additional entities be included within the scope of the regulation.\123\ First, as noted above, the Commission has determined to include ATSs meeting the adopted volume thresholds within the scope of Regulation SCI because of their unique role as markets rather than because of their role as traditional broker-dealers. All broker-dealers are subject to Rule 15c3-5 and other FINRA rules as noted by some commenters, which impose certain requirements [[Page 72265]] related to the capacity, integrity and/or security of a broker-dealer's systems appropriately tailored to their role as broker-dealers. Further, as noted above, the scope of Regulation SCI is rooted in the historical reach of the ARP Inspection Program and Rule 301 of Regulation ATS (which applies to significant-volume ATSs).\124\ The Commission acknowledged in the SCI Proposal that there may be other categories of broker-dealers not included within the definition of SCI entity that, given their increasing size and importance, could pose a significant risk to the market should an SCI event occur.\125\ The Commission solicited comment on whether there are additional categories of market participants that should be subject to all or some of the requirements of Regulation SCI and noted that, were the Commission to decide to apply the requirements of Regulation SCI to such additional entities, it would issue a separate release outlining such a proposal and the rationale therefor.\126\ As discussed above, the Commission believes that, at this time, the entities included within the scope of Regulation SCI, because of their current role in the U.S. securities markets and/or their level of trading activity, have the potential to pose the most significant risk in the event of a systems issue. Further, the Commission believes that a measured approach that takes an incremental expansion from the entities covered under the ARP Inspection Program is an appropriate method for imposing the mandatory requirements of Regulation SCI at this time. As such, while the Commission believes that the types of entities subject to Regulation SCI as adopted are appropriate, the Commission may consider extending the types of requirements in Regulation SCI to additional market participants in the future. --------------------------------------------------------------------------- \122\ See supra note 103 and accompanying text. \123\ See supra note 103 and accompanying text. \124\ See supra notes 60-67 and accompanying text. \125\ See Proposing Release, supra note 13, at 18138-39. \126\ See id. --------------------------------------------------------------------------- SCI ATS Thresholds Several commenters discussed the specific proposed volume thresholds for SCI ATSs, and many offered what they believed to be more appropriate alternative methods for including ATSs within Regulation SCI.\127\ For example, some commenters urged the Commission to retain the existing 20 percent threshold under Regulation ATS for purposes of Regulation SCI or asked the Commission to provide further explanation as to why the current threshold under Regulation ATS should be altered.\128\ One commenter agreed with the Commission that the 20 percent threshold currently in Regulation ATS might be too high, and suggested using a threshold for ATSs trading NMS stocks of five percent or more of the volume in all NMS stocks during a 12-month period, to be determined once a year in the same given month.\129\ Another commenter suggested that the Commission apply its ATS threshold for NMS stocks to only the 500 most active securities.\130\ An additional recommendation by one commenter with regard to NMS stocks was to include only those ATSs with five percent or more of at least five NMS stocks with an aggregate average daily share volume greater than 500,000 shares and 0.25 percent or more of all NMS stocks for four of the previous six months, or those ATSs that have three percent or more of all NMS stocks in four of the previous six months.\131\ Another commenter suggested retaining Rule 301(b)(6) as part of Regulation ATS, but amending the rule by lowering the average daily volume threshold to 2.5 percent.\132\ --------------------------------------------------------------------------- \127\ See, e.g., Direct Edge Letter at 2; SIFMA Letter at 6-7; BIDS Letter at 6; ITG Letter at 10; and OTC Markets Letter at 11. But see BlackRock Letter at 4 (agreeing with the Commission's approach in the SCI Proposal of lowering the thresholds for SCI ATSs from the thresholds in Rule 301(b)(6) of Regulation ATS). \128\ See, e.g., Direct Edge Letter at 2; and KCG Letter at 10- 11. \129\ See SIFMA Letter at 6. \130\ See BIDS Letter at 6. \131\ See ITG Letter at 10. \132\ See OTC Markets Letter at 11. This commenter also suggested leaving in place the existing five percent average daily share volume threshold for the display requirement of Rule 301(b)(3) under Regulation ATS. --------------------------------------------------------------------------- One commenter requested clarification on the phrase ``0.25 percent or more in all NMS stocks, of the average daily dollar volume reported by an effective transaction reporting plan.'' \133\ Because there is more than one transaction reporting plan, this commenter asked whether the proposed volume thresholds would be calculated per plan or calculated based on all NMS volume.\134\ --------------------------------------------------------------------------- \133\ See SIFMA Letter at 6-7. \134\ See SIFMA Letter at 6-7. --------------------------------------------------------------------------- Some commenters provided suggestions with regard to the proposed measurement methodology for the thresholds.\135\ A few commenters argued that the proposed time period measurement of ``at least four of the preceding six calendar months'' is cumbersome to apply in practice and believed that the time period should be over a longer term.\136\ For example, two commenters stated that the rule should utilize a 12- month measurement period.\137\ Conversely, another commenter generally opposed the thresholds stating that all ATSs should be subject to the rule, but noted that if the rule includes a trading volume metric, the measurement period should be much shorter (such as two to four weeks).\138\ In addition, one commenter stated that the measurement should be based on number of shares traded rather than dollar value.\139\ --------------------------------------------------------------------------- \135\ See, e.g., BIDS Letter at 6; KCG Letter at 19; SIFMA Letter at 7; and Lauer Letter at 4-5. \136\ See, e.g., BIDS Letter at 6; and KCG Letter at 19. \137\ See BIDS Letter at 6; and KCG Letter at 19. \138\ See Lauer Letter at 4-5. \139\ See BIDS Letter at 6. --------------------------------------------------------------------------- Two commenters also suggested that ATSs should be given six months after meeting the given threshold in the definition of SCI ATS to come into compliance with Regulation SCI.\140\ --------------------------------------------------------------------------- \140\ See KCG Letter at 19; and SIFMA Letter at 7. --------------------------------------------------------------------------- The Commission is adopting the thresholds for ATSs that trade NMS stocks and non-NMSs stock as proposed. In setting the thresholds for Regulation SCI, the Commission believes it is establishing an appropriate and reasonable scope for the application of the regulation. Although commenters provided various suggestions for different thresholds, nothing persuaded the Commission that these suggestions would better accomplish the goals of Regulation SCI than the thresholds the Commission is adopting. As discussed below, the Commission has analyzed the number of entities it believes are likely to be covered by the thresholds it is establishing. The Commission recognizes that these thresholds ultimately represent a matter of judgment by the Commission as it takes the step of promulgating Regulation SCI, and the Commission intends to monitor these thresholds to determine whether they continue to be appropriate. With regard to the threshold for ATSs trading NMS stocks, the Commission has determined to adopt this threshold as proposed. After careful consideration of the comments, the Commission continues to believe that this threshold is an appropriate measure of when a market is of sufficient significance so as to warrant the protections and requirements of Regulation SCI.\141\ The [[Page 72266]] Commission is, however, making one technical modification in response to a commenter to clarify that the threshold will be calculated based on all NMS volume, rather than on a per plan basis.\142\ The Commission agrees with the commenter that the proposed language should be clarified and, as such, the threshold language within the definition of ``SCI ATS'' in Rule 1000 is being revised to refer to ``applicable effective transaction reporting plans,'' rather than ``an effective transaction reporting plan.'' \143\ --------------------------------------------------------------------------- \141\ The numerical thresholds in the definition of SCI ATS reflect an informed assessment by the Commission, based on qualitative and quantitative analysis, of the likely economic consequences of the specific numerical thresholds included in the definition. In making such assessment and, in turn, selecting the numerical thresholds, in addition to considering the views of commenters, the Commission has reviewed relevant data. See infra notes 150 and 175 and accompanying text. \142\ See supra note 134 and accompanying text. As noted above, this commenter asked the Commission for clarification on this aspect of the rule. \143\ Because the threshold has two prongs, one of which is based on all NMS volume, it is necessary to specify that there is more than one transaction reporting plan that would be applicable in calculating all NMS stock trading volume. At the same time, since the other prong of the threshold is based on the trading volume of single NMS stocks, it is necessary to also add the term ``applicable'' before the term ``transaction reporting plans'' as only one transaction reporting plan would be applicable per security. The definition of ``eligible securities'' in each of the transaction reporting plans are mutually exclusive, ensuring that each security is subject to only one transaction reporting plan. See CTA Plan, available at: https://www.nyxdata.com/cta; and Nasdaq UTP Plan, available at: https://www.utpplan.com. --------------------------------------------------------------------------- Under the adopted definition of SCI ATS, with regard to NMS stocks, an ATS will be subject to Regulation SCI if, during at least four of the preceding six calendar months, it had: (i) Five percent or more in any single NMS stock, and 0.25 percent or more in all NMS stocks, of the average daily dollar volume reported by applicable effective transaction reporting plans, or (ii) one percent or more, in all NMS stocks, of the average daily dollar volume reported by applicable effective transaction reporting plans.\144\ The Commission continues to believe that this threshold will identify those ATSs that could have a significant impact on the overall market or that could have a significant impact on a single NMS stock and some impact on the market as a whole at the same time.\145\ --------------------------------------------------------------------------- \144\ But see infra notes 169-170 and accompanying text (discussing a six-month compliance period for SCI entities satisfying the thresholds for the first time). \145\ Under the adopted thresholds, because of the requirement to meet the threshold for at least four of the preceding six calendar months, inactive and newly operating ATSs would not be included in the definition of SCI ATS. See infra note 152. --------------------------------------------------------------------------- While some commenters advocated for thresholds higher than those proposed and/or retaining the 20 percent threshold in Regulation ATS,\146\ as the Commission discussed in the SCI Proposal, the securities markets have significantly evolved since the time of the adoption of Regulation ATS, resulting in trading activity in stocks being more dispersed among a variety of trading centers. For example, in today's markets, national securities exchanges, once the predominant type of venue for trading stocks, each account for no more than approximately 19 percent of volume in NMS stocks.\147\ By way of contrast, based on data collected from ATSs pursuant to FINRA Rule 4552 for 18 weeks of trading in 2014, the trading volume of ATSs accounted for approximately 18 percent of the total dollar volume in NMS stocks, with no individual ATS executing more than five percent.\148\ Given this dispersal of trading volume among an increasing number of trading venues, the increasingly interconnected nature of the markets, and the increasing reliance on a variety of automated systems, the Commission believes that there is a heightened potential for systems issues originating from a number of sources to significantly affect the market. Due to these developments, the Commission believes that the 20 percent threshold as adopted in Regulation ATS is no longer an appropriate measure for determining those entities that can have a significant impact on the market and thus should be subject to the protections of Regulation SCI. Rather, the Commission believes that lower volume thresholds are appropriate, and as noted in the SCI Proposal, the Commission believes that the adopted thresholds would include ATSs having NMS stock dollar volume comparable to or in excess of the NMS stock dollar volume of certain national securities exchanges subject to Regulation SCI.\149\ --------------------------------------------------------------------------- \146\ See supra note 128 and accompanying text. \147\ See supra note 106. \148\ See infra note 150. \149\ See Proposing Release, supra note 13, at 18094. --------------------------------------------------------------------------- Based on data collected from ATSs pursuant to FINRA Rule 4552 for 18 weeks of trading in 2014,\150\ the Commission believes that approximately 12 ATSs trading NMS stocks would exceed the adopted thresholds and fall within the definition of SCI entity, accounting for approximately 66 percent of the dollar volume market share of all ATSs trading NMS stocks.\151\ The Commission acknowledges that its analysis of the FINRA ATS data did not reveal an obvious threshold level above which a particular subset of ATSs may be considered to have a significant impact on individual NMS stocks or the overall market, as compared to another subset of ATSs. However, for the following reasons, the Commission continues to believe that the adopted thresholds for ATSs trading NMS stock are an appropriate measure to identify those ATSs that should be subject to the requirements of Regulations SCI. First, by imposing both a single NMS stock threshold and an all NMS stocks threshold in the first prong of the definition, the thresholds will help to ensure that Regulation SCI will not apply to an ATS that has a large volume in a small NMS stock and little volume in all other NMS stocks. At the same time, the Commission believes that inclusion of the dual-prong dollar volume thresholds is appropriate. Specifically, it will require not only that ATSs that have significant trading volume in all NMS stocks are subject to the requirements of Regulation SCI, but also that ATSs that have large trading volume in a single NMS stock and could significantly affect the market for that stock are also covered by the safeguards of Regulation SCI provided they have levels of trading in all NMS stocks that could allow such ATSs to also have some impact on the market as a whole. The Commission also believes that, as discussed further below, the adopted thresholds will also appropriately capture not only ATSs that have significant trading volume in active stocks, but also those that have significant trading volume in less active stocks. The Commission believes that a systems issue at an ATS that is a significant market for the trading of a less actively traded stock could similarly impose significant risks to the market for such securities, because a systems outage at such a venue could significantly impede the ability to trade [[Page 72267]] such securities, thereby having a significant impact on the market for such less-actively traded securities. In addition, the Commission continues to believe that thresholds that account for 66 percent of the dollar volume market share of all ATSs trading NMS stocks is a reasonable level that would not exclude new entrants to the ATS market.\152\ Further, as noted above, the thresholds would include ATSs having NMS stock dollar value comparable to the NMS stock dollar volume of the equity exchanges subject to Regulation SCI. Finally, the Commission believes that the adopted thresholds are appropriate to help ensure that entities that have determined to participate (in more than a limited manner) in the national market system as markets that bring buyers and sellers together, are subject to the requirements of Regulation SCI. --------------------------------------------------------------------------- \150\ See Securities Exchange Act Release No. 71341 (January 17, 2014), 79 FR 4213 (January 24, 2014) (approving FINRA Rule 4552 requiring each ATS to report to FINRA weekly volume information and number of securities transactions). Commission staff analyzed FINRA ATS data for the period of May 19, 2014 through September 19, 2014. The recently available FINRA ATS data is consistent with the OATS data used in the SCI Proposal. In addition, the analysis of FINRA ATS data examines a threshold of trading volume over four out of six time periods, each period defined as a period of three consecutive weeks as a rough approximation of the threshold test on four out of the preceding six calendar months as prescribed in the definition of SCI ATS. The Commission noted in the SCI Proposal that the staff analysis of OATS data may overestimate the number of ATSs that may meet the proposed thresholds. While the calculation based on FINRA ATS data may not overestimate the number of ATSs as much as the data analysis in the proposal, it could still overestimate the number of ATSs that would meet the thresholds. Nevertheless, the Commission believes the analysis of FINRA ATS data offers useful insights. See Proposing Release, supra note 13, at 18094. \151\ According to the FINRA ATS data, during this time period, a total of 44 ATSs traded NMS stocks. The Commission notes that the number of ATSs exceeding the adopted thresholds, and the percentage of volume of trading in NMS stocks that they represent, may change over time in response to market and competitive forces. \152\ Consistent with the Commission's statement in the SCI Proposal, the Commission has considered barriers to entry and the promotion of competition in setting the threshold such that new ATSs trading NMS stocks would be able to commence operations without, at least initially, being required to comply with--and thereby not incurring the costs associated with--Regulation SCI. See Proposing Release, supra note 13, at n. 102. In particular, a new ATS could engage in limited trading in any one NMS stock or all NMS stocks, until it reached an average daily dollar volume of five percent or more in any one NMS stock and 0.25 percent or more in all NMS stocks, or one percent in all NMS stocks, over four of the preceding six months. Because a new ATS could begin trading in NMS stocks for at least three months (i.e., less than four of the preceding six months), and conduct such trading at any dollar volume level without being subject to Regulation SCI, and would have to exceed the specified volume levels for the requisite period to become so subject, the Commission believes that these thresholds should not prevent a new ATS entrant from having the opportunity to initiate and develop its business. Further, the Commission notes that, as discussed below, it is adopting an additional six-month compliance period (in addition to the general nine-month compliance period from the Effective Date of Regulation SCI afforded to all SCI entities) for ATSs newly meeting the thresholds, so that once an ATS meets the threshold, it will have six months from that time to become fully compliant with Regulation SCI. See infra Section IV.F (discussing effective dates and compliance periods). The Commission believes that, for ATSs that have newly entered the market, this additional compliance period will give such ATSs additional opportunity to develop and grow their business without incurring the costs of compliance with Regulation SCI during this time. This additional compliance period should also provide such ATSs with time to plan on how they would meet the requirements of Regulation SCI, and could also potentially allow SCI ATSs to become more equipped to bear the cost of Regulation SCI once compliance is required, and thus not significantly discourage new ATSs from entering the market and growing. See infra Section VI.C.1.c (discussing further barriers to entry and the potential effects on competition of the adopted thresholds). --------------------------------------------------------------------------- As noted above, several commenters provided specific suggestions for alternative standards for determining which ATSs should be included within the scope of Regulation SCI.\153\ While the Commission recognizes that some of the suggested alternatives could have certain benefits, it also believes that each recommended standard also has corresponding limitations, and thus believes that the adopted thresholds are an appropriate measure for identifying those ATSs that should be subject to Regulation SCI. First, as described above, the Commission believes that adopting a two-prong standard is necessary to identify those ATSs that, in the event of a systems issue, could have a significant impact on the overall market or that could have a significant impact on a single NMS stock and some impact on the market as a whole at the same time. The Commission notes that several of the thresholds suggested by commenters lacked such a dual-prong standard (and, in particular, the prong relating to individual NMS stocks) and thus do not provide the advantages associated with the adopted threshold in protecting the trading venues for a single NMS stock. With regard to one commenter's suggestion that the first prong of the threshold should, among other things, consider five NMS stocks, rather than a single stock, the Commission does not believe the commenter has provided any clear rationale for this standard.\154\ As discussed, the purpose of the first prong is to identify significant trading venues (or markets) for a single security where a systems disruption could have a significant effect on the market for that security, and setting the threshold to consider five NMS securities could potentially exclude trading venues that host large trading activity for a single NMS security. Additionally, the Commission notes that the suggested alternative approach would be unlikely to have any significant practical effect when used in conjunction with the second prong of the threshold, which looks at trading across all NMS stocks, because the second prong would likely capture an ATS with five percent or more volume in five NMS stocks. With regard to one commenter's suggestion to apply the threshold to only the 500 most active NMS stocks \155\ and another commenter's suggestion to include only stocks with an aggregate average daily share volume greater than 500,000,\156\ the Commission disagrees that the threshold should be structured to capture only ATSs that have significant trading volume in active stocks. Rather, the first prong of the adopted threshold is designed to capture any ATS that has five percent or more of the trading volume of any NMS stock, irrespective of how actively traded it is, so that Regulation SCI can effectively address risks relating to the trading of all NMS stocks, and not only the most active of NMS stocks. If the Commission were to apply the threshold only to the 500 most active NMS stocks or stocks only with average daily share volumes greater than 500,000, an ATS that, for example, served as the primary venue for the trading of less actively traded NMS stocks, but had negligible market share for more actively traded NMS stocks, would not be subject to Regulation SCI. However, an SCI event that resulted in an outage of such an ATS could have a significant impact on the market for such less actively traded NMS stocks. As such, failure to include such an ATS within the scope of Regulation SCI would be contrary to the goals of the regulation. Finally, with regard to one commenter's suggestion to retain Rule 301(b)(6) as part of Regulation ATS and amend the threshold to 2.5 percent,\157\ as discussed throughout this release, Regulation SCI is intended to expand upon the requirements of Rule 301(b)(6) and to supersede and replace such requirements for ATSs that trade NMS stocks.\158\ For the reasons noted above, the Commission believes it is appropriate to include ATSs meeting the adopted volume thresholds within the scope of Regulation SCI, and the Commission does not believe it is appropriate to retain Rule 301(b)(6) as part of Regulation ATS, thereby subjecting ATSs to a separate and differing set of regulatory requirements than other SCI entities with regard to systems capacity, integrity, resiliency, availability, security, and compliance.\159\ For all of the reasons discussed above, the Commission does not believe that any of the alternative standards suggested by commenters would better capture those entities that [[Page 72268]] have the potential to pose significant risk to the market. --------------------------------------------------------------------------- \153\ See supra notes 127-132 and accompanying text. \154\ See supra note 131 and accompanying text. This commenter argued generally that the thresholds should be revised so as to only include those entities that would have an ``immediate and substantial impairment of a functioning marketplace.'' However, the commenter did not explain why it advocated the use of five NMS stocks, rather than a single NMS stock. See ITG Letter at 9. \155\ See supra note 130 and accompanying text. \156\ See supra note 131 and accompanying text. \157\ See supra note 132 and accompanying text. \158\ But see infra notes 189-192 and accompanying text (discussing the Commission's determination to retain the applicability of Rule 301(b)(6) to fixed-income ATSs). \159\ The Commission notes that, with regard to the specific threshold level suggested by this commenter (2.5%), the Commission believes the adopted thresholds to be an appropriate measure to identify those ATSs that should be subject to the requirements of Regulations SCI for the reasons discussed above. See supra note 141. --------------------------------------------------------------------------- One commenter urged the Commission to utilize number of shares traded rather than dollar value, stating that while most of the world uses value traded, available data for the U.S. equity markets is share- based.\160\ The Commission disagrees with this commenter and notes that daily dollar volume is readily available from a number of sources, including the SIPs.\161\ --------------------------------------------------------------------------- \160\ See supra note 139 and accompanying text. \161\ See also Proposing Release, supra note 13, at 18094 (stating that the use of dollar thresholds may better reflect the economic impact of trading activity). --------------------------------------------------------------------------- The time measurement period for ATSs that trade NMS stocks and non- NMS stocks is also being adopted as proposed. Thus, ATSs will be subject to Regulation SCI only if they meet the numerical thresholds for at least four of the preceding six months.\162\ The Commission notes that the adopted time measurement period is consistent with the current standard in Rule 301(b)(6) of Regulation ATS.\163\ The Commission believes that this time measurement period is an appropriate time period over which to evaluate the trading volume of an ATS and should help to ensure that it does not capture ATSs with relatively low trading volume that may have had an anomalous increase in trading on a given day or few days. Contrary to concerns raised by some commenters,\164\ under this time measurement methodology, an ATS would not qualify as an SCI entity simply by trading a single large block of an illiquid security during one month (or even two or three months). While one commenter suggested that the time measurement period be shorter and recommended a period of two to four weeks,\165\ the Commission believes that this could cause ATSs to fall within the scope of the definition solely as a result of an atypical, short-term increase in trading or a small number of large block trades that is not reflective of ATSs' general level of trading. Specifically, with such a short period of measurement, a short-term spike in trading volume uncharacteristic of an ATS's overall trading volume history could (and if large enough, likely would) skew the overall trading volume for that time period, causing an ATS to meet the volume thresholds and thus become subject to Regulation SCI even though the overall risk posed by the ATS does not warrant it. Further, the Commission believes that such a shorter time measurement period could provide more barriers to entry for ATSs, because new ATSs would not have as long of a time period to develop their business prior to having to incur the costs of compliance associated with being subject to the requirements of Regulation SCI.\166\ This potential to incur such costs almost immediately after the initial start of operations could act as a barrier to entry for some new ATSs. --------------------------------------------------------------------------- \162\ See adopted Rule 1000 (definition of ``SCI ATS''). The Commission notes that if an ATS that was not previously subject to Regulation SCI meets the SCI ATS volume threshold for four consecutive months, it would become subject to Regulation SCI at the end that four-month period. However, as discussed further below, such an ATS would have an additional six months from that time to comply with the requirements of Regulation SCI. See infra text accompanying notes 169-170. \163\ 17 CFR 242.301(b)(6). \164\ See, e.g., BIDS Letter at 6. \165\ See supra note 138 and accompanying text. \166\ See supra note 152 and accompanying text. See also infra Section VI.C.1.c (discussing barriers to entry and the effects on competition of the adopted thresholds and time measurement period for SCI ATSs). --------------------------------------------------------------------------- Other commenters recommended a longer measurement period, such as 12 months.\167\ The Commission does not believe, however, that a longer time period is necessary or more appropriate to identify those entities that play a significant role in the market for a particular asset class and/or that have the potential to significantly impact investors or the market, warranting inclusion in the scope of Regulation SCI. The Commission believes that the adopted time measurement period provides sufficient trading history data so as to indicate an ATS's significance to the market, and that the structure of the test (i.e., requiring an ATS to meet the threshold for four out of six months) ensures sustainability of such trading levels. In addition, modifying the time measurement period to 12 months (and thus eliminating the four out of six month measurement period) would make such a measure more susceptible to capturing ATSs that have a major but isolated spike in trading during a single month. Specifically, as noted above, a single anomalous large increase in trading volume during one month (or such a spike in two or three months) could never result in an ATS becoming subject to Regulation SCI solely as a result of such a spike in trading, because the ATS would meet the threshold only for one month, rather than the four months required by the rule. On the other hand, a threshold based on an average over 12 months could be skewed by the occurrence of one large spike in trading that results in the overall average for the 12-month period being increased to such a level that it meets the volume threshold levels. Thus, contrary to one commenter's suggestion that a 12-month period would require ``a sustained trading level at the threshold,'' \168\ the Commission believes that the structure of the adopted measurement period test (i.e., four out of six months) may be a better indicator of actual sustained trading levels at the threshold warranting the protections of the rule. Further, the Commission believes that 12 months is a less appropriate time measurement period than the period adopted because, for example, an ATS could have significant trading volume early on during such a time period such that it may pose significant risk to the markets in the event of a systems issue at such an ATS without being subject to Regulation SCI for a significant period of time. The Commission believes that the adopted time period strikes an appropriate balance between being a long enough period so as to not be triggered by atypical periods of increased trading or a few occurrences of very large trades, while also not causing unnecessary delay in requiring that ATSs playing an important role in the market are subject to Regulation SCI. --------------------------------------------------------------------------- \167\ See supra notes 136-137 and accompanying text. One of these commenters noted that the ``four out of the preceding six months'' measurement is cumbersome to apply in practice. See KCG Letter at 19. The Commission does not believe this measurement period to be overly cumbersome to apply in practice, as it would require only that an ATS undertake an assessment once at the end of each month as to whether the ATSs had exceeded the volume thresholds set forth in the rule and then make a determination at the end of a six month period whether the ATS met this threshold for four out of the six preceding months. \168\ See KCG Letter at 19. See also supra notes 136-137 and accompanying text. --------------------------------------------------------------------------- Finally, as discussed further in Section IV.F, the Commission agrees with commenters that it is appropriate to provide ATSs meeting the volume thresholds in the definition of SCI ATS for the first time a period of time before they are required to comply with Regulation SCI.\169\ Thus, consistent with the recommendation of these commenters, the Commission is revising the definition of SCI ATS to provide that an SCI ATS will not be required to comply with the requirements of Regulation SCI until six months after satisfying any of the applicable thresholds in the definition of SCI ATS for the first time.\170\ --------------------------------------------------------------------------- \169\ See supra note 140 and accompanying text. \170\ See Rule 1000 (definition of SCI ATS). --------------------------------------------------------------------------- ATSs Trading Non-NMS Stocks Some commenters addressed whether Regulation SCI should apply to ATSs trading non-NMS stocks.\171\ Specifically, [[Page 72269]] one commenter stated that the rules should apply only to trading in NMS securities because non-NMS stock trading--which is dispersed among broker-dealers--does not have a single point of failure and is therefore less susceptible to rapid, widespread issues that occur as a result of a high degree of linkage or inter-dependency.\172\ Another commenter stated that, with respect to non-NMS stocks (as well as municipal securities and corporate debt securities), the proposed five percent threshold was too low and would unnecessarily include ATSs for these product types that are ``not systemic to maintaining fair, orderly, and efficient markets'' and asked the Commission to further study the appropriate threshold for these ATSs.\173\ --------------------------------------------------------------------------- \171\ See, e.g., OTC Markets Letter at 7; SIFMA Letter at 7; TMC Letter at 1-3 (asserting that retail fixed-income ATSs should not be subject to Regulation SCI); and KCG Letter at 3, 10-11. \172\ See OTC Markets Letter at 7. \173\ See SIFMA Letter at 7. --------------------------------------------------------------------------- With regard to equity securities that are not NMS stocks and for which transactions are reported to a self-regulatory organization, the adopted thresholds remain unchanged from the SCI Proposal. Thus, for such securities, an ATS will be subject to the requirements of Regulation SCI if, during four of the preceding six calendar months, it had five percent or more of the average daily dollar volume as calculated by the self-regulatory organization to which such transactions are reported.\174\ The Commission continues to believe that this threshold will appropriately identify ATSs that play a significant role in the market for those securities and, thus, should be subject to the requirements of Regulation SCI. --------------------------------------------------------------------------- \174\ However, as noted above, an ATS meeting the definition of SCI ATS for the first time will be afforded a six-month compliance period. See supra notes 169-170 and accompanying text. --------------------------------------------------------------------------- Using data from the second quarter of 2014, an ATS executing transactions in non-NMS stocks at a level exceeding five percent of the average daily dollar volume traded in the United States would be executing trades at a level exceeding $45.2 million daily.\175\ Based on data collected from Form ATS-R for the second quarter of 2014, the Commission estimates that two ATSs would exceed this threshold and fall within the definition of SCI entity, accounting for approximately 99 percent of the dollar volume market share of all ATSs trading non-NMS stocks.\176\ These thresholds reflect an assessment by the Commission, based on qualitative and quantitative analysis, of the likely consequences of the specific quantitative thresholds included in the definition. From this analysis and in conjunction with considering the views of commenters, the Commission has derived what it believes to be an appropriate threshold to identify those ATSs that should be subject to the requirements of Regulation SCI. --------------------------------------------------------------------------- \175\ In the Proposing Release, the Commission used data from the first six months of 2012 to estimate that an ATS executing transactions in non-NMS stocks at a level exceeding five percent of the average daily volume traded in the United States would be executed trades at a level exceeding $31 million daily. See Proposing Release, supra note 13, at n.111 and accompanying text. The Commission has updated this estimate using over-the-counter reporting facility data available from FINRA. \176\ The Commission notes that the number of ATSs exceeding the adopted threshold, and the percentage of volume of trading in non- NMS stocks that they represent, may change over time in response to market and competitive forces. --------------------------------------------------------------------------- As discussed above, one commenter objected to the inclusion of ATSs trading non-NMS stocks within the scope of Regulation SCI.\177\ This commenter argued that non-NMS trading is not susceptible to the issues that Regulation SCI is designed to address because such trading is dispersed among broker-dealers and does not create the types of single points of failure that pose widespread systemic risk.\178\ First, as noted above, while the Commission is particularly concerned with systems issues that pose the greatest risk to our markets and have the potential to cause the most widespread effects and damage (such as those that are single points of failure), Regulation SCI is intended to address a broader set of risks of systems issues. Accordingly, the adopted threshold for non-NMS stock ATSs is designed to identify those ATSs that play a significant role in the market for such securities. Further, the Commission disagrees with the commenter's assertion that trading in non-NMS stocks cannot result in widespread disruptions.\179\ --------------------------------------------------------------------------- \177\ See supra note 172 and accompanying text. \178\ See id. \179\ See supra note 33 and accompanying text. --------------------------------------------------------------------------- While one commenter stated that the five percent threshold was too low, this commenter did not provide an alternative threshold but rather asked the Commission to further study this issue.\180\ As noted above, based on qualitative and quantitative analysis, the Commission believes the five percent threshold to be an appropriate measure to determine which ATSs are of sufficient significance in the current market for non-NMS stocks to warrant their inclusion within the scope of Regulation SCI. The Commission notes that it intends to monitor the level of this threshold, and other thresholds being adopted today, to ensure that they continue to be appropriate. --------------------------------------------------------------------------- \180\ See supra note 173. --------------------------------------------------------------------------- The Commission notes that adoption of a higher threshold for non- NMS stocks than for NMS stocks reflects the Commission's acknowledgement of certain differences between the two markets. In particular, as noted in the SCI Proposal, while the Commission believes that similar concerns about the trading of NMS stocks on ATSs apply to the trading of non-NMS stocks, the Commission also believes that certain characteristics of the market for non-NMS stocks, such as the lower degree of automation, electronic trading, and interconnectedness, generally result in an overall lower risk to the market in the event of a systems issue.\181\ In particular, the Commission believes that a systems issue at an SCI entity that trades non-NMS stocks would not be as likely to have as significant or widespread an impact as readily as a systems issue at an SCI entity that trades NMS stocks. Therefore, the Commission believes that there is less risk of market impact in the markets for those securities at this time. As such, the Commission has determined not to adopt the same, more stringent, thresholds that would trigger the requirements of Regulation SCI that the Commission is adopting for ATSs trading NMS stocks. The Commission also believes that imposition of a threshold that is set too low in markets that lack automation could have the unintended effects of discouraging automation in these markets and discouraging new entrants into these markets. Specifically, it could increase the cost of automation in relation to other methods of executing trades, and thus market participants might make a determination that the costs associated with becoming subject to Regulation SCI preclude a shift to automated trading or the development of a new automated trading system, particularly given the expected lower trading volume when beginning operations. Further, the Commission notes that it has traditionally provided special safeguards with regard to NMS stocks in its rulemaking efforts relating to market structure.\182\ For these reasons, the Commission believes that it is appropriate at this time to apply a different threshold to ATSs trading NMS stocks than those ATSs trading non-NMS stocks. --------------------------------------------------------------------------- \181\ See Proposing Release, supra note 13, at 18096. \182\ See, e.g., Regulation NMS, 17 CFR 242.600-612; Securities Exchange Act Release No. 51808 (June 9, 2005), 70 FR 27496 (June 29, 2005) (Regulation NMS Adopting Release). --------------------------------------------------------------------------- [[Page 72270]] ATSs Trading Fixed-Income Securities Several commenters specifically addressed the inclusion of municipal security and corporate debt security ATSs within the scope of Regulation SCI, stating that these ATSs should not be subject to Regulation SCI or that the proposed thresholds should be modified.\183\ These commenters identified differences in the nature of fixed-income trading as compared to the markets for NMS securities and concluded that the thresholds were inappropriate and would be detrimental to the market for these types of securities.\184\ In particular, commenters stated that inclusion of fixed-income ATSs and/or the adoption of the proposed thresholds would impose unduly high costs on these entities given their size, scope of operations, lack of automation, low speed, and resulting low potential to pose risk to systems.\185\ Further, one commenter noted that the cost of compliance for these types of entities would discourage the shift from manual fixed-income trading in the OTC markets to more transparent and efficient automated trading venues.\186\ --------------------------------------------------------------------------- \183\ See, e.g., SIFMA Letter at 7; TMC Letter at 1-3; and KCG Letter at 2-3, 10-11. \184\ See, e.g., SIFMA Letter at 7; TMC Letter at 1-3; and KCG Letter at 2-3, 10-11. \185\ See, e.g., SIFMA Letter at 7; TMC Letter at 1-3; and KCG Letter at 2-3, 10-11. \186\ See KCG Letter at 3, 10-11 (noting that the vast majority of fixed-income trades are done in the OTC markets and only a few ATSs for the fixed-income market have emerged in recent years). --------------------------------------------------------------------------- In addition, one commenter stated that if retail fixed-income ATSs are included in the final rule, a better measurement would be to look at par amount traded rather than volume.\187\ Finally, one commenter requested that the Commission clarify that ATSs relating to listed- options are not subject to the obligations of proposed Regulation SCI.\188\ --------------------------------------------------------------------------- \187\ See TMC Letter at 1-3. \188\ See LiquidPoint Letter at 2-3. --------------------------------------------------------------------------- While the adopted definition of SCI ATS remains unchanged from the proposal for NMS stocks and non-NMS stocks, the Commission, after considering the views of commenters, has determined to exclude ATSs that trade only municipal securities or corporate debt securities from the definition of SCI ATS at this time.\189\ Accordingly, such fixed- income ATSs will not be subject to the requirements of Regulation SCI. Rather, fixed-income ATSs will continue to be subject to the existing requirements in Rule 301(b)(6) of Regulation ATS regarding systems capacity, integrity and security if they meet the twenty percent threshold for municipal securities or corporate debt securities provided by that rule.\190\ The Commission believes that this change is warranted given the unique nature of the current fixed-income markets, as noted by several commenters. In particular, fixed-income markets currently rely much less on automation and electronic trading than markets that trade NMS stocks or non-NMS stocks.\191\ In addition, the municipal and corporate fixed-income markets tend to be less liquid than the equity markets, with slower execution times and less complex routing strategies.\192\ As such, the Commission believes that a systems issue at a fixed-income ATS would not have as significant or widespread an impact as in other markets. Thus, while ensuring the capacity, integrity and security of the systems of fixed-income ATSs is important, the benefits of lowering the threshold applicable to fixed- income ATSs from the current twenty percent threshold in Regulation ATS and subjecting such ATSs to the safeguards of Regulation SCI would not be as great as for ATSs that trade NMS stock or non-NMS stock. As commenters pointed out, the cost of the requirements of Regulation SCI could be significant for fixed-income ATSs relative to their size, scope of operations, and more limited potential for systems risk. The Commission is cognizant that lowering the current threshold applicable to fixed-income ATSs in Regulation ATS and subjecting such ATSs to the requirements of Regulation SCI could have the unintended effect of discouraging automation in these markets and discouraging the entry of new fixed-income ATSs into the market, which could impede the evolving transparency and efficiency of these markets and negatively impact liquidity in these markets. --------------------------------------------------------------------------- \189\ See supra notes 183-186. \190\ See 17 CFR 242.301(b)(6). \191\ See, e.g., supra notes 183-186 and accompanying text (discussing the unique nature of fixed-income trading). See also Tracy Alloway and Michael Mackenzie, ``Goldman Retreats from Bond Platform,'' Fin. Times, February 17, 2014 (noting that, despite efforts to make the market for bond trades more electronic, large bond trading continues to occur overwhelmingly by `voice-brokered' transactions); and Lisa Abramowicz, ``Humans Beat Machines as Electronic Trading Slows: Credit Markets,'' Bloomberg, February 19, 2014 (stating that a shift in corporate bond transactions to electronic systems is failing to keep up with total volume). \192\ See, e.g., TMC Bonds Letter at 1 (stating that fixed- income markets have significantly lower volumes and slower execution times than equity markets and have no meaningful connectivity between fixed-income ATS participants). --------------------------------------------------------------------------- For these reasons, the Commission believes that it is appropriate to continue to apply the requirements in Rule 301(b)(6) of Regulation ATS to fixed-income ATSs that meet the volume thresholds of that rule and to exclude ATSs that trade only municipal securities or corporate debt securities from the scope of Regulation SCI at this time. c. Plan Processor Under Proposed Rule 1000(a), the term ``plan processor'' had the meaning set forth in Rule 600(b)(55) of Regulation NMS, which defines ``plan processor'' as ``any self-regulatory organization or securities information processor acting as an exclusive processor in connection with the development, implementation and/or operation of any facility contemplated by an effective national market system plan.'' \193\ The Commission is adopting the definition of ``plan processor'' as proposed.\194\ --------------------------------------------------------------------------- \193\ See 17 CFR 242.600(b)(55). \194\ See proposed Rule 1000(a) and Proposing Release supra note 13, at Section III.B.1. --------------------------------------------------------------------------- The Commission received no comments on the proposed definition of ``plan processor.'' \195\ As noted in the SCI Proposal, the ARP Inspection Program included the systems of the plan processors of four national market system plans--the CTA Plan, CQS Plan, Nasdaq UTP Plan, and OPRA Plan.\196\ [[Page 72271]] Although an entity selected as the processor of an SCI Plan acts on behalf of a committee of SROs, such entity is not required to be an SRO, nor is it required to be owned or operated by an SRO.\197\ The Commission believes, however, that the systems of such entities, because they deal with key market data, are central features of the national market system \198\ and should be subject to the same systems standards as SCI SROs. The inclusion of plan processors in the definition of SCI entity is designed to ensure that the processor for an SCI Plan, regardless of its identity, is independently subject to the requirements of Regulation SCI. The Commission believes that it is important for such plan processors to be subject to the requirements of Regulation SCI because of the important role they serve in the national market system: Operating and maintaining computer and communications facilities for the receipt, processing, validating, and dissemination of quotation and/or last sale price information generated by the members of the plan. --------------------------------------------------------------------------- \195\ However, some commenters did support the overall scope of the term ``SCI entity'' or agreed specifically that plan processors should be included within the definition of that term. See, e.g., Lauer Letter at 3 (urging the Commission to expand the scope of entities covered) and KCG Letter at 5-6 (recommending that Regulation SCI be targeted to services offered by only one or a few entities, such as plan processors). In addition, one commenter, although commenting specifically on the definition of ``SCI system,'' stated that Regulation SCI should be tailored to focus only on systems impacting the core functions of the overall market, which should include the exclusive SIPs that transmit market data. See OTC Markets Letter at 12-13. \196\ See ARP I Release, supra note 1, at n. 8 and n. 17. Each of the CTA Plan, CQS Plan, Nasdaq UTP Plan, and OPRA Plan, is a ``national market system plan'' (``NMS Plan'') as defined under Rule 600(a)(43) of Regulation NMS under the Exchange Act, 17 CFR 242.600(a)(43). Rule 600(a)(55) of Regulation NMS under the Exchange Act, 17 CFR 242.600(a)(55), defines a ``plan processor'' as ``any self-regulatory organization or securities information processor acting as an exclusive processor in connection with the development, implementation and/or operation of any facility contemplated by an effective national market system plan.'' Section 3(a)(22)(B) of the Exchange Act, 15 U.S.C. 78c(22)(B), defines ``exclusive processor'' to mean ``any securities information processor or self-regulatory organization which, directly or indirectly, engages on an exclusive basis on behalf of any national securities exchange or registered securities association, or any national securities exchange or registered securities association which engages on an exclusive basis on its own behalf, in collecting, processing, or preparing for distribution or publication any information with respect to (i) transactions or quotations on or effected or made by means of any facility of such exchange or (ii) quotations distributed or published by means of any electronic system operated or controlled by such association.'' As a processor involved in collecting, processing, and preparing for distribution transaction and quotation information, the processor of each of the CTA Plan, CQS Plan, Nasdaq UTP Plan, and OPRA Plan meets the definition of ``exclusive processor;'' and because each acts as an exclusive processor in connection with an NMS Plan, each also meets the definition of ``plan processor'' under Rule 600(a)(55) of Regulation NMS, as well as Rule 1000(a) of Regulation SCI. For ease of reference, an NMS Plan having a current or future ``plan processor'' is referred to herein as an ``SCI Plan.'' The Commission notes that not every processor of an NMS Plan would be a ``plan processor'' under Rule 1000, and therefore not every processor of an NMS Plan would be an SCI entity subject to the requirements of Regulation SCI. For example, the processor of the Symbol Reservation System associated with the National Market System Plan for the Selection and Reservation of Securities Symbols (File No. 4-533) would not be a ``plan processor'' subject to Regulation SCI because it does not meet the ``exclusive processor'' statutory definition, as it is not involved in collecting, processing, and preparing for distribution transaction and quotation information. \197\ Pursuant to Section 11A of the Exchange Act (15 U.S.C. 78k-1), and Rule 609 of Regulation NMS thereunder (17 CFR 242.609), such entities, as ``exclusive processors,'' are required to register with the Commission as securities information processors on Form SIP. See 17 CFR 249.1001 (Form SIP, application for registration as a securities information processor or to amend such an application or registration). \198\ See Concept Release on Equity Market Structure, supra note 4, at 3594-95. --------------------------------------------------------------------------- Recent SIP incidents further highlighted the importance of plan processors to the U.S. securities markets and the necessity of including such processors within the scope of Regulation SCI.\199\ As evidenced by the incidents, the availability of consolidated market data is central to the functioning of the securities markets. The unavailability of a system, such as a plan processor, that is a single point of failure with no backups or alternatives can result in a significant impact on the entire national market system. Accordingly, the Commission believes that that it is essential to ensure that the automated systems of the entities responsible for the consolidation and processing of important market data, namely, plan processors, have adequate levels of capacity, integrity, resiliency, availability, and security.\200\ --------------------------------------------------------------------------- \199\ As noted above, a disruption of the Nasdaq SIP on August 22, 2013 resulted in a three hour halt in trading in all Nasdaq- listed securities because of the SIP's inability to process quotes. See supra note 32 and accompanying text. Also as noted above, on October 30, 2014, according to the NYSE, a network hardware failure impacted the Consolidated Tape System, Consolidated Quote System, and Options Price Reporting Authority data feeds at the primary data center, and SIAC switched over to the secondary data center for these data feeds. See id. \200\ Systems directly supporting functionality relating to the provision of consolidated market data are included within the definition of ``critical SCI systems,'' for which heightened obligations under Regulation SCI will apply. See adopted Rule 1000. See also supra Section IV.A.2.c (discussing the definition of ``critical SCI systems''). --------------------------------------------------------------------------- Further, pursuant to its terms, each SCI Plan is required to periodically review its selection of its processor, and may in the future select a different processor for the SCI Plan than its current processor.\201\ Thus, the definition of ``plan processor'' covers any entity selected as the processor for a current or future SCI Plan.\202\ --------------------------------------------------------------------------- \201\ See CTA Plan Section V(d) and CQS Plan Section V(d), available at: https://www.nyxdata.com/cta; OPRA Plan Section V, available at: https://www.opradata.com/pdf/opra_plan.pdf; and Nasdaq UTP Plan Section V, available at: https://www.utpplan.com. \202\ Currently, SIAC is the processor for the CTA Plan, CQS Plan, and OPRA Plan, and Nasdaq is the processor for the Nasdaq UTP Plan. SIAC is wholly owned by NYSE Euronext. Both SIAC and Nasdaq are registered with the Commission as securities information processors, as required by Section 11A(b)(1) of the Exchange Act, 15 U.S.C. 78k-1(b)(1), and in accordance with Rule 609 of Regulation NMS, 17 CFR 242.609. --------------------------------------------------------------------------- d. Exempt Clearing Agency Subject to ARP Proposed Rule 1000(a) defined the term ``exempt clearing agency subject to ARP'' to mean ``an entity that has received from the Commission an exemption from registration as a clearing agency under Section 17A of the Act, and whose exemption contains conditions that relate to the Commission's Automation Review Policies, or any Commission regulation that supersedes or replaces such policies.'' This definition is being adopted as proposed. As noted in the SCI Proposal, this definition of ``exempt clearing agency subject to ARP'' currently covers one entity, Omgeo Matching Services--US, LLC (``Omgeo'').\203\ In its comment letter, Omgeo stated that it believed its inclusion as an SCI entity was reasonable because clearing agencies that provide matching services, such as Omgeo, perform a critical role in the infrastructure of the U.S. financial markets in handling large amounts of highly confidential proprietary trade data.\204\ Omgeo requested, however, that the Commission clarify that other similarly situated clearing agencies would also be subject to the requirements of Regulation SCI, and further requested that the Commission expand the definition of SCI entity, as applied to clearing agencies, to include, without limitation, any entity providing either matching services or confirmation/affirmation services for depository eligible securities that settle in the United States, as contemplated by FINRA Rule 11860.\205\ --------------------------------------------------------------------------- \203\ On April 17, 2001, the Commission issued an order granting Omgeo an exemption from registration as a clearing agency subject to certain conditions and limitations in order that Omgeo might offer electronic trade confirmation and central matching services. See Global Joint Venture Matching Services--US, LLC; Order Granting Exemption from Registration as a Clearing Agency, Securities Exchange Act Release No. 44188 (April 17, 2001), 66 FR 20494 (April 23, 2001) (File No. 600-32) (``Omgeo Exemption Order''). Because the Commission granted it an exemption from clearing agency registration, Omgeo is not a self-regulatory organization. \204\ See Omgeo Letter at 2-3. \205\ See id. --------------------------------------------------------------------------- The Commission notes that the adopted definition of ``exempt clearing agency subject to ARP'' does provide that any entity that receives from the Commission an exemption from registration as a clearing agency under Section 17A of the Act, and whose exemption contains conditions that relate to the Automation Review Policies or any Commission regulation that supersedes or replaces the Commission's Automation Review Policies (such as Regulation SCI) would be included within the scope of Regulation SCI. Therefore, clearing agencies that are similarly situated as Omgeo (i.e., those that are subject to an exemption that contains the relevant conditions) will be subject to Regulation SCI.\206\ The Commission does not believe, therefore, that an expansion of the definition as suggested by Omgeo is necessary to further clarify that [[Page 72272]] similarly situated entities will be subject to the requirements of Regulation SCI. --------------------------------------------------------------------------- \206\ Any entity seeking an exemption from registration as a clearing agency is responsible for requesting and obtaining such an exemption from the Commission. --------------------------------------------------------------------------- Among the operational conditions required by the Commission in the Omgeo Exemption Order were several that directly related to the ARP policy statements.\207\ For the same reasons that it required Omgeo to abide by the conditions relating to the ARP policy statements set forth in the Omgeo Exemption Order, the Commission believes it is appropriate that Omgeo (or any similarly situated exempt clearing agency) should be subject to the requirements of Regulation SCI, and thus is including any ``exempt clearing agency subject to ARP'' within the definition of SCI entity. --------------------------------------------------------------------------- \207\ These conditions require Omgeo to, among other things: Provide the Commission with an audit report addressing all areas discussed in the Commission ARP policy statements; provide annual reports prepared by competent, independent audit personnel in accordance with the annual risk assessment of the areas set forth in the ARP policy statements; report all significant systems outages to the Commission; provide advance notice of any material changes made to its electronic trade confirmation and central matching services; and respond and require its service providers to respond to requests from the Commission for additional information relating to its electronic trade confirmation and central matching services, and provide access to the Commission to conduct inspections of its facilities, records and personnel related to such services. See supra note 203. --------------------------------------------------------------------------- 2. SCI Systems, Critical SCI Systems, and Indirect SCI Systems a. Overview Regulation SCI, as adopted, distinguishes three categories of systems of an SCI entity: ``SCI systems;'' ``critical SCI systems,'' and ``indirect SCI systems.'' The SCI Proposal broadly defined SCI systems to mean ``all computer, network, electronic, technical, automated, or similar systems of, or operated by or on behalf of, an SCI entity, whether in production, development, or testing, that directly support trading, clearance and settlement, order routing, market data, regulation, or surveillance.'' The SCI Proposal also defined the term SCI security systems (to which only the provisions of Regulation SCI relating to security and intrusions would apply) as: ``any systems that share network resources with SCI systems that, if breached, would be reasonably likely to pose a security threat to SCI systems.'' \208\ --------------------------------------------------------------------------- \208\ See proposed Rule 1000(a) and Proposing Release, supra note 13, at Section III.B.2. --------------------------------------------------------------------------- Many commenters stated that the proposed definitions of SCI systems and SCI security systems were too broad and urged the Commission to target systems that pose the greatest risk to the market if they malfunction.\209\ After careful consideration of the comments, and as discussed more fully below, the Commission agrees that certain types of systems included in the proposed definition of SCI systems may be appropriately excluded from the adopted definition. However, because U.S. securities market infrastructure is highly interconnected and seemingly minor systems problem at a single entity can spread rapidly across the national market system, the Commission does not believe it is appropriate to apply Regulation SCI only to the most critical SCI systems, as some commenters suggested. Instead, the adopted regulation applies to a broader set of systems than urged by some commenters, but a more targeted set of systems than proposed. In addition, the adopted approach recognizes that some systems pose greater risk than others to the maintenance of fair and orderly markets if they malfunction. To this end, adopted Regulation SCI identifies three broad categories of systems of SCI entities that are subject to the regulation: ``SCI systems,'' ``critical SCI systems,'' and ``indirect SCI systems,'' with each category subject to differing requirements under Regulation SCI. --------------------------------------------------------------------------- \209\ See, e.g., NYSE Letter at 10; Joint SROs Letter at 5; Omgeo Letter at 4; KCG Letter at 3; DTCC Letter at 4; FIF Letter at 3; Liquidnet Letter at 3; and OTC Markets Letter at 12-13. --------------------------------------------------------------------------- As discussed more fully below, the adopted definition of ``SCI systems'' includes those systems that directly support six areas that have traditionally been considered to be central to the functioning of the U.S. securities markets, namely trading, clearance and settlement, order routing, market data, market regulation, and market surveillance. SCI systems are subject to all provisions of Regulation SCI, except for certain requirements applicable only to critical SCI systems. In addition, the Commission is adopting a definition of ``critical SCI systems,'' a subset of SCI systems that are subject to certain heightened resilience and information dissemination provisions of Regulation SCI. Guided significantly by commenters' views on those systems that are most critical, the Commission is defining the term ``critical SCI systems'' as SCI systems that: (1) Directly support functionality relating to: (i) Clearance and settlement systems of clearing agencies; (ii) openings, reopenings, and closings on primary trading markets; (iii) trading halts; (iv) initial public offerings; (v) the provision of consolidated market data (i.e., SIPs); or (vi) exclusively-listed securities; or (2) provide functionality to the securities markets for which the availability of alternatives is significantly limited or nonexistent and without which there would be a material impact on fair and orderly markets.\210\ As more fully discussed below, systems in this category are those that, if they were to experience systems issues, the Commission believes would be most likely to have a widespread and significant impact on the securities markets. --------------------------------------------------------------------------- \210\ See Rule 1000. --------------------------------------------------------------------------- In addition, the Commission is adopting a definition of ``indirect SCI systems,'' in place of the proposed definition of ``SCI security systems.'' ``Indirect SCI systems'' are subject only to the provisions of Regulation SCI relating to security and intrusions. The term ``indirect SCI systems'' is defined to mean ``any systems of, or operated by or on behalf of, an SCI entity that, if breached, would be reasonably likely to pose a security threat to SCI systems'' and, if an SCI entity puts in place appropriate security measures, is intended to refer to few, if any, systems of the SCI entity. b. SCI Systems SCI Systems Generally Proposed Rule 1000(a) defined the term ``SCI systems'' to mean ``all computer, network, electronic, technical, automated, or similar systems of, or operated by or on behalf of, an SCI entity, whether in production, development, or testing, that directly support trading, clearance and settlement, order routing, market data, regulation, or surveillance.'' \211\ After careful consideration of the comments, the Commission is refining the scope of the systems covered by the definition of ``SCI systems.'' As adopted, the term ``SCI systems'' in Rule 1000 means ``all computer, network, electronic, technical, automated, or similar systems of, or operated by or on behalf of, an SCI entity that, with respect to securities, directly support trading, clearance and settlement, order routing, market data, market regulation, or market surveillance.'' --------------------------------------------------------------------------- \211\ See proposed Rule 1000(a) and Proposing Release, supra note 13, at Section III.B.2. --------------------------------------------------------------------------- One commenter generally supported the proposed definition of SCI systems, and stated that the definition should be expanded to include any technology system that has direct market access.\212\ In response to this comment, the Commission believes that many systems with direct market access are captured by the adopted definition. However, as [[Page 72273]] discussed above, the Commission has determined not to propose to expand the scope of Regulation SCI to include other broker-dealer entities and their systems at this time.\213\ --------------------------------------------------------------------------- \212\ See Lauer Letter at 5. \213\ See supra Section IV.A.1 (discussing scope of SCI entities covered by Regulation SCI) and infra Section IV.E (discussing comments on the inclusion of broker-dealers generally within the scope of Regulation SCI). --------------------------------------------------------------------------- Contrary to the commenter who urged expansion of the proposed definition, many commenters believed the term to be too broad and recommended that it be revised in various ways.\214\ These commenters argued that the definition was over-inclusive, with some believing that it could potentially apply to all systems of an SCI entity. --------------------------------------------------------------------------- \214\ See, e.g., NYSE Letter at 10-11; Omgeo Letter at 3-6; MSRB Letter at 7-9; FIF Letter at 3; ICI Letter at 4; BIDS Letter at 15- 16; ITG Letter at 5; Liquidnet Letter at 3; CME Letter at 5; DTCC Letter at 3-5; OCC Letter at 3-4; Joint SROs Letter at 5; FINRA Letter at 5-10; SIFMA Letter at 8; Oppenheimer Letter at 3; OTC Markets Letter at 12; and Direct Edge Letter at 2. --------------------------------------------------------------------------- Specifically, several commenters recommended that the definition of SCI systems be revised to include a more limited set of systems than proposed.\215\ Commenters advocating this general approach provided various suggestions for the specific standard that they believed should apply. For example, among commenters' recommendations were suggestions that the definition of SCI systems should include only those systems: whose failure or degradation would reasonably be expected to have an adverse material impact on the sound operation of financial markets; \216\ that are highly critical to functioning as an SCI entity; \217\ that have the potential to impact the protection of securities investors and the maintenance of fair and orderly markets; \218\ that directly support trading, clearance and settlement, order routing, market data, regulation, or surveillance in real-time; \219\ that support the SCI entity's ``core functions . . . which the SCI entity performs pursuant to applicable Commission regulations;'' \220\ that are reasonably likely to pose a plausible risk to the markets (namely, systems that route or execute orders, clear and settle trades, or transmit required market data); \221\ or that impact the core functions of the overall market, which, according to the commenter, would include exclusive SIPs that transmit market data and systems responsible for primary NMS auction markets that set daily opening and closing prices.\222\ In addition, one commenter suggested that the term should be defined as a production system that connects to and is part of the electronic network that comprises the market.\223\ This commenter also noted that the definition should distinguish between systems that connect to the markets and those that are used to run a business.\224\ Another commenter suggested that, if Regulation SCI were to apply only to exchanges and ATSs, the term should be limited to exchange and ATS systems operated by the entity and should not include, for example, brokerage systems.\225\ --------------------------------------------------------------------------- \215\ See, e.g., NYSE Letter at 10; Joint SROs Letter at 5; Omgeo Letter at 4; KCG Letter at 3; DTCC Letter at 4; FIF Letter at 3; Liquidnet Letter at 3; and OTC Markets Letter at 12-13. See infra text accompanying notes 216-225. \216\ See Omgeo Letter at 4. \217\ See KCG Letter at 3. See also ICI Letter at 3 and Oppenheimer Letter at 3 (stating generally that the proposed definitions should be revised to more specifically focus on system events that are truly disruptive to the markets and the systems themselves that are likely to pose a risk to the fair and orderly operation of the markets or participants in the markets). \218\ See CME Letter at 5. \219\ See Joint SROs Letter at 5. This group of commenters further stated that non-real-time systems should not be included, as they do not warrant the level of oversight and added costs that the regulation imposes. \220\ See DTCC Letter at 4. \221\ See NYSE Letter at 3, 10. In addition, this commenter added that the key to whether a proposed ``supporting'' function should be included is whether or not it is critical to the proper operation of a core functionality. \222\ See OTC Markets Letter at 13. \223\ See BIDS Letter at 15-16. Thus, this commenter argued that, for a venue that does not route orders, the reporting of trade executions to the tape should not be enough to qualify such a system as an ``SCI system.'' \224\ See id. \225\ See Liquidnet Letter at 3. --------------------------------------------------------------------------- The Commission is further focusing the scope of the definition of SCI systems in response to these comments.\226\ The Commission is replacing the proposed language referring to ``systems . . . whether in production, development, or testing that directly support trading, clearance and settlement, order routing, market data, regulation, or surveillance'' with the following language: ``systems, with respect to securities, that directly support trading, clearance and settlement, order routing, market data, market regulation, or market surveillance.'' As such, the adopted definition has been limited to apply to production systems that relate to securities market functions, and in particular to those six functions--trading, clearance and settlement, order routing, market data, market regulation, or market surveillance--that traditionally have been considered to be central to the functioning of the U.S. securities markets, as urged by several commenters.\227\ The Commission believes that systems providing these six functions may pose a significant risk to the maintenance of fair and orderly markets if their capacity, integrity, reliability, availability or security is compromised, and therefore that they should be covered by the definition of ``SCI systems.'' --------------------------------------------------------------------------- \226\ See supra notes 215-218, 220-222, and 224-225, and accompanying text. The definition is not limited strictly to real- time systems, however, or those that ``connect to'' and are ``part of the electronic network that comprises the market,'' because those limitations could exclude relevant systems, such as certain market regulation or market surveillance systems operated by or on behalf of an SCI entity, which the Commission views as integral to one or more of the six functions identified in the definition. In response to the commenter requesting that ``brokerage'' systems be excluded from the definition of SCI systems, the Commission notes that the adopted definition of SCI systems applies to systems that directly support the enumerated six functions, operated by or on behalf of an SCI entity. The definition therefore would exclude systems, including brokerage systems, that are not operated by or on behalf of an SCI entity. See, respectively, supra notes 219 and 223 and accompanying text. \227\ See supra notes 219-221 and accompanying text. --------------------------------------------------------------------------- Although some commenters pointed to the phrase ``directly support'' in the proposed rule as vague and overbroad,\228\ the Commission has retained this phrase in the adopted definition. The term ``directly support,'' is retained to acknowledge that systems of SCI entities are complex and highly interconnected and that the definition of SCI systems should not exclude functionality or supporting systems on which the six identified categories of systems rely to remain operational.\229\ In response to comment that the definition of SCI systems should distinguish between systems that connect to the markets and those that are used to run a business,\230\ the Commission notes that the adopted definition would not include systems ``used to run a business'' if they are not within the six identified categories of market-related production systems and not necessary to their continued functioning. Further, the adopted definition clarifies that SCI systems encompass only those systems that, with respect to securities, directly support trading, clearance and settlement, order routing, market data, market regulation, or market surveillance. The Commission believes [[Page 72274]] that this change appropriately responds to one commenter's concerns that the proposed definition would capture systems operated by an SCI entity that have ``practically no relevance or relation to SEC markets'' and suggested that the definition should be revised to include only those systems that would directly impact a market that was subject to the Commission's jurisdiction. \231\ As a result of this modification, if an SCI SRO does not use its systems to conduct business with respect to securities, its systems would not fall within the definition of ``SCI systems.'' Further, if an SCI entity operates systems for the trading of both futures and securities, only its trading systems for securities would be subject to the requirements of Regulation SCI.\232\ --------------------------------------------------------------------------- \228\ See OCC Letter at 3; and NYSE Letter at 10. \229\ The Commission notes that it believes that specifying that the definition applies to those systems that ``directly support'' these core functions is necessary so as to not result in a definition that is overly broad and would capture systems that only peripherally or indirectly support these functions. See generally supra notes 214-225 and accompanying text (discussing comments that urged revisions to the definition of SCI systems). See also infra Section IV.A.2.d (discussing the definition of ``indirect SCI systems''). \230\ See supra note 224 and accompanying text. \231\ See CME Letter at 5. \232\ However, the Commission notes that, if an SCI entity has systems that do not relate to securities, and that have not been properly walled off from its SCI systems for securities, they may be captured by the definition of ``indirect SCI systems'' (as discussed below) and subject to certain requirements of the rule including those relating to security and intrusions standards. See infra Section IV.A.2.d (discussing definition of ``indirect SCI systems''). --------------------------------------------------------------------------- In addition, one commenter urged that the Commission should initially limit the scope of SCI systems to those systems covered by the ARP Policy Statements (trading, clearance and settlement, and order routing) and phase in other types of systems later.\233\ The Commission believes that the adopted definition of SCI systems obviates the need for such an approach, as many systems for which the commenter urged a delay in compliance will not be covered by the regulation, as adopted. --------------------------------------------------------------------------- \233\ See MSRB Letter at 9. --------------------------------------------------------------------------- SCI Systems: Inclusions and Exclusions Various commenters objected to specific categories proposed to be included in the definition of SCI systems. First, many commenters opposed the proposed inclusion of development and testing systems in the definition, noting that issues in development and testing systems would have little or no impact on the operations of SCI entities and that such systems are designed to identify and address problems before they are introduced into production systems.\234\ Some commenters argued that inclusion of development and testing systems in the definition of SCI systems would subject such systems to more requirements under Regulation SCI than was necessary and noted that certain other provisions of Regulation SCI would necessarily include reporting information to the Commission on such systems, even without their inclusion in the definition of SCI systems.\235\ For example, one commenter stated that application of most provisions of Regulation SCI to testing and development systems would provide little benefit, and noted that updates regarding systems in development and material new features of existing systems could instead be done through the semi- annual reports to the Commission under proposed Rule 1000(b)(8).\236\ Similarly, one commenter noted that information regarding the status of systems that are in development and testing would be captured in the notices regarding material systems changes under proposed Rule 1000(b)(6) and in the updates under proposed Rule 1000(b)(8).\237\ Alternatively, this commenter suggested that the Commission could require that any testing errors be corrected (and such corrections be retested) prior to implementation of those changes in production.\238\ --------------------------------------------------------------------------- \234\ See NYSE Letter at 11; FINRA Letter at 10-11; Omgeo Letter at 5; DTCC Letter at 4; SIFMA Letter at 8; BIDS Letter at 16; MSRB Letter at 7-8; OCC Letter at 5; CME Letter at 6; Joint SROs Letter at 5; and Direct Edge Letter at 2. One commenter qualified this position by stating that, to the extent that a systems issue in a development and testing environment were to give rise to an issue affecting an SCI system, the proposal should apply to that development and testing environment. See OCC Letter at 5. \235\ See MSRB Letter at 7; and DTCC Letter at 4. \236\ See MSRB Letter at 7. \237\ See DTCC Letter at 4. \238\ See id. --------------------------------------------------------------------------- The Commission believes that certain modifications to the elements of the proposed definition of SCI systems are appropriate. First, in response to comments, the reference to development and testing systems in the proposed definition of SCI systems has been deleted.\239\ As commenters pointed out, development and testing systems are generally designed to identify and address problems before new systems or systems changes are introduced into production systems and, by their nature, can often experience issues, both intentional and unplanned, during the testing process. The Commission believes that systems issues that occur with respect to such systems are less likely to have a significant impact on the operations of an SCI entity or on the securities markets as a whole than issues occurring with respect to production systems. Further, subjecting these systems to the Commission notification requirements in adopted Rule 1002(b) could have the unintended effect of deterring SCI entities from fully utilizing the testing and development processes to test new systems and systems changes and develop solutions to issues prior to implementation of such systems or changes in production. At the same time, the Commission notes that, in order to have policies and procedures reasonably designed to achieve capacity, integrity, resiliency, availability, and security for SCI systems in accordance with adopted Rule 1001(a), an SCI entity will be required to have policies and procedures that include a program to review and keep current systems development and testing methodology for SCI systems.\240\ Accordingly, review of programs relating to systems development and testing for SCI systems is within the scope of Regulation SCI, and an SCI entity should reasonably expect Commission staff to review such processes and systems during the course of its exams and inspections. In addition, the Commission notes that the definition of SCI review in adopted Rule 1000 and corresponding requirements for an annual SCI review in adopted Rule 1003(b) require an assessment of internal control design and effectiveness, which includes development processes.\241\ Further, if development and testing systems are not appropriately walled off from production systems, such systems could be captured under the definition of indirect SCI systems as discussed below and be subject to the requirements of Regulation SCI. If an SCI entity's development and testing systems are not walled off from production systems, the SCI entity should consider whether its policies and procedures should specify safeguards to ensure that its personnel can clearly distinguish the development and testing systems from the production systems, in order to avoid inadvertent errors that may result in an SCI event. --------------------------------------------------------------------------- \239\ Because the Commission is removing development and testing systems from the definition of SCI systems, the reference to production systems in the definition of SCI systems is also being deleted as it is unnecessary to distinguish between development, testing and production systems within the definition. See adopted Rule 1000 (definition of ``SCI systems''). \240\ See adopted Rule 1001(a) and discussion in infra Section IV.B.1 (discussing the policies and procedures requirement under adopted Rule 1001(a)). \241\ See adopted Rule 1000 and 1003(b) and discussion in infra Section IV.B.5 (discussing the SCI review requirement). The Commission also notes that development processes include testing processes. --------------------------------------------------------------------------- Some commenters also opposed the proposed inclusion of regulatory and surveillance systems within the definition of SCI systems or suggested that the Commission refine or clarify the scope of such systems.\242\ Some of these [[Page 72275]] commenters argued that inclusion of such systems was not necessary because these systems do not operate on a real-time basis or have a real-time impact on trading.\243\ Further, one commenter suggested that periodic reporting of material outages or delays in the operation of regulatory and surveillance systems, pursuant to appropriate policies and procedures, would support the goals of Regulation SCI without imposing undue burdens on SCI entities or raising the risk that market participants would purposefully direct order flow to SCI entities experiencing regulatory or surveillance systems issues.\244\ Another commenter advocated for replacing the terms ``regulation'' and ``surveillance'' with ``market regulation'' and ``market surveillance,'' respectively, and asked the Commission to clarify the difference between ``regulatory'' and ``surveillance'' systems.\245\ --------------------------------------------------------------------------- \242\ See NYSE Letter at 11; BATS Letter at 5; MSRB Letter at 8- 9; and FINRA Letter at 7-8. \243\ See NYSE Letter at 11; and Joint SROs Letter at 5. \244\ See NYSE Letter at 11 (citing concerns regarding the potential that dissemination of information regarding issues with regulatory or surveillance systems to members or participants could provide a ``roadmap for violative market behavior''). \245\ See FINRA Letter at 7-8. --------------------------------------------------------------------------- In consideration of these comments, the Commission has determined to limit SCI systems to those systems relating to market regulation and market surveillance rather than including all regulation and surveillance systems. As proposed, the definition contained no such limitations and could potentially be interpreted to cover systems used for member regulation and member surveillance. The Commission does not believe that inclusion of member regulation or member surveillance systems such as those, for example, relating to member registration, capital requirements, or dispute resolution, would advance the goals of Regulation SCI. Issues relating to such systems are unlikely to have the same level of impact on the maintenance of fair and orderly markets or an SCI entity's operational capability as those systems identified in the definition of SCI systems. The Commission believes that this change will more appropriately capture only those regulatory and surveillance systems that are related to core market functions, such as trading, clearance and settlement, order routing, and market data.\246\ Another element of the proposed definition of ``SCI systems'' that some commenters addressed was the inclusion of market data systems. Specifically, one commenter believed that the inclusion of all market data systems was too broad, and argued that only ``systems that directly support `the transmission of market data as required by the Exchange Act''' should be included, thus limiting the types of market data systems to those relating to consolidated data and excluding those that transmit proprietary market data.\247\ Although the term ``market data'' is not defined in Regulation SCI, that term generally refers to price information for securities, both pre-trade and post-trade, such as quotations and transaction reports.\248\ In response to the commenter urging that only market data systems relating to consolidated data be included, the term ``market data'' does not refer exclusively to consolidated market data, but includes proprietary market data generated by SCI entities as well. The Commission notes that both consolidated and proprietary market data systems are widely used and relied upon by a broad array of market participants, including institutional investors, to make trading decisions, and that if a consolidated or a proprietary market data feed became unavailable or otherwise unreliable, it could have a significant impact on the trading of the securities to which it pertains, and could interfere with the maintenance of fair and orderly markets. Therefore, systems of an SCI entity directly supporting proprietary market data or consolidated market data are both within the scope of the definition of SCI systems and subject to Regulation SCI. However, the Commission has repeatedly emphasized the importance of consolidated market data to the national market system and the protection of investors \249\ and the severe impact of its unavailability was evidenced by the SIP outage in August 2013.\250\ Thus, as discussed below, systems directly supporting functionality related to the provision of consolidated market data are distinguished by their inclusion in the definition of ``critical SCI systems.'' \251\ --------------------------------------------------------------------------- \246\ The Commission notes that Rule 613 of Regulation NMS requires the creation of an NMS plan to govern the creation, implementation, and maintenance of a consolidated audit trail and central repository. See 17 CFR 242.613. See also Securities Exchange Act Release No. 67457 (July 18, 2012), 77 FR 45722 (August 1, 2012) (``Consolidated Audit Trail Adopting Release''). Although the consolidated audit trail central repository has not yet been created, the Commission believes that the consolidated audit trail repository will be a market regulation system that falls within the definition of SCI systems, and further that it will be an SCI system of each SCI SRO that is a member of an approved NMS plan under Rule 613, because it will be a facility of each SCI SRO that is a member of such plan. See Consolidated Audit Trail Adopting Release, 77 FR at 45774 (stating, ``[T]he central repository will be jointly owned by, and be a facility of, each SRO that is a sponsor of the NMS plan.''). See also SCI Proposing Release, supra note 13, at 18099 (contemplating inclusion of the consolidated audit trail central repository as an SCI system). \247\ See NYSE Letter at 10-11. \248\ See Exchange Act Section 11A (15 U.S.C. 78K- 1(a)(1)(C)(iii)), granting the Commission authority to assure the availability to brokers, dealers, and investors of ``information with respect to quotations for and transactions in securities''). See also Regulation of Market Information Fees and Revenues, Securities Exchange Act Release No. 42208, 64 FR 70613 (December 17, 1999) (describing ``market information'' as information concerning quotations for and transactions in equity securities and options that are actively traded in the U.S. markets). \249\ See, e.g., Concept Release on Equity Market Structure, supra note 198; and Regulation NMS Adopting Release, supra note 182, at 37503-04. \250\ See supra note 32 and accompanying text. \251\ See infra Section IV.A.2.c (discussing definition of ``critical SCI systems''). --------------------------------------------------------------------------- Further, one commenter questioned whether the phrase ``market data systems'' was intended to be limited to data-driven systems devoted to price transparency or whether the Commission also intended to include document-based systems devoted to public disclosure.\252\ In response to this comment, the Commission notes that systems providing or directly supporting price transparency are within the scope of SCI systems.\253\ However, systems solely providing or directly supporting other types of data, such as systems used by market participants to submit disclosure documents, or systems used by SCI entities to make disclosure documents publicly available, are not within the scope of SCI systems, so long as they do not also directly support price transparency. --------------------------------------------------------------------------- \252\ See MSRB Letter at 8-9 (citing its EMMA Primary Market Disclosure Service and EMMA Continuing Disclosure Service system as an example of a document-based system devoted to public disclosure). \253\ With regard to this particular comment, the Commission notes that the specific systems referenced--the RTRS, EMMA Primary Market Disclosure Service, EMMA Continuing Disclosure Service and SHORT System--all include pricing information for securities, and thus would fall within the definition of ``SCI systems.'' --------------------------------------------------------------------------- Several commenters also argued that the term SCI systems should not include systems operated on behalf of an SCI entity by a third party.\254\ Some of these commenters pointed to potential difficulties with meeting the requirements of Regulation SCI with regard to third party systems.\255\ One [[Page 72276]] commenter specifically suggested that the proposal should be limited to those systems under the control of the SCI entity.\256\ Another commenter noted that the SCI entity should instead be responsible for managing these relationships through due diligence, contract terms, and monitoring of third party performance.\257\ One commenter also requested that the Commission clarify how SCI entities should comply with the oversight of vendor systems as part of Regulation SCI.\258\ --------------------------------------------------------------------------- \254\ See Omgeo Letter at 5-6; DTCC Letter at 4; SIFMA Letter at 8-9; BIDS Letter at 16; and BATS Letter at 4. See also ITG Letter at 5 (expressing concern about the inclusion of systems of third parties operated on behalf of an SCI entity and systems that are unrelated to the trading operations of an ATS). \255\ See, e.g., Omgeo Letter at 5-6; and BATS Letter at 4 (arguing that it would be difficult for SCI entities to ensure compliance by third party vendors absent their willingness to disclose to SCI entities highly detailed information about their intellectual property and proprietary systems). \256\ See SIFMA Letter at 9. \257\ See BIDS Letter at 16. \258\ See FIF Letter at 3. --------------------------------------------------------------------------- Although several commenters argued that the term SCI systems should not include third-party systems, the Commission continues to believe that, if a system is operated on behalf of an SCI entity and directly supports one of the six key functions listed within the definition of SCI system, it should be included as an SCI system subject to the requirements of Regulation SCI. The Commission believes that any system that directly supports one of the six functions enumerated in the definition of SCI system is important to the functioning of the U.S. securities markets, regardless of whether it is operated by the SCI entity directly or by a third party. The Commission believes that permitting such systems to be excluded from the requirements of Regulation SCI would significantly reduce the effectiveness of the regulation in promoting the national market system by ensuring the capacity, integrity, resiliency, availability, and security of those systems important to the functioning of the U.S. securities markets. Further, if the definition did not include systems operated on behalf of an SCI entity, the Commission is concerned that some SCI entities might be inclined to outsource certain of their systems solely to avoid the requirements of Regulation SCI, which would further undermine the goals of Regulation SCI. The Commission agrees with the comment that an SCI entity should be responsible for managing its relationship with third parties operating systems on behalf of the SCI entity through due diligence, contract terms, and monitoring of third party performance. However, the Commission believes that these methods may not be sufficient in all cases to ensure that the requirements of Regulation SCI are met for SCI systems operated by third parties. The fact that they might be sufficient some of the time is therefore not a basis for excluding these systems from the definition of SCI systems. Instead, if an SCI entity determines to utilize a third party for an applicable system, it is responsible for having in place processes and requirements to ensure that it is able to satisfy the requirements of Regulation SCI for systems operated on behalf of the SCI entity by a third party. The Commission believes that it would be appropriate for an SCI entity to evaluate the challenges associated with oversight of third-party vendors that provide or support its applicable systems subject to Regulation SCI. If an SCI entity is uncertain of its ability to manage a third-party relationship (whether through due diligence, contract terms, monitoring, or other methods) to satisfy the requirements of Regulation SCI,\259\ then it would need to reassess its decision to outsource the applicable system to such third party.\260\ For example, if a third-party vendor is unwilling to disclose to an SCI entity information regarding the vendor's intellectual property or proprietary system that the SCI entity believes it needs to satisfy the requirements of Regulation SCI, as some commenters suggested might be the case, an SCI entity will need to reassess its relationship with that vendor, because the vendor's unwillingness to provide necessary information or other assurances would not exclude the outsourced system from the definition of SCI systems. Accordingly, the definition of SCI system, as adopted in Rule 1000, retains the reference to systems operated ``on behalf of'' SCI entities. --------------------------------------------------------------------------- \259\ See BIDS Letter at 16 (suggesting these methods of managing third-party relationships to comply with the proposed rule). \260\ See FIF Letter at 3 and FINRA Letter at 22-23 (requesting Commission guidance on how an SCI entity should manage third-party relationships in the context of adopted Regulation SCI). See also infra notes 851-852 and accompanying text (discussing comments on the risk of noncompliance by an SCI entity in connection with reporting SCI events and material systems changes due to challenges posed by third-party systems). --------------------------------------------------------------------------- Finally, some commenters asked for clarification on miscellaneous aspects of the definition. For example, one commenter requested that the Commission clarify that the definition of SCI system for purposes of Regulation SCI is separate and distinct from the definition of a facility set forth in Section 3(a)(2) of the Exchange Act.\261\ The Commission notes that the term ``SCI system'' under Regulation SCI is distinct from the term ``facility'' in Section 3(a)(2) of the Exchange Act.\262\ Because a facility of an exchange would only fall within the definition of ``SCI systems'' if it is a system that directly supports any one of the six functions provided in the definition of ``SCI systems,'' not all systems that are facilities of an exchange will be SCI systems. For example, as noted in the SCI Proposal, the definition of SCI systems would apply to systems of exchange-affiliated routing brokers that are facilities of national securities exchanges.\263\ But a system used for member regulation that may meet the definition of a facility under the Exchange Act, would not be within the scope of the definition of ``SCI systems.'' --------------------------------------------------------------------------- \261\ See NYSE Letter at 10. \262\ See 15 U.S.C. 78c3(a)(2). \263\ See Proposing Release, supra note 13, at 18099. --------------------------------------------------------------------------- Another commenter requested confirmation that internal systems are excluded from the definition of SCI system.\264\ The Commission notes that the definition of ``SCI system'' does not differentiate between ``internal systems'' and those systems accessed by market participants or other outside parties.\265\ The Commission notes that, while some internal systems of an SCI entity may not meet the definition of SCI system, it does not believe that that all internal systems (as described by this commenter) would be outside of the scope of the definition of SCI system.\266\ --------------------------------------------------------------------------- \264\ See FINRA Letter at 10. \265\ See adopted Rule 1000 (definition of SCI systems). \266\ In addition, the Commission notes that, while certain internal systems may not be ``SCI systems,'' they may instead meet the definition of ``indirect SCI systems'' under adopted Rule 1000, if they are not properly walled off from SCI systems. However, as discussed below, the Commission is clarifying the meaning of this defined term to note that systems that are effectively physically or logically separated from SCI systems would be outside of the definition of indirect SCI systems and thus outside of the scope of Regulation SCI. See infra Section IV.A.2.d (discussing the definition of ``indirect SCI systems''). --------------------------------------------------------------------------- Other commenters advocated that SCI entities should be permitted to conduct their own risk-based assessment to determine which of their systems should be considered SCI systems.\267\ One commenter noted that SCI entities should be required to develop and maintain an established methodology for identifying which systems qualify as SCI systems,\268\ while other commenters advocated for coordination with the Commission in establishing criteria to be used in conducting such risk-based assessments or review by the Commission of an SCI entity's own risk- based assessment.\269\ The Commission has carefully considered these comments and generally agrees that [[Page 72277]] certain systems pose greater risk to the markets in the event of a systems issue and are of paramount importance to the functioning of the U.S. securities markets. Rather than include only those in the definition of SCI systems, the Commission believes that it is more prudent to instead identify these systems as ``critical SCI systems'' subject to certain heightened obligations. Further, adopted Rule 1001(a) requiring SCI entities to have policies and procedures reasonably designed to ensure that their systems have adequate levels of capacity, integrity, resiliency, availability, and security is consistent with a risk-based approach.\270\ Specifically, as discussed in further detail below, an SCI entity may tailor its policies and procedures based on the relative criticality of a given SCI system to the SCI entity and to the securities markets generally.\271\ --------------------------------------------------------------------------- \267\ See DTCC Letter at 3-5; Omgeo Letter at 5-6; and OCC Letter at 3-4. \268\ See Omgeo Letter at 5. \269\ See OCC Letter at 3-4; and DTCC Letter at 3-4. \270\ See adopted Rule 1001(a). See also infra Section IV.B.1 (discussing policies and procedures for operational capability). \271\ See infra Section IV.B.1.a-b (discussing the use of risk- based considerations to tailor policies and procedures for operational capability). --------------------------------------------------------------------------- c. Critical SCI Systems As discussed above, in response to comments, the Commission is incorporating a risk-based approach in certain aspects of Regulation SCI.\272\ To that end, the Commission is adopting a definition of ``critical SCI systems'' to designate SCI systems that the Commission believes should be subject to the highest level of requirements. As a subset of ``SCI systems,'' ``critical SCI systems'' are subject to the same provisions as ``SCI systems,'' except that critical SCI systems are subject to certain heightened resilience and information dissemination provisions of Regulation SCI. In these respects, critical SCI systems are subject to an increased level of obligation as compared to other SCI systems.\273\ --------------------------------------------------------------------------- \272\ See supra notes 53-56 and accompanying text (discussing comments on a risk-based approach). \273\ See infra Sections IV.B.1.b and IV.B.3.d (discussing the two-hour resumption goal for ``critical SCI systems'' and information dissemination requirement for ``major SCI events,'' respectively). --------------------------------------------------------------------------- Rule 1000 defines ``critical SCI systems'' as ``any SCI systems of, or operated by or on behalf of, an SCI entity that: (1) Directly support functionality relating to: (i) Clearance and settlement systems of clearing agencies; \274\ (ii) openings, reopenings, and closings on the primary listing market; (iii) trading halts; (iv) initial public offerings; (v) the provision of consolidated market data; or (vi) exclusively-listed securities; or (2) provide functionality to the securities markets for which the availability of alternatives is significantly limited or nonexistent and without which there would be a material impact on fair and orderly markets.'' --------------------------------------------------------------------------- \274\ ``Clearance and settlement systems of clearing agencies'' includes systems of registered clearing agencies and exempt clearing agencies subject to ARP. See Rule 1000 (definition of ``exempt clearing agency subject to ARP,'' which by its terms would also include an entity that has received from the Commission an exemption from registration as a clearing agency under Section 17A of the Act, and whose exemption contains conditions that relate to ARP, or any Commission regulation that supersedes or replaces such policies, including Regulation SCI). --------------------------------------------------------------------------- As noted above, many commenters advocated for a risk-based approach to Regulation SCI and either suggested that only the entities or systems that pose the greatest risk to the markets should be within the scope of the regulation or, alternatively, that the requirements of Regulation SCI be tailored to the specific risk-profile of a particular entity or particular system.\275\ While the Commission disagrees with commenters who suggested that Regulation SCI should apply only to ``critical systems,'' as it believes that these are not the only systems that could pose a significant risk to the securities markets, the Commission believes that it is appropriate to hold systems that pose the greatest risk to the markets if they malfunction to higher standards and more stringent requirements under Regulation SCI. Recent events have also demonstrated the importance of certain critical systems functionality, including those that represent ``single points of failure'' to the securities markets, and the need for more robust market infrastructure, particularly with regard to critical market systems.\276\ --------------------------------------------------------------------------- \275\ See supra notes 53-56 and 216-222 and accompanying text (discussing comments on a risk-based approach and limiting SCI systems to only core or critical systems). \276\ See supra Section II.B (describing recent events involving systems-related issues). In particular, the Nasdaq SIP incident, which caused a disruption in the dissemination of consolidated market data in the equity markets and led to a trading halt in all Nasdaq-listed stocks for several hours, confirmed that disruptions in systems that represent single points of failure can have a major and detrimental impact across an entire national market system. --------------------------------------------------------------------------- The Commission believes that the adoption of the definition of ``critical SCI systems'' and heightened requirements for such systems recognizes that some systems are critical to the continuous and orderly functioning of the securities markets more broadly and, as such, ensuring their capacity, integrity, resiliency, availability, and security is of the utmost importance. Therefore, as discussed further below, the Commission believes that it is appropriate for such critical SCI systems to be held to heightened requirements (as compared to those for SCI systems) related to capacity, integrity, resiliency, availability, and security generally; rapid recovery following wide- scale disruptions; and disclosure of SCI events. The Commission believes that the definition of critical SCI systems is appropriately designed to identify those SCI systems whose functions are critical to the operation of the markets, including those systems that represent potential single points of failure in the securities markets. Systems in this category are those that, if they were to experience systems issues, the Commission believes would be most likely to have a widespread and significant impact on the securities markets. The first prong of the definition identifies six specific categories of systems that the Commission believes are the most critical to the securities markets, and the most likely to have widespread and significant market impact should a systems issue occur. These are: clearance and settlement systems of clearing agencies; openings, reopenings, and closings on the primary listing market; trading halts; initial public offerings; the provision of consolidated market data (i.e., SIPs); and exclusively-listed securities. In the context of suggesting the adoption of a risk-based approach for Regulation SCI, some commenters identified those functions that they believed were most critical to the functioning of the markets. Among those identified were clearance and settlement, opening and closing auctions, IPO auctions, the provision of consolidated market data by the SIPs; and trading of exclusively-listed securities.\277\ The Commission agrees with commenters who characterized these categories of systems as critical. In addition, as discussed below, the Commission believes that systems that directly support functionality relating to [[Page 72278]] trading halts should be included in the definition of critical SCI systems. --------------------------------------------------------------------------- \277\ See, e.g., Direct Edge Letter at 2 (citing, among others, SIPs and clearance and settlement systems as essential to continuous market-wide operation); KCG Letter at 2-3 (identifying opening and closing auctions, IPO auctions, trading of exclusively-listed options, market data consolidators, and settlement and central clearing as ``single points of failure'' that should be subject to heightened regulatory requirements); and SIFMA Letter at 4 (stating that highly critical functions should include primary listing exchanges, trading exclusively listed securities, SIPs, clearance and settlement, distribution of unique post-trade transparency information, and real-time market surveillance). Although these commenters were urging that Regulation SCI apply only to these critical systems, as explained above, the Commission believes that such an approach would be too limited. --------------------------------------------------------------------------- With respect to ``clearance and settlement systems of clearing agencies,'' the clearance and settlement of securities is fundamental to securities market activity.\278\ Clearing agencies perform a variety of services that help ensure that trades settle on time and at the agreed upon terms. For example, clearing agencies compare transaction information (or report to members the results of exchange comparison operations), calculate settlement obligations (including net settlement), collect margin (such as initial and variation margin), and serve as a depository to hold securities as certificates or in dematerialized form to facilitate automated settlement. Because of their role, clearing agencies are critical central points in the financial system. A significant portion of securities activity flows through one or more clearing agencies. Clearing agencies have direct links to participants and indirect links to the customers of participants. Clearing agencies are also linked to each other through common participants and, in some cases, by operational processes. Safe and reliable clearing agencies are essential not only to the stability of the securities markets they serve but often also to payment systems, which may be used by a clearing agency or may themselves use a clearing agency to transfer collateral.\279\ The safety of securities settlement arrangements and post-trade custody arrangements is also critical to the goal of protecting the assets of investors from claims by creditors of intermediaries and other entities that perform various functions in the operation of the clearing agency.\280\ Investors are more likely to participate in markets when they have confidence in the safety and reliability of clearing agencies as well as settlement systems.\281\ Accordingly, the Commission believes ``clearance and settlement systems of clearing agencies'' are appropriate for inclusion in the definition of critical SCI systems.\282\ --------------------------------------------------------------------------- \278\ See Clearing Agency Standards Release, supra note 76, at 66220, 66264. \279\ See Clearing Agency Standards Release, supra note 76, at 66264. \280\ See id. \281\ See id. \282\ The Commission notes that systems of SCI entities other than clearing agencies that are used in connection with the clearance and settlement of trades are not captured by the definition of ``critical SCI systems,'' but rather would fall within the definition of ``SCI systems,'' as discussed above. See supra Section IV.2. The Commission believes that such systems of other SCI entities, such as SROs and ATSs, do not provide the same critical functions or pose the same level of risk to the market as the clearance and settlement systems of clearing agencies as discussed above. --------------------------------------------------------------------------- Similarly, reliable openings, reopenings, and closings on primary listing markets are key to the establishment and maintenance of fair and orderly markets. NYSE and Nasdaq, for example, each have an opening cross for their listed securities that solicits trading interest and generates a single auction price that attracts widespread participation and is relied upon as a benchmark by other markets and market participants.\283\ Similar processes are used, and heavy levels of participation typically are generated, at the primary listing markets in the reopening cross that follows a trading halt.\284\ Closing auctions at the primary listing markets also attract widespread participation, and the closing prices they establish are commonly used as benchmarks, such as to value derivative contracts and generate mutual fund net asset values. As such, during these critical trading periods, market participants rely on the processes of the primary listing markets to effect transactions, and establish benchmark prices that are used in a wide variety of contexts so that the unavailability or disruption of systems directly supporting the opening, reopening and closing processes on the primary listing markets could have widespread detrimental effects.\285\ --------------------------------------------------------------------------- \283\ See Nasdaq Rule 4752 (Opening Process) and NYSE Rules 115A (Orders at the Opening) and 123D (Openings and Halts in Trading). \284\ See, e.g., Nasdaq Rule 4753 (Nasdaq Halt and Imbalance Crosses) and NYSE Rules 115A (Orders at the Opening) and 123D (Openings and Halts in Trading). \285\ For example, press reports indicated that the decision to close the New York Stock Exchange in the wake of Superstorm Sandy, and the resulting lack of availability of the NYSE opening and closing prices, was a significant contributing cause of the unscheduled closure of the U.S. national securities exchanges. See, e.g., Jenny Strasburg, Jonathan Cheng, and Jacob Bunge, ``Behind Decision to Close Markets,'' Wall St. J., October 29, 2012. See also Proposing Release, supra note 13, at 18091 (discussing the effects of Superstorm Sandy on the securities markets). While other exchanges outside of the path of Superstorm Sandy did not experience the same risks to their electronic trading systems as the NYSE and could have otherwise opened for business, the risk that opening and closing prices might not be set by NYSE for its listed securities contributed to the consensus recommendation of market participants that the markets remain closed. See Jenny Strasburg, Jonathan Cheng, and Jacob Bunge, ``Behind Decision to Close Markets,'' Wall St. J., October 29, 2012. --------------------------------------------------------------------------- In addition, the Commission believes that systems directly supporting functionality relating to trading halts \286\ are essential to the orderly functioning of the securities markets, and therefore should be included in the definition of critical SCI systems. In the event a trading halt is necessary, it is essential that the systems responsible for communicating the trading halt--typically maintained by the primary listing market--are robust and reliable so that the trading halt is effective across the U.S. securities markets. For example, when there is material ``news pending'' with respect to an issuer, it is the responsibility of the primary listing market to call a regulatory halt by generating a halt message which, when received by other trading centers, requires them to cease trading the security.\287\ Similar responsibilities are placed on the primary listing market with respect to calling trading halts under the National Market System Plan to Address Extraordinary Market Volatility, as well as on plan processors to disseminate this information to the public.\288\ Thus, systems which communicate information regarding trading halts provide an essential service in the U.S. markets and, should a systems issue occur affecting the ability of an SCI entity to provide such notifications, the fair and orderly functioning of the securities markets may be significantly impacted. --------------------------------------------------------------------------- \286\ For purposes of clarity, the Commission notes that the term ``trading halts'' as used in this context is intended to capture market-wide halts, such as regulatory halts, rather than a halt to trading for securities on a particular market (for example, caused by a systems issue specific to that market). \287\ See, e.g., CTA Plan Section IX(a), available at: https://www.nyxdata.com/cta; National Market System Plan To Address Extraordinary Market Volatility, Section VII (``Limit Up/Limit Down Plan''); NYSE Arca Rule 7.12, BATS Rule 11.18, and EDGA Rule 11.14. See also Securities Exchange Act Release No. 67091 (May 31, 2012), 77 FR 33498 (June 6, 2012) (File No. 4-631) (Order Approving, on a Pilot Basis, the National Market System Plan To Address Extraordinary Market Volatility) (``Limit Up/Limit Down Plan Approval Order''). \288\ See Limit Up/Limit Down Plan, supra note 287 and Limit Up/ Limit Down Plan Approval Order, supra note 287. --------------------------------------------------------------------------- Companies offer shares of capital stock to the general public for the first time through the IPO process, in which the primary listing market initiates public trading in a company's shares. The IPO is conducted exclusively on that exchange, and secondary market trading cannot commence on any other exchange until the opening trade is printed on the primary listing market.\289\ As such, the Commission believes that an exchange's systems that directly support the IPO process and the initiation of secondary market trading are a critical element of the capital formation process and the effective functioning of the securities markets. The Commission believes that these [[Page 72279]] systems, which are the sole responsibility of the primary listing market, can adversely affect not only the IPO of a particular issuer, but may also result in significant monetary losses and harm to investors if they fail.\290\ As noted in the SCI Proposal, systems issues affecting the two recent high-profile IPOs highlighted how disruptions in IPO systems can have a significant impact on the market.\291\ --------------------------------------------------------------------------- \289\ See Rule 12f-2 under the Exchange Act, 17 CFR 240.12f-2 (providing that a national securities exchange may extend unlisted trading privileges to a security when at least one transaction in the security has been effected on the national securities exchange upon which the security is listed and the transaction has been reported pursuant to an effective transaction reporting plan). \290\ See, e.g., supra note 36 (discussing the losses associated with Nasdaq's Facebook IPO). \291\ Specifically, in March 2012, BATS announced that a ``software bug'' caused BATS to shut down the IPO of its own stock, and in May 2012, issues with Nasdaq's trading systems delayed the start of trading in the IPO of Facebook, Inc. and some market participants experienced delays in notifications of whether orders had been filled. See Proposing Release, supra note 13, at 18089; and Securities Exchange Act Release No. 69655, In the Matter of The NASDAQ Stock Market, LLC and NASDAQ Execution Services, LLC (settled action: May 29, 2013), available at: https://www.sec.gov/litigation/admin/2013/34-69655.pdf. Nasdaq and Nasdaq Execution Services, LLC consented to an Order Instituting Administrative and Cease-and- Desist Proceedings Pursuant to Sections 19(h)(1) and 21C of the Securities Exchange Act of 1934, Making Findings, and Imposing Sanctions and a Cease-and-Desist Order. --------------------------------------------------------------------------- Systems directly supporting the provision of consolidated market data are also critical to the functioning of U.S. securities markets and represent potential single points of failure in the delivery of important market information. When Congress mandated a national market system in 1975, it emphasized that the systems for collecting and distributing consolidated market data would be central features of the national market system.\292\ Further, one of the findings of the recent report by the staffs of the Commission and the CFTC on the market events of May 6, 2010 was that ``fair and orderly markets require that the standards for robust, accessible, and timely market data be set quite high.'' \293\ Accurate, timely, and efficient collection, processing, and dissemination of consolidated market data provides the public with ready access to a comprehensive and reliable source of information for the prices and volume of any NMS stock at any time during the trading day.\294\ This information helps to ensure that the public is aware of the best displayed prices for a stock, no matter where they may arise in the national market system.\295\ It also enables investors to monitor the prices at which their orders are executed and serves as a data point that helps them to assess whether their orders received best execution.\296\ --------------------------------------------------------------------------- \292\ See H.R. Rep. No. 94-229, 94th Cong., 1st Sess. 93 (1975). See also Concept Release on Equity Market Structure, supra note 4, at 3600, and Proposing Release, supra note 13, at 18108 (each discussing the importance of consolidated market data). \293\ See Findings Regarding The Market Events Of May 6, 2010, Report Of The Staffs Of The CFTC And SEC To The Joint Advisory Committee On Emerging Regulatory Issues, September 30, 2010, at 8 (``May 6 Staff Report''). \294\ See id. \295\ See id. \296\ See id. Also, as discussed above, the recent Nasdaq SIP disruption demonstrated that the availability, accuracy, and reliability of consolidated market data is currently central to the functioning of the securities markets, and systems issues affecting such systems can result in major disruptions to the national market system, undermining the maintenance of fair and orderly markets. --------------------------------------------------------------------------- Finally, systems directly supporting functionality relating to exclusively-listed securities represent single points of failure in the securities markets, because exclusively-listed securities, by definition, are listed and traded solely on one exchange.\297\ As such, a trading disruption on the exclusive listing market necessarily will disrupt trading by all market participants in those securities.\298\ --------------------------------------------------------------------------- \297\ As noted above, commenters identified the systems supporting the trading of exclusively-listed securities as representing critical points of failure or critical functionality in the securities markets. See, e.g., KCG Letter at 2-3; and SIFMA Letter at 4. \298\ For example, as noted above, in April 2013, CBOE delayed the opening of trading on its exchange for over three hours due to an internal ``software bug,'' preventing investors from trading in those products that are singly-listed on CBOE, including options on the S&P 500 Index and the VIX. See supra note 28 and accompanying text. --------------------------------------------------------------------------- The second prong of the definition is a broader catch-all provision intended to capture any SCI systems, beyond those specifically identified within the first prong of the definition, that provide functionality to the securities markets for which the availability of alternatives is significantly limited or nonexistent and without which there would be a material impact on fair and orderly markets. The Commission is not aware of any SCI systems that would fall under this prong of the critical SCI systems definition at this time, and notes that this prong of the definition is intended to account for further technology advancements and the continual evolution of the securities markets, in recognition that such developments could result in additional or new types of systems that would, similar to the enumerated categories of systems in the first prong of the definition, become so critical to the continuous and orderly functioning of the securities markets such that they should be subject to the requirements of Regulation SCI imposed on those systems specifically enumerated in the first prong of the definition. The Commission also notes that the definition applies to those systems ``of, or operated by or on behalf of, an SCI entity.'' This language mirrors the language in the definitions of SCI system and indirect SCI system, and as discussed above, is intended to cover systems that are third-party systems operated on behalf of SCI entities.\299\ --------------------------------------------------------------------------- \299\ See supra notes 254-260 and accompanying text. --------------------------------------------------------------------------- d. Indirect SCI Systems (Proposed as ``SCI Security Systems'') Proposed Rule 1000 defined the term ``SCI security systems'' to mean ``any systems that share network resources with SCI systems that, if breached, would be reasonably likely to pose a security threat to SCI systems.'' \300\ As adopted, Regulation SCI includes the new term ``indirect SCI systems,'' in place of the proposed term ``SCI security systems.'' The term ``indirect SCI systems'' is defined to mean ``any systems of, or operated by or on behalf of, an SCI entity that, if breached, would be reasonably likely to pose a security threat to SCI systems.'' --------------------------------------------------------------------------- \300\ See proposed Rule 1000(a) and Proposing Release, supra note 13, at Section III.B.2. --------------------------------------------------------------------------- As an initial matter, the Commission has determined to replace the proposed term ``SCI security systems'' with the adopted term ``indirect SCI systems'' because it believes that the latter term, in using the word ``indirect,'' better reflects that it is intended to cover non-SCI systems only if they are not appropriately secured and segregated from SCI systems, and therefore could indirectly pose risk to SCI systems.\301\ The adopted definition of indirect SCI systems includes systems ``of, or operated by or on behalf of'' of an SCI entity that, ``if breached, would be reasonably likely to pose a security threat to SCI systems.'' As discussed below, in response to comment that the proposed term would cover too many systems unrelated to SCI systems, the adopted term excludes the phrase ``share network resources.'' --------------------------------------------------------------------------- \301\ The Commission also believes that eliminating the word ``security'' from the defined term will help clarify that the term is not limited to systems relating only to security of the SCI entity and its systems (e.g., firewalls, VPNs). --------------------------------------------------------------------------- One commenter expressly supported the definition of SCI security systems and urged that it be expanded to include any technology system that has direct market access.\302\ In response to this comment, the Commission notes that the adopted definition includes any technology system of, or operated by or on behalf of an SCI entity, that has direct market access if that system meets the definition's test: whether a breach of [[Page 72280]] that system would be reasonably likely to pose a security threat to SCI systems. --------------------------------------------------------------------------- \302\ See Lauer Letter at 5. --------------------------------------------------------------------------- This commenter also suggested that the Commission additionally require SCI entities to have independent security audits performed and allow the auditor to have the ability to define which systems should be included and which can be safely excluded.\303\ The Commission is not requiring ``independent security audits'' to determine which systems would fall within the definition of indirect SCI system as suggested by this commenter,\304\ because the Commission believes its adopted rule requiring an annual SCI review addresses the commenter's request. The Commission notes that the adopted annual SCI review requirement requires that such review be performed by objective, qualified personnel, and that it include an assessment of logical and physical security controls for SCI systems and indirect SCI systems. The Commission believes that an SCI entity is generally in the best position to assess in the first instance which of its systems may fall within the definition of indirect SCI systems, and that having an independent third party audit to make that determination should be optional rather than required at this time. --------------------------------------------------------------------------- \303\ See id. \304\ See adopted Rule 1000 (definition of ``SCI review'') and infra Section IV.B.5 (discussing the SCI review requirement). --------------------------------------------------------------------------- Contrary to the commenter urging expansion of the proposed definition of SCI security systems, many commenters argued that the proposed definition was overbroad,\305\ with several of these same commenters suggesting that the term be deleted from the rule entirely.\306\ The Commission believes that Regulation SCI warrants inclusion of a definition of indirect SCI systems because an issue or systems intrusion with respect to a non-SCI system still could cause or increase the likelihood of an SCI event with respect to an SCI entity's SCI systems.\307\ In particular, because systems that are not adequately walled off from SCI systems may present potential entry points to an SCI entity's network and thus represent potential vulnerabilities to SCI systems, the Commission believes that it is important that the provisions of Regulation SCI relating to security standards and systems intrusions apply to such systems (i.e., indirect SCI systems). --------------------------------------------------------------------------- \305\ See, e.g., NYSE Letter at 11; Omgeo Letter at 6; MFA Letter at 6 (noting specifically that the definition could be read to extend to broker-dealers or other third parties); SIFMA Letter at 8; ITG Letter at 5, 12; BIDS Letter at 16-17; MSRB Letter at 7; OCC Letter at 4; FINRA Letter at 12-13; CME Letter at 6; DTCC Letter at 5; Oppenheimer Letter at 3; and Direct Edge Letter at 3. \306\ See, e.g., NYSE Letter at 11; Omgeo Letter at 6; MFA Letter at 6; SIFMA Letter at 2; FIF Letter at 3; LiquidPoint Letter at 3; KCG Letter at 18; OCC Letter at 3; and Joint SROs Letter at 5. \307\ See Proposing Release, supra note 13, at 18099. --------------------------------------------------------------------------- Many commenters objecting to the proposed definition as too broad addressed particular elements of the proposed definition of SCI security systems or provided specific recommendations for modifications or limitations to the definition.\308\ For example, some commenters criticized the use of the phrase ``share network resources,'' noting that it was vague and too broad, potentially encompassing almost any system of an SCI entity.\309\ Similarly, one commenter stated that the definition of SCI security system should include only systems that ``directly'' share network resources with an SCI system.\310\ One commenter argued that the definition should only include those systems that are materially and directly connected to the trading operations of an SCI entity.\311\ Several commenters recommended that systems that are logically and/or physically separated from SCI systems should be excluded from the definition.\312\ Some commenters qualified this position by stating that such systems should be excluded, for example, as long as SCI entities monitor those systems for security breaches and have the ability to shut the system off if they detect a security breach; \313\ or provided that the separation is routinely monitored and has appropriate risk controls in place and the system is ``air gapped'' (i.e., has no point of entry) from the public internet.\314\ One commenter believed that the definition should exclude any system with ``compensatory controls in place,'' which it stated would protect and secure SCI systems from vulnerabilities that could arise from shared network links.\315\ Another commenter asked for greater clarity on the extent to which SCI security systems that are isolated from production, such as email and intranet sites, raise security issues that are within the scope of the proposal.\316\ --------------------------------------------------------------------------- \308\ See NYSE Letter at 12; BATS Letter at 5-6; ISE Letter at 7-8; BIDS Letter at 16-17; SROs Letter at 15; Direct Edge Letter at 3; FINRA Letter at 13; ISE Letter at 8; and DTCC Letter at 5; and ITG Letter at 12. \309\ See NYSE Letter at 12; BATS Letter at 5; and ISE Letter at 7-8. \310\ See BIDS Letter at 16-17. \311\ See ITG Letter at 12 (stating that its suggested approach would, in its case, cover systems for order handling and execution, processing of market data, transaction reporting, and clearing and settlement of trades). \312\ See, e.g., Joint SROs Letter at 15 (stating that the term ``SCI security systems'' should be deleted, but if retained, should exclude those systems that are physically and logically separated); BATS Letter at 5-6; Direct Edge Letter at 3; FINRA Letter at 13; ISE Letter at 8; and DTCC Letter at 5. \313\ See BATS Letter at 5-6. \314\ See Direct Edge Letter at 3. \315\ See FINRA Letter at 13. \316\ See ISE Letter at 8. --------------------------------------------------------------------------- After careful consideration of these comments, the Commission believes that inclusion of the phrase ``share network resources'' in the proposed definition could be interpreted in a manner that would include almost any system that is part of an SCI entity's network. In response to commenters who expressed concern about the breadth of the proposed definition, the Commission has determined to eliminate the phrase ``share network resources'' from the definition, so that the adopted result-oriented test depends on whether a system ``if breached, would be reasonably likely to pose a security threat to SCI systems.'' As a result, the inquiry into whether any system is an indirect SCI system will depend on whether it is effectively physically or logically separated from SCI systems. Systems that are adequately physically or logically separated (i.e., isolated from SCI systems, such that they do not provide vulnerable points of entry into SCI systems) will not fall within the definition of indirect SCI systems. The Commission believes that having adequate separation and security controls should protect SCI systems from vulnerabilities caused by other systems. To the extent that non-SCI systems are sufficiently walled off from SCI systems using appropriate security measures, and thus are not reasonably likely to pose a security threat to SCI systems if breached, they would not be included in the definition of indirect SCI systems, and thus would be outside of the scope of Regulation SCI. The Commission notes that the definition of indirect SCI systems will not include any systems of an SCI entity for which the SCI entity establishes reasonably designed and effective controls that result in SCI systems being logically or physically separated from such non-SCI systems. Thus, the universe of an SCI entity's indirect SCI systems is in the control of each SCI entity, and SCI entities should reasonably expect Commission staff to assess its security controls around SCI systems in connection with an inspection or examination for compliance with Regulation SCI. If these controls are not present or are not reasonably designed, the applicable non-SCI systems would be within the scope of the definition of indirect SCI systems and subject to the security [[Page 72281]] standards and systems intrusions provisions of Regulation SCI. Some commenters recommended that, rather than including SCI security systems in the scope of the regulation, the Commission should instead require SCI entities to establish policies and procedures designed to ensure the security of their systems.\317\ According to these commenters, such an approach would require an evaluation of the risks posed to SCI systems by non-SCI systems. As noted, the Commission believes that the adopted definition of ``indirect SCI systems'' will effectively require SCI entities to evaluate the risks posed to SCI systems by non-SCI systems. However, the Commission believes that the adopted approach will incentivize SCI entities to seek to have in place strong security controls around SCI systems. As noted, if an SCI entity designs and implements security controls so that none of its non-SCI systems would be reasonably likely to pose a security threat to SCI systems, then it will have no indirect SCI systems. If, however, an SCI entity does have indirect SCI systems, then certain provisions of Regulation SCI will apply to those indirect SCI systems.\318\ The Commission believes this approach to indirect SCI systems is more appropriate than the policies and procedures approach suggested by some commenters because the Commission believes that its approach is more comprehensive as it includes, for example, the requirements to take corrective action, provide notifications to the Commission, and disseminate information for certain SCI events relating to indirect SCI systems which, by definition, if breached, would be reasonably likely to pose a security threat to SCI systems. Another commenter stated that a more precise definition of SCI security systems is important and that it would be valuable for the Commission to work with representatives within the securities industry to collectively craft the most appropriate definition that will ensure that critical security systems are captured.\319\ In crafting the definition, the Commission has taken into account comments received, with such commenters representing a wide variety of types of participants in the securities markets, and believes the adopted definition of indirect SCI systems, along with the definition of SCI systems, is responsive to a broad range of commenters' concerns.\320\ --------------------------------------------------------------------------- \317\ See, e.g., NYSE Letter at 12; MFA Letter at 6; SIFMA Letter at 2; FIF Letter at 3; LiquidPoint Letter at 3; KCG Letter at 18; OCC Letter at 3; and Joint SROs Letter at 5. \318\ See infra notes 323-328 (discussing the provisions of Regulation SCI applicable to indirect SCI systems). \319\ See DTCC Letter at 5. \320\ See supra note 17 and accompanying text. --------------------------------------------------------------------------- Another commenter suggested that the definition be limited to systems ``of, or operated by or on behalf of, an SCI entity,'' noting that the definition of SCI security systems should have parallel construction to the definition of ``SCI systems'' and without this phrase, SCI entities would be tasked inappropriately with controlling for systems outside of their effective control.\321\ As noted, the adopted definition of ``indirect SCI systems'' applies to those systems ``of, or operated by or on behalf of, an SCI entity.'' As a result, the adopted definition of indirect SCI systems provides (as is the case for SCI systems) that systems ``of, or operated by or on behalf of'' an SCI entity, are included in the definition of indirect SCI systems if their breach would be reasonably likely to pose a security threat to SCI systems.\322\ The Commission believes that the addition of this language is warranted to make clear that security of SCI systems is not limited solely to threats from systems operated directly by the SCI entity. If it were, outsourced systems of SCI entities would not be subject to the requirements of Regulation SCI, which would undermine the goals of Regulation SCI. --------------------------------------------------------------------------- \321\ See MSRB Letter at 7. \322\ See supra Section IV.A.2.b (discussing the inclusion of third party systems in the definition of ``SCI systems''). --------------------------------------------------------------------------- As discussed in further detail below, unlike SCI systems, those systems meeting the definition of ``indirect SCI systems'' will only be subject to certain provisions of Regulation SCI. Specifically, references to ``indirect SCI systems'' are included in the definitions of ``responsible SCI personnel,'' ``SCI review,'' and ``systems intrusion'' in adopted Rule 1000.\323\ Rule 1001(a), requiring reasonably designed policies and procedures to ensure operational capability, will apply to indirect SCI systems only for purposes of security standards.\324\ In addition, Rule 1002, which relates to an SCI entity's obligations with regard to SCI events, will apply to indirect SCI systems only with respect to systems intrusions.\325\ Further, pursuant to Rule 1003(a), the obligations related to systems changes will apply to material changes to the security of indirect SCI systems.\326\ In addition, the requirements regarding an SCI review will apply to indirect SCI systems.\327\ Finally, Rules 1005 through 1007, relating to recordkeeping and electronic filing and submission of Form SCI, respectively, will also apply to indirect SCI systems.\328\ The Commission believes that it is appropriate to subject indirect SCI systems to only these specified provisions because the Commission believes that the primary risk posed by indirect SCI systems is that they may serve as vulnerable entry points to SCI systems. The Commission's objective with respect to indirect SCI systems is to guard against a non-SCI system being breached in a manner that threatens the security of any SCI system. The Commission believes that its approach to defining indirect SCI systems, and requiring SCI entities to consider, address, and report on security changes and intrusions into systems where vulnerabilities have been identified, is tailored to meet this objective. --------------------------------------------------------------------------- \323\ See adopted Rule 1000. \324\ See adopted Rule 1001(a) and supra Section IV.B.1 (discussing the policies and procedures requirement under Rule 1001(a)). \325\ See adopted Rule 1000 (definitions of system compliance and systems disruption, which do not include indirect SCI systems, and the definition of systems intrusion, which includes indirect SCI systems) and supra Section IV.B.3 (discussing an SCI entity's obligations with respect to SCI events). \326\ See adopted Rule 1003(a)(i) and Section IV.B.4 (discussing requirements relating to material systems changes). \327\ See adopted Rule 1003(b) and Section IV.B.5 (discussing the SCI review requirement). \328\ See adopted Rules 1005-1007 and Section IV.C (discussing the recordkeeping and electronic filing of Form SCI). --------------------------------------------------------------------------- 3. SCI Events Regulation SCI specifies the types of events--i.e., SCI events-- that give rise to certain obligations under the rule, including taking corrective action, reporting to the Commission, and disseminating information about such SCI events.\329\ Proposed Rule 1000(a) defined the term ``SCI event'' as ``an event at an SCI entity that constitutes: (1) A systems disruption; (2) a systems compliance issue; or (3) a systems intrusion.'' \330\ The Commission is adopting the definition of ``SCI event'' as proposed. --------------------------------------------------------------------------- \329\ See infra Section IV.B.3 (discussing an SCI entity's obligations with respect to SCI events). \330\ See proposed Rule 1000(a) and Proposing Release, supra note 13, at Section III.B.3. --------------------------------------------------------------------------- Many commenters believed that the proposed definition of ``SCI event'' was vague \331\ or overly broad because it was not limited to capturing material SCI events \332\ or events that the commenters believed are truly disruptive and pose a risk to the market.\333\ Specifically, [[Page 72282]] several commenters recommended that the definition of SCI event include a materiality threshold, so that only events determined by the SCI entity to be material would trigger certain obligations under the rule.\334\ One commenter stated that the definition of SCI event could be interpreted to include trivial events, and therefore believed that the definition needed clarity.\335\ Finally, one commenter suggested that SCI event be defined as outlined in Rule 301(b)(6)(ii)(G) under Regulation ATS,\336\ which requires a qualifying ATS to notify the Commission of material systems outages and significant systems changes.\337\ --------------------------------------------------------------------------- \331\ See ITG Letter at 12; and OTC Markets Letter at 16. \332\ See FIF Letter at 2; ITG Letter at 12; DTCC Letter at 5; and OTC Markets Letter at 16. \333\ See NYSE Letter at 3; ICI Letter at 4; Oppenheimer Letter at 3. See also supra note 231 and accompanying text (discussing comment that the definition of SCI systems should be revised to cover only those systems where a disruption, compliance issue, intrusion or material systems change would impact investors and markets that are subject to the Commission's jurisdiction). \334\ See, e.g., FIF Letter at 2 (suggesting factors for determining what is a material SCI event, and urging that only material SCI events be subject to notification requirements); ITG Letter at 12 (suggesting that a Commission notification requirement apply only to those events that have a material impact on the ongoing maintenance of fair and orderly markets in an NMS security); and DTCC Letter at 5 (recommending that each component of the term SCI event be limited by a materiality threshold and be ``risk- based'' so that the term includes events that cause a disruption to the SCI entity's ability to conduct its core functions). \335\ See ITG Letter at 12. \336\ 17 CFR 242.301(b)(6)(ii)(G). \337\ See OTC Markets Letter at 16. In addition, some commenters objected to the inclusion of systems compliance issues within the definition of SCI events. See infra notes 403-405 and accompanying text. --------------------------------------------------------------------------- After careful consideration of the views of commenters, although the Commission is adopting the definition of ``SCI event'' as proposed, the requirements of Regulation SCI are tiered in a manner that the Commission believes is responsive to the concerns of commenters about the breadth of the definition.\338\ Specifically, and as explained in further detail below, the Commission is incorporating a risk-based approach to the obligations of SCI entities with respect to SCI events.\339\ --------------------------------------------------------------------------- \338\ See supra notes 331-337 and accompanying text. \339\ Under this risk-based approach, for example, de minimis SCI events will not be subject to the immediate Commission reporting requirements as proposed, but rather, SCI entities will only be required to make, keep, and preserve records regarding de minimis SCI events and submit de minimis systems disruptions and de minimis systems intrusions to the Commission in quarterly summary reports. See Rule 1002(b)(5). --------------------------------------------------------------------------- The Commission is not incorporating a materiality threshold as requested by some commenters,\340\ including by limiting the definition of SCI event to only those events that are considered by SCI entities to be truly disruptive to the market.\341\ Rather, the Commission believes that the adopted Commission notification and information dissemination requirements for SCI events will help to focus the Commission's and SCI entities' resources on the more significant SCI events by providing appropriate exceptions from reporting and dissemination for events that have no or de minimis impacts on an SCI entity's operations or market participants. In addition, the Commission believes that SCI event should not be defined as outlined in Rule 301(b)(6)(ii)(G) under Regulation ATS as suggested by one commenter,\342\ because Rule 301(b)(6)(ii)(G) requires Commission notification of ``material systems outages.'' \343\ Such an approach would exclude any systems compliance issues or systems intrusions, two types of events that the Commission believes should be included as SCI events. This approach would also create a materiality threshold for systems disruptions, which the Commission believes would not be appropriate, as discussed below. --------------------------------------------------------------------------- \340\ See supra notes 334 and 337 and accompanying text. \341\ See supra note 333 and accompanying text. \342\ See supra note 337 and accompanying text. \343\ See 17 CFR 242.301(b)(6)(ii)(G). Rule 301(b)(6)(ii)(G) also requires that ATSs promptly notify the Commission of significant systems changes. --------------------------------------------------------------------------- In addition, by not including a materiality threshold within the definition, SCI entities will be required to assess, take corrective action, and keep records of all such events, some of which may initially seem insignificant to an SCI entity, but which may later prove to be the cause of significant systems issues at the SCI entity. An SCI entity's records of de minimis SCI events may also be useful to the Commission in that they may, for example, aid the Commission in identifying patterns of de minimis SCI events that together might result in a more impactful SCI event, either at an SCI entity or across a group of SCI entities, or circumstances in which an SCI event causes de minimis systems issues for one particular SCI entity but results in significant issues for another SCI entity. The Commission also believes that the ability to view such events in the aggregate and across multiple SCI entities is important to allow the Commission and its staff to be able to gather information about trends related to SCI events that could not otherwise be properly discerned. Information about trends will assist the Commission in fulfilling its oversight role by keeping Commission staff informed about the nature and frequency of the types of de minimis SCI events that SCI entities encounter. Moreover, information about trends and notifications of de minimis SCI events generally can also inform the Commission of areas of potential weaknesses, or persistent or recurring problems, across SCI entities and also should help the Commission better focus on common types of SCI events or issues with certain types of SCI systems across SCI entities. This information also will permit the Commission and its staff to issue industry alerts or guidance if appropriate. In addition, this information would allow the Commission and its staff to review SCI entities' classification of SCI events as de minimis SCI events. In addition, although the definition of SCI event is unchanged, to address commenters' concerns, the Commission has determined to modify the various components of that definition (i.e., the definition of systems disruption, systems compliance issue, and systems intrusion), in certain respects, as discussed below. a. Systems Disruption Proposed Rule 1000(a) would have defined ``systems disruption'' as ``an event in an SCI entity's SCI systems that results in: (1) A failure to maintain service level agreements or constraints; (2) a disruption of normal operations, including a switchover to back up equipment with near-term recovery of primary hardware unlikely; (3) a loss of use of any SCI system; (4) a loss of transaction or clearance and settlement data; (5) significant backups or delays in processing; (6) a significant diminution of ability to disseminate timely and accurate market data; or (7) a queuing of data between systems components or queuing of messages to or from customers of such duration that normal service delivery is affected.'' \344\ As discussed below, in response to comments, the Commission is substantially modifying the proposed definition of systems disruption in adopted Rule 1000. --------------------------------------------------------------------------- \344\ See proposed Rule 1000(a) and Proposing Release, supra note 13, at Section III.B.3.a. --------------------------------------------------------------------------- One commenter stated that the proposed definition of systems disruption was reasonable, but recommended that it be expanded to encompass disruptions originating from a third party.\345\ However, many other commenters believed that the definition of systems disruption was too broad and would include minor events that they believed should be excluded from the [[Page 72283]] definition.\346\ Several commenters suggested ways to limit the scope of the defined term. For example, some commenters suggested limiting the definition to material disruptions.\347\ One of these commenters added that systems disruptions should exclude any regularly planned outages occurring during the normal course of business.\348\ Another commenter recommended that development and testing environments should be excluded from the definition of systems disruption.\349\ One commenter suggested modifying the definition to include only two elements: (1) Disruptions of either the SCI systems or of the operations of the SCI entity that have the effect of disrupting the delivery of the SCI service provided by those systems; and (2) degradations of SCI systems processing creating backups or delays of such a degree and duration that the delivery of service is effectively disrupted or unusable by the market participants who use the systems.\350\ --------------------------------------------------------------------------- \345\ See Lauer Letter at 5-6. \346\ See, e.g., FINRA Letter at 16; BATS Letter at 9; Omgeo Letter at 7; NYSE Letter at 14; Joint SROs Letter at 6; OCC Letter at 6; SIFMA Letter at 9-10; and OTC Markets Letter at 21. \347\ See DTCC Letter at 6; SIFMA Letter at 9; OCC Letter at 6; OTC Markets Letter at 21; and Joint SROs Letter at 6. \348\ See DTCC Letter at 7. \349\ See FINRA Letter at 11, 16 (noting also that the many elements of the defined term were vague). See also Section IV.A.2.b (discussing the definition of ``SCI systems,'' including the elimination of test and development systems from its definition). \350\ See Omgeo Letter at 11. --------------------------------------------------------------------------- Two commenters believed that the proposed definition of systems disruption was too rigid and should provide for more flexibility and discretion.\351\ Both commenters were skeptical that an event should be reportable solely because it matched the description of one of the seven elements of the definition.\352\ One of these commenters noted that the Commission's proposed definition seeks to codify as a formal definition language used by the ARP Inspection Program that was meant to provide flexibility and latitude in determining what constitutes a systems disruption.\353\ The other commenter thought that the seven prongs of the proposed definition of ``systems disruption'' were appropriate considerations in determining whether a systems disruption had occurred, but that an SCI entity should be afforded more discretion and flexibility in determining whether a particular issue meets the definition.\354\ --------------------------------------------------------------------------- \351\ See Omgeo Letter at 7; and OCC Letter at 6-8. \352\ See Omgeo Letter at 7; and OCC Letter at 6-8. \353\ See Omgeo Letter at 7. \354\ See OCC Letter at 6. This commenter also critiqued or requested clarification for each prong of the definition, as discussed further below. --------------------------------------------------------------------------- Service Level Agreements Two commenters believed that the first element of the definition regarding service level agreements should be eliminated.\355\ One of these commenters stated that an SCI entity's regulatory requirements should not depend upon the negotiated language of an agreement between business partners, while the other commenter noted that, in some cases, a private contract might have more stringent requirements than required by regulation, which would, in effect, transform such agreements into new regulatory obligations.\356\ Other commenters stated this element should be revised to capture only the most significant disruptions to a service level agreement.\357\ In addition, one commenter expressed concern that SCI entities may forgo negotiating detailed and stringent service level agreements if the first element were to be adopted as proposed.\358\ --------------------------------------------------------------------------- \355\ See NYSE Letter at 13; and BATS Letter at 9. \356\ See NYSE Letter at 13; and BATS Letter at 9. \357\ See DTCC Letter at 7 (suggesting that the definition capture only the most significant disruptions to a service level agreement that are caused by the SCI entity and that impede its ability to perform its core functions and critical operations); and OCC Letter at 7. See also Omgeo Letter at 9 (noting concerns that this element could require reporting of events too minor to be noticed by participants and that do not cause any disruptions of service or material risks to the entity or users). \358\ See OCC Letter at 7. --------------------------------------------------------------------------- Disruptions of Normal Operations Two commenters stated that the second element of the definition needs clarification because the phrase ``disruption of normal operations'' is vague and overbroad and therefore could potentially include minor events.\359\ Two commenters stated that, if a switchover is utilized and there is no material impact on the core services, then there should not be a requirement to notify the Commission of a systems disruption.\360\ One of these commenters added that programming errors that occur prior to production and regularly scheduled maintenance should not be considered disruptions.\361\ Several commenters also recommended that testing errors should not be included in the definition,\362\ and one commenter stated that testing errors should only be included if they result in a material impact on an SCI entity's operations.\363\ --------------------------------------------------------------------------- \359\ See NYSE Letter at 13; and Omgeo Letter at 8. \360\ See BATS Letter at 9; and SIFMA Letter at 10. \361\ See BATS Letter at 10. \362\ See BATS Letter at 11; SIFMA Letter at 10; and NYSE Letter at 13. \363\ See Omgeo Letter at 9 (noting that inclusion of testing errors would discourage SCI entities from conducting effective quality assurance programs and could undermine good quality engineering practices). --------------------------------------------------------------------------- Loss of Use of Any System One commenter stated that the term ``loss of use of any SCI system'' is unclear and expressed concern that the lack of clarity may lead to interpretive differences and inconsistencies in application among SCI entities.\364\ Three commenters discussed failovers to backup systems, with one commenter stating the Commission should clarify whether this constitutes a loss of use of a system,\365\ another commenter stating that it should not be considered a systems disruption,\366\ and the third commenter stating that it should only be considered a systems disruption if there is an impact on normal operations.\367\ --------------------------------------------------------------------------- \364\ See OCC Letter at 7. \365\ See id. \366\ See NYSE Letter at 13. \367\ See Direct Edge Letter at 3. --------------------------------------------------------------------------- Loss of Data Several commenters stated that losses of transaction or clearance and settlement data that are immediately retrieved, promptly corrected, or, for clearance and settlement data, resolved prior to the close of the trading day should not be systems disruptions.\368\ One commenter suggested that the rule be revised to include as a systems disruption data that is altered or corrupted in some way.\369\ Another commenter stated that this prong of the definition should include a materiality qualifier.\370\ --------------------------------------------------------------------------- \368\ See, e.g., OCC Letter at 7; DTCC Letter at 7; SIFMA Letter at 10; and Omgeo Letter at 11. \369\ See Omgeo Letter at 11. \370\ See NYSE Letter at 14. --------------------------------------------------------------------------- Backups or Delays and Market Data Dissemination With respect to the fifth and sixth elements of the definition regarding significant backups or delays in processing and a significant diminution of ability to disseminate timely and accurate market data, one commenter expressed support for the inclusion of such performance degradations in the definition of systems disruptions but stated that it believed that the Commission's interpretation of the term ``significant'' in the SCI Proposal was overly broad because it would encompass delays that are small and, in fact, insignificant.\371\ --------------------------------------------------------------------------- \371\ See Omgeo Letter at 9. See also Proposing Release, supra note 13, at 18101-02. --------------------------------------------------------------------------- [[Page 72284]] Data Queuing With respect to the seventh element, one commenter stated that queuing of data is a very good indicator of a problem, but also noted that it is not necessarily being properly monitored by most firms and suggested that the Commission require SCI entities to monitor queue depth.\372\ However, several other commenters stated that queuing of data is normal and necessary.\373\ Some commenters suggested that the Commission should only require reporting of such queuing if it materially affects the delivery of core services to customers.\374\ One commenter asked for additional clarification on this element because all systems have queues to some extent with normal functionality and only certain queues should trigger recovery actions.\375\ One commenter expressed concern that language in the SCI Proposal stating that ``queuing of data is a warning signal of significant disruption'' \376\ would make events that are precursors to system disruptions themselves become system disruptions.\377\ --------------------------------------------------------------------------- \372\ See Lauer Letter at 5. \373\ See, e.g., BATS Letter at 10; DTCC Letter at 7; SIFMA Letter at 10; Omgeo Letter at 10; and Joint SROs Letter at 6. \374\ See, e.g., BATS Letter at 10-11; DTCC Letter at 7; Omgeo Letter at 10; and OCC Letter at 8. \375\ See NYSE Letter at 14. \376\ See Proposing Release, supra note 13, at 18102. \377\ See Omgeo Letter at 9. --------------------------------------------------------------------------- Customer Complaints Several commenters objected to the Commission's discussion in the SCI Proposal regarding customer complaints,\378\ stating that the Commission should not consider each instance in which a customer or systems user complains or inquires about a slowdown or disruption of operations as an indicator of a systems disruption.\379\ For example, one commenter noted that customer complaints are often ultimately determined to be the result of system errors or discrepancies on the customer's end, and stated that requiring an SCI entity to treat these complaints as significant systems disruptions simply because they are made would impose an unnecessary burden on the SCI entity.\380\ --------------------------------------------------------------------------- \378\ See Proposing Release, supra note 13, at 18102. \379\ See, e.g., DTCC Letter at 7; Omgeo Letter at 10; BATS Letter at 11; NYSE Letter at 14; and OCC Letter at 8. \380\ See Omgeo Letter at 10-11. --------------------------------------------------------------------------- Definition of ``Systems Disruption'' as Adopted After careful consideration of the views of commenters, the Commission is removing the seven specific types of systems malfunctions that were proposed to define systems disruption. As adopted, ``systems disruption'' is defined in Rule 1000 to mean ``an event in an SCI entity's SCI systems that disrupts, or significantly degrades, the normal operation of an SCI system.'' The Commission has considered commenters' suggestions and feedback with respect to the proposed definition, including the criticisms of various aspects of the seven specific types of systems malfunctions delineated in the SCI Proposal and believes that the adopted definition, which largely follows the definition suggested by a commenter, is appropriate.\381\ Specifically, this commenter recommended that the definition of systems disruption be revised to have two elements: (1) Disruptions of either the SCI systems or of the operations of the SCI entity that have the effect of disrupting the delivery of the SCI service provided by those systems; and (2) degradations of SCI systems processing creating backups or delays of such a degree and duration that the delivery of service is effectively disrupted or unusable by the market participants who use the systems.\382\ --------------------------------------------------------------------------- \381\ See id. at 11. \382\ See supra note 353 and accompanying text. --------------------------------------------------------------------------- The Commission agrees with commenters that the proposed definition of systems disruption had the potential to be both over-inclusive and under-inclusive. The Commission believes that the adopted definition appropriately represents a change in focus of the definition from the prescriptive seven prongs in the SCI Proposal's definition that represented the effects caused by a disruption of an SCI entity's systems to, instead, whether a system is halted or degraded in a manner that is outside of its normal operation. The Commission believes the revised definition sets forth a standard that SCI entities can apply in a wide variety of circumstances to determine in their discretion whether a systems issue should be appropriately categorized as a systems disruption. Further, because the adopted definition of systems disruption takes into account whether a systems problem is outside of normal operations, the Commission also believes that partly addresses the concerns of the commenters suggesting that the definition of systems disruption include a materiality qualifier.\383\ --------------------------------------------------------------------------- \383\ As discussed more fully below, an SCI entity's assessment of the impact of an event meeting the definition of a systems disruption will affect whether it is subject to an immediate Commission notification obligation, or a recordkeeping and quarterly reporting obligation. See infra Section IV.B.3.c (discussing the exclusion of de minimis systems disruptions from immediate Commission notification requirements in Rule 1002(b)(5)). --------------------------------------------------------------------------- Because the Commission agrees with commenters regarding the difficulties of the proposed definition of ``systems disruption,'' it is not including any of the specific types of systems malfunctions in the adopted definition of ``systems disruption.'' Thus, the Commission believes SCI entities would likely find it helpful to establish parameters that can aid them and their staff in determining what constitutes the ``normal operation'' \384\ of each of its SCI systems, and when such ``normal operation'' has been disrupted or significantly degraded because those parameters have been exceeded. The Commission agrees with commenters who noted that, given its voluntary nature, entities that participate in the ARP Inspection Program are afforded a certain degree of flexibility and discretion in reporting systems outages, and agrees that, given its proposed application to a mandatory rule, the proposed definition limited the flexibility and discretion of SCI entities in a manner that was overly rigid.\385\ Although the specific types of systems malfunctions have been removed from the adopted definition of systems disruption, the Commission nonetheless continues to believe, as suggested by one commenter,\386\ that the types of systems malfunctions that comprised the proposed definition may be useful to SCI entities to consider as indicia of a systems disruption. --------------------------------------------------------------------------- \384\ The Commission notes that, for certain SCI systems, ``normal operation'' may include a certain degree of operational variability that would allow for a given amount of degradation of functionality (e.g., some data queuing or some slowing of response times) before the system's operations reach the point of being ``significantly degraded.'' However, such variability parameters may be included as part of an SCI entity's policies and procedures so that the SCI entity and its personnel would be aware of them before the occurrence of systems issues. \385\ Commenters highlighted many examples where a rigid interpretation of the proposed definition had the potential to incorporate into the definition events that could be considered part of normal operation. See, e.g., supra notes 361, 364, 368, 369, 374, and 379 and accompanying text. As adopted, however, such events would not be captured by the definition of systems disruptions because an event that disrupts, or significantly degrades, the normal operation of an SCI system would not be considered the ``normal operation'' of such SCI system. \386\ See supra note 354 and accompanying text. --------------------------------------------------------------------------- [[Page 72285]] As discussed in the SCI Proposal \387\ and by certain commenters,\388\ the seven categories of malfunctions in the proposed definition of ``systems disruption'' have their origin in ARP staff guidance regarding when ARP participants should notify the Commission of system outages and represent practical examples that SCI entities should consider to be systems disruptions in many circumstances. The Commission notes that the revised definition is intended to address some commenters' concerns with the particular elements of the definition of systems disruption as originally proposed. For example, under the modified definition, if an SCI system experiences an unplanned outage but fails over smoothly to its backup system such that there is no disruption or significant degradation of the normal operation of the system, the outage of the primary system would not constitute a systems disruption. On the other hand, an SCI entity may determine that, even when a primary system fails over smoothly to its backup system such that users are not impacted by the failover, operating from the backup system without additional redundancy would not constitute normal operation. In this case, the outage of the primary system would fall within the definition of systems disruption. Further, the Commission believes it would be appropriate for an SCI entity to take into account regularly scheduled outages or scheduled maintenance as part of ``normal operations.'' \389\ In particular, a planned disruption to an SCI system that is a part of regularly scheduled outages or scheduled maintenance would not constitute a systems disruption or be subject to the requirements of Regulation SCI, if such regularly scheduled outages or scheduled maintenance are part of the SCI entity's normal operations. With regard to data queuing, to the extent that such queuing is part of the normal functionality of a system and does not cause a disruption or significant degradation of normal operations, it would not be captured by the rule, which is limited to events occurring to an SCI system that are outside its normal operations.\390\ Additionally, by eliminating the seven types of malfunctions from the definition as proposed, the Commission has responded to commenters who expressed concern that events that are precursors to system disruptions, such as the queuing of data, would themselves be systems disruptions.\391\ Similarly, by eliminating the seven types of malfunctions, the Commission has addressed comments that called for the elimination of specific elements of the proposed definition, such as service level agreements.\392\ --------------------------------------------------------------------------- \387\ See Proposing Release, supra note 13, at 18101. \388\ See supra note 353 and accompanying text. \389\ See supra note 361 and accompanying text. \390\ See supra notes 372-377 and accompanying text. \391\ See supra note 377 and accompanying text. \392\ See supra notes 355 and 358 and accompanying text. --------------------------------------------------------------------------- Further, the Commission agrees with commenters that customer complaints may be indicia of a systems issue,\393\ but that a customer complaint alone would not be determinative of whether a system problem has occurred that meets the definition of systems disruption under Regulation SCI.\394\ With respect to the commenters who stated that losses of transaction or clearance and settlement data that are immediately retrieved, promptly corrected, or, for clearance and settlement data, resolved prior to the close of the trading day should not be systems disruptions, the adopted definition would exclude these events if they do not disrupt or significantly degrade the normal operations of an SCI system.\395\ However, if loss of transaction or clearance and settlement data disrupts or significantly degrades the normal operation of an SCI system, it would constitute a systems disruption and be subject to the requirements of Regulation SCI (e.g., immediate or quarterly Commission notification, depending on the impact of the disruption). --------------------------------------------------------------------------- \393\ The Commission agrees, as noted by some commenters, that in some instances, customer complaints may be the result of a problem at a system not operated by (or on behalf of) an applicable SCI entity, but rather a system operated by the customer itself. See supra note 380 and accompanying text. \394\ See supra notes 379-380 and accompanying text. \395\ See supra note 368. The Commission notes that for clearance and settlement systems, normal operations would include all steps necessary to effectuate timely and accurate end of day settlement. In response to the commenter who stated that the definition of systems disruption should be revised to include data that is altered or corrupted in some way, because the Commission has determined to eliminate the pronged approach to the definition of systems disruption, the Commission notes that, under the adopted definition, data that is altered or corrupted in some way may be a systems disruption if such altered or corrupted data disrupt or significantly degrade the affected SCI system's normal operation. See supra note 369. --------------------------------------------------------------------------- Several commenters also suggested that testing errors or other disruptions in development and testing environments should be excluded from the definition of systems disruption.\396\ The Commission notes that, as discussed above, development and testing systems have been excluded from the definition of SCI systems, and thus such disruptions would not be subject to the requirements of Regulation SCI.\397\ --------------------------------------------------------------------------- \396\ See supra notes 361-363 and accompanying text. \397\ See supra Section IV.A.2.b (discussing the definition of ``SCI systems''). --------------------------------------------------------------------------- The Commission is not incorporating a materiality threshold into the definition of systems disruption as requested by some commenters.\398\ Rather, as discussed below, the requirements of Regulation SCI are tiered in a manner that the Commission believes is responsive to commenters' concerns regarding the breadth of the definition of systems disruption (while stopping short of including a materiality standard).\399\ In particular, the Commission believes that the adopted Commission notification and information dissemination requirements for SCI events (i.e., quarterly Commission reporting of de minimis systems disruptions, and an exception for de minimis systems disruptions from the information dissemination requirement) will help to focus the Commission's and SCI entities' resources on the more significant systems disruptions. In addition, by not including a materiality threshold within the definition, SCI entities will be required to assess, take corrective action, and keep records of all systems disruptions, some of which may initially seem insignificant to an SCI entity, but which may later prove to be the cause of significant systems disruptions at the SCI entity. An SCI entity's records of de minimis systems disruptions may also be useful to the Commission in that they may, for example, aid the Commission in identifying patterns of de minimis systems disruptions that together might result in a more impactful SCI event, either at an SCI entity or across a group of SCI entities, or circumstances in which a systems disruption causes de minimis systems issues for one particular SCI entity but results in significant issues for another SCI entity. The Commission also believes that the ability to view de minimis SCI events in the aggregate and across multiple SCI [[Page 72286]] entities is important to the Commission and its staff to be able to gather information about trends related to such systems disruptions that could not otherwise be properly discerned. Information about trends will assist the Commission in fulfilling its oversight role by keeping Commission staff informed about the nature and frequency of the types of de minimis systems disruptions that SCI entities encounter. Moreover, information about trends can also inform the Commission of areas of potential weaknesses, or persistent or recurring problems, across SCI entities and also should help the Commission better focus on common types of systems disruptions with certain types of SCI systems across SCI entities. This information also would permit the Commission and its staff to issue industry alerts or guidance if appropriate. In addition, this information would allow the Commission and its staff to review SCI entities' classification of events as de minimis systems disruptions. Moreover, the Commission believes that, even without adopting a materiality threshold, the adopted definition of SCI systems further focuses the scope of the definition of systems disruption.\400\ --------------------------------------------------------------------------- \398\ See supra note 347 and accompanying text. \399\ See Rule 1002(b)(5) and infra Section IV.B.3.c (discussing the Commission notification requirement for SCI events and requiring a quarterly summary report for de minimis systems disruptions). See also Rule 1002(c)(4) and infra Section IV.B.3.d (discussing information dissemination requirement for certain SCI events, but excluding de minimis systems disruptions). \400\ See supra Sections IV.A.2.b (discussing the definition of ``SCI systems''). --------------------------------------------------------------------------- The Commission also believes that it is unnecessary to modify the definition of systems disruption specifically to encompass disruptions originating from a third party, as one commenter suggested.\401\ The definition of systems disruption does not limit such events with respect to the source of the disruption, whether an internal source at the SCI entity or an external third party source. --------------------------------------------------------------------------- \401\ See supra note 345. --------------------------------------------------------------------------- b. Systems Compliance Issue Proposed Rule 1000(a) would have defined the term ``systems compliance issue'' as ``an event at an SCI entity that has caused any SCI system of such entity to operate in a manner that does not comply with the federal securities laws and rules and regulations thereunder or the entity's rules or governing documents, as applicable.'' \402\ The Commission is adopting the definition of systems compliance issue substantially as proposed, with modifications to refine its scope. --------------------------------------------------------------------------- \402\ See proposed Rule 1000(a) and Proposing Release, supra note 13, at Section III.B.3.b. --------------------------------------------------------------------------- Two commenters stated that the term ``systems compliance issue'' should be deleted from the definition of SCI event entirely.\403\ One of these commenters stated that the inclusion of systems compliance issue as an SCI event would be a departure from the ARP Inspection Program and ARP Policy Statements.\404\ The other commenter argued that any report regarding a systems compliance issue is an admission that the SCI entity has violated a law, rule, or one of its governing documents, creating a risk of an enforcement action or other liability for the SCI entity.\405\ --------------------------------------------------------------------------- \403\ See Omgeo Letter at 13; and NYSE Letter at 16. \404\ See Omgeo Letter at 14. \405\ See NYSE Letter at 16. --------------------------------------------------------------------------- Other commenters stated that the proposed definition is too broad and should be refined to include only those issues that are material or significant.\406\ Commenters' specific recommendations included limiting the definition to those systems compliance issues that: have a material and significant effect on members; \407\ can be reasonably expected to result in significant harm or loss to market participants or impact the operation of a fair and orderly market; \408\ or have a materially negative impact on the SCI entity's ability to perform its core functions.\409\ One commenter also noted that the term should be specifically defined to take account of an SCI entity's function, such as clearing agencies' ability to comply with Section 17A.\410\ --------------------------------------------------------------------------- \406\ See, e.g., Joint SROs Letter at 2, 8; ISE Letter at 6; SIFMA Letter at 13; Liquidnet Letter at 3; CME Letter at 8; DTCC Letter at 6; OCC Letter at 13; and FINRA Letter at 17 (stating that systems compliance issues should be reportable only if they would directly impact the market or a member firm's ability to comply with FINRA rules). See also BATS Letter at 13. \407\ See ISE Letter at 6-7. \408\ See Liquidnet Letter at 3; and CME Letter at 8. See also FINRA Letter at 17. \409\ See DTCC Letter at 6; and OCC Letter at 13. \410\ See DTCC Letter at 6. See also infra Sections IV.B.3.c and IV.B.3.d (discussing comments with respect to systems compliance issues and their relation to Commission notification and information dissemination to members or participants). --------------------------------------------------------------------------- After considering the view of commenters that the proposed definition of systems compliance issue is too broad,\411\ the Commission is revising the definition to mean an event that has caused an SCI system to operate ``in a manner that does not comply with the Act'' and the rules and regulations thereunder and the entity's rules and governing documents, as applicable.\412\ The Commission believes the refinement from ``federal securities laws'' to ``the Act'' (i.e., the Securities Exchange Act of 1934) will appropriately focus the definition on Exchange Act compliance rather than other areas of the federal securities laws. Although the Commission did not receive specific comment suggesting that it amend the definition of systems compliance issue by using the term ``the Act'' instead of the broader ``federal securities laws,'' commenters did suggest that the Commission limit the scope of the definition to only apply to those sections of the Act that are applicable to a particular SCI entity \413\ or the SCI entity's rules.\414\ The Commission agrees with these commenters insofar as they advocated for focusing the scope to a more specific set of securities laws and for reducing the burden on SCI entities, and further believes this refinement does not compromise the objective of the definition, which is to capture systems compliance issues with respect to SCI entities' obligations under the Exchange Act. The Commission believes that the refinement provides additional clarity to SCI entities that, for purposes of Regulation SCI, their obligations are with respect to compliance with the Exchange Act and the rules and regulations thereunder and the entity's rules and governing documents.\415\ --------------------------------------------------------------------------- \411\ See supra note 406 and accompanying text. \412\ As noted above, proposed Rule 1000 defined systems compliance issue as an event at an SCI entity that has caused any SCI system of such entity to operate ``in a manner that does not comply with the federal securities laws'' and rules and regulations thereunder or the entity's rules and governing documents, as applicable. \413\ See supra note 410 and accompanying text. \414\ See supra note 406 and accompanying text. \415\ Notwithstanding this provision's focus on compliance with the Exchange Act and the rules and regulations thereunder and the entity's rules and governing documents, the Commission notes that its objective in adopting Regulation SCI is not, for example, to change the obligations of SCI entities that are public companies with respect to their disclosure obligations under the Securities Act of 1933. See 15 U.S.C. 77a et seq. --------------------------------------------------------------------------- The Commission disagrees with commenters who suggested removing systems compliance issues from the definition of SCI event altogether.\416\ Although systems compliance issues have not been within the scope of the ARP Inspection Program,\417\ the Commission believes that inclusion of systems compliance issues in the definition of SCI event and the resulting applicability of the Commission reporting, information dissemination, and recordkeeping requirements to systems compliance issues is important to help ensure that SCI systems are operated by SCI entities in compliance with the Exchange Act, rules thereunder, and their own rules and governing documents. --------------------------------------------------------------------------- \416\ See supra notes 403-405 and accompanying text. \417\ See supra note 404 and accompanying text. See also Proposing Release, supra note 13, at 18087. --------------------------------------------------------------------------- [[Page 72287]] In addition, the Commission is not adopting a materiality qualifier \418\ or other limiting threshold \419\ in the definition of systems compliance issue as suggested by some commenters. Instead, the requirements of Regulation SCI are tiered in a manner that the Commission believes is responsive to commenters' concerns regarding the breadth of the definition of systems compliance issue.\420\ In particular, the Commission believes that the adopted Commission notification requirement and the information dissemination requirement (each of which provides an exception for systems compliance issues that have no or de minimis impacts on an SCI entity's operations or market participants) will help to focus the Commission's and SCI entities' resources on those systems compliance issues with more significant impacts. In addition, by not including a materiality threshold within the definition, SCI entities will be required to assess, take corrective action, and keep records of all systems compliance issues, some of which may initially seem to have little or no impact, but which may later prove to be the cause of significant systems compliance issues at the SCI entity. The Commission notes that all SCI entities are required to comply with the Exchange Act, the rules and regulations thereunder, and their own rules, as applicable. Therefore, even if an SCI entity determines that a systems compliance issue has no or a de minimis impact, the Commission believes that it is important that it have ready access to records regarding such de minimis systems compliance issues to allow it to more effectively oversee SCI entities' compliance with the Exchange Act and relevant rules. An SCI entity's records of de minimis systems compliance issues may also be useful to the Commission in that they may, for example, aid the Commission in identifying areas of potential weaknesses, or persistent or recurring problems, at an SCI entity or across multiple SCI entities. This information also would permit the Commission and its staff to issue industry alerts or guidance if appropriate. In addition, this information would allow the Commission and its staff to review SCI entities' classification of events as de minimis systems compliance issues. --------------------------------------------------------------------------- \418\ See supra notes 406-407 and 409 and accompanying text. \419\ See supra note 408. \420\ See Rule 1002(b)(5) and infra Section IV.B.3.c (discussing the Commission notification requirement for SCI events and the exclusion for de minimis systems compliance issues). See also Rule 1002(c)(4) and infra Section IV.B.3.d (discussing the information dissemination requirement for certain SCI events, but excluding de minimis systems compliance issues). --------------------------------------------------------------------------- Finally, the Commission believes that, even without adopting a materiality threshold, the adopted definition of SCI systems, as described in Section IV.A.2 above, further focuses the scope of the definition of systems compliance issue. With respect to a commenter's concern that any report regarding a systems compliance issue would be an admission of a violation and thus create a risk of enforcement action or other liability,\421\ the Commission notes that the Commission notification requirement is not triggered until a responsible SCI personnel has a reasonable basis to conclude that a systems compliance issue has occurred.\422\ The Commission acknowledges that it could consider the information provided to the Commission in determining whether to initiate an enforcement action. However, the Commission notes that the occurrence of a systems compliance issue also does not necessarily mean that the SCI entity will be subject to an enforcement action. Rather, the Commission will exercise its discretion to initiate an enforcement action if the Commission determines that action is warranted, based on the particular facts and circumstances of an individual situation.\423\ With respect to the potential for other types of liability as suggested by this commenter, many entities that fall within the definition of SCI entity already currently disclose to the Commission and their members or participants certain information regarding systems issues, including issues that may potentially give rise to liability.\424\ Moreover, the Commission recognizes that compliance with Regulation SCI will increase the amount of information about SCI events available to the Commission and SCI entities' members and participants, and that the greater availability of this information has some potential to increase litigation risks for SCI entities, including the risk of private civil litigation. The Commission believes that the value of disclosure to the Commission, market participants and investors justifies the potential increase in litigation risk. Moreover, the Commission notes that, to the extent members and participants or the public suffer damages when SCI events occur, SCI entities are already subject to litigation risk. --------------------------------------------------------------------------- \421\ See supra note 405 and accompanying text. \422\ See supra Section IV.B.3.a (discussing the triggering standard). \423\ See, e.g., infra notes 626-628 and accompanying text. \424\ See supra Section II.B (discussing recent events related to systems issues). --------------------------------------------------------------------------- As adopted, Rule 1000 defines ``systems compliance issue'' as ``an event at an SCI entity that has caused any SCI system of such entity to operate in a manner that does not comply with the Act and the rules and regulations thereunder or the entity's rules or governing documents, as applicable.'' As noted in the SCI Proposal, a systems compliance issue could, for example, occur when a change to an SCI system is made by information technology staff, without the knowledge or input of regulatory staff, that results in the system operating in a manner that does not comply with the Act and rules thereunder or the entity's rules and other governing documents.\425\ For an SCI SRO, systems compliance issues would include SCI systems operating in a manner that does not comply with the SCI SRO's rules as defined in the Act and the rules thereunder.\426\ For a plan processor, systems compliance issue would include SCI systems operating in a manner that does not comply with an applicable effective national market system plan. For an SCI ATS or exempt clearing agency subject to ARP, a systems compliance issue would include SCI systems operating in a manner that does not comply with documents such as subscriber agreements and any rules provided to subscribers and users and, for an ATS, described in its Form ATS filings with the Commission.\427\ --------------------------------------------------------------------------- \425\ See Proposing Release, supra note 13, at 18103. \426\ The rules of an SCI SRO include, among other things, its constitution, articles of incorporation, and bylaws. See 15 U.S.C. 78c(a)(27)-(28). See also 17 CFR 240.19b-4(c). \427\ Subscriber agreements and other similar documents that govern operations of SCI ATSs and exempt clearing agencies subject to ARP are generally not publicly available, but are typically provided to subscribers and users of such entities. See 17 CFR 242.301(b) for a description of the filing requirements for ATSs. --------------------------------------------------------------------------- c. Systems Intrusion Proposed Rule 1000(a) defined ``systems intrusion'' as ``any unauthorized entry into the SCI systems or SCI security systems of an SCI entity.'' \428\ The proposed definition is being adopted as proposed, with one technical modification to replace the term ``SCI security systems'' with ``indirect SCI systems.'' \429\ --------------------------------------------------------------------------- \428\ See proposed Rule 1000(a) and Proposing Release, supra note 13, at Section III.B.3.c. \429\ See supra Section IV.A.2.d (discussing the definition of ``indirect SCI systems''). --------------------------------------------------------------------------- While one commenter noted its general support for the inclusion of systems intrusions within the scope of [[Page 72288]] Regulation SCI,\430\ this commenter and others stated that the proposed definition was too broad or vague.\431\ Several commenters asserted that the proposed definition would capture too many insignificant and minor incidents.\432\ Some commenters recommended limiting the definition to material systems intrusions, and offered various suggestions for how to do so.\433\ --------------------------------------------------------------------------- \430\ See NYSE Letter at 15. \431\ See, e.g., NYSE Letter at 15; BATS Letter at 12; DTCC Letter at 7; Omgeo Letter at 11; SIFMA Letter at 10-11; and Joint SROs Letter at 7. \432\ See, e.g., BATS Letter at 12; DTCC Letter at 7; Omgeo Letter at 11; SIFMA Letter at 10-11; and Joint SROs Letter at 7. \433\ See, e.g., NYSE Letter at 15 (recommending that the definition include only major intrusions that pose a plausible risk to the trading, routing, or clearance and settlement operations of the exchange or to required market data transmission); Omgeo Letter at 11-12 (expressing concern that the definition did not contain a reference to the materiality of an intrusion, nor the intrusion's impact on markets or market participants); DTCC Letter at 7 (suggesting that the definition capture only unauthorized entries where the SCI entity has reason to believe such entry could materially impact its ability to perform its core functions or critical operations); Joint SROs Letter at 7 (stating that the definition should include only those intrusions that the SCI entity reasonably estimated would result in significant harm or loss to market participants); FINRA Letter at 18 (arguing that only intrusions that have a material impact on the SCI system or a direct impact on the market or market participants should be included); and OCC Letter at 13 (suggesting, as an alternative to a ``risk-based'' approach, that the definition be limited to any unauthorized entry into the SCI systems or SCI security systems of an SCI entity, which the SCI entity reasonably believes may materially impact its ability to perform its core functions or critical operations). --------------------------------------------------------------------------- One commenter stated that the proposed definition was overbroad because it would include both intentional and unintentional conduct, as well as events that have no adverse impact.\434\ Another commenter also stated that the definition should be modified to make clear that an intrusion that is inadvertent would not qualify as a systems intrusion.\435\ This commenter further stated that a systems intrusion should be limited to unauthorized access to confidential information or to the SCI systems of an SCI entity that materially disrupts the operations of such systems.\436\ Another commenter suggested that the definition focus on the unauthorized control of the confidentiality, integrity, or availability of an SCI system and/or its data.\437\ --------------------------------------------------------------------------- \434\ See, e.g., BATS Letter at 12. \435\ See SIFMA Letter at 11. \436\ See id. \437\ See NYSE Letter at 15. --------------------------------------------------------------------------- Some commenters noted that the proposed definition of systems intrusion did not take into account the multi-layered nature of today's technology systems. Two commenters stated that the multi-layered protections of systems architecture are designed to anticipate intrusions into the outer layer without material risk or impact, thus intrusions into such a peripheral system should not constitute a systems intrusion under the rule.\438\ --------------------------------------------------------------------------- \438\ See SIFMA Letter at 11; and Omgeo Letter at 12. The Commission discusses below the comments that advocated greater Commission use of FS-ISAC for reporting systems intrusions. --------------------------------------------------------------------------- Several commenters stated that only successful systems intrusions should be covered in the definition.\439\ One commenter suggested that this concept be made explicit in the rule text by adding the term ``successful'' to the definition.\440\ Two commenters, while supporting the inclusion of only successful systems intrusions in the definition, pointed out the value of sharing information regarding unsuccessful systems intrusions, stating that this practice already occurs today among SCI entities, their regulators, and appropriate law enforcement agencies.\441\ --------------------------------------------------------------------------- \439\ See BIDS Letter at 17; SIFMA Letter at 11; NYSE Letter at 15; DTCC Letter at 8. \440\ See NYSE Letter at 15. \441\ See BIDS Letter at 17; and DTCC Letter at 8. --------------------------------------------------------------------------- As adopted, Rule 1000 defines ``systems intrusion'' to mean ``any unauthorized entry into the SCI systems or indirect SCI systems of an SCI entity.'' This definition is intended to cover any unauthorized entry into SCI systems or indirect SCI systems, regardless of the identity of the person committing the intrusion (whether they are outsiders, employees, or agents of the SCI entity), and regardless of whether or not the intrusion was part of a cyber attack, potential criminal activity, or other unauthorized attempt to retrieve, manipulate, or destroy data, or access or disrupt systems of SCI entities. Thus, for example, this definition is intended to cover the introduction of malware or other attempts to disrupt SCI systems or indirect SCI systems provided that such systems were actually breached. In addition, the definition is intended to cover unauthorized access, whether intentional or inadvertent, by employees or agents of the SCI entity that resulted from weaknesses in the SCI entity's access controls and/or procedures. In response to comments, the Commission emphasizes that the definition of systems intrusion does not include unsuccessful attempts at unauthorized entry because an unsuccessful systems intrusion is much less likely to disrupt the systems of an SCI entity than a successful intrusion. The Commission believes that it is unnecessary and redundant to specifically state in the definition of systems intrusion that unauthorized entries must be ``successful'' because the term ``entry'' incorporates the concept of successfully gaining access to an SCI system or indirect SCI system. Further, the Commission is not incorporating a materiality threshold for the definition of systems intrusion or otherwise limiting the definition of systems intrusion to only those systems intrusions that are major or significant as requested by some commenters. The Commission believes that, even without adopting a materiality threshold, the adopted definitions of SCI systems and indirect SCI systems further focus the scope of the definition of systems intrusion. Further, because any unauthorized entry into an SCI system or indirect SCI system is a security breach of which the Commission, having responsibility for oversight of the U.S. securities markets, should be notified, the Commission is not including a materiality threshold. In addition, as discussed below, the requirements of Regulation SCI are tiered in a manner that the Commission believes is responsive to commenters' concerns regarding the breadth of the definition of systems intrusion.\442\ By not including a materiality threshold within the definition, SCI entities will be required to assess, take corrective action, and keep records of all systems intrusions, some of which may initially seem insignificant to an SCI entity, but which may later prove to be the cause of significant systems issues at the SCI entity. An SCI entity's records of de minimis systems intrusions may also be useful to the Commission in that they may, for example, aid the Commission in identifying patterns of de minimis systems intrusions that together might result in a more impactful SCI event, either at an SCI entity or across a group of SCI entities, or circumstances in which a systems intrusion causes de minimis systems issues for one particular SCI entity but results in significant issues for another SCI entity. The Commission also believes that the ability to view de minimis systems intrusions in the aggregate and across multiple SCI entities is important to allow the Commission and its staff to be able to gather information about trends related to such systems intrusions that could not otherwise be properly discerned. Information about trends will [[Page 72289]] assist the Commission in fulfilling its oversight role by keeping Commission staff informed about the nature and frequency of the types of de minimis systems intrusions that SCI entities encounter. Moreover, information about trends and notifications of de minimis systems intrusions generally can also inform the Commission of areas of potential weaknesses, or persistent or recurring problems, across SCI entities and also should help the Commission better focus on common types of systems intrusions or issues with certain types of SCI systems across SCI entities. This information also would permit the Commission and its staff to issue industry alerts or guidance if appropriate. In addition, this information would allow the Commission and its staff to review SCI entities' classification of events as de minimis systems intrusions. --------------------------------------------------------------------------- \442\ See Rule 1002(b)(5) and infra Section IV.B.3.c (discussing the Commission notification requirement for SCI events and requiring a quarterly summary report for de minimis systems intrusions). See also Rule 1002(c)(4) and infra Section IV.B.3.d (discussing information dissemination requirement for certain SCI events, but excluding de minimis systems intrusions). --------------------------------------------------------------------------- The Commission also is not distinguishing between intentional and unintentional systems intrusions, as suggested by some commenters.\443\ The Commission acknowledges that intentional systems intrusions may result in more severe disruptions to the systems of an SCI entity than unintentional or inadvertent intrusions. On the other hand, the Commission believes that it should be notified of successful unintentional or inadvertent systems intrusions because they can still indicate weaknesses in a system's security controls. To the extent that these systems intrusions have no or a de minimis impact on the SCI entity's operations or on market participants, they will only be subject to a quarterly reporting requirement and will be excepted from the information dissemination requirement.\444\ --------------------------------------------------------------------------- \443\ See supra notes 434-435 and accompanying text. \444\ See Rule 1002(b)(5) and infra Section IV.B.3.c (discussing the Commission notification requirement for SCI events and requiring a quarterly summary report for de minimis systems intrusions). See Rule 1002(c)(4), and infra Sections IV.B.3.d (discussing the information dissemination requirements for certain SCI events, but excluding de minimis systems intrusions). --------------------------------------------------------------------------- Additionally, the Commission does not agree that the definition of systems intrusion should be limited to unauthorized access to confidential information \445\ or should be focused on the unauthorized control of the confidentiality, integrity, or availability of an SCI system and/or its data \446\ because the Commission believes that these modifications would create a definition that would limit the Commission's ability to be aware of events that fall outside the limited definition that commenters suggested but that could, for example, have industry-wide implications. Similarly, with respect to the comment that intrusions into a peripheral system should not constitute a systems intrusion because the multi-layered protections of systems architecture are designed to anticipate intrusions into the outer layer and help prevent material risk or impact,\447\ the Commission believes that its discussion of indirect SCI systems in Section IV.A.2.d above responds to commenters' concerns by explaining that systems intrusions into an indirect SCI system could cause or increase the likelihood of an SCI event with respect to an SCI system. And to the extent a system intrusion occurs with respect to an SCI system or indirect SCI system but the SCI entity's multi-layered systems architecture helps prevent material risk or impact, the Commission notes that de minimis systems intrusions (if such a system intrusion was determined to be de minimis) would be subject to less frequent Commission reporting requirements and would not be subject to the information dissemination requirements. --------------------------------------------------------------------------- \445\ See supra note 436 and accompanying text. \446\ See supra note 437 and accompanying text. \447\ See supra note 438 and accompanying text. --------------------------------------------------------------------------- B. Obligations of SCI Entities--Rules 1001-1004 Proposed Rules 1000(b)(1)-(9) are renumbered as adopted Rules 1001- 1004. Adopted Rule 1001 corresponds to proposed Rules 1000(b)(1)-(2) and contains the policies and procedures requirements for SCI entities with respect to operational capability and the maintenance of fair and orderly markets (Rule 1001(a)), systems compliance (Rule 1001(b)), and identification and designation of responsible SCI personnel and escalation procedures (Rule 1001(c)).\448\ Adopted Rule 1002 corresponds to proposed Rules 1000(b)(3)-(5) and contains the obligations of SCI entities with respect to SCI events, which include corrective action, Commission notification, and information dissemination. Adopted Rule 1003 corresponds to proposed Rules 1000(b)(6)-(8) and contains requirements relating to material systems changes and SCI reviews. Finally, adopted Rule 1004 corresponds to proposed Rule 1000(b)(9) and contains requirements relating to business continuity and disaster recovery plan testing, including requiring participation of designated members or participants of SCI entities in such testing. --------------------------------------------------------------------------- \448\ The discussion of Rule 1001(c), which relates to the triggering standard for Rule 1002, is discussed below in Section IV.B.3.a. --------------------------------------------------------------------------- 1. Policies and Procedures To Achieve Capacity, Integrity, Resiliency, Availability and Security--Rule 1001(a) a. Proposed Rule 1000(b)(1) Proposed Rule 1000(b)(1) would have required an SCI entity to: (1) Establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, SCI security systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity's operational capability and promote the maintenance of fair and orderly markets; and (2) include certain required elements in such policies and procedures. As proposed, these policies and procedures were required to provide for: (A) The establishment of reasonable current and future capacity planning estimates; (B) periodic capacity stress tests of systems to determine their ability to process transactions in an accurate, timely, and efficient manner; (C) a program to review and keep current systems development and testing methodology; (D) regular reviews and testing of systems, including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters; (E) business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse to ensure next business day resumption of trading and two-hour resumption of clearance and settlement services following a wide-scale disruption; and (F) standards that result in systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data. Proposed Rule 1000(b)(1)(i) also provided that an SCI entity's applicable policies and procedures would be deemed to be reasonably designed if they were consistent with ``current SCI industry standards.'' Proposed Rule 1000(b)(1)(ii) provided that ``current SCI industry standards'' were to be comprised of ``information technology practices that are widely available for free to information technology professionals in the financial sector . . . and issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely [[Page 72290]] recognized organization.'' \449\ The SCI Proposal also included, on ``Table A,'' a list of publications that the Commission had preliminarily identified as examples of current SCI industry standards in each of nine information security domains.\450\ The SCI Proposal stated that an SCI entity, taking into account its nature, size, technology, business model, and other aspects of its business, could, but would not be required to, use the publications listed on Table A to establish, maintain, and enforce reasonably designed policies and procedures that satisfy the requirements of proposed Rule 1000(b)(1).\451\ The SCI Proposal also stated that ``current SCI industry standards'' were not limited to those identified in the publications on Table A and could include other publications meeting the proposed criteria for ``current SCI industry standards.'' \452\ In addition, proposed Rule 1000(b)(1)(ii) stated that compliance with ``current SCI industry standards'' would not be the exclusive means to comply with the requirements of proposed Rule 1000(b)(1).\453\ --------------------------------------------------------------------------- \449\ See Proposing Release, supra note 13, at 18178. \450\ The domains covered in Table A of the SCI Proposal are: application controls; capacity planning; computer operations and production environment controls; contingency planning; information security and networking; audit; outsourcing; physical security; and systems development methodology. See id. at 18111. \451\ See id. at 18110. \452\ See id. at 18110 (stating that an SCI entity could elect standards contained in publications other than those identified on proposed Table A to comply with the rule). \453\ See id. at 18109. --------------------------------------------------------------------------- b. Comments Received on Proposed Rule 1000(b)(1) and Commission Response i. Policies and Procedures Generally--Rules 1001(a)(1) and (3) The Commission received a wide range of comments on proposed Rule 1000(b)(1). With respect to policies and procedures generally, some commenters believed the proposal was too prescriptive.\454\ Several characterized it as a ``one-size-fits-all'' approach that did not adequately take into account differences between SCI entities and SCI entity systems.\455\ Several commenters objecting to the rule as too prescriptive urged that the adopted rule incorporate a risk-based framework, so that SCI entities and/or systems of greater criticality would be required to adhere to a stricter set of policies and procedures than SCI entities and/or systems of lesser criticality.\456\ These commenters maintained that each SCI entity should have discretion to calibrate its policies and procedures based on its own assessment of the criticality of the SCI entity and its systems to market stability, or that the Commission should ``tier'' the obligations of SCI entities or SCI entity systems based on their market function.\457\ --------------------------------------------------------------------------- \454\ See, e.g., Angel Letter at 2, 8; BIDS Letter at 7; FIF Letter at 3-4; Joint SROs Letter at 4; LiquidPoint Letter at 3-4; MFA Letter at 3; and SIFMA Letter at 12-13. \455\ See, e.g., FIF Letter at 3-4; FINRA Letter at 31; Joint SROs Letter at 4; KCG Letter at 2-3, 6-8; Liquidpoint Letter at 3-4; MFA Letter at 3; OCC Letter at 3-4; SIFMA Letter at 12-13; UBS Letter at 2-4; Tellefsen Letter at 13; and BIDS Letter at 2-3, 6-9. \456\ See, e.g., Joint SROs Letter at 4; LiquidPoint Letter at 3; MFA Letter at 3; and SIFMA Letter at 8, 12-13. See also FIF Letter at 4; MSRB Letter at 3; Fidelity Letter at 2; NYSE Letter at 3, 4, 21; FINRA Letter at 13-14; and OCC Letter at 3. \457\ See, e.g., Joint SROs Letter at 4; FINRA Letter at 13-14; MSRB Letter at 3; MFA Letter at 6; NYSE Letter at 3, 4, and 21; SIFMA Letter at 12-13; FIF Letter at 4; Fidelity Letter at 2; and OCC Letter at 3. --------------------------------------------------------------------------- In contrast, some commenters stated that the Commission's proposed approach was too vague or insufficient.\458\ For example, one commenter characterized the minimum elements of policies and procedures in proposed Rule 1000(b)(1)(A)-(F) as ``so vague that they will fail to provide any meaningful improvement in technological systems.'' \459\ Another commenter stated that the proposed scope of required policies and procedures was appropriate, but that further elaboration on the details was warranted.\460\ One commenter stated that the proposed rule lacked adequate discussion of what it means for policies and procedures to be reasonably designed ``to maintain . . . operational capability and promote the maintenance of fair and orderly markets.'' \461\ --------------------------------------------------------------------------- \458\ See Better Markets Letter at 3-5; CAST Letter at 4; CISQ Letter at 2, 5; CISQ2 Letter at 5; and Direct Edge Letter at 4. \459\ See Better Markets Letter at 3. \460\ See CISQ Letter at 2. \461\ See Direct Edge Letter at 4. --------------------------------------------------------------------------- The Commission has carefully considered the views of commenters on its proposed policies and procedures approach to ensuring adequate capacity, integrity, resiliency, availability, and security of SCI systems (and security for indirect SCI systems). The Commission agrees with commenters who stated that requiring SCI entities to have policies and procedures relating to the capacity, integrity, resiliency, availability, and security of SCI systems (and security for indirect SCI systems) should not be a ``one-size-fits-all'' approach and, as discussed in detail below, is therefore clarifying that the adopted rule is consistent with a risk-based approach, as it allows an SCI entity's policies and procedures to be tailored to a particular system's criticality and risk. As noted above, while some commenters characterized the proposed rule as too vague and sought further specificity, others found the rule to be too prescriptive. The Commission believes that the adopted rule provides an appropriate balance between these two opposing concerns by providing a framework that identifies the minimum areas that are required to be addressed by an SCI entity's policies and procedures without prescribing the specific policies and procedures that an SCI entity must follow, or detailing how each element in Rule 1001(a)(2) should be addressed. Given the various types of systems at SCI entities, each of which represent a different level of criticality and risk to each SCI entity and to the securities markets more broadly, the adopted rule seeks to provide flexibility to SCI entities to design their policies and procedures consistent with a risk-based approach, as discussed in further detail below. At the same time, because the Commission believes that additional guidance on how an SCI entity may comply with the rule is warranted in certain areas, the Commission is providing further guidance below. In response to comment, the Commission is adopting Rule 1001(a) with modifications that it believes will better provide SCI entities with sufficient flexibility to develop their policies and procedures to achieve robust systems, while also providing guidance on how an SCI entity may comply with the final rule. Specifically, adopted Rule 1001(a) is modified to: (i) Clarify that the rule is consistent with a risk-based approach that requires more robust policies and procedures for higher-risk systems and provides an SCI entity with flexibility to tailor its policies and procedures to the nature of its business, technology, and the relative criticality of each of its SCI systems; (ii) make clear that an SCI entity's reasonable policies and procedures remain subject to ongoing self-assessment; (iii) provide increased flexibility in the manner in which an SCI entity may satisfy the minimum elements of required policies and procedures; and (iv) revise the criteria for ``current SCI industry standards.'' In addition, proposed Table A is recharacterized and will be issued as staff guidance that will evolve over time. Response to Commenters Advocating a Risk-Based Approach Adopted Rule 1001(a)(1) requires each SCI entity to establish, maintain, and enforce written policies and procedures [[Page 72291]] reasonably designed to ensure that its SCI systems and, for purposes of security standards, indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity's operational capability and promote the maintenance of fair and orderly markets. The text of this part of the rule is largely unchanged from the proposal. Although several commenters expressed concern that the proposed rule would have imposed a ``one-size-fits- all'' approach, requiring all SCI entities to hold all of their SCI systems to the same standards,\462\ this was not the intent of proposed Rule 1000(b)(1), nor is it what adopted Rule 1001(a)(1) requires. By requiring an SCI entity to have policies and procedures ``reasonably designed'' and ``adequate'' to maintain operational capability and promote the maintenance of fair and orderly markets, the adopted rule provides an SCI entity with flexibility to determine how to tailor its policies and procedures to the nature of its business, technology, and the relative criticality of each of its SCI systems.\463\ Although the adopted rule does not assign differing obligations to an SCI entity based on its registration status, or its general market function, as some commenters urged, by allowing each SCI entity to tailor its policies and procedures accordingly, the adopted approach recognizes that there are differences between, and varying roles played by, different systems at various SCI entities. In tandem with the refined definition of ``SCI systems,'' the modified definition of ``SCI security systems'' (adopted as ``indirect SCI systems''), and the new definition of ``critical SCI systems,\464\ adopted Rule 1001(a)(1) explicitly recognizes that policies and procedures that are ``reasonably designed'' and ``adequate'' to maintain operational capability and promote the maintenance of fair and orderly markets for critical SCI systems may differ from those that are ``reasonably designed'' and ``adequate'' to maintain operational capability and promote the maintenance of fair and orderly markets for other SCI systems, or indirect SCI systems. As such, the Commission believes that its adopted approach in Regulation SCI is consistent with a risk-based approach, and that adopted Regulation SCI may result in the systems of certain SCI entities (for example, those that have few or no critical SCI systems) generally being subject to less stringent policies and procedures than the systems of other SCI entities. Thus, a risk assessment is appropriate for an SCI entity to determine how to tailor its policies and procedures for its SCI systems and indirect SCI systems. --------------------------------------------------------------------------- \462\ See supra note 455 and accompanying text. \463\ See Proposing Release, supra note 13, at 18109 (stating: ``The Commission intends to . . . provide SCI entities sufficient flexibility, based on the nature, size, technology, business model, and other aspects of their business, to identify appropriate policies and procedures that would meet the articulated standard, namely that they be reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability, and security adequate to maintain the SCI entity's operational capability and promote the maintenance of fair and orderly markets.''). \464\ As a result of these changes, the adopted rule applies to fewer systems than as proposed, and only to those types of systems that the Commission believes pose significant risk to market integrity if not adequately safeguarded. --------------------------------------------------------------------------- The Commission also believes that requiring an SCI entity to tailor its policies and procedures so that they are reasonably designed and adequate will entail that an SCI entity assess the relative criticality and risk of each of its SCI systems and indirect SCI systems. Evaluation of the risk posed by any particular SCI system to the SCI entity's operational capability and the maintenance of fair and orderly markets will be the responsibility of the SCI entity in the first instance. The Commission believes this approach will achieve the goal of improving Commission review and oversight of U.S. securities market infrastructure, but will do so within a more focused framework than as proposed. By being subject to requirements for a more targeted set of SCI systems, and guided by consideration of the relative risk of each of its SCI systems, SCI entities may more easily determine how to allocate their resources to achieve compliance with the regulation than they would have under the proposed regulation. As noted above, one commenter urged the Commission to discuss what it means for policies and procedures to be reasonably designed ``to maintain . . . operational capability and promote the maintenance of fair and orderly markets.'' \465\ This commenter characterized the proposed standard of ``maintaining operational capability'' as an ``introspective standard relevant to the applicable SCI entity,'' and the proposed standard of ``promoting the maintenance of fair and orderly markets'' as implying ``some incremental responsibility to the collective market.'' \466\ The Commission agrees with this commenter's characterization and believes that it is appropriate for SCI entities to assess the risk of their systems taking into consideration both objectives, which are related and complementary.\467\ Specifically, the Commission believes that it is important that an SCI entity's policies and procedures are reasonably designed to ensure its own operational capability, including the ability to maintain effective operations, minimize or eliminate the effect of performance degradations, and have sufficient backup and recovery capabilities. At the same time, an SCI entity's own operational capability can have broader effects and, as entities that play a significant role in the U.S. securities markets and/or have the potential to impact investors, the overall market, or the trading of individual securities,\468\ the Commission believes that the policies and procedures should also be reasonably designed to promote the maintenance of fair and orderly markets. --------------------------------------------------------------------------- \465\ See supra note 461 and accompanying text. \466\ See Direct Edge Letter at 4. \467\ The Commission notes that the identification of ``critical SCI systems'' in Regulation SCI emphasizes that some systems pose greater risk than others to the maintenance of fair and orderly markets if they malfunction, and that it is appropriate for an SCI entity to consider the risk to other SCI entities and market participants in the event of a systems malfunction. \468\ See supra note 59 and accompanying text. --------------------------------------------------------------------------- Periodic Review Some commenters expressed concern that, when an SCI entity's policies and procedures fail to prevent an SCI event, the Commission might use such failure as the basis for an enforcement action, charging that the policies and procedures were not reasonable.\469\ One commenter suggested that the Commission's focus should be on an entity's adherence to its own set of policies and procedures, developed based on ``experience, annual SCI reviews, and other inputs,'' rather than a ``set of generic standards.'' \470\ --------------------------------------------------------------------------- \469\ See, e.g., BATS Letter at 3-4; Angel Letter at 2; and FSR Letter at 5. See also ITG Letter at 14 (stating that no set of policies and procedures could guarantee perfect operational compliance); and NYSE Letter at 32 (urging inclusion of a good faith safe harbor). \470\ See FIF Letter at 4. --------------------------------------------------------------------------- In response to these comments, the Commission notes that the reasonably designed policies and procedures approach taken in adopted Rule 1001(a) does not require an entity to guarantee flawless systems. But the Commission believes it should be understood to require diligence in maintaining a reasonable set of policies and procedures that keeps pace with changing technology and circumstances and does not become outdated over time. The Commission is therefore adopting a requirement for periodic review by an SCI entity of the effectiveness of its policies and procedures required by Rule 1001(a), and prompt action by the SCI entity to [[Page 72292]] remedy deficiencies in such policies and procedures.\471\ An SCI entity will not be found to be in violation of this maintenance requirement solely because it failed to identify a deficiency in its policies and procedures immediately after the deficiency occurred if the SCI entity takes prompt action to remedy the deficiency once it is discovered, and the SCI entity had otherwise reviewed the effectiveness of its policies and procedures and took prompt action to remedy those deficiencies that were discovered, as required by Rule 1001(a)(3). --------------------------------------------------------------------------- \471\ See Rule 1001(a)(3). --------------------------------------------------------------------------- Further, the occurrence of a systems disruption or systems intrusion will not necessarily mean that an SCI entity has violated Rule 1001(a), or that it will be subject to an enforcement action for violation of Regulation SCI. The Commission will exercise its discretion to initiate an enforcement action if the Commission determines that such action is warranted, based on the particular facts and circumstances. While a systems problem may be probative as to the reasonableness of an SCI entity's policies and procedures, it is not determinative. ii. Minimum Elements of Reasonable Policies and Procedures--Rule 1001(a)(2) Proposed Rule 1000(b)(1)(i) would have required that an SCI entity's policies and procedures provide for, at a minimum: (A) The establishment of reasonable current and future capacity planning estimates; (B) periodic capacity stress tests of systems to determine their ability to process transactions in an accurate, timely, and efficient manner; (C) a program to review and keep current systems development and testing methodology; (D) regular reviews and testing of systems, including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters; (E) business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse to ensure next business day resumption of trading and two-hour resumption of clearance and settlement services following a wide-scale disruption; and (F) standards that result in systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data. References to ``systems'' in the proposed rule were to the proposed definition of SCI systems, and with respect to security standards only, the proposed definition of SCI security systems. Adopted Rule 1001(a)(2) includes the items formerly proposed as Rules 1001(b)(1)(i)(A)-(F) as renumbered Rules 1001(2)(i)-(vi) and a new item (vii), relating to monitoring of SCI systems. Proposed items (A), (D), and (E) are revised in certain respects in response to comment. In addition, the Commission discusses below each of the adopted provisions of Rule 1001(a)(2) in the context of the adopted definitions of SCI systems and indirect SCI systems, where relevant.\472\ --------------------------------------------------------------------------- \472\ In particular, the Commission is adopting the language of items (B) and (C) as proposed (renumbered as Rule 1001(a)(2)(ii) and (iii), respectively) but elaborates on the scope of these provisions, as well as the scope of revised item (D) (renumbered as Rule 1001(a)(2)(iv)) and in the context of the adopted definitions of SCI systems and indirect SCI systems. --------------------------------------------------------------------------- Capacity Planning The SCI Proposal stated that policies and procedures for the establishment of reasonable current and future capacity planning (proposed item (A)) would help an SCI entity determine its systems' ability to process transactions in an accurate, timely, and efficient manner, and thereby help ensure market integrity.\473\ One commenter expressed support for the requirement in proposed item (A),\474\ and another commenter recommended that proposed item (A) be revised to make clear that SCI entity capacity planning estimates apply to ``technology infrastructure'' capacity, as opposed to capacity with respect to non- technology infrastructure of an SCI entity.\475\ Because the Commission intended proposed item (A) to relate to capacity planning for SCI systems, rather than capacity planning more broadly (for example, in relation to an SCI entity's office space), the Commission is including this suggested clarification in adopted Rule 1001(a)(2)(i), and thus requires that an SCI entity's policies and procedures include the establishment of reasonable current and future technology infrastructure capacity planning estimates. --------------------------------------------------------------------------- \473\ See Proposing Release, supra note 13, at 18107. \474\ See MSRB Letter at 9. \475\ See DTCC Letter at 14-15. The Commission also received comments in regard to capacity planning as it relates to proposed industry standards on the capacity planning domain set out in proposed Table A. See, e.g., infra note 580 and accompanying text. --------------------------------------------------------------------------- Stress Testing A few commenters raised concerns about proposed item (B), which required periodic capacity stress tests.\476\ Some of these commenters urged that the adopted rule provide an SCI entity with flexibility to determine, using a risk-based assessment, when capacity stress tests are appropriate.\477\ Others suggested that capacity stress tests be required in specified circumstances or time frames, such as when new capabilities are released into production,\478\ whenever required system capacity increases by 10 percent, on a quarterly basis, or in conjunction with any material systems change.\479\ One commenter suggested that SCI entities should supplement dynamic stress and load testing with static analysis, a technique used to help uncover structural weaknesses in software.\480\ In proposing item (B), the Commission intended for SCI entities to engage in a careful risk-based assessment (as suggested by some commenters) \481\ of its SCI systems to determine when to stress test its systems.\482\ Rule 1001(a)(2)(ii), as adopted, affords SCI entities the flexibility to consider the factors suggested by commenters, as appropriate for their specific systems and circumstances.\483\ The adopted rule does not prescribe a particular frequency or trigger for stress testing; however, because the Commission believes that, in light of the variability in SCI systems, an SCI entity's experience with its particular systems [[Page 72293]] and assessment of risk in this area will dictate when capacity stress testing is warranted. The requirement for periodic capacity stress tests of systems to determine their ability to process transactions in an accurate, timely, and efficient manner is therefore adopted as proposed as Rule 1001(a)(2)(ii). --------------------------------------------------------------------------- \476\ See, e.g., CISQ Letter at 5; DTCC Letter at 14; Lauer Letter at 6; MSRB Letter at 9; OCC Letter at 10; and SIFMA Letter at 12. \477\ See DTCC Letter at 14; and OCC Letter at 10. See also SIFMA Letter at 12 (suggesting that periodic capacity monitoring would be more appropriate and cost-effective than periodic capacity stress testing). \478\ See MSRB Letter at 9. \479\ See Lauer Letter at 6. \480\ See CISQ Letter at 5. See also infra notes 491 and 497, and 498 and accompanying text (further discussing this comment and the commenter's views on the value of assessing the structural quality of software). \481\ See supra note 477 and accompanying text. \482\ In response to the commenter that suggested periodic capacity monitoring would be more appropriate and cost-effective than periodic capacity stress testing, see supra note 477 and accompanying text, the Commission believes that such monitoring is appropriate and may play an important role in an SCI entity's assessing when to stress tests its systems. However, the Commission continues to believe that stress testing is necessary to help an SCI entity determine its systems' ability to process transactions in an accurate, timely, and efficient manner, and thereby help ensure market integrity. See Proposing Release, supra note 13, at 18107. While monitoring may be a cost-effective method to determine when a stress test is warranted, the Commission does not believe monitoring alone will be an effective substitute for stress testing, which, unlike monitoring, is designed to challenge systems capacity. \483\ See supra notes 478-479 and accompanying text. --------------------------------------------------------------------------- Systems Development and Testing Methodology In the SCI Proposal, the Commission explained that proposed item (C), which would require SCI entities to have policies and procedures for a ``program to review and keep current systems development and testing methodology,'' would help an SCI entity monitor and maintain systems capacity and availability.\484\ The Commission is adopting the language of this item as proposed as Rule 1001(a)(2)(iii). --------------------------------------------------------------------------- \484\ See Proposing Release, supra note 13, at 18107. --------------------------------------------------------------------------- Two commenters supported this requirement as proposed.\485\ Another commenter argued that sufficient controls were in place with respect to production systems, as proposed, and therefore that separate policies and procedures specifically for the development and testing environment would be unnecessary and duplicative.\486\ This commenter added that, if development and testing systems were not excluded from the definition of SCI systems altogether, then the policies and procedures requirements regarding systems development and testing methodology should not apply separately to these environments. The Commission agrees with this comment, and believes it logically follows that policies and procedures requiring a program to review and keep current systems development and testing methodology for SCI systems, and indirect SCI systems, as applicable, are important if development and testing systems are excluded from the definition of SCI systems, as they are under the adopted regulation.\487\ An SCI entity's systems development and testing methodology is a core part of the systems development life cycle for any SCI system. Therefore, the Commission believes that if an SCI entity did not have a program to review and keep current systems development and testing methodology for SCI systems, and indirect SCI systems, as applicable, its ability to assess the capacity, integrity, reliability, availability and security of its SCI systems and indirect SCI systems, as applicable, would be undermined. In complying with this adopted requirement, an SCI entity may wish to consider how closely its testing environment simulates its production environment; whether it designs, tests, installs, operates, and changes SCI systems through use of appropriate development, acquisition, and testing controls by the SCI entity and/or its third- party service providers, as applicable; whether it identifies and corrects problems detected in the development and testing stages; whether it verifies change implementation in the production stage; whether development and test environments are segregated from SCI systems in production; and whether SCI entity personnel have adequately segregated roles between the development and/or test environment, and the production environment. --------------------------------------------------------------------------- \485\ See CISQ Letter at 2; and MSRB Letter at 9. \486\ See FINRA Letter at 12. \487\ See supra Section IV.A.2.b (discussing the definition of ``SCI systems''). Because development and testing systems are not part of the adopted definition of ``SCI systems,'' systems issues with regard to development and testing systems would not be subject to the requirements of adopted Rule 1002 relating to corrective action, Commission notification, and dissemination of information on SCI events; or Rule 1003(a) regarding notification of systems changes. --------------------------------------------------------------------------- Reviews of SCI Systems and Indirect SCI Systems The SCI Proposal explained that proposed item (D), which would have required an SCI entity to establish, maintain, and enforce policies and procedures to review and test regularly SCI systems (and SCI security systems, as applicable), including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters, would assist an SCI entity in ascertaining whether such systems are and remain sufficiently secure and resilient.\488\ Proposed item (D) garnered a range of comments. Some commenters addressing this item focused on internal SCI entity testing,\489\ whereas others focused more broadly on industry-wide testing and testing of backup systems.\490\ --------------------------------------------------------------------------- \488\ See Proposing Release, supra note 13, at 18107. \489\ See, e.g., CAST Letter at 4; CISQ Letter at 3-7; FIA PTG Letter at 4; Lauer Letter at 6; and MSRB Letter at 10. \490\ See, e.g., Angel Letter at 2; CoreOne Letter at 3-5; DTCC Letter at 13; FIA PTG Letter at 2; FIX Letter at 1-2; Tradebook Letter at 1-4; UBS Letter at 4; and CISQ Letter at 6. See also infra Section IV.B.6 (discussing adopted Rule 1004, requiring business continuity and disaster recovery testing, including required participation of designated members or participants of SCI entities in such testing). --------------------------------------------------------------------------- With respect to comments on internal testing, one commenter suggested that the proposed requirement be expanded beyond testing to cover a range of ``quality assurance activities'' with each release of software into production.\491\ Two commenters advocated for requiring an SCI entity to focus on identifying structural deficiencies, which they stated pose much greater risks than functional deficiencies.\492\ A few commenters urged that groups independent of the team that designed and developed the systems should be involved in testing to offer a diverse perspective.\493\ One of these commenters further suggested that enforcement of the policies governing development and testing activities should be conducted by a ``process audit'' role that evaluates compliance with policies, provides guidance to development and testing teams on how to comply, and reports on compliance to senior management.\494\ --------------------------------------------------------------------------- \491\ See CISQ Letter at 3-7 (encouraging the Commission to require quality assurance activities other than testing, including that an SCI entity evaluate and measure the structural quality of its SCI systems because ``the attributes of an SCI system most critically affecting its capacity, integrity, resiliency, availability, and security are predominantly structural (engineering) rather than functional (correctness)''). \492\ See CAST Letter at 4; and CISQ Letter at 3-7. \493\ See, e.g., CISQ Letter at 7; and Lauer Letter at 6. \494\ See CISQ Letter at 7. This commenter further recommended that such process audits be conducted at least annually for each SCI system, and more often for SCI systems with operational problems, a record of non-compliance, or those being developed, tested, or operated by an inexperienced staff, and stated that process auditors who perform a mentoring role to software teams have proven a cost- effective mechanism for on-the-job training. --------------------------------------------------------------------------- After careful consideration of the comments, the Commission is adopting this provision with modifications as Rule 1001(a)(2)(iv). Specifically, adopted Rule 1001(a)(2)(iv) requires an SCI entity's reasonably designed policies and procedures to include ``[r]egular reviews and testing, as applicable, of [its SCI systems and, for purposes of security standards, indirect SCI systems], including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters.'' As adopted, this provision will afford an SCI entity greater flexibility, through the addition of the phrase ``as applicable,'' to determine how to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters. Specifically, the adopted rule replaces the proposed rule's requirement that an SCI entity conduct ``regular reviews and testing'' of relevant systems (including backup systems) with a more flexible requirement that an SCI entity conduct ``regular reviews and [[Page 72294]] testing, as applicable'' of relevant systems, including backup systems. In response to some commenters' concerns that the proposed requirement focused too much on regular testing and not enough on other methods to assess systems operation,\495\ the adopted rule provides an SCI entity the flexibility to determine an assessment methodology that would be most appropriate for a given system, or particular functionality of a system. Thus, consistent with commenters' views, the adopted provision does not specifically require both regular reviews and regular testing in connection with an SCI entity's identification of vulnerabilities. Instead, the provision requires reviews or testing (or both) to occur as applicable, so long as the approach is effective to identify vulnerabilities in SCI systems, and indirect SCI systems, as applicable. --------------------------------------------------------------------------- \495\ See supra notes 491-492 and accompanying text. --------------------------------------------------------------------------- While Rule 1001(a)(2)(iv) specifically identifies reviews and testing as means to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters, it does not dictate the precise manner or frequency of reviews and testing, and does not prohibit an SCI entity from determining that there are methods other than reviews and testing that may be effective in identifying vulnerabilities. For example, reviews and testing would each be one of the methods that an SCI entity could employ, and each SCI entity would be able to determine which method(s) are most appropriate for each SCI system (or indirect SCI system, as applicable) or particular functionality of a given system, as well as the frequency with which such method(s) should be employed.\496\ In addition, in response to commenters advocating that SCI entities should focus on identifying structural vulnerabilities or weaknesses,\497\ an SCI entity may also find it useful to conduct reviews of its software and systems architecture and design to assess whether they have flaws or dependencies that constitute structural risks that could pose a threat to SCI systems' operational capability.\498\ Likewise, an inspection by an SCI entity of its physical premises may be a method of assessing some of the vulnerabilities listed in the rule (such as physical hazards). --------------------------------------------------------------------------- \496\ Rule 1001(a)(2)(iv) would also permit an SCI entity to engage personnel independent of the team that designed and developed the systems in testing, or to employ a process audit role, to comply with this requirement, as some commenters suggested. See supra notes 493-494 and accompanying text. Like other methods of review and testing, such engagements could identify vulnerabilities in a number of ways, such as through assessments of the SCI entity's compliance with applicable standards, its risk management and control framework, or its use of resources. In response to the comment suggesting that process audits be conducted at least annually for each SCI system, and more often for SCI systems with operational problems, a record of non-compliance, or those being developed, tested, or operated by an inexperienced staff, the Commission notes that Rule 1001(a)(2)(iv) does not specify the precise manner or frequency of reviews and tests. Rather, Rule 1001(a)(2)(iv) provides flexibility to an SCI entity in determining the precise manner and frequency of reviews and/or tests. For example, an SCI entity could determine that, in order for its policies and procedures to be reasonably designed, as required by Rule 1001(a), its policies and procedures should provide that process audits be conducted at least annually for some SCI systems, and more frequently for certain other SCI systems. \497\ See supra note 492 and accompanying text. \498\ As noted by one commenter, static analysis could be a technique SCI entities could choose to utilize to help uncover structural weaknesses in software. See supra note 480 and accompanying text. --------------------------------------------------------------------------- Business Continuity and Disaster Recovery Proposed item (E) would have required an SCI entity to have business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse to ensure next business day resumption of trading and two-hour resumption of clearance and settlement services following a wide-scale disruption. The Commission received significant comment on this aspect of the proposal, with several commenters questioning or challenging the principle that securities market infrastructure resilience is achieved by requiring both geographic diversity and specific recovery times for the backup and recovery capabilities of all SCI entities.\499\ Although several commenters were supportive of the broad goals of the proposed requirement,\500\ others maintained that, because the national market system has built-in redundancies, the proposed geographic diversity and resumption requirements need not apply to all SCI entities to ensure securities market resilience.\501\ Some of these commenters urged that the specific redundancy requirement implicit in the proposed geographic diversity provision should apply to a more limited set of SCI entities.\502\ In addition, some commenters stated that proposed time frames were too inflexible.\503\ --------------------------------------------------------------------------- \499\ See, e.g., BIDS Letter at 8; FIA PTG Letter at 4; FIF Letter at 3; Group One Letter at 2-3; KCG Letter at 6-8, 11-14; FINRA Letter at 35-36; Angel Letter at 12; and ITG Letter at 15. \500\ See Direct Edge Letter at 4; FINRA Letter at 35; ISE Letter at 2; and MSRB Letter at 10. \501\ See, e.g., BIDS Letter at 8; FIA PTG Letter at 4; FIF Letter at 3; Group One Letter at 2-3; and KCG Letter at 6-8, 11-14. According to these commenters, because of the ease with which market participants are able to shift their order flow when there is an issue at one or more markets, the proposed requirements are burdensome and unnecessary. See also Angel Letter at 12 (stating that, if an exchange experiences an issue, other exchanges have more than enough capacity to handle the trading volume, and suggesting that it is not necessary for each exchange to have totally redundant backup facilities if the market network as a whole has sufficient capacity). \502\ See, e.g., FIA PTG Letter at 4. See also supra note 53 and accompanying text. \503\ See, e.g., SIFMA Letter at 13; and Joint SROs Letter at 17. --------------------------------------------------------------------------- The Commission has carefully considered commenters' views and is revising this provision from the proposal to: (i) Specify that the stated recovery timeframes in Regulation SCI are goals, rather than inflexible requirements; \504\ and (ii) provide that the stated two- hour recovery goal applies to critical SCI systems generally. In addition, the Commission is adopting the geographic diversity requirement, which does not specify any minimum distance for an SCI entity's backup and recovery facilities, as proposed. As explained below, the Commission continues to believe that geographic diversity of physical facilities is an important component of every SCI entity's BC/ DR plan. --------------------------------------------------------------------------- \504\ See Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial Systems, Securities Exchange Act Release No. 47638 (April 7, 2003), 68 FR 17809, 17812 (April 11, 2003) (``Interagency White Paper''), stating: ``Recovery-time objectives provide concrete goals to plan for and test against. They should not be regarded as hard and fast deadlines that must be met in every emergency situation;'' and 2003 Policy Statement on Business Continuity Planning for Trading Markets, Securities Exchange Act Release No. 48545 (September 25, 2003), 68 FR 56656, 56658 (October 1, 2003) (``2003 BCP Policy Statement''), stating: ``Consistent with the approach taken in the Interagency Paper, the next-day resumption objective should provide a concrete goal to plan for and test against. This should not be regarded as a hard and fast deadline that must be met in every emergency situation.'' --------------------------------------------------------------------------- Recovery Timeframes as Goals Several commenters addressing proposed item (E) focused their comments specifically on the proposed recovery timeframes.\505\ A few commenters that are clearing agencies specifically expressed concern about the proposed requirement for the two-hour resumption of clearance and settlement services, urging that the two-hour standard be a goal rather than a requirement.\506\ One commenter noted [[Page 72295]] that the ``Interagency White Paper itself recognizes that `various external factors surrounding a disruption such as time of day, scope of disruption, and status of critical infrastructure--particularly telecommunications can affect actual recovery times,' and concludes that `[r]ecovery-time objectives provide concrete goals to plan for and test against . . . they should not be regarded as hard and fast deadlines that must be met in every emergency situation.' '' \507\ Several commenters suggested that SCI entities generally be given more discretion to decide when to resume trading following a wide-scale disruption.\508\ Other commenters stated more broadly that the proposed recovery timeframes were too rigid and inconsistent with the Interagency White Paper and the 2003 BCP Policy Statement.\509\ Other commenters similarly noted that it might be in the public interest and consistent with the protection of investors and the maintenance of fair and orderly markets for the markets to remain closed following a wide- scale disruption.\510\ --------------------------------------------------------------------------- \505\ See, e.g., SIFMA Letter at 3, 13, 18; KCG Letter at 11-12; DTCC Letter at 15; OCC Letter at 9-10; Omgeo Letter at 27-28; Angel Letter at 16-17; Direct Edge Letter at 4-5; ISE Letter at 2-5; Joint SROs Letter at 16-17; FINRA Letter at 36; MSRB Letter at 10; Tellefsen Letter at 6; and Group One Letter at 2. \506\ See DTCC Letter at 15 (``[P]roposed Rule 1000(b)(l)(i)(E) has made what is currently a target within the 2003 Interagency White Paper that clearing and settling services be resumed within 2 hours of a disruption into a requirement that may not be attainable in all circumstances. . . .''); OCC Letter at 9-10 (``While a two- hour recovery time objective is a laudable goal . . . current guidelines remain appropriate to recover and resume clearing and settlement activities within the business day on which the disruption occurs, with the overall aspiration of achieving recovery and resumption within two hours''); and Omgeo Letter at 27-28 (``While Omgeo agrees that SCI entities should be required to rapidly recover from a wide-scale disruption and resume operations to avoid disrupting the critical markets beyond a single business day, it is unreasonable to require these operations to be resumed within two hours.''). \507\ See Omgeo Letter at 27-28. \508\ See Angel Letter at 16-17; Direct Edge Letter at 4-5; ISE Letter at 2; Joint SROs Letter at 16-17; and Group One Letter at 2. \509\ See SIFMA Letter at 13 (noting that the Interagency White Paper recommends that ``core clearing and settlement organizations develop the capacity to recover and resume clearing and settlement activities within the business day on which the disruption occurs with the overall goal of achieving recovery and resumption within two hours after an event.'' See also Joint SROs Letter at 17 (noting that the 2003 BCP Policy Statement, supra note 504, provides that rapid recovery should not be regarded as a hard and fast deadline that must be met in every emergency situation). \510\ See, e.g., Angel Letter at 16-17; Direct Edge Letter at 4- 5, 9; ISE Letter at 2-5; and Joint SROs Letter at 16-17. --------------------------------------------------------------------------- In response to comments that the proposed two-hour recovery time frame was too inflexible,\511\ the Commission is eliminating the proposed requirement that an SCI entity must ``ensure'' next business day resumption of trading and two-hour resumption of clearance and settlement services following a wide-scale disruption. The Commission acknowledges that a hard and fast resumption timeframe may not be achievable in each and every case, given the variety of disruptions that potentially could arise and pose challenges even for well-designed business continuity and disaster recovery. For this reason, the Commission is revising the proposed requirement by replacing it with a requirement that an SCI entity have policies and procedures that include ``business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption.'' Replacement of the phrase ``to ensure'' with the phrase ``reasonably designed to achieve'' means that Regulation SCI's enumerated recovery timeframes are concrete goals, consistent with the Interagency White Paper and 2003 BCP Policy Statement.\512\ As such, the rule's specified recovery timeframes are the standards against which the reasonableness of business continuity and disaster recovery (``BC/DR'') plans will be assessed by the Commission and its inspection staff. Moreover, as recovery goals, rather than hard and fast deadlines, the enumerated time frames in the rule will continue to allow for SCI entities to account for the specific facts and circumstances that arise in a given scenario to determine whether it is appropriate to resume a system's operation following a wide-scale disruption. --------------------------------------------------------------------------- \511\ See supra notes 506-510 and accompanying text. \512\ See Interagency White Paper, supra note 504, at 17812-13, and the 2003 BCP Policy Statement, supra note 504, at 56658. --------------------------------------------------------------------------- Recovery Timeframe Distinctions In the SCI Proposal, the Commission solicited comment on whether the proposed next business day resumption of trading following a wide- scale disruption and proposed two-hour resumption of clearance and settlement services following a wide-scale disruption were appropriate.\513\ The Commission also solicited comment on whether it should consider revising the proposed next business day resumption requirement for trading to a shorter period for certain entities that play a significant role within the securities markets.\514\ One commenter stated that it agreed with imposing more stringent requirements for resumption of clearance and settlement services than for trading services following a wide-scale disruption.\515\ However, this commenter also urged more broadly that the Commission take into account the criticality of the functions performed by an SCI entity to the maintenance of fair and orderly markets in order to tailor the obligations of the rule more effectively.\516\ According to this commenter, ``[n]otification and remediation requirements . . . should be tailored to the time sensitivity of each of the functions performed, not applied uniformly across all activities of an SCI entity.'' This commenter identified ``highly critical functions'' as including the primary listing exchanges, trading of securities on an exclusive basis, securities information processors, clearance and settlement agencies, distribution of unique post-trade transparency information, and real- time market surveillance,'' and urged the Commission to ``leverage the best practices of the Interagency White Paper, and expand them to include the [highly] critical functions. . . .'' \517\ Other commenters also urged the Commission to consider the criticality of SCI systems functionality and tailor requirements accordingly.\518\ One [[Page 72296]] commenter noted that the August 2013 Nasdaq SIP outage revealed each of SIAC and Nasdaq (in their roles as plan processors) as a potential ``single point of failure'' in the national market system, and specifically urged improved backup capabilities for these systems.\519\ Another commenter, in the context of questioning the need for all markets to have geographically diverse backups, acknowledged that specific redundancy might be appropriate in certain areas, such as where an instrument is traded only on one exchange or in the case of a primary market during the open and closing periods of the market.\520\ --------------------------------------------------------------------------- \513\ See Proposing Release, supra note 13, at 18112, question 73. \514\ See id. at 18112, question 76. \515\ See SIFMA Letter at 12-13. Specifically, this commenter noted that the Interagency White Paper, supra note 504, distinguishes between ``core clearing and settlement organizations'' and firms that play ``significant roles in the financial markets'' and recommended that the Commission continue to distinguish between SCI entities that are responsible for the highly critical function of centralized counterparties (e.g., clearing agencies registered with the Commission) and SCI entities that are not. \516\ See SIFMA Letter at 4. \517\ See id. at 4, 18. SIFMA also listed the distribution of unique post-trade transparency information and real-time market surveillance as highly critical functions. While such systems are not specifically identified in the first prong of the definition of critical SCI systems (as are SCI systems that directly support functionality relating to: (1) Clearance and settlement systems of clearing agencies; (2) openings, reopenings, and closings on the primary listing market; (3) trading halts; (4) initial public offerings; (5) the provision of consolidated market data; or (6) exclusively-listed securities), the Commission notes that systems that provide functionality to the securities markets for which the availability of alternatives is significantly limited or nonexistent and without which there would be a material impact on fair and orderly markets are considered critical SCI systems under its second prong. See supra Section IV.A.2.c (discussing the definition of ``critical SCI systems''). \518\ See, e.g., KCG Letter at 8, 13-14 (suggesting that proposed item (E) apply only to SCI entities that perform critical, unique functions in the market), and at 5 (stating ``when critical services are provided, additional heightened regulatory requirements, as proposed in Regulation SCI, may be appropriate''). See also UBS Letter at 3 (urging the Commission to take into consideration the difference between ``interruptions of activities that hold significant implications for the National Market System'' and ``low criticality activities [that] are much more manageable and localized in impact . . . because market participants are not directly touched or are equipped to quickly route around the problem''). According to this commenter, activities that hold such significant implications would include: ``disruption at primary exchange during [the] open/close, [a] problem with protected quote data, [an] outage at listing exchange during [an] IPO, [and] SIP data disruptions.'' \519\ See Angel Letter 2 at 3-4. \520\ See FIA PTG Letter at 4. --------------------------------------------------------------------------- The Commission has carefully considered these comments and believes they support revising the proposed rule to provide that the two-hour recovery goal specified in the adopted rule, as the standard against which BC/DR plans are to be assessed, should apply not only to ``clearance and settlement services,'' but more generally to the functions performed by critical SCI systems. Given that the securities markets are dependent upon the reliable operation of critical SCI systems, the Commission believes it is reasonable to distinguish the two-hour and next-business day recovery goals in a manner consistent with other provisions of adopted Regulation SCI: Specifically, to have the shorter recovery goal apply to critical SCI systems, and the longer recovery goal apply to resumption of trading by non-critical SCI systems. The Commission also notes that, because the proposed recovery timeframes are being adopted as concrete goals that the policies and procedures must be reasonably designed to achieve, rather than hard and fast requirements, the adopted approach is somewhat more flexible than that proposed. Accordingly, adopted Rule 1001(a)(2)(v) holds BC/DR plans for critical SCI systems (as defined in Rule 1000) to a higher standard than BC/DR plans for resumption of trading operations more generally. Specifically, an SCI entity responsible for a given critical SCI system will be expected to design BC/DR plans that contemplate resumption of critical SCI system functionality to meet a recovery goal of two hours or less. The Commission believes that this approach is consistent with the broader risk-based approach urged by commenters.\521\ The Commission also believes that its approach to holding critical SCI systems to stricter resiliency standards than other systems is an appropriate measure that responds not only to comments received, but also to recent events highlighting the effects of malfunctions in critical SCI systems.\522\ --------------------------------------------------------------------------- \521\ See supra notes 53-57 and accompanying text (summarizing commenters' recommendations with regard to adopting a risk-based approach generally). \522\ See supra Section II.B (discussing recent systems issues, including a systems problem that resulted in certain exclusively- listed securities being unable to trade for over three hours, and a systems problem affecting the SIP that halted trading in all Nasdaq- listed securities for more than three hours). --------------------------------------------------------------------------- Two commenters requested clarification on the expectations for resumption of SCI systems that are not related to trading, clearance, or settlement.\523\ In response to this comment, the Commission notes that the adopted definition of SCI systems has been refined from the proposed definition of SCI systems and that all SCI systems could be considered to be ``related to'' trading. However, systems that directly support market regulation and/or market surveillance will not be held to the resumption goals of Rule 1001(a)(2)(v) (unless they are critical SCI systems) because the Commission believes that the resumption of trading and critical SCI systems could occur following a wide-scale disruption without the immediate availability of market regulation and/ or market surveillance systems (unless they are critical SCI systems). However, systems that directly support trading, order routing, and market data would be subject to the next-business day resumption goal, unless they are also critical SCI systems, in which case they would be subject to the two-hour resumption goal. --------------------------------------------------------------------------- \523\ See FINRA Letter at 36; and MSRB Letter at 10. --------------------------------------------------------------------------- One commenter questioned what the expectations are with respect to next-day resumption if an SCI entity loses functionality towards the end of the trading day.\524\ In response to this comment, the Commission notes that neither the next-business day resumption of trading goal nor the two-hour recovery goal for critical SCI systems is dependent on the time of day that the loss of functionality occurs. Consistent with the Interagency White Paper and 2003 BCP Policy Statement, however, the Commission acknowledges that the time of day of a disruption can affect actual recovery times.\525\ The Commission believes it is important, particularly with respect to clearing agencies, that SCI entities endeavor to take all steps necessary to effectuate end of day settlement. --------------------------------------------------------------------------- \524\ See Tellefsen Letter at 6. \525\ See Interagency White Paper, supra note 504, at 17812, and the 2003 BCP Policy Statement, supra note 504, at 56658. --------------------------------------------------------------------------- Geographic Diversity To Ensure Resilience Several commenters addressing proposed item (E) expressed concern about the proposed geographic diversity requirement.\526\ Some commenters cited a reluctance on the part of SCI entity members or participants to incur the cost or assume the risk of connecting to a backup site that would only be used infrequently.\527\ In addition, some commenters cited concerns, such as challenges to market makers generating quotes, if a backup site did not have the same low latency as the primary site.\528\ One of these commenter suggested that allowing other fully operational exchanges to fill in and perform the duties of an exchange experiencing an outage would offer the advantages of continued operation on tested systems and the introduction of fewer variables.\529\ Another of these commenters argued that, in many respects, the goal of resilient and redundant markets is already in place due to the existence of multiple competing and interconnected venues, operating as a collective system under Regulation NMS.\530\ --------------------------------------------------------------------------- \526\ See, e.g., KCG Letter at 13; FIA PTG Letter at 3-4; Group One Letter at 2-3; ISE Letter at 2-5; BIDS Letter at 8; and ITG Letter at 15. \527\ See KCG Letter at 13; FIA PTG Letter at 3-4; and Group One Letter at 2-3. \528\ See KCG Letter at 13; and FIA PTG Letter at 3-4. \529\ See Group One Letter at 2-3. \530\ See FIA PTG Letter at 4. See also Angel 2 Letter at 3. --------------------------------------------------------------------------- One commenter agreed that it is a best business practice for a market to have backup disaster recovery facilities and robust BC/DR plans, but stated that ``significant geographic diversity'' should not be an absolute requirement,'' because a wide-scale disruption in New York or Chicago would make next day resumption difficult, even with a geographically diverse backup.\531\ This commenter noted that the more remote the backup, the more difficult it would be to staff such a facility, and even more so in a surprise disaster, unless the backup was fully staffed at all times.\532\ Several commenters also argued that SCI entities that are ATSs are less critical to market stability, and therefore [[Page 72297]] should be subject to less stringent geographic diversity and recovery requirements.\533\ One commenter suggested eliminating the reference to ``geographic diversity'' in favor of requiring ``comprehensive business continuity and disaster recovery plans with recovery time objectives of the next business day for trading and two hours for clearance and settlement,'' and emphasizing as guidance that geographic diversity of physical facilities would be an expected component of any such plan.\534\ --------------------------------------------------------------------------- \531\ See ISE Letter at 2-5. \532\ See id. \533\ See BIDS Letter at 8; FIA PTG Letter at 4; ITG Letter at 15; and KCG Letter at 8, 13. These commenters believed that the proposed geographic diversity requirements are burdensome and unnecessary because of the ease with which market participants are able to shift their order flow when there is an issue at one or more markets. In addition, two commenters argued that, because ATSs are subject to FINRA regulations with respect to BC/DR plans, further regulation would be redundant and unnecessary. See ITG Letter at 15; and OTC Markets Letter at 9. \534\ See Direct Edge Letter at 4. --------------------------------------------------------------------------- The Commission has carefully considered commenters' views on the proposed geographic diversity requirement and continues to believe that geographic diversity of physical facilities is an important component of every SCI entity's BC/DR plan.\535\ The Commission believes that challenges to recovery are increased when a disruption impacts a broad geographic area, and therefore that an SCI entity's arrangements to assure resilience in the event of a wide-scale disruption cannot reliably be achieved without geographic diversity of its BC/DR resources.\536\ The Commission does not agree with commenters who argued that the existence of multiple competing and interconnected venues operating as a collective system under Regulation NMS obviates the need for geographic diversity at the individual SCI entity level.\537\ For example, a wide-scale disruption, such as a natural disaster or man-made attack, could affect a large number of SCI entities, and absent individual SCI entity responsibility for maintaining geographic diversity, there could be a greater likelihood that a critical mass of SCI entities would not be operational, so that the continued maintenance of fair and orderly markets could be impacted. The Commission notes that some of the practical difficulties commenters cited as the basis for objecting to a backup site requirement, such as the cost and operational risk of maintaining a redundant connection to an SCI entity backup facility that would be used infrequently, are concerns raised on behalf of SCI entity members and participants.\538\ In response to commenters who expressed concern regarding the cost for members or participants to co-locate their systems at backup sites to replicate the speed and efficiency of the primary site, the Commission emphasizes that adopted Rule 1001(a)(2)(v) does not require an SCI entity to require members or participants to use the backup facility in the same way it uses the primary facility. Rather, the assessment of the effectiveness of a BC/DR plan that includes geographically diverse backup facilities is whether it is reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption. --------------------------------------------------------------------------- \535\ The Commission's view is consistent with the 2003 BCP Policy Statement. See 2003 BCP Policy Statement, supra note 504, at 56658. See also infra Section VI.C.2.b (discussing the benefits of geographic diversity). \536\ See, e.g., 2003 BCP Policy Statement, supra note 504, at 56657 (stating that a critical ``lesson learned'' from the events of September 11, 2001 is the need for more rigorous business continuity planning in the financial sector to address problems of wider geographic scope and longer duration than those previously addressed). \537\ See supra notes 530 and 533 and accompanying text. \538\ See infra Section IV.B.6 (discussing SCI entity BC/DR testing requirements for members or participants). --------------------------------------------------------------------------- In response to comments that geographic diversity should be encouraged but not required for all SCI entities, the Commission does not believe that it would be appropriate to eliminate the proposed requirement that SCI entities maintain geographically diverse backup and recovery capabilities (which the Commission understands many SCI entities already have) because, as stated, absent individual SCI entity responsibility for maintaining geographic diversity, there could be a greater likelihood that a critical mass of SCI entities would not be operational following a wide-scale disruption. In response to comment that ATSs are less critical to market stability, and therefore should be subject to less stringent geographic diversity and recovery requirements, the Commission notes that ATSs that do not have critical SCI systems will be subject to less stringent geographic diversity and recovery requirements than SCI entities that do.\539\ However, because the Commission believes that SCI ATSs have the potential to significantly impact investors, the overall market, and the trading of individual securities as a result of an SCI event, the Commission believes that these entities are appropriate for inclusion in the definition of SCI entity and for the application of the geographic diversity requirement.\540\ --------------------------------------------------------------------------- \539\ In addition, in response to commenters who argued that, because ATSs are subject to FINRA regulations with respect to BC/DR plans further regulation would be redundant and unnecessary (see supra note 533), the Commission notes that FINRA Rule 4370 generally requires that a member maintain a written continuity plan identifying procedures relating to an emergency or significant business disruption. Unlike Regulation SCI, however, the FINRA rule does not include the requirement that the business continuity and disaster recovery plans be reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption, nor does it require the functional and performance testing and coordination of industry or sector-testing of such plans, which the Commission believes to be instrumental in achieving the goals of Regulation SCI with respect to SCI entities. See also supra note 115. \540\ See supra notes 107-109 and accompanying text. --------------------------------------------------------------------------- Like the proposed rule, the adopted rule does not specify any particular minimum distance or geographic location that would be necessary to achieve geographic diversity.\541\ However, as stated in the SCI Proposal, the Commission continues to believe that backup sites should not rely on the same infrastructure components, such as for transportation, telecommunications, water supply, and electric power.\542\ The Commission also continues to believe that an SCI entity should have a reasonable degree of flexibility to determine the precise nature and location of its backup site depending on the particular vulnerabilities associated with those sites, and the nature, size, technology, business model, and other aspects of its business.'' \543\ In response to comment that a geographically diverse backup facility is impractical if key personnel do not live sufficiently close to the backup facility, the Commission notes that adopted Regulation SCI does not require an SCI entity to have a geographically diverse backup facility so distant from the primary facility that the SCI entity may not rely primarily on the same labor pool to staff both facilities if it believed it to be appropriate.\544\ Given that the Commission did not propose a specified minimum distance to achieve geographic diversity, the Commission believes that the geographic diversity requirement is reasonable and appropriate for all SCI entities. The [[Page 72298]] geographic diversity requirement is therefore adopted as proposed. --------------------------------------------------------------------------- \541\ See Proposing Release, supra note 13, at 18108, n. 182 and accompanying text. \542\ See id. \543\ See id. \544\ An SCI entity with critical SCI systems subject to a two- hour recovery goal may, however, find it prudent to establish back- up facilities a significant distance away from their primary sites, or otherwise address the risk that a wide-scale disruption could impact either or both of the sites and their labor pool. See Interagency White Paper, supra note 504, at 17813. --------------------------------------------------------------------------- In sum, the Commission believes that adopted Rule 1001(a)(2)(v), requiring an SCI entity to have business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption, is consistent with, and builds upon, both the Interagency White Paper and the 2003 BCP Policy Statement by applying their principles to SCI entities in today's trading environment, one with a heavy reliance on technological infrastructure. The Commission believes that individual SCI entity resilience is fundamental to achieving the goal of improving U.S. securities market infrastructure resilience. Robust Standards for Market Data Proposed item (F), requiring an SCI entity to have standards that result in systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data, received little comment. One commenter supported the proposed requirement, subject to further clarification about what constitutes market data.\545\ Another commenter believed that this proposed requirement is redundant because SROs and other market participants are already subject to substantial requirements for market data.\546\ --------------------------------------------------------------------------- \545\ See MSRB Letter at 8. \546\ See Angel Letter at 19. --------------------------------------------------------------------------- While consolidated market data is collected and distributed pursuant to a variety of Exchange Act rules and joint industry plans,\547\ the Commission does not believe that existing requirements have the same focus on ensuring the operational capability of the systems for collecting, processing, and disseminating market data. Thus, the Commission believes that this provision, while consistent with existing rules, acts as a complement to such requirements and is not redundant. Further, as explained above, the term ``market data'' is not intended to include only consolidated market data, but proprietary market data as well and, as such, SCI systems directly supporting proprietary market data or consolidated market data are subject to the requirements of item (F). As stated in the SCI Proposal, the Commission believes that the accurate, timely, and efficient processing of data is important to the proper functioning of the securities markets. The Commission continues to believe that it is important that each SCI entity's market data systems are reasonably designed to maintain market integrity and that the proposed requirement would facilitate that goal.\548\ This element, requiring that an SCI entity's policies and procedures include standards that result in systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data, is adopted as proposed, as Rule 1001(a)(2)(vi). --------------------------------------------------------------------------- \547\ See, e.g., Rules 601-604 of Regulation NMS and Rule 301(b)(3) of Regulation ATS. See also supra Section IV.A.1.c (discussing definition of plan processor) and Concept Release on Equity Market Structure, supra note 4, at 3600 (discussing various rules and requirements relating to consolidated market data). \548\ See Proposing Release, supra note 13, at 18108. --------------------------------------------------------------------------- Monitoring The Commission is adopting an additional provision, designated as Rule 1001(a)(2)(vii), that requires an SCI entity's policies and procedures to provide for monitoring of SCI systems, and, for purposes of security standards, indirect SCI systems, to identify potential SCI events. Several commenters argued that Regulation SCI should allow entities to adopt and follow escalation procedures instead of providing that obligations under Regulation SCI are triggered by one employee's awareness of a systems issue.\549\ The Commission is modifying Regulation SCI in three respects in response to these comments: revising the definition of responsible SCI personnel to focus on senior managers; requiring that an SCI entity have policies and procedures to identify, designate, and escalate potential SCI events to responsible SCI personnel; and explicitly requiring policies and procedures for monitoring.\550\ The requirement that an SCI entity have policies and procedures to provide for monitoring of SCI systems and, for purposes of security standards, indirect SCI systems, is added to make explicit that escalation of a systems problem should occur not only if a systems problem is identified by chance, but rather that an SCI entity should have a monitoring process in place so that systems problems are able to be identified as a matter of standard operations and pursuant to parameters reasonably established by the SCI entity. In addition, the Commission believes that the reliability of escalation of potential SCI events to designated responsible SCI personnel for determination as to whether they are, in fact, SCI events is likely to be more effective when it occurs in connection with established procedures for monitoring of SCI systems and indirect SCI systems and pursuant to a process for the communication of systems problems by those who are not responsible SCI personnel to those who are. The Commission notes that several commenters discussed the role that technology staff play in monitoring and identifying potential systems problems and escalating issues up the chain of command to management as well as legal and/or compliance personnel. Although systems monitoring may already be routine in many SCI entities, there are expected benefits of monitoring and thus it is appropriate to require an SCI entity's policies and procedures to provide for monitoring of SCI systems, and, for purposes of security standards, indirect SCI systems, to identify potential SCI events. The Commission believes that monitoring in tandem with escalation to responsible SCI personnel is an appropriate approach to ensuring SCI compliance. As noted, the requirement that an SCI entity have policies and procedures for monitoring provides an SCI entity with flexibility to establish parameters that define the types of systems problems to which technology personnel should be alert, as well as the frequency and duration of monitoring. The Commission also believes this requirement is consistent with a risk-based approach, and that an SCI entity's policies and procedures for monitoring may be tailored to the relative criticality of SCI systems, with critical SCI systems likely to be subject to relatively more rigorous policies and procedures for monitoring than other SCI systems. --------------------------------------------------------------------------- \549\ See, e.g., OCC Letter at 12; FINRA Letter at 25-26; Omgeo Letter at 13; FIF Letter at 5; and NYSE Letter at 19-20. See also infra notes 758-761 and accompanying text (discussing comments on the proposed ``becomes aware'' standard). \550\ See infra Section IV.B.3.a (discussing the Commission's determination to further focus the definition of ``responsible SCI personnel''). --------------------------------------------------------------------------- iii. Policies and Procedures Consistent With ``Current SCI Industry Standards''--Rule 1001(a)(4) Proposed Rule 1000(b)(1)(ii) stated that an SCI entity's policies and procedures would be deemed to be reasonably designed if they are consistent with ``current SCI industry standards,'' such as those listed on proposed Table A. ``Current SCI industry standards'' were not limited to those listed on proposed Table A, but [[Page 72299]] were proposed to be required to be: (A) Comprised of information technology practices that are widely available for free to information technology professionals in the financial sector; and (B) issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization. The rule further stated that ``compliance with such current SCI industry standards . . . shall not be the exclusive means to comply with the requirements of paragraph (b)(1).'' The goal of proposed Rule 1000(b)(1)(ii) was to provide guidance to SCI entities on policies and procedures that would meet the articulated standard of being ``reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain their operational capability and promote the maintenance of fair and orderly markets.'' The proposal sought to provide this guidance by identifying example information technology publications describing processes, guidelines, frameworks, and/or standards that SCI entities could elect to look to in developing its policies and procedures. Proposed Table A set forth an example of one set of technology publications that the Commission preliminarily believed was an appropriate set of reference documents. The SCI Proposal acknowledged that ``current SCI industry standards'' would not be limited to the publications identified on proposed Table A. As such, an SCI entity's choice of a current SCI industry standard in a given domain or subcategory thereof could appropriately be different from those contained in the publications identified in proposed Table A.\551\ Many commenters, however, objected to the proposed objective criteria for reference publications, and/or one or more of the specific publications listed on proposed Table A. The Commission has carefully considered commenters' views and is adopting Rule 1000(b)(1)(ii), renumbered as Rule 1001(a)(4), with certain modifications as described below. --------------------------------------------------------------------------- \551\ See Proposing Release, supra note 13, at 18109. --------------------------------------------------------------------------- Criteria for Identifying SCI Industry Standards: Comments Received and Commission Response Some commenters disagreed with the Commission's proposal to require SCI industry standards to be ``comprised of information technology practices that are widely available for free to information technology professionals in the financial sector.'' Several commenters argued that there were significant disadvantages to requiring that standards be available free of charge.\552\ One of these commenters stated that requiring standards to be available for free ``may encourage SCI entities to use standards that may be outdated when more suitable standards may be available and would be more appropriate.'' \553\ Another of these commenters stated that ``the cost or lack thereof of a technology standard or standard framework has no bearing on the quality or appropriateness of such standard or framework and bears no significance to the maintenance of fair and orderly markets.'' \554\ --------------------------------------------------------------------------- \552\ See ANSI Letter at 1; DTCC Letter at 15; OCC Letter at 9; Omgeo Letter at 33-34; and X9 Letter at 1. \553\ See OCC Letter at 9. \554\ See Omgeo Letter at 33 (noting also that the proposed criteria would eliminate appropriate standards such ITIL and ISO 27000). --------------------------------------------------------------------------- Two standard setting organizations commented regarding the use of consensus standards, citing OMB Circular No. A-119, which directs agencies to use voluntary consensus standards (i.e., standards developed by professional standards organizations), and urged the Commission to eliminate the requirement that SCI industry standards be ``available for free.'' \555\ Another commenter similarly urged that it was important for SCI entities to use publications generated by professional organizations that regularly update their standards and employ open processes for gathering industry input.\556\ --------------------------------------------------------------------------- \555\ See ANSI Letter at 1; and X9 Letter at 1. \556\ See CISQ2 Letter at 6. See also Angel Letter at 8 (suggesting that the proposed criteria could potentially result in the creation of race-to-the-bottom standards organizations that establish lax standards). --------------------------------------------------------------------------- The Commission agrees that the cost or lack thereof of a technology standard or standard framework has no bearing on the quality or appropriateness of such standard, and also that SCI entities should be encouraged to use appropriate standards developed by professional organizations that regularly update their standards and employ open processes for gathering industry input. While the Commission did not propose to require that particular standards be used, in response to comment, the Commission is adopting Rule 1001(a)(4) without the criterion in the SCI Proposal that a technology standard be available free of charge. The other criteria are adopted as proposed. Thus, to qualify as an ``SCI industry standard,'' a publication must be comprised of information technology practices that are widely available to information technology professionals in the financial sector and issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization. The Commission believes that this criterion is sufficiently flexible to include technology practices issued by professional organizations, including the professional organizations referenced by commenters.\557\ --------------------------------------------------------------------------- \557\ See infra notes 583-601 and accompanying text. The Commission expresses no view, however, on any particular publication that is not specifically identified in infra notes 584-601, or standards that remain in development (e.g., a standard being drafted by AT 9000) (see infra note 601 and accompanying text). --------------------------------------------------------------------------- Proposed Table A: Comments Received The SCI Proposal stated that written policies and procedures that are consistent with the relevant examples of SCI industry standards contained in the publications identified in Table A would be deemed to be ``reasonably designed'' for purposes of proposed Rule 1000(b)(1).\558\ Proposed Table A listed publications covering nine inspection areas, or ``domains,'' that Commission staff historically has evaluated under the ARP Inspection Program.\559\ --------------------------------------------------------------------------- \558\ See Proposing Release, supra note 13, at 18109. \559\ See id. --------------------------------------------------------------------------- Proposed Table A elicited significant and varied comment. Some commenters objected generally to the Table A framework.\560\ Others objected more specifically to Table A's proposed content,\561\ and some commenters objected to Table A as a premature attempt to establish consensus on SCI industry standards where consensus has not yet emerged.\562\ --------------------------------------------------------------------------- \560\ See, e.g., Angel Letter at 8-9; BATS Letter at 6-7; BIDS Letter at 7; Direct Edge Letter at 2; Joint SROs Letter at 4; MSRB Letter at 11-12; and NYSE Letter at 20-21. \561\ See, e.g., Angel Letter at 8-9; BATS Letter at 6-7; FIF Letter at 3-4; ISE Letter at 11-12; CAST Letter at 10; MSRB Letter at 11-12; DTCC Letter at 15; FINRA Letter at 31; Omgeo Letter at 33; CISQ Letter at 1-2; OCC Letter at 9; Lauer Letter at 5-7; BIDS Letter at 7; and Liquidnet Letter at 3-4. \562\ See, e.g., FIF Letter at 3-4; Liquidnet Letter at 3-4; UBS Letter at 7; and ISE Letter at 11-12. --------------------------------------------------------------------------- Table A Framework and Process One group of commenters suggested that, in lieu of the publications identified in Table A, the Commission should characterize policies and procedures as reasonably designed if they comply with ``generally accepted standards.'' \563\ Another commenter similarly suggested that the Commission replace the proposed rule's reference to ``current SCI industry standards'' with [[Page 72300]] the phrase ``generally accepted technology principles,'' and delete Table A and the proposed Table A criteria.\564\ These commenters viewed proposed Table A as flawed in concept.\565\ Specifically, one of these commenters expressed concern that the standards set forth in Table A might not keep pace with a constantly evolving technological landscape and that, despite this evolution, Commission staff might take a checklist approach to its review of policies and procedures, which would result in unintended consequences.\566\ --------------------------------------------------------------------------- \563\ See Joint SROs Letter at 4. \564\ See NYSE Letter at 20-21. \565\ See Joint SROs Letter at 4; and NYSE Letter at 20. \566\ See Joint SROs Letter at 4. Other commenters similarly expressed concern that SCI entities would closely adhere to the publications listed in Table A (even though the SCI Proposal specified that such adherence would not be the exclusive means to comply with the requirements of proposed Rule 1000(b)(1)), rather than take advantage of the flexibility built into the proposed rule out of concern that if they did not, they would expose themselves to potential regulatory action for failure to comply with Regulation SCI. See, e.g., MSRB Letter at 11; Angel Letter at 8; BATS Letter at 6; and NYSE Letter at 20-21. --------------------------------------------------------------------------- The other commenter stated that it was more common, and more appropriate in any industry that relies heavily on technology, for an entity to review a variety of different standards for frameworks or best practices, and then adopt a derivative of multiple standards, customizing them for the systems at issue.\567\ According to this commenter, SCI entities would be unlikely to comply with all aspects of any particular standard in Table A at any particular time, thereby ``obviating its usefulness.'' \568\ --------------------------------------------------------------------------- \567\ See NYSE Letter at 20. \568\ See id. --------------------------------------------------------------------------- Other commenters argued that the Table A concept was flawed because Table A would always be on the verge of being outdated. For example, one commenter characterized the proposed Table A publications as ``soon-to-be outdated'' and stated that it is crucial that SCI entity policies and procedures be ``forward-looking'' and able to respond to future threats.\569\ Another commenter stated that the proposed process for updating Table A \570\ would not be sufficiently nimble to assure that SCI entities adhere to the best possible then-current standards, and suggested that the Commission defer to the expertise of the organizations that have established the listed standards and rely on the updates provided by these organizations.\571\ Another commenter stated that any ``hard coded'' solutions are likely to become obsolete very quickly.\572\ --------------------------------------------------------------------------- \569\ See id. See also ISE Letter at 10 (stating that the standards listed in Table A are not the most current or appropriate standards). See also infra notes 577-578 and accompanying text. \570\ In the SCI Proposal, the Commission stated that it ``preliminarily believes that, following its initial identification of one set of SCI industry standards . . . it would be appropriate for Commission staff, from time to time, to issue notices to update the list of previously identified set of SCI industry standards after receiving appropriate input from interested persons. . . . However, until such time as Commission staff were to update the identified set of SCI industry standards, the then-current set of SCI industry standards would be the [relevant] standards. . . .'' Proposing Release, supra note 13, at 18111. \571\ See MSRB Letter at 11-12. \572\ See Direct Edge Letter at 2. --------------------------------------------------------------------------- After careful consideration of these comments, the Commission acknowledges that the proposed framework for identifying and updating publications on Table A may not be sufficiently nimble to assure that its list of publications does not become obsolete as technology and standards change. The Commission agrees that, in an industry that relies heavily on technologies that are constantly evolving, the prescription of hard-coded solutions that may become quickly outdated is not the better approach. However, because several commenters stated that there is currently a lack of consensus on what constitutes generally accepted standards or principles in the securities industry,\573\ the Commission continues to believe that there is value in identifying example publications for SCI entities to consider looking to in establishing policies and procedures that are consistent with ``current SCI industry standards.'' \574\ --------------------------------------------------------------------------- \573\ See supra note 633 and accompanying text. \574\ See Rule 1001(a)(4), which states: ``For purposes of [complying with Rule 1001(a)], such policies and procedures shall be deemed to be reasonably designed if they are consistent with current SCI industry standards, which shall be comprised of information technology practices that are widely available to information technology professionals in the financial sector and issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization. Compliance with such current SCI industry standards, however, shall not be the exclusive means to comply with [Rule 1001(a)].'' --------------------------------------------------------------------------- After considering the potential disadvantages of ``hard-coding'' Table A in a Commission release, and the potential benefits of providing further guidance to SCI entities on the meaning of ``current SCI industry standards,'' the Commission has determined that, rather than the Commission issuing Table A in this release, Commission staff should issue guidance to assist SCI entities in developing policies and procedures consistent with ``current SCI industry standards'' in a manner that is consistent with the Commission's response to comments received on proposed Table A, as discussed in this Section IV.B.1.b.iii, and periodically update such guidance as appropriate. The Commission believes that guidance issued by the Commission staff will have the advantage of easier updating and allow for emerging consensus on standards more focused on the securities industry. Thus, concurrent with the Commission's adoption of Regulation SCI, Commission staff is issuing guidance to SCI entities on developing policies and procedures consistent with ``current SCI industry standards.'' \575\ --------------------------------------------------------------------------- \575\ Staff Guidance on Current SCI Industry Standards will be available on the Commission's Web site at: www.sec.gov. --------------------------------------------------------------------------- Table A Publications Many commenters who did not urge elimination of Table A altogether addressed the content of proposed Table A. Those commenters did not express opposition to the identification of certain inspection areas or domains on proposed Table A, but some commenters identified issues with specific publications listed on Table A.\576\ Specifically, two commenters stated that the NIST publication listed for the Systems Development Methodology domain was outdated.\577\ One of these commenters objected to this publication as reflecting a burdensome staged process to software development that favors the ``waterfall methodology'' over ``agile'' software development, which generally uses more ``nimble processes'' and is more typical in the financial services industry today.\578\ Another commenter noted that this publication had both strengths and weaknesses.\579\ Two commenters objected to the FFIEC's Operations IT Examination Handbook in the capacity planning domain as too generic.\580\ One commenter objected to the inclusion of FFIEC's Audit IT Examination Handbook.\581\ Another commenter stated more broadly that the proposed Table A publications focus too heavily [[Page 72301]] on firm-level risks and do not take into account the technological and economic stability of the U.S. market as a whole.\582\ --------------------------------------------------------------------------- \576\ See, e.g., Angel Letter at 9; BATS Letter at 6-7; FIF Letter at 3-4; and ISE Letter at 10. \577\ See BATS Letter at 6; and ISE Letter at 10 (objecting to the inclusion of NIST Security Considerations in the System Development Life Cycle (Special Publication 800-64 Rev. 2) as a suitable ``current SCI industry standard'' in the systems development methodology domain). \578\ See BATS Letter at 6-7. \579\ See CISQ2 Letter at 4-5 (stating that NIST Special Publication 800-64, Rev. 2 and any derivative standard should ``be reviewed and if necessary revised by a panel of industry practitioners and technical experts to balance the requirement for rigor with the amount of practices and documentation specified in the standard''). \580\ See ISE Letter at 10; and FIF Letter at 3-4 (both described this publication as setting forth a process for conducting capacity planning). \581\ See ISE Letter at 10. \582\ See Angel Letter at 9. --------------------------------------------------------------------------- In addition, several commenters suggested specific additions to the proposed list of publications on Table A.\583\ For example, more than one commenter suggested the following standards as appropriate for inclusion on Table A: COBIT/ISACA; \584\ ISO-27000; \585\ ISO 25000; \586\ and NFPA-1600.\587\ Other standards or publications mentioned by commenters as useful, particularly in the area of software quality or software security, include the CISQ Software Quality Specification,\588\ the Capability Maturity Model Integration (CMMI) framework, \589\ ``SANS 20 Critical Security Controls,'' \590\ ``CWE/ SANS Top 25 Most Dangerous Software Errors,'' \591\ the Open Source Security Testing Methodology Manual (OSSTMM),\592\ the BITS Financial Services Roundtable Software Assurance Framework (January 2012),\593\ the ``Build Security In Maturity Model'' (BSTMM),\594\ Microsoft's SDL,\595\ and resources for defining secure software development practices from organizations such as OWASP, WASC and SAFECode,\596\ and publications issued by Scrum Alliance,\597\ the Association for Software Testing (AST),\598\ the Institute of Electrical and Electronics Engineers (IEEE),\599\ and the Association for Computing Machinery (ACM).\600\ In addition, one commenter suggested a standard currently being drafted by AT 9000, a working group which focuses on trading safety, regulatory requirements, and achieving efficiency and effectiveness of systems involved in automated trading.\601\ --------------------------------------------------------------------------- \583\ See, e.g., CAST Letter; ISE Letter; MSRB Letter; DTCC Letter; FINRA Letter; Omgeo Letter; CISQ2 Letter; OCC Letter; BIDS Letter; Liquidnet Letter; and X9 Letter. \584\ See CAST Letter at 10; ISE Letter at 11; and MSRB Letter at 11. COBIT (formerly known as Control Objectives for Information and related Technology) is an enterprise information technology governance framework developed by ISACA (formerly known as the Information Systems Audit and Control Association). \585\ See DTCC Letter at 15; ISE Letter at 11; FINRA Letter at 31; and Omgeo Letter at 33. FINRA recommended ISO-27000 series because it provides ``greater specificity'' and may be ``less burdensome'' than the standards identified in proposed Table A. ISE and DTCC recommended ISO 27000 specifically for application controls, information security and networking, and physical security controls. Omgeo stated more broadly that it models aspects of its program on widely accepted international standards and frameworks such as ITIL and ISO 27000. \586\ See CAST Letter and CISQ2 Letter. CAST suggested supplementing the SCI industry standards with standards that address development, as well as standards that pertain to structural software quality, such as ISO 25010 and CISQ Software Quality Specification. See CAST Letter at 5. CISQ2 agreed that standards addressing structural software quality are needed and suggested including CISQ Specification for Automated Quality Characteristic Measures: CISQ-TR-2012-01 in Table A. CISQ also pointed to the Capability Maturity Model Integration (CMMI) as another potential option, noting that it was the most widely adopted process standard for rigorous software development practices. See CISQ2 Letter at 3- 4. \587\ See OCC Letter at 9; and ISE Letter at 11. ISE also specifically recommended BS 25999 as an alternative contingency planning standard. \588\ See CAST Letter at 5; and CISQ Letter at 1. \589\ See CAST Letter at 10. \590\ See FIF Letter at 4. \591\ See id. \592\ See Lauer Letter at 5-7. \593\ See BIDS Letter at 7. \594\ See id. \595\ See id. \596\ See id. \597\ See Liquidnet Letter at 4. \598\ See id. \599\ See id. \600\ See id. \601\ See X9 Letter at 2. --------------------------------------------------------------------------- A few commenters opposed referencing standards in Regulation SCI at the outset and instead supported establishing a process that they believed would, after a certain period of time, yield a coherent set of standards.\602\ One of these commenters urged that best practices should evolve from the Commission's experience with the annual SCI review process and experience with the ARP program, because such best practices will be specific to the securities industry and reflect the actual practices of SCI entities.\603\ Finally, several commenters suggested that the Commission establish a working group to develop SCI industry standards.\604\ --------------------------------------------------------------------------- \602\ See, e.g., FIF Letter at 4, 6; Liquidnet Letter at 3; UBS Letter at 7; and ISE Letter at 11. \603\ See FIF Letter at 4, 6. \604\ See, e.g., Liquidnet Letter at 3 (urging that a working group consisting of regulators, industry participants (from exchanges, ATSs and broker-dealers) and security and controls experts be established to develop a security and controls framework for the industry). See also UBS Letter at 7 (urging the Commission to convene a ``cross-industry, multi-disciplinary Working Group'' to be responsible for developing recommendations for appropriate standards); and ISE Letter at 11 (recommending that the Commission authorize SCI entities to establish a standards committee to review and recommend specific sets of standards). See also CISQ Letter at 2, 6 (supporting the Table A approach but also seeing value in tailoring existing standards from professional organizations into an industry-specific set of standards for SCI entities). --------------------------------------------------------------------------- The Commission has carefully considered these comments, and continues to believe that there is value in identifying publications for SCI entities to consider looking to in establishing reasonable policies and procedures, because doing so will provide guidance on how an SCI entity may comply with adopted Rule 1001(a). The Commission therefore believes that issuance of staff guidance that does this, as discussed above, will be useful for SCI entities. However, after careful consideration of commenters' views regarding the publications on proposed Table A, the Commission believes it is useful to characterize how such staff guidance should be used by SCI entities. In particular, the Commission understands that some commenters who objected to the proposed Table A concept and/or the proposed Table A content were more broadly taking issue with the characterization of certain of the documents on proposed Table A, such as the NIST 800-53 document, as a ``standard,'' rather than a ``framework'' or a ``process.'' \605\ The Commission believes that many commenters implicitly were questioning why certain identified technology frameworks (such as NIST 800-53) were being labeled as, and thereby elevated to, an example of ``current SCI industry standards'' when many SCI entities were already following ISO 27000, COBIT, or other technology standards that they viewed as more specific, relevant, and/ or cost effective than the NIST frameworks identified on proposed Table A.\606\ In response to these comments, the Commission believes it is appropriate that the staff's guidance be characterized as listing examples of publications describing processes, guidelines, frameworks, or standards for an SCI entity to consider looking to in developing reasonable policies and procedures, rather than strictly as listing industry standards. Thus, the Commission believes it is appropriate if Commission staff were to list publications that provide guidance to SCI entities on suitable processes for developing, documenting, and implementing policies and procedures for their SCI systems (and indirect SCI systems, as applicable), taking into account the criticality of each such system. --------------------------------------------------------------------------- \605\ The Commission also notes that this point was made by a member of the third panel at the Cybersecurity Roundtable, supra note 39. See also FINRA Letter at 31. \606\ See supra notes 577-601 and accompanying text. --------------------------------------------------------------------------- With respect to the publications commenters suggested for inclusion on proposed Table A, the Commission is not disputing the value of such standards, and believes that each, when considered with respect to a particular system at an SCI entity, may contain appropriate standards for the SCI entity to use as, or incorporate within, its [[Page 72302]] policies and procedures.\607\ The Commission notes that the guidance is intended to be used as a baseline from which the staff may work with SCI entities and other interested market participants to build consensus on industry-specific standards, as discussed more fully below. Further, the Commission believes that the goal of providing general and flexible guidance to SCI entities does not necessitate providing a lengthy list of all the publications that meet the criteria set forth in Rule 1001(a)(4).\608\ --------------------------------------------------------------------------- \607\ See supra notes 577-601 and accompanying text. \608\ See supra note 557 and accompanying text. --------------------------------------------------------------------------- The Commission continues to believe that it may be appropriate for an SCI entity to choose to adhere to a standard or guideline in a given domain or subcategory thereof that is different from those contained in the staff guidance, and emphasizes that nothing that the staff may include in its guidance precludes an SCI entity from adhering to standards such as ISO 27000, COBIT, or others referenced by commenters to the extent they result in policies and procedures that comply with the requirements of Rule 1001(a).\609\ Moreover, adopted Rule 1001(a)(4) explicitly provides that compliance with current SCI industry standards (i.e., including those publications identified by the Commission staff) is not the exclusive method of compliance with Rule 1001(a). Accordingly, an SCI entity's determination not to adhere to some or all of the publications included in the staff guidance in developing its policies and procedures does not necessarily mean that its policies and procedures will be deficient or unreasonable for purposes of Rule 1001(a)(1). Importantly, the publications listed by Commission staff should be understood to provide guidance to SCI entities on selecting appropriate controls for applicable systems, as well as suitable processes for developing, documenting, and implementing policies and procedures for their SCI systems (and indirect SCI systems, as applicable), taking into account the criticality of each such system. Thus, for example, the Commission believes it would be reasonable for the most robust controls to be selected and implemented for ``critical SCI systems,'' as compared to other types of SCI systems, and the Commission believes it would be appropriate that the staff's guidance include publications that require more rigorous controls for higher-risk systems. The staff guidance is not intended to be static, however. As the Commission staff works with SCI entities, as well as members of the securities industry, technology experts, and interested members of the public, and as technology standards continue to evolve, the Commission anticipates that the Commission staff will periodically update the staff guidance as appropriate. --------------------------------------------------------------------------- \609\ Likewise, such guidance would not preclude an SCI entity from adopting a derivative of multiple standards, and/or customizing one or more standards for the particular system at issue, as one commenter suggested. See supra note 567 and accompanying text. In assessing whether an SCI entity's use of such an approach in designing its policies and policies and procedures would be ``deemed'' to be reasonably designed, the Commission's inquiry would be into whether its policies and procedures were consistent with standards meeting the criteria in adopted Rule 1001(a)(4). --------------------------------------------------------------------------- Another way in which the publications identified by Commission staff should provide guidance to SCI entities is by providing transparency on how the staff will, at least initially, prepare for and conduct inspections relating to Regulation SCI. As discussed in the SCI Proposal and above,\610\ for over two decades, ARP staff has conducted inspections of ARP entity systems, with a goal of evaluating whether an ARP entity's controls over its information technology resources in each domain are consistent with ARP and industry guidelines,\611\ as identified by ARP staff from a variety of information technology publications that ARP staff believed were appropriate for securities market participants.\612\ With the adoption of Regulation SCI, and the resultant transition away from the voluntary ARP Inspection Program to an inspection program under Regulation SCI, the Commission believes it is helpful to establish consistency in its approach to examining SCI entities for compliance with Regulation SCI. Importantly, establishing consistency does not mean that the Commission will take a one-size- fits-all or checklist approach. Because the publications identified by Commission staff should be general and flexible enough to be compatible with many widely-recognized technology standards that SCI entities currently use, the Commission believes the publications identified by Commission staff should provide guidance for an SCI entity to self- assess whether its policies and procedures comply with Rules 1001(a)(1)-(2). Moreover, because use of the publications identified by Commission staff is not mandatory, the staff guidance should not be regarded as establishing a checklist, the use of which could result in unintended consequences, but rather a basis for considering how an SCI entity's selected standards relate to the guidance provided by Commission staff and whether they are appropriate standards for use by that particular SCI entity for a given system. --------------------------------------------------------------------------- \610\ See supra Section II.A. \611\ As stated in the SCI Proposal, the domains covered during an ARP inspection depend in part upon whether the inspection is a regular inspection or a ``for-cause'' inspection. Typically, however, to make the most efficient use of resources, a single ARP inspection will cover fewer than nine domains. See Proposing Release, supra note 13, at 18086. \612\ See id. and supra Section II.A (discussing the ARP Inspection Program). --------------------------------------------------------------------------- The Commission believes that it would be appropriate that the publications initially identified by Commission staff at a minimum include the nine inspection areas, or ``domains,'' that the Commission identified on Table A in the SCI Proposal and that are relevant to SCI entities' systems capacity, integrity, resiliency, availability, and security, namely: Application controls; capacity planning; computer operations and production environment controls; contingency planning; information security and networking; audit; outsourcing; physical security; and systems development methodology. The Commission believes it would be appropriate that each publication identified by Commission staff be identified with specificity and include the particular publication's date, volume number, and/or publication number, as the case may be. Thus, for SCI entities that establish or self-assess their policies and procedures in reliance on the guidance provided by the publications identified by Commission staff, the Commission believes that the publications should be the relevant publications until such time as the list is updated by Commission staff. Of course, SCI entities may elect to use publications describing processes, guidelines, frameworks, and/or standards other than those identified by Commission staff to develop policies and procedures that satisfy the requirements of Rules 1001(a)(1)-(2). As stated in the SCI Proposal, however, the Commission continues to believe that the development of securities-industry specific standards is a worthy goal. Although some commenters urged the Commission not to adopt Table A at the outset, and instead establish a process to achieve that end,\613\ the Commission believes that the better approach is for Commission staff to provide examples of publications through its guidance that form a baseline and remain open to emerging consensus on industry-specific standards. In response to the [[Page 72303]] commenter that suggested that the Commission leverage the annual SCI review process and the SCI inspection process to yield a coherent set of industry-specific standards that could be referenced on Table A, the Commission believes that such an approach could serve as an appropriate input into the future development of such standards.\614\ In response to the commenter who stated that the proposed Table A publications do not take into account the technological and economic stability of the U.S. market as a whole,\615\ the Commission notes that the technological stability of individual SCI entities, in tandem with a heightened focus on critical SCI systems, are necessary prerequisites to achieving such market-wide goals. Accordingly, the Commission believes that the publications identified by Commission staff today should serve as an appropriate initial set of publications, processes, guidelines, frameworks, and standards for SCI entities to use as guidance to develop their policies and procedures under Rule 1001(a). With this guidance as a starting point, the Commission expects that the Commission staff will seek to work with members of the securities industry, technology experts, and interested members of the public towards developing standards relating to systems capacity, integrity, resiliency, availability, and security appropriately tailored for the securities industry and SCI entities, and periodically issue staff guidance that updates the guidance with such standards. --------------------------------------------------------------------------- \613\ See supra note 604 and accompanying text. \614\ See supra note 602 and accompanying text. \615\ See supra note 582 and accompanying text. --------------------------------------------------------------------------- 2. Policies and Procedures To Achieve Systems Compliance--Rule 1001(b) Proposed Rule 1000(b)(2)(i) would have required each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in the manner intended, including in a manner that complies with the federal securities laws and rules and regulations thereunder and the SCI entity's rules and governing documents, as applicable. Proposed Rule 1000(b)(2) also would have included safe harbors for an SCI entity and its employees. Specifically, proposed Rule 1000(b)(2)(ii) provided that an SCI entity would be deemed not to have violated proposed Rule 1000(b)(2)(i) if the SCI entity: (1) Established policies and procedures reasonably designed to provide for specified elements; (2) established and maintained a system for applying such policies and procedures which would reasonably be expected to prevent and detect, insofar as practicable, any violations of such policies and procedures by the SCI entity or any person employed by the SCI entity; and (3) reasonably discharged the duties and obligations incumbent upon it by such policies and procedures, and was without reasonable cause to believe that such policies and procedures were not being complied with in any material respect. The safe harbor for SCI entities in proposed Rule 1000(b)(2)(ii) specified that the SCI entity's policies and procedures must be reasonably designed to provide for: (1) Testing of all SCI systems and any changes to such systems prior to implementation; (2) periodic testing of all SCI systems and any changes to such systems after their implementation; (3) a system of internal controls over changes to SCI systems; (4) ongoing monitoring of the functionality of SCI systems to detect whether they are operating in the manner intended; (5) assessments of SCI systems compliance performed by personnel familiar with applicable federal securities laws and rules and regulations thereunder and the SCI entity's rules and governing documents, as applicable; and (6) review by regulatory personnel of SCI systems design, changes, testing, and controls to prevent, detect, and address actions that do not comply with applicable federal securities laws and rules and regulations thereunder and the SCI entity's rules and governing documents, as applicable. In addition, proposed Rule 1000(b)(2)(iii) set forth a safe harbor for individuals. It provided that a person employed by an SCI entity would be deemed not to have aided, abetted, counseled, commanded, caused, induced, or procured the violation by any other person of proposed Rule 1000(b)(2)(i) if the person employed by the SCI entity has reasonably discharged the duties and obligations incumbent upon such person by the policies and procedures, and was without reasonable cause to believe that such policies and procedures were not being complied with in any material respect. After careful consideration of the comments, proposed Rule 1000(b)(2) is adopted as Rule 1001(b) with modifications, as discussed below. a. Reasonable Policies and Procedures To Achieve Systems Compliance The Commission received significant comment on its proposal to require that SCI entities establish, maintain, and enforce written policies and procedures reasonably designed to ensure systems compliance. Some commenters supported the broad goals of a policies and procedures requirement to help ensure that SCI systems operate as intended.\616\ Other commenters questioned whether any set of policies and procedures could guarantee perfect operational compliance.\617\ One commenter emphasized that no set of policies and procedures can guarantee 100% operational compliance and that, historically, the Commission has allowed entities to use a reasonableness standard so that policies and procedures are required to be reasonably designed to promote compliance, and the same should be used for the underlying predicate requirement in Regulation SCI.\618\ A few commenters expressed concern that, in instances where an SCI entity's policies and procedures failed to prevent SCI events, the Commission might use such failures as the basis for an enforcement action, charging that the policies and procedures were not reasonable.\619\ One commenter believed that compliance with Regulation SCI should be measured against a firm's adherence to its own set of policies and procedures that are in keeping with SCI system objectives, and such policies should be reviewed and updated as part of the annual SCI review process.\620\ Another commenter requested that the Commission more clearly distinguish between liability under Regulation SCI and liability for SCI events, stating that compliance with Regulation SCI and compliance with other federal securities laws and rules must remain distinct.\621\ --------------------------------------------------------------------------- \616\ See MSRB Letter at 12-13; SIFMA Letter at 12; and MFA Letter at 3. Two of these commenters believed that SCI entities that perform critical market functions should be required to have more stringent policies and procedures than less critical SCI entities. See SIFMA Letter at 12; and MFA Letter at 3-4. \617\ See ITG Letter at 14. See also BATS Letter at 3-4, 6. \618\ See ITG Letter at 14. \619\ See BATS Letter at 3-4; Angel Letter at 4; and FSR Letter at 5. One of these commenters considered this possibility as, in effect, imposing a strict liability standard with respect to systems issues, and was concerned that the proposed approach would result in ``finger-pointing'' and constant enforcement actions for immaterial violations that desensitize people to actual material violations. See FSR Letter at 3-8. \620\ See FIF Letter at 4. \621\ See FSR Letter at 6. --------------------------------------------------------------------------- Whereas adopted Rule 1001(a) \622\ concerns the robustness of the SCI entity's systems, adopted Rule 1001(b) \623\ concerns the operational compliance of an SCI entity's SCI systems with the Exchange Act, the rules and regulations thereunder, and [[Page 72304]] the SCI entity's governing documents. The Commission continues to believe, as stated in the SCI Proposal, that a rule requiring SCI entities to establish, maintain, and enforce policies and procedures reasonably designed to ensure operational compliance will help to: ensure that SCI SROs comply with Section 19(b)(1) of the Exchange Act; \624\ reinforce existing SRO rule filing processes to assist market participants and the public in understanding how the SCI systems of SCI SROs are intended to operate; and assist SCI SROs in meeting their obligations to file plan amendments to SCI Plans under Rule 608 of Regulation NMS.\625\ It will similarly help other SCI entities (i.e., SCI ATSs, plan processors, and exempt clearing agencies subject to ARP) to achieve operational compliance with the Exchange Act, the rules and regulations thereunder, and their governing documents. --------------------------------------------------------------------------- \622\ Adopted Rule 1001(a) was proposed as Rule 1000(b)(1). \623\ Adopted Rule 1001(b) was proposed as Rule 1000(b)(2). \624\ See 15 U.S.C. 78s(b)(1) (requiring each SRO to file with the Commission copies of any proposed rule or any proposed change in, addition to, or deletion from the rules of the SRO). \625\ See Proposing Release, supra note 13, at 18115. --------------------------------------------------------------------------- The Commission notes that Rule 1001(b) is intended to help prevent the occurrence of systems compliance issues at SCI entities. The Commission discussed in Section IV.A.3.b the rationale for further focusing the definition of systems compliance issue (i.e., replacing the reference to operating ``in the manner intended, including in a manner that complies with the federal securities laws'' with a reference to operating ``in a manner that complies with the Act''). To provide consistency between the definition of systems compliance issue and the requirement for policies and procedures to ensure systems compliance, the Commission is similarly revising Rule 1001(b)(1) to require each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate ``in a manner that complies with the Act'' and the rules and regulations thereunder and the entity's rules and governing documents, as applicable. As noted above, some commenters expressed concern that an SCI entity would be found to be in violation of Rule 1001(b) if an SCI event occurs.\626\ Consistent with the discussion above regarding Rule 1001(a), the Commission emphasizes that the occurrence of a systems compliance issue at an SCI entity does not necessarily mean that the SCI entity has violated Rule 1001(b) of Regulation SCI. As stated in the SCI Proposal, an SCI entity will not be deemed to be in violation of Rule 1001(b) solely because it experienced a systems compliance issue.\627\ The Commission also notes that Rule 1001(b) requires systems compliance policies and procedures to be reasonably designed.\628\ The Commission acknowledges that reasonable policies and procedures will not ensure the elimination of all systems issues, including systems compliance issues. While a systems compliance issue may be probative as to the reasonableness of an SCI entity's policies and procedures, it is not determinative. Further, the occurrence of a systems compliance issue also does not necessarily mean that the SCI entity will be subject to an enforcement action. Rather, the Commission will exercise its discretion to initiate an enforcement action if the Commission determines that action is warranted, based on the particular facts and circumstances of an individual situation. --------------------------------------------------------------------------- \626\ See supra notes 617-620 and accompanying text. One of these commenters believed that compliance with Regulation SCI should be measured against a firm's adherence to its own set of policies and procedures that are in keeping with SCI systems objectives. See supra note 620 and accompanying text. The Commission understands this commenter to be expressing the same concern as other commenters that an SCI entity would be found to be in violation of Rule 1001(b) if an SCI event occurs. This commenter also noted that policies and procedures should be reviewed and updated as part of the annual SCI review process. See supra note 620 and accompanying text. The comment regarding reviews and updates of policies and procedures is addressed below. See infra note 673 and accompanying text. \627\ Also, as noted in the SCI Proposal, an employee of an SCI entity would not be deemed to have aided, abetted, counseled, commanded, caused, induced, or procured the violation by any other person of Rule 1001(b) merely because the SCI entity at which the employee worked experienced a systems compliance issue. See Proposing Release, supra note 13, at 18116. \628\ As stated above, one commenter noted that no set of policies and procedures can guarantee 100% operational compliance and that historically, the Commission has allowed entities to use a reasonableness standard so that policies and procedures are required to be reasonably designed to promote compliance, and the same approach should be used for Regulation SCI. See supra note 618 and accompanying text. The Commission agrees with this commenter that reasonably designed policies and procedures might not completely eliminate the occurrence of systems compliance issues. Also, adopted Rule 1001(b) is consistent with this commenter's suggestion, because it requires policies and procedures that are ``reasonably designed'' to ensure systems compliance. --------------------------------------------------------------------------- In response to one commenter's request that the Commission more clearly distinguish between liability under Regulation SCI and liability for SCI events,\629\ the Commission notes that liability under Regulation SCI is separate and distinct from liability for other violations that may arise from the underlying SCI event. In particular, whether an SCI entity violated Regulation SCI does not affect the determination of whether the underlying SCI event also caused the SCI entity to violate other laws or rules, and compliance with Regulation SCI is not a safe harbor or other shield from liability under other laws or rules. Thus, even if the occurrence of an SCI event does not cause an SCI entity to be found to be in violation of Regulation SCI, the SCI entity may still be liable under other Commission rules or regulations, the Exchange Act, or SRO rules for the underlying SCI event.\630\ --------------------------------------------------------------------------- \629\ See supra note 621 and accompanying text. \630\ For example, it is possible for an SCI SRO to have established, maintained, and enforced reasonably designed systems compliance policies and procedures consistent with the requirements of Rule 1001(b) of Regulation SCI, but still potentially violate Section 19(g) of the Exchange Act if the operation of its systems is inconsistent with its own rules. See 15 U.S.C. 78s(g) (requiring every SRO to comply with the Exchange Act, the rules and regulations thereunder, and its own rules). --------------------------------------------------------------------------- b. Proposed Safe Harbor for SCI Entities i. Comments Received In the SCI Proposal, the Commission solicited comment on the proposed approach to include safe harbor provisions in proposed Rule 1000(b)(2) and specifically asked whether commenters agreed with the proposed inclusion of safe harbors.\631\ Many commenters specifically addressed the safe harbors in proposed Rule 1000(b)(2). Two commenters urged elimination of the proposed safe harbors.\632\ One of these commenters stated that the safe harbors were framed so generally that they would be easy to invoke.\633\ This commenter also stated that inclusion of a safe harbor provision for compliance standards would unnecessarily and severely limit the Commission's ability to deter violations through meaningful enforcement actions.\634\ The other commenter stated that, if a safe harbor is adopted, the Commission should be as specific as possible in establishing how to qualify for the safe harbor, and recommended that Commission guidance ensure that SCI entities are actively building and improving upon safety systems and not simply checking boxes and doing the minimal amount necessary to ensure compliance.\635\ --------------------------------------------------------------------------- \631\ See Proposing Release, supra note 13, at 18117, question 104. \632\ See Better Markets Letter at 5-6; and Lauer Letter at 7-8. \633\ See Better Markets Letter at 5-6. \634\ See id. at 6. \635\ See Lauer Letter at 7-8. --------------------------------------------------------------------------- In contrast, several commenters supported the inclusion of a safe harbor in proposed Rule 1000(b)(2) in theory, but objected to the proposed [[Page 72305]] approach.\636\ Some commenters stated that the proposed safe harbor, with its prescriptive requirements, would evolve into the de facto rule itself as SCI entities decide to adhere to the requirements of the safe harbor rather than risk a potential enforcement action stemming from an SCI event.\637\ One of these commenters noted that the safe harbor merely further defined the elements that the policies and procedures must have by providing a list of points that reasonably designed policies and procedures must cover.\638\ This commenter believed that including a requirement for reasonably designed policies and procedures and providing a safe harbor when those policies and procedures are reasonably designed is inherently circular, and expressed concern about liability under Regulation SCI whenever there is a systems or technology malfunction or error.\639\ This commenter also compared the proposed SCI entity safe harbor to other rules, stating that the other rules requiring policies and procedures recognize the need for those policies and procedures to be reasonably designed in light of the manner in which business is conducted.\640\ This commenter further noted that, if the Commission intends that all SCI entities conform to the standards articulated in the safe harbor, the Commission should set them forth as express provisions of the rule, although this commenter believed that such an approach would be misguided because it would create strictures that impose protocols that may not be suitable for certain market participants.\641\ --------------------------------------------------------------------------- \636\ See, e.g., Angel Letter; Direct Edge Letter; FSR Letter; ITG Letter; MSRB Letter; NYSE Letter; OCC Letter; OTC Markets Letter; and Joint SROs Letter. \637\ See ITG Letter at 14 (stating that ``[t]he safe harbor contains so many requirements that it operates as a rule by itself''); and FSR Letter at 8. \638\ See FSR Letter at 4-5. \639\ See id. at 5-6. \640\ See FSR Letter at 8-9 (expressing concern that the safe harbor will become the sole yardstick by which conduct is measured and, even if the safe harbor were non-exclusive, it could become the de facto standard to the exclusion of other, legitimate approaches). \641\ See FSR Letter at 9. --------------------------------------------------------------------------- Several other commenters expressed concern that the proposed safe harbors were unclear.\642\ One group of commenters noted that the provisions in the proposed safe harbors were vague, subjective, and merely duplicate elements that would result from a logical interpretation of Rule 1000(b)(1),\643\ which these commenters believed offered no safe harbor protection at all.\644\ Another commenter stated that the use of a reasonableness standard with respect to the design of systems and the discharge of duties under an SCI entity's policies and procedures would mean that an SCI entity and its employees would never know with certainty whether they met the terms of the safe harbor.\645\ Another commenter similarly stated that SCI entities cannot know if they have complied with the safe harbor unless more guidance is provided on the concept of ``reasonable policies and procedures'' and the Commission explains what constitutes adequate testing, monitoring, assessments, and review for each system.\646\ One commenter agreed with the need for a safe harbor but stated that the proposed safe harbor is not sufficiently robust because it contains ``vague and extensive requirements that are overly subjective'' and the Commission therefore would be ``likely to review an SCI entity's interpretation of the safe harbor in the event of a systems issue with the benefit of 20/20 hindsight.'' \647\ This commenter expressed concern that the occurrence of a significant systems event would mean that an exchange did not have reasonable policies and procedures and would be outside the terms of the proposed safe harbor.\648\ --------------------------------------------------------------------------- \642\ See, e.g., FSR Letter; OCC Letter; and OTC Markets Letter. \643\ See Joint SROs Letter at 13 (stating that the proposed safe harbor should provide a more objective and transparent approach, and provide SCI entities a clear, affirmative defense from allegations of having violated Regulation SCI). \644\ See Joint SROs Letter at 13. \645\ See OCC Letter at 11. This commenter also questioned the value of the safe harbors as proposed and requested that the Commission consider including bright-line tests and minimum standards in the safe harbor provisions to better guide SCI entities and their employees in avoiding liability under Regulation SCI. See OCC Letter at 11. See also NYSE Letter at 30 (noting that the Commission provided no guidance on the phrase ``policies and procedures reasonably designed''). \646\ See OTC Markets Letter at 15. \647\ See NYSE Letter at 30. \648\ See id. --------------------------------------------------------------------------- A few commenters suggested specific alternatives to the proposed safe harbors.\649\ One commenter recommended that the Commission adopt a safe harbor with objective criteria to protect SCI entities from enforcement actions under Regulation SCI except in cases of intentional or reckless non-compliance or patterns of non-compliance with Regulation SCI, or if an SCI entity fails to implement reasonable corrective action in response to a written communication from the Commission regarding Regulation SCI.\650\ This commenter urged that, even if the Commission does not include the suggested safe harbor, the adopting release should clearly state that the Commission will not pursue enforcement actions against SCI entities that establish, maintain, and enforce compliance policies and procedures or act in good faith, notwithstanding a violation of Regulation SCI.\651\ --------------------------------------------------------------------------- \649\ See, e.g., FSR Letter; ITG Letter; OTC Markets Letter; Joint SROs Letter; and NYSE Letter. \650\ See NYSE Letter at 29, 31-32. This commenter also suggested that SCI entity employees be protected except in instances where employees intentionally or recklessly fail to discharge their duties and obligations under the SCI entity's policies and procedures. See NYSE Letter at 29, 31-32. This comment and the individual safe harbor are addressed in Section IV.B.2.d below. Another commenter, expressing support for NYSE's suggested approach for SCI entities and their employees, stated that an objective standard would provide the proper incentives for compliance and allow SCI entities to reasonably evaluate their potential exposure when an SCI event occurs and act quickly in the critical moments following an SCI event. See OTC Markets Letter at 16. \651\ See NYSE Letter at 32, n. 41. --------------------------------------------------------------------------- One group of commenters similarly recommended that the Commission adopt an objective safe harbor.\652\ These commenters noted that minor mistakes and unintentional errors occur in the daily operations of running a business, and a safe harbor should provide protection to SCI entities that follow the policies and procedures as intended, including in the resolution and containment of such mistakes and errors.\653\ These commenters believed that it should be sufficient for an SCI entity to qualify for the safe harbor if it adopts policies and procedures reasonably designed to comply with Regulation SCI and does not knowingly violate such policies and procedures.\654\ These commenters further requested that the Commission clarify its views on the protections of the safe harbor for inadvertent violations of other laws and rules despite compliance with Regulation SCI and expand the safe harbor to explicitly cover such instances.\655\ --------------------------------------------------------------------------- \652\ See Joint SROs Letter at 13-14. \653\ See id. \654\ See id. These commenters suggested a parallel safe harbor for employees of SCI entities. See id. at 14. \655\ See id. --------------------------------------------------------------------------- One commenter suggested simplifying the safe harbor to require only that an SCI entity adopt reasonable policies and procedures to comply with proposed Regulation SCI, which should include reasonable ongoing responsibilities related to testing and monitoring.\656\ Another commenter believed that the safe harbor should grant immunity from enforcement penalties for all problems that are self-reported by SCI entities and individuals.\657\ One commenter suggested that Regulation SCI should: (1) Encourage parties to discover and [[Page 72306]] remediate technology errors and malfunctions, and/or deficiencies in their policies and procedures; (2) avoid ipso facto liability under Regulation SCI for failures by technology or systems; and (3) require some form of causation in order for liability to attach.\658\ This commenter also recommended that the Commission provide safe harbors from liability under both proposed Rules 1000(b)(1) and (2) where either: (1) The SCI entity or SCI personnel discovers and remediates a problem without regulatory intervention and assuming no underlying material violation; or (2) no technology error or problem has occurred, but the policies and procedures might benefit from improvements.\659\ According to this commenter, the remediation safe harbor should also apply to underlying technology problems if the SCI entity had complied with Regulation SCI.\660\ One commenter expressed concern that, without a safe harbor and a guarantee of immunity, the disclosures to the Commission required under Regulation SCI would provide a roadmap for litigation against non-SRO entities.\661\ --------------------------------------------------------------------------- \656\ See ITG Letter at 14. \657\ See Angel Letter at 4. \658\ See FSR Letter at 9. \659\ See id. at 9-10. \660\ See id. at 3, 9-10. \661\ See OTC Markets Letter at 15-16 (stating that ``entities that do not have SRO immunity, such as ATSs, may be subject to liability based on information reported under Reg. SCI's Rule 1000(b)(4)(iv) . . . [w]ithout a safe harbor and a guarantee of immunity, this kind of disclosure provides a roadmap for litigation against non-SRO SCI entities''). --------------------------------------------------------------------------- ii. Elimination of Proposed Safe Harbor for SCI Entities and Specification of Minimum Elements As discussed in greater detail below, after careful consideration of the comments, and in light of the more focused scope of Regulation SCI, the Commission has determined not to adopt the proposed safe harbor for SCI entities.\662\ Rather, Rule 1001(b) sets forth non- exhaustive minimum elements that an SCI entity must include in its systems compliance policies and procedures. The Commission recognizes that the precise nature, size, technology, business model, and other aspects of each SCI entity's business vary. Therefore, the minimum elements are intended to be general in order to accommodate these differences, and each SCI entity will need to exercise judgment in developing and maintaining specific policies and procedures that are reasonably designed to achieve systems compliance. The Commission also believes that SCI entities should consider the evolving nature of the securities industry, as well as industry practices and standards, in developing and maintaining such policies and procedures. As such, the elements specified in Rule 1001(b) are non-exhaustive, and each SCI entity should consider on an ongoing basis what steps it needs to take in order to ensure that its policies and procedures are reasonably designed. --------------------------------------------------------------------------- \662\ The Commission's decision not to adopt an SCI entity safe harbor also addresses a commenter's concern that the inclusion of a safe harbor provision in Rule 1001(b) could unnecessarily and severely limit the Commission's ability to deter violations through meaningful enforcement actions. See supra notes 633-634 and accompanying text. As discussed in Section IV.B.2.d below, however, the Commission is adopting a safe harbor for personnel of SCI entities. --------------------------------------------------------------------------- In the SCI Proposal, the Commission stated that, ``[b]ecause of the complexity of SCI systems and the breadth of the federal securities laws and rules and regulations thereunder and the SCI entities' rules and governing documents, the Commission preliminarily believes that it would be appropriate to provide an explicit safe harbor for SCI entities and their employees in order to provide greater clarity as to how they can ensure that their conduct will comply with [Rule 1000(b)(2)].'' \663\ --------------------------------------------------------------------------- \663\ See Proposing Release, supra note 13, at 18115. --------------------------------------------------------------------------- One reason that the Commission is not adopting the proposed safe harbor for SCI entities is that the Commission has focused the scope of Regulation SCI as adopted. For example, adopted Rule 1001(b) requires policies and procedures that are reasonably designed to ensure compliance with ``the Act''--rather than operating ``in the manner intended, including in a manner that complies with the federal securities laws'' as was proposed--and the rules and regulations thereunder, and the SCI entity's rules and governing documents. Therefore, the requirement under adopted Rule 1001(b) is more targeted than the requirement under proposed Rule 1000(b)(2), and alleviates some of the concern regarding the ``breadth of the federal securities laws and rules and regulations thereunder'' that was expressed in the SCI Proposal. The Commission expects that SCI entities are familiar with their obligations under the Exchange Act, the rules and regulations thereunder, and their own rules and governing documents. In addition, as discussed in Section IV.A.2.b above, the Commission has further focused the scope of SCI systems, which also alleviates some of the concern regarding the ``complexity of SCI systems'' that was expressed in the SCI Proposal.\664\ --------------------------------------------------------------------------- \664\ See id. --------------------------------------------------------------------------- Further, as noted above, in the SCI Proposal, the Commission stated its preliminary belief that it would be appropriate to provide an explicit safe harbor for SCI entities in order to provide greater clarity on how they could comply with proposed Rule 1000(b)(2).\665\ Rather than achieving this goal, commenters argued that the proposed safe harbor merely further defined the elements that the policies and procedures must have, and did not include sufficient guidance or specificity to SCI entities seeking to rely on it.\666\ For example, one commenter noted that the policies and procedures specified in the safe harbor would still need to be ``reasonably designed.'' \667\ Further, the Commission acknowledges some commenters' concern that the proposed safe harbor, ``with its prescriptive requirements,'' could evolve into the de facto rule itself.\668\ --------------------------------------------------------------------------- \665\ See id. \666\ See supra notes 638-639, 643-648 and accompanying text. With respect to the group of commenters who suggested that the safe harbor should give SCI entities a clear, affirmative defense from allegations of having violated Regulation SCI, as discussed above, the Commission is eliminating the proposed safe harbor for SCI entities. See supra note 643. As discussed below, the Commission believes that, by specifying non-exhaustive minimum elements that an SCI entity must include in its systems compliance policies and procedures, the rule will encourage SCI entities to actively build and improve upon the compliance of their systems, rather than limit their compliance to some fixed elements of a safe harbor. \667\ See supra notes 638-639 and accompanying text. This commenter also compared the proposed SCI entity safe harbor to other rules, stating that the other rules requiring policies and procedures recognize the need for those policies and procedures to be reasonably designed in light of the manner in which business is conducted. See supra note 640 and accompanying text. Rule 1001(b), as adopted, requires policies and procedures to be ``reasonably designed'' to ensure the compliance of SCI systems. Therefore, Rule 1001(b) recognizes the need for policies and procedures to be reasonably designed in light of the manner in which an SCI entity's business is conducted. \668\ See supra note 637 and accompanying text and supra note 640. The Commission acknowledges that some commenters who believed that the proposed safe harbor was inadequate also advocated for alternative safe harbors, such as those that require knowledge or recklessness for liability. These comments are discussed below in Section IV.B.2.b.iii. --------------------------------------------------------------------------- As discussed above, the Commission is not adopting a safe harbor for SCI entities. Rather, adopted Rule 1001(b)(1) requires an SCI entity to have reasonably designed policies and procedures to achieve systems compliance and adopted Rule 1001(b)(2) specifies non- exhaustive, general minimum elements that an SCI entity must include in its systems compliance policies and procedures. These minimum elements are based on the elements contained in the proposed safe harbor for SCI entities, but modified in [[Page 72307]] response to concerns raised by commenters. As adopted, Rules 1001(b)(1) and (b)(2) specify the minimum elements of reasonably designed policies and procedures to achieve systems compliance, and at the same time provide flexibility by permitting an SCI entity to establish policies and procedures that are reasonably designed based on the nature, size, technology, business model, and other aspects of its business. Moreover, the Commission believes that, by specifying non-exhaustive, general minimum elements of systems compliance policies and procedures, the rule will encourage SCI entities to actively build and improve upon the compliance of their systems rather than limit their compliance to bright-line tests or the fixed elements of a safe harbor, and encourage the evolution of sound practices over time. In addition, the Commission notes that there currently are no publicly available written industry standards regarding systems compliance that are applicable to all SCI entities that can serve as the basis for a clear, objective safe harbor, as there is with current SCI industry standards (e.g., the publications listed in staff guidance) relating to operational capability. Even if such standards existed, the Commission believes that the specificity necessary to achieve the goal of a clear, objective safe harbor would disincentivize SCI entities from continuing to improve their systems over time. Finally, the Commission believes that, because the minimum elements specified in Rule 1001(b)(2) are non-exhaustive, Rule 1001(b) can accommodate the possibility that, as technology evolves, additional or updated elements could become appropriate for SCI entities to include in their systems compliance policies and procedures to ensure that such policies and procedures remain reasonably designed on an ongoing basis. iii. Response to Other Comments on the SCI Entity Safe Harbor With respect to commenters who requested clarification on the protection of the safe harbor for inadvertent violations of other laws and rules despite compliance with Regulation SCI,\669\ as noted above, the Commission clarifies that liability under Regulation SCI is separate and distinct from liability for other violations that may arise from the underlying SCI events under other laws and rules. Specifically, Regulation SCI imposes new requirements on SCI entities and is not intended to alter the standards for determining liability under other laws or rules. Therefore, if an SCI entity is in compliance with Regulation SCI but inadvertently violates another law or rule, whether or not the SCI entity will be liable under the other law or rule depends on the standards for determining liability under such law or rule. Because the new requirements under Regulation SCI are separate and distinct from existing requirements under other laws or rules, Regulation SCI is not a shield from liability under such laws or rules. --------------------------------------------------------------------------- \669\ See supra notes 655 and 660 and accompanying text. --------------------------------------------------------------------------- The Commission also does not believe that it would be appropriate to provide a safe harbor for all problems that are self-reported by SCI entities and individuals or that are discovered and remediated without regulatory intervention, as suggested by commenters.\670\ In particular, Rule 1001(b) is intended to help ensure that SCI entities operate their systems in compliance with the Exchange Act and relevant rules in the first place, and thus is not only focused on helping to ensure that SCI entities appropriately respond to a compliance issue (e.g., by taking corrective action or reporting the issue to the Commission) after it has occurred and impacted the market or market participants. Therefore, the Commission does not believe that the suggested self-report or remediation safe harbors will effectively further this intent of Rule 1001(b). In particular, the Commission notes that reporting and remediation of SCI events are separately required under Rules 1002(b) and (a) of Regulation SCI, respectively. The purposes of Rule 1002(b) include keeping the Commission informed of SCI events after they have occurred. Moreover, Rule 1002(a) is intended to ensure that SCI entities remedy a systems issue and mitigate the resulting harm after the issue has already occurred. The Commission believes that, if an SCI entity is protected from liability under Rule 1001(b) simply because it self-reported systems compliance issues or discovered and remediated systems compliance issues without regulatory intervention, the SCI entity will not be effectively incentivized to have reasonably designed policies and procedures to ensure systems compliance in the first place. As discussed above, the occurrence of an SCI event will not necessarily cause a violation of Regulation SCI. Further, the occurrence of a systems compliance issue also does not necessarily mean that the SCI entity will be subject to an enforcement action. Rather, the Commission will exercise its discretion to initiate an enforcement action if the Commission determines that action is warranted, based on the particular facts and circumstances of an individual situation. --------------------------------------------------------------------------- \670\ See supra notes 657 and 659 and accompanying text. --------------------------------------------------------------------------- As discussed above, some commenters expressed concern that the occurrence of a significant systems issue would mean that an SCI entity did not have reasonable policies and procedures and therefore suggested ``objective'' safe harbors.\671\ The Commission notes that all SCI entities are required to comply with the Exchange Act, the rules and regulations thereunder, and their own rules and governing documents, as applicable, and the purpose of Rule 1001(b) is to effectively help ensure compliance of the operation of SCI systems with these laws and rules. The Commission does not believe that Rule 1001(b) would further this goal to the same degree if the Commission were to adopt commenters' safe harbor suggestions (i.e., an SCI entity is deemed to be in compliance with Rule 1001(b) so long as: The SCI entity is not knowingly out of compliance; such non-compliance is not intentional, reckless, or in bad faith; or there is no pattern of non-compliance) because, with these suggested ``objective'' safe harbors, SCI entities may not be effectively incentivized to establish, maintain, and enforce reasonably designed policies and procedures to ensure systems compliance. Moreover, the Commission notes that Rule 1001(b) requires ``reasonably designed'' policies and procedures, which already provides flexibility to SCI entities in complying with the rule. The Commission also emphasizes again that, while it is eliminating the safe harbor for SCI entities, the occurrence of a systems compliance issue may be probative, but is not determinative, of whether an SCI entity violated Regulation SCI. As noted above, an SCI entity would not be [[Page 72308]] deemed to be in violation of Rule 1001(b)(1) merely because it experienced a systems compliance issue. Further, the occurrence of a systems compliance issue also does not necessarily mean that the SCI entity will be subject to an enforcement action. Rather, the Commission will exercise its discretion to initiate an enforcement action if the Commission determines that action is warranted, based on the particular facts and circumstances of an individual situation. --------------------------------------------------------------------------- \671\ See supra notes 650-654 and accompanying text. As discussed above, some of these commenters suggested that the safe harbor should protect SCI entities from enforcement action except in cases of intentional or reckless non-compliance, or patterns of non- compliance with Regulation SCI. See supra note 650 and accompanying text. As an alternative to the intentional and recklessness standard, one of these commenters requested that the Commission specifically state that the Commission will not pursue enforcement actions against SCI entities that establish, maintain, and enforce systems compliance policies and procedures or act in good faith, notwithstanding a violation of Regulation SCI. See supra note 651 and accompanying text. One commenter noted that it should be sufficient for an SCI entity to qualify for the safe harbor if it adopts policies and procedures reasonably designed to comply with Regulation SCI and does not knowingly violate such policies and procedures. See supra note 654 and accompanying text. --------------------------------------------------------------------------- Further, as noted above, one commenter recommended that the Commission provide a safe harbor where no technology error or problem has occurred, but the policies and procedures might benefit from improvements.\672\ The Commission believes that there may be instances where an SCI entity's policies and procedures might benefit from improvement, even though they are reasonably designed. In such instances, the SCI entity is in compliance with Rule 1001(b) and therefore does not need a safe harbor. At the same time, the Commission notes that there may be instances where no technology error or problem has occurred, but an SCI entity's policies and procedures with regard to systems compliance might nonetheless be deficient and not satisfy the requirements of Rule 1001(b). The Commission does not believe that it would be appropriate to provide a safe harbor in these instances. As noted above, Rule 1001(b) is intended to help ensure that SCI entities operate their SCI systems in compliance with the Exchange Act and relevant rules. The Commission does not believe that a safe harbor that effectively insulates deficient policies and procedures will further the intent of this rule. Further, the Commission notes that one requirement of Rule 1001(b)(1) is that an SCI entity ``maintain'' its policies and procedures. To explicitly set forth an SCI entity's obligation to review and update its policies and procedures, similar to Rule 1001(a), the Commission is adopting a requirement for periodic review by an SCI entity of the effectiveness of its systems compliance policies and procedures, and prompt action by the SCI entity to remedy deficiencies in such policies and procedures.\673\ The Commission notes that an SCI entity will not be found to be in violation of this maintenance requirement solely because it failed to identify a deficiency immediately after the deficiency occurred, if the SCI entity takes prompt action to remedy the deficiency once it is discovered, and the SCI entity had otherwise appropriately reviewed the effectiveness of its policies and procedures and took prompt action to remedy those deficiencies that were discovered. --------------------------------------------------------------------------- \672\ See supra note 659 and accompanying text. \673\ See Rule 1001(b)(3). The adoption of this review and update requirement is consistent with the views of some commenters. See supra notes 620 and accompanying text (discussing a commenter's suggestion that policies and procedures should be reviewed and updated as part of the annual SCI review process) and 658 and accompanying text (discussing a commenter's suggestion that Regulation SCI should encourage parties to discover and remediate deficiencies in policies and procedures). The Commission notes that Rule 1001(b)(3) requires SCI entities to review and update their systems compliance policies and procedures rather than simply ``encourage'' the discovery and remediation of deficiencies because, in order to achieve the intended benefits of Rule 1001(b), an SCI entity's systems compliance policies and procedures must remain reasonably designed. If the Commission simply encourages SCI entities to review and update their systems compliance policies and procedures, the Commission believes that there would be a greater likelihood that such policies and procedures might become outdated and less effective in preventing systems compliance issues. --------------------------------------------------------------------------- Finally, as noted above, one commenter believed that, without a safe harbor and a guarantee of immunity (such as the regulatory immunity of SROs), information provided to the Commission pursuant to Rule 1000(b)(4)(iv) would provide a roadmap for litigation. As discussed below in Section IV.B.3.c, the Commission acknowledges that, if an SCI entity experiences an SCI event, it could become the subject of litigation (including private civil litigation). At the same time, the Commission notes that the information submitted to the Commission pursuant to Regulation SCI will be treated as confidential, subject to applicable law.\674\ On the other hand, the Commission acknowledges that it could consider the information provided to the Commission pursuant to Rule 1002(b) in determining whether to initiate an enforcement action. The Commission notes that all SCI entities are required to comply with the Exchange Act, the rules and regulations thereunder, and their own rules and governing documents, as applicable, and the requirement for Commission notification of systems compliance issues is intended to assist the Commission in its oversight of such compliance. With respect to the regulatory immunity of SROs, the Commission notes that, although courts have found that SROs are entitled to absolute immunity from private claims under certain circumstances,\675\ if an SRO fails to comply with the provisions of the Exchange Act, the rules or regulations thereunder, or its own rules, the Commission is still authorized to impose sanctions.\676\ As such, like other SCI entities, SROs are not immune from Commission sanctions. Finally, as discussed in detail above, the Commission does not believe that it would be appropriate to provide a safe harbor for all problems that are self-reported to the Commission by SCI entities and individuals. --------------------------------------------------------------------------- \674\ The Commission notes that the General Instructions to Form SCI, Item G. Paperwork Reduction Act Disclosure, provides that the Commission ``will keep the information collected pursuant to Form SCI confidential to the extent permitted by law.'' See infra Section IV.C.2. \675\ The Commission notes that SRO immunity applies only under certain circumstances. In particular, ``when acting in its capacity as a SRO, [the SRO] is entitled to immunity from suit when it engages in conduct consistent with the quasi-governmental powers delegated to it pursuant to the Exchange Act and the regulations and rules promulgated thereunder.'' See DL Capital Group, LLC v. NASDAQ Stock Market, Inc., 409 F.3d 93, 97 (2d Cir. 2005) (quoting D'Alessio v. New York Stock Exchange, Inc., 258 F.3d 93, 106 (2d Cir. 2001)). \676\ See 15 U.S.C. 78s(g). --------------------------------------------------------------------------- c. Minimum Elements of Reasonable Policies and Procedures The safe harbor for SCI entities in proposed Rule 1000(b)(2)(ii) specified that, to qualify for the safe harbor, the SCI entity's policies and procedures must be reasonably designed to provide for: (1) Testing of all SCI systems and any changes to such systems prior to implementation; (2) periodic testing of all SCI systems and any changes to such systems after their implementation; (3) a system of internal controls over changes to SCI systems; (4) ongoing monitoring of the functionality of SCI systems to detect whether they are operating in the manner intended; (5) assessments of SCI systems compliance performed by personnel familiar with applicable federal securities laws and rules and regulations thereunder and the SCI entity's rules and governing documents, as applicable; and (6) review by regulatory personnel of SCI systems design, changes, testing, and controls to prevent, detect, and address actions that do not comply with applicable federal securities laws and rules and regulations thereunder and the SCI entity's rules and governing documents, as applicable. In the SCI Proposal, the Commission asked whether each element of the proposed safe harbor for SCI entities was appropriate.\677\ Several commenters addressed one or more of the proposed safe harbor elements. --------------------------------------------------------------------------- \677\ See Proposing Release, supra note 13, at 18116-17. --------------------------------------------------------------------------- As discussed above, rather than adopting the proposed safe harbor for SCI entities, the Commission is specifying non-exhaustive, general [[Page 72309]] minimum elements that an SCI entity must include in its systems compliance policies and procedures. The minimum elements are based on the proposed safe harbor. These elements are: (i) Testing of all SCI systems and any changes to SCI systems prior to implementation; (ii) a system of internal controls over changes to SCI systems; (iii) a plan for assessments of the functionality of SCI systems designed to detect systems compliance issues, including by responsible SCI personnel and by personnel familiar with applicable provisions of the Act and the rules and regulations thereunder and the SCI entity's rules and governing documents; and (iv) a plan of coordination and communication between regulatory and other personnel of the SCI entity, including by responsible SCI personnel, regarding SCI systems design, changes, testing, and controls designed to detect and prevent systems compliance issues. Each of these elements is discussed below. As noted above, some commenters requested more guidance or certainty regarding the safe harbor elements (e.g., by including bright-line tests and minimum standards).\678\ As discussed above in Section IV.B.2.b, the Commission is not adopting a safe harbor but is specifying the minimum elements that an SCI entity must include in its systems compliance policies and procedures. By generally requiring policies and procedures to be reasonably designed and specifying non- exhaustive, general minimum elements of systems compliance policies and procedures, the Commission intends to provide specificity on how to comply with Rule 1001(b), and at the same time provide a reasonable degree of flexibility to SCI entities in establishing and maintaining policies and procedures that are appropriately tailored to each SCI entity. --------------------------------------------------------------------------- \678\ See supra notes 645-647 and accompanying text. --------------------------------------------------------------------------- Regarding elements (1) and (2) of the proposed safe harbor, a few commenters opposed the inclusion of a requirement that an SCI entity conduct periodic testing of systems absent systems changes.\679\ One commenter stated that it performs testing prior to implementation of trading systems changes in the production environment and conducts regression testing to ensure that the changes did not introduce any undesired side-effects.\680\ This commenter explained that the proposed periodic testing requirement would impose additional cost and not provide any benefit.\681\ One commenter believed that the pre- and post-implementation testing components of the safe harbor, which would apply to all systems changes, could potentially drive SCI entities to take a narrow view of what constitutes a systems change.\682\ Another commenter sought further guidance from the Commission on the scope of periodic testing of all SCI systems and whether, for example, systems testing would be required following a systems change if the SCI entity has already provided notice of the systems change to the Commission.\683\ One commenter requested clarification that the testing described in proposed Rules 1000(b)(2)(ii)(A)(1) and (2) refers to testing to ensure that SCI systems operate in the manner intended, and noted that testing should not be required to be periodic, but instead should be based on the relative risks of non-compliance arising from any changes being introduced into production or any changes to the applicable laws or rules.\684\ One commenter stated that it believed that the frequency and type of testing under proposed Rules 1000(b)(2)(ii)(A)(1) and (2) are open to interpretation.\685\ --------------------------------------------------------------------------- \679\ See FINRA Letter at 33; BATS Letter at 7; and ISE Letter at 7. \680\ See ISE Letter at 7. \681\ See id. See also FINRA Letter at 33. \682\ See Direct Edge Letter at 6. This commenter expressed concern that, under the proposed approach, any opening of a customer port, the removal of access rights from a departing employee, and the previously unscheduled closing of the market for the death of a U.S. president all involve ``changes'' to SCI systems that need to be tracked, approved, and catalogued within the construct of an enterprise-wide change management system. See id. This commenter stated that these ``changes'' cannot all be tested, either prior to or after implementation, without an extraordinary amount of redundancy and bureaucracy, if at all. See id. This commenter therefore suggested requiring instead ``[a]ppropriate testing of [SCI] systems and changes to such systems prior to their implementation.'' See id. \683\ See OCC Letter at 11. \684\ See MSRB Letter at 13-14. \685\ See NYSE Letter at 30. --------------------------------------------------------------------------- After consideration of the views of commenters, the Commission believes that testing of SCI systems and changes to such systems prior to implementation is appropriate for inclusion as a required element of systems compliance policies and procedures. As noted in the SCI Proposal, elements (1) and (2) of the proposed safe harbor were intended to help SCI entities to identify potential problems before such problems have the ability to impact markets and investors.\686\ The Commission believes that testing prior to implementation of SCI systems and prior to implementation of any SCI systems changes would likely be an important component for achieving this goal and it is included as a required element of systems compliance policies and procedures.\687\ In contrast, the Commission believes that the value of the proposed element for additional testing in the absence of systems changes may be variable, depending on the SCI system or change to an SCI system at issue.\688\ At the same time, each SCI entity should consider on an ongoing basis what steps it needs to take in order to ensure that its policies and procedures are reasonably designed, including whether its policies and procedures should provide for testing of certain systems changes after their implementation to ensure that they operate in compliance with the Exchange Act and relevant rules. --------------------------------------------------------------------------- \686\ See Proposing Release, supra note 13, at 18115. \687\ With respect to a commenter's concern that ``changes'' to SCI systems could include, for example, any opening of a customer port, the removal of access rights from a departing employee, and the previously unscheduled closing of the market for the death of a U.S. president, the Commission does not view these as changes to an SCI entity's systems, because the Commission believes that these actions are part of an SCI entity's standard operations. See supra note 682. In particular, the Commission believes that the opening of a customer port, the removal of access rights, and the closing of the market are existing functionalities at SCI entities, and are routinely performed by SCI entities without the need to change existing functionalities. \688\ See supra notes 681-682 and accompanying text. The Commission notes that a commenter asked about the scope of periodic testing under the proposed safe harbor, and whether systems testing under the proposed safe harbor would be required following a systems change if the SCI entity has already provided notice of the systems change to the Commission. Another commenter noted that testing under the proposed safe harbor should not be required to be periodic, but instead could be based on the relative risks of non-compliance arising from any changes being introduced into production or any changes to applicable laws or rules. The Commission is not requiring periodic testing or testing following systems changes in Rule 1001(b), and, as discussed above, the Commission is not adopting the proposed safe harbor. --------------------------------------------------------------------------- With regard to element (3) of the proposed safe harbor, one commenter stated that it is unclear what minimum standards are required for the internal controls under proposed Rule 1000(b)(2)(ii)(A)(3).\689\ As discussed above, the Commission believes it is appropriate to set forth minimum elements of systems compliance policies and procedures that are broad enough to provide SCI entities with reasonable flexibility to design their policies and procedures based on the nature, size, technology, business model, and other aspects of their businesses. Therefore, while the Commission believes that a system of internal controls over changes to SCI systems is appropriate for inclusion as a required element of systems compliance policies and [[Page 72310]] procedures, the Commission is not specifying the minimum standard for internal controls. As stated in the SCI Proposal, a system of internal controls and ongoing monitoring of systems functionality are intended to help ensure that an SCI entity adopts a framework that will help it bring newer, faster, and more innovative SCI systems online without compromising due care, and to help prevent SCI systems from becoming noncompliant resulting from, for example, inattention or failure to review compliance with established written policies and procedures. The Commission believes that such internal controls would likely include, for example, protocols that provide for: Communication and cooperation between legal, business, technology, and compliance departments in an SCI entity; appropriate authorization of systems changes by relevant departments of the SCI entity prior to implementation; review of systems changes by legal or compliance departments prior to implementation; and monitoring of systems changes after implementation. --------------------------------------------------------------------------- \689\ See NYSE Letter at 30. --------------------------------------------------------------------------- With regard to elements (4)-(6) of the proposed safe harbor, one commenter noted that the proposed requirement related to ongoing monitoring was too broad and should be eliminated or revised to be more flexible.\690\ This commenter noted that the proposal for ``monitoring of the functionality of [SCI] systems to detect whether they are operating in the manner intended'' is potentially quite broad and seems to suggest some form of independent validation.\691\ Another commenter asked the Commission to clarify how the testing requirements in proposed Rules 1000(b)(2)(ii)(1) and (2) (testing prior to and after implementation) differ from those in proposed Rule 1000(b)(2)(ii)(A)(5) (assessments of systems compliance by personnel familiar with applicable laws and rules).\692\ One commenter noted that the monitoring, assessments, and reviews under proposed Rules 1000(b)(2)(ii)(A)(4), (5), and (6) are unclear.\693\ Two commenters sought guidance on how an SCI entity could satisfy the requirements related to reviews and assessments by legal and compliance personnel (i.e., proposed Rules 1000(b)(2)(ii)(A)(5) and (6)).\694\ One of these commenters suggested that each SCI entity be given the discretion to determine the level of familiarity necessary to qualify as personnel able to undertake the assessments and which personnel are regulatory personnel, and asked whether these two categories of personnel are different.\695\ Another commenter also sought clarification on the meaning of the term ``regulatory personnel'' and suggested that each SCI entity should have discretion in determining which of its employees constitute regulatory personnel.\696\ One commenter expressed concern that review by regulatory personnel of SCI systems would unreasonably expose non-technology persons to potential liability if an SCI entity suffers a malfunction.\697\ --------------------------------------------------------------------------- \690\ See FINRA Letter at 33-34. \691\ See id. \692\ See MSRB Letter at 13. \693\ See NYSE Letter at 30. \694\ See FINRA Letter at 34-35; and MSRB Letter at 13. \695\ See MSRB Letter at 13-14. \696\ See OCC Letter at 11. See also FINRA Letter at 34-35 (requesting more guidance on which types of personnel are intended to fulfill the requirements of proposed Rules 1000(b)(2)(ii)(A)(5) and (6)). \697\ See ITG Letter at 14. --------------------------------------------------------------------------- After consideration of the views of commenters, the Commission believes that ``a plan for assessments of the functionality of SCI systems designed to detect systems compliance issues, including by responsible SCI personnel and by personnel familiar with applicable provisions of the Act and the rules and regulations thereunder and the SCI entity's rules and governing documents'' is appropriate for inclusion as a required element of systems compliance policies and procedures. In particular, rather than ``ongoing monitoring of the functionality of [SCI] systems to detect whether they are operating in the manner intended'' and also ``assessments of SCI systems compliance . . . ,'' the Commission believes that ``a plan for assessments'' of SCI systems compliance would be more appropriate.\698\ The Commission notes that ``a plan for assessments'' could include, for example, not only a plan for monitoring, but also a plan for testing or assessments, as appropriate, and at a frequency (e.g., periodic or continuous) that is based on the SCI entity's risk assessment of each of its SCI systems.\699\ The Commission is not specifying the manner and frequency of assessments that must be set forth in such plan because the Commission believes that each SCI entity will likely be in the best position to assess and determine the assessment plan that is most appropriate for its SCI systems. The Commission emphasizes that the nature and frequency of the assessments contemplated by an SCI entity's plan will vary based on a range of factors, including the entity's governance structure, business lines, and legal and compliance framework. The plan for assessments does not require the SCI entity to conduct a specific kind of assessment, nor does it require that assessments be performed at a certain frequency. The plan, however, may address the specific reviews required by Rule 1003(b)(1). --------------------------------------------------------------------------- \698\ The Commission notes that ``a plan for assessments'' is derived from a combination of the ``ongoing monitoring'' and ``assessments'' elements of the proposed SCI entity safe harbor. Because ``a plan for assessments'' could provide for ongoing (i.e., periodic or continuous) monitoring, the Commission believes that it would be duplicative to include both monitoring and a plan for assessments as required elements of systems compliance policies and procedures. \699\ See supra note 690 and accompanying text (discussing the view of a commenter that the proposed element of the SCI entity safe harbor related to ongoing monitoring was too broad and should be eliminated or revised to be more flexible) and supra note 694 and accompanying text (discussing comments seeking guidance on how an SCI entity could satisfy the requirements related to reviews and assessments by legal and compliance personnel). Further, in response to a commenter, a plan for assessments is different from the testing of SCI systems prior to implementation of systems changes. See supra note 692 and accompanying text. --------------------------------------------------------------------------- In addition, in response to a commenter's concern that the proposed safe harbor element of ``monitoring of the functionality of [SCI] systems to detect whether they are operating in the manner intended'' is potentially quite broad and seems to suggest some form of independent validation, the Commission notes that it is not requiring SCI entities to include independent validation in their assessment plans.\700\ However, if an SCI entity determines that its reasonably designed systems compliance policies and procedures should provide for independent validation in its assessment plan under certain circumstances, then the SCI entity should design its policies and procedures accordingly. In that case, pursuant to Rule 1001(b), which requires an SCI entity to establish, maintain, and enforce its written policies and procedures, the SCI entity would be required to enforce its own policies and procedures, including those related to independent validation. --------------------------------------------------------------------------- \700\ See supra note 691 and accompanying text. --------------------------------------------------------------------------- In addition, the Commission believes that ``a plan of coordination and communication between regulatory and other personnel of the SCI entity, including by responsible SCI personnel, regarding SCI systems design, changes, testing, and controls designed to detect and prevent systems compliance issues'' is appropriate for inclusion as a required element of systems compliance policies and procedures. As noted in the SCI Proposal, assessments of SCI systems compliance by personnel familiar with applicable laws and rules [[Page 72311]] and regulatory personnel review of SCI systems design, changes, testing, and controls are intended to help foster coordination between the information technology and regulatory staff of an SCI entity so that SCI events and other issues related to SCI systems would be more likely to be addressed by a team of staff in possession of the requisite range of knowledge and skills.\701\ They are also intended to help ensure that an SCI entity's business interests do not undermine regulatory, surveillance, and compliance functions and, more broadly, the requirements of the Exchange Act, during the development, testing, implementation, and operation processes for SCI systems.\702\ The Commission believes that a plan of coordination and communication between regulatory and other personnel, including by responsible SCI personnel, would further these same goals. --------------------------------------------------------------------------- \701\ See Proposing Release, supra note 13, at 18116. \702\ For example, profit incentive could lead an SCI entity to introduce a new functionality before regulatory personnel are able to adequately check that the functionality will operate in compliance with relevant laws and rules. --------------------------------------------------------------------------- The Commission expects that an SCI entity will determine for itself the responsible SCI personnel and other personnel who have sufficient knowledge of relevant laws and rules to be able to effectively implement systems assessments,\703\ such that the SCI entity's policies and procedures are reasonably designed to ensure that SCI systems operate in compliance with the Exchange Act and relevant rules, as required by Rule 1001(b).\704\ Similarly, the Commission expects that an SCI entity will determine for itself the regulatory and other personnel, including responsible SCI personnel, who have sufficient knowledge with respect to the legal and technical aspects of systems design, changes, testing, and controls to engage in coordination and communication regarding such operations, such that the SCI entity's policies and procedures are reasonably designed to ensure that its SCI systems operate in compliance with the Exchange Act and relevant rules, as required by Rule 1001(b).\705\ --------------------------------------------------------------------------- \703\ See supra notes 694-696 and accompanying text (describing comments on the proposed safe harbor related to who would be involved in systems assessments). \704\ Criteria for identification of such personnel could, for example, be set forth in the SCI entity's systems compliance policies and procedures. \705\ Some commenters expressed concern regarding the potential liability for regulatory personnel. See supra note 697 and accompanying text. The Commission discusses individual liability in Section IV.B.2.d below. --------------------------------------------------------------------------- One commenter sought clarity on how an SCI entity would satisfy the requirement that it does ``not have reasonable cause to believe the policies and procedures were not being complied with.'' \706\ Another commenter stated that there is no guidance for SCI entities on how to appropriately follow the procedures that they have developed and stated that as proposed, it would be reasonable to interpret the safe harbor as excluding any SCI entity that suffers a significant systems event.\707\ One commenter believed that the Commission should resolve any potential ambiguity between the requirements of proposed Rule 1000(b)(2)(ii)(C)(1) (requiring SCI entities to reasonably discharge the duties and obligations set forth in the policies and procedures) and proposed Rule 1000(b)(2)(ii)(C)(2) (requiring that SCI entities not have reasonable cause to believe such policies and procedures were not being complied with).\708\ As discussed throughout this section, the Commission is not adopting the proposed safe harbor for SCI entities. Therefore, as adopted, Rule 1001(b) does not include the provisions of proposed Rules 1000(b)(2)(ii)(B) and (C). Further, the Commission believes that proposed Rules 1000(b)(2)(ii)(B) and (C) reiterated the requirements for SCI entities to establish, maintain, and enforce their systems compliance policies and procedures, and provided an example of how SCI entities could satisfy these requirements. For example, the SCI Proposal noted that proposed Rules 1000(b)(2)(ii)(B) and (C) specified that an SCI entity's policies and procedures must be reasonably designed to achieve SCI systems compliance, and that, as part of such policies and procedures, the SCI entity must establish and maintain systems for applying those policies and procedures, and enforce its policies and procedures, in a manner that would reasonably allow it to prevent and detect violations of the policies and procedures.\709\ The Commission believes that Rule 1001(b), as adopted, provides flexibility to SCI entities regarding their methods for establishing, maintaining, and enforcing their systems compliance policies and procedures. --------------------------------------------------------------------------- \706\ See FINRA Letter at 35. \707\ See OTC Markets Letter at 15. \708\ See MSRB Letter at 13-15. \709\ See Proposing Release, supra note 13, at 18116. --------------------------------------------------------------------------- d. Individual Safe Harbor Proposed Rule 1000(b)(2)(iii) set forth a safe harbor for individuals. It provided that a person employed by an SCI entity would be deemed not to have aided, abetted, counseled, commanded, caused, induced, or procured the violation by any other person of proposed Rule 1000(b)(2)(i) if the person employed by the SCI entity has reasonably discharged the duties and obligations incumbent upon such person by the policies and procedures, and was without reasonable cause to believe that such policies and procedures were not being complied with in any material respect. In the SCI Proposal, the Commission asked whether commenters agreed with the requirements of the proposed safe harbor for employees of SCI entities, and whether a similar safe harbor should be available to individuals other than employees of SCI entities.\710\ Some commenters specifically addressed the proposed safe harbor for individuals.\711\ Several commenters urged that individuals not be subject to liability under Regulation SCI absent an intentional act of willful misconduct.\712\ Two commenters questioned the need for a safe harbor for individuals generally,\713\ and one commenter stated [[Page 72312]] that inclusion of a safe harbor would unnecessarily and severely limit the Commission's ability to deter violations through meaningful enforcement actions.\714\ Two commenters questioned why the proposed safe harbor for individuals was limited to SCI entity employees.\715\ One commenter expressed concern that the proposed safe harbor for individuals could be counterproductive and create an environment of second-guessing and distrust, where employees act in a way to avoid potential liability (i.e., each person would be effectively deputized to police others' actions).\716\ A few commenters added that the proposed safe harbor for individuals, and the resulting implication of potential individual liability, may have the unintended consequence of limiting the ability of SCI entities to hire the best available talent in information technology, risk-management, and compliance disciplines.\717\ One commenter questioned why the proposed safe harbor for individuals would apply only to actions of aiding any other person and not apply to any actions of the reporting individual.\718\ --------------------------------------------------------------------------- \710\ See id. at 18117, question 103. \711\ See, e.g., Angel Letter; Direct Edge Letter; FINRA Letter; FSR Letter; and MSRB Letter. \712\ See Direct Edge Letter at 6; and MSRB Letter at 17. See also supra notes 650 and 654 and accompanying text (discussing comments suggesting individual safe harbors). One commenter suggested that the safe harbor should provide that a person employed by an SCI entity shall be deemed not to have aided, abetted, counseled, commanded, caused, induced, or procured the violation by any other person unless such violation directly or indirectly relates to the duties and obligations of such person under the policies and procedures described in Rule 1000(b)(2)(i) and such person: (A) Has not reasonably discharged the applicable duty or obligation under such policies and procedures; (B) was not directed by his or her supervisor, SCI entity legal counsel, SCI senior management, or the governing body of the SCI entity to act in a manner that would constitute such a failure to discharge such duty or obligation; and (C) acted recklessly or intentionally with respect to such failure to discharge such duty or obligation. See MSRB Letter at 17. The Commission believes that elements (A) and (B) of this commenter's suggestion are consistent with the adopted individual safe harbor. In particular, the Commission notes that the safe harbor specifies that an individual must have reasonably discharged the duties and obligations incumbent upon such person by the SCI entity's policies and procedures. The Commission believes that there can be instances where a person has reasonably discharged his or her duties and obligations under the SCI entity's policies and procedures, even though such person was directed by his or her supervisor, SCI entity legal counsel, SCI entity senior management, or the governing body of the SCI entity to act in a manner that is inconsistent with his or her duties that are set forth the policies and procedures. For example, the SCI entity's reasonably designed policies and procedures could specifically set forth circumstances where certain personnel of the SCI entity may direct another person to act outside of his or her duties or obligations that are set forth in the policies and procedures. \713\ See FINRA Letter at 35; and FSR Letter at 3-8 (stating that the proposed rule lacks clarity over why individuals need a safe harbor when the policies and procedures requirement is placed exclusively on SCI entities, and lacks clarity regarding to whom SCI entities or SCI personnel would be liable for a breach and how liability would be apportioned between market participants for an SCI event). See also MSRB Letter at 15 (seeking further clarification from the Commission regarding the nature of the potential liabilities faced by individuals). \714\ See Better Markets Letter at 6. \715\ See FINRA Letter at 35; and MSRB Letter at 17. These commenters suggested extending the safe harbor to contractors, consultants, and other non-employees used by SCI entities in connection with their SCI systems. See FINRA Letter at 35; and MSRB Letter at 17. \716\ See MSRB Letter at 15-17. \717\ See Direct Edge Letter at 6; and MSRB Letter at 17. \718\ See Angel Letter at 4. --------------------------------------------------------------------------- After careful consideration of these comments, the Commission is adopting the individual safe harbor with certain modifications. With respect to the commenter who expressed concern that a safe harbor would ``unnecessarily and severely'' limit the Commission's ability to deter violations through meaningful enforcement actions,\719\ the Commission notes that Regulation SCI only imposes obligations directly on SCI entities and the Commission is not adopting a safe harbor for SCI entities. Further, personnel of SCI entities qualify for the individual safe harbor under Rule 1001(b) only if they satisfy certain requirements.\720\ In particular, in connection with a Commission finding that an SCI entity violated Rule 1001(b), the individual safe harbor will not apply if an SCI entity personnel failed to reasonably discharge his or her duties and obligations under the policies and procedures. In addition, for an SCI entity personnel who is responsible for or has supervisory responsibility over an SCI system, the individual safe harbor also will not apply if he or she had reasonable cause to believe that the policies and procedures related to such an SCI system were not in compliance with Rule 1001(b) in any material respect. Therefore, the Commission does not believe that the individual safe harbor will ``unnecessarily and severely'' limit the Commission's ability to deter violations. --------------------------------------------------------------------------- \719\ See supra note 714 and accompanying text. \720\ As discussed below in this section, the Commission is extending the safe harbor to all personnel of an SCI entity, rather than only persons employed by an SCI entity, as proposed. --------------------------------------------------------------------------- With respect to commenters who questioned the need for an individual safe harbor because Rule 1001(b) imposes an obligation on SCI entities,\721\ the Commission agrees that Regulation SCI imposes direct obligations on SCI entities, and does not impose obligations directly on personnel of SCI entities. At the same time, as with all other violations of the Exchange Act and rules that impose obligations on an entity, there is a potential for secondary liability for an individual who aided and abetted or caused a violation. The Commission is therefore revising the individual safe harbor to clarify that personnel of an SCI entity shall be deemed not to have aided, abetted, counseled, commanded, caused, induced, or procured the violation by ``an SCI entity'' (rather than ``any other person'') of Rule 1001(b) if the elements of the safe harbor are satisfied. --------------------------------------------------------------------------- \721\ See supra note 713 and accompanying text. --------------------------------------------------------------------------- As noted above, one commenter questioned why the proposed safe harbor for individuals would only apply to actions of aiding another and not apply to any direct violative action of the reporting individual.\722\ The Commission notes that the individual safe harbor only applies to actions of aiding, abetting, counseling, commanding, causing, inducing, or procuring the violation by an SCI entity because Regulation SCI does not impose any direct obligations on personnel of SCI entities. Therefore, individuals could not be found to be in violation of Regulation SCI, except through aiding, abetting, counseling, commanding, causing, inducing, or procuring the violation by an SCI entity of Regulation SCI. --------------------------------------------------------------------------- \722\ See supra note 718 and accompanying text. --------------------------------------------------------------------------- With respect to commenters who suggested extending the individual safe harbor to contractors, consultants, and other non-employees used by SCI entities in connection with their SCI systems,\723\ the Commission agrees with these comments and is extending the safe harbor to all ``personnel of an SCI entity,'' rather than only persons employed by an SCI entity, as was proposed. Specifically, the Commission believes that contractors, consultants, and other similar non-employees may act in a capacity similar to an SCI entity's employees, and thus should be able to avail themselves of the individual safe harbor if they satisfy its requirements. --------------------------------------------------------------------------- \723\ See supra note 715 and accompanying text. --------------------------------------------------------------------------- To be covered by the individual safe harbor, for which the individual has the burden of proof, personnel of an SCI entity must: (i) Have reasonably discharged the duties and obligations incumbent upon such person by the SCI entity's policies and procedures; and (ii) be without reasonable cause to believe that the policies and procedures relating to an SCI system for which such person was responsible, or had supervisory responsibility, were not established, maintained, or enforced in accordance with Rule 1001(b) in any material respect. Element (i) of the adopted individual safe harbor is substantively unchanged from the proposal. For the reasons discussed below in this section, element (ii) of the adopted individual safe harbor specifies that it applies only to a person who is responsible for or has supervisory responsibility over an SCI system. In addition, rather than requiring an individual to be without reasonable cause to believe that systems compliance policies and procedures ``were not being complied with in any material respect'' as proposed, element (ii) of the adopted safe harbor requires the applicable personnel to be without reasonable cause to believe that the relevant systems compliance policies and procedures ``were not established, maintained, or enforced'' in accordance with Rule 1001(b) in any material respect. The Commission notes that element (ii) of the adopted safe harbor tracks the language of the general requirement under Rule 1001(b) that an SCI entity ``establish, maintain, and enforce'' written policies and procedures reasonably designed to ensure systems compliance, and appropriately reflects the responsibilities of a person who is responsible for or has supervisory responsibility over an SCI system.\724\ --------------------------------------------------------------------------- \724\ As noted below, the Commission believes it is appropriate in the context of the safe harbor that, if a person with responsibility over an SCI system becomes aware of potential material non-compliance of the SCI entity's policies and procedures related to that system, such person should take action to review and address, or direct other personnel to review and address, such material non-compliance. --------------------------------------------------------------------------- [[Page 72313]] The Commission believes that it is appropriate to not provide a safe harbor to a person with responsibility over an SCI system if such person had reasonable cause to believe that the policies and procedures for such system were not established, maintained, or enforced as required by Rule 1001(b) in a material respect. The limited application of this element to such personnel (rather than to any person employed by an SCI entity as proposed) is intended to mitigate commenters' concerns that the proposed safe harbor would create an environment of distrust and limit the ability of SCI entities to hire high quality personnel.\725\ In particular, personnel who are not responsible for and do not have supervisory responsibility over SCI systems can qualify for the individual safe harbor, regardless of their belief regarding the reasonableness of the SCI entity's systems compliance policies and procedures. Therefore, such personnel would not be ``deputized to police'' the actions of other personnel, as a commenter believed they would.\726\ Further, with respect to personnel who are responsible for or have supervisory responsibility over an SCI system, such personnel likely already have the responsibility to supervise others' activities related to that SCI system, which would provide such personnel with information to form a reasonable belief regarding the reasonableness of the policies and procedures. Because Rule 1001(b) is intended to help prevent the occurrence of systems compliance issues at SCI entities, the Commission believes that it is appropriate for supervisory personnel to be knowledgeable regarding the entity's policies and procedures regarding systems compliance, which may be accomplished through training provided by the SCI entity. Moreover, the Commission believes it is appropriate in the context of the safe harbor that, if a person with responsibility over an SCI system becomes aware of potential material non-compliance of the SCI entity's policies and procedures related to that system, such person should take action to review and address, or direct other personnel to review and address, such material non-compliance. Finally, to further mitigate commenters' concern that potential individual liability may limit the hiring ability of SCI entities,\727\ as noted above, personnel of an SCI entity will not be deemed to have aided, abetted, counseled, commanded, caused, induced, or procured the violation by an SCI entity of Regulation SCI merely because the SCI entity experienced a systems compliance issue, whether or not the person was able to take advantage of the individual safe harbor. --------------------------------------------------------------------------- \725\ See supra notes 716-717 and accompanying text. \726\ See supra note 716 and accompanying text. \727\ See supra note 717 and accompanying text. --------------------------------------------------------------------------- As noted above, with respect to a personnel of an SCI entity who is not responsible for and does not have supervisory responsibility over SCI systems, the safe harbor provides that such personnel shall be deemed not to have aided, abetted, counseled, commanded, caused, induced, or procured the violation by an SCI entity of Rule 1001(b) if such person has reasonably discharged the duties and obligations incumbent upon him or her by the systems compliance policies and procedures. Therefore, unlike personnel who are responsible for or have supervisory responsibility over SCI systems, these persons would not be liable even if the SCI entity itself did not have reasonably designed systems compliance policies and procedures or did not enforce its policies and procedures, as long as they discharged their duties and obligations under the policies and procedures in a reasonable manner.\728\ The Commission believes this safe harbor is appropriate because the persons who will seek to rely on this safe harbor are those who do not have responsibility for the establishment, maintenance, and enforcement of the policies and procedures, or the actions of other personnel of the SCI entity. --------------------------------------------------------------------------- \728\ The Commission believes that, in order for a person to reasonably discharge his duties and obligations under the SCI entity's policies and procedures, that person must be able to understand his duties and obligations under such policies and procedures, which may be accomplished through training provided by the SCI entity. --------------------------------------------------------------------------- With respect to commenters who argued that individuals should not be subject to liability under Regulation SCI absent an intentional act of willful misconduct,\729\ the Commission notes again that Regulation SCI imposes direct obligations only on SCI entities, and not on individuals. However, as with all other violations of provisions of the Exchange Act and rules that impose obligations on an entity, there is a potential for secondary liability for an individual who aided and abetted or caused a violation. As discussed above in the context of SCI entities, all SCI entities are required to comply with the Exchange Act, the rules and regulations thereunder, and their own rules and governing documents, as applicable, and the purpose of Rule 1001(b) is to effectively help ensure compliance of the operation of SCI systems with the Exchange Act, the rules and regulations thereunder, and their own rules and governing documents. The Commission does not believe that the rule would further this goal to the same degree if the Commission adopts commenters' suggestions for the individual safe harbor (i.e., personnel of an SCI entity are permitted to cause an SCI entity to be out of compliance with Rule 1001(b) so long as the personnel did not act intentionally or willfully). --------------------------------------------------------------------------- \729\ See supra note 712 and accompanying text. --------------------------------------------------------------------------- 3. SCI Events: Corrective Action; Commission Notification; Dissemination of Information--Rule 1002 Adopted Rule 1002, which corresponds to proposed Rules 1000(b)(3)- (5), requires an SCI entity to take corrective action, notify the Commission, and disseminate information regarding certain SCI events. a. Triggering Standard As proposed, the obligation of an SCI entity to take corrective action (proposed Rule 1000(b)(3)), notify the Commission (proposed Rule 1000(b)(4)), and disseminate information (proposed Rule 1000(b)(5)) would have been triggered upon ``any responsible SCI personnel becoming aware of'' an SCI event.\730\ Proposed Rule 1000(a) defined ``responsible SCI personnel'' to mean, for a particular SCI system or SCI security system impacted by an SCI event, any personnel, whether an employee or agent, of an SCI entity having responsibility for such system.\731\ In the SCI Proposal, the Commission noted that this proposed definition was intended to include any personnel of the SCI entity having responsibility for the specific system(s) impacted by a given SCI event.\732\ The Commission stated that such personnel would include any technology, business, or operations staff with responsibility for such systems, and with respect to systems compliance issues, any regulatory, legal, or compliance personnel with legal or compliance responsibility for such systems.\733\ The Commission also [[Page 72314]] explained that ``responsible SCI personnel'' would not be limited to managerial or senior-level employees of the SCI entity and could include junior personnel with responsibility for a particular system.\734\ --------------------------------------------------------------------------- \730\ See proposed Rules 1000(b)(3), 1000(b)(4)(i)-(ii), and 1000(b)(5)(i)-(ii). \731\ See proposed Rule 1000(a) and Proposing Release, supra note 13, at Section III.C.3.a. \732\ See Proposing Release, supra note 13, at 18118. \733\ See id. \734\ See id. --------------------------------------------------------------------------- After considering the views of commenters, the Commission is modifying the proposed standard for triggering corrective action, Commission notification, and dissemination of information obligations in adopted Rule 1002, including by amending the definition of responsible SCI personnel, as discussed below. Responsible SCI Personnel Many commenters expressed concern that the proposed definition of responsible SCI personnel was too broad.\735\ These commenters generally urged the Commission to revise the scope of the definition to cover only those employees in management or supervisory roles that have responsibility over an SCI system, rather than including relatively junior or inexperienced employees.\736\ Some of these commenters stated that junior employees and/or technology personnel may not have the training or breadth of knowledge or experience necessary to identify, analyze, and determine whether a systems issue is an SCI event under the rule.\737\ Similarly, one commenter advocated limiting responsible SCI personnel to employees with full knowledge and authority over a system.\738\ Some commenters also suggested that SCI entities should have the discretion to decide which employees are responsible SCI personnel.\739\ --------------------------------------------------------------------------- \735\ See, e.g., Omgeo Letter at 13; MSRB Letter at 6; BATS Letter at 8; Liquidnet Letter at 3; CME Letter at 7; OCC Letter at 12; Joint SROs Letter at 12; FINRA Letter at 25-26; and OTC Markets Letter at 19. See also NYSE Letter at 19 (stating that the proposed definition was too vague and suggesting an alternative approach). See also infra note 761 and accompanying text. \736\ See, e.g., Omgeo Letter at 13; MSRB Letter at 6, 18; NYSE Letter at 19; BATS Letter at 8; Liquidnet Letter at 3; CME Letter at 7; OCC Letter at 12; Joint SROs Letter at 12; FINRA Letter at 25-26; and OTC Markets Letter at 19. Similarly, with regard to the Commission notification requirement in proposed Rule 1000(b)(4), one commenter stated that the obligation to notify the Commission should only be triggered when the responsible SCI personnel notifies the officer or senior staff responsible for the SCI system or systems generally. See DTCC Letter at 9. \737\ See, e.g., OCC Letter at 12; FINRA Letter at 25-26; and OTC Markets Letter at 19. \738\ See FIF Letter at 3, 5. \739\ See, e.g., Liquidnet Letter at 3; NYSE Letter at 19; and Joint SROs Letter at 12. --------------------------------------------------------------------------- Similarly, several commenters emphasized the importance of escalation policies and procedures, pursuant to which technology staff or junior employees could assess a systems problem and escalate the issue up the chain of command to management as well as legal and/or compliance personnel, who will help determine whether a systems issue was an SCI event and whether the obligations under Regulation SCI are triggered.\740\ These commenters argued that the rule should allow entities to adopt and follow such escalation procedures rather than triggering the obligations under Regulation SCI upon one employee's awareness of a systems issue.\741\ One commenter also asserted that limiting the definition of responsible SCI personnel would be appropriate if the Commission also required a robust escalation procedure.\742\ --------------------------------------------------------------------------- \740\ See, e.g., OCC Letter at 12; FINRA Letter at 25-26; Omgeo Letter at 13; FIF Letter at 5; and NYSE Letter at 19-20. \741\ See, e.g., OCC Letter at 12; FINRA Letter at 25-26; Omgeo Letter at 13; FIF Letter at 5; and NYSE Letter at 19-20. \742\ See FIF Letter at 5. --------------------------------------------------------------------------- Some commenters also expressed concern about the potential liability that responsible SCI personnel could face if the rule were adopted as proposed, given the breadth of the definition of ``responsible SCI personnel.'' \743\ Specifically, commenters asserted that, as a result of including junior and information technology personnel within the definition and the potential liability of such individuals, the proposed provision would make it more difficult for SCI entities to attract and retain high quality information technology employees.\744\ Another commenter noted that responsible operations or technical personnel may not be in a position to make legal determinations about when a compliance issue has arisen.\745\ --------------------------------------------------------------------------- \743\ See, e.g., NYSE Letter at 19; BATS Letter at 8; Joint SROs Letter at 13; and OTC Markets Letter at 18. See also supra note 717. \744\ See, e.g., NYSE Letter at 19; BATS Letter at 8; Joint SROs Letter at 13; and OTC Markets Letter at 18. These commenters therefore recommended that the definition include only senior personnel who would more appropriately be responsible for making a determination as to whether an SCI event had occurred given their knowledge and authority. \745\ See Omgeo Letter at 13. --------------------------------------------------------------------------- After consideration of the views of commenters, the Commission has revised the term ``responsible SCI personnel'' to mean, ``for a particular SCI system or indirect SCI system impacted by an SCI event, such senior manager(s) of the SCI entity having responsibility for such system, and their designee(s).'' \746\ The Commission agrees that the proposed definition of responsible SCI personnel was broad and, consistent with the views of some commenters, believes that it is appropriate to instead focus the adopted definition on senior personnel of SCI entities that have responsibility for a particular system.\747\ The Commission believes that adopting a more focused definition of responsible SCI personnel to include only senior managers having responsibility for a given system (and their designees) addresses commenters' concerns that the obligations of the rule could have been triggered upon the awareness of junior or inexperienced employees who lack the knowledge or experience to be able to make a determination regarding whether an SCI event had, in fact, occurred.\748\ The Commission believes that the revised definition is a better approach than the proposed definition because, consistent with suggestions from some commenters, it will appropriately allow SCI entities to adopt procedures that would require personnel of an SCI entity to escalate a systems issue to senior individuals who are responsible for a particular system and who have the ability and authority to appropriately analyze and assess the issue affecting the SCI system or indirect SCI system, and their designees, as applicable.\749\ --------------------------------------------------------------------------- \746\ See adopted Rule 1000. \747\ See generally supra notes 735-738 and accompanying text. \748\ See supra notes 736-737. See also note 738 and accompanying text. \749\ See supra Section IV.B.1.b (discussing Rule 1001(a)(1)(2)(vii), which requires an SCI entity to have policies and procedures to provide for monitoring of SCI systems, and indirect SCI systems, as applicable, to identify potential SCI events, and escalate them to responsible SCI personnel); and infra notes 758-761 and accompanying text. --------------------------------------------------------------------------- The Commission also notes that, consistent with some commenters' recommendations, under the adopted rule, SCI entities will be afforded flexibility to determine which personnel to designate as ``responsible SCI personnel.'' \750\ Specifically, SCI entities will need to affirmatively identify one or more senior managers that have responsibility for each of its SCI systems or indirect SCI systems.\751\ In addition, the Commission notes that the definition of responsible SCI personnel affords SCI entities with the flexibility to designate one or more other personnel as designees for a given system.\752\ The Commission believes that it is important to include designees within the definition of responsible SCI personnel to provide an SCI entity with the flexibility that it may need, and [[Page 72315]] which the Commission believes is necessary, given the varying sizes, natures, and complexities of each SCI entity. A senior manager may name a designee (or designees) who would also have responsibility for a given system with regard to Regulation SCI, for example, if the senior manager is absent, is occupied with other oversight responsibilities for a period of time, or because of other practical limitations, is otherwise unavailable to assess the SCI entity's obligations under Regulation SCI at a given point in time. The Commission believes it is likely that the designation of a designee and such designee's particular responsibilities with regard to an SCI system or indirect SCI system would be addressed by an SCI entity's policies and procedures, as discussed below. However, the Commission notes that while the definition of ``responsible SCI personnel'' does not permit the senior manager having responsibility for an applicable system to disclaim responsibility under the rule by delegating it fully to one or more designees (i.e., the adopted rule reads ``and their designees'' rather than ``or their designees''), it may assist SCI entities in fulfilling their responsibilities under Regulation SCI by allowing them to delegate to personnel other than senior managers such that those designees can also serve in the role of responsible SCI personnel. --------------------------------------------------------------------------- \750\ See supra note 739 and accompanying text. \751\ See Rule 1001(c). \752\ The Commission notes that the rules do not, however, require SCI entities to have designees. Rather, each SCI entity has the discretion to have designees if they choose to do so. --------------------------------------------------------------------------- The Commission further believes that the modifications to the definition addresses some commenters' concerns regarding the potential liability of junior SCI personnel, as the obligations of the rule are now triggered only when senior managers, rather than junior employees, having responsibility for a particular system have a reasonable basis to conclude that an SCI event has occurred.\753\ Further, the Commission reiterates that Regulation SCI imposes direct obligations on SCI entities and does not impose obligations directly on personnel of SCI entities. For these reasons, the Commission believes that an SCI entity's ability to attract and retain employees should not be negatively affected by the requirements of Regulation SCI, as adopted.\754\ The Commission also reiterates that the occurrence of an SCI event may be probative, but is not determinative of whether an SCI entity violated Regulation SCI.\755\ --------------------------------------------------------------------------- \753\ See supra notes 743-744 and accompanying text. \754\ See supra notes 721 and 743-744 and accompanying text. The Commission notes that commenters' concerns regarding potential liability of employees were related to the scope of the proposed definition of responsible SCI personnel and the effect on the hiring and retention of junior and information technology personnel. Commenters believed that the definition should instead focus on senior managers who could appropriately be held responsible given their responsibilities and authority to take necessary actions under the rule. \755\ See, e.g., supra notes 470 and 627 and accompanying text. --------------------------------------------------------------------------- In light of the more focused definition of responsible SCI personnel and consistent with commenters' suggestions,\756\ the Commission believes it is appropriate to also adopt a policies and procedures requirement with respect to the designation of responsible SCI personnel and escalation procedures. As discussed above, many commenters highlighted the importance of escalation procedures and advocated for their use as an alternative to the adoption of a broader definition of responsible SCI personnel.\757\ Specifically, the Commission is adopting Rule 1001(c), which requires each SCI entity to ``[e]stablish, maintain, and enforce reasonably designed written policies and procedures that include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible SCI personnel of potential SCI events.'' The Commission believes that it is important for an SCI entity's policies and procedures to have a defined set of criteria for identifying responsible SCI personnel so that such personnel are identified in a consistent manner across all of an SCI entity's operations and with regard to all of its SCI systems and indirect SCI systems. The Commission believes that SCI entities are best suited to establish the appropriate criteria for such a designation but notes that such criteria could include, for example, consideration of the level of knowledge, skills, and authority necessary to take the required actions under the rules. The Commission also believes it is important for policies and procedures to include the designation and documentation of responsible SCI personnel, so that it is clear to all employees of the SCI entity who the designated responsible SCI personnel are for purposes of the escalation procedures and so that Commission staff can easily identify such responsible SCI personnel in the course of its inspections and examinations and other interactions with SCI entities. The Commission also believes that, given the more focused definition of responsible SCI personnel, escalation procedures to quickly inform responsible SCI personnel of potential SCI events are necessary to help ensure that the appropriate person(s) are provided notice of potential SCI events so that any appropriate actions can be taken in accordance with the requirements of Regulation SCI without unnecessary delay. Such escalation procedures would establish the means by which, and actions required for, escalating information regarding a systems issue that may be an SCI event up the chain of command to the responsible SCI personnel, who will be responsible for determining whether an SCI event has occurred and what resulting obligations may be triggered. The Commission notes that each SCI entity may establish escalation procedures that conform to its needs, organization structure, and size. By requiring that responsible SCI personnel are ``quickly inform[ed]'' of potential SCI events, the Commission intends to require that escalation procedures emphasize promptness and ensure that responsible SCI personnel are informed of potential SCI events without delay. At the same time, the rule does not prescribe a specific time requirement in order to give flexibility to SCI entities in recognition that immediate notification may not be possible or feasible. Further, similar to adopted Rules 1001(a) and 1001(b), Rule 1001(c) requires that an SCI entity periodically review the effectiveness of the policies and procedures related to responsible SCI personnel, and to take prompt action to remedy deficiencies in such policies and procedures. --------------------------------------------------------------------------- \756\ See supra notes 740-742 and accompanying text and infra notes 759-761 and accompanying text. \757\ See supra notes 740-742 and accompanying text. --------------------------------------------------------------------------- Becomes Aware Several commenters criticized the proposed requirement that certain obligations under Regulation SCI be triggered when a responsible SCI personnel ``becomes aware'' of an SCI event. Some commenters stated that the standard was vague and lacked clarity regarding when, exactly, responsible SCI personnel would be deemed to become aware of an SCI event.\758\ Further, some commenters noted that the ``becomes aware'' standard emphasized immediate action over methodical escalation, diagnosis, and resolution procedures.\759\ As noted above, several commenters emphasized the importance of escalation policies and procedures, and argued that the rule should allow entities to adopt and follow such escalation procedures rather [[Page 72316]] than triggering the obligations under Regulation SCI upon one employee's awareness of a systems issue.\760\ Another commenter suggested specific revisions to the triggering standard so that the phrase ``responsible SCI personnel becoming aware'' would be eliminated entirely and replaced with ``SCI entity having a reasonable basis to conclude,'' which it believed would allow for escalation through a normal chain of command.\761\ --------------------------------------------------------------------------- \758\ See, e.g., BATS Letter at 8-9; NYSE Letter at 19; and Joint SROs Letter at 12. \759\ See Joint SROs Letter at 3, 9, and 12. See also OCC Letter at 12; FINRA Letter at 25-26; Omgeo Letter at 13; FIF Letter at 5; and NYSE Letter at 19-20. \760\ See supra notes 740-742 and accompanying text. \761\ See NYSE Letter at 19. --------------------------------------------------------------------------- With regard to the Commission notification requirements specifically,\762\ one commenter suggested that SCI entities should only be required to notify the Commission ``upon confirming the existence of an SCI event,'' \763\ while another commenter stated that the rule should require notification to the Commission as soon as reasonably practicable after responsible personnel becomes aware of the SCI event.\764\ Similarly, one commenter believed that the ``becomes aware'' standard was problematic because it would require notification before an SCI entity has accurate information upon which to act.\765\ --------------------------------------------------------------------------- \762\ See infra Section IV.B.3.c (discussing the Commission notification requirement for SCI events). \763\ See Direct Edge Letter at 8. \764\ See Omgeo Letter at 17. \765\ See FIF Letter at 5 (urging that notification be required when ``accurate and actionable'' information is provided to responsible SCI personnel). See also BATS Letter at 9. --------------------------------------------------------------------------- After consideration of the views of commenters, the Commission has determined to revise the triggering standard so that SCI entities will be required to comply with the obligations of adopted Rule 1002 upon responsible SCI personnel having ``a reasonable basis to conclude'' that an SCI event has occurred, as suggested by a commenter.\766\ This standard permits an SCI entity to gather relevant information and perform an initial analysis and assessment as to whether a systems issue may be an SCI event, rather than requiring an SCI entity to take corrective action, notify the Commission, and/or disseminate information about an SCI event immediately upon responsible SCI personnel becoming aware of an SCI event.\767\ Thus, the Commission believes that the ``reasonable basis to conclude'' standard should provide some additional flexibility and time for judgment to determine whether there is a ``reasonable basis to conclude'' in contrast to the ``becomes aware'' standard which many commenters noted would be difficult to apply in practice due to the difficulty of determining when an individual, in fact, ``becomes aware'' of an SCI event.\768\ Further, the Commission believes that, consistent with commenters' recommendations, the revised standard, in conjunction with the revised definition of ``responsible SCI personnel,'' will allow an SCI entity to adopt and follow its internal escalation policies and procedures to inform senior SCI entity personnel of systems issues, and allow meaningful assessment of the issues by such senior management prior to triggering obligations of the rule.\769\ At the same time, the Commission believes that the obligations of the rule will continue to be triggered in a timely manner because the Commission is adopting a separate requirement in Rule 1001(c), as noted above, for escalation procedures to quickly inform responsible SCI personnel of potential SCI events. --------------------------------------------------------------------------- \766\ See adopted Rules 1002(a), (b), and (c). See also supra note 761. \767\ See supra notes 759 and 763-765 and accompanying text. Additionally, the Commission does not agree with the commenter who stated that notification should be required only as soon as reasonably practicable after responsible personnel become aware of an SCI event because that standard would unnecessarily delay the requirement for an SCI entity to take necessary actions under the rule and the Commission's knowledge of an SCI event. See supra note 764. \768\ See supra note 758 and accompanying text. \769\ See supra notes 758-760 and accompanying text. The Commission believes that the adopted standard similarly allows for escalation of a systems issue to senior officials because the Commission believes that having ``a reasonable basis to conclude'' is a good indication that an SCI event has likely occurred and does not require that the responsible SCI personnel come to a definitive conclusion, which would cause unnecessary delay in taking the actions required by Regulation SCI. Rather, once responsible SCI personnel have a reasonable basis to conclude that an SCI event has occurred, the Commission believes that an SCI entity should begin to take corrective action, provide notice to the Commission, and/or disclose such event, as applicable, because these requirements are designed to ensure that the SCI entity begins to take action in a timely fashion to mitigate potential harm arising from the incident and that the Commission and relevant market participants are kept apprised of an SCI event even where a definitive conclusion is not yet available. The Commission does not agree with the commenter that it should apply the triggering standard only to the SCI entity rather than responsible SCI personnel. The Commission notes, as discussed above, that the adopted definition of responsible SCI personnel imposes obligations only upon the senior personnel of an SCI entity that have responsibility for a particular system. Additionally, the Commission believes that it is important to apply the triggering standard to responsible SCI personnel rather than to the SCI entity because, when combined with an SCI entity's policies and procedures with respect to the designation of responsible SCI personnel and escalation and monitoring procedures, the triggering standard is designed to ensure that senior managers are provided notice of potential SCI events so that any appropriate actions can be taken in accordance with the requirements of Regulation SCI without unnecessary delay. --------------------------------------------------------------------------- b. Corrective Action--Rule 1002(a) Proposed Rule 1000(b)(3) required an SCI entity, upon any responsible SCI personnel becoming aware of an SCI event, to begin to take appropriate corrective action including, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable.\770\ The corrective action requirement is being adopted substantially as proposed, but with the triggering standard modified as discussed above.\771\ --------------------------------------------------------------------------- \770\ See proposed Rule 1000(b)(3) and Proposing Release, supra note 13, at 18117. \771\ See supra Section IV.B.3.a (discussing the triggering standard). --------------------------------------------------------------------------- Two commenters supported the corrective action provision generally.\772\ Several commenters stated that the proposed requirement put too great an emphasis on immediately taking corrective action at the expense of thoroughly analyzing the SCI event and its cause, considering potential remedies, and/or acting in accordance with internal policies and procedures before committing to a plan to take corrective action.\773\ One group of commenters suggested that the rule should make clear that ``corrective action'' should also include a variety of other potential actions, such as communicating with responsible parties, diagnosing the root cause, disclosing to members and the public, and mitigating potential harm by following their policies and procedures.\774\ Another commenter stated that, in certain circumstances, it is ``aggressive to presume that one individual's knowledge should prompt an immediate response by the SCI [e]ntity at large.'' \775\ This commenter further stated that a standard requiring an SCI entity to mitigate potential harm to investors is extremely vague.\776\ --------------------------------------------------------------------------- \772\ See MSRB Letter at 17 and DTCC Letter at 9-10. \773\ See SIFMA Letter at 3; OCC Letter at 14; Joint SROs Letter at 11; LiquidPoint Letter at 4; DTCC Letter at 10; and Direct Edge Letter at 7. \774\ See Joint SROs at 11. \775\ See Direct Edge Letter at 7. \776\ Id. --------------------------------------------------------------------------- As adopted, Rule 1002(a) requires an SCI entity, upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, to begin to take appropriate corrective action including, at a minimum, mitigating potential harm to investors and market integrity resulting [[Page 72317]] from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable. The Commission continues to believe that this provision of Regulation SCI is important to make clear that each SCI entity has the obligation to respond to SCI events with appropriate steps necessary to remedy the problem or problems causing such SCI event and mitigate the negative effects of the SCI event, if any, on market participants and the securities markets more broadly. As discussed below, the specific steps that an SCI entity will need to take to mitigate the harm will be dependent on the particular systems issue, its causes, and the estimated impact of the event, among other factors. To the extent that a systems issue affects not only the particular users of an SCI system, but also has a more widespread impact on the market generally, as may be likely with regard to systems issues affecting critical SCI systems, the SCI entity will need to consider how it might mitigate any potential harm to the overall market to help ensure market integrity. For example, an SCI entity would need to take steps to regain a system's ability to process transactions in an accurate, timely, and efficient manner, or to ensure the accurate, timely, and efficient collection, processing, and dissemination of market data. As noted above, many of the comments on this requirement are related to the standard for triggering the obligation to take corrective action under this provision, namely ``upon any SCI responsible personnel becoming aware of'' an SCI event. As discussed above, the Commission has further focused the scope of the term ``responsible SCI personnel'' in response to commenters' concerns that the term was too broad and could inappropriately capture junior and/or inexperienced employees. Further, as discussed above, the Commission has revised the ``becomes aware'' standard to instead trigger obligations when responsible personnel have ``a reasonable basis to conclude'' an SCI event has occurred. As explained above, the Commission believes that these important modifications are responsive to commenters' concerns that the corrective action requirement could be triggered upon the knowledge of only one individual or a junior employee of a systems issue without sufficient time to analyze and assess the systems problem and follow internal escalation procedures. Under the adopted standard, only when (i) suspected systems problems are escalated to senior managers of the SCI entity who have responsibility for the SCI system or indirect SCI system experiencing an SCI event and their designees, and (ii) such personnel have ``a reasonable basis to conclude'' that an SCI event has occurred are the appropriate corrective actions required by Rule 1002(a) triggered. Further, in response to commenters who stated that the proposed rule places too large an emphasis on immediate corrective action,\777\ in addition to the modifications noted above which are intended to allow for appropriate time for an SCI entity to perform an initial analysis and preliminary investigation into a potential systems issue before the obligations under Rule 1002(a) are triggered, the Commission notes that it does not use the term ``immediate'' in either the proposed or adopted rules. Rather, the Commission emphasizes that the rule requires that corrective action be taken ``as soon as reasonably practicable'' once the triggering standard has been met. The Commission believes that, because the facts and circumstances of each specific SCI event will be different, this standard ensures that an SCI entity will take necessary corrective action soon after an SCI event, but not without sufficient time to first consider what is the appropriate action to remedy the SCI event in a particular situation and how such action should be implemented. --------------------------------------------------------------------------- \777\ See supra notes 773-775 and accompanying text. --------------------------------------------------------------------------- Moreover, the Commission has considered the comment that the rule prescribe in more specificity the particular types of corrective action that must be taken by an SCI entity and believes that it is appropriate to adopt, as proposed, a rule that requires more generally that ``appropriate'' corrective action be taken and requires that, at a minimum, the SCI entity take appropriate steps to mitigate potential harm to investors and market integrity resulting from the SCI event and devote adequate resources to remedy the SCI event. The Commission notes that the rule is designed to afford flexibility to SCI entities in determining how to best respond to a particular SCI event in order to remedy the problem causing the SCI event and mitigate its effects. As a general matter, though, the Commission agrees that such corrective action would likely include a variety of actions, such as those identified by one group of commenters, including determining the scope of the SCI event and its causes, making a determination regarding its known and anticipated impact, following adequate internal diagnosis and resolution policies and procedures, and taking additional action to respond as each SCI entity deems appropriate.\778\ The Commission also notes that certain other specific types of corrective action identified by such commenters are already required by other provisions of Regulation SCI, such as communicating and escalating the issue to responsible personnel and making appropriate disclosures to members or participants regarding the SCI event.\779\ --------------------------------------------------------------------------- \778\ See supra note 774 and accompanying text. \779\ See adopted Rule 1001(c) (requiring policies and procedures that include, among other things, escalation procedures to quickly inform responsible SCI personnel of potential SCI events) and Rule 1002(c) (requiring dissemination of information regarding SCI events). --------------------------------------------------------------------------- c. Commission Notification--Rule 1002(b) i. Proposed Rule 1000(b)(4) Proposed Rule 1000(b)(4) addressed the Commission notification obligations of an SCI entity upon any responsible SCI personnel becoming aware of an SCI event.\780\ Specifically, proposed Rule 1000(b)(4)(i) required an SCI entity, upon any responsible SCI personnel becoming aware of a systems disruption that the SCI entity reasonably estimated would have a material impact on its operations or on market participants, any systems compliance issue, or any systems intrusion (``immediate notification SCI event''), to notify the Commission of such SCI event, which could be done orally or in writing (e.g., by email). Proposed Rule 1000(b)(4)(ii) required an SCI entity to submit a written notification pertaining to any SCI event to the Commission within 24 hours of any responsible SCI personnel becoming aware of the SCI event. Proposed Rule 1000(b)(4)(iii) required an SCI entity to submit to the Commission continuing written updates on a regular basis, or at such frequency as reasonably requested by a representative of the Commission, until such time as the SCI event was resolved. --------------------------------------------------------------------------- \780\ See proposed Rule 1000(b)(4) and Proposing Release, supra note 13, at Section III.C.3.b. --------------------------------------------------------------------------- Proposed Rule 1000(b)(4)(iv) detailed the types of information that was required for written notifications under proposed Rule 1000(b)(4).\781\ In [[Page 72318]] addition, proposed Rule 1000(b)(4)(iv)(C) required an SCI entity to provide a copy of any information disseminated regarding the SCI event to its members or participants or on the SCI entity's publicly available Web site. --------------------------------------------------------------------------- \781\ Specifically, the SCI Proposal required written notifications and updates to be made electronically and required initial written notifications to include all pertinent information known about an SCI event, including: (1) A detailed description of the SCI event; (2) the SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; (3) the potential impact of the SCI event on the market; and (4) the SCI entity's current assessment of the SCI event, including a discussion of the SCI entity's determination regarding whether the SCI event was a dissemination SCI event or not. In addition, as proposed, to the extent available as of the time of the initial notification, Exhibit 1 to Form SCI would have required inclusion of the following information: (1) A description of the steps the SCI entity was taking, or planned to take, with respect to the SCI event; (2) the time the SCI event was resolved or timeframe within which the SCI event was expected to be resolved; (3) a description of the SCI entity's rule(s) and/or governing documents, as applicable, that related to the SCI event; and (4) an analysis of the parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. See proposed Rule 1000(b)(4)(iv)(A). --------------------------------------------------------------------------- As described below, adopted Rule 1002(b) retains the general framework of proposed Rule 1000(b)(4) for Commission notification of SCI events, but makes several modifications in response to comments. Comments Regarding Commission Notification of SCI Events One commenter generally supported proposed Rule 1000(b)(4), stating that it would enhance transparency and might allow the Commission to see patterns in small, seemingly non-material SCI events that are worthy of attention.\782\ However, many other commenters expressed concerns about proposed Rule 1000(b)(4).\783\ Many of these commenters stated that the scope of proposed Rule 1000(b)(4) was too broad, and that the notification requirement would lead to over-reporting to the Commission.\784\ Commenters also suggested various ways to revise the reporting requirement. For example, several commenters recommended requiring notification to the Commission only for ``material'' or ``significant'' events.\785\ For example, one commenter recommended reporting most SCI events as part of the annual SCI review process, while focusing Commission notification on material SCI events.\786\ Similarly, another commenter suggested that SCI entities should only be required to report information relating to ``impactful'' systems disruptions in an annual report to the Commission rather than in near real time reports.\787\ Another commenter recommended requiring notification only for systems issues that warrant notification to an SCI entity's subscribers or participants.\788\ Some commenters recommended a risk-based approach under which each SCI event would be subject to a risk-based assessment, in which the obligation to notify the Commission would be based on the attendant risk, with only material events requiring notification.\789\ --------------------------------------------------------------------------- \782\ See Lauer Letter at 6. The Commission also notes that, although many other commenters expressed reservations with proposed Rule 1000(b)(4), many of these commenters also expressed their general support for a notification rule that is more limited in scope. See, e.g., ITG Letter at 12 (stating that a reduction in notifications would result in lower costs, reduce the over-reporting of events, and allow the Commission to focus on events that warrant review); and FINRA Letter at 18 (``FINRA fully supports the Commission's goal of ensuring that Commission staff is informed of events that could potentially impact the market''). \783\ See, e.g. NYSE Letter at 21; BATS Letter at 12-13; ITG Letter at 12; FINRA Letter at 16-17; Omgeo Letter at 16; SIFMA Letter at 13; ISE Letter at 6; OCC Letter at 11; and CME Letter at 9. \784\ See, e.g., NYSE Letter at 22; Omgeo Letter at 16; SIFMA Letter at 14; ISE Letter at 6; and OCC Letter at 12. \785\ See, e.g., ITG Letter at 12; CME Letter at 9; DTCC Letter at 8; and Omgeo Letter at 15. \786\ See FIF Letter at 4. \787\ See BATS Letter at 10. \788\ See OTC Markets Letter at 19 (stating that the notification requirement to the Commission should be aligned with the current industry practice of notifying SCI entities' subscribers of material events, explaining that competitive forces motivate entities to promptly notify subscribers about significant issues). \789\ See, e.g., OCC Letter at 13; SIFMA Letter at 13; Omgeo Letter at 1; FINRA Letter at 14; and NYSE Letter at 25. --------------------------------------------------------------------------- Commenters also identified potential problems resulting from a notification requirement that they perceived as too broad. For example, one commenter stated that the notification requirements have the potential to create efficiency issues, delay system remediation, create substantial resource demands, and create instability, which would diminish an SCI entity's ability to be responsive to investors and damage market efficiency.\790\ Similarly, several commenters stated that the proposed Commission notification provision would require SCI entities to divert resources to comply with the requirement which, in turn, would risk delaying resolution of the SCI event that is being reported on.\791\ Other commenters suggested that the proposed rule would result in large volumes of data and reporting, which would present challenges to, and burdens on, SCI entities as well as Commission staff.\792\ One commenter also questioned the extent to which the reported information provided by the notifications would be useful to the Commission.\793\ --------------------------------------------------------------------------- \790\ See UBS Letter at 3. \791\ See Omgeo Letter at 16; MSRB Letter at 19; and OCC Letter at 14. \792\ See SunGard Letter at 5; and Joint SROs Letter at 7. \793\ See NYSE Letter at 22. --------------------------------------------------------------------------- Some commenters focused their comments on the proposal's requirements for Commission reporting of systems intrusions and offered alternative approaches to reporting systems intrusions. One commenter stated that, in order to limit the number of notifications, SCI entities should be required to investigate and keep a record of all systems intrusions that did not cause a material disruption of service, or that were a malicious (but unsuccessful) attempt in gaining unauthorized access to confidential data, and make these records available to the Commission staff if requested.\794\ Another commenter recommended that non-material systems intrusions be recorded within the SCI entity's records.\795\ Another commenter suggested that systems intrusions in a development or testing environment should only be reportable if there is a likelihood that the same issue or vulnerabilities exist in the current production environment and cannot be verified within a certain period, such as, for example, 24 to 48 hours.\796\ In addition, one commenter suggested that, for systems intrusions, rather than impose the Commission notification requirement on SCI entities, the Commission should instead require SCI entities to establish policies and procedures reasonably designed to prevent, detect, and respond to systems intrusions.\797\ --------------------------------------------------------------------------- \794\ See Omgeo Letter at 12. \795\ See DTCC Letter at 8. \796\ See FINRA Letter at 11-12. \797\ See BATS Letter at 12. This commenter believed that the cost of the proposed requirement would outweigh any benefits because the proposed rule would require SCI entities to ``rapidly investigate and report a multitude of minor incidents that regularly occur during the normal course of business.'' Id. --------------------------------------------------------------------------- One commenter stated that the Commission should support the enhancement of the Financial Services Information Sharing and Analysis Center (``FS-ISAC'') \798\ and another commenter suggested that non- material cyber-relevant events be provided to and disseminated through FS-ISAC rather than the Commission.\799\ Some commenters further suggested that certain systems intrusions should be reported to FS- ISAC.\800\ --------------------------------------------------------------------------- \798\ FS-ISAC is a service that gathers information from a multitude of sources related to threat, vulnerability, and risk of cyber and physical security and communicates timely notifications and authoritative information specifically designed to help protect critical systems and assets from physical and cybersecurity threats. See FS-ISAC: Financial Services--Information Sharing and Analysis Center, available at: www.fsisac.com. \799\ See BIDS Letter at 10; and Omgeo Letter at 12. \800\ See SIFMA Letter at 14 (recommending that systems intrusions be reported to FS-ISAC in addition to the Commission); and Omgeo Letter at 12 and 21 (recommending that non-material systems intrusions be reported solely to FS-ISAC). --------------------------------------------------------------------------- Other commenters stated that reporting a systems compliance issue is [[Page 72319]] reporting a legal conclusion, and that requiring an SCI entity to do so would overburden them with extensive technical and legal analysis and potentially expose those entities to Commission sanctions or litigation.\801\ Several commenters expressed concerns regarding the confidentiality of the information provided pursuant to proposed Rule 1000(b)(4), and stated that the such information should be confidential and protected from public disclosure.\802\ One of these commenters requested that the Commission confirm in the final rule that the information will remain confidential.\803\ --------------------------------------------------------------------------- \801\ See OTC Markets Letter at 16. See also NYSE Letter at 16. \802\ See NYSE Letter at 24; Joint SROs Letter at 12; and DTCC Letter at 11. \803\ See DTCC Letter at 11. --------------------------------------------------------------------------- Commenters also raised other general concerns and made suggestions with regard to proposed Rule 1000(b)(4). One commenter argued that the proposed rules could cause SCI entities to release information before all relevant factors are known, which could be counterproductive and harmful.\804\ Another commenter was concerned that SCI entities would be required to provide notification reports multiple times to different Commission staff for the same event.\805\ Another commenter suggested that the proposed requirement is onerous and costly and thus, to realize benefits, the Commission, based on notifications received from SCI entities, should provide regular summary-level feedback that communicates the types, frequency, severity, and impact of market incidents across all reporting entities and other related data on the root cause of problems.\806\ Another commenter suggested that the Commission provide examples, such as publications and reference blueprints, which could be useful to SCI entities as they attempt to understand the types of SCI events that warrant Commission notification.\807\ Finally, some commenters broadly questioned the Commission's legal authority to adopt Regulation SCI as proposed, asserting, among other things that the Commission's proposed notification requirement was beyond its legal authority.\808\ --------------------------------------------------------------------------- \804\ See ITG Letter at 13. \805\ See NYSE Letter at 22. Another commenter suggested that the notification requirement with respect to system disruptions should make clear that multiple notifications are not required if a disruption impacts multiple SCI entities. See FINRA Letter at 22. \806\ See BIDS Letter at 10. \807\ See SunGard Letter at 6. \808\ See NYSE Letter at 4-6; and OTC Markets at 6. See infra notes 833-837 and accompanying text (discussing ``Commission Legal Authority''). --------------------------------------------------------------------------- ii. Rule 1002(b) After careful consideration of the comments on proposed Rule 1000(b)(4), the Commission is adopting Rule 1002(b), with several modifications in response to comments.\809\ --------------------------------------------------------------------------- \809\ Specific comments on proposed Rules 1000(b)(4)(i)-(iii) that are not discussed above are discussed below in conjunction with the Commission's response to those comments. --------------------------------------------------------------------------- Overview The Commission notes that, even without the modifications the Commission is making in adopted Rule 1002(b), the proposed Commission notification rule would require Commission notice of fewer SCI events than as proposed as a result of the adopted definitions of SCI systems, indirect SCI systems, systems disruption, and systems compliance issue, and the revised triggering standard discussed above. In addition, the Commission has determined to refine the scope of the adopted Commission notification requirement by incorporating a risk-based approach that requires SCI entities, for purposes of Commission notification, to divide SCI events into two main categories: SCI events that ``[have] had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity's operations or on market participants'' (``de minimis'' SCI events); and SCI events that are not de minimis SCI events. De minimis SCI events will not be subject to an immediate Commission notification requirement as proposed. Instead, all de minimis SCI events will be subject to recordkeeping requirements, and de minimis systems disruptions and de minimis systems intrusions will be subject to a quarterly reporting obligation, as set forth in adopted Rule 1002(b)(5). For SCI events that are not de minimis, Commission notification will be governed by adopted Rules 1002(a)(1)- (4), which is substantially similar to proposed Rules 1000(b)(4)(ii)- (iv), but relaxed in certain respects in response to comment, as discussed below. Effect of Revised Definitions and Revised Triggering Standard on Commission Notification Requirement The Commission believes that the revisions made to a number of definitions already focus the scope of the Commission notification requirement in adopted Rule 1002(b) from the SCI Proposal. For example, elimination of member regulation and member surveillance systems from the adopted definition of SCI systems will substantially reduce the potential number of SCI events that would be subject to Commission notification under the proposal.\810\ Likewise, systems problems that would otherwise meet the definition of SCI event do not meet the definition of an SCI event if they occur in the development or testing environment.\811\ In addition, the Commission believes that the revised definition of ``systems disruption'' and ``systems compliance issue'' also will result in fewer systems issues being identified as SCI events.\812\ In tandem with the revised definitions, the Commission also believes that the revised triggering standard for notification of SCI events, which affords an SCI entity time to evaluate whether a potential SCI event is an actual SCI event, will also result in fewer SCI events being subject to the requirements of Rules 1002(b)(1)- (4).\813\ The Commission believes that these changes respond to comments that proposed Rule 1000(b)(4) was overbroad and overly burdensome for SCI entities.\814\ --------------------------------------------------------------------------- \810\ See supra Section IV.A.2.b (discussing the definition of ``SCI systems''). \811\ See supra note 796 and accompanying text. See also supra Section IV.A.2.b (discussing the definition of ``SCI systems''). According to one commenter who supported excluding non-market systems from the definition of SCI systems and the notification and dissemination requirements, applying the reporting requirements to non-market systems ``would significantly increase the volume of the reports the Commission receives.'' FINRA Letter at 10. (``If the definition of SCI systems is broadly construed to apply to non- market regulatory and surveillance systems, approximately 111 FINRA systems could be subject to Regulation SCI.'') FINRA Letter at 7. \812\ See supra Section IV.A.3 (discussing the definition of ``SCI event,'' ``systems disruption,'' and ``systems compliance issue''). \813\ See supra Section IV.B.3.a (discussing the definition of ``responsible SCI personnel'') and Section IV.B.3.a (discussing the triggering standard). \814\ See supra note 784 and accompanying text. See also Section VI (discussing comments regarding the burdens associated with proposed Rule 1000(b)(4)). --------------------------------------------------------------------------- Exclusion of De Minimis SCI Events From Immediate Notification Requirements: Adopted Rule 1002(b)(5) Adopted Rule 1002(b)(5) states that the requirements of Rules 1002(b)(1)-(4) do not apply to any SCI event that has had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity's operations or on market participants. For such de minimis events, Rule 1002(b)(5) requires that an SCI entity: (i) Make, keep, and preserve records relating to all such SCI events; and (ii) submit to the Commission a report, within 30 calendar days after the end of each calendar quarter, containing a summary description of such systems [[Page 72320]] disruptions and systems intrusions, including the SCI systems and, for systems intrusions, indirect SCI systems, affected by such systems disruptions and systems intrusions during the applicable calendar quarter. The Commission believes that this exception will result in a less burdensome reporting framework for de minimis SCI events than for other SCI events, and therefore responds to comment that the proposed reporting framework was too burdensome. The Commission believes that the quarterly reporting of de minimis systems disruptions and de minimis systems intrusions will reduce the frequency and volume of SCI event notices submitted to the Commission and also will allow both the SCI entity and its personnel, as well as the Commission and its staff, to focus their attention and resources on other, more significant SCI events. Consistent with taking a risk-based approach in other aspects of Regulation SCI, the Commission believes this modification from the SCI Proposal will result in more focused Commission monitoring of SCI events than if this aspect of the SCI Proposal was adopted without modification. Further, by reducing the number of SCI event notices provided to the Commission on an immediate basis as compared to the SCI Proposal, the adopted rule should also impose lower compliance costs and fewer burdens than if this aspect of the SCI Proposal was adopted without modification. However, the Commission has determined not to incorporate a materiality threshold as requested by some commenters,\815\ to limit the Commission reporting requirements to those events that are considered by SCI entities to be truly disruptive to the markets, as suggested by other commenters,\816\ or to limit the Commission reporting requirement only to those events that warrant notification to an SCI entity's subscribers or participants, as suggested by still other commenters.\817\ The Commission has made this determination because while there may be SCI events with little apparent impact on an SCI entity's operations or on market participants and the burden on an SCI entity to provide immediate notice to the Commission every time such an event occurs may not justify the benefit of providing such notice to the Commission on an immediate basis, the Commission does not believe that such de minimis events are irrelevant or that the Commission should never be made aware of them. To fulfill its oversight role, the Commission believes that the Commission and its staff should regularly be made aware of de minimis systems disruptions and de minimis systems intrusions and should have ready access to records regarding de minimis systems compliance issues that SCI entities are facing and addressing because, as the regulator of the U.S. securities markets, it is important that the Commission and its staff have access to information regarding all SCI events (including de minimis SCI events) and their impact on the technology systems and systems compliance of SCI entities, which may also provide useful insights into learning about indications of more impactful SCI events. The Commission has, however, determined to distinguish the timing of its receipt of information regarding SCI events based on their impact: those SCI events that an SCI entity reasonably estimates to have a greater impact are subject to ``immediate'' notification upon responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred; and those SCI events that an SCI entity reasonably estimates to have no or a de minimis impact are subject to recordkeeping obligations, and for de minimis systems disruptions and de minimis systems intrusions, a quarterly summary notification. Despite commenters' arguments to the contrary that de minimis SCI events do not warrant the Commission's and its staff's attention, the Commission believes that quarterly reporting of de minimis systems disruptions and de minimis systems intrusions and review of records regarding de minimis systems compliance issues is beneficial to the Commission and its staff in understanding SCI entity systems operations at the level of the individual SCI entity, as well as across the spectrum of SCI entities, and to monitor compliance with the Exchange Act and rules thereunder. The Commission notes that, while it is not requiring that de minimis systems compliance issues be submitted to the Commission in quarterly reports, Commission staff may request records relating to such de minimis systems compliance issues as necessary. The Commission encourages and does not intend to inhibit an evaluation by SCI entities of systems compliance issues, including de minimis systems compliance issues, which may inherently involve legal analysis. --------------------------------------------------------------------------- \815\ See, e.g., supra note 785 and accompanying text. \816\ See, e.g., supra notes 785-787. \817\ See supra note 788. --------------------------------------------------------------------------- As noted, some commenters focused specifically on systems intrusions, urging the Commission to modify or significantly reduce the instances in which notice of systems intrusions would be required,\818\ or provide that non-material systems intrusions not be reported at all, and only be recorded by the SCI entity.\819\ The Commission believes that the recordkeeping and quarterly reporting requirement for de minimis systems intrusions described in Rule 1002(b)(5) is partially responsive to these comments, but also believes that notice of intrusions in SCI systems and indirect SCI systems is important to allow the Commission and its staff to detect patterns or understand trends in the types of systems intrusions that may be occurring at multiple SCI entities. However, as compared to what would have been required if the SCI Proposal was adopted without modification, the Commission expects that the exception from the immediate reporting requirement provided for de minimis SCI events under Rule 1002(b)(5) will result in a much lower number of systems intrusions that SCI entities will be required to immediately report to the Commission than commenters believed,\820\ and will achieve this result without compromising the Commission's interest in receiving more timely notification of impactful SCI events. --------------------------------------------------------------------------- \818\ See supra notes 794-797 and accompanying text. \819\ See supra notes 794-795 and accompanying text. \820\ See, e.g., supra note 794 and accompanying text (discussing a commenter's suggestion to limit the number of notifications by requiring recordkeeping of all systems intrusions that did not cause a material disruption of service or that were a malicious (but unsuccessful) attempt in gaining unauthorized access to confidential data). --------------------------------------------------------------------------- In addition, some commenters suggested that certain types of systems intrusions or non-material SCI events be reported exclusively to FS-ISAC or to both the Commission and FS-ISAC, and some advocated that the Commission support the enhancement of FS-ISAC.\821\ The Commission believes that FS-ISAC, and other information sharing services play an important role in assisting SCI entities and other entities with respect to security issues. Consistent with views shared by several members of the third panel at the Cybersecurity Roundtable, to the extent SCI entities determine that such information sharing services are useful, the Commission encourages SCI entities to cooperate with and share information relating to information security threats and related issues with such entities to [[Page 72321]] further enhance their utility.\822\ At the same time, for the reasons discussed above,\823\ the Commission believes that it is important that the Commission directly receive information regarding systems intrusions from SCI entities, through immediate notifications or quarterly reports, as applicable. --------------------------------------------------------------------------- \821\ See supra notes 799-800 and accompanying text. \822\ See supra notes 39-40 and accompanying text. During the Cybersecurity Roundtable, panelists referenced other services that they believed useful to SROs, including the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security (FSSCC), the Clearing House and Exchange Forum (CHEF), and the Worldwide Federation of Exchange's recently established Global Exchanges Cyber Security Working Group (GLEX). See supra note 39. \823\ See supra notes 904-906 and accompanying text. --------------------------------------------------------------------------- In response to comments that recordkeeping of non-material SCI events would be more appropriate than reporting, the Commission believes that quarterly reporting of de minimis systems disruptions and de minimis systems intrusions will better achieve the goal of keeping Commission staff informed regarding the nature and frequency of SCI events that arise but are reasonably estimated by the SCI entity to have a de minimis impact on the entity's operations or on market participants. Importantly, submission and review of regular reports will facilitate Commission staff comparisons among SCI entities and thereby permit the Commission and its staff to have a more holistic view of the types of systems operations challenges that were posed to SCI entities in the aggregate. With regard to de minimis systems compliance issues, however, the Commission believes the goals of Regulation SCI can be achieved through the SCI entity's obligation to keep, and provide to representatives of the Commission upon request, records of such de minimis systems compliance issues. The Commission believes that systems compliance issues generally are more specific to a particular entity's systems and rules and less likely, as compared to systems disruptions and systems intrusions, to raise market-wide issues that could affect several SCI entities. Accordingly, information on such events are less likely to provide valuable insight into trends and risks across the industry and, therefore, the Commission believes that the benefits of receiving quarterly reports on such de minimis systems compliance issues would be less relative to de minimis systems disruptions and de minimis systems intrusions. Further, the Commission notes that, based on Commission staff's experience with notifications of compliance-related issues at SROs, the Commission believes that SCI entities will experience a relatively small number of systems compliance issues each year, and thus, its regular examinations of SCI entities will provide an adequate mechanism for reviewing and addressing de minimis systems compliance issues affecting SCI entities. As noted above, Commission staff may request records relating to such de minimis systems compliance issues as necessary. In response to the concerns raised by one commenter that the notification requirements have the potential to create efficiency issues, delay system remediation, create substantial resource demands, and create instability, the Commission believes that these concerns have been mitigated by the numerous changes made from the proposal, such as the adoption of a quarterly reporting framework for de minimis systems disruptions and de minimis systems intrusions and revised definitions of the terms SCI systems, indirect SCI systems, systems disruption, and systems compliance issue, in addition to the reduction in the obligations SCI entities have with respect to reporting requirements.\824\ In addition, ARP entities today are able to regularly notify the Commission of systems related issues, such as systems outages, and the Commission therefore believes that the notification requirements will not require a majority of SCI entities to develop policies and procedures that are incongruous with their current practice. Moreover, the Commission believes that providing SCI entities with 30 days after the end of each quarter is adequate time for an SCI entity to prepare its report without unduly diverting SCI entity resources away from focusing on SCI events occurring in real time.\825\ --------------------------------------------------------------------------- \824\ See supra note 790. \825\ See supra notes 791-793 and accompanying text. --------------------------------------------------------------------------- The Commission believes that requiring SCI entities to report de minimis systems disruptions and de minimis systems intrusions quarterly balances the interest of SCI entities in having a limited reporting burden for such types of events with the Commission's interest in oversight of the information technology programs and systems compliance of SCI entities.\826\ Similarly, the Commission believes that requiring recordkeeping of de minimis systems compliance issues allows the Commission to adequately monitor compliance with the Exchange Act and rules thereunder, while reducing the burdens on SCI entities with regard to providing information to the Commission on such de minimis systems compliance issues. Accordingly, the Commission has determined to exclude certain SCI events from the immediate Commission reporting requirements, subject to certain recordkeeping and reporting requirement for such events, as applicable.\827\ --------------------------------------------------------------------------- \826\ The Commission notes an SCI entity should be prepared for the possibility that Commission staff may, whether upon request pursuant to Rule 1002(b)(3), Rule 1005(b)(3), or Rule 1007 or during an examination of its compliance with Regulation SCI, include a review of the entity's classification of SCI events as de minimis SCI events under Rule 1002(b). \827\ While the facts and circumstances surrounding a particular SCI event will ultimately determine the severity of a given event, including whether the event is reasonably estimated to be a de minimis event, a wide range of factors may be relevant to an SCI entity in making such a determination. For example, such factors could include, but are not limited to: whether critical SCI systems are impacted; the duration of the SCI event; whether there is a loss of redundancy (that negatively impacts, for example, a source of power, telecommunications, or other key service); whether an alternate trading system is available following a trading system disruption; the size of the affected market trading volume; whether the processes for trade completion or clearance and settlement are adversely impacted; whether settlement is completed on time; whether an event is resolved prior to the market's open; whether a post- trade event is resolved before the market closes; whether a failover, despite being successful, results in a given system operating without a backup; and the number of securities symbols that are adversely affected. --------------------------------------------------------------------------- As described above, the de minimis exception from the immediate Commission notification requirements applies to systems compliance issues as well as systems disruptions and systems intrusions. The Commission believes that this approach strikes a balance that will help focus the Commission's and SCI entities' resources on those systems compliance issues with more significant impacts. Even if an SCI entity determines that the impact of the systems compliance issue is none or negligible, however, the Commission believes that it should have ready access to records regarding such systems compliance issues, and notes that Rule 1002 requires that an SCI entity take corrective action with respect to all SCI events, including de minimis systems compliance issues.\828\ --------------------------------------------------------------------------- \828\ See infra note 829 and accompanying text. --------------------------------------------------------------------------- The Commission recognizes that in many cases, the discovery of a potential systems compliance issue may be of a different nature than the discovery of potential systems disruptions or systems intrusions, as the latter types of events often have an immediately apparent and negative impact on the operations of a given system of the SCI entity. In contrast, in many instances, a systems compliance issue may require the involvement of various personnel [[Page 72322]] (potentially including compliance and/or legal personnel) and a period of time may be required to afford such personnel the chance to perform a preliminary legal analysis to analyze whether a systems compliance issue had, in fact, occurred. Because Rule 1002(b)(1) only requires notification to the Commission when responsible SCI personnel have a ``reasonable basis to conclude'' that a non-de minimis SCI event has occurred, the Commission believes it is appropriate for an SCI entity to notify the Commission of a non-de minimis systems compliance issue after it has conducted such a preliminary legal analysis, unless the nature of the issue makes it readily identifiable as a systems compliance issue.\829\ Further, if an SCI entity determines that a systems compliance issue is de minimis, such event will not be required to be reported immediately to the Commission, but rather the SCI entity will be required to keep, and provide to representatives of the Commission upon request, records of such de minimis systems compliance issue. Thus, the Commission believes that, as adopted, the requirements with respect to systems compliance issues are reasonable because SCI entities are afforded flexibility to assess and understand potential SCI events and are not required to notify the Commission prior to forming a reasonable basis to conclude that an SCI event has occurred. The Commissions also believes that, as part of its oversight of the securities markets, it should have access to information regarding de minimis systems compliance issues when requested. And, although some commenters expressed concern that a systems compliance issue is a legal conclusion that requires time to analyze and could possibly expose the entity to liability if reported,\830\ as discussed above, the Commission believes these concerns will be mitigated by the revised triggering standard for the obligations in Rule 1002.\831\ However, while commenters are correct that the occurrence of a systems compliance issue may expose an SCI entity to liability,\832\ the occurrence of an SCI event will not necessarily cause a violation of Regulation SCI. Further, the occurrence of a systems compliance issue also does not necessarily mean that the SCI entity will be subject to an enforcement action. Rather, the Commission will exercise its discretion to initiate an enforcement action if the Commission determines that action is warranted, based on the particular facts and circumstances of an individual situation. --------------------------------------------------------------------------- \829\ At the same time, the Commission cautions SCI entities against unnecessarily delaying Commission notifications of SCI events, including systems compliance issues. The Commission notes that the notification requirement is triggered when responsible SCI personnel have a reasonable basis to conclude that an SCI event has occurred and not, for example, when responsible SCI personnel have definitively concluded that an SCI event has occurred. As discussed above, the Commission does not believe it is appropriate for an SCI entity to delay notifying its regulator of a systems compliance issue once the SCI entity has a reasonable basis to conclude there is one. See supra note 828 and accompanying text. \830\ See OTC Markets Letter at 16; and NYSE Letter at 16. \831\ See supra Section IV.B.3.a (discussing the triggering standard). \832\ If an SRO fails to, among other things, comply with the provisions of the Exchange Act, the rules or regulations thereunder, or its own rules, the Commission is authorized to impose sanctions. See 15 U.S.C. 78s(g). --------------------------------------------------------------------------- Commission Legal Authority As noted above, some commenters broadly questioned the Commission's legal authority to adopt certain provisions of Regulation SCI as proposed, including those relating to Commission notification of SCI events, as well as Commission notification of material systems changes.\833\ Section 11A(a)(2) of the Exchange Act directs the Commission, having due regard for the public interest, the protection of investors, and the maintenance of fair and orderly markets, to use its authority under the Exchange Act to facilitate the establishment of a national market system for securities in accordance with the Congressional findings and objectives set forth in Section 11A(a)(1) of the Exchange Act. Among the findings and objectives in Section 11A(a)(1) is that ``[n]ew data processing and communications techniques create the opportunity for more efficient and effective market operations'' and ``[i]t is in the public interest and appropriate for the protection of investors and the maintenance of fair and orderly markets to assure . . . the economically efficient execution of securities transactions.'' In addition, Sections 6(b), 15A, and 17A(b)(3) of the Exchange Act impose obligations on national securities exchanges, national securities associations, and clearing agencies, respectively, to be ``so organized'' and ``[have] the capacity to . . . carry out the purposes of [the Exchange Act].'' --------------------------------------------------------------------------- \833\ See supra note 808 and accompanying text. See infra note 1268 (noting comments relating to the Commission's legal authority for the proposed access provision, which the Commission has determined not to adopt in its final rules because the Commission can adequately assess an SCI entity's compliance with Regulation SCI through existing recordkeeping requirements and examination authority, as well as through the new recordkeeping requirement in Rule 1005 of Regulation SCI). --------------------------------------------------------------------------- Consistent with this statutory authority, the Commission is adopting Regulation SCI to require, among other things, that SCI entities: (1) Provide certain notices and reports to the Commission to improve Commission oversight of securities market infrastructure; and (2) have comprehensive policies and procedures in place to help ensure the robustness and resiliency of their technological systems, and also that their technological systems operate in compliance with the Exchange Act, rules thereunder, and with their own rules and governing documents. These requirements are important to furthering the directives in Section 11A(a)(2) of the Exchange Act that the Commission, having due regard for the public interest, the protection of investors, and the maintenance of fair and orderly markets, facilitate the establishment of a national market system for securities in accordance with the Congressional findings and objectives set forth in Section 11A(a)(1) of the Exchange Act, including the economically efficient execution of securities transactions. As discussed in Section I, the U.S. securities markets have been transformed in recent years by technological advancements that have enhanced the speed, capacity, efficiency, and sophistication of the trading functions that are available to market participants. Central to these technological advancements have been changes in the automated systems that route and execute orders, disseminate quotes, clear and settle trades, and transmit market data. At the same time, however, these technological advances have generated an increasing risk of operational problems with automated systems, including failures, disruptions, delays, and intrusions. Accordingly, in today's securities markets, properly functioning technology is central to the maintenance of fair and orderly markets, the national market system, and the efficient and effective market operations and the execution of securities transactions. While the Commission's ARP Inspection Program has been active in this area, the Commission has not adopted rules specific to these matters. The Commission believes that the adoption of Regulation SCI, with the modifications from the SCI Proposal as discussed above, and compliance with the regulation by SCI entities, will further the goals of the national market system. It will help to ensure the capacity, integrity, resiliency, availability, and security of the automated systems of entities important [[Page 72323]] to the functioning of the U.S. securities markets, as well as reinforce the requirement that such systems operate in compliance with the Exchange Act and rules and regulations thereunder, thus strengthening the infrastructure of the U.S. securities markets and improving its resilience when technological issues arise. In addition, Regulation SCI establishes an updated and formalized regulatory framework, thereby helping to ensure more effective Commission oversight of these systems whose proper functioning is central to the maintenance of fair and orderly markets and for the continued operation of the national market system. For these reasons, the Commission disagrees with the comments questioning the Commission's legal authority to adopt Regulation SCI. More specifically, the Commission disagrees with comment regarding its legal authority under Rule 1002(b) related to Commission notification of SCI events. As discussed above, having immediate notice and continuing updates of non-de minimis SCI events, quarterly reports related to de minimis systems disruptions and de minimis systems intrusions, and recordkeeping requirements for de minimis SCI events, directly enables the Commission to have more effective oversight of the systems whose proper functioning is central to the maintenance of fair and orderly markets and for the continued operation of the national market system. In this respect, Rule 1002(b) is integral to furthering the statutory purposes of Section 11A of the Act under which the Commission is directed to act. Moreover, the Commission underscores that the adopted Commission notification provisions would require immediate Commission notice of fewer SCI events than as proposed because the adopted definitions of SCI systems, indirect SCI systems, systems disruption, and systems compliance issue have been refined from the proposal, and de minimis SCI events are not subject to immediate notice. Some commenters also questioned the Commission's legal authority to require Commission notification of material systems changes.\834\ As discussed in more detail below, the material systems change reports are intended to make the Commission and its staff aware of significant systems changes at SCI entities, and thereby improve Commission oversight of U.S. securities market infrastructure, which directly furthers the findings and objectives set forth in Section 11A(a)(1) of the Exchange Act.\835\ The Commission believes that the adopted material systems change notification requirement will allow the Commission to more efficiently and effectively participate in discussions with SCI entities when systems issues occur and will allow Commission staff to effectively prepare for inspections and examinations of SCI entities. Moreover, Rule 1003(a), as adopted, differs significantly from the proposed requirements as it no longer requires 30-day advance notification, but rather requires quarterly reports of material systems changes. As such, the requirement is designed not to result in ``close, minute regulation of computer systems and computer security.'' \836\ Additionally, the Commission notes that Regulation SCI does not provide for a new review or approval process for SCI entities' material systems changes.\837\ --------------------------------------------------------------------------- \834\ See infra note 1046 and accompanying text. \835\ See infra Section IV.B.4 (discussing the requirement to notify the Commission of material systems changes). \836\ See infra note 1046. \837\ As noted below in Section IV.B.4, Commission staff will not use material systems change reports to require any approval of prospective systems changes in advance of their implementation pursuant to any provision of Regulation SCI, or to delay implementation of material systems changes pursuant to any provision of Regulation SCI. --------------------------------------------------------------------------- Immediate Commission Notification--Proposed Rule 1000(b)(4)(i) Commenters also specifically discussed proposed Rule 1000(b)(4)(i) regarding reporting to the Commission on immediate notification SCI events. One commenter stated that it generally supported the immediate notification requirement of proposed Rule 1000(b)(4)(i) in the case of material SCI events,\838\ but other commenters were critical.\839\ For example, some commenters stated that the Commission should adopt a materiality threshold which would only require an SCI entity to immediately report material SCI events.\840\ Similarly, one group of commenters suggested a tiered method that would reserve immediate notification to the Commission for truly critical events ``where the Commission's input would contribute to an expedient resolution,'' while requiring SCI entities to have written policies and procedures that focus the SCI entity's attention primarily on taking corrective measures during an SCI event and maintaining records to provide information to the Commission and members and participants as appropriate.\841\ Two commenters suggested that different reporting standards should apply to different types of systems, suggesting, for example, that immediate notification should be required only for higher priority systems.\842\ --------------------------------------------------------------------------- \838\ See MSRB Letter at 18. \839\ See, e.g., NYSE Letter at 22. \840\ See SIFMA Letter at 13; FIF Letter at 4; ITG Letter at 12; NYSE Letter at 23; FINRA Letter at 10, 22; and OCC Letter at 13. One commenter stated that, in considering factors that would determine whether or not an SCI event is material, the Commission should consider the overall market disruption caused by the SCI event, the length of the event, the financial impact of the event, and the inability to meet core regulatory obligations regarding order handling and execution activities. See ITG Letter at 13. Similarly, two commenters stated that, with respect to systems compliance issues or systems intrusions, immediate notification SCI events should be limited to systems compliance issues or systems intrusions that the SCI entity reasonably estimates would have a material impact on its operations or on market participants. See MSRB Letter at 18; and Omgeo Letter at 15. Further, in the case of intrusions, one commenter stated that notifications could also include intrusions that would cause a malicious unauthorized access to confidential data, but recommended that other types of intrusions be subject to recordkeeping. See Omgeo Letter at 15. One group of commenters supported implementing a materiality threshold for systems compliance issues, which it stated should be based on factors such as the number of members affected, financial impact and operation impact, and these guidelines should be articulated in the SCI entities' policies and procedures. See Joint SROs Letter at 9. \841\ See Joint SROs Letter at 10. \842\ See FINRA Letter at 22 (suggesting, for example, that immediate Commission notification should not be required for SCI events that occur in systems that do not provide real-time data to the market); and SIFMA Letter at 13 (stating that that lower priority systems should only be reported on an aggregate and periodic basis). --------------------------------------------------------------------------- One commenter questioned the adequacy of the Commission's asserted basis and purpose for requiring notification for the vast majority of SCI events.\843\ In this commenter's view, the Commission's asserted rationale for the Commission notification requirement \844\ would only support requiring immediate notification for a limited number of SCI events, where the Commission's involvement is necessary.\845\ For other SCI events, in which the Commission would only be gathering and analyzing submitted information, the commenter stated that the Commission's rationale for requiring immediate notification is insufficient.\846\ --------------------------------------------------------------------------- \843\ See NYSE Letter at 21-22. \844\ See Proposing Release, supra note 13, at 18119. \845\ See NYSE Letter at 22; see also Joint SROs Letter at 10. \846\ See NYSE Letter at 22. --------------------------------------------------------------------------- Some commenters addressed the use of the term ``immediately'' in the proposed rule. One commenter characterized the proposed immediate reporting requirements as rigid, and questioned why reporting could not occur ``promptly'' with follow-up as reasonably requested by the Commission staff.\847\ Another commenter stated that immediate notification is unrealistic and predicted [[Page 72324]] that it could trigger an innumerable amount of false alarms.\848\ --------------------------------------------------------------------------- \847\ See BATS Letter at 12. \848\ See Direct Edge Letter 8. --------------------------------------------------------------------------- Other commenters addressed SCI events that occur outside of normal business hours. Two commenters believed that an SCI entity should not be required to notify the Commission of an SCI event outside of normal business hours.\849\ Other commenters stated that material events should require immediate notification to the Commission, but all other types of events should be reported by the next business day.\850\ --------------------------------------------------------------------------- \849\ See FINRA Letter at 21; and BATS Letter at 12. FINRA also stated that an SCI entity should have one full business day to report an SCI event. \850\ See, e.g., DTCC Letter at 9 (stating that, outside of normal business hours, an SCI entity should only be required to notify the Commission of the most critical events; i.e., those with the potential to impact the core functions and critical operations of the SCI entity); and OCC Letter at 14 (stating that when an event is material because it could have a market-wide impact or impact the core functions of an SCI entity, immediate notification should be required even outside of normal business hours, but all other SCI events should be reported no later than the next business day). --------------------------------------------------------------------------- One commenter stated that immediate notification of an SCI event may be difficult where an SCI entity uses a third party to operate its systems, and therefore believed that an SCI entity should not be responsible for reporting an SCI event caused by a third party unless there is a material impact to the market or the SCI entity's ability to meet its service level agreements.\851\ This commenter stated that the rule should permit SCI entities flexibility on how to address third party issues and requested further guidance from the Commission in this area.\852\ --------------------------------------------------------------------------- \851\ See FINRA Letter at 22; see also supra Section IV.A.2.b (discussing the definition of ``SCI systems'' as it relates to third parties). \852\ See FINRA Letter at 22. --------------------------------------------------------------------------- Immediate Notification of SCI Events: Adopted Rule 1002(b)(1) Adopted Rule 1002(b)(1) requires each SCI entity to notify the Commission of an SCI event immediately upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred (unless it is a de minimis SCI event). Such notification may be provided orally (e.g., by telephone) or in writing (e.g., by email or on Form SCI). Although many commenters were critical of the immediate notification provision, Rule 1002(b)(1) substantially retains the requirements of proposed Rule 1000(b)(4)(i), but is modified in certain respects in response to comments. The Commission has considered the views of commenters who stated that the Commission should require immediate notification only for material SCI events, or when Commission involvement would contribute to an expedient resolution.\853\ Given the Commission's oversight responsibilities over SCI entities and the U.S. securities market generally, the notification rule is not intended to be limited to instances in which SCI entities might believe that it would be useful for the Commission to provide input. SCI event notifications also serve the function of providing the Commission and its staff with information about the potential impact of an SCI event on the securities markets and market participants more broadly, which potential impacts may not be readily apparent or important to the SCI entity reporting such an event. Moreover, the Commission believes that there will be instances in which an SCI entity will not know the significance of an SCI event at the time of the occurrence of an event, or whether such event (or, potentially, the aggregated impact of several SCI events occurring, for example, across many SCI entities) will warrant the Commission's input or merit the Commission's awareness, nor does the Commission believe it should be solely within an SCI entity's discretion to make such a determination. And SCI entities retain the flexibility to revise their initial assessments should they subsequently determine that the event in question was incorrectly initially assessed to be a de minimis event (or incorrectly initially assessed to not be a de minimis event). Consequently, the Commission does not agree with commenters who stated that only material SCI events should be reported to the Commission immediately.\854\ --------------------------------------------------------------------------- \853\ See supra notes 838-846 and accompanying text. \854\ See, e.g., supra note 842 and accompanying text. --------------------------------------------------------------------------- The Commission has also considered comments that the term ``immediately'' as used in proposed Rule 1000(b)(4) is rigid and unrealistic.\855\ The Commission, in adopting Rule 1002(b), has retained the requirement that SCI entities must notify the Commission immediately; however, as discussed in detail above,\856\ the triggering standard has been modified so that the notification obligations of Rule 1002(b) are triggered only upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred. The Commission believes this modification responds to commenters concerns that the ``immediate'' reporting requirement is too rigid or would pose practical difficulties, as it allows additional time for escalation to senior SCI entity personnel and for the performance of preliminary analysis and assessment regarding whether an SCI event has, in fact, occurred before requiring notification to the Commission. As such, the Commission believes that the immediate notification requirement of Rule 1002(b)(1) will not unduly cause ``false alarms,'' as one commenter stated.\857\ At the same time, the Commission believes that the immediate notification requirement, as adopted, will help ensure that the Commission and its staff are kept apprised of SCI events after they occur, and as their impact unfolds and is mitigated and, ultimately, as the SCI entity engages in corrective action to resolve the SCI events. Additionally, the Commission notes that immediate notifications made pursuant to Rule 1002(b)(1) may be made orally (e.g., by telephone) or in a written form (e.g., by email or on Form SCI).\858\ The Commission notes that, by not prescribing the precise method of communication for an immediate notification, SCI entities are afforded the flexibility to determine the most effective and efficient method to communicate with the Commission. --------------------------------------------------------------------------- \855\ See supra note 847 and accompanying text. \856\ See supra Section IV.B.3.a (discussing the triggering standard). \857\ See supra note 848 and accompanying text. The Commission notes that, if an SCI entity at some point after submitting an immediate notification concludes after further investigation and analysis that it was incorrect in its initial determination that an SCI event had occurred, the SCI entity should alert the Commission of its updated assessment pursuant to Rule 1002(b)(3). Relatedly, Rule 1002(b) is designed to provide SCI entities flexibility in notifying the Commission of the details regarding an SCI event (for example, through the ability to provide the Rule 1002(b)(2) written notification on a good faith, best efforts basis) and time to assess and analyze the SCI event (for example, by requiring that the Rule 1002(b)(2) written notification only provide a description of the SCI event, including the system(s) affected, and with additional information only required to the extent available at that time). \858\ The Commission notes that, prior to the compliance date of Regulation SCI, Commission staff intends to notify SCI entities of the email addresses, phone numbers, and contact persons that SCI entities should use when notifying the Commission of SCI events under Rule 1002(b). --------------------------------------------------------------------------- The Commission has also considered comments that immediate notification should not be required outside of normal business hours, or that it should only be required outside of normal business hours in the case of material SCI events.\859\ The Commission notes that the adopted rule will afford SCI entities considerable flexibility in how to communicate an immediate notification to the Commission--that is, SCI entities may satisfy the immediate [[Page 72325]] notification requirement simply by communicating with the Commission via telephone or email. In addition, because an SCI entity's obligation to report to the Commission is not triggered until responsible SCI personnel has a reasonable basis to conclude that an SCI event has occurred,\860\ the Commission does not believe that timely notification, even outside of normal business, is so onerous that it necessitates allowing a full business day to comply. Particularly because it has determined to exclude de minimis SCI events from the immediate notification requirement, the Commission believes that it is reasonable to require that an SCI event (except those specified in Rule 1002(b)(5)) be reported to the Commission orally (e.g., by telephone) or in writing (e.g., by email or on Form SCI) when responsible SCI personnel have a reasonable basis to conclude that an SCI event has occurred, even if such communication may be outside of normal business hours. Because the rule provides flexibility to more easily enable communication--by permitting oral notification--of the fact of an SCI event to the Commission, and because only non-de minimis SCI events are subject to this requirement, the Commission believes notice to the Commission is appropriate sooner rather than later. In addition, as discussed above, the Commission believes that there may be situations where the severity of an SCI event may not be immediately apparent to an SCI entity experiencing the event, but the Commission, from its unique position, may determine as a result of receiving multiple immediate notifications, each related to an SCI event of a similar nature, that the SCI event is part of a pattern of a larger, more significant occurrence. The Commission is therefore adopting Rule 1002(b) to require that an SCI entity notify the Commission of an SCI event immediately upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, without an exception for periods outside of normal business hours. --------------------------------------------------------------------------- \859\ See, e.g., supra notes 849 and 794-797 and accompanying text. \860\ See supra Section IV.B.3.a (discussing the triggering standard). --------------------------------------------------------------------------- In addition, as noted above, the information submitted to the Commission pursuant to Regulation SCI will be treated as confidential, subject to applicable law \861\ and, as noted in Sections IV.B.1.b.i and IV.B.2.a, the occurrence of an SCI event does not necessarily mean that an SCI entity has violated Regulation SCI. --------------------------------------------------------------------------- \861\ See supra note 674. --------------------------------------------------------------------------- The Commission disagrees with the commenter who stated that the Commission should not require SCI entities to be responsible for reporting an SCI event caused by a third party because immediate notification would be difficult.\862\ An SCI event, whether or not caused by a third party system, by definition relates to an SCI system or indirect SCI system. As explained in Section IV.A.2 above (discussing the definitions of ``SCI systems'' and ``indirect SCI systems''), the Commission has adopted the definition of SCI systems to include, specifically, those systems of SCI entities that would be reasonably likely to impact the protection of investors and the maintenance of fair and orderly markets and an SCI entity's operational capability, and has not excluded third party systems from the definition. As stated above, if an SCI entity is uncertain of its ability to manage a third-party relationship to satisfy the requirements of Regulation SCI, then it would need to reassess its decision to outsource the applicable system to such third party.\863\ --------------------------------------------------------------------------- \862\ See supra notes 851-852 and accompanying text. \863\ See supra note 260 and accompanying text. --------------------------------------------------------------------------- In response to comment that SCI entities would be required to provide notification reports multiple times to different Commission staff for the same event,\864\ the Commission notes that rule does not include such a requirement. In addition, the Commission also disagrees with the commenter who stated that, for systems disruptions, notifications should not be required from each separate entity where a disruption impacts multiple SCI entities.\865\ Excusing immediate notification where a given event seems to be affecting multiple SCI entities would not be appropriate because the Commission, as the centralized receiver of notifications, will be the entity that will be in a position to determine whether, in fact, SCI entities are concurrently experiencing the same SCI event. Moreover, even if a given event affects multiple SCI entities, it may be the case that the event impacts each SCI entity and the affected systems in a different manner, and thus the Commission believes it is important to receive individual notifications from each affected SCI entity. --------------------------------------------------------------------------- \864\ See, e.g., supra note 805 and accompanying text. \865\ See, e.g., id. --------------------------------------------------------------------------- Written Commission Notification: Proposed Rule 1000(b)(4)(ii) Commenters also specifically discussed and suggested alternatives to proposed Rule 1000(b)(4)(ii), which would have required an SCI entity, within 24 hours of any responsible SCI personnel becoming aware of any SCI event, to submit a written notification pertaining to such SCI event to the Commission. Many commenters stated that the proposed 24-hour time frame was too short or burdensome.\866\ Several commenters specifically suggested that the Commission extend the time frame to allow SCI entities to attend to the SCI event without also devoting resources to notifying the Commission, suggesting different time frames they believed to be appropriate.\867\ One commenter suggested that SCI entities be given until 24 to 48 hours after final resolution of the SCI event to submit a written notification.\868\ Another commenter similarly recommended that, where real-time notification is needed, written notification should not be required unless an SCI event remains unresolved after a reasonable period (such as 10 or 15 days).\869\ --------------------------------------------------------------------------- \866\ See NYSE Letter at 23; FINRA Letter at 19; BATS Letter at 12; DTCC Letter at 9; MSRB Letter at 18; SIFMA Letter at 13; FIF Letter at 5; BIDS Letter at 10; Omgeo Letter at 17; and CME Letter at 9. \867\ Commenters suggested time frames of 48 hours (CME Letter at 9); 72 hours (OCC Letter at 12; DTCC Letter at 9, 11 (noting, however, that details surrounding an SCI event should not be required to be provided in writing until after the investigation of the event is complete and the event has been resolved)); and five business days (BIDS Letter at 10). \868\ See FINRA Letter at 20. This commenter further suggested that, if an SCI event has not been fully resolved within a reasonable period, e.g.,10 or 15 days, an SCI entity could be required to submit written notification based on currently available information at the end of that period, with periodic status updates via telephone or email, and a final written submission within 24 to 48 hours after the event has been fully resolved. \869\ See SIFMA Letter at 14. --------------------------------------------------------------------------- Some commenters also suggested that, if the Commission retains the 24-hour requirement, it should require provision of less information. For example, one commenter suggested that SCI entities should only be required to provide whatever information is sufficiently reliable at that time.\870\ Two other commenters stated that SCI entities should not be required to include an estimate of the markets and participants [[Page 72326]] impacted by an SCI event or to quantify such impact because this requirement may create a risk of civil liability for the SCI entity.\871\ Another commenter recommended that the rule require only a brief written summary that is one or two paragraphs, which could be supplemented by oral communications and a longer summary within 15 days after an SCI event has been fully resolved.\872\ --------------------------------------------------------------------------- \870\ See FINRA Letter at 20. This commenter also suggested that the rule require an SCI entity to assess the ``business impact'' of an SCI event, noting that this information may provide more context than requiring an SCI entity to estimate the number of market participants impacted by an SCI event (which in some cases could be zero, but still have a negative impact on the SCI entity). See FINRA Letter at 30. \871\ See DTCC Letter at 10; and Omgeo Letter at 30. Omgeo added that such a calculation would be difficult to compute, likely inaccurate, and of little use to the Commission. \872\ See Omgeo Letter at 17. --------------------------------------------------------------------------- With respect to the information provided to the Commission via notification of an SCI event, one commenter suggested that the rule provide a safe harbor for entities and employees for either inadvertent omissions in a submitted report, or when a good faith, documented determination is made that no report is required.\873\ One commenter stated that that the Commission should expressly provide that initial written submissions are to be made on a best efforts basis and SCI entities will incur no liability or penalty for any unintentional inaccuracies or omissions contained in these submissions.\874\ Some commenters stated that entities should not be liable for information that is later found to be incomplete or inaccurate.\875\ --------------------------------------------------------------------------- \873\ See id. at 18. \874\ See FINRA Letter at 20. \875\ See, e.g., SIFMA Letter at 14; and UBS Letter at 4 (stating that SCI entities acting in good faith should not be held accountable if details offered in reports to the Commission are substantially different from what is revealed by further analysis). --------------------------------------------------------------------------- Some commenters \876\ questioned the purpose of requiring that information disseminated to members and participants (under proposed Rule 1000(b)(5)) be copied and attached to Form SCI as part of notifications to the Commission, and considered it ``an overly broad inclusion of communications'' that would have ``a chilling effect on communications between the SCI entities and their members and participants,'' \877\ while another commenter argued that, when an exchange is having a technology issue, many members may be reaching out to the exchange's staff with requests for information and status. Therefore, that commenter questioned the feasibility, need, and potential impact of the proposed requirement that SCI entities provide a copy of any information disseminated to date regarding the SCI event to their members or participants.\878\ --------------------------------------------------------------------------- \876\ Because the requirement to provide information disseminated to an SCI entity's members or participants is now included in the Final Report (Rule 1002(b)(4)) instead of with the 24-written notification requirement as proposed, the Commission's response to these comments is discussed below in the subsection ``Final Report: Adopted Rule 1002(b)(4).'' \877\ See Joint SROs Letter at 11. \878\ See Direct Edge Letter at 7-8. --------------------------------------------------------------------------- One commenter stated that, to reduce the cost of compliance, the Commission should accept the same notifications of service interruptions that an ATS already provides to its subscribers.\879\ --------------------------------------------------------------------------- \879\ See BIDS Letter at 11. --------------------------------------------------------------------------- Commenters also provided suggestions for limiting the circumstances for which 24-hour written notification would be required under proposed Rule 1000(b)(4)(ii). One commenter stated that only SCI events that materially impact an SCI entity's operations or market participants should be subject to the 24-hour written notification requirement, but questioned whether 24 hours was realistic even for those events.\880\ One commenter suggested that proposed Rule 1000(b)(4)(ii) only apply to significant SCI events and that other events only be subject to a recordkeeping requirement.\881\ In addition, some commenters suggested that if an SCI entity has provided oral notification to the Commission, it should not be required to file written notice within 24 hours after the initial report unless reasonably requested by the Commission.\882\ --------------------------------------------------------------------------- \880\ See MSRB Letter at 18. \881\ See CME Letter at 9. \882\ See BATS Letter at 12; and Omgeo Letter at 17. See also DTCC Letter at 10; and OCC Letter at 14 (suggesting 72 hours to provide written information after providing verbal notification). --------------------------------------------------------------------------- Written Notification Within 24 Hours: Adopted Rule 1002(b)(2) Adopted Rule 1002(b)(2) requires an SCI entity, within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, to submit a written notification pertaining to such SCI event to the Commission. Rule 1002(b)(2) allows for such written notifications to be made on a good faith, best efforts basis and requires that it include: (i) A description of the SCI event, including the system(s) affected; and (ii) to the extent available as of the time of the notification: the SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event. The Commission has considered comments stating that 24 hours is too short and burdensome a duration for an SCI entity to submit a compliant written notification.\883\ The Commission understands commenters' concerns that SCI entities may still be actively investigating and working to resolve an SCI event and that information it initially provides to the Commission about an SCI event may not ultimately prove correct.\884\ Therefore, in line with commenters' concerns regarding a good faith and best efforts standard,\885\ the Commission has modified the 24-hour written notification requirement in adopted Rule 1002(b) to make clear that the written notification should be provided on a ``good faith, best efforts basis.'' This modification acknowledges that a written notification provided within 24 hours may provide only a preliminary assessment of the SCI event, that additional information may come to light after the initial 24-hour period, and that the initial assessment may prove in retrospect to be incorrect or incomplete. Consequently, the adopted rule requires that the written notification provided within 24 hours be submitted on a good faith, best efforts basis, and does not require that the written notification be a comprehensive or complete assessment of the SCI event (unless, of course, an SCI entity has completed a full assessment by such time). The Commission believes that a ``good faith'' standard will help to ensure that SCI entities will not be accountable for unintentional inaccuracies or omissions contained in these submissions, and a ``best efforts'' standard will help to ensure that SCI entities will make a diligent and timely attempt to provide all the information required by the written notification requirement. The Commission also notes that an SCI entity will not need to submit a written notification where an SCI entity documents that an SCI event is determined to be a de minimis SCI event, other than including de minimis systems disruptions and de minimis systems intrusions in the quarterly report required by Rule 1002(b)(5). As discussed in further detail below, in the event that new information comes to light or previously reported information is found to be materially incorrect, adopted Rule 1002(b)(3) requires an SCI entity to update the information at that [[Page 72327]] time, and does not require that such updates be written.\886\ The Commission believes these modifications will help ensure that SCI entities are able to provide the information required by Rule 1002(b)(2) within 24 hours, and therefore the Commission is not modifying the timeframe to extend beyond 24 hours, as requested by several commenters.\887\ Moreover, because the information need only be provided on a good faith, best efforts basis and, pursuant to Rule 1002(b)(3), updates can be provided on a regular basis to correct any materially incorrect information previously provided or when new material information is discovered, the Commission disagrees with commenters that stated that the information required by Rule 1002(b) should be provided only after resolution of the SCI event. The Commission continues to believe that Rule 1002(b)(2)'s requirement to provide information to the Commission within 24 hours is appropriately tailored to help the Commission and its staff quickly assess the nature and the scope of an SCI event and will contribute to more timely and effective Commission oversight of systems whose proper functioning is central to the maintenance of fair and orderly markets, and that this would particularly be the case for SCI events that are not yet resolved.\888\ --------------------------------------------------------------------------- \883\ See, e.g., supra note 866 and accompanying text. \884\ See supra notes 873-875 and accompanying text. \885\ See id. \886\ See infra note 909 and accompanying text. \887\ See supra notes 867-869 and accompanying text; and Proposing Release, supra note 13, at 18119. \888\ See supra notes 868 and 872 and accompanying text. --------------------------------------------------------------------------- Adopted Rule 1002(b)(2) is also responsive to comments urging the Commission to require less information in a 24-hour written notification.\889\ Specifically, whereas proposed Rule 1000(b)(4) required a detailed description of the SCI event, adopted Rule 1002(b)(2)(i) specifies that an SCI entity must only provide ``a description of the SCI event, including the system(s) affected.'' Additional information is only required to the extent available as of the time of the notification, which includes an ``SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event.'' \890\ This information is the type of necessary information that SCI entities are able to provide in a short timeframe and that the Commission has come, over time, to rely upon to properly assess systems issues. --------------------------------------------------------------------------- \889\ See supra notes 870-872 and accompanying text. \890\ Rule 1002(b)(2)(ii). The information required to be provided in Rule 1002(b)(2)(ii) is a subset of information proposed to be required under Rule 1000(b)(4)(iv)(A)(1)-(2) of the SCI Proposal. --------------------------------------------------------------------------- Additionally, the Commission notes that adopted Rule 1002(b) does not require that an SCI entity provide the Commission, at the time of the initial notice to the Commission, with its current assessment of the SCI event, including a discussion of the determination of whether it is subject to a dissemination requirement, as proposed in Rule 1000(b)(4). The Commission has also determined to further refine the scope of information that needs to be reported in the 24-hour written notification by requiring that the following items instead be included in the final report under Rule 1002(b)(4), rather than in the 24-hour written notification required by Rule 1002(b)(2): A description of the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and an analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss.\891\ --------------------------------------------------------------------------- \891\ At the same time, if such information is known at the time of the notification, the SCI entity will be required to provide it pursuant to Rule 1002(b)(2)(ii)'s requirement that the SCI entity provide ``any other pertinent information known . . . about the SCI event.'' Additionally, such information would be provided under the requirement to provide the Commission with regular updates under Rule 1002(b)(3)'s requirement to provide any of the information listed in Rule 1002(b)(2)(ii) if it becomes available after the time of submission of the 24-hour notification. The Commission also notes that Rule 1002(b)(4)(ii) requires that an SCI entity include in the final report a copy of any information disseminated pursuant to Rule 1002(c) by the SCI entity to date regarding an SCI event to any of its members or participants. --------------------------------------------------------------------------- In response to commenters who suggested that the Commission limit the events for which 24-hour written notification would be required to material events,\892\ the Commission notes that it has partially responded to such comments by providing an exception to the immediate notification requirement for de minimis events in Rule 1002(b)(5). The Commission believes that this exception should reduce the overall number of SCI events subject to immediate notification requirements as compared to what would have been required if the SCI Proposal was adopted without modification and, consequently, the requirement to submit a written notification within 24 hours of an SCI event, thereby alleviating some of the burdens about which commenters expressed concerns. Moreover, the Commission believes that a materiality threshold would likely exclude from the 24-hour written notification a large number of SCI events that are not de minimis SCI events but that the Commission, as part of its oversight role, should be updated on so that the Commission and its staff can quickly assess the nature and scope of those SCI events and potentially assist the SCI entity in identifying the appropriate response, including ways to mitigate the impact of SCI events on investors and promote the maintenance of fair and orderly markets. The Commission reemphasizes that the information to be provided under the 24-hour written notification would represent the SCI entity's preliminary assessment--performed on a good faith, best efforts basis--of the SCI event, and only certain key information is required under the 24-hour written notification, with ``other pertinent information'' required only where ``known by the SCI entity'' within the 24-hour timeframe. For these reasons, the Commission has determined not to adopt a materiality threshold for the requirement that an SCI entity update the Commission within 24 hours after it has a reasonable basis to conclude that an SCI event has occurred. --------------------------------------------------------------------------- \892\ See supra note 880 and accompanying text. --------------------------------------------------------------------------- Additionally, the Commission disagrees with those commenters who stated that written notification should only be required when reasonably requested by the Commission.\893\ The Commission believes that it should be notified of all SCI events and that all SCI events (other than those specified in Rule 1002(b)(5)) should be subject to the 24-hour written notification requirement because, by articulating in a single notification what is currently known about an SCI event and the steps expected to be taken to respond to the SCI event, the Commission will be better able to assess the nature and scope of, and respond to, SCI events and potentially assist SCI entities in identifying the appropriate response, including ways to mitigate the impact of SCI events on investors and promote the maintenance of fair and orderly markets. --------------------------------------------------------------------------- \893\ See supra note 882 and accompanying text. --------------------------------------------------------------------------- In response to the comment that the Commission should accept the same notifications of service interruptions that an ATS provides to its [[Page 72328]] subscribers,\894\ the Commission believes that SCI ATSs can use the types of information contained in ATS notices to subscribers when completing Form SCI, but nevertheless believes that it is more useful and efficient for the Commission and its staff to be able to have all SCI event notifications standardized in a single format (i.e., Form SCI). --------------------------------------------------------------------------- \894\ See supra note 879 and accompanying text. --------------------------------------------------------------------------- As discussed above, the information required under the adopted 24- hour written notification requirement has been refined as compared with the requirements in the proposal. Consequently, the Commission believes that SCI entities should be able to provide the Commission with this information in a written format, and does not agree that such information should be provided in an oral format, as requested by some commenters, regardless of the manner in which the immediate notification was provided to the Commission.\895\ The Commission emphasizes that regular updates provided under Rule 1002(b)(3) may, however, be provided either orally or in written form.\896\ --------------------------------------------------------------------------- \895\ See supra notes 872 and 882 and accompanying text. \896\ See infra note 911 and accompanying text. --------------------------------------------------------------------------- In response to commenters that stated SCI entities should not be required to include an estimate of the market participants impacted by an SCI event or to quantify such impact because this requirement may create a risk of civil liability for the SCI entity,\897\ the Commission notes that the information submitted to the Commission pursuant to Regulation SCI will be treated as confidential, subject to applicable law, including amended Rule 24b-2.\898\ Moreover, the requirement to provide a 24-hour written notification does not itself create a risk of civil liability, but the Commission acknowledges that the information provided to it may be subject to FOIA requests. --------------------------------------------------------------------------- \897\ See supra note 871. \898\ See supra notes 802-803 and accompanying text. For a discussion of the amendment to Rule 24b-2, see infra notes 1245-1248 and accompanying text. --------------------------------------------------------------------------- Regarding the comment that the requirement to include an estimate of the markets and participants impacted by an SCI event or to quantify such impact would be difficult to compute, likely inaccurate, and of little use to the Commission,\899\ the Commission disagrees. The rule requires an SCI entity to provide its current assessment of the types and number of market participants potentially affected by the SCI event and the potential impact of the SCI event on the market, to the extent this information is available as of the time of the notification, rather than an exact computation. In addition, the rule does not require that the assessment be submitted only if the SCI entity ensures that it is free of inaccuracies. Further, contrary to the commenter's suggestion, the Commission believes that such estimates will be of significant use to the Commission and its staff in understanding the potential severity of the SCI event. In addition, because the SCI entity is likely to be in the best position to assess an SCI event, the Commission also believes that an assessment of the impact of an SCI event on markets and participants is useful because it afford the Commission the opportunity to learn the SCI entity's perspective on the potential or actual impact of an SCI event.\900\ --------------------------------------------------------------------------- \899\ See supra note 871 and accompanying text. \900\ The Commission notes that SCI entities retain the flexibility to provide additional information to the Commission as part of their assessments, such as providing the ``business impact'' of an SCI event, as suggested by one commenter. See supra note 870. --------------------------------------------------------------------------- Written Commission Updates: Proposed Rule 1000(b)(4)(iii) Commenters also addressed proposed Rule 1000(b)(4)(iii), which required an SCI entity to provide the Commission written updates pertaining to an SCI event on a regular basis, or at such frequency as reasonably requested by a representative of the Commission, until the SCI event was resolved. Some commenters urged the Commission to provide clarity on the definition of ``resolved.'' \901\ For example, one commenter suggested that the Commission should define the resolution of an SCI event to be when the affected SCI systems have been normalized,\902\ and another commenter stated that there should be a precise definition of when an SCI event is resolved and that definition should be linked directly to the definition of the SCI event itself.\903\ Other commenters expressed concern that the continuing update requirement could divert resources from resolution of the SCI event and suggested that updates be required only to the extent they would not interfere with event resolution.\904\ One commenter stated that continual updates should only be necessary if the SCI entity had not resolved the event within a reasonable period, such as 10 to 15 days.\905\ --------------------------------------------------------------------------- \901\ See DTCC Letter at 11; and Omgeo Letter at 18. \902\ See DTCC Letter at 11. \903\ See Omgeo Letter at 18. \904\ See MSRB Letter at 19; and OCC Letter at 14. \905\ See FINRA Letter at 20. --------------------------------------------------------------------------- Other commenters addressed the method of providing updates. For example, one commenter stated that only oral communication should be required when an SCI event is ongoing, and that the rule should allow a written supplement to a final or post mortem report if additional information comes to light regarding the SCI event.\906\ Another commenter suggested that updates should be permitted to be in writing or provided orally based on the judgment of the SCI entity.\907\ Finally, one commenter stated that requests for updates regarding SCI events should only be permitted to come from senior staff at the Commission.\908\ --------------------------------------------------------------------------- \906\ See Omgeo Letter at 17. \907\ See MSRB Letter at 19. \908\ See NYSE Letter at 24. --------------------------------------------------------------------------- Regular Updates: Adopted Rule 1002(b)(3) Rule 1002(b)(3) requires that, until such time as an SCI event is resolved, and the SCI entity's investigation of the SCI event is closed, an SCI entity provide the Commission with updates pertaining to the SCI event on a regular basis, or at such frequency as reasonably requested by a representative of the Commission. Updates are required to correct any materially incorrect information previously provided, or when new material information is discovered, including not limited to, any of the information listed in Rule 1002(b)(2)(ii). While the Commission recognizes that providing the Commission with such updates imposes an additional reporting requirement on SCI entities, the Commission also believes that updates are important to allow the Commission to fully monitor the SCI event. In addition, the Commission believes that the update requirement will encourage SCI entities to formalize their processes for gathering information on SCI events, which will help to ensure that responsible SCI personnel receive accurate and updated information on SCI events as they are being resolved, and further, that this process may be helpful to SCI entities when providing information about SCI events to their members or participants. Also, because the Commission has revised the requirements of the 24-hour notification to allow SCI entities to provide information on a good faith, best efforts basis and has limited the scope of information required in that report as discussed above, the Commission believes that updates to the Commission to correct materially incorrect information previously reported or when new material information is [[Page 72329]] discovered as required by the rule is important to keep the Commission up to date with accurate information, including the following: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event. Consequently, the Commission does not agree with the commenter who suggested that updates should be only required if an SCI event has not been resolved within a reasonable amount of time, such as 10 to 15 days.\909\ --------------------------------------------------------------------------- \909\ See supra note 870 and accompanying text. --------------------------------------------------------------------------- The Commission believes that updates regarding this information are important to enhance the Commission's oversight of the securities markets and its informed and continued understanding of an SCI event. Moreover, the Commission underscores that updates are only required to the extent that they correct any materially incorrect information previously provided or when new material information is discovered, including but not limited to, any of the information listed in Rule 1002(b)(2)(ii), thereby alleviating the burden to SCI entities of providing such updates absent such circumstances.\910\ The Commission has also eased the requirements of the proposed update provision by eliminating the proposed requirements that an SCI entity attach a copy of any information disseminated to date regarding the SCI event to its members or participants or on the SCI entity's publicly available Web site; a description of the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; an analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. Instead, these information requirements must only be provided as part of the final report required by Rule 1002(b)(4), and the Commission therefore believes that burdens associated with the continuing update requirement will be streamlined because SCI entities will not need to devote resources to providing written updates while an SCI event is ongoing. --------------------------------------------------------------------------- \910\ The requirement that updates regarding new or corrected information be provided on a regular basis (unless an alternative, specific frequency is reasonably requested by a representative of the Commission) is designed to take into account the fact that new or updated information may develop at different frequencies for different SCI events. --------------------------------------------------------------------------- At the same time, the Commission is cognizant of the burdens associated with requiring written updates and therefore has revised the update requirement in adopted Rule 1002(b)(3) to remove the proposed requirement that such updates be provided in written form. Thus, submission of updates may be provided either orally or in written form, and will result in a lighter burden on SCI entities than the proposed requirement, and is responsive to commenters that suggested that SCI entity resources would be better directed to resolving an SCI event.\911\ --------------------------------------------------------------------------- \911\ See supra note 791 and accompanying text. SCI entities may, but are not required to, utilize Form SCI to submit such updates. See Section IV.D (discussing Form SCI). The Commission also believes that, to the extent commenters suggested that the Commission permit oral updates, they did so because, at least in part, oral updates are less burdensome to SCI entities than written updates. See supra notes 906-907 and accompanying text. --------------------------------------------------------------------------- In response to comment that the Commission provide guidance to clarify when an SCI event has been ``resolved'' \912\ and in line with the particular comment that the concept of resolution should be linked directly to the definition of the SCI event itself,\913\ the Commission believes that an SCI event is resolved when the event no longer meets the definitions of a systems disruption, systems intrusion, or systems compliance issue, as defined in Rule 1000, and that an SCI entity's Rule 1002(b) reporting obligations are completed when an SCI entity submits a final report as required by Rule 1002(b)(4). Further, the Commission does not believe that it is necessary to prescribe that requests to SCI entities regarding updates should come solely from senior Commission staff, as suggested by one commenter.\914\ The Commission believes that requiring an SCI entity to update the Commission at such frequency as reasonably requested by a representative of the Commission provides appropriate flexibility to the Commission to request additional information as necessary, but does not anticipate that requests will be made by multiple members of the Commission staff because the Commission expects that such requests would be coordinated by a particular group of Commission staff that are assigned to handle specific reports from SCI entities. --------------------------------------------------------------------------- \912\ See supra notes 902-903 and accompanying text. \913\ See supra note 903 and accompanying text. \914\ See supra note 802 and accompanying text. --------------------------------------------------------------------------- Final Report: Adopted Rule 1002(b)(4) Adopted Rule 1002(b)(4) requires that if an SCI event is resolved and the SCI entity's investigation of the SCI event is closed within 30 days of the occurrence of the SCI event, then within five business days after the resolution of the SCI event and closure of the SCI entity's investigation regarding the SCI event, the SCI entity is to submit a final written notification pertaining to such SCI event to the Commission (``final report''). The final report is required to include: (i) A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; (ii) a copy of any information disseminated pursuant to Rule 1002(c) by the SCI entity to date regarding the SCI event to any of its members or participants; and (iii) an analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. Rule 1002(b)(4) also specifies that, if an SCI event is not resolved or the SCI entity's investigation of the SCI event is not closed within 30 days of the occurrence of the SCI event, then, the SCI entity is required to submit a written notification pertaining to such SCI event to the Commission within 30 days after the occurrence of the SCI event containing the information required in Rules 1002(b)(4)(i)-(iii), to the extent known at the time. Within five business days after the resolution of such SCI event and closure of the investigation regarding such SCI event, the SCI entity is required to submit a final written notification pertaining to such SCI event to the Commission containing the information specified in the rule. As an initial matter, the Commission notes that several of the items that are specifically required to be described in the final report (as specified in adopted Rule 1002(b)(4)) were proposed to be required to be provided to the Commission under proposed Rule 1000(b)(4)(ii), within a shorter time frame.\915\ The Commission believes that [[Page 72330]] the adopted rule, by requiring that this information be submitted to the Commission after resolution of an SCI event and closure of the SCI entity's investigation, will encourage SCI entities to devote resources first to resolving the SCI event, and providing status reports when required, and then to preparing a comprehensive final report. In particular, as some commenters suggested, certain information would be more accurate, and therefore more useful, if provided after an SCI event is resolved.\916\ The Commission believes that the information required under Rule 1002(b)(4) will provide the Commission with a comprehensive analysis to more fully understand and assess the impact caused by the SCI event. In addition, the Commission ordinarily would expect an SCI entity to include the root cause of an SCI event as part of ``any other pertinent information'' known about the SCI event. The Commission also believes that certain of the information requested by Rule 1002(b)(4) is more suitable to be provided after, rather than prior to, resolution of an SCI event. Specifically, much of the information required by Rule 1002(b)(4) (an analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss) can only be comprehensively known after the final resolution of an SCI event.\917\ --------------------------------------------------------------------------- \915\ The Commission notes that while proposed Rule 1000(b)(4)(iv)(C) specified that an SCI entity was required to provide a copy of any information disseminated on the SCI entity's publicly available Web site, adopted Rule 1002(b)(4) specifies that an SCI entity provide a copy of any information disseminated pursuant to Rule 1002(c) by the SCI entity to date regarding the SCI event to any of its members or participants. \916\ See supra notes 870-878 and accompanying text. \917\ The Commission notes that a notification required pursuant to proposed Rule 1000(b)(4)(ii) required the SCI entity to provide information on the ``potential impact of the SCI event on the market,'' whereas adopted Rule 1002(b)(4)(ii)(A) requires a description of ``the SCI entity's assessment of the impact of the SCI event on the market.'' Because adopted Rule 1002(b)(4) requires a final report upon resolution of an SCI event and the closure of the SCI entity's investigation of the SCI event, the Commission believes it is appropriate that an SCI entity provide its assessment of the impact of the SCI event in the final report, rather than information on the SCI event's potential impact. --------------------------------------------------------------------------- Similarly, the Commission is revising the proposed requirement that SCI entities provide to the Commission a copy of any information disclosed by the SCI entity to date regarding the SCI event to any of its members or participants. First, rather than requiring that SCI entities provide a copy of ``any information disclosed by the SCI entity,'' the adopted rule requires that SCI entities provide a copy of any information ``disseminated pursuant to paragraph (c) of [Rule 1002]'' by the SCI entity to date regarding the SCI event to any of its members or participants. The Commission believes that this refined requirement will more appropriately capture only the information needed for the Commission to assess compliance with the dissemination requirements of Rule 1002(c). Further, to limit the burden on, and provide additional flexibility to, SCI entities as they resolve SCI events, the adopted rule does not require this information to be included as part of a Form SCI submission until the final report is to be submitted to the Commission. The Commission believes that it is sufficient to require that this information be included in the final report because it is an important part of the record of an SCI event and SCI entity's response to such event.\918\ As noted above, one commenter questioned the purpose of this requirement and expressed concern that it may negatively impact open communication between an SCI entity and its members and participants,\919\ while another commenter questioned the feasibility, need, and potential impact of this requirement in light of the numerous communications that SCI entities will engage in with their members or participants.\920\ While the Commission recognizes that it is possible that the requirement could have some chilling effect on such communications, it believes that this information is important for SCI entities to share with the Commission because it is an efficient means for the Commission to assess whether SCI entities are complying with the dissemination requirements of Rule 1002(c). Further, the Commission believes that, by requiring that SCI entities provide a copy only of information disseminated pursuant to Rule 1002(c) (rather than all information disclosed to members or participants regarding the SCI event), it addresses one commenter's concern that it would be difficult, unnecessary, and could impede open communication, to provide the Commission with a copy of all information disclosed to members or participants, which could include hundreds of individual communications via email or telephone for each SCI event. --------------------------------------------------------------------------- \918\ Under Rule 1002(b)(4), SCI entities are required to provide a copy of any information disseminated pursuant to Rule 1002(c) by the SCI entity to date regarding the SCI event to any of its members or participants. \919\ See supra note 877. \920\ See supra note 878 and accompanying text. Specifically, this commenter noted that there could be hundreds of communications between the SCI entity and its members or participants during a systems incident and questioned the feasibility of, and need for, recreating and providing to the Commission a copy of all such communications. Further, the commenter noted that this requirement could have an unintended effect of discouraging open communication between the SCI entity and its members. --------------------------------------------------------------------------- The Commission also believes that, if an SCI event is not resolved or the SCI entity's investigation of the SCI event is not closed within 30 days of the occurrence of the SCI event, it is reasonable to require that an SCI entity submit within thirty business days after the occurrence of the SCI event the information required in Rule 1002(b)(4)(ii), to the extent known at the time, because this timeframe provides SCI entities with flexibility to continue their investigation while also apprising the Commission of relevant information discovered during the course of the SCI entity's investigation. Moreover, the rule takes into account the Commission's recognition that an SCI entity's investigation regarding an SCI may not yet be complete despite the fact that the SCI event itself has resolved. In such cases, within five business days after the SCI event has resolved and the investigation regarding the SCI event has closed, the Commission believes that it is reasonable and necessary to provide it with a comprehensive and complete understanding of the SCI event. Consequently, SCI entities are required to submit a final written notification that contains all information required by Rule 1002(b). Goals of Adopted Commission Notification Rule As discussed in greater detail above, the Commission has carefully considered the views of commenters as well as what it believes is necessary for the Commission and its staff with respect to the timing and content of notifications regarding SCI events, and believes that the adopted rule will be less burdensome for SCI entities than if the proposed rule was adopted without modification, while still resulting in meaningful notice to the Commission and its staff with information about SCI events in a timely manner that permits the Commission to fulfill its oversight role. With regard to comments on the resource and efficiency demands of the notification requirements,\921\ the Commission believes that while SCI entities will need to devote resources to fulfilling the notification requirements, the Commission does not believe that these resources will diminish SCI entities' ability to respond to SCI events because it is the Commission's [[Page 72331]] experience that the staff that engages in corrective action is generally distinct from the staff that has been charged with notifying the Commission of systems issues. Consequently, the Commission does not believe that, due to this requirement, staff that engages in corrective action will be unable to fulfill its responsibilities after implementation of Regulation SCI. --------------------------------------------------------------------------- \921\ See supra notes 790-793. --------------------------------------------------------------------------- The Commission believes that adopted Rules 1002(b)(1)-(4) are responsive to concerns that the proposed Commission notification requirements would have required SCI entities to notify the Commission of information before all relevant facts are known.\922\ As discussed, in tandem with the revised triggering standard, which affords an SCI entity time to assess whether an SCI event has occurred,\923\ the adopted rule affords an SCI entity the flexibility to gather information for the 24-hour written notification on a good faith best, efforts basis,\924\ and adopted Rule 1002(b)(3) makes clear that an SCI entity is required to update the Commission to correct any materially inaccurate information previously provided, or when pertinent new information is discovered, until such time as the SCI event is resolved, and the SCI entity's investigation of the SCI event is closed. Further, the final report for a given SCI event is only required once, when both the SCI event is resolved and the SCI entity's investigation of the SCI event is closed, with an interim report required only when an SCI event is not resolved or the SCI entity's investigation of the SCI event is not closed within 30 days of the occurrence of the SCI event. Taken together, the Commission believes that Rule 1002(b) does not require reporting before all relevant fact are known, which one commenter suggested would be counterproductive and harmful.\925\ Instead, the Commission believes that the rule is designed to provide SCI entities with a process that gives them sufficient time to submit information to the Commission when known. In addition, and in response to comment questioning the usefulness of the notification requirement for the Commission,\926\ the Commission believes that adopted Rule 1002(b) will foster a system for comprehensive reporting of SCI events, which should enhance the Commission's review and oversight of U.S. securities market infrastructure and foster cooperation between the Commission and SCI entities in responding to SCI events. The Commission also believes that the aggregated data that will result from the reporting of SCI events will enhance its ability to comprehensively analyze the nature and types of various SCI events and identify more effectively areas of persistent or recurring problems across the systems of all SCI entities. Some commenters suggested that the Commission provide to SCI entities regular summary-level feedback on SCI entities' notifications \927\ or provide examples of the types of SCI events that warrant notification.\928\ To the extent it believes that guidance or other information, including summary-level feedback, publications, or reference blueprints, would be appropriate to share, the Commission or its staff may do so in the future. --------------------------------------------------------------------------- \922\ See supra note 804 and accompanying text. \923\ See supra Section IV.B.3.a (discussing the triggering standard). \924\ See supra discussion of ``good faith, best efforts'' above. \925\ See supra note 804. \926\ See supra note 793. \927\ See supra note 806 and accompanying text. \928\ See supra note 807 and accompanying text. --------------------------------------------------------------------------- d. Dissemination of Information--Rule 1002(c) i. Proposed Rule 1000(b)(5) Proposed Rule 1000(b)(5) would have required an SCI entity to provide specified information relating to ``dissemination SCI events'' to SCI entity members or participants. The term ``dissemination SCI event'' was proposed to mean an SCI event that is a: (1) Systems compliance issue; (2) systems intrusion; or (3) systems disruption that results, or the SCI entity reasonably estimates would result, in significant harm or loss to market participants. Proposed Rule 1000(b)(5)(i)(A) would have required an SCI entity, promptly after any responsible SCI personnel becomes aware of a dissemination SCI event other than a systems intrusion, to disseminate to its members or participants the following information about such SCI event: (1) The systems affected by the SCI event; and (2) a summary description of the SCI event. Proposed Rule 1000(b)(5)(i)(B) would have required an SCI entity to further disseminate to its members or participants, when known: (1) A detailed description of the SCI event; (2) the SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; and (3) a description of the progress of its corrective action for the SCI event and when the SCI event has been or is expected to be resolved. Proposed Rule 1000(b)(5)(i)(C) would have further required an SCI entity to provide regular updates to members or participants on any of the information required to be disseminated under proposed Rules 1000(b)(5)(i)(A) and (i)(B). In the case of a systems intrusion, the proposed rule permitted a limited delay in dissemination if the dissemination would compromise the security of the SCI entity's systems.\929\ Except for the delay in dissemination of information for systems intrusions in specified circumstances, the proposed rule did not distinguish dissemination obligations based on the severity or impact of a dissemination SCI event. --------------------------------------------------------------------------- \929\ See proposed Rule 1000(b)(5)(ii) (permitting a delay in dissemination of information regarding a systems intrusion if ``the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity's SCI systems or SCI security systems, or an investigation of the systems intrusion, and documents the reasons for such determination''). --------------------------------------------------------------------------- ii. Comments Regarding Information Dissemination Two commenters generally supported proposed Rule 1000(b)(5).\930\ One commenter characterized it as ``one of the major benefits of th[e] proposal.'' \931\ Another commenter suggested broadening the proposal to require an SCI entity to reveal dissemination SCI events to the public at large, and not just to its members or participants.\932\ This commenter believed that public dissemination of the facts of an SCI event would help enhance investor confidence by preventing speculation and misinformation, and would provide important learning opportunities for the industry and other SCI entities.\933\ --------------------------------------------------------------------------- \930\ See Angel Letter at 5; and MFA Letter at 7. \931\ See Angel Letter at 5. This commenter stated: ``Instead of keeping information about hardware failures, system intrusions, and software glitches private, sharing the information will alert others in the industry about such problems and help to reduce system wide costs of diagnosing problems, as well as result in improved responses to technology problems. These will serve as warnings to the other SCI entities to stay vigilant to prevent similar problems from occurring on their platforms.'' Angel Letter at 5. \932\ See MFA Letter at 7. \933\ See id. --------------------------------------------------------------------------- In contrast, many commenters urged the Commission to revise the proposed dissemination requirement.\934\ For example, a few commenters expressed concern that the proposal would require dissemination of too much information too soon.\935\ One of these commenters stated that the proposed rule would be counterproductive and harmful because [[Page 72332]] it would cause the release of information before all relevant facts are known and suggested dissemination should only be required when the SCI entity has credible information that can be acted upon.\936\ Another commenter suggested that dissemination should only be required when the information to be disseminated is certain and clear.\937\ Another commenter urged that, if immediate dissemination is required, then the information required to be disseminated should be limited to communication of the basic fact that there is a systems issue and additional information will be provided when known.\938\ --------------------------------------------------------------------------- \934\ See, e.g., NYSE Letter at 28-29; FINRA Letter at 24; BATS Letter at 13; DTCC Letter at 11-12; OCC Letter at 16; CME Letter at 9-10; ICI Letter at 4; Oppenheimer Letter at 2; Direct Edge Letter at 8; Omgeo Letter at 21; ITG Letter at 13; and FIA PTG Letter at 3. \935\ See, e.g., DTCC Letter at 12, NYSE Letter at 29; and ITG Letter at 13. \936\ See ITG Letter at 13. See also supra note 804 and accompanying text. \937\ See DTCC Letter at 12. \938\ See NYSE Letter at 29 (stating also that the scope of the information required to be provided is too extensive, particularly given the timing requirements of the proposed rule). --------------------------------------------------------------------------- Several commenters opposed requiring information dissemination to all members and participants.\939\ For example, some commenters urged that an SCI entity be required to provide information only to members or participants actually impacted by an SCI event, or that interact with the SCI system impacted, rather than to all members or participants of an SCI entity.\940\ One commenter recommended that an SCI entity be required to disseminate information only to persons reasonably likely to be affected by a significant systems issue.\941\ Two commenters stated that SCI entities should have reasonable discretion to determine who among their members and participants should receive notification of an SCI event, as well as the manner and timing for providing notice.\942\ A few commenters more broadly expressed concern that the proposed rule would result in over-reporting of information about SCI events and would have limited usefulness.\943\ Some of these commenters stated that the proposed approach would result in SCI entity members and participants becoming immunized to the notifications because they would receive too many notifications and therefore would not focus on the truly significant events.\944\ --------------------------------------------------------------------------- \939\ See, e.g., MSRB Letter at 20-21; DTCC Letter at 11; CME Letter at 10; NYSE Letter at 28; FINRA Letter at 24-25; ISE Letter at 6-7; SIFMA Letter at 15; and OCC Letter at 17. \940\ See MSRB Letter at 20-21; DTCC Letter at 11; CME Letter at 9; NYSE Letter at 28; FINRA Letter at 25; and ISE Letter at 6-7. In addition, one of these commenters sought clarification on whether the term ``participant'' refers to a formal participant or, more broadly speaking, any market participant that interacts with the SCI system in question. See MSRB Letter at 20. See also Omgeo Letter at 21, and infra note 954. \941\ See NYSE Letter at 28. \942\ See SIFMA Letter at 15 (urging that an SCI entity should have discretion to determine which participants or members are affected and how to notify them); and OCC Letter at 17 (urging that an SCI entity should be able to limit the communication to those members and participants that are actually affected and to provide the communication on a confidential and secure basis when the SCI entity has reasonable certainty of the information that is required to be provided). \943\ See, e.g., CME Letter at 9; FIA PTG Letter at 3; and Omgeo Letter at 39. See also Fidelity Letter at 5 (requesting that the Commission provide greater specificity regarding the types of dissemination SCI events that must be disclosed and to whom disclosure must be made). \944\ See, e.g., Omgeo Letter at 40; FIA PTG Letter at 3; and CME Letter at 9. --------------------------------------------------------------------------- Several commenters suggested that the Commission apply the proposed dissemination requirement to fewer types of SCI events.\945\ For example, several commenters stated that information dissemination should only be required for material or significant SCI events.\946\ One commenter suggested that, for an SCI event that is ``de minimis,'' information dissemination to members or participants should not be required at all.\947\ This commenter suggested that a de minimis SCI event would be one that is limited in impact, brief in duration, or involves little or no member or participant harm.\948\ Another commenter noted that, as proposed, Commission notification would be required for a systems disruption if the systems disruption had a ``material impact'' on the SCI entity's operations or on market participants, whereas information dissemination to members or participants would be required if an SCI entity reasonably estimated that the systems disruption would result ``in significant harm or loss to market participants.'' \949\ This commenter criticized the differing standards for Commission notification and member/participant notification and suggested that the Commission clarify the standards or adopt a uniform standard for both types of notifications.\950\ --------------------------------------------------------------------------- \945\ See, e.g., NYSE Letter at 28; FIA PTG Letter at 3; FINRA Letter at 24; BATS Letter at 13; OCC Letter at 16-17; CME Letter at 9-10; ICI Letter at 4; Oppenheimer Letter at 2; and Direct Edge Letter at 8. \946\ See NYSE Letter at 28; FIA PTG Letter at 3; FINRA Letter at 24; BATS Letter at 13; OCC Letter at 16-17; CME Letter at 9-10; ICI Letter at 4; Oppenheimer Letter at 2; and Direct Edge Letter at 8. \947\ See BATS Letter at 13. \948\ See id. \949\ See OCC Letter at 16. \950\ See id. --------------------------------------------------------------------------- Several commenters specifically opposed the proposed dissemination requirement for systems compliance issues. Some commenters urged that an SCI entity be required to disseminate information only for material or significant systems compliance issues.\951\ One of these commenters stated that prompt dissemination of information regarding systems compliance issues to members or participants might lead to widespread dissemination of extraneous and potentially inaccurate information.\952\ --------------------------------------------------------------------------- \951\ See, e.g., FINRA Letter at 24; Joint SROs Letter at 9; SIFMA Letter at 12; BATS Letter at 13; MSRB Letter at 6; and CME Letter at 10. \952\ See Joint SROs Letter at 8. --------------------------------------------------------------------------- Regarding systems intrusions, a few commenters stated that dissemination of systems intrusions information could raise significant risks and security concerns.\953\ One commenter recommended that a dissemination requirement apply only in the case of members, participants, or clients for whom confidential data was disclosed, processing was impacted, or where such member, participant, or client could take further action to mitigate the risk of such disclosure.\954\ This commenter also expressed support for the limited exception for intrusions that would compromise an investigation or resolution of the systems intrusion, noting that once dissemination would no longer compromise an investigation or the resolution of the issue, the entity should notify materially affected members, participants, or clients. --------------------------------------------------------------------------- \953\ See DTCC Letter at 11; and NYSE Letter at 29. See also Direct Edge Letter at 3 (suggesting that, to ensure that sensitive information does not fall into the wrong hands, the Commission should require reporting of systems intrusions to the Commission, and only require public disclosure in instances where there is a risk of significant harm to the SCI entity's customers). \954\ See Omgeo Letter at 21. --------------------------------------------------------------------------- One commenter stated that information should not be disseminated regarding disruptions in regulatory or surveillance systems, nor should information be disseminated about intrusions or compliance issues, arguing that the information could be misused, or if disseminated too soon, could be inaccurate and misleading.\955\ Two other commenters also expressed concern that information dissemination should not be required when the information provided might be misused to the detriment of the markets or investors, such as with respect to systems intrusions or issues relating to surveillance systems.\956\ --------------------------------------------------------------------------- \955\ See NYSE Letter at 29. See also supra note 935 and accompanying text. \956\ See ICI Letter at 4; and Oppenheimer Letter at 2. --------------------------------------------------------------------------- iii. Rule 1002(c) In the SCI Proposal, the Commission stated that the intended purpose of the proposed rule was twofold: To aid members or participants of SCI entities [[Page 72333]] in determining whether their trading activity has been or might be impacted by the occurrence of an SCI event at an SCI entity so that they could consider that information in making trading decisions, seeking corrective action or pursuing remedies, or taking other responsive action; and to provide an incentive for SCI entities to devote more resources and attention to improving the integrity and compliance of their systems and preventing the occurrence of SCI events.\957\ Although commenters generally did not object to the Commission's stated rationale for proposed Rule 1000(b)(5), several commenters suggested that the proposed approach did not adequately consider circumstances in which the proposed information dissemination might not be helpful to the market or market participants, or could be detrimental to the markets or market participants. One commenter, however, urged that public dissemination of information regarding SCI events would help to prevent speculation and misinformation regarding such events.\958\ --------------------------------------------------------------------------- \957\ See Proposing Release, supra note 13, at 18120. \958\ See supra note 933 and accompanying text. --------------------------------------------------------------------------- The Commission has carefully considered the views of commenters with respect to proposed Rule 1000(b)(5), and has determined to adopt it as Rule 1002(c), with several modifications in response to comment. In particular, the Commission has determined to eliminate the definition of ``dissemination SCI event'' from the final rule and adopt an information dissemination requirement that scales dissemination obligations in accordance with the nature and severity of an SCI event. In response to comment that the proposed rule would result in over- reporting of information about SCI events and have limited usefulness, the Commission has further focused the rule from the proposal by requiring dissemination of information about SCI events that are not major SCI events only to affected SCI entity members and participants, and excepting de minimis SCI events and SCI events regarding market regulation or market surveillance systems from the information dissemination requirement.\959\ In the case of a ``major SCI event,'' the Commission agrees with the commenter who stated that requiring dissemination should help to prevent speculation and misinformation regarding such events.\960\ Therefore, in the case of a ``major SCI event,'' the adopted rule requires an SCI entity to disseminate information to all of its members or participants. At the same time, as with other SCI events, any SCI event that meets the definition of major SCI event that has had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity's operations or on market participants is excepted from the information dissemination requirement.\961\ The Commission believes the revised approach will better achieve the purpose of maximizing the utility of information disseminated to SCI entity members and participants while simultaneously reducing compliance burdens for SCI entities. --------------------------------------------------------------------------- \959\ See supra notes 943-956 and accompanying text. \960\ See supra note 933 and accompanying text. \961\ See Rule 1002(c)(4)(ii). --------------------------------------------------------------------------- Rule 1002(c)(1): Information Dissemination for Systems Disruptions and Systems Compliance Issues Adopted Rule 1002(c)(1) generally addresses dissemination requirements for systems disruptions and systems compliance issues. Rule 1002(c)(1)(i) requires an SCI entity, promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event that is a systems disruption or systems compliance issue has occurred, to disseminate information about such SCI event, unless an exception applies. When the dissemination obligation is triggered,\962\ Rule 1002(c)(1)(i) requires an SCI entity to disseminate to the persons specified in Rule 1002(c)(3) information on the system(s) affected by the SCI event and a summary description of the SCI event. Thereafter, Rule 1002(c)(1)(ii) provides that, when known, an SCI entity shall promptly further disseminate: A detailed description of the SCI event; the SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; and a description of the progress of its corrective action for the SCI event and when the SCI event has been or is expected to be resolved. Rule 1002(c)(1)(iii) provides that, until resolved, an SCI entity shall provide regular updates of any information required to be disseminated under Rules 1002(c)(1)(i) and (ii). The specified types of information and the update requirements are unchanged from the proposal. The Commission continues to believe that, for the dissemination of information to be meaningful, it is necessary for an SCI entity to describe the SCI event in sufficient detail to permit a member or participant to determine whether and how it was affected by the SCI event and make appropriate decisions based on that determination.\963\ Adopted Rule 1002(c)(1)(i) requires that the information initially disseminated include the systems affected by the SCI event and a summary description of the SCI event, and only after responsible SCI personnel have a reasonable basis to conclude that a systems disruption or systems compliance issue has occurred. Implicit in this requirement is that the disseminated information be accurate. Without the dissemination of accurate information, the impact on the SCI entity's members or participants or the market may be more pronounced because market participants may not recognize that an SCI event is occurring, or may mistakenly attribute unusual market activity to some other cause. --------------------------------------------------------------------------- \962\ See supra Section IV.B.3.a (discussing the triggering standard). \963\ See Proposing Release, supra note 13, at 18120. --------------------------------------------------------------------------- Adopted Rule 1002(c)(1) also requires that required information be disseminated ``promptly.'' \964\ Although the Commission agrees that SCI entities should not prematurely disseminate information regarding an SCI event, lest it be inaccurate, speculative, misleading, or otherwise unhelpful, as some commenters were concerned about,\965\ the Commission does not agree with the commenter who suggested that information dissemination be provided at a time chosen by the SCI entity.\966\ The Commission believes that accurate information that is timely is more likely to aid a market participant in determining whether its trading activity has been or might be impacted by the occurrence of an SCI event than accurate information that is delayed. However, as compared to Commission notification, which is required to be provided immediately after an SCI entity has a reasonable basis to conclude that an SCI event has occurred, and which notice may be provided orally, dissemination of information to SCI entity members or participants is required to be provided promptly. The requirement for prompt dissemination, as opposed to immediate dissemination, is designed to provide some limited flexibility to an SCI entity to determine an efficient way to disseminate information to multiple potentially affected members or participants, or all of its members or participants, as the case may be, in a timely manner. Likewise, as new information becomes [[Page 72334]] known, immediate updates are not required, but an SCI entity is obligated to also disseminate updated information ``promptly'' after it is known. The Commission believes that adopted Rule 1002(c)(1) strikes an appropriate balance by requiring an SCI entity to disseminate specific information about SCI events, but also permits an SCI entity to have time to check relevant facts before disseminating that information. The Commission therefore believes that adopted Rule 1002(c)(1) is responsive to comment that the proposed rule would have required release of information too soon, before it is determined to be credible, or before relevant facts were known.\967\ --------------------------------------------------------------------------- \964\ The persons to whom the required information about systems disruptions and systems compliance issues is to be disseminated are specified in Rules 1002(c)(3) and (4). \965\ See also supra notes 935-938 and 933 and accompanying text. \966\ See supra note 942 and accompanying text. \967\ See supra notes 935-938 and accompanying text. --------------------------------------------------------------------------- Rule 1002(c)(2): Information Dissemination for Systems Intrusions Adopted Rule 1002(c)(2) requires an SCI entity, promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event that is a systems intrusion has occurred, to disseminate a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity's SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents the reasons for such determination. This rule applies to systems intrusions that are not de minimis events. In response to commenters stating that information about a systems intrusion in many cases will be sensitive and raise security concerns, and those urging that the dissemination requirement apply only in limited cases,\968\ the Commission notes that, although it does not wholly exclude systems intrusions from the dissemination requirement, the rule permits a delay in dissemination of any information about a systems intrusion if dissemination would compromise the security of the SCI entity's SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and the SCI entity documents the reason for such determination.\969\ Adopted Rule 1002(c)(2) also provides that the content of the required disclosure for a systems intrusion is less detailed than required for other types of SCI events. These provisions are unchanged from the SCI Proposal.\970\ As stated in the SCI Proposal, the Commission continues to believe that there may be circumstances in which the dissemination of information related to a systems intrusion should be delayed to avoid compromising the investigation or resolution of a systems intrusion.\971\ Also, as stated in the SCI Proposal, the affirmative documentation required by Rule 1002(c)(2) is important to allow the Commission to ensure that SCI entities are not improperly invoking the limited exception provided by Rule 1002(c)(2).\972\ This delayed dissemination provision permits an SCI entity to delay providing information about an intrusion to its members or participants to protect legitimate security concerns. However, under Rule 1002(c)(2), if an SCI entity cannot, or can no longer, determine that information dissemination as required by Rule 1002(c)(2) would likely compromise the security of the SCI entity's SCI systems or indirect SCI systems, or an investigation of the systems intrusion, no delay (or further delay, if applicable) in dissemination is permitted.\973\ Pursuant to Rule 1002(c)(2), information about a systems intrusion is required to be disseminated eventually, as the Commission believes that circumstances permitting a delay (i.e., dissemination of information would likely compromise the security of the SCI entity's SCI systems or indirect SCI systems, or an investigation of the systems intrusion), will not continue indefinitely.\974\ --------------------------------------------------------------------------- \968\ See, e.g., supra notes 953-954 and accompanying text. \969\ See Rule 1002(c)(4) (excepting de minimis systems intrusions and intrusions into market regulation or market surveillance systems from the dissemination requirement) and Rule 1001(c)(2) (permitting a delay in dissemination). \970\ The persons to whom the required information about a systems intrusion is to be disseminated (provided the circumstances warranting a delay do not apply) is specified in Rules 1002(c)(3) and (4). \971\ See Proposing Release, supra note 13, at 18120. \972\ See id. \973\ See id. \974\ Some commenters urged modifications to the proposed rule that would further circumscribe the proposed dissemination requirement for systems intrusions. See, e.g., supra notes 953-954 and accompanying text (urging that dissemination for systems intrusions only be required for affected persons and only if material). These comments are addressed in the discussion of adopted Rules 1002(c)(3) and (4). --------------------------------------------------------------------------- Rule 1002(c)(3): To Whom Information Is To Be Disseminated Adopted Rule 1002(c)(3) provides that the information required to be provided under Rules 1002(c)(1) and (2) promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event has occurred, shall be promptly disseminated by the SCI entity to those members or participants of the SCI entity that any responsible SCI personnel has reasonably estimated may have been affected by the SCI event, and promptly disseminated to any additional members or participants that any responsible SCI personnel subsequently reasonably estimates may have been affected by the SCI event. The rule further requires that, for major SCI events, such information shall be disseminated by the SCI entity to all of its members or participants. As noted, several commenters urged that an SCI entity be required to disseminate information relating to an SCI event only to those members or participants affected by the SCI event.\975\ Some suggested that an SCI entity have discretion to determine who should receive information regarding SCI events,\976\ and one suggested that SCI events warrant public disclosure.\977\ Others expressed more general concern that the breadth of the proposed dissemination requirement would result in over- reporting of information about SCI events because they believed that SCI entities would over-report out of an abundance of caution \978\ or that SCI entity members and participants would become immunized to reports of SCI events and not focus on significant events.\979\ --------------------------------------------------------------------------- \975\ See supra note 940 and accompanying text. \976\ See supra note 942 and accompanying text. \977\ See supra notes 932-933 and accompanying text. \978\ See supra note 943 and accompanying text. \979\ See supra notes 943-944 and accompanying text. --------------------------------------------------------------------------- After careful consideration of the comments, the Commission believes that, to maximize the utility of information dissemination, a more tailored approach to who should receive information about an SCI event is warranted, based on an SCI event's impact. Because information about an SCI event is likely to be of greatest value to those market participants affected by it, who can use such information to evaluate the event's impact on their trading and other activities and develop an appropriate response, adopted Rule 1002(c)(3) requires prompt dissemination to those members or participants of the SCI entity that any responsible SCI personnel has reasonably estimated may have been affected by the SCI event. With respect to more serious SCI events, however, the Commission believes that dissemination to all members or participants of an SCI entity is warranted. Accordingly, under adopted Regulation SCI, certain SCI events will be defined as ``major SCI events.'' Adopted Rule 1000 defines ``major SCI event'' as ``an SCI event that has [[Page 72335]] had, or the SCI entity reasonably estimates would have: (1) Any impact on a critical SCI system; or (2) a significant impact on the SCI entity's operations or on market participants.'' The Commission believes that dissemination of information regarding a major SCI event to all members or participants of an SCI entity is appropriate because major SCI events are likely to impact a large number of market participants (e.g., with respect to critical SCI systems, a disruption of consolidated market data or the clearance and settlement system, or an event significantly impacting the operations of an exchange).\980\ As noted, one commenter suggested broadening the proposed rule to generally require an SCI entity to reveal dissemination SCI events (other than intrusions) to the public at large. This commenter expressed the view that public dissemination of the facts of an SCI event would help ``enhance investor confidence by presenting the facts of the SCI event, preventing speculation and misinformation, and informing the public of corrective action being taken'' and would ``serve as an important collective learning opportunity'' that would allow for ``SCI [e]ntities and market participants [to] learn from [the event] . . . and build upon their policies and controls as appropriate.'' This commenter stated further that such an ``industry protocol would help strengthen and enhance the integrity and security of our markets.'' \981\ The Commission agrees with this commenter that it is appropriate for an SCI entity to present the facts, prevent speculation and misinformation, and provide transparency about corrective action being taken when the impact of an SCI event is most likely to be felt by many market participants (i.e., when it is a major SCI event). In the context of a major SCI event, the Commission believes these goals can be achieved by requiring an SCI entity to disseminate information to all of its members or participants (as opposed to the ``public at large''). Moreover, the Commission believes it is appropriate to require dissemination of information on major SCI events to all of the SCI entity's members or participants because these market participants are the most likely to act on this information. Based on the experience of the Commission and its staff, when an entity disseminates information about a systems issue to all of its members or participants (e.g., on the entity's Web site), and that information has the potential to affect the market and investors more broadly (including market participants that may not be members or participants of the SCI entity reporting the event), such information is routinely picked up by financial or other media outlets, and also may be relayed to market participants for whom such information is relevant (e.g., by members or participants of SCI entities to their own clients). Therefore, the Commission believes that when information about a systems issue with broad potential impact is disseminated to all of an SCI entity's member or participants, such dissemination is tantamount to public dissemination.\982\ As such, the Commission believes that it can achieve the purposes of the rule without requiring public dissemination, and believes that any additional gain in benefits from public dissemination would be minimal. Rule 1002(c)(3) does not specify how an SCI entity is to disseminate information to all of its members or participants when required to do so, but the Commission believes that posting the information on a Web site accessible to, at a minimum, all of its member or participants (for example, on a ``systems status alerts'' page) would meet the rule's requirements.\983\ --------------------------------------------------------------------------- \980\ At the same time, the Commission recognizes that some SCI events that meet the definition of ``major SCI event'' could also qualify as de minimis SCI events. Like other de minimis SCI events, they are excepted from the information dissemination requirement. See Rule 1002(c)(4). \981\ See supra notes 932-933. \982\ The Commission notes that one commenter referred to the dissemination provision in the SCI Proposal as the ``public dissemination provision of Proposed Reg SCI.'' See NYSE Letter at 28. See also ICI Letter at 4 and Oppenheimer Letter at 4 (each supporting ``transparency of SCI events to members and participants of an SCI entity'' but recommending that the Commission only require ``public dissemination'' where such information enhances investor protection). \983\ The Commission notes that, irrespective of the medium chosen to disseminate information to the SCI entity members or participants, the SCI entity would also be required to submit the disseminated information to the Commission as part of the report submitted pursuant to Rule 1002(b)(4). See supra Section IV.B.3.c. --------------------------------------------------------------------------- For an SCI event that is neither a major SCI event nor an event identified in Rule 1002(c)(4), however, the information specified in Rule 1002(c)(1) or (2), as applicable, is required to be disseminated by the SCI entity to those members or participants of the SCI entity that any responsible SCI personnel has reasonably estimated may have been affected by the SCI event.\984\ The Commission believes that an SCI entity is generally in the best position to identify those of its members or participants that are or are reasonably likely to be affected by such events. Under this approach, as commenters urged, members or participants not reasonably estimated to be affected by such events will not be the recipients of information likely to be irrelevant to them. The Commission believes that SCI entities will be able to analyze which members or participants are or reasonably likely will be impacted, and the rule requires SCI entities to disseminate information to such members or participants. The requirement that information is to be disseminated only to those members or participants that any responsible SCI personnel has reasonably estimated may have been affected by the SCI event (other than a major SCI event or a de minimis SCI event) addresses the concern raised by some commenters that members and participants will become immunized by receiving irrelevant notifications \985\ because, under the adopted approach, members or participants should only receive notifications relevant to them. --------------------------------------------------------------------------- \984\ In response to the commenter seeking clarification on whether the term ``participant'' refers to a formal participant or, more broadly speaking, any market participant that interacts with the SCI system in question (see supra note 940), for purposes of adopted Rule 1002, the term ``participant'' refers to a formal participant. The Commission also notes that, with respect to the MSRB, the term ``members'' as used in Regulation SCI includes entities that are registered with the MSRB, but does not include ``a member of the Board,'' which is the definition of ``member'' in MSRB Rule D-5. \985\ See supra notes 944 and 952 and accompanying text. --------------------------------------------------------------------------- Whereas the proposed rule would have required dissemination of information about certain SCI events to all SCI entity members and participants, the adopted rule requires dissemination only to those members and participants reasonably estimated to be affected by an SCI event (other than a major SCI event or a de minimis SCI event). Because it is possible that an SCI entity's reasonable estimate of members or participants affected may change as an SCI event unfolds, the adopted rule also requires prompt dissemination of information to newly identified members or participants reasonably estimated to be affected by an SCI event.\986\ This provision reflects the view that newly identified affected members or participants should receive prompt dissemination of information about an SCI event, just as those originally identified as affected members or participants. Although compliance with this requirement may result in an SCI entity disseminating information at several different times to [[Page 72336]] different members and participants, consistent with commenters' suggestions, the Commission believes that this requirement is appropriately tailored to result in information dissemination being provided to the relevant members or participants of an SCI entity.\987\ --------------------------------------------------------------------------- \986\ Rule 1002(c)(1) requires that, among other things, the SCI entity must disseminate the SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event, and until resolved, provide regular updates of this and any other information required to be disseminated under the rule. \987\ The Commission notes that an SCI entity would be in compliance with the rule if it disseminated the required information to all members or participants, rather than disseminating only to those members and participants it reasonably initially estimated to be affected by the event (which might require subsequent dissemination(s) to additional members or participants if its estimate regarding those members or participants that were affected by a given SCI event changes over time). --------------------------------------------------------------------------- If an SCI event is a de minimis event--i.e., is an SCI event that has had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity's operations or on market participants--the adopted rule does not impose any dissemination requirement.\988\ --------------------------------------------------------------------------- \988\ See discussion of adopted Rule 1002(c)(4) below (excepting, among other things, de minimis systems SCI events from the dissemination requirement). See also supra Section IV.B.3.c (discussing Rule 1002(b)(5), which requires that, for de minimis SCI events, an SCI entity is required to: (i) Make, keep, and preserve records relating to all such SCI events; and (ii) submit to the Commission a report, within 30 calendar days after the end of each calendar quarter, containing a summary description of such systems disruptions and systems intrusions, including the SCI systems and, for systems intrusions, indirect SCI systems, affected by such systems disruptions and systems intrusions during the applicable calendar quarter). --------------------------------------------------------------------------- Adopted Rule 1002(c)(4): Exceptions to the General Rules on Information Dissemination Adopted Rule 1002(c)(4) provides that the requirements of Rules 1002(c)(1)-(3) shall not apply to: (i) SCI events to the extent they relate to market regulation or market surveillance systems; or (ii) any SCI event that has had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity's operations or on market participants. The Commission has added the exception in adopted Rule 1002(c)(4)(i) in response to comments that information should not be disseminated regarding disruptions in regulation and surveillance systems, because dissemination of such information to an SCI entity's members or participants or the public at large could encourage prohibited market activity.\989\ The Commission notes that the exception for market regulation or market surveillance systems is limited to dissemination of information about SCI events related to market regulation or market surveillance systems. Information about an SCI event that impacts other SCI systems would still be required to be disseminated in accordance with Rule 1002(c) even if that same SCI event also impacts market regulation or market surveillance systems. --------------------------------------------------------------------------- \989\ See supra notes 955-956 and accompanying text. --------------------------------------------------------------------------- The exception in Rule 1002(c)(4)(ii) for de minimis SCI events is consistent with the Commission's approach to excluding de minimis SCI events from the immediate Commission notification requirements in Rule 1002(b), and is therefore responsive to comment that notification and dissemination of systems disruptions were subject to differing standards under the proposal,\990\ as well as to the comment that a de minimis SCI event should not be subject to dissemination.\991\ With respect to the comment that dissemination should only be required for material or significant SCI events,\992\ while the Commission is not limiting the dissemination requirement as suggested by these commenters, the exception for de minimis SCI events is responsive to this comment, to an extent. Moreover, the Commission believes that a materiality threshold would likely exclude from the information dissemination requirement a large number of SCI events that are not de minimis SCI events, but that an SCI entity's members or participants should be made aware of so that they can quickly assess the nature and scope of those SCI events and identify the appropriate response, including ways to mitigate the impact of the SCI events. The Commission also believes that, even without adopting a materiality threshold, the adopted definitions of SCI systems and indirect SCI systems significantly focus the scope of the Commission dissemination requirements from the SCI Proposal. --------------------------------------------------------------------------- \990\ See supra notes 949-950 and accompanying text. \991\ See supra notes 947-948 and accompanying text; Section IV.B.3.c (discussing Rule 1002(b)) and supra note 988 and accompanying text. The Commission notes that, because major SCI events are a subset of SCI events, the exception in Rule 1002(c)(4)(ii) also applies to major SCI events that meet the requirements of that rule. \992\ See supra note 946 and accompanying text; see also supra notes 941 and 944 and accompanying text. --------------------------------------------------------------------------- Consistent with its statements in the SCI Proposal, the Commission notes that the requirements relating to dissemination of information in Regulation SCI relate solely to Regulation SCI.\993\ Nothing in adopted Regulation SCI should be construed as superseding, altering, or affecting the reporting obligations of SCI entities or their affiliates under other federal securities laws or regulations. Accordingly, in the case of an SCI event, SCI entities or their affiliates subject to the public company reporting requirements of Section 13 or Section 15(d) of the Exchange Act would need to comply with their disclosure obligations pursuant to those provisions (including, for example, with respect to Regulation S-K and Forms 10-K, 10-Q, and 8-K) in addition to their disclosure and reporting obligations under Regulation SCI.\994\ In addition, the Commission also wishes to highlight that the requirements of Rule 1002(c) address to whom and when SCI entities are obligated under Regulation SCI to disseminate information. Subject to any applicable laws or regulations, SCI entities still retain the flexibility to disseminate information--e.g., to their members or participants, the public, or market participants that interact with the affected SCI systems--at any time they determine to be appropriate. --------------------------------------------------------------------------- \993\ See Proposing Release, supra note 13, at 18119, n. 235. \994\ As an additional example, nothing in adopted Regulation SCI should be construed as superseding any obligations under Regulation FD. SCI entities may also wish to consider staff guidance on this topic. See CF Disclosure Guidance: Topic No. 2, Cybersecurity (October 13, 2011), available at: https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm. --------------------------------------------------------------------------- 4. Notification of Systems Changes--Rule 1003(a) a. Proposed Definition of Material Systems Change, Proposed Rules 1000(b)(6) and (b)(8)(ii) Proposed Rule 1000(a) would have defined the term ``material systems change'' as a change to one or more: (1) SCI systems of an SCI entity that: (i) Materially affects the existing capacity, integrity, resiliency, availability, or security of such systems; (ii) relies upon materially new or different technology; (iii) provides a new material service or material function; or (iv) otherwise materially affects the operations of the SCI entity; or (2) SCI security systems of an SCI entity that materially affects the existing security of such systems. In the SCI Proposal, the Commission set forth examples that it preliminarily believed could be included within the proposed definition of material systems change.\995\ --------------------------------------------------------------------------- \995\ These examples included: Major systems architecture changes; reconfiguration of systems that would cause a variation greater than five percent in throughput or storage; the introduction of new business functions or services; changes to external interfaces; changes that could increase susceptibility to major outages; changes that could increase risks to data security; changes that were, or would be, reported to or referred to the entity's board of directors, a body performing a function similar to the board of directors, or senior management; and changes that could require allocation or use of significant resources. See Proposing Release, supra note 13, at 18105-06. These examples were cited in the 2001 Staff ARP Interpretive Letter. The Commission also stated its preliminary belief that any systems change occurring as a result of the discovery of an actual or potential systems compliance issue would be material. See id. --------------------------------------------------------------------------- [[Page 72337]] Proposed Rule 1000(b)(6)(i) would have required an SCI entity, absent exigent circumstances, to notify the Commission in writing at least 30 calendar days before implementation of any planned material systems changes, including a description of the planned material systems changes as well as the expected dates of commencement and completion of implementation of such changes. If exigent circumstances existed, or if the information previously provided to the Commission regarding any planned material systems change had become materially inaccurate, proposed Rule 1000(b)(6)(ii) would have required the SCI entity to notify the Commission, either orally or in writing, with any oral notification to be memorialized within 24 hours after such oral notification by a written notification, as early as reasonably practicable. A written notification to the Commission made pursuant to proposed Rule 1000(b)(6) would have been required to be made electronically on Form SCI and include all information as prescribed in Form SCI and the instructions thereto. Proposed Rule 1000(b)(8)(ii) would have required each SCI entity to submit to the Commission a report, within 30 calendar days after the end of June and December of each year, containing a summary description of the progress of any material systems change during the six month period ending on June 30 or December 31, as the case may be, and the date, or expected date, of completion of implementation of such changes. A written notification to the Commission made pursuant to proposed Rule 1000(b)(8)(ii) would have been required to be made electronically on Form SCI and include all information as prescribed in Form SCI and the instructions thereto. b. Quarterly and Supplemental Material Systems Change Reports--Rule 1003(a) i. Adopted Rule 1003(a)(1): Quarterly Material Systems Change Reports Many commenters viewed the proposed 30-day advance notification requirement for material systems changes as burdensome.\996\ For example, one commenter believed that the Commission significantly underestimated the number of material systems changes, and suggested that the proposal might require reporting of as many as 60 material systems changes per week, rather than that same amount per year, as the Commission estimated in the SCI Proposal.\997\ Some commenters stated that many SCI entities implement frequent agile modifications rather than major episodic or ``waterfall'' changes, and therefore viewed the proposed 30-day advance notification requirement as favoring a model that employs waterfall changes over agile changes.\998\ Several commenters stated more broadly that the proposed requirement would mandate constant reporting that would stifle innovation, interfere with an SCI entity's natural planning and development process, and potentially do more harm than good by curtailing an SCI entity's ability to respond to systems issues with appropriate fixes.\999\ Several commenters also expressed concern that the burden of reporting would incentivize an SCI entity to change its systems less often instead of making smaller and more frequent iterative systems adjustments, which they believed would be inconsistent with current software best practices, curtail innovation, and expose their systems to increased risk.\1000\ One commenter questioned the purpose of the proposed requirement, stating that the Commission has not presented any empirical evidence that major or material technology changes by SCI entities are in fact the leading cause of market disruption, and that non-material systems changes by SCI entities and non-SCI entities have a high likelihood of causing market disruptions, but they are not captured by the proposal.\1001\ At the same time, this commenter stated that providing 30-day advance notification of these non-material systems changes would hamstring SCI entities.\1002\ --------------------------------------------------------------------------- \996\ See, e.g., NYSE Letter at 26; BATS Letter at 14; ISE Letter at 8; BIDS Letter at 14; UBS Letter at 3-4; SIFMA Letter at 15; ITG Letter at 8 and 13; FIF Letter at 5; MFA Letter at 5-6; CME Letter at 11; FINRA Letter at 27; Joint SROs Letter at 7; and OTC Markets Letter at 20. \997\ See BATS Letter at 14. See also NYSE Letter at 26; and ISE Letter at 8 (stating that the proposal would require reporting of too many routine changes), and infra discussion of the definition of material systems change. \998\ See KCG Letter at 19; FIF Letter at 5; UBS Letter at 4; and ITG Letter at 8. ``Agile'' software development, which involves smaller, more frequent changes in software code, is contrasted with the ``waterfall'' methodology, which involves larger, episodic software overhauls. \999\ See KCG Letter at 19; FIF Letter at 5; UBS Letter at 4; BATS Letter at 14; and ITG Letter at 8. See also SunGard Letter at 3. \1000\ See KCG Letter at 19; FIF Letter at 5; UBS Letter at 4; BATS Letter at 14; and ITG Letter at 8. See also SIFMA Letter at 16. \1001\ See SunGard Letter at 3. \1002\ See id. --------------------------------------------------------------------------- Some commenters also noted that Regulation ATS already requires an ATS to report material changes to the operation of the ATS at least 20 calendar days prior to their implementation.\1003\ One of these commenters noted that it is common for an ATS to finalize the systems specifications for a change close to when the ATS wants to go live with the change, but the ATS must wait 20 days before implementation, and occasionally the questions from Commission staff can further delay implementation.\1004\ This commenter expressed concern that Regulation SCI would lengthen the notification requirement to 30 calendar days and broaden the requirement to include any significant systems change, not just a material change to the operation of the ATS.\1005\ --------------------------------------------------------------------------- \1003\ See BIDS Letter at 14; and ITG Letter at 8. \1004\ See ITG Letter at 8. \1005\ See id. --------------------------------------------------------------------------- The Commission continues to believe that it is important to receive notifications of planned and implemented material changes to SCI systems or the security of indirect SCI systems in connection with its oversight of U.S. securities market infrastructure.\1006\ However, after considering the views of commenters regarding the 30-day advance notification requirement, the Commission is instead adopting a quarterly reporting requirement, which will permit the Commission and its staff to have up-to-date information regarding an SCI entity's systems development progress and plans, to aid in understanding the operations and functionality of the systems and any material changes thereto, without requiring SCI entities to submit a notification to the Commission for each [[Page 72338]] material systems change.\1007\ Specifically, Rule 1003(a)(1) requires an SCI entity, within 30 calendar days after the end of each calendar quarter, to submit to the Commission a report describing completed, ongoing, and planned material systems changes to its SCI systems and security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion.\1008\ --------------------------------------------------------------------------- \1006\ See Proposing Release, supra note 13, at 18122, 18144. As noted above, one commenter argued that the Commission has not presented any empirical evidence that major or material technology changes by SCI entities are in fact the leading cause of market disruption, and that non-material systems changes have a high likelihood of causing market disruptions. See supra note 1001 and accompanying text. The Commission notes that the primary purpose of Rule 1003(a) is not to prevent market disruptions. Rather, it is to keep the Commission and its staff informed of the systems changes that SCI entities determine to be material, which will assist the Commission with its oversight of U.S. securities market infrastructure. While the Commission acknowledges that non-material systems changes could cause market disruptions, the Commission agrees with this commenter that requiring Commission notification of all systems changes would be burdensome. See supra note 1002 and accompanying text (noting this commenter's view that providing 30- day advance notification of non-material systems changes would hamstring SCI entities). \1007\ As discussed in more detail below, the Commission is also not adopting the proposed definition of material systems change or the proposed semi-annual reporting requirement. \1008\ Using the quarter ending December 31, 2014 as an example, an SCI entity would be required to submit a report by January 30, 2015 (i.e., within 30 calendar days after December 31, 2014) that describes material systems changes that the SCI entity has made (including the dates when those changes commenced and were completed), are currently implementing (including the dates when those changes commenced and are expected to be completed), and plan to make (including the dates those changes are expected to commence and complete) for the period from October 1, 2014 (the beginning of the prior calendar quarter) through June 30, 2015 (the end of the subsequent calendar quarter). The next report that corresponds to the quarter ending March 31, 2015 would be required to be submitted by April 30, 2015. As discussed in more detail below, Rule 1003(a)(2) requires an SCI entity to promptly submit a supplemental report notifying the Commission of a material error in or material omission from a report previously submitted under Rule 1003(a)(1). --------------------------------------------------------------------------- The Commission believes that elimination of the 30-day advance notification requirement for material systems changes is responsive to commenters who were concerned that the proposed approach was unsuited to the agile systems development methodology that some SCI entities use today. In particular, an SCI entity will have the ability to implement material systems changes without having to individually report each material systems change to the Commission 30 days in advance, which commenters noted could lead SCI entities to favor the waterfall methodology of systems changes over the agile methodology.\1009\ The Commission also believes that the adopted quarterly reporting requirement provides more flexibility to SCI entities with respect to the timing of implementing material systems changes. In particular, SCI entities will not be required to wait 30 calendar days after notifying the Commission in order to implement a material systems change. Therefore, the adopted rule is responsive to commenters who stated that the proposed rule would stifle innovation, interfere with an entity's planning and development process, and expose SCI entities' systems to risk. Moreover, the Commission believes that elimination of the proposed 30-day advance notification requirement is responsive to commenters' concern that ATSs are already required to report material changes to the operation of the ATSs at least 20 calendar days prior to implementation, and that proposed Regulation SCI would extend the advance notification period to 30 calendar days.\1010\ --------------------------------------------------------------------------- \1009\ At the same time, because systems changes utilizing the waterfall methodology are often planned well in advance, these systems changes would generally be included in the quarterly report, as Rule 1003(a) requires the quarterly report to describe, among other things, planned material systems changes during the subsequent calendar quarter. However, this requirement of Rule 1003(a) is not limited to planned material systems changes utilizing the waterfall methodology, but also would apply to planned material systems changes utilizing other development methodologies, including the agile methodology. \1010\ The Commission notes that the adoption of Rule 1003(a) does not affect an SCI ATS's existing obligation under Rule 301(b)(2)(ii) of Regulation ATS to file amendments on Form ATS at least 20 calendar days prior to implementing material change to the operation of the ATS. Therefore, with respect to a material systems change, an SCI ATS may be required to describe such change in a quarterly report under Rule 1003(a) and submit an amendment to Form ATS. --------------------------------------------------------------------------- The Commission also believes that adopting the quarterly reporting requirement instead of the 30-day advance notification requirement lessens SCI entities' burden of compliance as compared to the proposal.\1011\ For example, rather than submitting a Form SCI for each material systems change, an SCI entity is now required to submit four reports each year pursuant to Rule 1003(a)(1) and, as applicable, supplemental reports pursuant to Rule 1003(a)(2). To the extent certain material systems changes are related or similar, an SCI entity will not be required to separately notify the Commission of each change. Instead, the SCI entity can describe such related changes within the single quarterly report. The Commission also believes that this quarterly report process will provide the Commission and its staff with a more efficient framework to review material systems changes that are described in the larger context afforded by such periodic reports, rather than parsing every submission that reports a material systems change.\1012\ --------------------------------------------------------------------------- \1011\ See supra notes 996-997 and accompanying text. \1012\ The Commission acknowledges that some systems changes deployed by an SCI entity may not by themselves be considered material by the SCI entity, but that, in the aggregate, can be considered material by the SCI entity (e.g., making a series of small systems changes over time in order to implement a broad systems change). The Commission believes that the adopted quarterly reporting requirement is better suited to capture such changes than the proposed 30-day advance notification requirement (i.e., 30-day advance notification for each single systems change that is by itself considered material by the SCI entity). --------------------------------------------------------------------------- One commenter expressed concern that the proposed exception for exigent circumstances was too narrow.\1013\ Because adopted Rule 1003(a)(1) requires quarterly reports of material systems changes rather than 30-day advance notification of each material systems change, the Commission is not adopting the proposed ``exigent circumstances'' exception. Specifically, the Commission notes that the purpose of the exception was to accommodate situations where it would not be prudent or desirable for an SCI entity to delay a systems change simply to provide 30-day advance notification of the change. At the same time, the Commission notes that, because Rule 1003(a)(1) requires in part a description of completed, ongoing, and planned material systems changes during the prior and current calendar quarters, an SCI entity's quarterly report will be required to include a description of all material changes to its SCI systems or the security of its indirect SCI systems, including those that have been implemented in response to exigent circumstances during the prior and current calendar quarters. --------------------------------------------------------------------------- \1013\ See BATS Letter at 15. --------------------------------------------------------------------------- Several commenters suggested possible alternatives to the proposed requirements related to material systems changes. Some commenters suggested eliminating the proposed advance notification requirement for material systems changes.\1014\ One of these commenters explained that information regarding material systems changes would be available to the Commission during an inspection, but stated that, if an advance notification requirement is adopted, it should be folded into the proposed semi-annual reporting requirement.\1015\ Another commenter similarly urged that the Commission require only semi-annual reporting of material systems changes, as proposed in Rule 1000(b)(8).\1016\ One commenter supported the reporting of material systems changes in the annual SCI review report.\1017\ One commenter believed that information related to systems changes should be reported periodically.\1018\ Another commenter noted that if the Commission retains the 30-day advance notification requirement, it should be limited to material systems changes of only higher priority SCI systems and that [[Page 72339]] notifications of changes to lower criticality systems could be provided at the time of the change or periodically.\1019\ --------------------------------------------------------------------------- \1014\ See MFA Letter at 7 and ITG Letter at 13-14. See also Joint SROs Letter at 8 (stating that material systems changes should be reported in a periodic, post-hoc basis, as was required under ARP). \1015\ See MFA Letter at 7. \1016\ See Direct Edge Letter at 8. \1017\ See CME Letter at 11. \1018\ See NYSE Letter at 27. \1019\ See SIFMA Letter at 15. --------------------------------------------------------------------------- Some commenters suggested that the Commission provide more flexibility and allow SCI entities more time to report material systems changes.\1020\ One commenter supported giving SCI entities discretion to determine the appropriate timing and format for reporting changes to the Commission, and stated that the current practice under ARP to submit quarterly reports that cover changes for the previous and upcoming quarters has proven effective in keeping the Commission staff apprised of planned and completed systems changes.\1021\ --------------------------------------------------------------------------- \1020\ See NYSE Letter at 27; FINRA Letter at 27; and MSRB Letter at 22. See also CME Letter at 11 (stating ``instead of setting firm time limits under which an entity is required to submit notifications of material systems changes under Rule 1000(b)(6), the Commission should instead simply require `timely advance notice of all material planned changes to SCI systems that may impact the reliability, security, or adequate scalable capacity of such systems'''). \1021\ See FINRA Letter at 27. --------------------------------------------------------------------------- One commenter suggested that SCI entities be required to keep records of all systems changes and technical issues, and make that information available to the Commission upon request.\1022\ If the Commission decides to retain the notification requirement, this commenter recommended that it be satisfied through periodic (ideally, quarterly) reporting of material systems changes.\1023\ One commenter believed the Commission should allow all 30-day advance notifications regarding pending material systems changes to be communicated orally, and only submitted in writing after development and testing is completed and the feature is finalized.\1024\ --------------------------------------------------------------------------- \1022\ See OTC Markets Letter at 20. \1023\ See id. This commenter also noted that this would allow for the elimination of proposed Rule 1000(b)(6)(ii), which required notices for material inaccuracies in prior notifications. See OTC Markets Letter at 20-22. According to this commenter, quarterly updates would disclose material deviations from plans described in a previous report, whether stemming from inaccuracies in prior reports or new information that prompts beneficial deviations from a systems implementation plan. See id. \1024\ See Omgeo Letter at 22. --------------------------------------------------------------------------- The Commission believes that the adopted quarterly reporting requirement is responsive to commenters who requested additional flexibility or time for material systems change notifications, as well as to commenters who suggested that such notices be submitted on a periodic or quarterly basis.\1025\ The Commission does not agree with the commenters who suggested that the Commission completely eliminate the advance notification requirements. The Commission believes that advance notifications of planned material systems changes will help ensure that the Commission has up-to-date information regarding important future systems changes at an SCI entity, to aid in its understanding of the operations and functionality of the systems post- change.\1026\ As adopted, Rule 1003(a)(1) requires an SCI entity to provide the Commission with advance notification of planned material systems changes in the current and subsequent quarters through the quarterly reports. As noted above, after considering the views of commenters, the Commission is not adopting the proposed 30-day advance notification requirement for each material systems change. --------------------------------------------------------------------------- \1025\ Because the Commission is only adopting a quarterly reporting requirement for material systems changes, the adopted approach is responsive to a commenter's suggestion that notifications of changes to lower criticality systems could be provided at the time of the change or periodically. See supra note 1019 and accompanying text. \1026\ The Commission acknowledges that there may occasionally be unexpected material systems changes that are not reported to the Commission in advance, but expects that material systems changes generally will be planned well in advance and reported in the quarterly report accordingly. --------------------------------------------------------------------------- The Commission is also not adopting commenters' suggestion that material systems changes be reported semi-annually or annually.\1027\ As noted in the SCI Proposal, proposed Rule 1000(b)(8)(ii) required semi-annual reports because the proposal would have separately required information relating to each planned material systems change to be submitted at least 30 calendar days before its implementation.\1028\ Thus, in the SCI Proposal, the Commission stated its preliminary view that requiring ongoing summary reports more frequently would not be necessary.\1029\ At the same time, the Commission expressed the concern that a longer period of time would permit significant updates and milestones relating to systems changes to occur without notice to the Commission.\1030\ Because the Commission is not adopting the 30-day advance notification requirement, the Commission believes that it is appropriate to require more frequent reports of material systems changes than on a semi-annual basis. Further, as noted above, some commenters suggested quarterly reports, which is consistent with the practice of some entities under the ARP Inspection Program.\1031\ --------------------------------------------------------------------------- \1027\ See supra notes 1015-1017 and accompanying text. \1028\ See Proposing Release, supra note 13, at 18124. \1029\ See id. \1030\ See id. \1031\ See supra notes 1021, 1023 and accompanying text. --------------------------------------------------------------------------- The Commission does not agree with the commenter who suggested that Regulation SCI should only require SCI entities to keep records of all systems changes and make that information available to the Commission upon request.\1032\ Similarly, the Commission does not agree with commenters who suggested that SCI entities be given discretion to determine the timing of the reports.\1033\ The Commission believes that quarterly reporting of material systems changes will help ensure that the Commission has, on an ongoing basis, a comprehensive view and up- to-date information regarding material systems changes at an SCI entity. --------------------------------------------------------------------------- \1032\ See supra note 1022 and accompanying text. As discussed above, this commenter also stated that, if the Commission decides to retain the notification requirement for material systems changes, the Commission should require periodic (ideally, quarterly) reporting. See supra note 1023 and accompanying text. Adopted Rule 1003(a)(1) is consistent with this commenter's alternative suggestion. \1033\ See supra note 1021 and accompanying text. See also supra note 1020. --------------------------------------------------------------------------- With respect to the commenter who suggested that all 30-day advance material systems change notifications should be provided orally, and submitted in writing only after the changes are fully tested and implemented,\1034\ the Commission notes that it is not adopting the proposed 30-day advance notification requirement for material systems changes. --------------------------------------------------------------------------- \1034\ See supra note 1024 and accompanying text. --------------------------------------------------------------------------- With respect to the commenter who suggested giving SCI entities discretion to determine the format for reporting changes to the Commission,\1035\ the Commission notes that Rule 1003(a) does not prescribe a specific style that the quarterly reports should take. The Commission intends for the quarterly report to allow the Commission and its staff to gain a sufficient level of understanding of the material systems changes that have been implemented, are on-going, and are planned for the future, which would aid the Commission and its staff in understanding the operations and functionality of the systems of an SCI entity and any changes to such systems. In particular, the Commission notes that Rule 1003(a)(1) only specifically requires the quarterly reports to ``describe'' the material systems changes and the dates or expected dates of their commencement and completion. Therefore, Rule 1003(a)(1) gives each [[Page 72340]] SCI entity reasonable flexibility in determining precisely how to describe its material systems changes in the report in a manner that best suits the needs of that SCI entity as well as the needs of the Commission and its staff.\1036\ In addition, to the extent the Commission seeks additional information about a given change noted in a quarterly report, an SCI entity would be required to provide Commission staff with such information in accordance with Rule 1005 (Recordkeeping Requirements Related to Compliance with Regulation SCI).\1037\ --------------------------------------------------------------------------- \1035\ See supra note 1021 and accompanying text. \1036\ See also Omgeo Letter at 43 (requesting that the Commission specify in the final rule the required content for a planned material systems change notification). \1037\ See infra Section IV.C. --------------------------------------------------------------------------- The Commission also notes that the quarterly reports are required to include descriptions of material systems changes during the prior calendar quarter that were completed, ongoing, or planned. Therefore, if a report for the first quarter of a given year discusses the SCI entity's plan to implement a particular series of material changes to an SCI system, Rule 1003(a)(1) requires that, in the report for the second quarter of that year, the SCI entity describe the material systems changes that were completed, ongoing, and planned in the first quarter, including the planned changes discussed in the prior quarter's report, as applicable. Several commenters expressed concern that the proposed 30-day advance notification requirement would potentially give the Commission new authority to ``reject'' a Form SCI filing describing material systems changes, similar to the way the Commission may reject an improperly filed proposed rule change pursuant to Rule 19b-4 under the Exchange Act.\1038\ Three commenters requested that the Commission clarify how proposed Rule 1000(b)(6) would relate to Rule 19b-4, suggesting that there may be unnecessary redundancy between the two processes.\1039\ Another commenter suggested limiting the types of changes that would require 30-day advance notification to those changes that are already required to be filed with the Commission as proposed rule changes for immediate effectiveness under Section 19(b)(3)(A) of the Exchange Act (excluding those filings that would not become operative for 30 days after the date of the filing because those filings would already provide the Commission with 30 days' advance notification of the material systems changes).\1040\ This commenter also noted that where a material systems change would be filed for approval under Section 19(b)(2) of the Exchange Act, the Section 19(b)(2) approval process provides the Commission sufficient notification of the systems change.\1041\ One commenter stated that proposed Rule 1000(b)(6) was improperly premised on the notion that the Commission should be responsible for a minutely-detailed understanding of the IT infrastructure of SCI entities and for assessing prospective changes in advance of their implementation.\1042\ --------------------------------------------------------------------------- \1038\ See Omgeo Letter at 23; and SIFMA Letter at 16. See Section 19(b) of the Exchange Act, 15 U.S.C. 78s(b). \1039\ See KCG Letter at 19; Joint SROs Letter at 8; and FIF Letter at 5. \1040\ See MSRB Letter at 22. \1041\ See MSRB Letter at 22. This commenter also suggested that material systems changes (other than those filed pursuant to Rule 19b-4 under the Exchange Act) be reported semi-annually, or that de minimis changes be excepted from the notice requirement altogether if the Commission continues to require 30-day advance notification. See MSRB Letter at 22-23. As discussed above, the Commission is adopting a quarterly reporting requirement for systems changes that an SCI entity determines to be material. \1042\ See Direct Edge Letter at 1, 8. See also ITG Letter at 13-14 (stating that the Exchange Act does not enable the Commission to ``bootstrap its SRO rule review authority or its national market system authority to force regulated entities to submit upcoming material systems changes for agency approval'' and that ``the Commission need only receive notifications when they are a significant part of proposed rule changes by SROs or amendments to Form ATS of material changes to the operation of the ATS''). --------------------------------------------------------------------------- The Commission disagrees with commenters who believed that material systems change reports are redundant given the rule filing requirements of Rule 19b-4 under the Exchange Act, or that material systems change reports should not be required if the SCI entity submitted certain types of rule filings regarding the same change.\1043\ The Commission acknowledges that some systems changes require proposed rule changes under Rule 19b-4, and some Rule 19b-4 proposed rule changes result in systems changes. However, based on Commission staff's experience with the ARP Inspection Program and the rule filing process, the Commission believes that the type of information regarding systems changes included in rule filings is different from the type of information that will be included in reports on material systems changes. In particular, the technical details or specifications of SCI systems and indirect SCI systems are generally not specifically set forth in the rules of an SCI SRO. Therefore, technical information regarding systems changes is usually not set forth in rule filings. In addition, the Commission notes that the rule filing process and the material systems change reports serve different purposes. In particular, the material systems change reports are intended to inform the Commission and its staff of important technical changes to an SCI entity's systems. On the other hand, the rule filing process provides notice of changes to an SCI entity's rules, including, for example, the statutory basis for such changes, and in some cases seeks approval by the Commission of the rule changes. Therefore, if an SCI SRO submits a rule filing regarding a particular systems change and the change is also included in a material systems change report, the information included in the rule filing may not necessarily further the goal of the material systems change reporting requirement, and the information included in the material systems change report may not necessarily assist in the Commission's review of the rule filing. Moreover, commenters' concern regarding the redundancy between the rule filing process and the material systems change reports stemmed from concerns regarding the 30-day advance notification requirement. As discussed above, the Commission is not adopting a 30-day advance notification requirement. --------------------------------------------------------------------------- \1043\ See supra notes 1039-1041 and accompanying text. The Commission notes that the requirement under Regulation SCI to submit reports of material systems changes does not alter an SRO's obligation to file proposed rule changes, the obligation of participants of an SCI Plan to file a proposed amendment to such SCI Plan, or any other obligation any SCI entity may have under the Exchange Act or rules thereunder. --------------------------------------------------------------------------- The Commission also reiterates that the material systems change reports are intended to inform the Commission and its staff of such changes and help the Commission in its oversight of U.S. securities market infrastructure. Regulation SCI does not provide for a new approval process for SCI entities' material systems changes. As such, Commission staff will not use material systems change reports to require any approval of prospective systems changes in advance of their implementation pursuant to any provision of Regulation SCI,\1044\ or to delay implementation of material systems changes pursuant to any provision of Regulation SCI.\1045\ --------------------------------------------------------------------------- \1044\ See supra note 1042 and accompanying text. \1045\ See supra note 1038 and accompanying text. --------------------------------------------------------------------------- Three commenters questioned the Commission's legal authority to adopt the proposed material systems change notification requirements, including, in particular, those set forth in proposed Rule 1000(b)(6).\1046\ For the reasons [[Page 72341]] discussed above in Section IV.B.3.c, the Commission disagrees with these comments and believes that adopted Rule 1003(a) will assist the Commission in its oversight of U.S. securities market infrastructure consistent with its legal authority under the Exchange Act. --------------------------------------------------------------------------- \1046\ See NYSE Letter at 4 (stating the belief that ``[a]uthority to facilitate a national market or assure economically efficient execution of securities transaction is remote from close, minute regulation of computer systems and computer security''); ITG Letter at 13 (stating the belief that the proposed notification requirement for material systems changes ``would extend the SEC's reach far beyond that of a securities regulator and instead enable it to regulate the IT process of marketplace participants'' and that the Exchange Act does not enable the Commission to ``bootstrap its SRO rule review authority or its national market system authority to force regulated entities to submit upcoming material systems changes for agency approval''); and KCG Letter at 19 (stating the belief that ``[t]he Commission does not have authority to stop implementation of systems changes by ATSs or systems changes that exchanges are not required to submit under Section 19(b) of the Exchange Act''). --------------------------------------------------------------------------- In light of the 30-day advance notification requirement in proposed Rule 1000(b)(6), some commenters suggested eliminating the semi-annual reporting requirement in proposed Rule 1000(b)(8)(ii) because they considered it duplicative and unnecessary.\1047\ One commenter believed that the required semi-annual reporting requirement was excessive and should instead be incorporated into the annual reporting obligations in proposed Rule 1000(b)(8)(i).\1048\ As discussed above, the Commission is adopting a quarterly reporting requirement under Rule 1003(a)(1) and is not adopting the proposed 30-day advance notification requirement. Therefore, the Commission is not adopting the requirement in proposed Rule 1000(b)(8)(ii) for semi-annual progress reports. --------------------------------------------------------------------------- \1047\ See Omgeo Letter at 24-25; and OCC Letter at 16. \1048\ See CME Letter at 11. --------------------------------------------------------------------------- ii. Definition of Material Systems Change Commenters generally opposed the proposed definition of material systems change. Many commenters stated their belief that the term was too broad and would therefore necessitate an excessive number of notifications of material systems changes.\1049\ Some commenters believed that the definition should be revised and offered a variety of suggestions.\1050\ Several commenters advocated for creating a risk- based definition whereby, for example, notifications are only required for those material systems changes that pose a risk to critical operations of an entity.\1051\ One commenter suggested that the requirement focus on SCI systems only.\1052\ One commenter stated that SCI entities should be afforded flexibility to establish reasonable standards for defining material systems changes for their systems.\1053\ --------------------------------------------------------------------------- \1049\ See, e.g., BATS Letter at 14; MFA Letter at 6; ICI Letter at 4; BIDS Letter at 14; Liquidnet Letter at 3; FINRA Letter at 24- 26; MSRB Letter at 22; NYSE Letter at 26-27; Joint SROs Letter at 7; CME Letter at 5; Oppenheimer Letter at 3; OTC Markets Letter at 20- 21; and Direct Edge Letter at 3. \1050\ See, e.g., BATS Letter at 14-15 (recommending that only those material systems changes that are reported to an SCI entity's board of directors or similar body should be required to be reported to the Commission, which BATS stated is the standard it uses currently for the ARP Inspection Program); OCC Letter at 15 (stating that the reporting of systems changes to the board of directors, or to a similar governing body, is a more appropriate standard for determining materiality than reporting to ``senior management''); BIDS Letter at 14-15 (stating its belief that the Commission should define a ``material systems change'' to be a large-scale architectural upgrade, the implementation of industry-wide rules or other market structure changes, or other technology changes that may be required because of changes in trading rules defined in the exchange's or the ATS's trading rule book); and FIF Letter at 5 (recommending that the term be defined to include significant functional enhancements, major technology infrastructure changes, or changes requiring member/participant notifications). \1051\ See, e.g., OCC Letter at 15; DTCC Letter at 16; Liquidnet Letter at 3; MFA Letter at 6; ICI Letter at 4; CME Letter at 5; and Direct Edge at 4. \1052\ See NYSE Letter at 27. \1053\ See FINRA Letter at 27. --------------------------------------------------------------------------- Several commenters sought guidance from the Commission on the materiality threshold, which commenters believed was unclear, explaining, for example, that the term ``material'' appears both in the term ``material systems change'' and in the definition of that term.\1054\ Similarly, several commenters requested that the Commission provide more guidance on the meaning of ``material'' in the context of systems changes because, although the wording of the proposed definition contained the concept of ``materiality,'' the commenters believed some of the examples provided in the SCI Proposal to be non- material.\1055\ One commenter asked that the Commission clearly define what types of systems changes are not subject to the prior notification requirement in order to avoid receiving notices of all systems changes, material or otherwise.\1056\ One commenter asked that the Commission clarify the meaning of ``material'' and confirm that prior notification would not be required for changes that do not pertain to the production environment.\1057\ --------------------------------------------------------------------------- \1054\ See Direct Edge Letter at 3-4; OCC Letter at 15; and NYSE Letter at 26. \1055\ See, e.g., Joint SROs Letter at 7; DTCC Letter at 15-16; Omgeo Letter at 23; OCC Letter at 15; FINRA Letter at 27; OTC Markets Letter at 20-21; BIDS Letter at 14; Direct Edge Letter at 3- 4; and ISE Letter at 8. See also supra note 1050. \1056\ See KCG Letter at 20. \1057\ See SIFMA Letter at 15-16. --------------------------------------------------------------------------- Rather than adopting a detailed definition of material systems change as proposed, Rule 1003(a)(1) requires an SCI entity to establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material and to report to the Commission those changes the SCI entity identified as material in accordance with such criteria. This change is responsive to a commenter's suggestion that SCI entities should be granted flexibility to establish reasonable standards for determining whether a systems change is material. In addition, the Commission does not believe that it is appropriate to adopt a precise definition for the term ``material systems change'' because SCI entities differ in nature, size, technology, business model, and other aspects of their businesses. The Commission notes that there currently is no industry definition of ``material systems change'' that is applicable to all SCI entities that can serve as the basis for a precise definition of the term ``material systems change'' in Regulation SCI, and believes that whether a systems change is material is dependent on the facts and circumstances, such as the reason for the change and how it may impact operations. Moreover, requiring SCI entities to establish their own reasonable criteria for identifying material systems changes reflects the Commission's view that an SCI entity is in the best position to determine, in the first instance, whether a change, or series of changes, is material in the context of its systems. Because adopted Rule 1003(a)(1) allows each SCI entity to identify material systems changes, it is responsive to commenters' concern that the proposed definition was too broad and would result in an excessive number of notifications, and to commenters' suggestion that the definition should be revised. Further, the Commission's determination to not adopt the proposed definition of material systems change mitigates commenters' concern that the proposed definition was unclear. In particular, by eliminating the proposed definition of material systems change, the Commission seeks to eliminate the confusion caused by the proposed definition of this term, which contained the word ``material.'' Moreover, some commenters requested additional clarity on the definition of material systems change because they believed that some of the examples the Commission provided in the SCI Proposal were not material systems changes. Because adopted Rule 1003(a)(1) requires SCI entities to establish reasonable written criteria for identifying material systems changes, SCI entities will not be required to identify material systems changes in accordance with the detailed definition and examples from the SCI [[Page 72342]] Proposal. Rather, an SCI entity will have reasonable discretion in establishing the written criteria in order to capture the systems changes that it believes are material. Specifically, the Commission believes that adopted Rule 1003(a) is sufficiently flexible to allow each SCI entity to identify changes that it believes are material, which may include some of the suggestions identified by the commenters if an SCI entity determines such changes to be appropriate to include in its criteria for identifying material systems changes. For example, if an SCI entity reasonably believes that its systems changes are material if they involve significant functional enhancements, major technology infrastructure changes, or changes requiring member/ participant notifications, and such criteria is set forth in the SCI entity's reasonable written criteria, the SCI entity may identify material systems changes in accordance with such written criteria. Likewise, if an SCI entity reasonably believes that some of the examples of material systems changes identified in the SCI Proposal can appropriately serve as criteria for identifying material systems changes, and such criteria is set forth in the SCI entity's reasonable written criteria, the SCI entity may identify material systems changes in accordance with such written criteria. In response to a commenter's suggestion that the Commission clearly define what types of systems changes are not subject to the prior notification requirement in order to avoid notification of all systems changes, material or otherwise, the Commission notes that Rule 1003(a)(1) specifically requires SCI entities to identify material systems changes and report only material systems changes. With respect to a commenter's question regarding whether prior notification would be required for changes that do not pertain to the production environment, the Commission notes that SCI systems do not include development and testing systems, although indirect SCI systems could include development and testing systems if they are not walled-off from SCI systems. Therefore, Rule 1003(a) could apply to material changes to the security of development and testing systems that are not walled-off from SCI systems. Finally, with respect to a commenter's suggestion that Rule 1003(a) focus only on SCI systems, the Commission believes that notifications of material systems changes regarding the security of indirect SCI systems is important to the Commission's oversight of U.S. securities market infrastructure. At the same time, the Commission notes that Rule 1003(a)(1) provides that each SCI entity establish its own reasonable criteria for identifying a change to the security of its indirect SCI systems as material. Therefore, to the extent that an SCI entity determines that certain changes to the security of its indirect SCI systems are not material in accordance with its reasonable written criteria, such changes are not required to be reported to the Commission. As with an SCI entity's other policies and procedures under Regulation SCI, Commission staff may review an SCI entity's established criteria relating to the materiality of a systems change (e.g., in the course of an examination) to determine whether it agrees with the SCI entity's assessment that such criteria is reasonable and in compliance with the requirements of Rule 1003(a). The Commission believes that, by providing SCI entities flexibility in establishing the criteria and reviewing SCI entities' established criteria, it strikes the proper balance between granting discretion to SCI entities and ensuring that SCI entities carry out their obligations under Regulation SCI. iii. Adopted Rule 1003(a)(2): Supplemental Material Systems Change Reports A commenter who advocated for a quarterly reporting requirement noted that quarterly updates would disclose material deviations from plans described in a previous report, including those stemming from inaccuracies in prior reports.\1058\ Another commenter similarly noted that periodic reporting of any inaccuracies is sufficient for oversight purposes.\1059\ The Commission believes that there may be circumstances in which an SCI entity realizes that information previously provided to the Commission in a quarterly report was materially inaccurate or that the quarterly report omitted material information. The Commission believes that it should, on an ongoing basis, have complete and correct information regarding material systems changes at an SCI entity, rather than waiting until the next quarterly report to receive corrected information, as suggested by these commenters. The Commission is therefore adopting Rule 1003(a)(2), which requires an SCI entity to promptly submit a supplemental report to notify the Commission of a material error in or material omission from a report previously submitted under Rule 1003(a)(1). The Commission notes that the supplemental report requirement applies only if the error or omission in a prior report is material. --------------------------------------------------------------------------- \1058\ See OTC Markets Letter at 22. \1059\ See NYSE Letter at 28. --------------------------------------------------------------------------- 5. SCI Review--Rule 1003(b) Proposed Rule 1000(b)(7) required an SCI entity to conduct an SCI review of the SCI entity's compliance with Regulation SCI not less than once each calendar year, and submit a report of the SCI review to senior management of the SCI entity no more than 30 calendar days after completion of such SCI review.\1060\ Further, proposed Rule 1000(b)(8)(i) required an SCI entity to submit to the Commission a report of the SCI review required by paragraph (b)(7), together with any response by senior management, within 60 calendar days after its submission to senior management of the SCI entity.\1061\ --------------------------------------------------------------------------- \1060\ See proposed Rule 1000(b)(7) and Proposing Release, supra note 13, at Section III.C.5. \1061\ See proposed Rule 1000(b)(8)(i) and Proposing Release, supra note 13, at Section III.C.6. --------------------------------------------------------------------------- Proposed Rule 1000(a) defined the term ``SCI review'' to mean a review, following established procedures and standards, that is performed by objective personnel having appropriate experience in conducting reviews of SCI systems and SCI security systems, and which review contains: (1) A risk assessment with respect to such systems of the SCI entity; and (2) an assessment of internal control design and effectiveness to include logical and physical security controls, development processes, and information technology governance, consistent with industry standards.\1062\ In addition, the proposed definition provided that such review must include penetration test reviews of the SCI entity's network, firewalls, and production systems at a frequency of not less than once every three years.\1063\ --------------------------------------------------------------------------- \1062\ See proposed Rule 1000(a) and Proposing Release, supra note 13, at Section III.C.5. \1063\ See id. --------------------------------------------------------------------------- The Commission is adopting the provisions relating to SCI reviews with modifications in response to comment. In addition, the Commission is adopting a definition of ``senior management'' in Rule 1000 for purposes of the SCI review requirement. Some commenters expressed support for the proposed requirements for SCI reviews,\1064\ with a few advocating that the SCI review be conducted by an independent third party, rather than ``objective personnel.'' \1065\ One commenter noted that it agreed that annual SCI reviews and reports can have a meaningful impact on improving [[Page 72343]] technology and business practices.\1066\ Another commenter expressed support for proposed Rule 1000(b)(7), but asked for clarification that any review of a processor under an NMS plan be performed independently of reviews of the same entity in other capacities (e.g., as an exchange or other SCI entity).\1067\ --------------------------------------------------------------------------- \1064\ See, e.g., MSRB Letter at 23; Lauer Letter at 5; Better Markets Letter at 5; and Direct Edge Letter at 9. \1065\ See Lauer Letter at 5; Better Markets Letter at 5; and BlackRock Letter at 4. \1066\ See FIF Letter at 6 (expressing support for the SCI review requirement while also providing suggestions for modifications to the rule). \1067\ See Direct Edge Letter at 9. --------------------------------------------------------------------------- With regard to the suggestion that the Commission adopt a requirement that SCI reviews be conducted by an independent third party rather than ``objective personnel'' as proposed,\1068\ the Commission continues to believe that it is appropriate to permit SCI reviews to be performed by personnel of the SCI entity or an external firm, provided that such personnel are, in fact, objective and, as required by rule, have the appropriate experience to conduct reviews of SCI systems and indirect SCI systems. Experienced personnel should have the knowledge and skills necessary to conduct such reviews. In the SCI Proposal, the Commission noted that to satisfy the criterion that an SCI review be conducted by ``objective personnel,'' it should be performed by persons who have not been involved in the development, testing, or implementation of such systems being reviewed.\1069\ The Commission continues to believe that persons who were not involved in the process for development, testing, and implementation of the systems being reviewed would generally be in a better position to identify weaknesses and deficiencies that were not identified in the development, testing, and implementation stages. The Commission believes that, given the requirement that such personnel be ``objective,'' any personnel with conflicts of interest that have not been adequately mitigated to allow for objectivity should be excluded from serving in this role. In particular, the Commission believes that a person or persons conducting an SCI review should not have a conflict of interest that interferes with their ability to exercise judgment, express opinions, and present recommendations with impartiality. While the Commission recognizes that, as one commenter asserted, all personnel of an SCI entity could be viewed as having some level of conflict of interest,\1070\ the Commission believes that SCI entities can have appropriate policies and procedures in place to mitigate such conflicts or to help ensure that certain departments and/or specified personnel (such as internal audit departments) are appropriately insulated from such conflicts so as to be able to objectively conduct SCI reviews.\1071\ --------------------------------------------------------------------------- \1068\ See supra note 1065 and accompanying text. \1069\ See Proposing Release, supra note 13, at 18123. \1070\ See Better Markets Letter at 5. \1071\ For example, the Commission believes that many entities implement a reporting structure pursuant to which internal audit employees or departments report directly to the board of directors or an audit committee of the board. The Commission notes that, while utilizing external personnel (i.e., third parties) to conduct an SCI entity's SCI review generally would not raise the same concerns regarding objectivity, the SCI entity would likewise need to mitigate any conflicts of interest that would prevent such personnel from meeting the objectivity standard required for an SCI review. For example, among the factors an SCI entity may consider in evaluating the objectivity of a third party review could be who within the SCI entity is managing the third party review, is setting the scope of review, is authorizing payment for such review, and has the authority to review and comment on the third party report, among others. Further, an SCI entity may consider the third party's ability to remain objective in light of any other services provided by the third party to the SCI entity. --------------------------------------------------------------------------- Accordingly, the Commission believes that the goals of Regulation SCI can be achieved through reviews by either internal objective personnel or external objective personnel. Taking into consideration the advantages and disadvantages associated with each approach, each SCI entity should make its own determination regarding the levels of review or assurance that can be provided by different personnel, the best means to ensure their objectivity, and whether it is appropriate to incur the additional costs of an independent third party review. An SCI entity may, for example, determine that it is appropriate to utilize personnel not employed by the SCI entity (i.e., third parties) to conduct such review each year or only on a less frequent, periodic basis (e.g., every three years), or only with regard to certain of its systems. In addition, with regard to one commenter's suggestion that an SCI review should be performed independently for each capacity in which an SCI entity acts, the Commission notes that the definition of SCI review and provisions of Rule 1003(b) require that an SCI entity perform a review, following established procedures and standards, for compliance with Regulation SCI that includes a risk assessment of the SCI entity's SCI systems and indirect SCI systems and an assessment of internal control design and effectiveness of such systems and does not require an SCI entity that serves in two different capacities with respect to Regulation SCI to conduct two independent SCI reviews. The Commission believes that, as a practical matter, an SCI entity may determine that, to comply with these requirements, it is necessary to conduct separate assessments and analysis for each capacity of the SCI entity, because the standards used, risk assessments, applicable policies and procedures, and assessment of internal control design and effectiveness are different with regard to the distinct and differing functions of the SCI entity in each capacity. For example, an entity that meets both the definition of an SCI SRO and a plan processor may determine that it is necessary to conduct separate reviews for each function performed, because, for instance, the findings of a risk assessment determine that certain SCI systems fall into the category of ``critical SCI systems'' with regard to the functions of the plan processor, but not with regard to the functions of the SRO. At the same time, the Commission notes that, even where separate reviews are conducted, there may be certain overlap in conducting such reviews (for example, the entity may use the same objective reviewer for each function performed), such reviews may be conducted at the same time, and a single SCI review report may contain findings for each capacity. While other commenters also supported some form of review, many of these commenters stated that the term SCI review is defined too broadly and/or that the SCI review requirements should allow more flexibility.\1072\ Some commenters expressed concerns about the need to review all systems on an annual basis, which they argued could be costly, burdensome, and unnecessary.\1073\ Several commenters suggested the adoption of a risk-based approach for determining the scope of the review, which would entail conducting a risk assessment to determine which systems should be reviewed and how often.\1074\ Under such an approach, the highest risk systems would be reviewed more frequently than other, less critical systems, which could be reviewed less frequently than annually or on a rotational basis. Similarly, one [[Page 72344]] commenter recommended that SCI reviews should be focused only on those core systems capable of having a material impact on members or participants, and ``adjacent'' systems should not be subject to the review process.\1075\ --------------------------------------------------------------------------- \1072\ See, e.g., FINRA Letter at 39-41; Omgeo Letter at 23-24; OCC Letter at 19; NYSE Letter at 35; SIFMA Letter at 17; DTCC Letter at 16-17. \1073\ See, e.g., FINRA Letter at 39-41; Omgeo Letter at 23-24; OCC Letter at 19; NYSE Letter at 35; DTCC Letter at 16-17; and BIDS Letter at 11. \1074\ See, e.g., FINRA Letter at 39-41; OCC Letter at 19; NYSE Letter at 35; SIFMA Letter at 17; DTCC Letter at 16-17; LiquidPoint Letter at 3; and Omgeo Letter at 24. One commenter noted that the proposed SCI review requirement essentially eliminated the ability to utilize its current risk assessment approach to determine the frequency of review for each system (ranging from annually to once every four years). See FINRA Letter at 40. \1075\ See FIF Letter at 6. --------------------------------------------------------------------------- After considering the views of commenters, the Commission has determined to adopt the provisions relating to SCI reviews with modifications in response to comment.\1076\ Thus, adopted Rule 1003(b) requires an SCI entity to conduct an SCI review of the SCI entity's compliance with Regulation SCI not less than once each calendar year.\1077\ However, the Commission notes that, because it has revised the scope of the definition of ``SCI systems'' as described above, fewer systems of each SCI entity will be subject to the SCI review, thereby focusing the overall scope of the SCI review requirement.\1078\ Further, to address some commenters' concerns about the burdens and inflexibility of the proposed rule and the recommendation that the proposed rule utilize a more risk-based approach, the adopted rule is being revised to allow assessments of SCI systems directly supporting market regulation or market surveillance to be conducted, based upon a risk-assessment, at least once every three years, rather than annually.\1079\ SCI entities would be required to determine the specific frequency with which to conduct assessments of these systems depending on the risk assessment that they conduct as part of the annual SCI review, provided that these systems are assessed at least once every three years. The Commission believes that market regulation and market surveillance systems have the potential to pose less risk to an entity or the market than other SCI systems. While the Commission believes that these systems are essential to investor protection and market integrity and that they can pose a significant risk to the markets in the event of a systems issue, the Commission also believes that certain market regulation and market surveillance systems may not have as immediate or widespread of an impact on the maintenance of fair and orderly markets or an entity's operational capability as the other categories of systems included within the definition of SCI systems. While a systems issue affecting a trading system could result in the immediate inability of a market, and thus market participants, to continue trading on such system and potentially impact trading on other markets as well, the Commission believes that the temporary disruption or failure of a SCI entity's market regulation and/or market surveillance systems in the wake of a wide-scale disruption would likely not have as direct an impact on market participants' ability to continue to trade. Thus, after considering commenters' views regarding the costs and burdens of the proposed SCI review requirements, as well as the suggestion that the Commission incorporate more of a risk-based approach in Regulation SCI, the Commission believes that a longer frequency of review of these systems may be appropriate in cases where the risk assessment conducted as part of the SCI review results in such a determination. The Commission also notes that, as originally proposed the rule would have required penetration test reviews of the SCI entity's network, firewalls and development, testing, and production systems at a frequency of not less than once every three years in recognition of the potentially significant costs that may be associated with the performance of such tests.\1080\ However, consistent with modifications to the definition of SCI systems, references to development and test systems have been deleted in adopted Rule 1003(b)(1)(i).\1081\ The Commission notes that SCI entities may, however, determine that based on its risk assessment, it is appropriate and/or necessary to conduct such penetration test reviews more frequently than once every three years. --------------------------------------------------------------------------- \1076\ See adopted Rule 1003(b). However, the Commission is moving the clause regarding penetration test reviews from the definition of SCI review into Rule 1003(b), which addresses the timing of reviews. Further, the adopted definition of SCI review will require that the objective reviewer have ``appropriate experience to conduct reviews'' rather than ``appropriate experience in conducting reviews'' as proposed. The Commission believes this revision is appropriate given that, prior to the adoption of Regulation SCI today, no individual or entity would have experience in conducting the specific SCI reviews required by Rule 1003(b). Rather, the Commission believes that there are individuals or entities that have experience in conducting reviews, audits, and/or testing similar to the functions that would be necessary to address certain aspects of the SCI review requirement, and thus, the objective reviewer should have this type of appropriate experience that would allow them to conduct SCI reviews in accordance with the requirements of Regulation SCI. Thus, as adopted, the term ``SCI review'' means ``a review, following established procedures and standards, that is performed by objective personnel having appropriate experience to conduct reviews of SCI systems and indirect SCI systems, and which review contains: (1) A risk assessment with respect to such systems of an SCI entity; and (2) An assessment of internal control design and effectiveness of its SCI systems and indirect SCI systems to include logical and physical security controls, development processes, and information technology governance, consistent with industry standards.'' See Rule 1000. Further, the Commission is moving the requirement relating to reports to the Commission on SCI reviews from proposed Rule 1000(b)(8) into Rule 1003(b) so that all provisions regarding SCI reviews are in the same rule. \1077\ See adopted Rule 1003(b)(1). \1078\ The Commission also notes that it has clarified that the definition of ``indirect SCI systems'' includes only those systems that have not been effectively logically or physically separated from SCI systems. Thus, the scope of the SCI review is also more focused than what some commenters may have believed. It is also further focused by the elimination of references to development and test systems from the penetration test requirement in adopted in Rule 1003(b)(1)(i). \1079\ See adopted Rule 1003(b)(1)(ii). \1080\ As noted by some commenters, penetration tests are highly technical and would require special expertise, and thus the Commission believes such testing could potentially require substantial costs. See, e.g., DTCC Letter at 17; and Omgeo Letter at 44. See also infra Sections V.D.2.d and VI.C.2.b.vi (discussing estimated costs associated with the SCI review requirement, which takes into consideration the costs of penetration testing) and Proposing Release, supra note 13, at 18123 (stating that the Commission seeks to balance the frequency of such tests with the costs associated with performing the tests). As noted in the SCI Proposal, the Commission believes that the penetration test reviews should help an SCI entity evaluate the system's security and resiliency in the face of attempted and successful intrusions. See id. \1081\ See supra Section IV.A.2.b (discussing elimination of development and test systems from the definition of SCI systems). --------------------------------------------------------------------------- The Commission is not, however, adopting a broader risk-based approach to determine the required frequency of an SCI review (i.e., for SCI systems other than market regulation and market surveillance systems), as suggested by some commenters.\1082\ The Commission believes that a critical element to ensuring the capacity, integrity, resiliency, and availability of SCI systems and indirect SCI systems is conducting an annual objective review to assess the risks of an SCI entity's systems and the effectiveness of its internal information technology controls and procedures. Such reviews will not only assist the Commission in improving its oversight of the technology infrastructure of SCI entities, but also each SCI entity in assessing the effectiveness of its information technology practices, helping to ensure compliance with the safeguards provided by the requirements of Regulation SCI, identifying potential areas of weakness that require additional or modified controls, and determining where to best devote resources. Further, the Commission believes that the competitive environment of today's securities markets drives SCI entities to continually update, modify, and introduce new technology and systems, often in an effort to meet specific business needs and achieve ``quick- to-market'' results, potentially without [[Page 72345]] adequate focus on ensuring the continuous integrity of its systems. In addition, given today's fast-paced nature of technological advancement, existing controls can quickly become obsolete or ineffective and the relative criticality or risk nature of a system can change over time as well.\1083\ Further, as one commenter noted, it is not uncommon for entities to experience repeated unsuccessful attempts to gain access to their systems,\1084\ which the Commission believes can expose certain vulnerabilities not identified previously and, if successful, also create new vulnerabilities and risk. For these reasons, the Commission believes that it is appropriate to require an SCI entity to conduct an SCI review of its applicable systems not less than once every 12 months.\1085\ --------------------------------------------------------------------------- \1082\ See supra note 1074 and accompanying text. \1083\ In addition, the Commission believes changes in personnel with access to SCI systems throughout the year can create additional risk that should be considered in evaluating the risks of any particular system. \1084\ See SIFMA Letter at 11. \1085\ The Commission notes that, while the rule requires that an SCI review be conducted ``not less than once each calendar year,'' an SCI entity may determine that it is appropriate to conduct an assessment of an SCI system more frequently, particularly for critical SCI systems. See adopted Rule 1003(b)(1). --------------------------------------------------------------------------- Further, the Commission notes that, as described in detail above, Regulation SCI is consistent with a risk-based approach in several areas, and thus, a risk assessment is appropriate in order to determine the standards and requirements applicable to a given SCI system. As such, the Commission believes that it is appropriate to require SCI entities to conduct a risk-based assessment with regard to its SCI systems and indirect SCI systems as part of its SCI review at least annually to help ensure that SCI entities are meeting the requirements of Regulation SCI.\1086\ --------------------------------------------------------------------------- \1086\ See adopted Rule 1003(b) and Rule 1000 (definition of ``SCI review''). --------------------------------------------------------------------------- For the reasons noted above, the Commission believes it is appropriate to require that SCI reviews be conducted at least annually, rather than utilizing a risk-based approach to determine the frequency of the required SCI review.\1087\ At the same time, the Commission notes that this provision is consistent with a risk-based approach in that SCI entities may design the scope and rigor of the SCI review for a particular system based on its risk assessment of such system, provided that the review meets the requirements of the rule, such as including an assessment of internal control design and effectiveness to include logical and physical security controls, development processes, and information technology governance, consistent with industry standards \1088\ and performing penetration test reviews at least once every three years.\1089\ --------------------------------------------------------------------------- \1087\ However, as discussed above, an SCI entity may conduct an SCI review of its market regulation and market surveillance systems based upon its risk assessment of such systems, but not less than once every three years. See adopted Rule 1003(b)(1)(ii). \1088\ See adopted Rule 1000 (definition of ``SCI review''). \1089\ See adopted Rule 1003(b)(1)(i). --------------------------------------------------------------------------- Some commenters sought clarification on various aspects of the SCI review requirement. One commenter stated that the term SCI review, as proposed, expanded significantly on what is required under ARP and asked for greater specificity as to the objectives and intended scope of the SCI review.\1090\ This commenter suggested, as an alternative, that the Commission establish an ``agreed upon procedures'' approach, which would involve outlining specific SCI review objectives and procedures that would be performed by an objective reviewer.\1091\ One commenter also requested that the Commission clarify whether there is a distinction between the existing ARP report and the SCI review and whether the ARP practice of on-site inspections would be eliminated.\1092\ --------------------------------------------------------------------------- \1090\ See FINRA Letter at 39-40. \1091\ See id. at 40. \1092\ See OCC Letter at 19. --------------------------------------------------------------------------- With regard to the comment seeking clarity on the scope of the review as compared to what is done under the current ARP Inspection Program,\1093\ as noted in the SCI Proposal, the requirement for an annual SCI review was intended to formalize a practice in place under the current ARP Inspection Program in which SROs conduct annual systems reviews following established audit procedures and standards that result in the presentation of a report to senior SRO management on the recommendations and conclusions of the review.\1094\ Specifically, the ARP Policy Statements called for each SRO to have its automated systems reviewed annually by an ``independent reviewer'' \1095\ and stated that independent reviews and analysis should: ``(1) Cover significant elements of the operations of the automation process, including the capacity planning and testing process, contingency planning, systems development methodology and vulnerability assessment; (2) be performed on a cyclical basis by competent and independent audit personnel following established audit procedures and standards; and (3) result in the presentation of a report to senior SRO management on the recommendations and conclusions of the independent reviewer, which report should be made available to Commission staff for its review and comment.'' \1096\ Similar to (1) above, the definition of SCI review requires the review to contain an assessment of internal control design and effectiveness of its SCI systems and indirect SCI systems to include logical and physical security controls, development processes, and information technology governance, consistent with industry standards. Consistent with element (2), an SCI review must be performed by objective personnel having appropriate experience to conduct reviews of SCI systems and indirect SCI systems and must be performed following established procedures and standards. Finally, like item (3), Rule 1003(b)(2)-(3) requires SCI entities to submit a report of the SCI review to senior management after completion of the review, and following submission to senior management, to submit a report of the SCI review to the Commission, along with any response by senior management. Senior management, after reviewing the report, should note, in addition to any other response that may be made, any material inaccuracy or omission that, to their knowledge, is in the report. In this regard, the Commission recognizes that senior managers, by virtue of their positions and experience, may have differing levels of knowledge regarding their entity's SCI systems and indirect SCI systems and compliance with Regulation SCI. --------------------------------------------------------------------------- \1093\ See supra note 1092 and accompanying text. See also supra note 1090 and accompanying text. \1094\ See Proposing Release, supra note 13, at 18123. \1095\ See ARP I, supra note 1, at 48706-07. ARP I provided that an ``independent reviewer'' could be either an internal auditor group or an external audit firm so long as the independent reviewer had the competence, knowledge, consistency, and independence sufficient to perform the role. \1096\ See ARP II, supra note 1, at 22491. In ARP II, the Commission also explained that, in its view, ``a critical element to the success of the capacity planning and testing, security assessment and contingency planning processes for [automated] systems is obtaining an objective review of those planning processes by persons independent of the planning process to ensure that adequate controls and procedures have been developed and implemented.'' Id. --------------------------------------------------------------------------- While the SCI review requirement in Rule 1003 is based on the ARP review and report, a greater number of automated systems meeting the definition of SCI system or indirect SCI system would be subject to the SCI review requirements because the scope of Regulation SCI expands upon the current ARP Inspection Program. The Commission notes that the SCI review is not a substitute for inspections and [[Page 72346]] examinations conducted by Commission staff, and therefore SCI entities should expect that technology systems inspections and examinations will continue following the adoption of Regulation SCI. Along with notifications of material systems changes under adopted Rule 1003(a) and SCI event notifications pursuant to adopted Rule 1002(b), one purpose of SCI reviews will be to aid the Commission and its staff in understanding the operations and risks associated with the applicable systems of an SCI entity. In addition, as noted above, one commenter, in seeking further clarity on the scope of the SCI review requirement, suggested that the Commission take an ``agreed upon approach'' which would outline more specific review objectives and procedures that would be performed by the objective reviewer. The Commission believes that an SCI entity should have the ability to design the specific parameters of an SCI review within the confines of the general framework of the rule, including identifying its own review objectives and procedures, given the SCI entity's in-depth knowledge of, and familiarity with, its own systems and their attendant risks. As such, the adopted rule is designed to provide a general framework for the scope of the SCI review by specifying that the review must include a risk assessment of SCI systems and indirect SCI systems and an assessment of the internal control design and effectiveness of its systems in certain areas.\1097\ At the same time, the rule provides flexibility by permitting the review to be conducted ``following established procedures and standards,'' which would be identified and established by the SCI entity itself.\1098\ --------------------------------------------------------------------------- \1097\ See adopted Rule 1000 (defining ``SCI review''). \1098\ See id. --------------------------------------------------------------------------- Some commenters expressed views on the provisions requiring SCI entities to submit reports of the SCI review to senior management of the SCI entity and to the Commission. Specifically, two commenters supported the proposed requirement that reports of the SCI review be submitted to senior management of the SCI entity no later than 30 days after completion of the SCI review.\1099\ One commenter urged that senior management of an SCI entity certify the report before it is submitted to the Commission in order to promote accountability at the highest ranks of the SCI entity.\1100\ Another commenter believed that 45 days for submission of such reports to senior management would be more appropriate as a target timeframe given the complexity of the issues addressed in an SCI review, and that should this target fail to be met, the Board of Directors Audit Committee (or similar governing body) should be informed of the reason therefor.\1101\ Two commenters recommended that the distribution cycle within proposed Rule 1000(b)(8)(i) be modified so that individual, focused audit reports resulting from rotational reviews could be bundled and distributed to the Commission on a regular basis (semi-annually or quarterly).\1102\ --------------------------------------------------------------------------- \1099\ See MSRB Letter at 23; and FIF Letter at 6. \1100\ See Better Markets Letter at 6. \1101\ See DTCC Letter at 17. \1102\ See OCC Letter at 19; and DTCC Letter at 17. --------------------------------------------------------------------------- The Commission does not believe that it is necessary to require senior management certification of the report of the SCI review, as suggested by one commenter.\1103\ Adopted Rules 1003(b)(2)-(3) require that the SCI entity submit a report of the SCI review to senior management of the SCI entity no more than 30 calendar days after completion of such SCI review, and that the SCI entity submit a report of the SCI review, together with any response by senior management, to the Commission and the board of directors of the SCI entity or the equivalent of such board within 60 calendar days after its submission to senior management. Because reports of SCI reviews and any responses by senior management are required to be filed using Form SCI under the Exchange Act and Regulation SCI, it is unlawful for any person to willfully or knowingly make, or cause to be made, a false or misleading statement with respect to any material fact in such reports or responses.\1104\ --------------------------------------------------------------------------- \1103\ See supra note 1100 and accompanying text. \1104\ See, e.g., Section 32(a) of the Exchange Act, 15 U.S.C. 78ff(a). --------------------------------------------------------------------------- The Commission recognizes that senior management certifications are used in other regulatory contexts, including in some Commission rules and regulations.\1105\ However, at this time, the Commission believes that, in light of the other requirements for an SCI entity, the goals of Regulation SCI can be achieved without the imposition of an additional requirement on SCI entities for senior management certification. Specifically, the Commission believes that the adopted requirements promote the responsibility and accountability of senior management of an SCI entity by helping to ensure that senior management receives and reviews reports of SCI reviews, is made aware of issues relating to compliance with Regulation SCI, and is encouraged to promptly establish plans for resolving such issues. --------------------------------------------------------------------------- \1105\ See, e.g., 17 CFR 240.15c3-5(e)(2) (chief executive officer certification under the Market Access Rule); and 17 CFR 240.13a-14 (principal executive and principal financial officer certification of disclosure in annual and quarterly reports). --------------------------------------------------------------------------- The Commission is also adopting a definition of ``senior management'' in Rule 1000 to make clear which individuals at an SCI entity must receive and review the report of the SCI review. The Commission believes that, in the context of the SCI review requirement, senior management should not be limited to a single individual or officer of an SCI entity. Thus, ``senior management,'' for purposes of adopted Rule 1003(b) is defined as an SCI entity's Chief Executive Officer, Chief Technology Officer, Chief Information Officer, General Counsel, and Chief Compliance Officer, or the equivalent of such employees or officers of an SCI entity. The Commission believes that, in order to achieve the goals of the rule to promote increased awareness and oversight of the technology infrastructure at an SCI entity by its most senior employees and officers, it is important that the SCI entity's senior management team receive and carefully review reports of SCI reviews. The Commission believes that these employees and officers, or their functional equivalent, represent the executive, technology, legal, and compliance functions that are necessary to effectively review the reports of SCI reviews. The Commission also believes that awareness by an SCI entity's senior management of SCI reviews and issues with Regulation SCI compliance should help to promote a focus by senior management on such reviews and issues, enhance communication and coordination regarding such reviews and issues among business, technology, legal, and compliance personnel, and, in turn, strengthen the capacity, integrity, resiliency, and availability of the systems of SCI entities. To help ensure that persons at the highest levels of an SCI entity are made aware of any issues raised in the SCI review, the Commission is also adopting a requirement for each SCI entity to submit to its board of directors or the equivalent of such board a report of the SCI review and any response by senior management within 60 calendar days after the submission of the report to senior management of the SCI entity. With regard to one commenter's suggestion that SCI entities should be given 45 days rather than 30 days to submit the report of the SCI review to senior management (and that it should be only a target timeframe rather than a [[Page 72347]] requirement),\1106\ the Commission notes that the 30-day timeframe is based on the Commission's experience with the current ARP Inspection Program that an ARP entity is able to consider the review and prepare a report for senior management consideration prior to the submission to the Commission.\1107\ The Commission acknowledges that a greater number of systems will be subject to the SCI review requirement than the current ARP Inspection Program given the definitions of SCI system and indirect SCI system,\1108\ and that the issues addressed in an SCI review may be complex. However, the Commission notes that the adopted timeframe, while based on experience with the current ARP Inspection Program, also takes into account these factors.\1109\ Further, the Commission believes that the complexity of the issues presented during an SCI review would more likely affect the timing of conducting and completing the SCI review, rather than the timing for submitting a report of the review to senior management. The Commission, therefore, continues to believe that this requirement is appropriate. The Commission also notes that the requirement to submit the annual report to the Commission within 60 calendar days after its submission to senior management is similarly based on the Commission's experience with the ARP Inspection Program that this time period is a sufficient period to enable senior management to consider such review or report before submitting it to the Commission.\1110\ Because an SCI entity will already have prepared the report and any response by senior management for filing with the Commission, the Commission believes that an SCI entity will not need significant additional time to submit the same report and response to its board of directors or the equivalent of such board. --------------------------------------------------------------------------- \1106\ See supra note 1101 and accompanying text. \1107\ See Proposing Release, supra note 13, at 18123. \1108\ The Commission also notes, however, that as discussed above, the scope of systems subject to Regulation SCI has been refined from what was proposed. \1109\ The Commission notes that, while the ARP II Release recommended that an SRO's independent review should result in the presentation of a report to senior SRO management on the recommendations and conclusions of the independent review and such report should be made available to Commission staff, it did not provide recommended time periods for the submission of such reports. See ARP II Release, supra note 1. The adopted 30-day time period is based on experience with the ARP Inspection Program, as well as a consideration of the scope of the review required under Regulation SCI. \1110\ See Proposing Release, supra note 13, at 18124. --------------------------------------------------------------------------- Contrary to the suggestion of some commenters, the Commission does not believe it is appropriate to allow an SCI entity to delay the submission of SCI review reports to the Commission in order to bundle several reports together and submit them on a quarterly or semi-annual basis. Rather, the Commission believes that it is important to receive such reports in a timely manner after completion of the SCI review, so that the Commission is made aware of potential areas of weakness in an SCI entity's systems that may pose risk to the entity or the market as a whole, as well as areas of non-compliance with the provisions of Regulation SCI, without undue delay. With respect to clearing agencies, two commenters noted that the SCI review requirement potentially might overlap with staff guidance for clearing agencies that calls for an annual report on internal controls and recommended that the Commission consider further coordination on potential redundancies.\1111\ The Commission notes that the section in the guidance provided in the Announcement for Standards for the Registration of Clearing Agencies referenced by commenters is distinct from the adopted SCI review requirement, as such section in the guidance relates to the review and evaluation of clearing agencies' accounting controls.\1112\ In contrast, the SCI review requirement involves a risk assessment and assessment of internal control design and effectiveness of all of an SCI entity's SCI systems and indirect SCI systems. --------------------------------------------------------------------------- \1111\ See OCC Letter at 19-20; and DTCC Letter at 18 (citing Securities Exchange Act Release No. 16900, 45 FR 41920, available at: https://sec.gov/rules/other/34-16900.pdf). \1112\ See Securities Exchange Act Release No. 16900 (June 17, 1980), 45 FR 41920 (June 23, 1980). --------------------------------------------------------------------------- Finally, it should be noted that the required review and timely reporting to the Commission will enable the Commission and Commission staff to monitor the quality of compliance with Regulation SCI, thoroughness and robustness of SCI reviews, and the responses of senior management to such reviews. Accordingly, the Commission will be in a position to consider enhancing these regulatory requirements in the future, if necessary. 6. SCI Entity Business Continuity and Disaster Recovery Plans Testing Requirements for Members or Participants--Rule 1004 Adopted Rule 1004 addresses testing of SCI entity business continuity and disaster recovery plans, including backup systems, by SCI entity members or participants. Rule 1004 corresponds to proposed Rule 1000(b)(9), and is adopted with certain modifications in response to comment, as discussed below. a. Proposed Rule 1000(b)(9) Proposed Rule 1000(b)(9)(i) required each SCI entity, with respect to its BC/DR plans, to require participation by designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency specified by the SCI entity, at least once every 12 months. Proposed Rule 1000(b)(9)(ii) further required each SCI entity to coordinate the testing of such plans on an industry- or sector-wide basis with other SCI entities. Proposed Rule 1000(b)(9)(iii) would have additionally required each SCI entity to designate those members or participants it deems necessary, for the maintenance of fair and orderly markets in the event of the activation of its BC/DR plans, to participate in the testing of such plans, and notify the Commission of such designations and its standards for such designation on Form SCI. b. Comments and Commission Response The Commission received significant comment on proposed Rule 1000(b)(9) and is adopting it with revisions, as Rule 1004. As more fully discussed below, the adopted rule requires designation of a more limited set of SCI entity members and participants for mandatory participation in BC/DR testing than the proposed rule. Further, the adopted rule does not require an SCI entity to file designation standards or member/participant designations with the Commission on Form SCI, as was proposed, but instead an SCI entity must keep records of its standards and designations. The scope, frequency, and coordination aspects of the proposed rule are adopted as proposed. i. Mandatory BC/DR Testing Generally Some commenters expressed general support for the goals of proposed Rule 1000(b)(9).\1113\ One commenter in particular stated that ``[i]t is vital that as many firms as possible participate in [market-wide] testing with conditions as realistic as possible.'' \1114\ According to this commenter, broader mandatory participation in testing would be ``one of the most valuable parts of Regulation SCI and will do the most to ensure improved market network reliability.''\1115\ Another commenter [[Page 72348]] expressed support for broad participation in BC/DR testing, but also expressed concern that the testing requirement would put SCI entities at a competitive disadvantage versus non-SCI entities.\1116\ --------------------------------------------------------------------------- \1113\ See, e.g., Angel Letter at 9; UBS Letter at 4-5; and FIF Letter at 6-7. \1114\ See Angel Letter at 9. \1115\ See id. at 10. \1116\ See FIF Letter at 7. --------------------------------------------------------------------------- Several commenters objected to the proposed mandatory testing requirement for SCI ATSs.\1117\ For example, two commenters suggested that few ATSs are critical enough to warrant inclusion in the proposed mandatory testing requirement.\1118\ One commenter urged that only SCI entities that provide market functions on which other market participants depend be subject to the requirements for separate backup and recovery capabilities.\1119\ Another commenter stated that the added benefit of requiring fully redundant backup systems is almost impossible to measure while the cost of implementation is significant, and added further that fully redundant systems and increased testing do not guarantee a flawless backup plan.\1120\ --------------------------------------------------------------------------- \1117\ See SIFMA Letter at 17; BIDS Letter at 8; and ITG Letter at 15. \1118\ See BIDS Letter at 5, 8; and ITG Letter at 15. \1119\ See KCG Letter at 8. \1120\ See Group One Letter at 3. --------------------------------------------------------------------------- Two commenters stated that the current voluntary coordinated testing organized by SIFMA \1121\ already attracts significant participation without any mandate in place.\1122\ However, a different commenter noted the difficulties it has encountered in fostering participation in its voluntary disaster recovery exercises, and stated that, despite encouraging users to participate in its disaster recovery exercises, participation levels were only 20 percent of its targeted high volume client base.\1123\ One commenter sought clarification on whether the requirements of proposed Rule 1000(b)(9) would apply only to trading and clearance systems, or would extend to other SCI systems as well.\1124\ Two commenters asked whether third parties that perform critical market functions for an SCI entity, such as data vendors and service bureaus, would be subject to the proposed requirement.\1125\ One commenter stated that testing by an SCI entity of its business continuity capabilities should not be required to be coordinated with members.\1126\ According to this commenter, ``[t]he entire point of [business continuity plan testing] would be to not coordinate it with customers, and assess whether operations out of [backup] facilities was seamless to members and other market participants.'' \1127\ One commenter stated that it would be more appropriate for SCI entities' members and participants to be responsible for their own business continuity plans and testing.\1128\ The Commission has carefully considered commenters' views on the need for all SCI entities to be subject to the proposed mandatory testing requirement. The Commission continues to believe that adopted Rule 1004 should apply to all SCI entities. --------------------------------------------------------------------------- \1121\ SIFMA organizes an annual industry-wide testing exercise for firms and exchanges to submit and process test orders using their backup facilities. Participation is voluntary. See https://www.sifma.org/services/bcp/industry-testing/. \1122\ See CME Letter at 13; and Tellefsen Letter at 7-8. \1123\ See Omgeo Letter at 26 (noting also that it lacks the ability to require participation by its clients). \1124\ See FINRA Letter at 37. \1125\ See FINRA Letter at 39; and MSRB Letter at 25. \1126\ See Direct Edge Letter at 9. \1127\ See id. \1128\ See SIFMA Letter at 17. In addition, some commenters believed that ATSs should be excluded from requiring members or participants to test, given that ATSs and their broker-dealer participants are already subject to FINRA Rule 4370, which relates to BC/DR plans. See FIA PTG Letter at 5; and BIDS Letter at 9. --------------------------------------------------------------------------- Whereas adopted Rule 1001(a)(2)(v) requires that each SCI entity's policies and procedures include BC/DR plans and specifies recovery goals and geographic diversity requirements for such plans,\1129\ adopted Rule 1004 sets forth certain minimum requirements for SCI entity testing of its BC/DR plans. Adopted Rule 1004, like proposed Rule 1000(b)(9), aims to reduce the risks associated with an SCI entity's decision to activate its BC/DR plans and help to ensure that such plans operate as intended, if activated, by requiring that an SCI entity include participation by certain members and participants in testing of the SCI entity's BC/DR plans. Although some commenters, including several ATSs, argued that ATSs should be excluded from requiring members or participants to test because, according to these commenters, ATSs are less critical to the orderly functioning of the markets than other SCI entities,\1130\ the Commission believes that eliminating any category of SCI entity--including SCI ATSs--from the testing requirement would undermine the goal of maintaining fair and orderly markets in the wake of a wide-scale disruption, and assuring the smooth and effective implementation of an SCI entity's BC/DR plans.\1131\ The Commission continues to believe that a testing participation requirement will help an SCI entity to ensure that its efforts to develop effective BC/DR plans are not undermined by a lack of participation by members or participants that the SCI entity believes are necessary to the successful activation of such plans.\1132\ As stated in the SCI Proposal, the Commission believes that a factor in the shutdown of the equities and options markets in the wake of Superstorm Sandy was the exchanges' belief regarding the inability of some market participants to adequately operate from the backup facilities of all market centers.\1133\ And, although testing protocols were in place and the chance to participate in such testing was available, the member participation rate was low.\1134\ The Commission does not agree with comments that seamless operation of backup facilities should not require coordination of testing, or that the fact that members and participants have their own BC/DR plans and testing means that they should not be required, if designated, to participate in the testing of an SCI entity's BC/DR plans.\1135\ The Commission continues to believe that testing of the effectiveness of back-up arrangements in recovering from a wide-scale disruption is a sound principle, and that, without the participation of significant members or participants of SCI entities, the effectiveness of such testing could be [[Page 72349]] undermined. Based on its experience with the ARP Inspection Program, the Commission understands that many SCI entities have already made significant investments in their backup facilities.\1136\ The Commission believes that the requirements of Rule 1004 will help to ensure that such facilities will be effective in the event they are needed.\1137\ --------------------------------------------------------------------------- \1129\ See supra Section IV.B.1.b (discussing the requirement that an SCI entity have reasonable policies and procedures that include business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption). \1130\ See supra note 1118 and accompanying text. \1131\ See supra Section IV.A.1 (discussing the Commission's rationale for adopting the definition of SCI entity as proposed). See supra Section IV.B.1.b (discussing the BC/DR requirements in Rule 1001(a)(2)(v) for SCI entities). See also infra Sections VI.C.1.c and VI.C.2.b.vii (discussing competitive concerns raised by requiring SCI entities to require members or participants to participate in the SCI entities' BC/DR testing). \1132\ See Proposing Release, supra note 13, at 18125. \1133\ See id. at 18158. See also id. at 18091. The Commission notes that its basis for adopting a mandatory testing rule is independent of whether the market closures in the wake of Superstorm Sandy were appropriate to protect the health and safety of exchange personnel. \1134\ See id. at 18158 and text accompanying n. 83 at 18091. In addition, based on the discussions of Commission staff with market participants in the months following Superstorm Sandy, the Commission understands that many market participants had previously engaged in connectivity testing with backup facilities, and yet remained uncomfortable about switching over to the use of backup facilities in advance of the storm. \1135\ Nor does the Commission agree that Rule 1004 would be duplicative of FINRA Rule 4370, as Rule 1004 relates to participation by members or participants in the testing of an SCI entity's business continuity plans, whereas FINRA Rule 4370 relates to the testing of the member's or participant's own business continuity plan. See supra note 539 and accompanying text. \1136\ See infra Section VI.B.2 (stating that nearly all national securities exchanges already have backup facilities that do not rely on the same infrastructure components as those used by their primary facility). \1137\ See 2003 BCP Policy Statement, supra note 512, at 56658 (stating: ``The effectiveness of back-up arrangements in recovering from a wide-scale disruption should be confirmed through testing.''). See also Interagency White Paper, supra note 512, at 17811 (identifying ``a high level of confidence, through ongoing use or robust testing, that critical internal and external continuity arrangements are effective and compatible'' as one of three important business continuity objectives). See also supra Section IV.B.1.b (discussing adopted Rule 1001(a)(2)(v)). --------------------------------------------------------------------------- In response to commenters who questioned the need for mandatory participation by SCI entity members and participants,\1138\ the Commission believes that current voluntary industry-led testing has been useful because it annually brings together a wide variety of market participants, including many SCI entities, and involves a range of asset classes.\1139\ The current industry-led testing program coordinated by SIFMA therefore could provide a foundation for the development of the testing required by Rule 1004. However, because participation rates by members and participants in voluntary testing generally has been low, the Commission believes that a mandatory participation requirement is the best means to achieve effective and coordinated BC/DR testing with assured participation by the more significant SCI entity members and participants.\1140\ In addition, although the Commission generally agrees with the comment that ``[i]t is vital that as many firms as possible participate in [market-wide] testing with conditions as realistic as possible,'' \1141\ because of the burden and costs of requiring participation by all SCI entity members and participants, regardless of their market significance, the Commission believes it is appropriate to adopt a more measured approach to mandatory participation in BC/DR testing.\1142\ The Commission is therefore adopting a BC/DR testing designation requirement that applies to all SCI entities, but does not apply to all members and participants of SCI entities, as discussed below.\1143\ --------------------------------------------------------------------------- \1138\ See supra notes 1117-1122 and accompanying text. \1139\ See https://www.sifma.org/services/bcp/industry-testing/ (in which SIFMA describes its annual BC/DR test held annually in October, which includes assets classes such as commercial paper, equities, options, futures, fixed-income, settlement, payments, Treasury auctions and market data). \1140\ See supra note 1123 (noting Omgeo's comment that voluntary participation levels are low). See also Proposing Release, supra note 13, at 18091, n. 83 and accompanying text (noting that press reports indicated that a large number of NYSE members did not participate in NYSE's contingency plan testing that occurred seven months prior to Superstorm Sandy). \1141\ See supra note 1114 and accompanying text. \1142\ In addition, because the Commission recognizes that the coordination of such testing is complex and time-consuming, it has provided for a compliance date for the coordination requirement of Rule 1004(d) that is 12 months after the compliance date required for other provisions of Regulation SCI. See Section IV.F. \1143\ In response to commenters seeking clarification on the types of systems that would be subject to the mandatory testing requirement (see supra notes 1124-1125 and accompanying text), because the required testing is BC/DR testing, all systems necessary for an SCI entity to successfully activate it BC/DR plan would be included. --------------------------------------------------------------------------- ii. SCI Entity Designation of Members or Participants for Participation in BC/DR Testing--Rules 1004(a)-(c) Several commenters raised concerns about the proposed requirement that SCI entities exercise discretion to designate members or participants for participation in coordinated BC/DR testing under proposed Rule 1000(b)(9).\1144\ After careful consideration of the views of commenters, the Commission is adopting the requirement that SCI entities designate certain members or participants to participate in testing BC/DR plans with certain modifications from the proposal. As proposed, the rule would have required each SCI entity to designate those members or participants it ``deems necessary, for the maintenance of fair and orderly markets in the event of the activation of its business continuity and disaster recovery plans . . .'' The Commission has determined instead to require that each SCI entity designate those members or participants ``that the SCI entity reasonably determines are, taken as a whole, the minimum necessary for the maintenance of fair and orderly markets in the event of the activation of such plans.'' This change is broadly consistent with the suggestion of one commenter to revise the criteria for designation to those firms ``critical to the operation of the SCI entity.'' \1145\ However, the Commission believes that the adopted standard is more appropriate in that it focuses on the ability of the SCI entity to maintain fair and orderly markets under its BC/DR plan.\1146\ --------------------------------------------------------------------------- \1144\ See NYSE Letter at 33; FIF Letter at 6-7; Omgeo Letter at 26; Fidelity Letter at 6; and Angel Letter at 10. \1145\ See ISE Letter at 9. \1146\ As discussed more fully in Section IV.B.6.b.iv infra, the Commission also believes that the adopted standard could, but would be unlikely to, cause members or participants to elect to withdraw from participation in an SCI entity (particularly a smaller SCI entity) to save on the cost of connectivity fees. --------------------------------------------------------------------------- Several commenters suggested eliminating SCI entity discretion and setting forth in the rule clear, objective criteria (such as trading volume) for which members or participants would be required to participate in testing.\1147\ One commenter suggested that the Commission require that all members or participants that represent a meaningful percentage of the volume in the marketplace participate in the testing in order to capture the more significant market participants, while recognizing the financial burden such testing may pose for smaller entities.\1148\ This commenter believed that giving discretion to SCI entities in this area might lead to regulatory arbitrage and a race to the bottom regarding how many and which members or participants are designated to participate in testing.\1149\ On the other hand, another commenter commented that the discretion contemplated by the proposal keeps the rule flexible enough to accommodate SCI entities conducting a diverse range of business activities.\1150\ This commenter also suggested that SCI entities should not be required to report to the Commission who they have designated to test, and instead should only be required to keep a record of who they have designated.\1151\ --------------------------------------------------------------------------- \1147\ See NYSE Letter at 33; Omgeo Letter at 26; Angel Letter at 10; and FIF Letter at 6. \1148\ See NYSE Letter at 33. \1149\ See NYSE Letter at 33. \1150\ See CME Letter at 12. \1151\ See id. at 13. --------------------------------------------------------------------------- In response to commenters who were concerned about the discretionary aspect of the designation requirement,\1152\ the Commission believes the SCI entity is in the best position to determine which of its members or participants collectively represent sufficient liquidity for the SCI entity to maintain fair and orderly markets in a BC/DR scenario following a wide-scale disruption. The Commission believes such determinations require the exercise of reasonable judgment by each SCI entity, and are not well-suited for a ``one-size- fits-all'' objective measure determined by the Commission. For example, if the Commission were to establish an objective measure (e.g., based on a specified percentage of trading volume), [[Page 72350]] it might represent a meaningful percentage for some SCI entities, but not for others. Thus, the rule requires that each SCI entity establish standards for the designation of those members or participants that the SCI entity ``reasonably'' determines are, taken as a whole, the minimum necessary for the maintenance of fair and orderly markets in the event of the activation of its BC/DR plans. This adopted provision is in lieu of the proposed requirement, which would have required an SCI entity to designate those members or participants it ``deems necessary'' for the maintenance of fair and orderly markets in the event of the activation of its BC/DR plans. Because the adopted rule requires an SCI entity's determination to be reasonable, it provides some degree of flexibility to SCI entities but also imposes a check on SCI entity discretion, which the Commission believes should help prevent an SCI entity's designations from being overly limited. In response to concerns that a discretionary designation requirement would lead to regulatory arbitrage and a race to the bottom regarding how many and which members or participants are designated to participate in testing, the Commission believes that this is unlikely to occur because each SCI entity will be subject to the same requirement and will be required to make a reasonable determination that the designated members or participants are those that are the minimum necessary for it to maintain fair and orderly markets in the event of activation of its BC/ DR plans. Further, the Commission believes that broad participation in BC/DR testing will enhance the utility of the testing, and that allowing non-designated members or participants the opportunity to participate in such testing generally will further this goal. Therefore, the Commission encourages SCI entities to permit non- designated members or participants to participate in the testing of the SCI entity's BC/DR plans if they request to do so. --------------------------------------------------------------------------- \1152\ See supra notes 1144, 1147-1149 and accompanying text. --------------------------------------------------------------------------- Consistent with the recommendation of one commenter, however, the Commission has determined not to require that each SCI entity notify the Commission of its designations and its standards for designation on Form SCI as proposed. Instead, an SCI entity's standards, designations, and updates, if applicable, would be part of its records and therefore available to the Commission and its staff upon request.\1153\ Unlike de minimis systems disruptions and de minimis systems intrusions, which may occur with regularity (and for which a quarterly summary report would aid Commission oversight of systems whose proper functioning is central to the maintenance of fair and orderly markets), the establishment of standards for designation, the designations themselves, and updates to such standards or designations are likely to occur less frequently. Thus, the Commission believes it is sufficient for the Commission to review records relating to such designations when the Commission determines that it is necessary to do so to fulfill its oversight role, such as during its examination of an SCI entity.\1154\ More broadly, the Commission believes this revision is generally consistent with modifications that the Commission has made in response to comment that proposed Regulation SCI would have required unnecessary and burdensome notice and reporting submissions. --------------------------------------------------------------------------- \1153\ See infra Section IV.C.1 (discussing SCI entity recordkeeping requirements). \1154\ See supra Sections IV.A.3 and IV.B.3.c (discussing the rationale for quarterly reporting of de minimis systems disruptions and de minimis systems intrusions). --------------------------------------------------------------------------- Some commenters questioned whether many SCI entities, particularly non-SROs and ATSs, have the authority to require their members or participants to participate in such testing.\1155\ Another commenter more generally stated that it was unclear how an SCI entity could enforce a requirement that its customers engage in BC/DR testing.\1156\ In response to these comments, the Commission believes that SCI SRO rulemaking authority and non-SRO contractual arrangements would enable SCI entities to implement this requirement.\1157\ Specifically, SROs have the authority, and legal responsibility, under Section 6 of the Exchange Act, to adopt and enforce rules (including rules to comply with Regulation SCI's requirements relating to BC/DR testing) applicable to their members or participants that are designed to, among other things, foster cooperation and coordination with persons engaged in regulating, clearing, settling, processing information with respect to, and facilitating transactions in securities, to remove impediments to and perfect the mechanism of a free and open market and a national market system, and, in general, to protect investors and the public interest.\1158\ Further, SCI entities that are not SROs have the ability to include provisions in their contractual agreements with their participants (such as their subscriber or participant agreements) requiring such parties to engage in BC/DR testing. --------------------------------------------------------------------------- \1155\ See Omgeo Letter at 26; MSRB Letter at 24; BIDS Letter at 8; LiquidNet Letter at 4; and SIFMA Letter at 17. See also ITG Letter at 15-16. \1156\ See SIFMA Letter at 17-18 (suggesting that the Commission instead adopt a ``BCP testing requirement more akin to the `best practices' described in the Interagency White Paper''). \1157\ While some designated members or participants of SCI entities might choose to withdraw from membership or participation in an SCI entity if they assess the cost of participating in BC/DR testing to be too great, the Commission believes that other aspects of their involvement with the SCI entity, including an interest in maintaining a profitable business relationship, will factor significantly into any decision regarding their continued membership or participation in the SCI entity. See also infra Sections VI.C.1.c and VI.C.2.b.vii (discussing competition between SCI entities and non-SCI entities in relation to the requirements under Rule 1004). \1158\ See Section 6 of the Exchange Act, 15 U.S.C. 78f. --------------------------------------------------------------------------- Other commenters focused on the potential impact of the rule on the members or participants designated to participate in testing. One commenter pointed out that, without clearly defined industry level coordination, some members or participants may be overburdened by being subject to multiple individual tests with various SCI entities.\1159\ Another commenter asked the Commission to clarify what the obligation is for firms that are members or participants at multiple SCI entities.\1160\ Several commenters expressed concern that the Commission underestimated the costs and burdens of the proposed testing.\1161\ According to some of these commenters, under the proposal, certain firms, such as market makers and other firms performing important market functions, could be required to maintain connections to the backup sites of a number of SCI entities, at significant cost.\1162\ A group of commenters requested that the scope be targeted to only cover those instances in which an SCI entity determines to enact its disaster recovery plans.\1163\ One commenter agreed that the designation requirement could be relaxed and still achieve the provision's aim, because the bulk of the liquidity at a market center is provided by a small number of firms.\1164\ Another commenter asked the Commission to give designated firms the [[Page 72351]] ability to opt-out if they have a good reason.\1165\ --------------------------------------------------------------------------- \1159\ See OCC Letter at 18. \1160\ See DTCC Letter at 13. \1161\ See FINRA Letter at 37-39; OCC Letter at 18; Fidelity Letter at 6; Joint SROs Letter at 15-16; ISE Letter at 9; and Group One Letter at 3. See also infra Section VI (discussing the costs and burdens of the requirement, including the costs for members or participants to participate in BC/DR testing). \1162\ See FINRA Letter at 37-39; OCC Letter at 18; and Fidelity Letter at 6 (expressing concern an SCI entity might cast a wide net with its designation powers to include more firms than necessary). \1163\ See Joint SROs Letter at 16 (noting the complexity of testing a scenario in which a market participant may have enacted its business continuity plan but can still access an SCI entity through the primary facility). \1164\ See Tellefsen Letter at 9. \1165\ See Fidelity Letter at 6. --------------------------------------------------------------------------- The Commission believes that adoption of a more focused designation requirement that requires SCI entities to exercise reasonable discretion to identify those members or participants that, taken as a whole, are the ``minimum necessary'' for the maintenance of fair and orderly markets in the event of the activation of such plans is likely to result in a smaller number of SCI entity members or participants being designated for participation in testing as compared to the SCI Proposal. Because the Commission believes that SCI entities have an incentive to limit the imposition of the cost and burden associated with testing to the minimum necessary to comply with the rule, it also believes that, given the option, most SCI entities would, in the exercise of reasonable discretion, prefer to designate fewer members or participants to participate in testing, than to designate more. On balance, the Commission believes that adopted rule will incentivize SCI entities to designate those members and participants that are in fact the minimum necessary for the maintenance of fair and orderly markets in the event of the activation of their BC/DR plans, and that this should reduce the number of designations to which any particular member or participant would be subject, as compared to the SCI Proposal, and would potentially simplify efforts for SCI entities to coordinate BC/DR testing, as required by adopted Rule 1004(d). Despite the modifications from the proposal, it remains possible, as some commenters noted, that firms that are members of multiple SCI entities will be the subject of multiple designations, and that multiple designations could require certain firms to maintain connections to and participate in testing of the backup sites of multiple SCI entities. The Commission believes this possibility, though real, may be mitigated by the fact that multiple designations are likely to be made to firms that are already connected to one or more SCI entity backup facilities, since they represent significant members or participants of the applicable SCI entities; and that, because some SCI entity backup facilities are located in close proximity to each other, multiple connections to such backup facilities may be less costly than if SCI entity backup facilities were not so located. The Commission recognizes that there will be greater costs to a firm being designated by multiple SCI entities to participate in the testing of their BC/DR plans than to a firm designated by only one SCI entity. However, the Commission believes that these greater costs are warranted for such firms, as they represent significant participants in each of the SCI entities for which they are designated, and their participation in the testing of each such SCI entity's BC/DR plans is necessary to evaluate whether such plans are reliable and effective. The designation of a firm to participate in the BC/DR testing of an SCI entity means that such firm is significant, as the SCI entity has reasonably determined it to be included in the set of its members or participants that is, ``taken as a whole, the minimum necessary for the maintenance of fair and orderly markets in the event of the activation of such plans.'' Nonetheless, the Commission acknowledges that there may be instances in which an SCI entity has reasonably designated a firm to participate in BC/DR testing, and the firm is unwilling to bear the cost of participation in BC/DR testing with a given SCI entity. In such instances, there may be firms that opt out of such testing by withdrawing as a member or subscriber of one or more SCI entities, but the Commission believes that is unlikely. In particular, the Commission believes that it is unlikely that a firm determined to be significant enough to be designated to participate in testing by an SCI entity would choose to withdraw its membership or participation in an SCI entity solely because of the costs and burdens of Regulation SCI's BC/ DR testing provisions. The Commission also believes that such firm is likely to be a larger firm with greater resources and a significant level of participation in such SCI entity, and is likely to already be connected to the backup facility of the SCI SRO that is designating it to test.\1166\ Moreover, the Commission does not agree with the suggestion made by one commenter that the Commission give designated firms the ability to ``opt-out'' if they have a good reason,\1167\ because the ability to opt-out in this manner would render participation in BC/DR testing voluntary which, as discussed above, is unlikely to result in adequate BC/DR testing.\1168\ The Commission continues to believe, as stated in the SCI Proposal, that ``unless there is effective participation by certain of its members or participants in the testing of [BC/DR] plans, the objective of ensuring resilient and available markets in general, and the maintenance of fair and orderly markets in particular, would not be achieved.'' \1169\ Although the Commission recognizes that testing of a BC/DR plan does not guarantee flawless execution of that plan, the Commission believes that a tested plan is likely to be more reliable and effective than an inadequately tested plan.\1170\ --------------------------------------------------------------------------- \1166\ See infra Section IV.B.6.b.iv. \1167\ See Fidelity Letter at 6. \1168\ See supra note 1140 and accompanying text. \1169\ See Proposing Release, supra note 13, at 18091, 18125. \1170\ Further, because the Commission believes that increased participation in BC/DR testing is likely to enhance the utility of the testing, the Commission encourages SCI entities to permit members or participants that do not meet the SCI entity's reasonable designation standards to participate in such testing if they request to do so. --------------------------------------------------------------------------- iii. Scope, Timing, and Frequency of BC/DR Testing--Rule 1004(b) The SCI Proposal specified that the type of testing for which designees would be required to participate was ``scheduled functional and performance testing of the operation of [BC/DR] plans, in the manner and frequency specified by the SCI entity, at least once every 12 months.'' \1171\ After careful consideration of the views of commenters, the Commission is adopting the scope, frequency, and timing requirements in the rule as proposed. Specifically, adopted Rule 1004(b) requires that an SCI entity's designees participate in ``scheduled functional and performance testing of the operation of [BC/ DR] plans, in the manner and frequency specified by the SCI entity, provided that such frequency shall not be less than once every 12 months.'' --------------------------------------------------------------------------- \1171\ See proposed Rule 1000(b)(9)(i). --------------------------------------------------------------------------- In the SCI Proposal, the Commission noted that functional testing is commonly understood to examine whether a system operates in accordance with its specifications, whereas performance testing examines whether a system is able to perform under a particular workload.\1172\ The Commission added that functional and performance testing should include not only testing of connectivity, but also testing of an SCI entity's systems, such as order entry, execution, clearance and settlement, order routing, and the transmission and/or receipt of market data, as applicable, to determine if they can operate as contemplated by its business continuity and disaster recovery plans.\1173\ With regard to the proposed scope of testing, several commenters expressed specific concerns about the requirement for ``functional and performance'' testing of BC/DR [[Page 72352]] plans.\1174\ Specifically, one commenter expressed concern about the logistical challenges of conducting functional and performance testing at the same time.\1175\ Two commenters expressed concern that requiring firms to perform industry-wide, end-to-end testing by processing transactions in their disaster recovery systems would introduce risk to the markets because such testing would increase the chance that test transactions could inadvertently be introduced into production systems.\1176\ Another commenter stated that a full functional test across all primary and recovery data centers for any significant number of members or participants would require substantial time to conduct and may require market downtime, as would a full performance test.\1177\ One group of commenters suggested that the scope of the requirement should be revised to only cover ``functional and operational testing'' of disaster recovery plans, but requested additional guidance with regard to the scope of testing required to establish the effectiveness of disaster recovery plans.\1178\ This group of commenters expressed concern about the ``complexity and cost associated with establishing an effective coordinated test script that captures the significant number of possibilities that may occur to each significant market participant or SCI entity'' and recommended that the scope of the coordinated functional and operational testing requirements be revised to cover those instances in which an SCI entity determines to enact its disaster recovery plan.\1179\ Two commenters believed the tests should be ``scenario-based'' to recreate as closely as possible the actual conditions that would trigger widespread use of BC/DR plans.\1180\ --------------------------------------------------------------------------- \1172\ See Proposing Release, supra note 13, at 18125, n. 267. \1173\ See id. at 18126. \1174\ See, e.g., FINRA Letter at 37; OCC Letter at 18; and DTCC Letter at 12. \1175\ See FINRA Letter at 37 (stating that combining performance testing with functional testing on weekends would be difficult and possibly not feasible because an end-to-end functional test combined with a stress test would require much more time to accommodate processing volumes than would be afforded in an abbreviated non-business day session). \1176\ See OCC Letter at 17-18 (stating that its systems and systems of many member firms are configured to prevent test activity from being processed by production or disaster recovery systems); and DTCC Letter at 12 (stating similarly that the testing proposed by Rule 1000(b)(9) (as opposed to communication and connectivity testing) would not be supported by most SCI entities' current systems configurations, and encouraging the Commission to consider this in adopting testing requirements). \1177\ See Omgeo Letter at 26-27. This commenter urged a more limited scope of testing. Specifically, this commenter urged the Commission to focus on ``smoke testing,'' which it characterized as a more limited form of testing to validate that system functionality is fully deployed and operational in the new recovered or resumed production environment, and with respect to the goals of performance testing, a more limited set of system operations to assure that the recovery system would perform those operations at roughly comparable speeds as those performed on the main production systems. This commenter further stated that, in both cases, the purpose of these tests would be to validate that the backup or recovery systems have the necessary functionality to perform the service required of the SCI systems, and have sufficient capacity to process the production workloads at roughly comparable levels of performance, rather than to test the actual functional or performance characteristics of the backup or alternate recovery systems in their own right. See Omgeo Letter at 27. \1178\ See Joint SROs Letter at 15-16. \1179\ See id. at 16. \1180\ See FIF Letter at 7; and UBS Letter at 4. --------------------------------------------------------------------------- Adopted Rule 1004(b) provides that the scope of required testing is ``functional and performance testing of the operation of BC/DR plans.'' As stated in the SCI Proposal, such functional and performance testing should include not only testing of connectivity, but also testing of an SCI entity's systems, such as order entry, execution, clearance and settlement, order routing, and the transmission and/or receipt of market data, as applicable, to determine if they can operate as contemplated by its business continuity and disaster recovery plans.\1181\ In response to commenters expressing concern about the breadth of the requirement, the Commission notes that the rule requires functional and performance testing of the ``operation of [BC/DR] plans.'' While the type of testing required by adopted Rule 1004(b) is more rigorous than some types of testing urged by some commenters, the Commission does not believe that the requirement for ``functional and performance testing of the operation of such plans'' requires additional testing that is as burdensome as that feared by some of those commenters. Importantly, ``functional and performance testing of the operation of [BC/DR] plans'' entails testing that goes beyond communication and connectivity testing, and beyond validation testing, which are more limited types of testing urged by some commenters. But the requirement to conduct ``functional and performance testing of the operation of [BC/DR] plans'' does not mean that a full test of the functional and performance characteristics of each backup facility is required to be conducted all at once and in coordination with other SCI entities all at the same time, as some commenters characterized the proposed requirement.\1182\ Specifically, the Commission notes that the testing of BC/DR plans, which is required by Rule 1004, is different from testing of the function and performance of backup facilities generally.\1183\ What Rule 1004 requires is coordinated testing to evaluate annually whether such backup facilities of SCI entities can function and perform in accordance with the operation of BC/DR plans in the event of wide-scale disruption. In addition, the Commission notes that performance testing, which examines whether a system is able to perform under a particular workload, is not synonymous with ``stress testing,'' in which capacity limits are tested, and therefore should not require as much time to conduct as one commenter suggested. --------------------------------------------------------------------------- \1181\ See Proposing Release, supra note 13, at 18126. \1182\ Conducting the required testing is not intended to require market downtime, but permits a range of possibilities, as SCI entities determine to be appropriate, including weekend testing, as well as testing in segments over the course of a year, if SCI entities determine that, to meet the requirements of the rule, a single annual test cannot be properly conducted within a single period of time (e.g., over the course of a weekend). \1183\ Testing of the function and performance of backup facilities generally would occur before such facilities are launched into production (such as pursuant to Rule 1001(a)), and Regulation SCI does not impose a requirement for coordinating such testing with other SCI entities. --------------------------------------------------------------------------- In response to commenters concerned that the required testing would necessitate system reconfigurations,\1184\ the Commission understands that the requirement to test backup facilities may require technology adjustments to permit testing activity to be processed by BC/DR systems, and believes that such adjustments to permit testing are warranted to achieve the goal, as discussed above, of achieving reliable and effective BC/DR plans at SCI entities. The Commission also believes that such system reconfigurations would be less burdensome than a Commission rule requiring the establishment of a dedicated environment for safe end-to-end testing that accurately simulates the trading environment, which some commenters suggested might be appropriate. One group of commenters noted the ``complexity and cost associated with establishing an effective coordinated test script,'' and urged that the scope of the coordinated testing be ``narrowed to cover those instances in which an SCI entity determines to enact its disaster recovery plan.'' The Commission acknowledges that establishment of an effective coordinated test script will involve [[Page 72353]] some costs and complexity, but believes that this is an important first step in establishing robust and effective testing under the rule. The Commission encourages SCI entities to develop one or more test scripts contemplating a wide-scale disruption and the enactment by SCI entities in the region of the wide-scale disruption of their BC/DR plans. --------------------------------------------------------------------------- \1184\ See supra note 1176 and accompanying text. See also Tradebook Letter at 2-3 (stating its view that ``the only way to test integration from order generation to allocation and then through to final settlement, is in the production environment'' and ``test tickers that operate in the production environment are the only way to reliably simulate exactly what will happen in the production environment with a live order''). --------------------------------------------------------------------------- Further, the Commission notes that nothing in Rule 1001(a) nor Rule 1004 requires that an SCI entity's BC/DR plan specify that its backup site must fully replicate the capacity, speed, and other features of the primary site. Similarly, SCI entity members and participants are not required by Regulation SCI to maintain the same level of connectivity with the backup sites of an SCI entity as they do with the primary sites.\1185\ In the event of a wide-scale disruption in the securities markets, the Commission acknowledges that an SCI entity and its members or participants may not be able to provide the same level of liquidity as on a normal trading day. In addition, the Commission recognizes that the concept of ``fair and orderly markets'' does not require that trading on a day when business continuity and disaster recovery plans are in effect will reflect the same levels of liquidity, depth, volatility, and other characteristics of trading on a normal trading day. Nevertheless, the Commission believes it is critical that SCI entities and their designated members or participants be able to operate with the SCI entities' backup systems in the event of a wide- scale disruption. Therefore, Rule 1004 requires that an SCI entity's BC/DR plan that meets the requirements of Rule 1001(a)(2)(v) be tested for both its functionality and performance as specified by the SCI entity's BC/DR plan. --------------------------------------------------------------------------- \1185\ See infra Section VI.C.2.b.vii (discussing the estimated costs of adopted Rule 1004). --------------------------------------------------------------------------- In addition, several commenters addressed testing more generally.\1186\ For example, some commenters urged that comprehensive, industry-wide, end-to-end testing could be enhanced if there were uniform test tickers supported by the testing infrastructure at all SCI entities.\1187\ Two commenters urged the establishment of principles for end-to-end, integrated testing.\1188\ Specifically, one of these commenters suggested that SCI entities, the Commission, and relevant third-parties think about how to establish a dedicated environment where end-to-end testing could be done safely, and where it could accurately simulate the trading environment.\1189\ This commenter also suggested that testing plans concentrate on high volume periods, stress testing common order types, and focusing on securities that generally experience low liquidity.\1190\ This commenter believed that industry- wide testing should include derivatives and cross-asset scenarios, and possibly include some involvement by foreign regulators and markets as well.\1191\ While the suggestions of these commenters are not inconsistent with the rule's requirement for functional and performance testing of BC/DR plans, the Commission has determined not to require them because the Commission does not believe, at this time, that these suggestions are necessary in every instance to achieve reliable and effective BC/DR plans at SCI entities. However, to the extent an SCI entity believes them to be appropriate for its systems, these suggestions could be utilized in its BC/DR plans testing. --------------------------------------------------------------------------- \1186\ See Tradebook Letter at 1-3; CAST Letter at 9; FIA PTG Letter at 2; and CoreOne Letter at 3-7. \1187\ See Tradebook Letter at 2-3; CAST Letter at 9; and FIA PTG Letter at 2. \1188\ See CoreOne Letter at 3; and Tradebook Letter at 1-3. \1189\ See CoreOne Letter at 3. \1190\ See id. at 3-4. \1191\ See id. at 7. --------------------------------------------------------------------------- Importantly, the adopted rule does not prescribe how SCI entities are to develop plans for functional and performance testing of order entry, execution, clearance and settlement, order routing, and the transmission and/or receipt of market data, as applicable, to determine if these functions can operate as contemplated by SCI entity BC/DR plans. Thus, as with the proposed requirement, the adopted rule provides an SCI entity with discretion to determine the precise manner and content of the BC/DR testing required pursuant to Rule 1004, and SCI entities have discretion to determine, for example, the duration of the testing, the sample size of transactions tested, the scenarios tested, and the scope of the test. Therefore, while comments urging the creation of uniform test tickers, establishment of principles for end- to-end testing, mandatory types of test scripts, and cross-asset and cross-jurisdictional coordination are matters that SCI entities may wish to consider in implementing the testing required by the rule, the Commission does not believe it is appropriate to mandate such details in Regulation SCI. To do so would be more prescriptive than the Commission believes is appropriate, as this requirement is designed to provide SCI entities flexibility and discretion in determining how to meet it. The Commission believes that the adopted testing requirement will help to improve securities market infrastructure resilience by helping to ensure not only that an SCI entity can operate following an event that triggers its BC/DR plans, but also that it can do so with a greater level of confidence that its core members or participants are also ready based on experience during testing. The Commission is adopting Rule 1004(b) substantively as proposed because it gives SCI entities discretion to develop a test that meets the requirements of the rule. One commenter recommended requiring that each entity be run entirely under its backup plan at least one day a year for a full trading day, and that the entire market run off of the backup sites at least once a year.\1192\ While adopted Rule 1004 would not preclude this approach, the Commission notes that other commenters disagreed with the wisdom of it.\1193\ Specifically, one group of commenters stated that the risks of testing in a ``live production environment on a periodic basis'' outweigh the benefits.\1194\ Another commenter stated that requiring SCI entities to operate using their backup facilities would increase the risk of erroneous quotes and orders entering the marketplace.\1195\ --------------------------------------------------------------------------- \1192\ See Angel Letter at 10. \1193\ See Joint SROs Letter at 15; and Group One Letter at 2. \1194\ See Joint SROs Letter at 15. \1195\ See Group One Letter at 2. --------------------------------------------------------------------------- After careful consideration of these comments, the Commission has determined not to prescribe the time of day or week during which testing shall occur. In addition, the adopted rule does not require an SCI entity to test its BC/DR plan in live production, but also does not prohibit an SCI entity from testing its BC/DR plans in live production, either, if an SCI entity determines such a method of testing to be appropriate. The Commission continues to believe that SCI entities are in the best position to structure the details of the test in a way that would maximize its utility. With respect to testing frequency, one commenter agreed with the proposal that an SCI entity's BC/DR plans, including its backup systems, be tested ``at least once every 12 months.'' \1196\ One commenter stated that the rule should explicitly set forth the required frequency of testing.\1197\ One commenter believed that two coordinated industry tests per year would be more appropriate.\1198\ One commenter [[Page 72354]] believed that testing once per year is arbitrary, and suggested that a risk-based approach might justify testing certain systems with more or less frequency.\1199\ --------------------------------------------------------------------------- \1196\ See DTCC Letter at 13 \1197\ See NYSE Letter at 33. \1198\ See FIF Letter at 6. \1199\ See MSRB Letter at 24. --------------------------------------------------------------------------- The Commission is adopting as proposed the requirement that testing occur not less than once every 12 months. Although commenters offered differing views on the appropriate frequency for the required testing,\1200\ the Commission continues to believe that a testing frequency of once every 12 months is an appropriate minimum frequency that encourages regular and focused attention on the establishment of meaningful and effective testing. In the context of coordinated BC/DR testing, the Commission believes the key is for testing to occur regularly enough to offer practical utility in the event of a wide- scale disruption without imposing undue cost, and that a minimum frequency of one year achieves this balance. This requirement does not prevent SCI entities from testing more frequently, but rather is intended to give SCI entities the flexibility to test their BC/DR plans, including their backup systems, at more frequent intervals if they find it appropriate to do so. --------------------------------------------------------------------------- \1200\ See supra notes 1196-1199. --------------------------------------------------------------------------- iv. Industry- or Sector-Wide Coordination--Rule 1004(d) Proposed Rule 1000(b)(9)(a)(ii) specified that an SCI entity would be required to coordinate the testing of BC/DR plans on an industry- or sector-wide basis with other SCI entities. The Commission received significant comment on this aspect of the proposal. Two commenters supported the coordinated testing requirement.\1201\ Specifically, one of these commenters stated that a coordination requirement targets an area where technology risks have left the markets more vulnerable, namely, the complex ways that firms interact.\1202\ This commenter favored market-wide testing as a way to better manage that risk.\1203\ This commenter also stated that coordination is vital because the more SCI entities and member firms that participate in testing, the more realistic that testing will be.\1204\ Another commenter noted that one of the most important steps in validating and maintaining systems integrity is an effective BC/DR model and urged the Commission to promptly advance a program to introduce a new and more comprehensive BC/DR testing paradigm.\1205\ --------------------------------------------------------------------------- \1201\ See Angel Letter at 9; and UBS Letter at 4. \1202\ See Angel Letter at 9. \1203\ See id. \1204\ See id. \1205\ See UBS Letter at 4-5. This commenter also stated that improved BC/DR testing should not be delayed until Regulation SCI is adopted. See UBS Letter at 5. --------------------------------------------------------------------------- In contrast, some commenters opposed the proposed comprehensive, coordinated testing structure.\1206\ Some commenters stated that coordinating testing presents significant technological and logistical challenges that need to be weighed carefully.\1207\ One commenter stated that coordinated testing is a good aspirational goal, but expressed concern that too much is outside of the control of an individual SCI entity, and therefore the rule should, at most, require SCI entities to attempt to coordinate such testing.\1208\ Another commenter stated that the fixed-income market is so fragmented that coordinated testing is difficult to conduct and much less imperative.\1209\ --------------------------------------------------------------------------- \1206\ See DTCC Letter at 12-13; FINRA Letter at 37-39; OCC Letter at 17-18; and ISE Letter at 8. \1207\ See LiquidPoint Letter at 4; and SIFMA Letter at 17-18. See also supra notes 1175-1177 and accompanying text. \1208\ See CME Letter at 13. \1209\ See TMC Letter at 3. --------------------------------------------------------------------------- Some commenters offered suggestions on how to improve the proposed coordination requirement. One commenter urged that coordination only be required among providers of singular services in the market (i.e., exchanges that list securities, exclusive processors under NMS plans, and clearing and settlement agencies).\1210\ Some commenters believed that coordination would work best if it was organized by an entity with regulatory authority over SCI entities, or by an organization designated by the Commission to fulfill that role.\1211\ One such commenter supported coordinating testing through a Commission-approved plan, provided SCI entities have the right to maintain the confidentiality of certain critical information.\1212\ Another commenter recommended that the Commission work with the CFTC to adopt a coordinated approach to dealing with technology issues across financial markets, including through participation by derivatives exchanges in testing alongside their equity markets counterparts.\1213\ --------------------------------------------------------------------------- \1210\ See Direct Edge Letter at 9. \1211\ See DTCC Letter at 13; OCC Letter at 18; and NYSE Letter at 33. \1212\ See NYSE Letter at 33. \1213\ See Angel Letter at 12. --------------------------------------------------------------------------- After careful consideration of the comments, the Commission has determined to adopt the coordination requirement as proposed. Specifically, Rule 1004(d) requires that an SCI entity ``coordinate the testing of [BC/DR] plans on an industry- or sector-wide basis with other SCI entities.'' The Commission recognizes that coordinating industry- or sector-wide testing among SCI entities and their designated members or participants may present logistical challenges. Because of these challenges, the Commission does not believe that a more prescriptive approach is warranted. Instead, the coordination requirement provides discretion to SCI entities to determine how to meet it. The Commission does not agree with commenters suggesting that the Commission should assume leadership on the organization of coordinated testing, designate an organization to fulfill that role, or require a ``Commission-approved plan'' for testing, because it believes at this time that SCI entities can achieve coordination more quickly and efficiently without the imposition of a formal procedural framework that these suggestions would entail.\1214\ In response to comment suggesting that coordination should be aspirational rather than required, the Commission believes that, because trading in the U.S. securities markets today is dispersed among a wide variety of exchanges, ATSs, and other trading venues, and is often conducted through sophisticated trading strategies that access many trading platforms simultaneously, requiring SCI entities to coordinate testing would result in testing under more realistic market conditions.\1215\ The Commission also continues to believe that it would be more cost- effective for SCI entity members and participants to participate in testing of SCI entity BC/DR plans on an industry- or sector-wide basis than to test with each SCI entity on an individual basis because such coordination would likely reduce duplicative testing efforts.\1216\ In [[Page 72355]] addition, if SCI entities that are ``providers of singular services'' in the markets (i.e., which the Commission believes would be synonymous with SCI entities that are providers of ``critical SCI systems'') lead coordination efforts on behalf of all SCI entities, such an approach would not be impermissible under Rule 1004(d), provided all SCI entities agreed to such an approach. --------------------------------------------------------------------------- \1214\ With respect to the suggestion that there be a Commission approved plan, the Commission notes that Rule 608 of Regulation NMS is designed to facilitate participation in NMS plans by self- regulatory organizations, which does not include SCI entities that are not SCI SROs, including SCI ATSs. The Commission notes that at least one commenter suggested that the Commission work with the CFTC to adopt a coordinated approach to testing. But, as discussed above, the Commission believes that Regulation SCI is an important step to reduce the risks associated with a decision to activate BC/DR plans. And, although the Commission may in the future consider additional initiatives to promote further coordination with the CFTC, in the Commission's view, this initial step of adopting Regulation SCI should not be delayed. \1215\ See Proposing Release, supra note 13, at 18126. \1216\ In response to comment that coordinated BC/DR testing is not needed in the current fixed-income market, the Commission notes that it has determined to exclude ATSs trading only municipal securities or corporate debt securities from the scope of Regulation SCI. See supra notes 189-192 and accompanying text (discussing the exclusion of ATSs trading only fixed-income securities from the definition of SCI ATS). --------------------------------------------------------------------------- In response to commenters who more generally expressed concern about the rule subjecting SCI entity members and participants to multiple duplicative and costly testing requirements,\1217\ the Commission notes that the flexibility provided in the adopted coordination requirement, in tandem with the more focused adopted mandatory designation requirement should mitigate these concerns. As discussed above, adoption of a more focused designation requirement that requires SCI entities to exercise reasonable discretion is likely to reduce the extent to which SCI entity member or participant designations overlap and possibly result in a smaller number of SCI entity members or participants being designated for participation in testing than as contemplated by the SCI Proposal, and a fewer number of members or participants designated to participate in testing should simplify efforts to coordinate testing. However, as some commenters noted, it remains possible that, despite coordination, some firms that are members of multiple SCI entities may be designated to participate in testing with multiple SCI entities at greater cost than if they had been designated by only one SCI entity, and may be required to test more than once annually, as this may be necessary for each SCI entity to meet its obligations under the rule. Though the Commission recognizes that the possibility of being designated by multiple SCI entities to participate in the testing of their BC/DR plans may be costly, the Commission ultimately believes that such a cost is appropriate to help ensure that the BC/DR plan of each SCI entity is useful and effective. If, for example, a firm is designated for mandatory testing by multiple SCI entities, it would be so designated because each such SCI entity determines that such firm is necessary to the successful activation of its BC/DR plan. The Commission recognizes that it is conceivable that a firm that is required to participate in testing with multiple SCI entities assesses the costs and burdens of participating in every such test to be too great, and makes its own business decision to withdraw its membership or participation in one or more such SCI entities so as to avoid the costs and burdens of such testing, but believes such scenario to be unlikely. Specifically, the Commission believes that it is unlikely that a firm determined to be significant enough to be designated to participate in testing by an SCI entity (even a smaller SCI entity) would choose to withdraw its membership or participation in an SCI entity solely because of the costs and burdens of Regulation SCI's BC/DR testing provisions. The Commission also believes that such firm is likely to be a larger firm with greater resources and a significant level of participation in such SCI entity, and is likely to already be connected to the backup facility of the SCI SRO that is designating it to test. The Commission continues to believe that SCI entities are best suited to find the most efficient and effective manner in which to test its BC/DR plans.\1218\ --------------------------------------------------------------------------- \1217\ See supra notes 1159-1160 and accompanying text. \1218\ See Proposing Release, supra note 13, at 18126. --------------------------------------------------------------------------- Furthermore, the Commission is also adopting a longer compliance period with regard to the industry- or sector-wide coordinated testing requirement in adopted Rule 1004(d).\1219\ Specifically, SCI entities will have 21 months from the Effective Date to coordinate the testing of an SCI entity's business continuity and disaster recovery plans on an industry- or sector-wide basis with other SCI entities pursuant to adopted Rule 1004(d). In sum, the Commission believes that Rule 1004, as adopted, will enhance the resilience of the infrastructure of the U.S. securities markets. --------------------------------------------------------------------------- \1219\ See infra Section IV.F (discussing the delayed implementation time for adopted Rule 1004(d)). --------------------------------------------------------------------------- C. Recordkeeping, Electronic Filing on Form SCI, and Access--Rules 1005-1007 Adopted Rules 1005 through 1007 specify several additional requirements of Regulation SCI relating to recordkeeping and electronic filing and submission. As discussed below, the Commission has determined not to adopt the proposed provision regarding Commission access to the systems of an SCI entity because the Commission can adequately assess an SCI entity's compliance with Regulation SCI through existing recordkeeping requirements and examination authority, as well as through the new recordkeeping requirement in Rule 1005 of Regulation SCI. 1. Recordkeeping--Rules 1005-1007 a. Recordkeeping Related to Compliance With Regulation SCI--Rule 1005 Proposed Rule 1000(c) required SCI SROs to make, keep, and preserve all documents relating to their compliance with Regulation SCI, as prescribed in Rule 17a-1 under the Exchange Act. Proposed Rule 1000(c) required SCI entities other than SCI SROs to: Make, keep, and preserve at least one copy of all documents relating to their compliance with Regulation SCI; keep these documents for not less than five years, the first two years in a place that is readily accessible to the Commission or its representatives for inspection and examination; and promptly furnish to Commission representatives \1220\ copies of any of these documents upon request. Further, proposed Rule 1000(c) provided that, upon or immediately prior to ceasing to do business or ceasing to be registered under the Exchange Act, an SCI entity must ensure that the required records are accessible to the Commission and its representatives in a manner required by Rule 1000(c) for the remainder of the period required by Rule 1000(c). --------------------------------------------------------------------------- \1220\ As discussed above, the Commission has renamed the ARP Inspection Program the Technology Controls Program. See supra note 6. --------------------------------------------------------------------------- The Commission received one comment letter supporting proposed Rule 1000(c).\1221\ The Commission is adopting Rule 1000(c) as proposed, but re-designated as Rule 1005.\1222\ --------------------------------------------------------------------------- \1221\ See MSRB Letter at 25. As discussed above, some commenters suggested recordkeeping in lieu of certain Commission reporting requirements. See, e.g., supra note 881 and accompanying text. \1222\ The Commission notes that adopted Rule 1005 replaces the term ``SCI security systems'' with ``indirect SCI systems'' as described in more detail in Section IV.A.2.d. Furthermore, internal cross references to Rules 1000(c)(2)(i) and (c)(2)(ii) in Rule 1000(c)(2)(iii) were updated to paragraphs (b)(1) and (b)(2) of Rule 1005 in accordance with the renumbering of the rule. --------------------------------------------------------------------------- As noted in the SCI Proposal, SCI entities are already subject to recordkeeping requirements,\1223\ but records relating to Regulation SCI may not be specifically addressed in certain [[Page 72356]] current recordkeeping rules.\1224\ As adopted, Rule 1005 specifically addresses recordkeeping requirements for SCI entities with respect to records relating to Regulation SCI compliance. --------------------------------------------------------------------------- \1223\ See, e.g., 17 CFR 240.17a-1, applicable to SCI SROs; 17 CFR 240.17a-3 and 17a-4, applicable to broker-dealers; and 17 CFR 242.301-303, applicable to ATSs. It has been the experience of the Commission that SCI entities presently subject to the ARP Inspection Program (nearly all of whom are SCI SROs that are also subject to the recordkeeping requirements of Rule 17a-1(a)) do generally keep and preserve the types of records that would be subject to the requirements of Rule 1005. Nevertheless, the Commission continues to believe that Regulation SCI's codification of these preservation practices will support an accurate, timely, and efficient inspection and examination process and help ensure that all types of SCI entities keep and preserve such records. \1224\ See Proposing Release, supra note 13, at 18128. --------------------------------------------------------------------------- With respect to SCI SROs, Rule 17a-1(a) under the Exchange Act requires every national securities exchange, national securities association, registered clearing agency, and the MSRB to keep and preserve at least one copy of all documents, including all correspondence, memoranda, papers, books, notices, accounts, and other such records as shall be made and received by it in the course of its business as such and in the conduct of its self-regulatory activity.\1225\ In addition, Rule 17a-1(b) requires these entities to keep all such documents for a period of not less than five years, the first two years in an easily accessible place, subject to the destruction and disposition provisions of Rule 17a-6.\1226\ Rule 17a- 1(c) requires these entities, upon request of any representative of the Commission, to promptly furnish to the possession of Commission representatives copies of any documents required to be kept and preserved by it pursuant to Rules 17a-1(a) and (b).\1227\ Therefore, as noted in the SCI Proposal, the breadth of Rule 17a-1 under the Exchange Act is such that it would require SCI SROs to make, keep, and preserve records relating to their compliance with Regulation SCI.\1228\ The Commission continues to believe that it is appropriate to cross- reference Rule 17a-1 in Rule 1005 to be clear that all SCI entities are subject to the same recordkeeping requirements regarding compliance with Regulation SCI. The Commission also continues to believe that it is appropriate to adopt recordkeeping requirements for SCI entities other than SCI SROs that are consistent with the recordkeeping requirements applicable to SROs under Rule 17a-1 under the Exchange Act. The Commission believes it is important to require such records be kept at both SCI SROs and SCI entities other than SCI SROs because such records are essential to understanding whether an SCI entity is meeting its obligations under Regulation SCI, to assess whether an SCI entity has appropriate policies and procedures with respect to its technology systems, to help identify the causes and consequences of an SCI event, and to understand the types of material systems changes occurring at an SCI entity.\1229\ --------------------------------------------------------------------------- \1225\ See 17 CFR 240.17a-1(a). Such records would, for example, include copies of incident reports and the results of systems testing. \1226\ See 17 CFR 240.17a-1(b). Rule 17a-6(a) under the Exchange Act states: ``Any document kept by or on file with a national securities exchange, national securities association, registered clearing agency or the Municipal Securities Rulemaking Board pursuant to the Act or any rule or regulation thereunder may be destroyed or otherwise disposed of by such exchange, association, clearing agency or the Municipal Securities Rulemaking Board at the end of five years or at such earlier date as is specified in a plan for the destruction or disposition of any such documents if such plan has been filed with the Commission by such exchange, association, clearing agency or the Municipal Securities Rulemaking Board and has been declared effective by the Commission.'' 17 CFR 240.17a-6(a). \1227\ See 17 CFR 240.17a-1(c). \1228\ See Proposing Release, supra note 13, at 18128. \1229\ To achieve the goals for which the recordkeeping requirements are designed, and to comply with the recordkeeping requirements of Rule 17a-1 and Rule 1005 of Regulation SCI, SCI entities must ensure that the records that they make, keep, and maintain are complete and accurate. --------------------------------------------------------------------------- Further, as noted above, the definitions of SCI system and indirect SCI system include systems operated ``on behalf of'' an SCI entity by third parties. An SCI entity retains legal responsibility for systems operated on its behalf and, as such, is responsible for producing to Commission representatives records required to be made, kept, and preserved under Regulation SCI, even if those records are maintained by third parties, and the SCI entity is responsible for ensuring that such third parties produce those requested documents, upon examination or other request. Accordingly, the Commission believes that an SCI entity should have processes and requirements in place, such as contractual provisions with a third party, to ensure that it is able to satisfy the requirements of Regulation SCI for systems operated on its behalf by a third party, including the recordkeeping requirements in Rule 1005.\1230\ The Commission believes that if an SCI entity is unable to ensure compliance with Regulation SCI with regard to third party systems or recordkeeping, it should reassess its decision to outsource its systems or recordkeeping. --------------------------------------------------------------------------- \1230\ See also Rule 1007, which states that, if records required to be filed or kept by an SCI entity under Regulation SCI are prepared or maintained by a service bureau or other recordkeeping service on behalf of the SCI entity, the SCI entity is required to ensure that the records are available for review by the Commission and its representatives by submitting a written undertaking, in a form acceptable to the Commission, by such service bureau or other recordkeeping service, signed by a duly authorized person at such service bureau or other recordkeeping service. --------------------------------------------------------------------------- The Commission believes that Rule 1005 will facilitate its inspections and examinations of SCI entities and assist it in evaluating an SCI entity's compliance with Regulation SCI. In particular, Rule 1005 should facilitate Commission examination of SCI entities by helping to reduce delays in obtaining relevant records during an examination. Therefore, as noted in the SCI Proposal, the Commission's ability to examine for, and enforce compliance with, Regulation SCI could be hampered if an SCI entity were not required to adequately provide accessibility to its records for the full proposed retention period. Further, while many SCI events may occur, be discovered, and be resolved in a short time frame, there may be other SCI events that may not be discovered until months or years after their occurrences, or may take significant periods of time to fully resolve. In such cases, having an SCI entity's records available even after it has ceased to do business or be registered under the Exchange Act would be beneficial. Because SCI events have the potential to negatively impact trade execution, price discovery, liquidity, and investor participation, the Commission believes that its ability to oversee the securities markets could be undermined if it is unable to review records to determine the causes and consequences of one or more SCI events experienced by an SCI entity that deregisters or ceases to do business. This information should provide an additional tool to help the Commission reconstruct important market events and better understand how such events impacted trade execution, price discovery, liquidity, and investor participation. b. Service Bureau--Rule 1007 Proposed Rule 1000(e) required that, if the records required to be filed or kept by an SCI entity under Regulation SCI were prepared or maintained by a service bureau or other recordkeeping service on behalf of the SCI entity, the SCI entity ensure that the records are available for review by the Commission and its representatives by submitting a written undertaking, in a form acceptable to the Commission, by such service bureau or other recordkeeping service and signed by a duly authorized person at such service bureau or other recordkeeping service. Further, the written undertaking was required to include an agreement by the service bureau designed to permit the Commission and its representatives to examine such records at any time or from time to time during business hours, and to promptly furnish to the Commission and its representatives true, correct, and current electronic files in a form acceptable to the Commission or its representatives or hard copies of any, all, or any part of such records, [[Page 72357]] upon request, periodically, or continuously and, in any case, within the same time periods as would apply to the SCI entity for such records. Proposed Rule 1000(e) also provided that the preparation or maintenance of records by a service bureau or other recordkeeping service would not relieve an SCI entity from its obligation to prepare, maintain, and provide the Commission and its representatives with access to such records. The Commission did not receive any comments on proposed Rule 1000(e) and is adopting Rule 1000(e) as proposed, but re-designated as Rule 1007. As noted in the SCI Proposal, Rule 1007 is substantively the same as the requirement applicable to broker-dealers under Rule 17a- 4(i) of the Exchange Act.\1231\ The Commission continues to believe that this requirement will help ensure the Commission's ability to obtain required records that are held by a third party who may not otherwise have an obligation to make such records available to the Commission. In addition, the Commission continues to believe that the requirement that SCI entities obtain from such third parties a written undertaking will also help ensure that such service bureau or other recordkeeping service is aware of its obligation with respect to records relating to Regulation SCI. The Commission believes that this requirement will help ensure that the Commission has prompt and efficient access to all required records, including those housed at a service bureau or any other recordkeeping service.\1232\ --------------------------------------------------------------------------- \1231\ 17 CFR 240.17a-4(i). See Proposing Release, supra note 13, at 18129. \1232\ See 17 CFR 240.17a-4(i) (records preserved or maintained by a service bureau). --------------------------------------------------------------------------- 2. Electronic Filing and Submission of Reports, Notifications, and Other Communications--Rule 1006 Proposed Rule 1000(d) required that, except with respect to notifications to the Commission made pursuant to proposed Rule 1000(b)(4)(i) (Commission notification of certain SCI events) or oral notifications to the Commission made pursuant to proposed Rule 1000(b)(6)(ii) (Commission notification of certain material systems changes), any notification, review, description, analysis, or report to the Commission required under Regulation SCI be submitted electronically on Form SCI and include an electronic signature. Proposed Rule 1000(d) also required that the signatory to an electronically submitted Form SCI manually sign a signature page or document, in the manner prescribed by Form SCI, authenticating, acknowledging, or otherwise adopting his or her signature that appears in typed form within the electronic filing. This document would be required to be executed before or at the time Form SCI is electronically submitted and would be required to be retained by the SCI entity in accordance with the recordkeeping requirements of Regulation SCI. The Commission is adopting Rule 1000(d) substantially as proposed, as discussed below, but re-designated as Rule 1006. One commenter supported the electronic submission of Form SCI.\1233\ One commenter suggested that the Commission should make clear that Regulation SCI filings do not need to be made in a tagged data format such as XBRL, which could be costly.\1234\ Another commenter stated that the electronic signature requirement was appropriate only if the final rule included a safe harbor for good faith reporting of SCI events.\1235\ According to this commenter, the requirement that there be an electronic signature and a manual signature could put SCI entity personnel at risk if it is later determined that there were factual errors, omissions, or other flaws in the initial filing.\1236\ --------------------------------------------------------------------------- \1233\ See MSRB Letter at 25. \1234\ See OTC Markets Letter at 4. See also FINRA Letter at 28. \1235\ See Omgeo Letter at 20. \1236\ See id. --------------------------------------------------------------------------- After consideration of the comments, the Commission is adopting Rule 1000(d) substantially as proposed, and with updated internal cross references to reflect revisions to other aspects of Regulation SCI, as adopted. Specifically, Rule 1006 provides that notifications made pursuant to Rule 1002(b)(1) (immediate Commission notification of SCI events) and updates made pursuant to Rule 1002(b)(3) (updates regarding SCI events) are not required to be filed on Form SCI.\1237\ As noted in the SCI Proposal, Rule 1006 is intended to provide a uniform manner in which the Commission would receive--and SCI entities would provide-- written notifications, reviews, descriptions, analyses, or reports made pursuant to Regulation SCI.\1238\ Rule 1006 should therefore allow SCI entities to efficiently draft and submit the required reports, and for the Commission to efficiently review, analyze, and respond to the information provided.\1239\ In addition, the Commission believes that filing Form SCI in an electronic format would be less burdensome and more efficient for SCI entities and the Commission than mailing and filing paper forms.\1240\ Further, after considering comments regarding the burden of submitting Form SCI in a tagged data format such as XBRL, the Commission is not requiring the use of XBRL formatting for Form SCI. Rather, certain fields in Sections I-III of Form SCI will require information to be provided by SCI entities in a format that will allow the Commission to gather information in a structured manner (e.g., the submission type and SCI event type in Section I), whereas the exhibits to Form SCI will allow SCI entities to provide narrative responses, such as through a text format. Further, the Commission also is specifying that documents filed through the EFFS system must be in a text-searchable format without the use of optical character recognition. If, however, a portion of a Form SCI submission (e.g., an image or diagram) cannot be made available in a text-searchable format, such portion may be submitted in a non-text-searchable format.\1241\ The Commission believes that requiring documents to be submitted in a text-searchable format (with the limited exception noted) is necessary to allow Commission staff to efficiently review and analyze information provided by SCI entities. In particular, a text-searchable format allows Commission staff to better gather, analyze and use data submitted as exhibits, whereas a non-text-searchable format submission would require significantly more steps and labor to review and analyze data. The Commission notes that word processing and spreadsheet applications that are widely used by many businesses, including SCI entities, generate documents in this format. --------------------------------------------------------------------------- \1237\ See supra Section IV.B.3.c (discussing the Commission notification requirement for SCI events). Adopted Rule 1006 refers to an electronically ``filed'' Form SCI, rather than an electronically ``submitted'' Form SCI as proposed in Rule 1000(d)(1). This change clarifies that notices and reports required to be submitted under Regulation SCI are filings under the Exchange Act and Regulation SCI. See proposed and adopted 17 CFR 249.1900 (stating that Form SCI shall be used to ``file'' notices and reports as required by Regulation SCI). See also amended Rule 24b-2 (referring to material ``filed'' in electronic format on Form SCI). \1238\ See Proposing Release, supra note 13, at 18129-30. \1239\ See id. at 18130. \1240\ The Commission will implement Form SCI through the electronic form filing system (``EFFS'') currently used by SCI SROs to file Form 19b-4 filings. See Securities Exchange Act Release No. 50486 (October 4, 2004), 69 FR 60287 (October 8, 2004) (adopting the EFFS for use in filing Form 19b-4). See also Proposing Release, supra note 13, at 18130. \1241\ See General Instructions to Form SCI, Item A. --------------------------------------------------------------------------- As noted above, one commenter stated that the electronic signature requirement was appropriate only if the [[Page 72358]] final rule included a safe harbor for good faith reporting of SCI events. The Commission is adopting the electronic signature requirement as proposed. The Commission notes that, as discussed above in Section IV.B.3.c, immediate Commission notification following an SCI event and updates regarding the SCI event may be given orally; the 24-hour Commission notification is required to be made on a good faith, best efforts basis; and the final Commission notification is not required until the resolution of the SCI event and the completion of the SCI entity's investigation of the SCI event. The Commission also notes that the purpose of the electronic signature requirement on Form SCI is to ensure that the person submitting the form to the Commission has been properly authorized by the SCI entity to submit the form on its behalf.\1242\ Therefore, the electronic signature requirement would not put SCI entity personnel at risk if the SCI entity later determines that there were factual errors, omissions, or other flaws in the initial filing. As such, the Commission does not agree with the comment that the electronic signature requirement was appropriate only if the final rule included a safe harbor for good faith reporting of SCI events.\1243\ --------------------------------------------------------------------------- \1242\ Additionally, similar to use of the EFFS in the context of electronic filing of Form 19b-4, by using a digital ID for each duly authorized signatory providing an electronic signature, both the Commission and an SCI entity may be assured of the authenticity and integrity of the electronic filing of Form SCI. See infra Section V.D.2.e (noting the necessity of completing a form to gain access to EFFS). \1243\ The same rationale also applies to the requirement for manual signature in Rule 1006. --------------------------------------------------------------------------- Amendment To Facilitate Electronic Filing Requirements In addition, to permit implementation of Rule 1006,\1244\ the Commission is adopting an amendment to Rule 24b-2 under the Exchange Act.\1245\ Rule 24b-2 currently provides confidential treatment requests and the confidential portion of an electronic filing may be submitted in paper format only.\1246\ The Commission is amending Rule 24b-2 by amending the rule's preliminary note, and paragraph (b) of the rule to clarify that under Rule 24b-2, confidential treatment requests and the confidential portion of an electronic filing may be submitted in paper format only, unless Rule 24b-2 provides otherwise. The Commission also is adding a new paragraph (g) to Rule 24b-2 to provide an electronic means by which an SCI entity may request confidential treatment of its filings on Form SCI. New paragraph (g) will provide that an SCI entity's electronic filings on Form SCI pursuant to Regulation SCI must include any information with respect to which confidential treatment is requested (``confidential portion''), and provide that, in lieu of the procedures described in Rule 24b-2b, an SCI entity may request confidential treatment of all information submitted on Form SCI by completing Section IV of Form SCI. The Commission's amendment provides an exception from Rule 24b-2's paper- only request for confidential treatment for all Form SCI filings, and specifically permits an SCI entity to electronically request confidential treatment of all information filed on Form SCI in accordance with Regulation SCI. The Commission believes that allowing for electronic submission of confidential treatment requests will reduce the burden on SCI entities by not requiring a separate paper submission, and provided the confidential treatment request is properly made, will expedite Commission review of the requests for confidential treatment, as all information submitted on Form SCI will be deemed to be the subject of the request for confidential treatment. --------------------------------------------------------------------------- \1244\ See Rule 1006, 17 CFR 242.1006; see also General Instruction E to Form SCI (requiring Form SCI and exhibits to be filed electronically under Rule 1006). \1245\ 17 CFR 240.24b-2. \1246\ See 17 CFR 240.24b-2. --------------------------------------------------------------------------- If such a confidential treatment request is properly made, the Commission will keep the information collected pursuant to Form SCI confidential to the extent permitted by law.\1247\ --------------------------------------------------------------------------- \1247\ The Freedom of Information Act (``FOIA'') provides at least two pertinent exemptions under which the Commission has authority to withhold certain information. FOIA Exemption 4 provides an exemption for ``trade secrets and commercial or financial information obtained from a person and privileged or confidential.'' 5 U.S.C. 552(b)(4). FOIA Exemption 8 provides an exemption for matters that are ``contained in or related to examination, operating, or condition reports prepared by, on behalf of, or for the use of an agency responsible for the regulation or supervision of financial institutions.'' 5 U.S.C. 552(b)(8). --------------------------------------------------------------------------- 3. Access to the Systems of an SCI Entity Proposed Rule 1000(f) would have required each SCI entity to provide Commission representatives reasonable access to its SCI systems and SCI security systems to assess the SCI entity's compliance with Regulation SCI.\1248\ In the SCI Proposal, the Commission noted that the proposed rule would facilitate the access of representatives of the Commission to such systems of an SCI entity either remotely or on site, noting, for example, that with such access, Commission representatives could test an SCI entity's firewalls and vulnerability to intrusions.\1249\ Further, the Commission noted that the proposed rule was intended to be consistent with the Commission's current authority with respect to access to records generally \1250\ and could help ensure that Commission representatives have ready access to the SCI systems and SCI security systems of SCI entities in order to evaluate an SCI entity's practices with regard to the requirements of Regulation SCI.\1251\ As discussed below, the Commission has determined not to adopt the proposed requirement because it believes it can achieve the goal of the proposed rule through its existing recordkeeping requirements and examination authority, as well as through the new recordkeeping requirement in Rule 1005 of Regulation SCI. --------------------------------------------------------------------------- \1248\ See proposed Rule 1000(f) and Proposing Release, supra note 13, at Section III.D.3. \1249\ See Proposing Release, supra note 13, at 18130. \1250\ See Proposing Release, supra note 13, at 18130 (citing Section 17(b) of the Exchange Act, as well as Sections 11A, 6(b)(1), 15A(b)(2), and 17A(b)(3)(A) of the Exchange Act). \1251\ See Proposing Release, supra note 13, at 18130. --------------------------------------------------------------------------- Many commenters criticized the SCI Proposal's discussion of the proposed access requirement as permitting unfettered access by third parties that could pose significant security risks to an SCI entity's systems.\1252\ Potential issues identified by commenters included unauthorized access to confidential information,\1253\ risk and damage to systems,\1254\ and contractual issues with third party vendors.\1255\ One commenter stated that the Commission should bear in mind that access to such highly sensitive environments of SCI entities carries a duty of care commensurate with the sensitivity of the access and information involved.\1256\ --------------------------------------------------------------------------- \1252\ See, e.g., NYSE Letter at 34; BATS Letter at 15; ISE Letter at 10; MSRB Letter at 25-26; Omgeo Letter at 28-29; SIFMA Letter at 18-19; FIF Letter at 7; Fidelity Letter at 5-6; LiquidPoint Letter at 4; ITG Letter at 16; KCG Letter at 20-21; Joint SROs Letter at 17-18; OCC Letter at 20; UBS Letter at 5; Tellefsen Letter at 10; and FINRA Letter at 41. \1253\ See, e.g., FINRA Letter at 41; and Omgeo Letter at 29. \1254\ See, e.g., Omgeo Letter at 29; and ITG Letter at 16. \1255\ See, e.g., SIFMA Letter at 19. \1256\ See OCC Letter at 20. --------------------------------------------------------------------------- While several commenters advocated for the elimination of the proposed access provision,\1257\ some commenters recommended ways to refine the proposed requirement while still achieving its goals.\1258\ These [[Page 72359]] suggestions included: Limiting the category of Commission staff to whom access could be provided; \1259\ providing the Commission with access to ``configuration and information flows of the system, instead of direct access;'' \1260\ providing the Commission with reports and metrics on systems vulnerabilities rather than direct access; \1261\ requiring only that SCI entities demonstrate for Commission staff their controls and safeguards and compliance with the rule; \1262\ mandating training of Commission staff and supervision of Commission staff access by SCI entity personnel; \1263\ and requiring that an SCI entity's staff conduct any tests while Commission staff observed, rather than providing Commission staff with direct access.\1264\ One commenter also noted that the concept of reasonable access was vague.\1265\ Other commenters asked that the Commission more clearly prescribe what would constitute ``reasonable access.'' \1266\ One commenter also recommended that SCI entities provide an individual contact for a designated Commission representative to communicate and meet with regarding an SCI entity's systems.\1267\ --------------------------------------------------------------------------- \1257\ See, e.g., ITG Letter at 16; and CME Letter at 11. \1258\ See, e.g., NYSE Letter at 34; OCC Letter at 20; ISE Letter at 10; DTCC Letter at 14; CME Letter at 11; Omgeo Letter at 29; Joint SROs Letter at 18; and MSRB Letter at 26. \1259\ See, e.g., NYSE Letter at 34. \1260\ See NYSE Letter at 34. \1261\ See, e.g., ISE Letter at 10; DTCC Letter at 14; OCC Letter at 20; and CME Letter at 11. \1262\ See, e.g., Omgeo Letter at 28-29; and DTCC Letter at 14. \1263\ See MSRB Letter at 26. \1264\ See OCC Letter at 20. \1265\ See, e.g., ITG Letter at 16. \1266\ See, e.g., MSRB Letter at 26; Joint SROs Letter at 18; and FINRA Letter at 41. \1267\ See SIFMA Letter at 19. --------------------------------------------------------------------------- A few commenters also questioned whether the proposed access requirement is authorized by Section 17(b) or Section 11A of the Exchange Act, as stated in the SCI Proposal.\1268\ Other commenters considered the proposed access requirement unnecessary and questioned the Commission's justification for needing this authority.\1269\ Another commenter pointed out that this type of access is authorized by other sections of the Exchange Act and an additional provision in Regulation SCI is redundant.\1270\ --------------------------------------------------------------------------- \1268\ See NYSE Letter at 34; BATS Letter at 15; and CME Letter at 11. \1269\ See FINRA Letter at 41; BATS Letter at 15; Omgeo Letter at 28-29; and Fidelity Letter at 5. \1270\ See Angel Letter at 18. --------------------------------------------------------------------------- After consideration of the views of commenters, the Commission has determined not to adopt the proposed reasonable access provision because it believes it can achieve its goals through existing recordkeeping requirements and its examination authority, as well as through the new recordkeeping requirement in Rule 1005 of Regulation SCI. As discussed in the SCI Proposal, the reasonable access provision was designed to help ensure that the Commission was able to evaluate an SCI entity's practices with regard to the requirements of proposed Regulation SCI.\1271\ The Commission believes that it can adequately assess an SCI entity's compliance with Regulation SCI through its authority provided by existing provisions of the Exchange Act and rules thereunder, as well as through the additional recordkeeping provisions being adopted today in Rule 1005 of Regulation SCI, as described above. In this regard, as discussed above, Section 17(a) of the Exchange Act provides the Commission with the authority to adopt recordkeeping rules, and the breadth of Rule 17a-1 thereunder is such that it would require SCI SROs to make, keep, and preserve records relating to their compliance with Regulation SCI, including records produced by SCI systems and indirect SCI systems.\1272\ Further, adopted Rule 1005 specifically imposes requirements on each SCI entity (other than SCI SROs) to, among other things: Make, keep, and preserve at least one copy of all documents relating to its compliance with Regulation SCI; keep all such documents for a period of not less than five years, the first two years in a place that is readily accessible to the Commission or its representatives for inspection and examination; and upon request of any representative of the Commission, promptly furnish to the possession of such representative copies of any documents required to be kept and preserved by it pursuant to Rules 1005(b)(1) and (2).\1273\ The Commission also notes that Section 17(b) of the Exchange Act authorizes the Commission to conduct reasonable periodic, special, or other examinations of all records maintained by the entities described in Section 17(a).\1274\ These examinations can be conducted ``at any time, or from time to time,'' as the Commission ``deems necessary or appropriate in the public interest, for the protection of investors, or otherwise in furtherance of the purposes of [the Exchange Act].'' \1275\ --------------------------------------------------------------------------- \1271\ See Proposing Release, supra note 13, at 18130. \1272\ See supra note 1251 and accompanying text. \1273\ See supra Section IV.C.1 (discussing recordkeeping requirements of adopted Rule 1005). As noted above, the recordkeeping requirements also extend to records of third parties. Specifically, an SCI entity is responsible for producing to Commission representatives records required to be made, kept, and preserved under Regulation SCI, even if those records are maintained by third parties, and the SCI entity is responsible for ensuring that such third parties produce those requested documents, upon examination or other request. See id. \1274\ See Section 17(b) of the Exchange Act, 15 U.S.C. 78q(b). \1275\ Id. --------------------------------------------------------------------------- Taken together, the Commission believes that these provisions afford the Commission the authority and ability to assess SCI entities' compliance with the requirements of Regulation SCI, rendering the adoption of a reasonable access provision unnecessary. Pursuant to this authority, in some circumstances, the Commission's assessment of an SCI entity's compliance may require appropriate access to certain SCI systems in coordination with the relevant SCI entity. In particular, the Commission's ability to assess the accuracy and completeness of an SCI entity's records with regard to Regulation SCI, including the written policies and procedures established and maintained pursuant to Rule 1001 and the report of the SCI review prepared in accordance with Rule 1003(b), and to evaluate whether SCI entities are otherwise complying with Regulation SCI, may necessitate the observation of SCI systems and indirect SCI systems by Commission representatives.\1276\ --------------------------------------------------------------------------- \1276\ The Commission notes that, under the ARP Inspection Program, such access has been routinely requested by Commission staff and provided by ARP entities. --------------------------------------------------------------------------- The Commission believes that such access would not require an SCI entity to agree to remote or direct access by Commission personnel to an SCI entity's systems, such as by permitting Commission staff to run tests or use system scanning tools on its SCI systems or indirect SCI systems. Rather, as suggested by some commenters, access would entail allowing Commission staff to observe the SCI entity's SCI systems and indirect SCI systems with appropriate safeguards, including through systems demonstrations for Commission staff performed by the SCI entity and running tests on an SCI system with Commission staff onsite to observe.\1277\ The Commission believes that such access does not raise the potential security risks posed by unrestricted third party access to SCI systems.\1278\ --------------------------------------------------------------------------- \1277\ See supra notes 1262 and 1264 and accompanying text. \1278\ The Commission believes that the elimination of the proposed reasonable access provision addresses the other comments on this provision. --------------------------------------------------------------------------- D. Form SCI Pursuant to proposed Rule 1000(d), subject to certain exceptions, notices, reports, and other information required [[Page 72360]] to be provided to the Commission under Regulation SCI would have been required to be submitted electronically through the EFFS on proposed Form SCI.\1279\ Proposed Form SCI included detailed instructions regarding the specific information that SCI entities would have been required to submit to the Commission. After careful consideration of comments, the Commission is adopting Form SCI with certain modifications, as further discussed below. These modifications to proposed Form SCI correspond to the changes to the Commission notification and reporting requirements as adopted, each of which is discussed in greater detail above.\1280\ --------------------------------------------------------------------------- \1279\ Proposed Rule 1000(d) provided exceptions for notifications under proposed Rule 1000(b)(4)(i) and oral notifications pursuant to proposed Rule 1000(b)(6)(ii). \1280\ See supra Sections IV.B.3.c, IV.B.4, and IV.B.5 (discussing the reporting requirements of the adopted regulation). See also supra Section IV.B.6 (discussing the business continuity and disaster recovery plans testing requirement for SCI entity members or participants, and elimination of the proposed Commission notification requirement related to member or participation designations). --------------------------------------------------------------------------- Adopted Rule 1006 provides that, except with respect to notifications to the Commission made pursuant to Rule 1002(b)(1) or updates to the Commission made pursuant to Rule 1002(b)(3), all notifications, reviews, descriptions, analyses, or reports to the Commission required to be submitted under Regulation SCI must be filed electronically on Form SCI. Form SCI solicits information through a series of questions designed to elicit short-form answers, but also requires SCI entities to provide information and/or reports in narrative form by attaching specified exhibits. All filings on Form SCI require that an SCI entity identify itself and indicate the basis for submitting the form. Specifically, an SCI entity would indicate on the form the specific type of submission it is making: A notification regarding an SCI event pursuant to Rule 1002(b)(2); a final report or interim status report regarding an SCI event pursuant to Rule 1002(b)(4); a quarterly report on de minimis systems disruptions and de minimis systems intrusions pursuant to Rule 1002(b)(5)(ii); a quarterly report of material systems changes pursuant to Rule 1003(a)(1); a supplemental report of material system changes pursuant to Rule 1003(a)(2); or a submission of the report of an SCI review, together with any response by senior management, pursuant to Rule 1003(b)(3). In addition, Form SCI permits, but does not require, SCI entities to utilize the form to submit initial notifications of SCI events pursuant to Rule 1002(b)(1), as well as updates regarding SCI events pursuant to Rule 1002(b)(3). Moreover, if an SCI entity decides to withdraw a previously submitted Form SCI, it would complete page 1 of Form SCI and select the appropriate check box to indicate the withdrawal. A filing on Form SCI also requires that an SCI entity provide additional information on attached exhibits, as discussed below. Because Form SCI is a report that is required to be filed under the Exchange Act and Regulation SCI, it is unlawful for any person to willfully or knowingly make, or cause to be made, a false or misleading statement with respect to any material fact in Form SCI.\1281\ --------------------------------------------------------------------------- \1281\ See, e.g., Section 32(a) of the Exchange Act, 15 U.S.C. 78ff(a). --------------------------------------------------------------------------- Several commenters addressed the information required by Form SCI as well as the submission process for the form. One commenter asked a number of questions on how the submission process would work in practice, including: (i) Whether the form would be rejected by the Commission if information was missing; (ii) whether the Commission would deem it a failure to comply with Regulation SCI if a Form SCI is rejected for incompleteness and the SCI entity is unable to resubmit within the applicable reporting time frame; (iii) how SCI entities would update or correct information previously submitted on Form SCI; (iv) will the EFFS system be available for Form SCI submissions during non-business hours and whether there is an alternative means to submit notifications if the EFFS system is down or unavailable; (v) who at the Commission would be reviewing submissions and whether they would be familiar with technical jargon; and (vi) whether the SCI entities will be expected to attach documentation supporting the descriptions provided in the exhibits.\1282\ The commenter also expressed several concerns, including: (i) The amount of time it would take SCI entities to master the new submission process for proposed Form SCI and suggested a delayed implementation or transition period; (ii) that the form could encourage SCI entities to guess where they are missing information if a form could be rejected for incomplete information; (iii) that a submission that needs to be updated or corrected would not be considered timely filed; (iv) that the updating procedure could become burdensome if the SCI entity needed to explain the reason for any changes to information previously provided; and (v) that submissions would be more burdensome if technical notifications and reports needed to be translated into plain English.\1283\ Another commenter requested that the electronic filing system that the Commission puts in place to receive Form SCI submissions be made available on weekends and outside normal business hours.\1284\ This commenter also suggested that the Commission remain open to changes to Form SCI as it and SCI entities gain experience with the use of Form SCI and that the Commission should work with SCI entities to test the electronic submission system to ensure its operational capability.\1285\ --------------------------------------------------------------------------- \1282\ See FINRA Letter at 28-30. \1283\ See id. \1284\ See MSRB Letter at 19, 25. See also FINRA Letter at 29 (questioning whether the EFFS system would be available during non- business hours for Form SCI submissions). \1285\ See MSRB Letter at 25-26. --------------------------------------------------------------------------- The Commission has considered these comments and has addressed many of the issues raised by commenters by revising the substantive requirements of adopted Rules 1002 and 1003, as well as making certain changes to the adopted form. With respect to a commenter's question regarding whether a Form SCI would be rejected if information was missing,\1286\ as stated in the General Instructions for Form SCI, an SCI entity must provide all information required by the form, including the exhibits. The General Instructions for Form SCI also state that a filing that is incomplete or similarly deficient may be returned to the SCI entity, and any filing so returned will be deemed not to have been filed with the Commission.\1287\ In response to the commenter who expressed concern that a submission that needed to be updated or corrected would not be considered timely filed, the Commission notes that an SCI entity is responsible for submitting a complete and correct Form SCI within the time period specified in the relevant provisions under Regulation SCI.\1288\ At the same time, the Commission notes [[Page 72361]] that, while the SCI event notification under Rule 1002(b)(2) is required to be provided within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that an SCI event occurred, information for such notifications is only required to be provided on a good faith, best efforts basis. For other types of notifications and reports required to be submitted on Form SCI, SCI entities have more time to prepare such submission, and to ensure that the information provided is complete and correct. --------------------------------------------------------------------------- \1286\ See supra note 1282 and accompanying text. \1287\ While the Commission has the ability to reject a Form SCI filing, the Commission notes that the Form SCI submission process is different from the Form 19b-4 filing process. Specifically, SCI entities file Form SCI to provide notification to the Commission regarding SCI events and material systems changes, and reports of SCI reviews. On the other hand, SROs file Form 19b-4 for immediately effective rule changes or to seek Commission approval of rule changes. Therefore, the process for rejecting a Form 19b-4 filing does not apply to Form SCI submissions. \1288\ With respect to a commenter's concern that SCI entities may have to guess where information is missing if a form could be rejected for incomplete information, the Commission intends there to be communication between Commission staff and SCI entity personnel in instances where a Form SCI is rejected to discuss the information missing in the submission and anything else necessary to comply with the form requirements. See supra note 1283 and accompanying text. --------------------------------------------------------------------------- With respect to a commenter's question regarding how SCI entities would update or correct information previously submitted on Form SCI, the Commission notes that the rules under Regulation SCI already provide for updates for many of the Form SCI submissions. Specifically, Rule 1002(b)(2) requires certain information to be submitted on a good faith, best efforts basis within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred. Rule 1002(b)(3) requires SCI entities to provide updates regarding SCI events until the SCI event is resolved and the SCI entity's investigation of the SCI event is closed.\1289\ As such, SCI entities may use the updates under Rule 1002(b)(3) to correct or update previously submitted information. Also, Rule 1003(a)(2) requires SCI entities to submit supplemental reports to notify the Commission of any material error in or material omission from a previously submitted material systems change report. --------------------------------------------------------------------------- \1289\ As discussed in detail in Section IV.B.3.c above, Rule 1002(b)(3) allows SCI entities to discuss the update with Commission staff orally, rather than by completing the form, although an SCI entity may use Form SCI if it chooses to do so. To the extent an SCI entity chooses to utilize the form for such updates, the written updates can facilitate the Commission's tracking and assessment of SCI events. --------------------------------------------------------------------------- With respect to the Form SCI submissions where the rules do not specifically provide for updates (i.e., SCI event notifications under Rule 1002(b)(4), quarterly SCI event notifications under Rule 1002(b)(5), report of SCI reviews under Rule 1003(b)(3)), if an SCI entity discovers that a previously submitted Form SCI must be corrected or updated, the SCI entity should contact Commission staff as it corrects or updates the prior submission. In addition, an SCI entity will be able to withdraw and re-submit a previously submitted Form SCI.\1290\ However, as noted above, an SCI entity is responsible for submitting a complete and correct Form SCI within the time period specified in the relevant provisions under Regulation SCI.\1291\ --------------------------------------------------------------------------- \1290\ See General Instructions to Form SCI, Item F. \1291\ As noted above, one commenter expressed concern that an updating procedure could become burdensome if the SCI entity needs to explain the reason for any changes to information previously provided. See supra note 1283 and accompanying text. The Commission notes that, with respect to rules under Regulation SCI that require updates, those rules specify the information that is required to be contained in an update, and do not require an explanation of the reason for the update. With respect to the Form SCI submissions where the rules do not specifically provide for updates, as noted above, the SCI entity can contact Commission staff as the SCI entity corrects or updates the prior submission. --------------------------------------------------------------------------- In addition, in response to comments,\1292\ the Commission notes that Form SCI does not require SCI entities to attach documentation supporting the descriptions in the exhibits, although SCI entities will be able to do so if they so choose by attaching the documentation as part of the relevant exhibit. Moreover, in response to the commenter who asked who at the Commission would be reviewing submissions and whether they would be familiar with technical jargon, the Commission notes that appropriate Commission staff from different offices or divisions with the necessary expertise to understand the Form SCI submission will review it depending on the nature of the submission (i.e., legal or technical), and thus, it is not necessary for SCI entities to translate technical jargon into plain English. --------------------------------------------------------------------------- \1292\ See supra notes 1282-1283 and accompanying text. --------------------------------------------------------------------------- In response to the commenter who expressed concern as to the amount of time it would take SCI entities to master the Form SCI submission process and suggested delayed implementation, the Commission believes that, by utilizing the EFFS system currently used by many SROs for Rule 19b-4 and Rule 19b-7 filings, it will allow for a quicker and smoother implementation of the Form SCI submission process for certain SCI entities, and allow the Commission to apply its experience with EFFS to facilitate the submissions of notifications and reports required by Regulation SCI. Nevertheless, the Commission notes that it is delaying the date for compliance with Regulation SCI, as discussed in Section IV.F below. The Commission does not expect that the Form SCI submission process will require substantial time for SCI entities to master and the delayed date for compliance with Regulation SCI provides SCI entities with more time to learn and adopt it. With respect to commenters' question regarding whether the EFFS system will be available during non-business hours and whether there is an alternative means to submit notifications if the EFFS system is down or unavailable,\1293\ the Commission notes that, as is the case with Rule 19b-4 and Rule 19b-7 filings, EFFS is available 24 hours a day. If EFFS becomes unavailable for a period of time, the Commission recognizes that SCI entities will not be able to submit any required notifications during that time period, and the Commission would expect the SCI entities to file any required notifications promptly once it becomes available. In response to the commenter who suggested that the Commission remain open to changes to Form SCI and that the Commission work with SCI entities to test the electronic submission system to ensure its operational capability, the Commission expects, as it has done with the SRO rule filing process, to periodically evaluate the effectiveness of the submission process for Form SCI, as well as the form itself, and may consider improvements in the future as appropriate.\1294\ The Commission also notes that it expects, prior to the compliance date, that its staff will provide materials to SCI entities regarding the operation of the electronic filing system to submit Forms SCI. Furthermore, the Commission will perform internal testing to help ensure the operational capability of EFFS prior to the compliance date. --------------------------------------------------------------------------- \1293\ See supra notes 1282, 1284 and accompanying text. \1294\ See supra note 1285 and accompanying text. --------------------------------------------------------------------------- 1. Notice of SCI Events Pursuant to Rule 1002(b) Proposed Rule 1000(b)(4) would have required each SCI entity to submit certain information regarding SCI events to the Commission using proposed Form SCI.\1295\ The Commission is adopting proposed Rule 1000(b)(4) as Rule 1002(b) with certain modifications, which are discussed above in Section IV.B.3.c. --------------------------------------------------------------------------- \1295\ Proposed Rule 1000(d) provided an exception for notifications under proposed Rule 1000(b)(4)(i). --------------------------------------------------------------------------- With respect to Commission notifications under Rule 1002, adopted Form SCI requires an SCI entity to provide the following information in a short, standardized format: (i) Whether the Commission has previously been notified of the SCI event pursuant to Rule 1002(b)(1); (ii) the type of submission (i.e., an initial notification pursuant to Rule 1002(b)(1), a notification pursuant to Rule 1002(b)(2), an update pursuant to Rule 1002(b)(3), a final report pursuant to Rule 1002(b)(4), or an interim status report [[Page 72362]] pursuant to Rule 1002(b)(4)); (iii) the type(s) of SCI event (i.e., systems compliance issue, systems disruption, or systems intrusion); \1296\ (iv) the date/time the SCI event occurred; (v) the duration of the SCI event; (vi) when responsible SCI personnel had a reasonable basis to conclude that an SCI event occurred; (vii) whether the SCI event has been resolved and, if so, the date/time of resolution; (viii) whether the SCI entity's investigation of the SCI event is closed and, if so, the date of closure; (ix) the estimated number of market participants potentially impacted by the SCI event; (x) whether the SCI event is a major SCI event; (xi) the types of systems impacted (i.e., trading, clearance and settlement, order routing, market data, market regulation, market surveillance, or indirect SCI systems) and the name of such system(s); and (xii) whether any critical SCI system(s) are impacted by the SCI event and, if so, the types of such critical SCI systems (i.e., systems that directly support functionality relating to: Clearance and settlement systems of clearing agencies; openings, reopenings, and closings on the primary listing market; trading halts; initial public offerings; the provision of consolidated market data; exclusively listed securities; or systems that provide functionality to the securities markets for which the availability of alternatives is significantly limited or nonexistent and without which there would be a material impact on fair and orderly markets) and a description of such systems. --------------------------------------------------------------------------- \1296\ Some SCI events may meet the definition of more than a single SCI event type, and the form permits SCI entities to check one, two, or all three SCI event types. --------------------------------------------------------------------------- If an SCI entity chooses to utilize Form SCI to submit an initial notification required by Rule 1002(b)(1), an SCI entity will be able to submit a short description of the SCI event, and be allowed to attach documents regarding such SCI event as part of Exhibit 6 of Form SCI if the SCI entity chooses to do so. For a notification required by Rule 1002(b)(2), in addition to providing the applicable standardized information on Form SCI as discussed above, an SCI entity is required to submit an Exhibit 1. An SCI entity is required to provide the following information on a good faith, best efforts basis in the Exhibit 1: (i) A description of the SCI event, including the system(s) affected; and (ii) to the extent available as of the time of notification, the SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event. If an SCI entity chooses to utilize Form SCI to submit an update required by Rule 1002(b)(3), an SCI entity will be able to submit a short description of the update, and be allowed to attach documents regarding such update as part of Exhibit 6 of Form SCI if the SCI entity chooses to do so. For a submission required by Rule 1002(b)(4), in addition to providing the applicable standardized information on Form SCI as discussed above, adopted Form SCI also requires an SCI entity to indicate if it is a final report or an interim status report and submit an Exhibit 2. If an SCI event is resolved and the SCI entity's investigation of the SCI event is closed within 30 calendar days of the occurrence of the SCI event, an SCI entity must file a final report under Rule 1002(b)(4)(i)(A) within five business days after the resolution of the SCI event and closure of the investigation regarding the SCI event. However, if an SCI event is not resolved or the SCI entity's investigation of the SCI event is not closed within 30 calendar days of the occurrence of the SCI event, an SCI entity must file an interim status report under Rule 1002(b)(4)(i)(B)(1) within 30 calendar days after the occurrence of the SCI event. For SCI events in which an interim status report is required to be filed, an SCI entity must file a final report under Rule 1002(b)(4)(i)(B)(2) within five business days after the resolution of the SCI event and closure of the investigation regarding the SCI event. For any submission required by Rule 1002(b)(4), an SCI entity is required to provide the following information in the Exhibit 2: (i) A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; (ii) a copy of any information disseminated pursuant to Rule 1002(c) by the SCI entity to date regarding the SCI event to any of its members or participants; and (iii) an analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. As noted above, if an SCI entity submits an interim written notification under Rule 1000(b)(4)(i)(B), the SCI entity is required to provide the information specified in Exhibit 2, but only to the extent known at the time. The SCI entity is also required to subsequently submit a final report under Rule 1000(b)(4)(i)(B) and provide all the information specified in Exhibit 2. Rule 1002(b)(5) states that the Commission notification requirements under Rules 1002(b)(1)-(4) do not apply to any SCI event that has had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity's operations or on market participants. Rule 1002(b)(5)(i) instead requires that an SCI entity make, keep, and preserve records relating to all such SCI events and Rule 1002(b)(5)(ii) requires an SCI entity to submit to the Commission quarterly reports containing a summary description of such de minimis systems disruptions and de minimis systems intrusions. For a quarterly report required by Rule 1002(b)(5), an SCI entity is required to indicate the end date of the applicable calendar quarter for which the report is being submitted. The SCI entity is also required to submit an Exhibit 3, containing a summary description of such de minimis systems disruptions and de minimis systems intrusions, including the SCI systems and, for systems intrusions, the indirect SCI systems, affected by such de minimis systems disruptions and de minimis systems intrusions during the applicable calendar quarter. 2. Notices of Material Systems Changes Pursuant to Rule 1003(a) Proposed Rule 1000(b)(6) would have required an SCI entity to provide advance Commission notifications of material systems changes. Proposed Rule 1000(b)(8)(ii) would have required an SCI entity to submit to the Commission semi-annual reports on material systems changes. As discussed in detail in Section IV.B.4 above, many commenters were critical of the proposed reporting framework with respect to material systems changes, including the 30-day advance notification procedure. After considering the views of commenters, the Commission is not adopting the 30-day advance notification requirement or the semi-annual reporting requirement [[Page 72363]] for material systems changes. Rather, an SCI entity is required to submit quarterly reports for material systems changes under Rule 1003(a)(1). An SCI entity is also required under Rule 1003(a)(2) to promptly submit a supplemental report notifying the Commission of a material error in or material omission from a report previously submitted under Rule 1003(a). One commenter raised a concern that an advance notification could be rejected by the Commission for inadequate description and result in a delay to a planned systems change.\1297\ As noted above in Section IV.B.4, the Commission is adopting a quarterly reporting system that does not require the advanced notification of individual planned material systems changes required by proposed Rule 1000(b)(6). The adopted framework is intended to keep the Commission and its staff apprised of systems changes at SCI entities while reducing the burdens related to notifying the Commission of such changes and allowing for the various types of development processes used by SCI entities (including agile development processes). Also, as noted above in Section IV.B.4, Regulation SCI does not provide for a new review or approval process for SCI entities' material systems changes. As such, Commission staff will not use material systems change reports to require any approval of prospective systems changes in advance of their implementation pursuant to any provision of Regulation SCI, or to delay implementation of material systems changes pursuant to any provision of Regulation SCI.\1298\ --------------------------------------------------------------------------- \1297\ See SIFMA Letter at 16. \1298\ At the same time, the Commission notes that the General Instructions for Form SCI state that a filing that is incomplete or similarly deficient may be returned to the SCI entity, and any filing so returned will be deemed not to have been filed with the Commission. --------------------------------------------------------------------------- For a notification required by Rule 1003(a) (including supplemental reports under Rule 1003(a)(2)), an SCI entity is required to indicate the end date of the applicable calendar quarter for which the report is being submitted and submit an Exhibit 4. For a notification required by Rule 1003(a)(1), Exhibit 4, is required to contain a description of completed, ongoing, and planned material changes to its SCI systems and the security of its indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion. For a notification required by Rule 1003(a)(2), Exhibit 4 is required to contain the supplemental report of a material error in or material omission from a report previously submitted under Rule 1003(a)(1).\1299\ --------------------------------------------------------------------------- \1299\ See General Instructions to Form SCI, Item C. --------------------------------------------------------------------------- 3. Reports of SCI Reviews Pursuant to 1003(b) Proposed Rule 1000(b)(8)(i) would have required an SCI entity to submit to the Commission a report of the SCI review required by proposed Rule 1000(b)(7), together with any response by senior management, within 60 calendar days after its submission to senior management of the SCI entity. As discussed above in Section IV.B.5, the Commission is adopting this Commission reporting requirement as proposed. There were no comments on proposed Form SCI with respect to reports of SCI reviews. For a notification required by Rule 1003(b), an SCI entity is required to indicate on Form SCI the date of completion of the SCI review and the date of submission of the SCI review to the SCI entity's senior management. An SCI entity is also required to submit an Exhibit 5, containing the report of the SCI review that was submitted to the SCI entity's senior management, along with any response to the report by senior management.\1300\ --------------------------------------------------------------------------- \1300\ As discussed in Section IV.B.5, the SCI review would contain: (1) A risk assessment with respect to SCI systems and indirect SCI systems of an SCI entity; and (2) an assessment of internal control design and effectiveness of SCI systems and indirect SCI systems to include logical and physical security controls, development processes, and information technology governance, consistent with industry standards. --------------------------------------------------------------------------- 4. Notification of Member or Participant Designation Standards and List of Designees Proposed Rule 1000(b)(9) would have required an SCI entity to notify the Commission of its members or participants that have been designated for business continuity and disaster recovery plans testing, as well as the standards for such designation. Proposed Rule 1000(b)(9) would have also required SCI entities to promptly update such notification after any changes to its list of designees or standards for designation. As discussed above in Section IV.B.6, the Commission is not adopting these Commission notification requirements. 5. Other Information and Electronic Signature Proposed Form SCI would have required an SCI entity to provide the Commission with contact information for the systems personnel, regulatory personnel, and senior officer responsible for addressing an SCI event, including the name, title, telephone number, and email address of such persons. Proposed Form SCI would also have given the SCI entity an option to provide contact information for an additional systems personnel and regulatory personnel. Finally, proposed Form SCI would have required an electronic signature to help ensure the authenticity of the Form SCI submission. Adopted Form SCI more generally requires an SCI entity to provide contact information for a person who is prepared to respond to questions for a particular submission. Form SCI continues to require an electronic signature to help ensure the authenticity of the Form SCI submission. The Commission believes that these requirements will expedite communications between Commission staff and SCI entities, because they will help identify the person or persons responsible for communicating with Commission staff about an SCI event even though one or more other persons may be responsible for addressing and resolving the SCI event, and also help ensure that only authorized personnel at each SCI entity submit filings required by adopted Regulation SCI. E. Other Comments Received 1. Applying Regulation SCI to Security-Based Swap Data Repositories and Security-Based Swap Execution Facilities As noted in the SCI Proposal, on July 21, 2010, the President signed the Dodd-Frank Act into law.\1301\ The Dodd-Frank Act was enacted, among other things, to promote the financial stability of the United States by improving the accountability and transparency of the nation's financial system.\1302\ Title VII of the Dodd-Frank Act provides the Commission and the CFTC with the authority to regulate over-the-counter derivatives. --------------------------------------------------------------------------- \1301\ The Dodd-Frank Wall Street Reform and Consumer Protection Act (Pub. L. 111-203, H.R. 4173) (``Dodd-Frank Act''). \1302\ See Dodd-Frank Act Preamble. --------------------------------------------------------------------------- In particular, as noted in the SCI Proposal, Section 763 of the Dodd-Frank Act amends the Exchange Act by adding new statutory provisions to govern the regulation of various entities, including security-based swap data repositories (``SB SDRs'') and security-based swap execution facilities (``SB SEFs'').\1303\ [[Page 72364]] Under the authorities of Section 13(n) of the Exchange Act, applicable to SB SDRs, and Section 3D(d) of the Exchange Act, applicable to SB SEFs, the Commission proposed rules for these entities with regard to their automated systems' capacity, resiliency, and security.\1304\ In the SB SDR Proposing Release and the SB SEF Proposing Release, respectively, the Commission proposed Rule 13n-6 and Rule 822 under the Exchange Act, which would set forth the requirements for these entities with regard to their automated systems' capacity, resiliency, and security. In each release, the Commission stated that it was proposing standards comparable to the standards applicable to SROs, including exchanges and clearing agencies, and other registrants, pursuant to the Commission's ARP standards.\1305\ The SCI Proposal described in detail the SB SDR and SB SEF proposals relating to systems' capacity, resiliency, and security; the comments received on those proposals; and the differences between proposed Regulation SCI and those proposals.\1306\ --------------------------------------------------------------------------- \1303\ See Dodd-Frank Act, Section 763 (adding Sections 13(n), 3C, and 3D of the Exchange Act). The Dodd-Frank Act also directs the Commission to harmonize to the extent possible Commission regulation of SB SDRs and SB SEFs with CFTC regulation of swap data repositories (``SDRs'') and swap execution facilities (``SEFs'') under the CFTC's jurisdiction, an endeavor that Commission staff is undertaking as it seeks to move the SB SDR and SB SEF proposals toward adoption. See Dodd-Frank Act, Section 712 (directing the Commission, before commencing any rulemaking with regard to SB SDRs or SB SEFs, to consult and coordinate with the CFTC for purposes of assuring regulatory consistency and comparability to the extent possible). \1304\ See Securities Exchange Act Release Nos. 63347 (November 19, 2010), 75 FR 77306 (December 10, 2010) (proposing new Rule 13n-6 under the Exchange Act applicable to SB SDRs) (``SB SDR Proposing Release''); 63825 (February 2, 2011), 76 FR 10948 (February 28, 2011) (proposing new Rule 822 under the Exchange Act applicable to SB SEFs) (``SB SEF Proposing Release''). See also Dodd-Frank Act, Section 761(a) (adding Section 3(a)(75) of the Exchange Act) (defining the term ``security-based swap data repository''), and Section 761(a) (adding Section 3(a)(77) of the Exchange Act) (defining the term ``security-based swap execution facility''). \1305\ See SB SDR Proposing Release, supra note 1304, at 77332 and SB SEF Proposing Release, supra note 1304, at 10987. \1306\ See Proposing Release, supra note 13, at 18133-34. --------------------------------------------------------------------------- In the SCI Proposal, the Commission recognized that there could be differences between Regulation SCI, as adopted, and Rules 13n-6 and 822, if adopted. Therefore, the Commission sought comment on whether it should propose to apply the requirements of Regulation SCI, in whole or in part, to SB SDRs and/or SB SEFs.\1307\ In addition, the Commission sought comment on what--if the Commission were to propose to apply some or all of the requirements of Regulation SCI to SB SDRs or SB SEFs-- would be the most appropriate way to implement such requirements for SB SDRs and SB SEFs.\1308\ However, the Commission also noted that, should the Commission decide to propose to apply the requirements of Regulation SCI to SB SDRs or SB SEFs, the Commission would issue a separate release discussing such a proposal.\1309\ --------------------------------------------------------------------------- \1307\ See id. at 18134-37. \1308\ See id. at 18137-38. As noted in the SCI Proposal, although the Commission has issued a policy statement regarding the anticipated sequencing of the compliance dates of final rules to be adopted by the Commission for certain provisions of Title VII of the Dodd-Frank Act, the precise timing for adoption of or compliance with any final rules relating to SB SDRs or SB SEFs is not known at this time. See Securities Exchange Act Release No. 67177 (June 11, 2012), 77 FR 35625 (June 14, 2012) (Statement of General Policy on the Sequencing of the Compliance Dates for Final Rules Applicable to Security-Based Swaps Adopted Pursuant to the Securities Exchange Act of 1934 and the Dodd-Frank Wall Street Reform and Consumer Protection Act). \1309\ See Proposing Release, supra note 13, at 18134. --------------------------------------------------------------------------- One commenter supported the inclusion of SB SEFs and possibly SB SDRs under proposed Regulation SCI.\1310\ Several commenters supported some form of harmonization, but were cognizant of the practical differences between options and equities, on the one hand, and derivatives, on the other.\1311\ --------------------------------------------------------------------------- \1310\ See Tellefsen Letter at 5. \1311\ See DTCC Letter at 18-19; and NYC Bar Letter at 2-5. See also CoreOne Letter at 5-7. --------------------------------------------------------------------------- In the context of considering whether Regulation SCI should apply to SB SDRs or SB SEFs, one commenter supported principles-based rules relating to systems compliance and integrity, and generally believed that principles applicable to one type of system should be applicable to all types of systems.\1312\ This commenter noted that the Commission should not promulgate principles-based rules that would apply different principles to different systems, unless such difference is clearly warranted by the facts and circumstances relating to and the purpose of a particular system.\1313\ This commenter also commented that, because technology continues to evolve at a rapid pace and because specific and technical rules may create conflicting standards, any attempt to provide specific and technical rules should be avoided, unless the context clearly warrants such specific and technical rules.\1314\ This commenter concluded that the similarities between certain SCI entities and SB SDRs and SB SEFs do not provide a clear justification for a different set of rules.\1315\ --------------------------------------------------------------------------- \1312\ See NYC Bar Letter at 3. \1313\ See id. at 3-4. \1314\ See id. at 4. \1315\ See id. This commenter also specifically noted that important market systems should not have differing recovery requirements without a clear justification, particularly in light of a Congressional mandate in the Dodd-Frank Act to ensure regulatory consistency and comparability, to the extent possible. See NYC Bar Letter at 5. --------------------------------------------------------------------------- One commenter noted that SB SDRs should have standards that are consistent with, but not identical to, those of SCI entities.\1316\ According to this commenter, the functions that SB SDRs perform are significantly different from those performed by SCI entities.\1317\ However, this commenter supported applying to SB SDRs: Proposed Rule 1000(b)(1)(i)(A)-(E); \1318\ requirements relating to Commission notification of SCI events (by adopting the notification provisions described in proposed Rule 13n-6(3)); and requirements for business continuity planning and testing (but SB SDRs should not be required to test with other SB SDRs given the structure of the proposed SB SDR Regulations).\1319\ Finally, rather than making Regulation SCI applicable to SB SDRs, this commenter recommended that these provisions be incorporated into Rule 13n-6.\1320\ --------------------------------------------------------------------------- \1316\ See DTCC Letter at 18. \1317\ See id. \1318\ However, this commenter noted that specific industry standards should be adopted for SB SDRs, rather than adopting existing standards that were largely developed before repositories were developed and were not intended to cover these types of entities. See id. \1319\ See id. at 18-19. \1320\ See id. at 19. --------------------------------------------------------------------------- The Commission appreciates the comments received on the potential application of Regulation SCI to SB SDRs and SB SEFs. As noted above, should the Commission decide to propose to apply the requirements of Regulation SCI to SB SDRs or SB SEFs, the Commission would issue a separate release discussing such a proposal and would take these comments into account. 2. Applying Regulation SCI to Broker-Dealers Other Than SCI ATSs and Other Types of Entities Regulation SCI, as proposed and as adopted, would apply to national securities exchanges, registered securities associations, registered clearing agencies, the MSRB, SCI ATSs, plan processors, and exempt clearing agencies subject to ARP. It would not apply to other types of market participants, such as market makers or other broker-dealers. As noted in the SCI Proposal, recent events have highlighted the significance of systems integrity of a broader set of market participants than those included in the definition of SCI entity.\1321\ Also, as [[Page 72365]] noted in the SCI Proposal, some broker-dealers have grown in size and importance to the market in recent years.\1322\ As such, the Commission recognized that systems disruptions, systems compliance issues, and systems intrusions at broker-dealers could pose a significant risk to the market.\1323\ The Commission also noted that Rule 15c3-5 under the Exchange Act,\1324\ which requires brokers or dealers with market access to implement risk management controls and supervisory procedures to limit risk, already seeks to address certain risks posed to the markets by broker-dealer systems.\1325\ --------------------------------------------------------------------------- \1321\ See Proposing Release, supra note 13, at 18138, n. 334. \1322\ See id. at 18138, n. 335. \1323\ See id. at 18138. \1324\ 17 CFR 240.15c3-5. \1325\ See supra note 114 and Proposing Release, supra note 13, at 18138-39. --------------------------------------------------------------------------- The Commission did not propose to apply Regulation SCI to registered broker-dealers (other than SCI ATSs) or to other types of entities not covered by the definition of SCI entity. As noted in the SCI Proposal, if the Commission were to decide to propose to apply the requirements of Regulation SCI to such entities, the Commission would issue a separate release discussing such a proposal.\1326\ Nevertheless, in the SCI Proposal, the Commission sought comment on whether such entities should be subject to Regulation SCI in whole or in part.\1327\ --------------------------------------------------------------------------- \1326\ See id. at 18139. \1327\ See id. at 18139-41. --------------------------------------------------------------------------- Some commenters stated that the Commission should expand the definition of SCI entity to include broker-dealers.\1328\ One commenter stated that the goals of Regulation SCI could not be met without expanding the definition of SCI entity to include the following types of broker-dealers: Exchange market maker, OTC market maker, and any other broker or dealer that executes orders internally by trading as a principal or crossing orders as an agent.\1329\ This commenter stated that these entities should be included because they play a critical role in the markets, handle market share that exceeds that of certain SCI ATSs, and, like exchanges and ATSs, rely heavily on sophisticated automated systems.\1330\ Another commenter also believed that the objectives of Regulation SCI could more readily be achieved if the regulation also applied to market makers, high-frequency trading firms, and other broker-dealers because the activities of these types of entities could present systemic risks to the market.\1331\ --------------------------------------------------------------------------- \1328\ See NYSE Letter at 8-10; and Liquidnet Letter at 2-3. Another commenter expressed its view that inclusion of order routing systems within the definition of ``SCI systems'' puts SCI entities at a competitive disadvantage against broker-dealers that are not covered by Regulation SCI. See BATS Letter at 4. See also supra notes 48-50, 94-96, and 152 and accompanying text (discussing comments regarding broadening the coverage of ``SCI entity'' and ``SCI ATS'' and the effect of the adopted ATS thresholds on barriers to entry), and infra Section VI.C.1.c (discussing the effect of Regulation SCI on competition between SCI entities and non-SCI entities). \1329\ See NYSE Letter at 9. \1330\ See id. \1331\ See Liquidnet Letter at 2. --------------------------------------------------------------------------- In connection with questions in the SCI Proposal regarding the application of Regulation SCI to broker-dealers other than SCI ATSs, one commenter urged the Commission to broaden the definition of SCI entity to include any entity with direct electronic access to equity markets because the equity markets can be disrupted by a single server.\1332\ Another commenter stated that all direct access proprietary trading market participants (including high frequency market participants) should be included as SCI entities because of their significant footprint in the markets, past incidents like Knight Capital Group's massive trading losses from a systems malfunction in August 2012,\1333\ and flaws in the existing compliance controls and practices of such firms.\1334\ One commenter stated that Regulation SCI should be extended to any trading platforms that transact significant volume, including systems that are not required to register as an ATS, because all executions are against the bids and offers of a single dealer.\1335\ --------------------------------------------------------------------------- \1332\ See Lauer Letter at 3. See also supra notes 212-213 (explaining that the Commission believes that many systems with direct market access are captured by the adopted definition but the Commission is not expanding the scope of Regulation SCI to include other broker-dealer entities and their systems at this time). \1333\ See Proposing Release, supra note 13, at 18090, n. 70 (discussing Knight's systems malfunction in August 2012). \1334\ See Leuchtkafer Letter at 1-7. See supra notes 124-126 and accompanying text (discussing the Commission's determination to not apply Regulation SCI to non-ATS broker-dealers at this time). \1335\ See BlackRock Letter at 4. --------------------------------------------------------------------------- A few commenters further argued that Rule 15c3-5 under the Exchange Act is not sufficient by itself and therefore some broker-dealers should be treated as SCI entities.\1336\ One of these commenters stated that non-ATS broker-dealers should be treated as SCI entities because Rule 15c3-5, concerning the implementation of risk management and supervisory controls to limit risk associated with routing orders to exchanges or ATSs, does not address reliability or integrity of the systems that implement such controls.\1337\ --------------------------------------------------------------------------- \1336\ See Lauer Letter at 3 and NYSE Letter at 9. \1337\ See NYSE Letter at 9. --------------------------------------------------------------------------- Many other commenters stated more generally that broker-dealers should not be captured by the definition of SCI entity.\1338\ Several commenters stated that they do not support the expansion of Regulation SCI to all broker-dealers because broker-dealers generally perform functions that do not have any systemic impact on the operation of the national market system and are presently subject to numerous regulations that require the establishment of controls (such as the Market Access Rule, Rule 17a-3, and Rule 17a-4), making Regulation SCI duplicative and unduly burdensome.\1339\ --------------------------------------------------------------------------- \1338\ See SIFMA Letter at 3; MFA Letter at 4-5; FIA PTG Letter at 5; FSI Letter at 3; WF Letter at 2; Fidelity Letter at 4; KCG Letter at 14-17; LiquidPoint Letter at 4; and FSR Letter at 2-3, n. 5. \1339\ See SIFMA Letter at 3; MFA Letter at 4-5; FIA PTG Letter at 5; WF Letter at 2; KCG Letter at 15-17; LiquidPoint Letter at 4; and FSR Letter at 2-3, n. 5. --------------------------------------------------------------------------- One commenter stated that broker-dealers are currently subject to high standards of systems compliance and integrity by FINRA and state laws, and disciplinary actions for failure to maintain sufficient protection of customer data and supervisory policies.\1340\ Moreover, this commenter noted that, if potential systems issues could be addressed by Regulation SCI as applied to SCI entities, there would be no need to apply Regulation SCI to broker-dealers conducting activities on behalf of retail clients.\1341\ This commenter stated that additional regulation would only be warranted after a meticulous cost- benefit analysis and implementation of the additional regulation at the lowest cost to firms and investors.\1342\ This commenter concluded that the inclusion of broker-dealers would raise investors' costs and is unnecessary.\1343\ --------------------------------------------------------------------------- \1340\ See FSI Letter at 3. \1341\ See id. \1342\ See id. \1343\ See id. --------------------------------------------------------------------------- Another commenter believed that non-SCI ATS broker-dealers should not be included in the definition of SCI entity because, despite the longstanding practice of retail brokers routing their customers' orders to market markers for execution, those market makers are not critical.\1344\ Moreover, this commenter believed that FINRA's rules with respect to broker-dealers are more appropriate than the SCI Proposal, and FINRA rules hold broker-dealers accountable and do not shield them from liability.\1345\ This commenter stated that the combination of Commission and FINRA rules on [[Page 72366]] broker-dealers ensures that broker-dealers are sufficiently regulated, although this commenter stated that FINRA could provide additional guidance on its rules in light of the weaknesses revealed by Superstorm Sandy.\1346\ Similarly, another commenter stated that broker-dealers should not be regulated under Regulation SCI because broker-dealer operational regulation has been overseen almost entirely by FINRA.\1347\ Specifically, FINRA member broker-dealers are required to create and implement written supervisory procedures covering the operation of their business.\1348\ According to this commenter, this process allows broker-dealers to devise procedures that keep them in- line with FINRA and Commission regulations, and allows FINRA to focus on bigger picture issues impacting the broker-dealer industry.\1349\ --------------------------------------------------------------------------- \1344\ See KCG Letter at 14. \1345\ See id. at 14-15. \1346\ See id. at 14-17. \1347\ See OTC Markets Letter at 11. \1348\ See id. \1349\ See id. --------------------------------------------------------------------------- In addition, one commenter stated that the Commission should not propose a requirement that SCI SROs require their members to institute policies and procedures similar to those required under Regulation SCI.\1350\ According to this commenter, SCI SROs already impose regulatory requirements addressing similar concerns as those that Regulation SCI is designed to address.\1351\ --------------------------------------------------------------------------- \1350\ See WF Letter at 2. \1351\ See id. at 2-3. --------------------------------------------------------------------------- One commenter stated that the term SCI entity should not encompass clearing broker-dealers or transfer agents because they are not involved in ``real-time'' trading activities and therefore there would not be any material impact on critical market functions should their systems fail.\1352\ Additionally, this commenter stated that because Regulation SCI ``is designed to formalize the Commission's existing ARP Program,'' and clearing broker-dealers and transfer agents do not participate in ARP, those entities should not be included within the scope of Regulation SCI.\1353\ Another commenter echoed these positions with respect to transfer agents, and also stated that transfer agents should not be included within the definition of SCI entity because the majority of transfer agents do not have electronic connectivity to SCI entities.\1354\ Additionally, this commenter stated that larger transfer agents are already required to have business continuity plans and written policies and procedures to ensure that their systems are robust and will function as intended.\1355\ In determining whether to expand the scope of SCI entities, one commenter commented that the Commission should consider the role of an entity in the securities markets and the risks presented by that entity, and stated that transfer agents should not be covered because they raise fewer risks to the markets than the proposed SCI entities, as their systems do not directly support the functions intended to be targeted by the SCI Proposal.\1356\ Another commenter similarly stated that transfer agents should not be covered because there is little chance that a problem with a transfer agent's operations would impact market activity.\1357\ --------------------------------------------------------------------------- \1352\ See Fidelity Letter at 4. \1353\ See id. \1354\ See STA Letter at 2. \1355\ See id. \1356\ See ICI Letter at 3. \1357\ See Oppenheimer Letter at 2. --------------------------------------------------------------------------- The Commission appreciates the comments received on the potential application of Regulation SCI to broker-dealers other than SCI ATSs and other types of entities. As noted above, should the Commission decide to propose to apply the requirements of Regulation SCI to these entities, the Commission would issue a separate release discussing such a proposal and would take these comments into account. F. Effective Date and Compliance Dates Several commenters provided recommendations for when the requirements of Regulation SCI should go into effect and/or when SCI entities should be required to comply with the various requirements of the regulation.\1358\ Each commenter recommended allowing what they believed to be sufficient time for SCI entities to prepare for what they perceived as complex or substantial regulatory responsibilities.\1359\ --------------------------------------------------------------------------- \1358\ See e.g., FINRA Letter at 41-42; DTCC Letter at 3; OCC Letter at 2; MSRB Letter at 39-40; KCG Letter at 19; SIFMA Letter at 7; and OTC Markets Letter at 4, 22-23. \1359\ See e.g., FINRA Letter at 41-42; DTCC Letter at 3; OCC Letter at 2; MSRB Letter at 39-40; KCG Letter at 19; SIFMA Letter at 7; and OTC Markets Letter at 4, 22-23. --------------------------------------------------------------------------- Several commenters suggested that the implementation period should vary between those entities and/or systems currently subject to the ARP Inspection Program and those that are not.\1360\ For example, one commenter suggested an implementation period of no less than two years for SCI systems that are subject to the ARP Inspection Program and three years for all other systems.\1361\ Similarly, another commenter recommended that certain systems of non-ARP participants should be provided at least an additional one year transition period, after a six-month delayed effectiveness after final approval of Regulation SCI for SCI systems of current ARP participants that are trading, clearance and settlement, and order routing systems.\1362\ Another commenter stated that systems currently covered by the ARP Inspection Program should be granted two years to phase-in the rule and that non-ARP systems would need a phase-in period of at least four years.\1363\ One commenter also noted more generally that the time needed to meet the new requirements of Regulation SCI will vary by the type of SCI entity and the level of its current participation in the ARP Inspection Program.\1364\ --------------------------------------------------------------------------- \1360\ See, e.g., FINRA Letter at 41-42; DTCC Letter at 3; and OTC Markets Letter at 4, 22-23. \1361\ See FINRA Letter at 41-42. \1362\ See MSRB Letter at 39-40. \1363\ See OTC Markets Letter at 4, 22-23. \1364\ See DTCC Letter at 3. --------------------------------------------------------------------------- Some commenters requested a special phase-in period for ATSs. Specifically, two commenters suggested that ATSs should be given six months after meeting the given threshold in the definition of SCI ATS to come into compliance with Regulation SCI.\1365\ --------------------------------------------------------------------------- \1365\ See KCG Letter at 19; and SIFMA Letter at 7. See also adopted Rule 1000 (definition of ``SCI ATS'') and supra Section IV.A.1.b (discussing definition of ``SCI ATS''). --------------------------------------------------------------------------- Other commenters provided detailed suggestions for a phase-in compliance timeline for the requirements of Regulation SCI.\1366\ For example, one commenter suggested implementing the rule in three phases so that it would apply: (1) After initial six-month delayed effectiveness, to SCI systems of current ARP participants that are trading, clearance and settlement, and order routing systems, and after one additional year, to such systems of non-ARP participants (for at least one annual cycle); (2) to indirect SCI systems relating to the systems in phase one (for at least one annual cycle); and (3) to SCI systems that are market data, regulation and surveillance systems and related indirect SCI systems.\1367\ Another commenter believed the rule should be phased-in over four stages, where each SCI entity would: (1) Review its SCI systems risk-based assessment with Commission staff; (2) review and update its policies and procedures to reasonably ensure compliance with Regulation SCI; (3) implement such policies and procedures; and (4) conduct an annual review.\1368\ --------------------------------------------------------------------------- \1366\ See MSRB Letter at 39-40; and OCC Letter at 2-3. \1367\ See MSRB Letter at 40. \1368\ See OCC Letter at 3. --------------------------------------------------------------------------- [[Page 72367]] Other commenters recommended individual compliance deadlines for certain requirements of Regulation SCI.\1369\ Specifically, two commenters suggested that phased-in compliance should be permitted for proposed Rule 1000(b)(9) addressing testing of SCI entity business continuity and disaster recovery plans by SCI entity members or participants.\1370\ Specifically, one commenter believed that, if end- to-end business continuity and disaster recovery plans testing were to be required, it should be phased-in to allow SCI entities to conduct testing of specific SCI systems over time, rather than be required to conduct a full end-to-end test, which it stated cannot be done within a reasonable timeframe.\1371\ The other commenter recommended a phased-in approach to implementation of broader BC/DR testing over a period of years.\1372\ One commenter recommended that the Commission institute an implementation period for the Commission notification requirement under proposed Rule 1000(b)(4) to allow SCI entities to prepare for what the commenter believed to be an increase in the number of notifications that would be required.\1373\ This commenter also noted generally that business continuity and end-to-end testing requirements,\1374\ the two- hour recovery time objective,\1375\ and adopting the required policies and procedures may take longer to comply with than other provisions of Regulation SCI.\1376\ --------------------------------------------------------------------------- \1369\ See OCC Letter at 2-3, 11, and 18; and SIFMA Letter at 18. \1370\ See adopted Rule 1004 and supra Section IV.B.6 (discussing business continuity and disaster recovery plans testing requirements). \1371\ See OCC Letter at 18. \1372\ See SIFMA Letter at 18. \1373\ See OCC Letter at 11; see also adopted Rule 1002(b) and supra Section IV.B.3.c (discussing the Commission notification requirement for SCI events). One commenter also expressed concern about SCI entities being able to effectively make submissions on Form SCI upon Regulation SCI becoming effective, and urged Commission staff to work with the SCI entities in the development, testing, and implementation of the Form SCI electronic submission system, including provision of any systems requirements (e.g., supported browsers, required certificates, or authentication protocols). See MSRB Letter at 25. Another commenter requested that the Commission provide SCI entities sufficient time to learn the new Form SCI submission process, and recommended that the Commission delay implementation of Form SCI until SCI entities and Commission staff have gained experience with the Regulation SCI reporting requirements. See FINRA Letter at 28. In the alternative, this commenter recommended that the Commission provide a transition period for SCI entities to establish their processes for submission of Form SCI. See FINRA Letter at 28. \1374\ See adopted Rule 1004 and supra Section IV.B.6 (discussing business continuity and disaster recovery plans testing requirements). \1375\ See adopted Rule 1001(a)(2)(v) and supra Section IV.B.1.b (discussing the policies and procedures requirement and the two-hour recovery time objective). \1376\ See OCC Letter at 2-3; see also adopted Rule 1001 and supra Sections IV.B.1-2 (discussing the policies and procedures requirement for operational capability and systems compliance). --------------------------------------------------------------------------- Regulation SCI will become effective 60 days after publication of the rules in the Federal Register (``Effective Date''). As proposed, SCI entities would have been required to meet the requirements of Regulation SCI on the Effective Date. However, after consideration of the views of commenters, the Commission has determined to adopt a compliance date for Regulation SCI of nine months after the Effective Date, except as described below with regard to: (1) ATSs newly meeting the thresholds in the definition of ``SCI ATS;'' and (2) the industry- or sector-wide coordinated testing requirement, which will have different compliance periods. The Commission believes that the importance of strengthening the technology infrastructure of key market participants, the potential significant risks posed by systems issues to the U.S. securities markets, and the significant number of recent systems issues at various trading venues, necessitates as prompt an implementation of the requirements of Regulation SCI by SCI entities as possible. At the same time, the Commission understands that SCI entities will need time to prepare for the obligations imposed by Regulation SCI and, accordingly, believes that this nine-month time frame provides SCI entities adequate time to meet the requirements of Regulation SCI. While certain commenters suggested longer compliance periods or phased-in compliance periods, the Commission understands that entities currently subject to the ARP Inspection Program may already comply with certain requirements of Regulation SCI. In addition, the Commission also believes that SCI entities that have not previously participated in the ARP Inspection Program may also currently operate in accordance with certain of the adopted requirements. For example, the Commission believes that most SCI entities generally have in place policies and procedures designed to ensure its systems' capacity, integrity, resiliency, availability, and security and that most SCI entities already take corrective actions in response to systems issues. Further, the Commission notes that, as described above, it has further focused the scope of the requirements of Regulation SCI from the SCI Proposal and, thus, has lessened the potential burdens on SCI entities.\1377\ Therefore, the Commission believes that many of the concerns expressed by commenters regarding the time that would be needed to prepare for the responsibilities imposed by Regulation SCI have been significantly mitigated or addressed by this overall refinement of the rules and obligations of SCI entities. For example, as discussed above, the Commission has further focused the definition of ``SCI systems'' and clarified the scope of ``indirect SCI systems,'' which will result in fewer systems being subject to the requirements of Regulation SCI.\1378\ In addition, the Commission notification provision will require immediate Commission notice of fewer SCI events than as proposed as a result of the refining of several definitions and the adoption of an exception from the immediate reporting requirements for de minimis SCI events, which will instead be subject to recordkeeping requirements and/or a quarterly reporting obligation, as applicable.\1379\ Further, the Commission has clarified that an SCI entity's policies and procedures relating to the capacity, integrity, resiliency, availability, and security of its SCI systems and indirect SCI systems can to be tailored to a particular SCI system's criticality and risk, contrary to the belief of some commenters that the rule required all systems to be held to the same standards.\1380\ The Commission also notes that it expects, prior to the compliance date, that its staff will provide information to SCI entities regarding the operation of the electronic filing system to submit Forms SCI. --------------------------------------------------------------------------- \1377\ See supra Section III (providing a summary of the key modifications from the SCI Proposal) and Section IV (providing a detailed discussion of changes from the SCI Proposal). \1378\ See supra Sections IV.A.2.b and IV.A.2.d (discussing the definitions of ``SCI systems'' and ``indirect SCI systems''). The Commission notes that the refining of these definitions also reduces the need to phase-in compliance based on type of system as suggested by one commenter, because fewer systems overall will be subject to the regulation than proposed and many systems for which the commenter urged a delay in compliance will not be covered by the regulation, as adopted. \1379\ See supra Section IV.B.3.c (discussing the Commission notification requirement). As discussed above, SCI entities will be required to make, keep, and preserve records relating to all de minimis SCI events and to report de minimis systems disruptions and de minimis systems intrusions quarterly. \1380\ See supra Section IV.B.1 (discussing the requirement for policies and procedures to achieve capacity, integrity, resiliency, availability, and security). --------------------------------------------------------------------------- With regard to some commenters' suggestions that there should be different compliance periods for SCI entities currently subject to the ARP Inspection Program and those that do not currently participate in the ARP Inspection Program (or phased-in compliance based, in part, on this [[Page 72368]] distinction), as noted above, the Commission believes that both categories of entities already have some level of processes or procedures in place that are in compliance with the requirements of Regulation SCI. Further, given the voluntary nature of the current ARP Inspection Program, the Commission believes that the extent of current compliance with the requirements of adopted Regulation SCI by entities subject to the ARP Inspection Program varies for different entities. In addition, as noted above, Regulation SCI has a broader scope than the current ARP Inspection Program and imposes mandatory requirements on entities subject to the rules, and accordingly will require all SCI entities (both ARP entities and non-ARP entities) to take steps, including implementing necessary systems changes, to meet the requirements of Regulation SCI. For these reasons, the Commission believes that it is appropriate to provide all SCI entities nine months to become compliant with the requirements of Regulation SCI. With regard to two commenters' suggestions that the Commission should adopt specific phased-in compliance periods based on type of entity (i.e., ARP or non-ARP), type of system, or other factors, the Commission believes that such an approach is not necessary for the reasons stated above. Further, the Commission believes that having multiple phases of compliance would create unnecessary complexity and raise practical difficulties for implementation. At the same time, the Commission believes that it is appropriate to provide additional compliance periods for limited aspects of Regulation SCI, as requested by some commenters. Specifically, the Commission believes that ATSs meeting the volume thresholds in the definition of ``SCI ATS'' for the first time should be provided an additional six months from the time that the ATS first meets the applicable thresholds to comply with the requirements of Regulation SCI.\1381\ The Commission believes that this additional six-month period is appropriate and necessary to allow an SCI ATS the time needed to take steps to meet the requirements of the rules, rather than requiring compliance immediately upon meeting the volume thresholds. The Commission also believes that this additional compliance period should give a new ATS entrant the opportunity to initiate and develop its business by allowing additional time before a new ATS must incur the costs associated with compliance with Regulation SCI.\1382\ --------------------------------------------------------------------------- \1381\ See supra note 1365 and accompanying text. See also supra Section IV.A.1.b (discussing the definition of ``SCI ATS,'' including the applicable volume thresholds and the inclusion of a six-month compliance period within the definition). For example, if a new ATS begins operations in January 2016 and subsequently meets the volume thresholds in the definition of ``SCI ATS'' for four out of the six months ending December 31, 2016, it would have until June 30, 2017 to become compliant with the requirements of Regulation SCI. \1382\ See supra note 152 and accompanying text. --------------------------------------------------------------------------- The Commission is also adopting a longer compliance period with regard to the industry- or sector-wide coordinated testing requirement in adopted Rule 1004(d).\1383\ Specifically, SCI entities will have 21 months from the Effective Date to coordinate the testing of an SCI entity's business continuity and disaster recovery plans on an industry- or sector-wide basis with other SCI entities pursuant to adopted Rule 1004(d). Given that the compliance date for the other requirements of Regulation SCI is nine months from the Effective Date, this will provide SCI entities an additional year (12 months) beyond the compliance date for the other requirements of Regulation SCI (for a total of 21 months) to comply with Rule 1004(d). The Commission believes that this additional time period is appropriate in light of commenters' concerns regarding the complexity and logistical challenges posed by the requirement.\1384\ The Commission expects SCI entities to work cooperatively to address these logistical hurdles and to carefully plan such testing, and believes that the additional time for compliance should help to ensure that such testing is implemented effectively. --------------------------------------------------------------------------- \1383\ See supra Section IV.B.6.b.iv (discussing the coordinated testing requirement of adopted Rule 1004(d)). \1384\ See id. --------------------------------------------------------------------------- If any provision of Regulation SCI, or the application thereof to any person or circumstance, is held to be invalid, such invalidity shall not affect other provisions or application of such provisions to other persons or circumstances that can be given effect without the invalid provision or application. V. Paperwork Reduction Act Certain rules under Regulation SCI impose new ``collection of information'' requirements within the meaning of the Paperwork Reduction Act of 1995 (``PRA'').\1385\ An agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid control number. In accordance with 44 U.S.C. 3507 and 5 CFR 1320.11, the Commission submitted these collections of information to the Office of Management and Budget (``OMB'') for review. The title for the collection of information requirement is ``Regulation Systems Compliance and Integrity.'' The collection of information was assigned OMB Control No. 3235-0703. --------------------------------------------------------------------------- \1385\ 44 U.S.C. 3501 et seq. --------------------------------------------------------------------------- In the SCI Proposal, the Commission solicited comments on the collection of information burdens associated with Regulation SCI. In particular, the Commission asked whether commenters agree with the Commission's estimate of the number of respondents and the burden associated with compliance with Regulation SCI.\1386\ In addition, the Commission asked whether SCI entities would outsource the work associated with compliance with Regulation SCI.\1387\ Some commenters noted that the Commission underestimated the burdens that would be imposed by proposed Regulation SCI.\1388\ As discussed above, the Commission received 60 comment letters on the proposal. Some of these comments relate directly or indirectly to the PRA. These comments are addressed below. --------------------------------------------------------------------------- \1386\ See Proposing Release, supra note 13, at 18155. \1387\ See id. at 18154-55. \1388\ See, e.g., Joint SRO Letter at 18-19; CME Letter at 4-5; OCC Letter at 11-12. --------------------------------------------------------------------------- A. Summary of Collection of Information Regulation SCI includes four categories of obligations that require a collection of information within the meaning of the PRA. Specifically, an SCI entity is required to: (1) Establish specified written policies and procedures, and mandate participation by designated members or participants in certain testing of the SCI entity's business continuity and disaster recovery plans; (2) provide certain notifications, disseminate certain information, and create reports; (3) take corrective actions, and identify critical SCI systems, major SCI events, de minimis SCI events, and material systems changes; and (4) comply with recordkeeping requirements. 1. Requirements To Establish Written Policies and Procedures and Mandate Participation in Certain Testing Rule 1001 requires SCI entities to establish policies and procedures with respect to various matters. Rule 1001(a) requires each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, indirect SCI systems, have levels of capacity, [[Page 72369]] integrity, resiliency, availability, and security, adequate to maintain the SCI entity's operational capability and promote the maintenance of fair and orderly markets. Rule 1001(a)(2) specifies that such policies and procedures are required to include, at a minimum: (i) The establishment of reasonable current and future technology infrastructure capacity planning estimates; (ii) periodic capacity stress tests of such systems to determine their ability to process transactions in an accurate, timely, and efficient manner; (iii) a program to review and keep current systems development and testing methodology for such systems; (iv) regular reviews and testing, as applicable, of such systems, including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters; (v) business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption; (vi) standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data; and (vii) monitoring of such systems to identify potential SCI events. Rule 1001(a)(3) requires each SCI entity to periodically review the effectiveness of the policies and procedures required by Rule 1001(a), and take prompt action to remedy deficiencies in such policies and procedures. Rule 1001(a)(4) states that an SCI entity's policies and procedures shall be deemed to be reasonably designed if they are consistent with current SCI industry standards, which are required to be comprised of information technology practices that are widely available to information technology professionals in the financial sector and issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization, though compliance with current SCI industry standards is not the exclusive means to comply with the requirements of Rule 1001(a). Rule 1001(b)(1) requires each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in a manner that complies with the Act and rules and regulations thereunder and the entity's rules and governing documents, as applicable. Rule 1001(b)(2) specifies that such policies and procedures are required to include, at a minimum: (i) Testing of all SCI systems and any changes to SCI systems prior to implementation; (ii) a system of internal controls over changes to SCI systems; (iii) a plan for assessments of the functionality of SCI systems designed to detect systems compliance issues, including by responsible SCI personnel and by personnel familiar with applicable provisions of the Act and the rules and regulations thereunder and the SCI entity's rules and governing documents; and (iv) a plan of coordination and communication between regulatory and other personnel of the SCI entity, including by responsible SCI personnel, regarding SCI systems design, changes, testing, and controls designed to detect and prevent systems compliance issues. Rule 1001(b)(3) requires each SCI entity to periodically review the effectiveness of the policies and procedures required by Rule 1001(b), and take prompt action to remedy deficiencies in such policies and procedures. Further, pursuant to Rule 1001(b)(4), personnel of an SCI entity is deemed not to have aided, abetted, counseled, commanded, caused, induced, or procured the violation by an SCI entity of Rule 1001(b) if the person: (i) Has reasonably discharged the duties and obligations incumbent upon such person by the SCI entity's policies and procedures; and (ii) was without reasonable cause to believe that the policies and procedures relating to an SCI system for which such person was responsible, or had supervisory responsibility, were not established, maintained, or enforced in accordance with Rule 1001(b) in any material respect. Rule 1001(c)(1) requires each SCI entity to establish, maintain, and enforce reasonably designed written policies and procedures that include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible SCI personnel of potential SCI events. Rule 1001(c)(2) requires each SCI entity to periodically review the effectiveness of the policies and procedures required by Rule 1001(c)(1), and take prompt action to remedy deficiencies in such policies and procedures. Rule 1004 requires an SCI entity, with respect to its business continuity and disaster recovery plans, including its backup systems, to: (a) Establish standards for the designation of those members or participants that the SCI entity reasonably determines are, taken as a whole, the minimum necessary for the maintenance of fair and orderly markets in the event of the activation of such plans; and (b) designate members or participants pursuant to such standards and require participation by such members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency as specified by the SCI entity, at least once every 12 months (e.g., for SCI SROs, by submitting proposed rule changes under Section 19(b) of the Exchange Act; for SCI ATSs, by revising membership or subscriber agreements and internal procedures; for plan processors, through an amendment to an SCI Plan under Rule 608 of Regulation NMS; and, for exempt clearing agencies subject to ARP, by revising participant agreements and internal procedures). Rule 1004(c) requires an SCI entity to coordinate such required testing on an industry- or sector-wide basis with other SCI entities. 2. Notification, Dissemination, and Reporting Requirements for SCI Entities Certain rules under Regulation SCI require SCI entities to notify or report information to the Commission, or disseminate information to their members or participants. Rules 1002 and 1003 each contain notification, dissemination, or reporting requirements.\1389\ --------------------------------------------------------------------------- \1389\ To access EFFS, the secure Commission Web site for filing of Form SCI, an SCI entity will submit to the Commission an External Application User Authentication Form (``EAUF'') to register each individual at the SCI entity who will access the EFFS system on behalf of the SCI entity. Upon receipt and verification of the information in the EAUF process, the Commission will issue each such person a User ID and Password to permit access to the Commission's secure Web site. --------------------------------------------------------------------------- Rule 1002(b) requires Commission notification of SCI events. Rule 1002(b)(1) requires an SCI entity to immediately notify the Commission upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred. These notifications may be made orally or in writing. Rule 1002(b)(2) requires an SCI entity, within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, to submit a written notification to the Commission on Form SCI pertaining to such SCI event.\1390\ [[Page 72370]] Rule 1002(b)(2) requires that this notification include: (i) A description of the SCI event, including the system(s) affected; and (ii) to the extent available as of the time of the notification, the SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event, the potential impact of the SCI event on the market, a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event, the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved, and any other pertinent information known by the SCI entity about the SCI event. --------------------------------------------------------------------------- \1390\ This notification is required to be submitted on a good faith, best efforts basis. --------------------------------------------------------------------------- Rule 1002(b)(3) requires an SCI entity, until an SCI event is resolved and the SCI entity's investigation of the SCI event is closed, to provide updates pertaining to such SCI event to the Commission on a regular basis, or at such frequency as reasonably requested by a representative of the Commission, to correct any materially incorrect information previously provided, or when new information is discovered (including but not limited to any of the information listed in Rule 1002(b)(2)(ii)). The updates under Rule 1002(b)(3) may be made orally or in writing. Rule 1002(b)(4) states that, if an SCI event is resolved and the SCI entity's investigation of the SCI event is closed within 30 calendar days of the occurrence of the event, then within 5 business days after the resolution of the SCI event and closure of the investigation regarding the SCI event, the SCI entity is required to submit a final written notification to the Commission pertaining to the SCI event. This notification is required to include: (i) A detailed description of the SCI entity's assessment of the types and number of market participants affected by the SCI event, the SCI entity's assessment of the impact of the SCI event on the market, the steps that the SCI entity has taken, is taking, or plans to take with respect to the SCI event, the time the SCI event was resolved, the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event, and any other pertinent information known by the SCI entity about the SCI event; (ii) a copy of any information disseminated pursuant to Rule 1002(c) by the SCI entity to date regarding the SCI event to any of its members or participants; and (iii) an analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. Rule 1002(b)(4)(iv) further states that, if an SCI event is not resolved or the SCI entity's investigation of the SCI event is not closed within 30 days of the occurrence of the SCI event, then the SCI entity is required to submit an interim written notification pertaining to such event within 30 calendar days after the occurrence of the event, containing the information required by Rule 1002(b)(4)(ii) to the extent known at that time. Within 5 business days after the resolution of such event and closure of the investigation, the SCI entity is required to submit a final written notification to the Commission, containing the information required by Rule 1002(b)(4)(ii). Rule 1002(b)(5) states that the requirements of Rules 1002(b)(1)- (4) do not apply to de minimis SCI events. Instead, for these types of SCI events, an SCI entity is required to make, keep, and preserve records relating to these events, and submit to the Commission quarterly reports containing a summary description of de minimis systems disruptions and de minimis systems intrusions, including the SCI systems and, for systems intrusions, indirect SCI systems, affected by such systems disruptions and systems intrusions during the applicable calendar quarter. Rule 1002(c) requires the dissemination of information regarding certain SCI events and specifies the nature and timing of such dissemination. Rule 1002(c)(1)(i) requires an SCI entity, promptly after any responsible SCI personnel has a reasonable basis to conclude that a systems disruption or systems compliance issue has occurred, to disseminate the following information about such SCI event: (A) The system(s) affected by the SCI event; and (B) a summary description of the SCI event. In addition, Rule 1002(c)(1)(ii) requires an SCI entity, when known, to further disseminate the following information: (A) A detailed description of the SCI event; (B) the SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; and (C) a description of the progress of its corrective action for the SCI event and when the SCI event has been or is expected to be resolved. Rule 1002(c)(1)(iii) requires that an SCI entity provide regular updates of the information required to be disseminated under Rule 1002(c)(1)(i) and (ii). With respect to systems intrusions, Rule 1002(c)(2) states that, promptly after any responsible SCI personnel has a reasonable basis to conclude that a systems intrusion has occurred, an SCI entity is required to disseminate a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity's SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents the reasons for such determination.\1391\ --------------------------------------------------------------------------- \1391\ Rule 1002(c)(3) provides that the information specified in Rules 1002(c)(1) and (2) is required to be disseminated to members or participants of the SCI entity that a responsible SCI personnel has reasonably estimated may have been affected by the SCI event, and promptly disseminated to any additional members or participants that any responsible SCI personnel subsequently reasonably estimates may have been affected by the SCI event. However, information regarding major SCI events must be disseminated to all members or participants of an SCI entity. --------------------------------------------------------------------------- Rule 1002(c)(4) provides that the information dissemination requirement does not apply to SCI events to the extent they relate to market regulation or market surveillance systems, or to any de minimis SCI events. Rule 1003(a)(1) requires an SCI entity, within 30 calendar days after the end of each calendar quarter, to submit to the Commission a report describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion. Rule 1003(a)(2) further requires an SCI entity to promptly submit a supplemental report to notify the Commission of a material error in or material omission from a report previously submitted under Rule 1003(a). Rules 1003(b)(1) and (2) require an SCI entity to conduct periodic SCI reviews of its compliance with Regulation SCI,\1392\ and to submit a report of the SCI review to senior management of the SCI entity for review no more than 30 calendar days after completion of such SCI review. Rule 1003(b)(3) also requires an SCI entity to submit to the Commission, and to the board of directors of the SCI entity or the equivalent of such board, a report of the SCI review, together with any response by senior management, within [[Page 72371]] 60 calendar days after its submission to senior management of the SCI entity. --------------------------------------------------------------------------- \1392\ SCI entities are required to conduct an SCI review not less than once each calendar year. However, under Rule 1003(b)(1)(i), penetration test reviews of the network, firewalls, and production systems are required to be conducted not less than once every three years. Under Rule 1003(b)(1)(ii), assessments of SCI systems directly supporting market regulation or market surveillance are required to be conducted at a frequency based on risk assessment, but not less than once every three years. --------------------------------------------------------------------------- Rule 1006 requires any notifications to the Commission required to be submitted under Regulation SCI, except notifications pursuant to Rule 1002(b)(1) or 1002(b)(3), to be filed electronically on Form SCI, include all information as prescribed in Form SCI and the instructions thereto, and contain an electronic signature. In addition, pursuant to Rule 1006(b), the signatory to an electronically filed Form SCI is required to manually sign a signature page or document authenticating, acknowledging, or otherwise adopting his or her signature that appears in typed form within the electronic filing. Such document is required to be retained by the SCI entity in accordance with Rule 1005. 3. Requirements To Take Corrective Action and Identify Critical SCI Systems, Major SCI Events, De Minimis SCI Events, and Material Systems Changes Rule 1002(a) requires an SCI entity, upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, to begin to take appropriate corrective action, which is required to include, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable. The Commission believes that SCI entities are likely to work to develop a written process for ensuring that they are prepared to comply with the corrective action requirement and are likely to also periodically review this process. In connection with the reporting of material systems changes, Rule 1003(a)(1) requires an SCI entity to establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material. In addition, because the Commission notification and information dissemination requirements under Rules 1002(b) and (c), respectively, apply differently to SCI events depending on whether an event is a ``major SCI event'' or whether the event has no or a de minimis impact on the SCI entity's operations or on market participants, when an SCI event occurs, an SCI entity must determine whether an SCI event is a major SCI event or a de minimis SCI event. Moreover, because the business continuity and disaster recovery policies and procedures requirement under Rule 1001(a)(2)(v) imposes different resumption goals for critical SCI systems as compared to other SCI systems, an SCI entity must determine whether an SCI system is a critical SCI system.\1393\ As such, SCI entities would likely work to develop a written process for ensuring that they are able to make timely and accurate determinations regarding the nature of an SCI system or SCI event, and periodically review this process. --------------------------------------------------------------------------- \1393\ Also, pursuant to the definition of ``major SCI event,'' in determining whether an SCI event is a major SCI event, an SCI entity is required to consider whether an SCI event can have any impact on a critical SCI system. See Rule 1000. --------------------------------------------------------------------------- 4. Recordkeeping Requirements Rule 1005 sets forth recordkeeping requirements for SCI entities. Under Rule 1005(a), SCI SROs are required to make, keep, and preserve all documents relating to their compliance with Regulation SCI as prescribed in Rule 17a-1 under the Exchange Act. Under Rule 1005(b), each SCI entity that is not an SCI SRO is required to make, keep, and preserve at least one copy of all documents, including correspondence, memoranda, papers, books, notices, accounts, and other such records, relating to its compliance with Regulation SCI, including, but not limited to, records relating to any changes to its SCI systems and indirect SCI systems. Each SCI entity that is not an SCI SRO is required to keep all such documents for a period of not less than five years, the first two years in a place that is readily accessible to the Commission or its representatives for inspection and examination. Upon request of any representative of the Commission, such SCI entities would be required to promptly furnish to the possession of such representative copies of any documents required to be kept and preserved by it under Rules 1005(b)(1) and (2). Under Rule 1005(c), upon or immediately prior to ceasing to do business or ceasing to be registered under the Exchange Act, an SCI entity is required to take all necessary action to ensure that the records required to be made, kept, and preserved by Rule 1005 will be accessible to the Commission and its representatives in the manner required by Rule 1005 and for the remainder of the period required by Rule 1005. In addition, Rule 1007 provides that, if the records required to be filed or kept by an SCI entity under Regulation SCI are prepared or maintained by a service bureau or other recordkeeping service on behalf of the SCI entity, the SCI entity is required to ensure that the records are available for review by the Commission and its representatives by submitting a written undertaking, in a form acceptable to the Commission, by such service bureau or other recordkeeping service and signed by a duly authorized person at such service bureau or other recordkeeping service. B. Use of Information 1. Requirements To Establish Written Policies and Procedures and Mandate Participation in Certain Testing The requirement that SCI entities establish policies and procedures under adopted Rule 1001(a) should advance the goal of improving Commission review and oversight of U.S. securities market infrastructure by requiring an SCI entity's policies and procedures to be reasonably designed to ensure its own operational capability, including the ability to maintain effective operations, minimize or eliminate the effect of performance degradations, and have sufficient backup and recovery capabilities. Because an SCI entity's own operational capability can have the potential to impact investors, the overall market, or the trading of individual securities, the Commission believes that these policies and procedures will help promote the maintenance of fair and orderly markets. The Commission believes that Rule 1001(b), which requires each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in a manner that complies with the Exchange Act and the rules and regulations thereunder and the entity's rules and governing documents, as applicable, will help to prevent the occurrence of systems compliance issues. In addition, the Commission believes Rule 1001(b) will help to: Ensure that SCI SROs comply with Section 19(b)(1) of the Exchange Act; reinforce existing SRO rule filing processes to assist market participants and the public in understanding how the SCI systems of SCI SROs are intended to operate; and assist SCI SROs in meeting their obligations to file plan amendments to SCI Plans under Rule 608 of Regulation NMS. It should similarly help other SCI entities to achieve operational compliance with the Exchange Act, the rules and regulations thereunder, and their governing documents. The requirement to establish policies and procedures pursuant to Rule 1001(c) that include the designation and documentation of responsible SCI personnel should help make it clear to all employees of the SCI entity who the designated responsible SCI personnel are for purposes of the escalation procedures and so that Commission staff [[Page 72372]] can easily identify such responsible SCI personnel in the course of its inspections and examinations and other interactions with SCI entities. The Commission also believes that escalation procedures to quickly inform responsible SCI personnel of potential SCI events will help ensure that the appropriate person(s) are provided notice of potential SCI events so that any appropriate actions can be taken in accordance with the requirements of Regulation SCI without unnecessary delay. The Commission believes that the requirement that SCI entities establish standards that require designated members or participants to participate in the testing of their business continuity and disaster recovery plans will help reduce the risks associated with an SCI entity's decision to activate its BC/DR plans and help to ensure that such plans operate as intended, if activated. The testing participation requirement should help an SCI entity to ensure that its efforts to develop effective BC/DR plans are not undermined by a lack of participation by members or participants that the SCI entity believes are necessary to the successful activation of such plans. This requirement should also assist the Commission in maintaining fair and orderly markets in a BC/DR scenario following a wide-scale disruption. 2. Notification, Dissemination, and Reporting Requirements for SCI Entities Adopted Rule 1002(b), including adopted Rules 1002(b)(1)-(3), will foster a system for comprehensive reporting of SCI events, which should enhance the Commission's review and oversight of U.S. securities market infrastructure and foster cooperation between the Commission and SCI entities in responding to SCI events. The Commission also believes that the aggregated data that will result from the reporting of SCI events will enhance its ability to comprehensively analyze the nature and types of various SCI events and identify more effectively areas of persistent or recurring problems across the systems of all SCI entities. The information in the final report required under Rule 1002(b)(4) should provide the Commission with a comprehensive analysis to more fully understand and assess the impact caused by the SCI event. The Commission expects that the quarterly reporting required by Rule 1002(b)(5) will better achieve the goal of keeping Commission staff informed regarding the nature and frequency of systems disruptions and systems intrusions that arise but are reasonably estimated by the SCI entity to have a de minimis impact on the entity's operations or on market participants. Further, submission and review of regular reports should facilitate Commission staff comparisons among SCI entities and thereby permit the Commission and its staff to have a more holistic view of the types of systems operations challenges that were posed to SCI entities in the aggregate. Adopted Rule 1002(c) advances the Commission's goal of promoting fair and orderly markets by disseminating information about an SCI event to some or all of the SCI entity's members or participants, who can use such information to evaluate the event's impact on their trading and other activities and develop an appropriate response. The quarterly material systems change reports required by Rule 1003(a) should permit the Commission and its staff to have up-to-date information regarding an SCI entity's systems development progress and plans, and help the Commission with its oversight of U.S. securities market infrastructure. The SCI reviews under Rule 1003(b) should not only assist the Commission in improving its oversight of the technology infrastructure of SCI entities, but also each SCI entity in assessing the effectiveness of its information technology practices, helping to ensure compliance with the safeguards provided by the requirements of Regulation SCI, identifying potential areas of weakness that require additional or modified controls, and determining where to best devote resources. Rule 1006 provides a uniform manner in which the Commission would receive--and SCI entities would provide--written notifications, reviews, descriptions, analyses, or reports made pursuant to Regulation SCI. The Commission believes that Rule 1006 therefore allows SCI entities to efficiently draft and submit the required reports, and for the Commission to efficiently review, analyze, and respond to the information provided. As noted above, in order to access EFFS, an SCI entity will submit to the Commission an EAUF to register each individual at the SCI entity who access the EFFS system on behalf of the SCI entity. The information provided via EAUF will be used by the Commission to verify the identity of the individual submitting Form SCI on behalf of the SCI entity and provide such individual access to the EFFS. 3. Requirements To Take Corrective Action and Identify Critical SCI Systems, Major SCI Events, De Minimis SCI Events, and Material Systems Changes The requirement that SCI entities begin to take appropriate corrective action upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, and the policies and procedures SCI entities would likely use to implement this requirement, should help facilitate SCI entities' responses to SCI events, including taking appropriate steps necessary to remedy the problem or problems causing such SCI event and mitigate the negative effects of the SCI event, if any, on market participants and the securities markets more broadly. The requirement that each SCI entity establish written criteria for identifying material systems changes should help the Commission ensure that it is kept apprised of the systems changes that SCI entities believe to be material and aid the Commission and its staff in understanding the operations and functionality of the systems of an SCI entity and any changes to such systems. The Commission expects that the application of different requirements (e.g., Commission notification requirements and information dissemination requirements) to critical SCI systems, major SCI events, and de minimis SCI events, and the policies and procedures required by SCI entities to make these determinations, will help to ensure that the Commission is kept apprised of SCI events, and that relevant market participants have basic information about SCI events so that those notified can better develop an appropriate response. These policies and procedures should also assist SCI entities in complying with the notification, dissemination and reporting requirements of Regulation SCI. 4. Recordkeeping Requirements Rule 1005 requires each SCI entity to make, keep, and preserve records relating to its compliance with Regulation SCI because such records should assist the Commission in understanding whether an SCI entity is meeting its obligations under Regulation SCI, assessing whether an SCI entity has appropriate policies and procedures with respect to its technology systems, helping to identify the causes and consequences of an SCI event, and understanding the types of material systems changes occurring at an SCI entity. The Commission expects that Rule 1005 will also facilitate the [[Page 72373]] Commission's inspections and examinations of SCI entities and assist it in evaluating an SCI entity's compliance with Regulation SCI. Moreover, having an SCI entity's records available even after it has ceased to do business or to be registered under the Exchange Act should provide an additional tool to help the Commission to reconstruct important market events and better understand the impact of such events. Rule 1007 should help ensure the Commission's ability to obtain required records that are held by a third party who may not otherwise have an obligation to make such records available to the Commission. C. Respondents The ``collection of information'' requirements contained in Regulation SCI apply to SCI entities, as described below. Currently, there are 27 entities that would satisfy the definition of SCI SRO,\1394\ 14 entities that would satisfy the definition of SCI ATS,\1395\ 2 entities that would satisfy the definition of plan processor,\1396\ and 1 entity that would meet the definition of exempt clearing agency subject to ARP.\1397\ Accordingly, the Commission estimates that there are currently 44 entities that meet the definition of SCI entity and are subject to the collection of information requirements of Regulation SCI. --------------------------------------------------------------------------- \1394\ See supra notes 74-77 and accompanying text (listing 18 registered national securities exchanges, 7 registered clearing agencies, FINRA, and the MSRB). See also supra note 80 and accompanying text. \1395\ See supra notes 150 and 175 and accompanying text. \1396\ See supra note 202 and accompanying text. \1397\ See supra note 203 and accompanying text. --------------------------------------------------------------------------- D. Total Initial and Annual Reporting and Recordkeeping Burdens The Commission notes that national securities exchanges, national securities associations, registered clearing agencies, plan processors, one ATS, and one exempt clearing agency currently participate in the ARP Inspection Program. Under the ARP Inspection Program, Commission staff conducts inspections of these entities, attends periodic technology briefings by staff of these entities, monitors planned significant systems changes, and responds to reports of systems failures, disruptions, and other systems problems of these entities.\1398\ --------------------------------------------------------------------------- \1398\ See supra Section II.A. --------------------------------------------------------------------------- Under Regulation SCI, many of the principles of the ARP policy statements with which some SCI entities are familiar are codified. As such, current practices of these SCI entities already comply with certain requirements of Regulation SCI.\1399\ However, because Regulation SCI has a broader scope than the current ARP Inspection Program and imposes mandatory recordkeeping obligations on SCI entities,\1400\ the Commission believes Regulation SCI will impose paperwork burdens on all SCI entities. --------------------------------------------------------------------------- \1399\ In addition, some SCI entities already comply with certain requirements of Regulation SCI to some extent as a matter of prudent business practice or pursuant to other rules. For example, as noted above, FINRA Rule 4370 includes requirements for FINRA members related to business continuity plans. See supra note 115. In addition, NASD Rule 3010 and FINRA Rule 3130 include requirements for FINRA members related to procedures to achieve compliance with applicable securities laws and regulations and certain SRO rules. See supra note 115. Further, FINRA Rule 4530 includes reporting requirements related to certain compliance issues. See supra note 115. Compliance with existing requirements under FINRA rules could help SCI ATSs to comply with Regulation SCI. Therefore, the Commission acknowledges that SCI ATSs may experience a lower paperwork burden in complying with certain provisions of Regulation SCI than some other SCI entities. However, unlike SCI entities that participate in the ARP Inspection Program (where in many instances the Commission has estimated a 50% reduction in SCI entity staff compliance burden as compared to other SCI entities when estimating paperwork costs with regard to Regulation SCI requirements due to participation in the ARP inspection program), the Commission believes that any reduction in burden resulting from compliance with these FINRA and NASD rules is unlikely to be significant. \1400\ As discussed more fully in supra Section IV.C.1, SCI SROs are already subject to existing recordkeeping and retention requirements under Rule 17a-1. --------------------------------------------------------------------------- The Commission's total burden estimates in this Paperwork Reduction Act section reflect the total burdens on all SCI entities, taking into account the extent to which some SCI entities already comply with some of the requirements of Regulation SCI. The Commission also notes that the burden estimates per SCI entity are intended to reflect the average paperwork burden for each SCI entity to comply with Regulation SCI. Therefore, some SCI entities may experience more burden than the Commission's estimates, while others may experience less. The Commission notes that the burden figures set forth in this section are the Commission's estimate of the paperwork burden for compliance with Regulation SCI based on a variety of sources, including Commission staff's experience with the current ARP Inspection Program, other similar estimated burdens for analogous rulemakings, and comments received on the burden estimates in the SCI Proposal.\1401\ --------------------------------------------------------------------------- \1401\ The Commission also notes that the allocation of burden hours between staff and managers of an SCI entity that are identified in this section is intended to reflect the Commission's estimate of the broad categories of SCI entity personnel who will be involved in compliance with Regulation SCI. The Commission recognizes that some SCI entities may have additional subcategories of staff or managers who will be involved in compliance with Regulation SCI (e.g., information security staff may be a subcategory of systems analysts), whereas other SCI entities may not have the specific categories of staff or managers that are identified in this section. --------------------------------------------------------------------------- 1. Requirements To Establish Written Policies and Procedures and Mandate Participation in Certain Testing The rules under Regulation SCI that would require an SCI entity to establish policies and procedures and to mandate member or participant participation in business continuity and disaster recovery plan testing are discussed more fully in Sections IV.B.1, IV.B.2, and IV.B.6 above. a. Policies and Procedures In the SCI Proposal, the Commission estimated that an SCI entity that has not previously participated in the ARP Inspection Program would require an average of 210 burden hours initially to develop and draft the policies and procedures required by proposed Rule 1000(b)(1) (except for the policies and procedures for standards that result in systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data) \1402\ and 60 hours annually to review and update such policies and procedures.\1403\ The Commission estimated that an SCI entity that currently participates in the ARP Inspection Program would require an average of 105 burden hours initially to develop and draft such policies and procedures \1404\ and 30 hours annually [[Page 72374]] to review and update such policies and procedures.\1405\ With respect to the requirement in proposed Rule 1000(b)(1) for policies and procedures that provide for standards that result in systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data, the Commission estimated that each SCI entity would spend 130 hours annually.\1406\ In the SCI Proposal, the Commission also estimated that all SCI entities would conduct most of the work associated with proposed Rule 1000(b)(1) internally.\1407\ However, the Commission estimated that SCI entities would seek outside legal and/or consulting services in the initial preparation of the policies and procedures at an average cost of $20,000 per SCI entity.\1408\ --------------------------------------------------------------------------- \1402\ See Proposing Release, supra note 13, at 18145. The 210 burden hours included 80 hours by a Compliance Manager (including senior management review), 80 hours by an Attorney, 25 hours by a Senior Systems Analyst, and 25 hours by an Operations Specialist. See id. at 18146. This estimate was based on Commission staff's experience with the ARP Inspection Program and the Commission's preliminary estimate in the SB SDR Proposing Release for a similar requirement. See id. at 18145, n. 365. \1403\ See Proposing Release, supra note 13, at 18146. The 60 burden hours included 30 hours by a Compliance Manager and 30 hours by an Attorney. See id. This estimate was based on Commission staff's experience with the ARP Inspection Program and the Commission's preliminary estimate in the SB SDR Proposing Release for a similar requirement. See id. at 18146, n. 377. \1404\ See Proposing Release, supra note 13, at 18145. The 105 burden hours included 40 hours by a Compliance Manager (including senior management review), 40 hours by an Attorney, 12.5 hours by a Senior Systems Analyst, and 12.5 hours by an Operations Specialist. See id. at 18146. The Commission stated its belief that a fifty percent baseline for SCI entities that participate in the ARP Inspection Program is appropriate because, although these entities already have substantial policies and procedures in place, the rule would require these entities to devote substantial time to review and revise their existing policies and procedures to ensure that they are sufficiently robust. See id. at 18145. \1405\ See Proposing Release, supra note 13, at 18146. The 30 burden hours included 15 hours by a Compliance Manager and 15 hours by an Attorney. See id. \1406\ See Proposing Release, supra note 13, at 18145. The 130 burden hours included 30 hours by a Compliance Attorney and 100 hours by a Senior Systems Analyst. See id. at 18146. This estimate was based on Commission staff's experience with the ARP Inspection Program. See id. at 18145, n. 371. The Commission noted in the SCI Proposal that this proposed requirement was not addressed by the ARP Inspection Program. See id. at 18145. \1407\ See Proposing Release, supra note 13, at 18145. \1408\ See id. --------------------------------------------------------------------------- With respect to proposed Rule 1000(b)(2), the Commission estimated that each SCI entity would elect to comply with the proposed safe harbor provisions.\1409\ The Commission estimated that each SCI entity would spend 180 hours initially to design the policies and procedures accordingly.\1410\ The Commission estimated that each SCI SRO would spend approximately 120 hours annually to review and update such policies and procedures,\1411\ and that each SCI entity that is not an SRO would spend approximately 60 hours to review and update such policies and procedures.\1412\ In the SCI Proposal, the Commission also estimated that all SCI entities would conduct most of the work associated with proposed Rule 1000(b)(2) internally.\1413\ However, the Commission estimated that SCI entities would seek outside legal and/or consulting services in the initial preparation of the policies and procedures at an average cost of $20,000 per SCI entity.\1414\ --------------------------------------------------------------------------- \1409\ See id. at 18146, and proposed Rules 1000(b)(2)(ii) and (iii). \1410\ See id. at 18146. The 180 burden hours included 30 hours by a Compliance Attorney and 150 hours by a Senior Systems Analyst. See id. This estimate was based on Commission staff's experience with the ARP Inspection Program and OCIE examinations, which review policies and procedures of registered entities in conjunction with examinations of such entities for compliance with the federal securities laws. See id. at 18146, n. 383. \1411\ See id. at 18146. The 120 burden hours included 20 hours by a Compliance Attorney and 100 hours by a Senior Systems Analyst. See id. This estimate was based on Commission staff's experience with the ARP Inspection Program. See id. at 18146, n. 384. \1412\ See id. at 18146. The 60 burden hours included 10 hours by a Compliance Attorney and 50 hours by a Senior Systems Analyst. See id. \1413\ See id. at 18145. \1414\ See id. --------------------------------------------------------------------------- Several commenters noted that the Commission underestimated the paperwork burden of proposed Rules 1000(b)(1) and (b)(2). One commenter noted that the systems covered by proposed Rules 1000(b)(1) and (b)(2) are very complex and a first draft of the required policies and procedures would take far more than the estimated number of hours to complete and keep up-to-date.\1415\ With respect to proposed Rule 1000(b)(2), this commenter stated that the breadth of the rule is extremely comprehensive because it requires policies and procedures that are designed to ensure that SCI systems ``comply with the federal securities laws and rules and regulations thereunder'' and operate ``in the manner intended.'' \1416\ --------------------------------------------------------------------------- \1415\ See Omgeo Letter at 31-32, 34. According to this commenter, the implementation of its current information security policy framework and related standards took approximately 18 months and over 1600 work hours to put in place. See id. This commenter noted that proposed Rule 1000(b)(1) would be far more labor and resource intensive because security is just one of the proposed seven areas of policy and standards development this new rule would require. See id. \1416\ See id. at 34. --------------------------------------------------------------------------- Another commenter noted that the hour burdens did not take into account the appropriate level of management review in connection with the development of the policies and procedures.\1417\ This commenter also noted that policies and procedures developed to achieve compliance with Regulation SCI can potentially impact other areas of the SCI entity and other SCI entities, and therefore an SCI entity would broadly review the policies and procedures to ensure that they do not conflict with other policies, procedures, practices, and processes and revise the policies and procedures accordingly.\1418\ Therefore, this commenter argued that the Commission did not include adequate estimates for the substantial amount of time required by senior management and others in the organization, as well as the persons identified in the SCI Proposal, in: Understanding the breadth and depth of the requirements established by proposed Regulation SCI; determining which systems of the SCI entity fall into the various categories of systems described in proposed Regulation SCI; assessing, growing and potentially reorganizing large portions of the SCI entity's workforce to align with the requirements of proposed Regulation SCI; and establishing and conducting extensive training curriculum to ensure appropriate personnel fully understand their new or changed duties; and any number of other collateral effects of the new requirements.\1419\ This commenter suggested that a more accurate estimate of the paperwork burden from proposed Rule 1000(b)(1) would be three to four times the estimate in the SCI Proposal, and the allocation of the burden hours should be weighted more heavily toward more senior staff of the organization.\1420\ --------------------------------------------------------------------------- \1417\ See MSRB Letter at 28-29. This commenter stated that the Commission placed too much reliance on its experience with the ARP Inspection Program, which was ``a voluntary program that did not create potential legal liabilities for non-compliance, and may not take into account the heightened need for high-level supervision that a rule-based requirement would entail.'' See id. at 29. See also infra Sections IV.B.3.c and VI.C.2.b (discussing the Commission's view on the potential for liability resulting from requirements under Regulation SCI). See also Omgeo Letter at 32 (noting that the estimate of 210 hours for proposed Rule 1000(b)(1) is unrealistic because the estimate should include not only the drafting of the required policies and procedures, but also their review and approval by senior management) and 35 (noting that the burden estimate of proposed Rule 1000(b)(2) does not reflect the review and direction of senior managers); and CME Letter at 3, n. 5. \1418\ See MSRB Letter at 29. \1419\ See id. at 30. \1420\ See id. --------------------------------------------------------------------------- One commenter stated that the 50% baseline for SCI entities that are currently under the ARP Inspection Program does not account for the significant expansion of the requirements if the definition of SCI system is construed broadly, and as a result, the burden estimates may be too low.\1421\ --------------------------------------------------------------------------- \1421\ See FINRA Letter at 7. --------------------------------------------------------------------------- One commenter agreed with the Commission that ongoing paperwork burdens for compliance with proposed Rules 1000(b)(1) and (b)(2) should be lower than the initial burden.\1422\ However, this commenter stated that the estimated ongoing burden is understated, but likely to a lesser extent than with respect to the initial burden.\1423\ Another commenter also noted that, given the complexity of the [[Page 72375]] underlying systems and the requirements of proposed Rule 1000(b)(1), significantly more effort and time will be required on an ongoing basis to comply with that rule.\1424\ --------------------------------------------------------------------------- \1422\ See MSRB Letter at 31. \1423\ See id. \1424\ See Omgeo Letter at 32, n. 63. --------------------------------------------------------------------------- One commenter noted that the establishment of the policies and procedures under proposed Rules 1000(b)(1) and (b)(2) would not be conducive to outsourcing, although an SCI entity might incur some cost for outside counsel for consultation purposes.\1425\ On the other hand, another commenter argued that the Commission's burden estimate for proposed Rule 1000(b)(1) ``is inaccurate because of its mistaken assumption that SCI entities would not seek guidance from outside consultants and attorneys.'' \1426\ This commenter noted that, given the rates charged by large law firms and consulting firms, an estimate of approximately $100,000 for each exempt clearing agency subject to ARP is more realistic than the $20,000 estimated in the SCI Proposal.\1427\ This commenter similarly noted that the burden estimate for proposed Rule 1000(b)(2) failed to account for the costs associated with using outside counsel or an outside consulting firm to help draft the policies and procedure.\1428\ --------------------------------------------------------------------------- \1425\ See MSRB Letter at 31. \1426\ See Omgeo Letter at 32. \1427\ See id. at 32, n. 64. \1428\ See id. at 35. --------------------------------------------------------------------------- As discussed in detail above in Sections IV.B.1 and IV.B.2, the Commission is adopting proposed Rules 1000(b)(1) and (b)(2) as Rules 1001(a) and (b), respectively, with certain modifications. As adopted, Rule 1001(a)(1), consistent with the proposal, requires each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity's operational capability and promote the maintenance of fair and orderly markets. Adopted Rule 1001(a)(2), consistent with the proposal, provides the minimum required elements of such policies and procedures. Some of these elements were modified from the proposal,\1429\ and one adopted element was not included in the proposal.\1430\ --------------------------------------------------------------------------- \1429\ See, e.g., Rules 1001(a)(2)(i) (requiring policies and procedures with respect to the establishment of reasonable current and future ``technological infrastructure capacity planning estimates'' rather than simply ``capacity planning estimates''); 1001(a)(2)(iv) (requiring policies and procedures with respect to ``regular reviews and testing, as applicable,'' of systems to identify vulnerabilities rather than ``regular reviews and testing'' of systems); and 1001(a)(2)(v) (requiring policies and procedures with respect to business continuity and disaster recovery plans that are ``reasonably designed to achieve'' next business day resumption of trading and two-hour resumption of ``critical SCI systems'' rather than ``to ensure'' next business day resumption of trading and two-hour resumption of ``clearance and settlement services''). See also supra Section IV.B.1.b.ii (discussing modifications from the SCI Proposal in adopted Rule 1001(a)(2)). \1430\ See Rule 1001(a)(2)(vii) (requiring policies and procedures with respect to monitoring of systems to identify potential SCI events). --------------------------------------------------------------------------- As compared to proposed Rule 1000(b)(2), which required written policies and procedures reasonably designed to ensure that SCI systems operate ``in the manner intended, including in a manner that complies with the federal securities laws,'' adopted Rule 1001(b)(1) requires an SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in a manner that complies with the Exchange Act and the rules and regulations thereunder, and the entity's rules and governing documents, as applicable.\1431\ Further, rather than adopting the proposed safe harbor for SCI entities, Rule 1001(b)(2) provides the minimum required elements of such policies and procedures. Some of these elements were modified from the proposed safe harbor elements,\1432\ and one element of the proposed safe harbor is not included in Rule 1001(b)(2).\1433\ --------------------------------------------------------------------------- \1431\ See supra Section IV.B.2.a. \1432\ See Rules 1001(b)(2)(iii) (requiring policies and procedures with respect to ``a plan for assessments'' of systems compliance rather than both ``ongoing monitoring'' and ``assessments'' of systems compliance) and 1001(b)(2)(iv) (requiring policies and procedures with respect to ``a plan of coordination and communication between regulatory and other personnel of the SCI entity, including by responsible SCI personnel'' regarding SCI systems rather than ``review by regulatory personnel of SCI systems''). See also supra Section IV.B.2.c (discussing modifications from the SCI Proposal in adopted Rule 1001(b)(2)). \1433\ See proposed Rule 1000(b)(2)(ii)(A)(2) (periodic testing of all SCI systems and any changes to such systems after their implementation). --------------------------------------------------------------------------- With respect to the view of a commenter that the systems covered by proposed Rules 1000(b)(1) and (2) are very complex and that the Commission underestimated the burdens associated with completing and updating the required policies and procedures,\1434\ the Commission believes that most, if not all, SCI entities already have some policies and procedures related to systems capacity, integrity, resiliency, availability, security, and compliance, although such policies and procedures differ in a variety of respects from the requirements under Regulation SCI. Also, in adopting Regulation SCI, the Commission has reduced the burdens for proposed Rules 1000(b)(1) and (2) from the SCI Proposal in a variety of ways, including by, for example: Refining the definition of SCI systems; more explicitly recognizing that some systems pose greater risk than others to the maintenance of fair and orderly markets and imposing obligations that allow for risk-based considerations; and providing that staff guidance on current SCI industry standards be characterized as providing examples of publications describing processes, guidelines, frameworks, or standards for an SCI entity to consider looking to in developing reasonable policies and procedures, rather than strictly as listing industry standards. At the same time, the Commission acknowledges commenters' feedback with respect to the burden of the rules and thus is doubling the burden estimates for the policies and procedures under Rules 1000(b)(1) and (2).\1435\ The Commission notes that, as part of this approach, it doubled the ongoing burden estimates in part in response to comment stating that significantly more effort and time will be required on an ongoing basis to comply with proposed Rule 1000(b)(1).\1436\ --------------------------------------------------------------------------- \1434\ See supra note 1415 and accompanying text. As noted above, one commenter stated that its current information security policy framework and related standards took over 1,600 hours to put in place, and that security is just one of the seven areas of policies and standards proposed to be required. See supra note 1415. The Commission notes that, to the extent an SCI entity already has adequate policies and procedures in place with respect to systems capacity, integrity, resiliency, availability, security, and compliance, Rules 1001(a) and (b) will not impose significant additional paperwork burden on the entity. \1435\ In response to the commenter that suggested the initial burden for proposed Rule 1000(b)(1) would be three to four times that estimated in the SCI Proposal, the Commission believes that because it further focused the requirements associated with proposed Rules 1000(b)(1) and (2) in a variety of ways described above, resulting in reduced burden estimates as compared to the SCI Proposal, the commenter's estimate based on the proposal is too high. See supra note 1420. Based on Commission staff experience, the Commission believes it is more appropriate to double the estimated initial SCI entity staff burden and also add senior management time. \1436\ See supra note 1424. --------------------------------------------------------------------------- As noted above, some commenters noted that the policies and procedures could potentially impact other areas of the SCI entity and other SCI entities, and therefore would result in more burden hours to ensure that the policies and procedures do not conflict with other policies, procedures, practices, and processes, and would require greater involvement of senior management and others in an SCI [[Page 72376]] entity.\1437\ Similarly, some commenters noted that the establishment, maintenance, and enforcement of the policies and procedures would involve senior management review.\1438\ The Commission agrees with these comments and is adjusting the estimated paperwork burden. Specifically, in the SCI Proposal, the Commission included senior management review as part of its estimated burden hours for Compliance Managers in connection with the policies and procedures requirements under Rules 1001(a) and (b).\1439\ However, in response to comments and based on Commission staff experience, the Commission is additionally including burden estimates for a Director of Compliance (10 hours initially, 5 hours annually) and Chief Compliance Officer \1440\ (20 hours initially, 10 hours annually) with respect to both Rules 1001(a) and (b).\1441\ The Commission reiterates that these estimates are averages across all SCI entities--some SCI entities may spend more hours in connection with the establishment, maintenance, and enforcement of the policies and procedures than the Commission's estimates, while others may spend less.\1442\ Each SCI entity is required to determine for itself what is required for its staff and senior managers to do in order for the SCI entity to comply with Rules 1001(a) and (b). --------------------------------------------------------------------------- \1437\ See supra notes 1418-1419 and accompanying text. \1438\ See supra notes 1417, 1419, and 1420 and accompanying text. According to one commenter, the Commission's burden estimates for the policies and procedures did not account for the time required to determine which systems would fall into the various categories of systems. See supra note 1419 and accompanying text. The Commission disagrees with this view and notes that the burden of identifying various types of systems and events are discussed below in Section V.D.3. In addition, this commenter expressed concern that the Commission's estimates did not account for assessing, growing, and reorganizing an SCI entity's workforce; establishing and conducting training; and other collateral effects of the new requirements. See supra note 1419 and accompanying text. As discussed throughout this section, the Commission has increased the burden estimates for Rules 1001(a) and (b) in response to comments. \1439\ See supra note 1402. \1440\ The Chief Compliance Officer burden estimates include the time spent by other senior officers, including Chief Information Officers and Chief Information Security Officers, as appropriate for a particular requirement under Regulation SCI. \1441\ In estimating the number of burden hours to be spent by senior management, the Commission is not making a distinction between SCI entities that currently participate in the ARP Inspection Program and SCI entities that do not. In contrast to the Commission's estimate with regard to non-senior staff of SCI entities that currently participate in the ARP Inspection Program, who the Commission believes could be subject to less burden in drafting the policies and procedures because these SCI entities already have certain policies and procedures in place, the Commission believes that all senior management, regardless of whether an SCI entity participates in the ARP Inspection Program, would require a similar number of hours to review such policies and procedures to ensure compliance with Regulation SCI. \1442\ For example, some SCI entities have more complex systems than others, and current practices of some SCI entities already comply with certain requirements of Regulation SCI to some extent. --------------------------------------------------------------------------- After considering the views of commenters, and because Rule 1001(a) requires an additional element to be included in the policies and procedures (i.e., monitoring of systems to identify SCI events), the Commission estimates that an SCI entity that has not previously participated in the ARP Inspection Program would require an average of 534 burden hours initially to develop and draft the policies and procedures required by that rule (except for the policies and procedures for standards that result in systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data, which is discussed below),\1443\ or 7,476 hours for all such SCI entities.\1444\ The Commission estimates that an SCI entity that has not previously participated in the ARP Inspection Program would require an average of 159 hours annually to review and update such policies and procedures,\1445\ or 2,226 hours for all such SCI entities.\1446\ --------------------------------------------------------------------------- \1443\ As noted above, the Commission is doubling its estimate of the burden for staff of SCI entities. 210 hours x 2 = 420 hours. 420 hours / 5 x 6 = 504 hours to establish policies and procedures that contain six elements, as opposed to the five in the SCI Proposal. The 504 burden hours include 192 hours by a Compliance Manager, 192 hours by an Attorney, 60 hours by a Senior Systems Analyst, and 60 hours by an Operations Specialist. This burden hour allocation is based on the allocation in the SCI Proposal. See Proposing Release, supra note 13, at 18146. As noted above, as compared to the proposal, the Commission is estimating an additional 20 hours by a Chief Compliance Officer and 10 hours by a Director of Compliance to reflect the views of commenters that compliance with the proposed policies and procedures requirements would require greater senior management involvement. See supra notes 1440-1441 and accompanying text. 504 hours + Chief Compliance Officer at 20 hours + Director of Compliance at 10 hours = 534 hours. \1444\ As noted above, all of the national securities exchanges (18), national securities associations (1), registered clearing agencies (7), and plan processors (2) currently participate on a voluntary basis in the ARP Inspection Program. In addition, 1 ATS and 1 exempt clearing agency subject to ARP participate in the ARP Inspection Program, for a total of 30 SCI entities that currently participate in the ARP Inspection Program. Therefore, 14 SCI entities do not participate in the ARP Inspection Program. 534 hours x 14 SCI entities that do not participate in the ARP Inspection Program = 7,476 hours. \1445\ As noted above, the Commission is doubling its estimate of the burden for staff of SCI entities. 60 hours x 2 = 120 hours. 120 hours / 5 x 6 = 144 hours annually to review and update policies and procedures that contain six elements, as opposed to the five in the SCI Proposal. The 144 burden hours include 57 hours by a Compliance Manager, 57 hours by an Attorney, 15 hours by a Senior Systems Analyst, and 15 hours by an Operations Specialist. As compared to the proposal, the Commission is additionally allocating burden hours to Senior Systems Analysts and Operations Specialists. Also, as noted above, as compared to the proposal, the Commission is estimating an additional 10 hours by a Chief Compliance Officer and 5 hours by a Director of Compliance to reflect the views of commenters that compliance with the proposed policies and procedures requirements would require greater senior management involvement. See supra notes 1440-1441 and accompanying text. 144 hours + Chief Compliance Officer at 10 hours + Director of Compliance at 5 hours = 159 hours. \1446\ 159 hours x 14 SCI entities that do not participate in the ARP Inspection Program = 2,226 hours. The Commission believes that the increases in the ongoing burden estimates for Rules 1001(a) and (b) are consistent with the comment that the Commission underestimated the ongoing burdens associated with proposed Rules 1000(b)(1) and (2), but to a lesser extent than with respect to the initial burden. See supra notes 1423-1424 and accompanying text. --------------------------------------------------------------------------- With respect to SCI entities that currently participate in the ARP Inspection Program, the Commission continues to believe that a 50% percent baseline for these SCI entities in terms of staff burden hours is appropriate because although these entities already have substantial policies and procedures in place, the rule would require these entities to devote substantial time to review and revise their existing policies and procedures to ensure that they meet all of the rule requirements.\1447\ However, the Commission does not believe that a 50% baseline would be appropriate for these SCI entities in terms of senior management review of the policies and procedures. Specifically, as noted above, Commission believes that, although these entities already have substantial policies and procedures in place, senior management of all SCI entities, regardless of whether an SCI entity currently participates in the ARP Inspection Program, would require a similar number of hours to review the SCI entity's policies and procedures to ensure compliance with the new requirements under Regulation SCI.\1448\ --------------------------------------------------------------------------- \1447\ With respect to a commenter's view that the 50% baseline does not account for the significant expansion of the requirements, the Commission notes that the 50% baseline merely indicates the difference between the level of burden imposed on SCI entities that participate in the ARP Inspection Program and SCI entities that do not. See supra note 1421 and accompanying text. As discussed above, the Commission has increased its burden estimates in response to comments. \1448\ See supra note 1441. --------------------------------------------------------------------------- [[Page 72377]] The Commission estimates that an SCI entity that currently participates in the ARP Inspection Program would require an average of 282 burden hours initially to develop and draft the policies and procedures required by Rule 1001(a) (except for the policies and procedures for standards that result in systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data),\1449\ or 8,460 hours for all such SCI entities.\1450\ The Commission estimates that an SCI entity that currently participates in the ARP Inspection Program would require an average of 87 hours annually to review and update such policies and procedures,\1451\ or 2,610 hours for all such SCI entities.\1452\ --------------------------------------------------------------------------- \1449\ As noted above, the Commission is doubling its estimate of the burden for staff of SCI entities. 105 hours x 2 = 210 hours. 210 hours / 5 x 6 = 252 hours to establish policies and procedures that contain six elements, as opposed to the five in the SCI Proposal. The 252 burden hours include 96 hours by a Compliance Manager, 96 hours by an Attorney, 30 hours by a Senior Systems Analyst, and 30 hours by an Operations Specialist. This burden hour allocation is based on the allocation in the SCI Proposal. See Proposing Release, supra note 13, at 18146. As noted above, as compared to the proposal, the Commission is estimating an additional 20 hours by a Chief Compliance Officer and 10 hours by a Director of Compliance to reflect the views of commenters that compliance with the proposed policies and procedures requirements would require greater senior management involvement. See supra notes 1440-1441 and accompanying text. 252 hours + Chief Compliance Officer at 20 hours + Director of Compliance at 10 hours = 282 hours. \1450\ 282 hours x 30 SCI entities that participate in the ARP Inspection Program = 8,460 hours. \1451\ As noted above, the Commission is doubling its estimate of the burden for staff of SCI entities. 30 hours x 2 = 60 hours. 60 hours / 5 x 6 = 72 hours to review and update policies and procedures that contain six elements, as opposed to the five in the SCI Proposal. The 72 burden hours include 28 hours by a Compliance Manager, 28 hours by an Attorney, 8 hours by a Senior Systems Analyst, and 8 hours by an Operations Specialist. As compared to the proposal, the Commission is additionally allocating burden hours to Senior Systems Analysts and Operations Specialists. Also, as noted above, as compared to the proposal, the Commission is estimating an additional 10 hours by a Chief Compliance Officer and 5 hours by a Director of Compliance to reflect the views of commenters that compliance with the proposed policies and procedures requirements would require greater senior management involvement. See supra notes 1440-1441 and accompanying text. 72 hours + Chief Compliance Officer at 10 hours + Director of Compliance at 5 hours = 87 hours. \1452\ 87 hours x 30 SCI entities that participate in the ARP Inspection Program = 2,610 hours. --------------------------------------------------------------------------- With respect to the requirement in Rule 1001(a)(2)(vi) for policies and procedures that provide for standards that result in systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data, the Commission estimates that each SCI entity would spend 160 hours initially,\1453\ or 7,040 hours for all SCI entities.\1454\ The Commission estimates that each SCI entity would spend 145 hours annually,\1455\ or 6,380 hours annually for all SCI entities.\1456\ --------------------------------------------------------------------------- \1453\ This estimate includes 130 hours by staff of an SCI entity, as estimated in the SCI Proposal, and 30 hours by senior management. The 130 burden hours include 30 hours by a Compliance Attorney and 100 hours by a Senior Systems Analyst. See Proposing Release, supra note 13, at 18146. This burden hour allocation is based on the allocation in the SCI Proposal. See Proposing Release, supra note 13, at 18146. As noted above, as compared to the proposal, the Commission is estimating an additional 20 hours by a Chief Compliance Officer and 10 hours by a Director of Compliance to reflect the views of commenters that compliance with the proposed policies and procedures requirements would require greater senior management involvement. See supra notes 1440-1441 and accompanying text. 130 hours + Chief Compliance Officer at 20 hours + Director of Compliance at 10 hours = 160 hours. Unlike the burden estimates for complying with the rest of Rule 1001(a), the Commission does not believe it would be appropriate to double its proposed 130 hour staff burden estimate for Rule 1001(a)(2)(vi). Based on Commission staff experience, the Commission believes that these policies and procedures would not be so complex as to result in doubling the proposed burden estimate. The Commission also notes that the burden estimate for Rule 1001(a)(2)(vi) is already significantly higher than the estimated burden for the other individual policies and procedures required under Rule 1001(a)(2). In particular, the Commission estimates 160 hours for this one provision and 534 hours in total for the six other provisions of Rule 1001(a)(2) for non-ARP participants (which results in approximately 89 hours for each of those six other provisions). \1454\ 160 hours x 44 SCI entities = 7,040 hours. \1455\ This estimate includes 130 hours by staff of an SCI entity, as estimated in the SCI Proposal, and 15 hours by senior management. The 130 burden hours include 30 hours by a Compliance Attorney and 100 hours by a Senior Systems Analyst. See Proposing Release, supra note 13, at 18146. 130 hours + Chief Compliance Officer at 10 hours + Director of Compliance at 5 hours = 145 hours. \1456\ 145 hours x 44 SCI entities = 6,380 hours. --------------------------------------------------------------------------- As noted above, one commenter argued that, given the rates charged by large law firms and consulting firms, an estimate of $100,000 is more appropriate for the cost of outsourcing under proposed Rule 1000(b)(1).\1457\ After considering the view of this commenter and because the Commission is increasing its estimated burden hours for compliance with Rule 1001(a), the Commission is similarly increasing its estimate of the outsourcing cost for complying with Rule 1001(a). In particular, because the Commission doubled the non-senior staff burden estimate for Rule 1001(a) in response to comments that the Commission underestimated the burden in the proposal, the Commission believes it is appropriate to similarly double its estimate of the outsourcing cost for complying with Rule 1001(a). As noted above in the context of the burden estimate for Rule 1001(a), the Commission believes that, by doubling its outsourcing cost estimate, the Commission has incorporated the views of commenters that the Commission underestimated the burden, and at the same time accounted for changes to the proposal that reduce the burden from the SCI Proposal. Further, the Commission acknowledges that some SCI entities may have more complex systems and policies and procedures, may outsource more of the work associated with the policies and procedures,\1458\ or may outsource the work to more expensive law firms and consulting firms than others. Therefore, the Commission believes that while some SCI entities may incur more outsourcing cost than the Commission's estimate, other SCI entities may incur less than the Commission's estimate. The Commission does not believe that a commenter's $100,000 estimate is more appropriate given that there will be differences among SCI entities in the extent of outsourcing and in the rates of outside firms. --------------------------------------------------------------------------- \1457\ See supra note 1427 and accompanying text. This commenter also argued that the Commission mistakenly assumed that SCI entities would not seek guidance from outside consultants or attorneys. See supra note 1426 and accompanying text. However, the Commission did account for outsourcing cost in the SCI Proposal and does so here, as well. \1458\ For example, smaller SCI entities may not have the same level of in-house expertise as larger SCI entities. --------------------------------------------------------------------------- Because Rule 1001(a) requires an additional element to be included in the policies and procedures as compared to proposed Rule 1000(b)(1) (i.e., monitoring of systems to identify SCI events), the Commission now estimates that on average, each SCI entity would seek outside legal and/or consulting services in the initial preparation of the policies and procedures at a cost of approximately $47,000,\1459\ or $2,068,000 for all SCI entities.\1460\ --------------------------------------------------------------------------- \1459\ As noted above, the Commission is doubling its estimate of the outsourcing cost for SCI entities. $20,000 x 2 = $40,000. The Commission is also revising this cost estimate to reflect that Rule 1001(a) requires seven specific elements to be included in the policies and procedures, as opposed to the six in the proposed rule. $40,000 / 6 x 7 = $46,667. \1460\ $47,000 x 44 SCI entities = $2,068,000. --------------------------------------------------------------------------- With respect to the view of a commenter that the Commission underestimated the paperwork burden under proposed Rule 1000(b)(2) because that rule is extremely extensive,\1461\ the Commission notes that, as adopted, Rule 1001(b) requires policies and procedures to be reasonably designed to ensure, in part, that SCI systems ``operate in a manner that complies with [[Page 72378]] the Act and the rules and regulations thereunder.'' As adopted, this rule no longer refers to compliance with ``the federal securities laws and rules and regulations thereunder'' and operation ``in the manner intended.'' Nevertheless, as noted above, after considering the views of commenters that the Commission underestimated the paperwork burden under proposed Rule 1000(b)(2), the Commission is doubling its estimates from the proposal (which were focused on the burden for SCI entity staff), and is increasing its estimates to account for senior management review of the policies and procedures. --------------------------------------------------------------------------- \1461\ See supra note 1416. --------------------------------------------------------------------------- The Commission now estimates that each SCI entity would spend 270 hours initially to design the systems compliance policies and procedures,\1462\ or 11,880 hours for all SCI entities.\1463\ The Commission estimates that each SCI SRO would spend approximately 175 hours annually to review and update such policies and procedures,\1464\ or 4,725 hours for all SCI SROs.\1465\ The Commission estimates that each SCI entity that is not an SRO would spend approximately 95 hours to review and update such policies and procedures,\1466\ or 1,615 hours for all such SCI entities.\1467\ --------------------------------------------------------------------------- \1462\ As noted above, the Commission is doubling its estimate of the burden for staff of SCI entities. 180 hours x 2 = 360 hours. 360 hours / 6 x 4 = 240 hours to establish policies and procedures that contain four elements at a minimum, as opposed to the six in the SCI Proposal. The 240 burden hours include 40 hours by a Compliance Attorney and 200 hours by a Senior Systems Analyst. This burden hour allocation is based on the allocation in the SCI Proposal. See Proposing Release, supra note 13, at 18146. As noted above, as compared to the proposal, the Commission is estimating an additional 20 hours by a Chief Compliance Officer and 10 hours by a Director of Compliance to reflect the views of commenters that compliance with the proposed policies and procedures requirements would require greater senior management involvement. See supra notes 1440-1441 and accompanying text. 240 hours + Chief Compliance Officer at 20 hours + Director of Compliance at 10 hours = 270 hours. \1463\ 270 hours x 44 SCI entities = 11,880 hours. \1464\ As noted above, the Commission is doubling its estimate of the burden for staff of SCI entities. 120 hours x 2 = 240 hours. 240 hours / 6 x 4 = 160 hours to review and update policies and procedures that contain four elements at a minimum, as opposed to the six in the SCI Proposal. The 160 burden hours include 26 hours by a Compliance Attorney and 134 hours by a Senior Systems Analyst. This burden hour allocation is based on the allocation in the SCI Proposal. See Proposing Release, supra note 13, at 18146. As noted above, as compared to the proposal, the Commission is estimating an additional 10 hours by a Chief Compliance Officer and 5 hours by a Director of Compliance to reflect the views of commenters that compliance with the proposed policies and procedures requirements would require greater senior management involvement. See supra notes 1440-1441 and accompanying text. 160 hours + Chief Compliance Officer at 10 hours + Director of Compliance at 5 hours = 175 hours. \1465\ 175 hours x 27 SCI SROs = 4,725 hours. \1466\ As noted above, the Commission is doubling its estimate of the burden for staff of SCI entities. 60 hours x 2 = 120 hours. 120 hours / 6 x 4 = 80 hours to review and update policies and procedures that contain four elements at a minimum, as opposed to the six in the SCI Proposal. The 80 burden hours include 14 hours by a Compliance Attorney and 66 hours by a Senior Systems Analyst. This burden hour allocation is based on the allocation in the SCI Proposal. See Proposing Release, supra note 13, at 18146. 80 hours + Chief Compliance Officer at 10 hours + Director of Compliance at 5 hours = 95 hours. \1467\ 95 hours x 17 non-SRO SCI entities = 1,615 hours. --------------------------------------------------------------------------- As noted above, similar to the burden estimates for proposed Rule 1000(b)(1), one commenter argued that the Commission underestimated the outsourcing cost under proposed Rule 1000(b)(2).\1468\ Similar to the discussion above related to Rule 1001(a),\1469\ after considering the view of this commenter and because the Commission is increasing its estimated burden hours for compliance with Rule 1001(b), the Commission is doubling its estimate of the outsourcing cost for complying with Rule 1001(b). The Commission now estimates that on average, each SCI entity would seek outside legal and/or consulting services in the initial preparation of the policies and procedures at a cost of approximately $27,000,\1470\ or $1,188,000 for all SCI entities.\1471\ --------------------------------------------------------------------------- \1468\ See supra note 1428 and accompanying text. \1469\ See supra notes 1457-1458 and accompanying text. \1470\ As noted above, the Commission is doubling its estimate of the outsourcing cost for SCI entities. $20,000 x 2 = $40,000. The Commission is also revising this cost estimate to reflect that Rule 1001(b) will result in the inclusion of at least four elements in the policies and procedures, as opposed to the six in the proposed rule. $40,000 / 6 x 4 = $26,667. \1471\ $27,000 x 44 SCI entities = $1,188,000. --------------------------------------------------------------------------- Adopted Rules 1001(a)(3) and (b)(3) explicitly require each SCI entity to periodically review the effectiveness of the policies and procedures required by Rules 1001(a) and (b), respectively, and to take prompt action to remedy deficiencies in such policies and procedures. The Commission notes that the paperwork burden related to the review of the policies and procedures, and remedying deficiencies in policies and procedures, is included in the estimated annual ongoing burden of Rules 1001(a) and (b). Rule 1001(c)(1), which was not included in the proposal, requires each SCI entity to establish, maintain, and enforce reasonably designed written policies and procedures that include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel,\1472\ and escalation procedures to quickly inform responsible SCI personnel of potential SCI events. Like adopted Rules 1001(a)(3) and (b)(3), Rule 1001(c) requires each SCI entity periodically to review the effectiveness of these policies and procedures and to take prompt action to remedy deficiencies in policies and procedures. The Commission estimates that each SCI entity would require 114 hours initially to establish the criteria for identifying responsible SCI personnel and the escalation procedures,\1473\ or 5,016 hours for all SCI entities.\1474\ The Commission also estimates that each SCI entities would require 39 hours annually to review and update the criteria and the escalation procedures,\1475\ or 1,716 hours for all [[Page 72379]] SCI entities.\1476\ The Commission believes that SCI entities will internally establish and maintain the policies and procedures required by Rule 1001(c) because these policies and procedures relate to internal personnel designations and internal processes. --------------------------------------------------------------------------- \1472\ The paperwork burden associated with the documentation of responsible SCI personnel is included in the Commission's estimate of the recordkeeping burden, as discussed in Section V.D.4 below. \1473\ This estimate is based on the Commission's burden estimate for Rule 1001(a), because Rule 1001(a) and Rule 1001(c) both require policies and procedures or processes. Because Rule 1001(a) (excluding Rule 1001(a)(2)(vi)) requires the establishment of six policies and procedures at a minimum and Rule 1001(c) requires the establishment of two policies and procedures, the Commission estimates that the initial burden to draft the policies and procedures required by Rule 1001(c) is one-third of the initial burden to draft the policies and procedures required by Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). Further, the Commission believes that, even though Rule 1001(c) will impose paperwork burdens on SCI entities, most, if not all, SCI entities, regardless of whether they participate in the ARP Inspection Program, already have some processes in place for the designation of persons responsible for particular systems and escalation procedures. Therefore, the Commission believes it is appropriate to assume a 50% baseline for all SCI entities (as compared to the burden estimate for Rule 1001(a) for SCI entities that do not participate in the ARP Inspection Program) in terms of the staff burden for compliance with Rule 1001(c). 252 hours / 3 = 84 hours. The 84 burden hours include 32 hours by a Compliance Manager, 32 hours by an Attorney, 10 hours by a Senior Systems Analyst, and 10 hours by an Operations Specialist. This burden hour allocation is based on the allocation for Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). See supra note 1443. The Commission also estimates that a Chief Compliance Officer will spend 20 hours and a Director of Compliance will spend 10 hours reviewing the policies and procedures required by Rule 1001(c). 84 hours + Chief Compliance Officer at 20 hours + Director of Compliance at 10 hours = 114 hours. The Commission notes that, in the SCI Proposal, it also estimated the burden hours for other policies and procedures based on its burden estimate under proposed Rule 1000(b)(1). See, e.g., Proposing Release, supra note 13, at 18152, n. 442. One commenter stated that it was appropriate to base the burden estimate for proposed Rule 1000(b)(3), which would likely result in SCI entities revising their policies, on the burden estimate under proposed Rule 1000(b)(1). See infra note 1700 and accompanying text. \1474\ 114 hours x 44 SCI entities = 5,016 hours. \1475\ This estimate is based on the Commission's burden estimate for Rule 1001(a), because Rule 1001(a) and Rule 1001(c) both require policies and procedures or processes. Because Rule 1001(a) (excluding Rule 1001(a)(2)(vi)) requires the maintenance of six policies and procedures at a minimum and Rule 1001(c) requires the maintenance of two policies and procedures, the Commission estimates that the ongoing staff burden under Rule 1001(c) is one- third of the ongoing staff burden under Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). As noted above, the Commission believes it is appropriate to assume a 50% baseline for all SCI entities in terms of the staff burden for compliance with Rule 1001(c). 72 hours / 3 = 24 hours. The 24 burden hours include 9.5 hours by a Compliance Manager, 9.5 hours by an Attorney, 2.5 hours by a Senior Systems Analyst, and 2.5 hours by an Operations Specialist. This burden hour allocation is based on the allocation for Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). See supra note 1445. The Commission also estimates that a Chief Compliance Officer will spend 10 hours and a Director of Compliance will spend 5 hours reviewing the policies and procedures required by Rule 1001(c). 24 hours + Chief Compliance Officer at 10 hours + Director of Compliance at 5 hours = 39 hours. \1476\ 39 hours x 44 SCI entities = 1,716 hours. --------------------------------------------------------------------------- b. Mandate Participation in Certain Testing In the SCI Proposal, the Commission estimated that each SCI entity (other than plan processors) would spend approximately 130 hours initially to meet the requirements of proposed Rules 1000(b)(9)(i) and (ii) (i.e., the requirement to mandate participation by designated members or participants in testing and the requirement that an SCI entity coordinate required testing with other SCI entities).\1477\ The 130-hour estimate included 35 hours to write a proposed rule, or revise a membership/subscriber agreement or participant agreement to establish the participation requirement for designated members or participants.\1478\ It also included 95 hours of follow-up work (e.g., notice and schedule coordination) to ensure implementation.\1479\ The Commission estimated that each SCI entity (other than plan processors) would spend approximately 95 hours annually to comply with proposed Rules 1000(b)(9)(i) and (ii).\1480\ --------------------------------------------------------------------------- \1477\ See Proposing Release, supra note 13, at 18147. \1478\ See id. The 35 burden hours included 10 hours by a Compliance Manager, 15 hours by an Attorney, and 10 hours by a Compliance Clerk. See id. In establishing this estimate, the Commission considered its estimate of the burden for an SRO to file an average proposed rule change under Rule 19b-4. See id. at 18147, n. 389. \1479\ See Proposing Release, supra note 13, at 18147. The 95 burden hours included 10 hours by a Compliance Manager, 15 hours by an Attorney, and 70 hours by an Operations Specialist. See id. \1480\ See id. The 95 burden hours included 10 hours by a Compliance Manager, 15 hours by an Attorney, and 70 hours by an Operations Specialist. See id. The Commission noted that, although the initial burden included 35 hours to write a proposed rule, revise an agreement, or amend an SCI Plan, the Commission did not believe the 35-hour burden would be applicable on an ongoing basis. See id. at 18147, n. 393. --------------------------------------------------------------------------- In the SCI Proposal, the Commission estimated that each SCI entity (other than plan processors) would spend approximately 35 hours initially to meet the requirements of proposed Rule 1000(b)(9)(iii) (i.e., establishing standards for designating members or participants and filing such standards with the Commission, and determining, compiling, and submitting the list of designated members or participants).\1481\ The Commission estimated that each SCI entity (other than plan processors) would spend approximately 3 hours annually to comply with proposed Rule 1000(b)(9)(iii) (i.e., to review the designation standards to ensure that they remain up-to-date and to prepare any necessary amendments, to review the list of designated members or participants, and to update prior Commission notifications with respect to standards for designation and the list of designees).\1482\ The Commission also estimated that all SCI entities, other than plan processors, would conduct the work associated with proposed Rule 1000(b)(9) internally.\1483\ --------------------------------------------------------------------------- \1481\ See Proposing Release, supra note 13, at 18148. The 35 burden hours included 10 hours by a Compliance Manager, 15 hours by an Attorney, and 10 hours by a Compliance Clerk. See id. In establishing this estimate, the Commission considered its estimate of the burden for an SRO to file an average proposed rule filing under Rule 19b-4. See id. at 18148, n. 397. \1482\ See Proposing Release, supra note 13, at 18148. The 3 burden hours included 1.5 hours by a Compliance Manager and 1.5 hours by an Attorney. See id. In establishing this estimate, the Commission has considered its estimate of the burden for an SRO to amend a Form 19b-4 rule filing. See id. at 18148, n. 401. \1483\ See id. at 18145. --------------------------------------------------------------------------- For plan processors, the Commission estimated that proposed Rules 1000(b)(9)(i) and (ii) would carry an initial cost of $52,000 per plan processor \1484\ and an annual cost of $38,000 per plan processor.\1485\ The Commission also estimated that proposed Rule 1000(b)(9)(iii) would carry an initial cost of $14,000 per plan processor \1486\ and an annual cost of $1,200 per plan processor.\1487\ --------------------------------------------------------------------------- \1484\ 130 hours x $400 per hour for outside legal service = $52,000. See Proposing Release, supra note 13, at 18147. \1485\ 95 hours x $400 per hour for outside legal service = $38,000. See id. \1486\ 35 hours x $400 per hour for outside legal service = $14,000. See id. at 18148. \1487\ 3 hours x $400 per hour for outside legal service = $1,200. See id. --------------------------------------------------------------------------- With respect to the Commission's estimate of the burdens under proposed Rule 1000(b)(9), one commenter noted that the estimate was effectively limited to ministerial tasks of producing a rule filing and of undertaking follow-up work in connection with implementation and does not take into account significant activities relating to the SRO rule change process (e.g., board or directors briefing and deliberation, potential notice for comment, responses to comment letters received on such notice, responses to comment letters received by the Commission on a rule filing, etc.) and understates the activities necessary to implement testing with industry participants.\1488\ Another commenter argued that it has contractual relationships with thousands of clients, and contract negotiations always require a great deal of time and commitment from its legal personnel.\1489\ This commenter also noted that while a certain significant percentage of its clients may sign the contracts without any negotiation, many do not.\1490\ According to this commenter, the requirements under proposed Rule 1000(b)(9) would create for it many thousands of burden hours because it would require the commenter to re- negotiate contracts with ``the many thousands of clients it has already signed up.'' \1491\ --------------------------------------------------------------------------- \1488\ See MSRB Letter at 38. \1489\ See Omgeo Letter at 46. This commenter noted that its relationships with clients are often based on negotiated agreements and that clients do not automatically agree to all terms stated in the standard contract. See id. at 45. \1490\ See id. at 46. \1491\ See id. --------------------------------------------------------------------------- One commenter noted that the requirements under proposed Rule 1000(b)(9) would not be conducive to outsourcing.\1492\ --------------------------------------------------------------------------- \1492\ See MSRB Letter at 38. --------------------------------------------------------------------------- As discussed in detail above in Section IV.B.6, the Commission is adopting proposed Rule 1000(b)(9) as Rule 1004, with certain modifications. Rule 1004 requires each SCI entity to establish standards for the designation of certain members or participants for business continuity and disaster recovery plan testing, to designate members or participants in accordance with these standards, to require participation by designated members or participants in such testing at least annually, and to coordinate such testing on an industry- or sector-wide basis with other SCI entities. However, [[Page 72380]] adopted Rule 1004 does not require an SCI entity to notify and update the Commission of its designated members or participants and its standards for designation on Form SCI, as proposed. Considering commenters' view that the Commission had underestimated the burden hours associated with proposed Rule 1000(b)(9), the Commission now estimates that the requirements under Rules 1004(a) (i.e., establishment of standards for the designation of members and participants) and (c) (i.e., coordination of testing on an industry- or sector-wide basis) will initially require 360 hours for each SCI entity that is not a plan processor (e.g., establishing designation criteria by writing a proposed rule; revising a membership/subscriber agreement or participant agreement; providing notice to members or participants; scheduling the coordinated testing),\1493\ or 15,120 hours for all such SCI entities.\1494\ Further, the Commission estimates that the requirements under Rules 1004(a) and (c) will require 135 hours annually for each SCI entity that is not a plan processor,\1495\ or 5,670 hours for all such SCI entities.\1496\ The Commission continues to believe that SCI entities (other than plan processors) would handle internally the work associated with the requirements of Rule 1004.\1497\ --------------------------------------------------------------------------- \1493\ This estimate includes 90 hours to comply with Rule 1004(a) and 270 hours to comply with Rule 1004(c). The 90 hours include 30 hours by an Attorney, 20 hours by a Compliance Manager, 10 hours by an Assistant General Counsel, 6 hours by a Chief Compliance Officer, 4 hours by a Director of Compliance, and 20 hours by a Senior Operations Manager. The Commission is substantially increasing the estimated burden over that estimated for proposed Rule 1000(b)(9)(i), and is estimating an additional 10 hours by an Assistant General Counsel, 6 hours by a Chief Compliance Officer, 4 hours by a Director of Compliance, and 20 hours by a Senior Operations Manager to reflect senior management review of the standards for designation. With respect to the comment that the estimates in the proposal did not take into account significant activities relating to the SRO rule change process, the Commission notes that the paperwork burden associated with SRO rule filings are included as part of the burden associated with Rule 19b-4. See supra note 1488 and accompanying text. The 270 hours include 30 hours by an Attorney, 20 hours by a Compliance Manager, 10 hours by an Assistant General Counsel, 20 hours by a Chief Compliance Officer, 10 hours by a Director of Compliance, 140 hours by an Operations Specialist, and 40 hours by a Senior Operations Manager. The Commission is substantially increasing the estimated burden over that estimated for proposed Rule 1000(b)(9)(ii), and is estimating an additional 10 hours by an Assistant General Counsel, 20 hours by a Chief Compliance Officer, 10 hours by a Director of Compliance, and 40 hours by a Senior Operations Manager, in response to the view of a commenter that the estimates in the SCI Proposal underestimated the activities necessary to implement testing with industry participants. See supra note 1488 and accompanying text. The estimate of 360 hours includes the burden for designating members or participants for testing, as required by Rule 1004(b). \1494\ 360 hours x 42 SCI entities other than plan processors = 15,120 hours. \1495\ As noted in the SCI Proposal, the Commission does not believe that there would be significant annual burden under Rule 1004(a), as the Commission believes that the designation standards will likely not change substantially on an annual basis. See Proposing Release, supra note 13, at 18147, n. 393. The 135 hours include 15 hours by an Attorney, 10 hours by a Compliance Manager, 5 hours by an Assistant General Counsel, 10 hours by a Chief Compliance Officer, 5 hours by a Director of Compliance, 70 hours by an Operations Specialist, and 20 hours by a Senior Operations Manager. As compared to the estimated ongoing burden for proposed Rule 1000(b)(9)(ii), the Commission is estimating an additional 5 hours by an Assistant General Counsel, 10 hours by a Chief Compliance Officer, 5 hours by a Director of Compliance, and 20 hours by a Senior Operations Manager, consistent with the Commission's estimate for the initial burden for Rule 1004. \1496\ 135 hours x 42 SCI entities other than plan processors = 5,670 hours. \1497\ See supra note 1492 (discussing a commenter's view that the requirements under proposed Rule 1000(b)(9) would not be conducive to outsourcing). --------------------------------------------------------------------------- With respect to a commenter's statement that it has contractual relationships with thousands of clients and that proposed Rule 1000(b)(9) would create many thousands of burden hours,\1498\ the Commission notes that adoption of a more focused designation requirement is likely to result in a smaller number of SCI entity members or participants being designated for participation in testing as compared to the SCI Proposal. Specifically, as adopted, Rule 1004(a) requires an SCI entity to designate ``members or participants that the SCI entity reasonably determines are, taken as a whole, the minimum necessary for the maintenance of fair and orderly markets'' in the event of the activation of the business continuity and disaster recovery plans. On the other hand, proposed Rule 1000(b)(9) required participation by members or participants the SCI entity deemed necessary ``for the maintenance of fair and orderly markets in the event of the activation of its business continuity and disaster recovery plans.'' \1499\ The Commission believes that SCI entities have an incentive to limit the imposition of the cost and burden associated with testing to the minimum necessary to comply with the rule, and it also believes that, given the option, most SCI entities would, in the exercise of reasonable discretion, prefer to designate few members or participants to participate in testing, than to designate more. Thus, even if an SCI entity individually negotiates contract modifications with certain designated members or participants, the Commission believes that the burden would be substantially less than suggested by the commenter.\1500\ Moreover, as noted above, taking into account commenters' view that the Commission underestimated the burden for proposed Rule 1000(b)(9), the Commission increased its estimate for initial burden hours from 130 hours for the proposed rule to 360 hours for adopted Rule 1004. The average burden estimate associated with Rule 1004 applies to SCI entities that would need to negotiate contract modifications with members or participants. --------------------------------------------------------------------------- \1498\ See supra notes 1489-1491 and accompanying text. \1499\ The Commission notes that, because Rule 1004 would not require all members or participants of an SCI entity to participate in business continuity and disaster recovery plan testing, Rule 1004 will not affect all of an SCI entity's contractual relationships with clients or members or participants. Further, the Commission notes that its estimated burden for compliance with Rule 1004 is intended to reflect the average burden for all SCI entities (other than plan processors). \1500\ As discussed in the Economic Analysis, the Commission estimates that each SCI entity would designate an average of 40 members or participants to participate in the necessary testing. See infra note 2065. Therefore, an SCI entity will not be required to re-negotiate contracts with ``the many thousands of clients it has already signed up.'' See supra note 1491 and accompanying text. Moreover, this commenter recognized that a significant percentage of its clients may sign the contracts without any negotiation. See supra note 1491 and accompanying text. As a result, the Commission does not expect that an SCI entity will need to negotiate with all of the estimated 40 members or participants. --------------------------------------------------------------------------- Based on its experience with plan processors, the Commission continues to believe that plan processors will outsource the work related to compliance with Rule 1004. The Commission estimates that Rule 1004 will carry an initial cost of $144,000 per plan processor,\1501\ or $288,000 for all plan processors.\1502\ The Commission estimates that Rule 1004 will carry an annual cost of $54,000 per plan processor,\1503\ or $108,000 for all plan processors.\1504\ --------------------------------------------------------------------------- \1501\ 360 hours x $400 per hour for outside legal service = $144,000. This is based on an estimated $400 per hour cost for outside legal services. This is the same estimate used by the Commission for these services in the ``Exemptions for Advisers to Venture Capital Funds, Private Fund Advisers with Less Than $150 Million Under Management, and Foreign Private Advisers'' final rule: SEC Release No. IA-3222 (June 22, 2011); 76 FR 39646 (July 6, 2011). \1502\ $144,000 x 2 plan processors = $288,000. \1503\ 135 hours x $400 per hour for outside legal service = $54,000. The Commission increased from its estimate in the proposal the estimated hours for the outsourced work for plan processors to be equivalent to the number of burden hours it estimated for an SCI entity that is not a plan processor (i.e., increasing the initial burden estimate from 130 hours to 360 hours and the annual burden estimate from 95 to 135 hours). \1504\ $54,000 x 2 plan processors = $108,000. --------------------------------------------------------------------------- 2. Notification, Dissemination, and Reporting Requirements for SCI Entities The rules under Regulation SCI that would require an SCI entity to notify the [[Page 72381]] Commission of SCI events, disseminate information regarding certain SCI events, and notify the Commission of certain systems changes are discussed more fully in Sections IV.B.3.c, IV.B.3.d, and IV.B.4 above. a. Commission Notification of SCI Events In the SCI Proposal, the Commission estimated that each SCI entity would experience an average of 40 immediate notification SCI events \1505\ per year (i.e., 40 notifications under proposed Rule 1000(b)(4)(i)), and that one-fourth of the notifications under proposed Rule 1000(b)(4)(i) would be in writing (i.e., 10 written notifications and 30 oral notifications).\1506\ The Commission estimated that each written notification would require 0.5 hours to prepare and submit to the Commission.\1507\ The Commission also estimated that each SCI entity would experience an average of 65 SCI events each year and therefore would submit 65 Commission notifications each year under proposed Rule 1000(b)(4)(ii).\1508\ The Commission estimated that each such notification would require an average of 20 burden hours.\1509\ In addition, the Commission estimated that on average, each SCI entity would submit 5 updates per year under proposed Rule 1000(b)(4)(iii), and that each update would require an average of 3 burden hours.\1510\ Finally, the Commission estimated that SCI entities would handle internally the work associated with the notification requirement under proposed Rule 1000(b)(4).\1511\ --------------------------------------------------------------------------- \1505\ Immediate notification SCI events included systems disruptions that an SCI entity reasonably estimated would have a material impact on its operations or on market participants, all systems compliance issues, and all systems intrusions. \1506\ See Proposing Release, supra note 13, at 18148. \1507\ See id. The 0.5 burden hour would be spent by an Attorney. See id. at 18149. \1508\ See id. at 18148-49. \1509\ See id. at 18149. The 20 burden hours included 10 hours by an Attorney and 10 hours by a Compliance Manager. See id. This estimate was based on Commission staff's experience with the ARP Inspection Program. In determining this estimate, the Commission also considered its estimate of the burden to complete a Form 19b-4 filing, although the Commission noted that, unlike a Form 19b-4 filing, the information contained in Form SCI would only be factual. See id. at 18149, n. 410. \1510\ See id. at 18149. The 3 burden hours included 1.5 hours by an Attorney and 1.5 hours by a Compliance Manager. See id. This estimate was based on Commission staff's experience with the ARP Inspection Program. In determining this estimate, the Commission also considered its estimate of the burden for an SRO to amend a Form 19b-4. See id. at 18149, n. 410. \1511\ See id. at 18148-49, n. 408, n. 411, and n. 413. --------------------------------------------------------------------------- Several commenters stated that the Commission underestimated the number of SCI events.\1512\ One commenter stated that, because the proposed definition of SCI event was broad and would include minor or immaterial events, it is likely that each SCI entity could have hundreds if not thousands of SCI events on an annual basis.\1513\ Similarly, another commenter stated that each SCI entity could be required to report hundreds of systems disruption events each year, although the vast majority of such events would be virtually unnoticed by market participants.\1514\ Another commenter stated that, based on its best reading of the more expansive definitions of disruptions and intrusions, a more accurate estimate could be between 200 to 500 events per year per exchange.\1515\ Several commenters noted that the Commission significantly underestimated the number of updates that would be required under Rule 1000(b)(4)(iii).\1516\ --------------------------------------------------------------------------- \1512\ See Omgeo Letter at 35; BATS Letter at 11; Joint SRO Letter at 18; OTC Markets Letter at 6; and NYSE Letter at 18. However, commenters did not specify estimates for the number of systems compliance issues an SCI entity would experience each year. \1513\ See Omgeo Letter at 35. According to this commenter, many of these SCI events would require written notification even though the vast majority of them would be minor and immaterial. See id. \1514\ See BATS Letter at 11. This commenter also noted that the Commission did not break down the anticipated reportable events into systems disruptions, systems intrusions, and systems compliance issues. See id. \1515\ See NYSE Letter at 18. See also FINRA Letter at 18, n. 32 (stating that depending on the interpretation of what constitutes a systems intrusion, it would be required to notify the Commission either: Several times a day under the broadest interpretation; three or four times per month under a narrower interpretation; or one or two times per year if limited to intrusions where there is a material impact). \1516\ See Joint SRO Letter at 19; NYSE Letter at 24 (noting that it is not realistic, with respect to over 90% of SCI events, that all required activity is complete and reportable on Form SCI within 24 hours). See also FINRA Letter at 19 (noting that some complex outages can take up to several days to triage, isolate, and begin to resolve, and that based on its experience with ARP outage reporting, it can take several days to confirm the root cause of an outage and even longer to determine the appropriate resolution and how long it will take to complete). --------------------------------------------------------------------------- With respect to the Commission's estimate of the burden for Commission notification generally, one commenter noted that preparation of Form SCI will take a fair amount of time, not just to compile information about the SCI event, but also to review and edit the submission.\1517\ According to this commenter, further impediments to timely reporting may arise where an issue requires cross-department coordination or coordination with a joint facility or RSA client.\1518\ This commenter stated that the Commission notification process will take even more time where a third party's technical and data personnel are relied on to provide initial drafts or where an RSA client requests that it have the opportunity to review all written notices before they are submitted.\1519\ Another commenter noted that senior management of SCI entities would want an SCI event to be investigated before it is reported to the Commission.\1520\ This commenter also noted that any responsible Chief Administrative Officer, Chief Financial Officer, Chief Operations Officer, Chief Compliance Officer, Chief Information Security Officer, General Counsel, and compliance attorneys and officers would want to review any report on an SCI event prior to submission to the Commission.\1521\ In addition, this commenter noted that the SCI entity would need to engage outside counsel and possibly other parties to review such reports.\1522\ --------------------------------------------------------------------------- \1517\ See FINRA Letter at 19. Similarly, another commenter noted that notifications to the Commission for SCI events and material systems changes would be considered a serious matter, and a diligent and properly considered notification would require the time and effort of numerous staff in different departments. See UBS Letter at 6. \1518\ See FINRA Letter at 19. \1519\ See id. \1520\ See Omgeo Letter at 35. \1521\ See id. \1522\ See id. at 35-36. This commenter also noted that the Commission's estimated cost for consulting outside experts is too low. See id. at 35, n. 69. --------------------------------------------------------------------------- With respect to the Commission's estimate of the burden for written Commission notification under proposed Rule 1000(b)(4)(i), one commenter noted that considerable amounts of activities may be necessary to gather the information needed, to have appropriate confirmations from persons with knowledge and authority with respect to the applicable SCI system, to provide for senior management review where appropriate, and to otherwise be in a position to draft the notification.\1523\ Another commenter noted that Commission notification required by proposed Rule 1000(b)(4)(i) would require substantive input from personnel outside of the legal and compliance departments, including IT analysts and managers as well as impacted business analysts and managers.\1524\ This commenter estimated that each notification under proposed Rule 1000(b)(4)(i) would require 12 hours.\1525\ This commenter also noted that the Commission erroneously assumed that verbal notifications under proposed Rule [[Page 72382]] 1000(b)(4)(i) would not consume the time of any employee.\1526\ --------------------------------------------------------------------------- \1523\ See MSRB Letter at 33. \1524\ See UBS Letter at 6. This commenter expressed the same concern with respect to proposed Rule 1000(b)(4)(ii). See id. \1525\ See id. \1526\ See id. --------------------------------------------------------------------------- With respect to the estimated burden under proposed Rule 1000(b)(4)(ii), one commenter noted that the estimate did not take into account the considerable amounts of activities to be undertaken by other personnel, including persons with knowledge and authority with respect to the applicable SCI system and the SCI event as well as senior management where appropriate, in order to collect and assess the appropriate information and to properly inform the attorney and compliance manager of such information in order to allow them to produce an accurate notification in compliance with proposed Rule 1000(b)(4)(ii).\1527\ This commenter had similar concerns with the burden estimates for proposed Rule 1000(b)(4)(iii).\1528\ Another commenter noted that, with respect to proposed Rule 1000(b)(4)(ii), no provision was made for the time burden that would be placed on technology personnel in the notification process.\1529\ Similarly, one commenter noted that the 20-hour burden estimate failed to take into account technology staff and business operations personnel who spend considerable time gathering facts and circumstances of a systems issue.\1530\ Another commenter estimated that each report under proposed Rule 1000(b)(4)(ii) will require approximately 5 hours of senior management time (including review and discussions between the Chief Administrative Officer, the Chief Compliance Officer, the Chief Information Officer, the Chief Operating Officer, and the General Counsel).\1531\ In addition, this commenter estimated that middle managers from its Compliance, Legal, Technology, Product, and Information Security functions would spend on average approximately 31 hours per report.\1532\ Further, this commenter estimated that associates from Compliance, Legal, Technology, Product, and Information Security functions would spend approximately 53.5 hours per report.\1533\ With respect to the burden estimates for proposed Rule 1000(b)(4)(iii), this commenter believed that proposed Rule 1000(b)(4)(iii) could conceivably require it to update the Commission approximately half of the time it files Form SCI.\1534\ According to this commenter, each update would result in 1 hour of senior management time, 17 hours of middle management time, and 9 hours of associate time.\1535\ --------------------------------------------------------------------------- \1527\ See MSRB Letter at 33. \1528\ See id. at 33-34. \1529\ See Joint SRO Letter at 18. This commenter also opined that, in other sections, the Commission either incorrectly assumes that no legal or outside counsel would be used, or significantly underestimates the amount of legal or outside counsel expenses. See id. at 18-19. \1530\ See OCC Letter at 12. See also NYSE Letter at 18 and 34 (stating that a significant number of full time staff, including legal, compliance, technical, and operations staff, would be required to comply with the Commission notification process under proposed Rule 1000(b)(4), and that no estimate is provided for a technology staff member under Rule 1000(b)(4)(ii)). \1531\ See Omgeo Letter at 36. \1532\ See id. \1533\ See id. \1534\ See id. \1535\ See id. --------------------------------------------------------------------------- One commenter stated its belief that none of the activities arising under proposed Rule 1000(b)(4) would be conducive to outsourcing.\1536\ --------------------------------------------------------------------------- \1536\ See MSRB Letter at 34-35. --------------------------------------------------------------------------- As discussed above in Section IV.B.3.c, the Commission is adopting the Commission notification requirements in Rule 1002(b), with certain modifications from the proposal. As adopted, the Commission notification requirements under Rules 1002(b)(1)-(4) do not apply to SCI events that had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity's operations or on market participants.\1537\ Rather, each SCI entity is required to make, keep, and preserve records relating to all such SCI events, and submit quarterly reports to the Commission regarding such de minimis systems disruptions and de minimis systems intrusions.\1538\ --------------------------------------------------------------------------- \1537\ See Rule 1002(b)(5). \1538\ See id. --------------------------------------------------------------------------- Rule 1002(b)(1), similar to the proposal, requires immediate Commission notification upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred. Rule 1002(b)(2), similar to the proposal, requires a written Commission notification within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred. Rule 1002(b)(2) also specifically states that the 24-hour report is required to be made on a good faith, best efforts basis. In addition, the information required to be disclosed to the Commission under Rule 1002(b)(2) is less comprehensive than as proposed.\1539\ Rule 1002(b)(3), similar to the proposal, requires SCI entities to provide updates pertaining to an SCI event on a regular basis, or at such frequency as reasonably requested by a representative of the Commission, until the event is resolved and the SCI entity's investigation of the event is closed. However, Rule 1002(b)(3), unlike the proposal, does not require these updates to be in writing. Finally, Rule 1002(b)(4) includes requirements for SCI entities to submit interim written notifications, as necessary, and final written notifications regarding SCI events.\1540\ Specifically, if an SCI event is resolved and the SCI entity's investigation of the SCI event is closed within 30 calendar days of the occurrence of the SCI event, then within five business days after the resolution of the SCI event and closure of the investigation regarding the SCI event, the SCI entity is required to submit a final written notification. If an SCI event is not resolved or the SCI entity's investigation of the SCI event is not closed within 30 calendar days of the occurrence of the SCI event, then the SCI entity is required to submit an interim written notification within 30 calendar days after the occurrence of the SCI event. Within five business days after the resolution of such SCI event and closure of the investigation regarding such SCI event, the SCI entity is required to submit a final written notification. --------------------------------------------------------------------------- \1539\ For example, an SCI entity is not required to provide the Commission a detailed description of the SCI event; a discussion of whether the SCI event is a dissemination SCI event; a description of the SCI entity's rules and/or governing documents, as applicable, which relate to the SCI event; or an analysis of parties that may have experienced a loss due to the SCI event. \1540\ The written notification is required to include (i) a detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; (ii) a copy of any information disseminated pursuant to Rule 1002(c) by the SCI entity to date regarding the SCI event to any of its members or participants; and (iii) an analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. The information required to be included in the Rule 1002(b)(4) notifications is similar to the information required under proposed Rule 1000(b)(4)(iv)(A), which was related to the proposed 24-hour Commission notification. --------------------------------------------------------------------------- As noted above, some commenters expressed their view that the Commission underestimated the number of SCI events because they considered the definition of SCI event to be broad and would include minor or immaterial events.\1541\ These commenters estimated hundreds and even thousands of SCI events annually for each SCI entity, but noted that the majority of such events would have no [[Page 72383]] effect on market participants.\1542\ As discussed above in Section IV.B.3.c, the Commission notification requirements under adopted Rule 1002(b)(1)-(4) do not apply to any SCI event that has had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity's operations or on market participants.\1543\ Rather, each SCI entity would be required to keep records related to such events and submit quarterly reports that only contain a summary description of such de minimis systems disruptions and de minimis systems intrusions.\1544\ Further, as noted above in Section IV.A, the Commission has refined the definition of SCI systems and SCI events in various respects.\1545\ Therefore, the Commission does not believe that the number of SCI events subject to Rules 1002(b)(1)-(4) would be substantially higher than the Commission's estimate in the SCI Proposal. --------------------------------------------------------------------------- \1541\ See supra notes 1513-1515 and accompanying text. \1542\ See id. \1543\ See Rule 1002(b)(5). \1544\ See id. \1545\ See Rule 1000 (defining ``SCI systems'' and ``SCI event''). --------------------------------------------------------------------------- After considering the views of commenters and in light of the more focused scope of the immediate Commission notification requirement, the Commission now estimates that each SCI entity will experience an average of 45 SCI events each year that are not de minimis SCI events, resulting in 45 written notifications under Rule 1002(b)(2) and 45 written notifications under Rule 1002(b)(4). The estimated 45 SCI events comprise 24 systems disruptions, 20 systems compliance issues, and one systems intrusion. These estimates are derived in part from the number of systems incidents reported to the Commission under the ARP Inspection Program and the number of compliance-related issues reported to the Commission by SROs.\1546\ --------------------------------------------------------------------------- \1546\ The Commission notes that only one ATS currently participates in the ARP Inspection Program and other ATSs generally do not self-report system incidents to the Commission. At the same time, the Commission acknowledges that, to the extent that some ATSs have less complex systems or perform fewer functions than other SCI entities, it is possible that these ATSs will experience fewer SCI events per year than other SCI entities. Also, as discussed more fully below, many ATSs do not have rulebooks and thus may experience fewer systems compliance issues than other SCI entities. Nevertheless, the Commission believes that an average of 45 SCI events per year (excluding de minimis SCI events) is an appropriate average across all SCI entities, including ATSs. --------------------------------------------------------------------------- In particular, the Commission notes that approximately 360 ARP incidents were reported to the Commission in 2013 by 29 entities that participated in the ARP Inspection Program.\1547\ Thus, on average, each entity reported approximately 12 incidents in 2013, although some entities reported fewer than 12 incidents, and some entities reported significantly more than 12 incidents (i.e., over 100). By defining ``systems disruption'' for purposes of Regulation SCI and requiring Commission notification of systems disruptions, the Commission expects that more incidents will be reported pursuant to Regulation SCI than pursuant to the voluntary ARP Inspection Program. Therefore, the Commission estimates that each SCI entity will report an average of 24 systems disruptions each year that are not de minimis systems disruptions, which is double the average number of systems incidents reported by each participant under the ARP Inspection Program in 2013. --------------------------------------------------------------------------- \1547\ In the SCI Proposal, the Commission noted that each entity reported an average of approximately 6 incidents under the ARP Inspection Program in 2011, and estimated that there would be an average of 65 SCI event notices per year for each SCI entity. See Proposing Release, supra note 13, at 18148. --------------------------------------------------------------------------- Further, based on notifications received by Commission staff regarding certain SROs, each of these SROs experienced an average of 17 systems compliance-related issues in 2013. The notifications received by Commission staff indicate that some SROs experienced fewer than 17 systems compliance-related issues, and others experienced more than 17. The Commission believes that very few, if any, of the notifications received in 2013 would qualify as de minimis systems compliance issues under Regulation SCI. By defining ``systems compliance issue'' for purposes of Regulation SCI and requiring Commission notification of systems compliance issues, the Commission expects that more issues will be reported pursuant to Regulation SCI than pursuant to self-reporting. Therefore, the Commission estimates that each SCI entity will experience an average of 20 systems compliance issues each year that are not de minimis systems compliance issues.\1548\ --------------------------------------------------------------------------- \1548\ The Commission acknowledges that SCI entities other than SCI SROs may experience fewer systems compliance issues than SCI SROs because they may not have rulebooks, and thus, one aspect of the definition of systems compliance issue would not apply to such SCI entities (i.e., operating in a manner that does not comply with the entity's rules). --------------------------------------------------------------------------- Based on the Commission's experience with the ARP Inspection Program, the Commission believes each SCI entity will experience on average less than one non-de minimis systems intrusion per year. However, for purposes of the PRA, the Commission estimates one non-de minimis systems intrusion per SCI entity per year.\1549\ --------------------------------------------------------------------------- \1549\ This estimate is lower than those provided by commenters (see supra note 1515 and accompanying text) because the adopted definitions of SCI systems and indirect SCI systems have been refined from the proposal, and because de minimis systems intrusions are required to be reported in summary format on a quarterly basis. --------------------------------------------------------------------------- With respect to the notification requirement under Rule 1002(b)(1), the Commission notes that the notification can be made orally or in writing. As with the SCI Proposal, the Commission estimates that one- fourth of the notifications under Rule 1002(b)(1) will be submitted in writing (i.e., approximately 11 events per year for each SCI entity),\1550\ and three-fourths will be provided orally (i.e., approximately 34 events per year for each SCI entity).\1551\ The Commission also estimates that each written notification under Rule 1002(b)(1) will require 2 hours \1552\ for each SCI entity.\1553\ The Commission is not [[Page 72384]] significantly increasing its burden estimate for proposed Rule 1000(b)(4)(i) because Rule 1002(b)(1) requires the immediate notification of SCI events and does not specify the minimum information that must be submitted to the Commission. The Commission believes that, for many SCI events, an SCI entity will simply notify the Commission that an SCI event has occurred, often in a single phone call, and may not provide the Commission with additional information because it is not yet available to the SCI entity. For these reasons, contrary to the view of some commenters,\1554\ the Commission does not expect that the SCI entity will need to gather a considerable amount of information or significantly confer with interested parties across the entity. In particular, while the Commission estimates some burden for legal and technology personnel of SCI entities in complying with Rule 1002(b)(1), it does not believe that Rule 1002(b)(1) will result in significant burden for such personnel.\1555\ --------------------------------------------------------------------------- \1550\ 45 SCI events / 4 = 11.25 SCI events reported in writing. One commenter noted that most SCI entities would submit a writing to document that they had satisfied the notice requirement of proposed Rule 1000(b)(4)(i). See Omgeo Letter at 16. However, the Commission continues to estimate that one-fourth of the notifications under Rule 1002(b)(1) will be submitted in writing and that the rest will be provided orally. The Commission believes that it is less burdensome for an SCI entity to provide oral notification than to provide written notification and, given the requirement of Rule 1002(b)(2) to provide a written notification to the Commission within 24 hours, the Commission believes it is likely that most initial notifications submitted under Rule 1002(b)(1) would be done orally. Moreover, based on Commission staff experience, ARP participants generally provide initial notifications of systems issues orally. \1551\ 45 SCI events-11 SCI events reported in writing = 34 SCI events reported orally. \1552\ The burden estimates for each rule under Regulation SCI that involves the filing of Form SCI include the burden associated with completing and electronically submitting Form SCI, and for manually signing a signature page or document, pursuant to the requirements of Rule 1006. \1553\ The 2 hours include 0.5 hours by an Attorney, 0.5 hours by a Compliance Manager, 0.5 hours by a Senior Systems Analyst, and 0.5 hours by a Senior Business Analyst. As compared to the estimated burden for proposed Rule 1000(b)(4)(i), the Commission is estimating an additional 0.5 hours by Compliance Managers, 0.5 hours by Senior Systems Analysts, and 0.5 hours by Senior Business Analysts to reflect that legal personnel may need to confer with technology and business personnel before contacting the Commission regarding an SCI event, in response to the views of commenters. See supra notes 1523- 1525 and accompanying text. The Commission notes that the General Counsel, Director of Compliance, Chief Compliance Officer, or other senior employees or officers of certain SCI entities may review Commission notifications under Rule 1002(b)(1) before they are submitted (orally or in writing) to the Commission. However, the Commission estimates that on average, the General Counsel, Director of Compliance, Chief Compliance Officer, or other senior employees or officers may spend a small amount of time reviewing each Rule 1002(b)(1) notification. Rather, they will spend more time reviewing the other notifications required by Rule 1002(b). \1554\ See supra notes 1523-1526 and accompanying text. \1555\ Given that there is not a minimum amount of information that must be submitted to the Commission, the Commission believes its estimated burden hours is more appropriate than the 12 hours suggested by a commenter. See supra note 1525 and accompanying text. --------------------------------------------------------------------------- The Commission agrees with the view of a commenter that oral notifications would also result in burdens on an SCI entity,\1556\ although it expects the burden for legal and compliance personnel to be lower than in the case of written notifications because they would not need to draft and review a written document for submission to the Commission. The Commission estimates that the burden for systems and business analysts would remain the same as for written notifications because the SCI entity will still need to gather the same type of information in order to prepare an oral notification. The Commission therefore estimates that each oral notification under Rule 1002(b)(1) will require 1.5 hours for each SCI entity.\1557\ The Commission estimates that each SCI entity would require an average of 73 hours annually to comply with Rule 1002(b)(1),\1558\ or 3,212 hours for all SCI entities.\1559\ --------------------------------------------------------------------------- \1556\ See supra note 1526 and accompanying text. \1557\ The 1.5 hours include 0.25 hours by an Attorney, 0.25 hours by a Compliance Manager, 0.5 hours by a Senior Systems Analyst, and 0.5 hours by a Senior Business Analyst. \1558\ 11 written notifications each year x 2 hours per notification + 34 oral notifications each year x 1.5 hours per notification = 73 hours. \1559\ 73 hours x 44 SCI entities = 3,212 hours. --------------------------------------------------------------------------- The Commission estimates that each written notification under Rule 1002(b)(2) will require 24 hours for each SCI entity.\1560\ Contrary to the views of a commenter that each notification under proposed Rule 1000(b)(4)(ii) would require approximately 90 burden hours between senior management, middle managers, and associates from various functions (e.g., legal, compliance, technology),\1561\ the Commission is not significantly increasing its estimate of the burden hours from its estimate for proposed Rule 1000(b)(4)(ii) because Rule 1002(b)(2) requires less information than proposed Rule 1000(b)(4)(ii), although the Commission has revised its estimated burden hours to account for the various functions and multiple levels of review suggested by the commenter.\1562\ Also, because Rule 1002(b)(2) explicitly permits information to be submitted on a good faith, best efforts basis, the Commission believes that SCI entities will be able to expend less resources in reviewing each notification. Therefore, the Commission estimates that each SCI entity would require an average of 1,080 hours annually to comply with Rule 1002(b)(2),\1563\ or 47,520 hours for all SCI entities.\1564\ --------------------------------------------------------------------------- \1560\ The 24 hours include 5 hours by an Attorney, 5 hours by a Compliance Manager, 6 hours by a Senior Systems Analyst, 1 hour by an Assistant General Counsel, 1 hour by a Chief Compliance Officer, and 6 hours by a Senior Business Analyst. Given the modifications from proposed Rule 1000(b)(4)(ii) identified below, the Commission estimates that legal and compliance personnel will have less work in drafting the written notifications under Rule 1002(b)(2), and accordingly reduced the burden hours for Attorneys and Compliance Managers from 10 to 5. Further, as compared to the estimated burden for proposed Rule 1000(b)(4)(ii), the Commission is estimating an additional 6 hours by a Senior Systems Analyst, 1 hour by an Assistant General Counsel, 1 hour by a Chief Compliance Officer, and 6 hours by a Senior Business Analyst to reflect that legal personnel may need to confer with technology and business personnel and senior management, as well as the multiple levels of review (e.g., attorney, compliance manager, chief compliance officer), before submitting a report regarding an SCI event, in response to the views of commenters. See supra notes 1520-1521, 1527, and 1529-1533 and accompanying text. \1561\ See supra notes 1531-1533 and accompanying text. \1562\ See supra notes 1539 and 1560. \1563\ 45 written notifications each year x 24 hours per notification = 1,080 hours. \1564\ 1,080 hours x 44 SCI entities = 47,520 hours. --------------------------------------------------------------------------- With respect to the number of updates required under Rule 1002(b)(3), the Commission estimates that each SCI entity will submit 6 written updates and 18 oral updates each year under that rule. These estimates are based on Commission staff's experience with the ARP Inspection Program, systems compliance-related issues at SROs, and views of commenters. Specifically, most of the systems incidents reported to the Commission in 2013 were reported as resolved within 24 hours. Further, as discussed above, de minimis SCI events are not subject to the update requirement under Rule 1002(b)(3). Moreover, the Commission believes that, for some SCI events, an SCI entity will not need to provide an update under Rule 1002(b)(3), because the SCI entity will be able to quickly submit a final report under Rule 1002(b)(4). However, after considering the views of a commenter that some complex outages can take up to several days to triage, isolate, and begin to resolve,\1565\ and the views of another commenter that proposed Rule 1000(b)(4)(iii) could conceivably require it to update the Commission approximately half the time it files Form SCI,\1566\ the Commission is increasing its estimate of the number of updates from 5 to 24.\1567\ Because Rule 1002(b)(3) does not require SCI entities to submit updates in writing or on Form SCI, the Commission estimates that one-fourth of the updates will be submitted in writing, and three-fourths will be provided orally.\1568\ Because the SCI entity will still need to gather the same type of information in order to prepare an oral or a written update, the Commission expects that the burden for systems and business analysts will be the same for either type of update. The Commission, however, expects that the burden for legal and compliance personnel would be less in the case of oral updates because in that case, an SCI entity would not need to draft and review a written document for submission to the Commission. --------------------------------------------------------------------------- \1565\ See supra note 1516. \1566\ See also supra note 1534 and accompanying text. \1567\ The Commission's estimate of 24 updates is slightly above half of the 45 written notifications estimated for Rule 1002(b)(2). See supra note 1534 (stating that the rule could conceivably require the commenter to update the Commission approximately half of the time it files Form SCI). \1568\ The Commission similarly estimated one-fourth written notifications and three-fourths oral notifications in the SCI Proposal for proposed Rule 1000(b)(4)(i). See Proposing Release, supra note 13, at 18148; see also supra note 1550 and accompanying text. --------------------------------------------------------------------------- The Commission estimates that each written update under Rule 1002(b)(3) will require 6 hours \1569\ and each oral [[Page 72385]] update will require 4.5 hours.\1570\ The Commission is not significantly increasing its burden estimate from proposed Rule 1000(b)(4)(iii). The Commission believes that each update will likely only reflect some of the information listed under Rules 1002(b)(1) and (2) because certain information about SCI events may not yet be available at the time the SCI entity submits such update or may not need to be updated. Therefore, contrary to one commenter's view that each update would require 27 hours,\1571\ the Commission does not believe that a Rule 1002(b)(3) update will require significantly more time than as estimated in the SCI Proposal. The Commission estimates that each SCI entity would require an average of 117 hours annually to comply with Rule 1002(b)(3),\1572\ or 5,148 hours for all SCI entities.\1573\ --------------------------------------------------------------------------- \1569\ The 6 hours include 1.5 hours by an Attorney, 1.5 hours by a Compliance Manager, 1.5 hours by a Senior Systems Analyst, and 1.5 hours by a Senior Business Analyst. As compared to the estimated burden for proposed Rule 1000(b)(4)(iii), the Commission is estimating an additional 1.5 hours by a Senior Systems Analyst and 1.5 hours by a Senior Business Analyst to reflect that legal personnel may need to confer with technology and business personnel before contacting the Commission regarding an SCI event, in response to the view of a commenter. See supra note 1528 and accompanying text. The Commission notes that the General Counsel, Director of Compliance, Chief Compliance Officer, or other senior employees or officers of certain SCI entities may review the updates under Rule 1002(b)(3) before they are submitted (orally or in writing) to the Commission. However, the Commission estimates that on average, the General Counsel, Director of Compliance, Chief Compliance Officer, or other senior employees or officers may spend a small amount of time reviewing each Rule 1002(b)(3) notification because it is not the final report to the Commission on an SCI event, and the SCI entity can subsequently submit additional updates. See supra note 1535 and accompanying text (noting a commenter's burden estimate for proposed Rule 1000(b)(4)(iii), which includes estimates for senior management review). \1570\ The 4.5 hours include 0.75 hours by an Attorney, 0.75 hours by a Compliance Manager, 1.5 hours by a Senior Systems Analyst, and 1.5 hours by a Senior Business Analyst. \1571\ See supra note 1535 and accompanying text. \1572\ 6 written updates each year x 6 hours per notification + 18 oral updates each year x 4.5 hours per notification = 117 hours. \1573\ 117 hours x 44 SCI entities = 5,148 hours. --------------------------------------------------------------------------- The Commission estimates that compliance with Rule 1002(b)(4) for a particular SCI event (which includes a final report under Rule 1002(b)(4)(i)(A) and, as applicable, an interim report under Rule 1002(b)(4)(i)(B)) will require 35 hours.\1574\ The Commission notes that the information required to be provided under Rule 1002(b)(4) is similar to the information required to be provided in a notification submitted under proposed Rule 1000(b)(4)(ii). As noted above, in the SCI Proposal, the Commission estimated that each notification under proposed Rule 1000(b)(4)(ii) would require an average of 20 burden hours,\1575\ and some commenters argued that the Commission underestimated this burden.\1576\ The Commission is estimating a higher burden for Rule 1002(b)(4) as compared to proposed Rule 1000(b)(4)(ii) (i.e., 35 hours as compared to 20 hours) because the reports under Rule 1002(b)(4) constitute final reports regarding SCI events, and SCI entities will likely confer with technology and business personnel and senior management to ensure that the information provided is accurate. For the same reason, and because Rule 1002(b)(4) (final report) requires more information than Rule 1002(b)(2), the Commission's burden estimate for Rule 1002(b)(4) is higher than the burden estimate for Rule 1002(b)(2) (i.e., 35 hours as compared to 24 hours).\1577\ Nevertheless, the Commission is not substantially increasing the burden estimate as compared to proposed Rule 1000(b)(4)(ii) or adopted Rule 1002(b)(2) because it recognizes that some of the information required by Rule 1002(b)(4) may already have been provided in a prior notification to the Commission and, thus, its burden has been included in the burden estimate for Rule 1002(b)(2). Therefore, the Commission estimates that each SCI entity would require an average of 1,575 hours annually to comply with Rule 1002(b)(4),\1578\ or 69,300 hours for all SCI entities.\1579\ --------------------------------------------------------------------------- \1574\ The 35 hours include 8 hours by an Attorney, 8 hours by a Compliance Manager, 7 hours by a Senior Systems Analyst, 2 hours by an Assistant General Counsel, 1 hour by a General Counsel, 2 hours by a Chief Compliance Officer, and 7 hours by a Senior Business Analyst. As compared to proposed Rule 1000(b)(4)(ii), the Commission expects the legal and compliance personnel to have less work in drafting the written notifications under Rule 1002(b)(4) because some of the information required by Rule 1002(b)(4) may already have been provided in a prior notification to the Commission, and accordingly reduced the burden hours for Attorneys and Compliance Managers from 10 to 8. Further, as compared to the estimated burden for proposed Rule 1000(b)(4)(ii), the Commission is estimating an additional 7 hours by a Senior Systems Analyst, 2 hours by an Assistant General Counsel, 1 hour by a General Counsel, 2 hours by a Chief Compliance Officer, and 7 hours by a Senior Business Analyst to reflect that legal personnel may need to confer with technology and business personnel and senior management before submitting a final report regarding an SCI event. \1575\ See supra note 1509 and accompanying text. \1576\ See supra notes 1527, 1529-1533 and accompanying text. \1577\ As compared to the Commission's burden estimate for Rule 1002(b)(2), the Commission is estimating an additional 3 hours by an Attorney, 3 hours by a Compliance Manager, 1 hour by a Senior Systems Analyst, 1 hour by an Assistant General Counsel, 1 hour by a General Counsel, 1 hour by a Chief Compliance Officer, and 1 hour by a Senior Business Analyst. The type of personnel involved in compliance with Rule 1002(b)(4) is the same as those involved in compliance with Rule 1002(b)(2), except for the addition of the General Counsel. \1578\ 45 written notifications each year x 35 hours per notification = 1,575 hours. \1579\ 1,575 hours x 44 SCI entities = 69,300 hours. The Commission notes that this burden estimate includes the burden for submitting the one interim Commission notification required under Rule 1002(b)(4)(i)(B) (if necessary). In particular, the Commission notes that the interim notification requires SCI entities to include the same information as required to be included in a final notification under Rule 1002(b)(4)(i)(A), except that SCI entities are only required to provide the information to the extent known at the time of the interim notification. If an SCI entity submits an interim notification, it would also be required to submit a final notification, which is required to include all of the remaining information that was not provided in the interim notification. Because all SCI entities are required to provide the same amount of information in total for a particular SCI event under Rule 1002(b)(4), regardless of whether they submit an interim notification, the estimated burden for Rule 1002(b)(4) includes the burden for both the interim notification and the final notification related to a particular SCI event. --------------------------------------------------------------------------- Finally, the quarterly notification under Rule 1002(b)(5) is required only to include ``a summary description'' of the SCI events. The Commission's estimated burden reflects the Commission's belief that most, if not all, SCI entities already have some internal documentation of de minimis SCI events. Rule 1002(b)(5) would impose more burden on SCI entities if they do not already have such internal documentation. The Commission estimates that the initial and ongoing burden to comply with the quarterly report requirement would be 40 hours per report per SCI entity,\1580\ or 160 hours annually per SCI entity,\1581\ and 7,040 hours annually for all SCI entities.\1582\ --------------------------------------------------------------------------- \1580\ The 40 burdens hours include 7.5 hours by an Attorney, 7.5 hours by a Compliance Manager, 2 hours by a Chief Compliance Officer, 2 hours by an Assistant General Counsel, 1 hour by a General Counsel, 10 hours by a Senior Business Analyst, and 10 hours by a Senior Systems Analyst. \1581\ 40 hours x 4 reports each year = 160 hours. \1582\ 160 hours x 44 SCI entities = 7,040 hours. --------------------------------------------------------------------------- The Commission estimates that while SCI entities would handle internally most of the work associated with Rule 1002(b), SCI entities would seek outside legal advice in the preparation of certain Commission notifications, at an average annual cost of $45,000 per SCI entity,\1583\ or $1,980,000 for all SCI entities.\1584\ --------------------------------------------------------------------------- \1583\ See supra note 1522 and accompanying text (discussing the view of a commenter that SCI entities would need to engage outside parties to review the Commission notifications). But see supra note 1536 and accompanying text (discussing the view of a commenter that none of the activities arising under proposed Rule 1000(b)(4) would be conducive to outsourcing). The Commission's estimate represents an average of $1,000 of outsourced cost for each SCI event that is not a de minimis SCI event. The $1,000 estimate is consistent with the Commission's estimated outsourcing cost for each SCI event that is subject to the dissemination requirements under Rule 1002(c). 45 SCI events x $1,000 = $45,000. \1584\ $45,000 x 44 SCI entities = $1,980,000. --------------------------------------------------------------------------- b. Dissemination of Information Regarding SCI Events In the SCI Proposal, the Commission estimated that each SCI entity would experience an average of 14 [[Page 72386]] dissemination SCI events \1585\ each year that are not systems intrusions, resulting in an average of 14 information disseminations per year for each SCI entity under proposed Rule 1000(b)(5)(i).\1586\ The Commission estimated that each information dissemination under proposed Rule 1000(b)(5)(i)(A) would require an average of 3 hours to prepare and make available to members or participants.\1587\ The Commission estimated that each information update under proposed Rule 1000(b)(5)(i)(B) would require an average of 5 hours to prepare and make available to members or participants.\1588\ The Commission also estimated that, on average, each SCI entity would provide one regular update per year per dissemination SCI event under proposed Rule 1000(b)(5)(i)(C).\1589\ The Commission estimated that each regular update would require an average of 1 hour to prepare and make available to members or participants.\1590\ --------------------------------------------------------------------------- \1585\ Dissemination SCI events included systems compliance issues, systems intrusions, and systems disruptions that resulted, or the SCI entity reasonably estimates would result, in significant harm or loss to market participants. \1586\ See Proposing Release, supra note 13, at 18149. \1587\ See id. The 3 burden hours included 2.67 hours by an Attorney and 0.33 hours by a Webmaster. See id. This estimate was based on Commission staff's experience with the ARP Inspection Program. See id. at 18149, n. 416. \1588\ See id. at 18150. The 5 burden hours included 4.67 hours by an Attorney and 0.33 hours by a Webmaster. See id. This estimate was based on Commission staff's experience with the ARP Inspection Program. See id. at 18150, n. 420. \1589\ See id. at 18150. \1590\ See id. The 1 burden hour included 0.67 hours by an Attorney and 0.33 hours by a Webmaster. See id. This estimate was based on the estimated burden to complete and submit a written update for an SCI event on Form SCI and on Commission staff's experience with the ARP Inspection Program. See id. at 18150, n. 422 and n. 423. --------------------------------------------------------------------------- In the SCI Proposal, the Commission estimated that each SCI entity would experience an average of 1 dissemination SCI event that is a systems intrusion each year, resulting in 1 information dissemination per year under proposed Rule 1000(b)(5)(ii). The Commission estimated that each information dissemination would require an average of 3 hours to prepare and make available to members or participants.\1591\ This burden estimate included any burden for an SCI entity to document its reason for determining that dissemination of information regarding a systems intrusion would likely compromise the security of the SCI entity's SCI systems or SCI security systems, or an investigation of the systems intrusion.\1592\ --------------------------------------------------------------------------- \1591\ See id. at 18150. The 3 burden hours included 2.67 hours by an Attorney and 0.33 hours by a Webmaster. See id. This estimate was based on Commission staff's experience with the ARP Inspection Program, and the Commission's burden estimate for proposed Rule 1000(b)(5)(i)(A). See id. at 18150, n. 426. \1592\ See id. --------------------------------------------------------------------------- In the SCI Proposal, the Commission estimated that while SCI entities would internally handle most of work associated with compliance with proposed Rule 1000(b)(5), SCI entities would seek outside legal advice in the preparation of the disseminations at an average annual cost of $15,000 per SCI entity.\1593\ --------------------------------------------------------------------------- \1593\ See id. at 18150-51. --------------------------------------------------------------------------- With respect to the estimated burden under proposed Rule 1000(b)(5), one commenter noted that since most of the work entailed in producing a notification relating to a dissemination SCI event would occur in connection with the Commission notification requirements under proposed Rule 1000(b)(4), the Commission's estimate of the burden of proposed Rule 1000(b)(5) is fairly accurate.\1594\ --------------------------------------------------------------------------- \1594\ See MSRB Letter at 35. --------------------------------------------------------------------------- Another commenter stated that the Commission underestimated the burden associated with information dissemination.\1595\ In connection with expressing its concern that almost any minor or immaterial systems issue would fall under the proposed definition of SCI event, this commenter estimated that there would be at a minimum a ten-fold increase in reportable events from the 175 incidents in 2011 under the ARP Inspection Program.\1596\ --------------------------------------------------------------------------- \1595\ See Omgeo Letter at 37. This commenter argued that the Commission mistakenly relied upon experience with the ARP Inspection Program as a basis for the estimates. See id. \1596\ See id. at 37-38. --------------------------------------------------------------------------- With respect to the estimated burden associated with information dissemination, this commenter argued that the Commission incorrectly assumed that such communications would be drafted only by a single attorney and a webmaster.\1597\ This commenter believed that properly drafting such communications will require a concerted effort by a number of individuals, including subject matter experts and mid-level and senior managers.\1598\ This commenter also noted that SCI entities would draft different dissemination notices designed to address the particular concerns of the different client segments it services (e.g., broker-dealers, custodian banks, investment managers, hedge funds).\1599\ As such, this commenter estimated that proposed Rule 1000(b)(5)(i)(A) would result in a burden of approximately 30 hours to create the dissemination \1600\ and 100 hours to review.\1601\ Further, this commenter disagreed that SCI entities are likely to handle internally most of the work associated with information dissemination.\1602\ This commenter believed that, to the extent a dissemination SCI event raises the possibility of litigation or reputational damage for an SCI entity, the SCI entity will likely engage outside counsel to review the facts and prepare the required materials.\1603\ This commenter also argued that the Commission's estimate did not take into account the burden associated with addressing responses from an SCI entity's participants, members, or clients, which, according to this commenter, would be hundreds of hours of SCI entity associate and management time.\1604\ This commenter expressed similar concerns respect to the burden estimates for proposed Rules 1000(b)(5)(i)(B) and (C) and noted that each follow-up notice would impose a burden far greater than 5 hours.\1605\ This commenter also noted that the Commission underestimated that each SCI entity would only have to provide one update each year under proposed Rule 1000(b)(5)(i)(C), and that each dissemination would only be prepared by an attorney and a webmaster.\1606\ --------------------------------------------------------------------------- \1597\ See id. at 38. \1598\ See id. According to this commenter, subject matter experts would include associates from functions such as Technology, Client Support, Information Security, Legal, Compliance, Product Management, and Sales and Relationship Management. See id. at 38, n. 75. \1599\ See Omgeo Letter at 38. \1600\ This commenter noted that major incidents would require far more resources. See id. \1601\ See id. This commenter noted that the 100-hour estimate does not include any follow up communications. See id. at 38, n. 76. \1602\ See id. at 39. However, another commenter stated its belief that none of the activities arising under proposed Rule 1000(b)(5) would be conducive to outsourcing. See MSRB Letter at 34- 35. \1603\ See Omgeo Letter at 39. This commenter also expressed concern that SCI entities would be forced to send their clients and participants a constant stream of communications detailing minor, inconsequential events that have no impact on them, which would cause reputational damage to SCI entities. See id. \1604\ See id. \1605\ See id. at 40-41. \1606\ See id. at 41. --------------------------------------------------------------------------- [[Page 72387]] With respect to the burden estimates for proposed Rule 1000(b)(5)(ii), this commenter expressed similar concern, and noted that each dissemination under proposed Rule 1000(b)(5)(ii) would require hundreds of burden hours.\1607\ --------------------------------------------------------------------------- \1607\ See id. at 41-42. --------------------------------------------------------------------------- As discussed above in Section IV.B.3.d, the Commission is adopting the information dissemination requirements in Rule 1002(c), with certain modifications from the proposal. As adopted, an SCI entity is required to disseminate certain information to its members or participants that may have been affected by an SCI event.\1608\ However, for major SCI events, an SCI entity must disseminate the required information to all of its member or participants.\1609\ Rule 1002(c)(4) further provides that the information dissemination requirement does not apply to SCI events to the extent they relate to market regulation or market surveillance systems, or any SCI event that has had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity's operations or on market participants. --------------------------------------------------------------------------- \1608\ See Rule 1002(c)(3). \1609\ See id. --------------------------------------------------------------------------- Similar to proposed Rule 1000(b)(5), adopted Rule 1002(c)(1) requires SCI entities to promptly disseminate certain information regarding systems disruptions and systems compliance issues, to further disseminate certain information when such information becomes known,\1610\ and to provide regular updates of such information until the SCI event is resolved. In addition, similar to proposed Rule 1000(b)(5), adopted Rule 1002(c)(2) requires SCI entities to promptly disseminate certain information regarding systems intrusions,\1611\ and provides an exception when the SCI entity determines that dissemination of such information would likely compromise the security of its SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents the reasons for such determination. --------------------------------------------------------------------------- \1610\ The information required to be disseminated under Rule 1002(c)(1) remains unchanged from the proposal. \1611\ The information required to be disseminated under Rule 1002(c)(2) remains unchanged from the proposal. --------------------------------------------------------------------------- With respect to a commenter's concern that because almost any minor or immaterial systems issue would fall under the proposed definition of SCI event, there would be at a minimum a ten-fold increase in reportable events as compared to the reported incidents under the ARP Inspection Program,\1612\ as noted above, Rule 1002(c)(4) provides exceptions to certain SCI events from the information dissemination requirement. Specifically, SCI events that relate to market regulation or market surveillance systems and de minimis SCI events would not be subject to the information dissemination requirement.\1613\ Further, as noted above in Section IV.A, the Commission has refined the definition of SCI systems and SCI event in various respects.\1614\ Given these changes, the Commission believes that the commenter's suggestion that there would be at a minimum a ten-fold increase in reportable events as compared to the reported incidents under the ARP Inspection Program is not an appropriate estimate. The Commission now estimates that each SCI entity would disseminate information regarding 36 SCI events each year under Rule 1002(c),\1615\ including 1 non-de minimis systems intrusion each year.\1616\ Therefore, the Commission now estimates that each SCI entity would disseminate information regarding 35 SCI events each year under Rule 1002(c)(1)(i). The Commission estimates that each SCI entity would disseminate 3 updates for each such SCI event under Rules 1002(c)(1)(ii) and (iii),\1617\ or 105 updates each year.\1618\ Further, the Commission estimates that each SCI entity would disseminate information regarding 1 systems intrusion each year under Rule 1002(c)(2). --------------------------------------------------------------------------- \1612\ See supra note 1596 and accompanying text. \1613\ These exceptions should address a commenter's concern that proposed Rule 1000(b)(5) would result in SCI entities being forced to send their clients and participants a constant stream of communications detailing minor, inconsequential events that have no impact on them. See id. \1614\ See Rule 1000 (defining ``SCI systems'' and ``SCI event''). \1615\ As discussed above, the Commission estimates that each SCI entity will experience an average of 45 SCI events each year that are not de minimis SCI events. The Commission estimates that approximately one-fifth of these SCI events relate to market regulation and market surveillance systems. Therefore, the Commission estimates that the number of SCI events subject to the requirements of Rule 1002(c) would be 36 per year for each SCI entity (45 SCI events / 5 x 4 = 36 SCI events). \1616\ Based on Commission's experience with the ARP Inspection Program, the Commission believes each SCI entity will experience on average less than one non-de minimis systems intrusion per year. However, for purposes of the PRA, the Commission estimates one non- de minimis systems intrusion per SCI entity per year. \1617\ The Commission notes that Rule 1002(c)(1)(ii) requires each SCI entity, when known, to promptly further disseminate for each SCI event three types of information: (A) A detailed description of the SCI event; (B) the SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; and (C) a description of the progress of its corrective action for the SCI event and when the SCI event has been or is expected to be resolved. The Commission believes that one or more of these types of information may become known to an SCI entity at different times, and therefore the Commission estimates that each SCI entity will submit two updates per SCI event under Rule 1002(c)(1)(ii). Rule 1002(c)(1)(iii) requires each SCI entity to provide regular updates of any information required to be disseminated under Rules 1002(c)(1)(i) and (ii). The Commission estimates that each SCI entity will submit one regular update under Rule 1002(c)(1)(iii) before the SCI event is resolved. The Commission believes that the number of updates under Rules 1002(c)(1)(ii) and (iii) will vary depending on how quickly information is discovered and how quickly the SCI event is resolved, but believes that a total of three updates for the two provisions is an appropriate estimate. \1618\ 35 SCI events x 3 updates per SCI event = 105 updates. --------------------------------------------------------------------------- The Commission estimates that each information dissemination under Rule 1002(c)(1)(i) will require 7 hours.\1619\ The Commission is not significantly increasing its burden estimate from the proposal because the Commission believes that the information required to be disseminated under Rule 1002(c)(1)(i) would likely already be collected for Commission notification under Rule 1002(b)(1) or (2).\1620\ Therefore, contrary to the view of a commenter,\1621\ the Commission does not believe that Rule 1002(c)(1)(i) will result in significantly higher burden for [[Page 72388]] SCI entities than as estimated in the proposal. With respect to the view of a commenter that SCI entities would create different dissemination notices designed to address the concerns of different client segments,\1622\ the Commission notes that Rule 1002(c) only specifies the general information that must be disseminated and does not require that SCI entities provide different information to different clients, even though SCI entities can decide to tailor the information dissemination for their clients.\1623\ Based on the foregoing, the Commission estimates that each SCI entity would require an average of 245 hours annually to comply with Rule 1002(c)(1)(i),\1624\ or 10,780 hours for all SCI entities.\1625\ --------------------------------------------------------------------------- \1619\ The 7 hours include 2.67 hours by an Attorney, 1 hour by a Compliance Manager, 0.5 hours by a Chief Compliance Officer, 0.5 hours by a General Counsel, 0.5 hours by a Director of Compliance, 1 hour by a Senior Systems Analyst, 0.5 hours by a Corporate Communications Manager, and 0.33 hours by a Webmaster. As compared to the estimated burden for proposed Rule 1000(b)(5)(i)(A), the Commission is estimating an additional 1 hour by a Compliance Manager, 0.5 hours by a General Counsel, 0.5 hours by a Chief Compliance Officer, 0.5 hours by a Director of Compliance, 1 hour by a Senior Systems Analyst, and 0.5 hours by a Corporate Communications Manager to reflect the view of commenters that the preparation for information dissemination would require the involvement of subject matter experts and mid-level and senior managers. See supra notes 1597-1598 and accompanying text. \1620\ See also supra note 1594 and accompanying text (discussing the view of a commenter that since most of the work entailed in producing a notification relating to a dissemination SCI event would occur in connection with the Commission notification requirements under proposed Rule 1000(b)(4), the Commission's estimate of the burden of proposed Rule 1000(b)(5) is fairly accurate). \1621\ See supra notes 1600-1601 and 1607 and accompanying text. \1622\ See supra notes 1599-1601 and accompanying text. \1623\ This commenter also noted that the Commission did not take into account the burden associated with addressing responses from an SCI entity's participants, members, or clients. See supra note 1604 and accompanying text. The Commission believes that currently, SCI entities already notify affected members or participants of certain systems issues. The Commission also believes that information regarding many systems issues that fall under the definition of major SCI event is already made available to members or participants of an SCI entity, and often to the public through the press or otherwise. Therefore, the Commission does not believe that the burden to respond to members or participants will be significantly higher than SCI entities' current practices in the absence of Regulation SCI. The Commission also notes that Rule 1002(c) does not impose any requirements related to responding to inquiries about the information dissemination. \1624\ 35 information dissemination each year x 7 hours per dissemination = 245 hours. \1625\ 245 hours x 44 SCI entities = 10,780 hours. --------------------------------------------------------------------------- The Commission estimates that each update under Rules 1002(c)(1)(ii) and (iii) will require 13 hours.\1626\ The Commission is not significantly increasing its burden estimate for proposed Rules 1000(b)(5)(i)(B) and (C) because the Commission believes that the information required to be disseminated under Rules 1002(c)(1)(ii) and (iii) would likely already be collected for Commission notification under Rules 1002(b)(2)-(4).\1627\ Therefore, contrary to the view of a commenter,\1628\ the Commission does not believe that Rules 1002(c)(1)(ii) and (iii) will result in significantly higher burden for SCI entities than as estimated in the SCI Proposal. Based on the foregoing, the Commission estimates that each SCI entity would require an average of 1,365 hours annually to comply with Rules 1002(c)(1)(ii) and (iii),\1629\ or 60,060 hours for all SCI entities.\1630\ --------------------------------------------------------------------------- \1626\ The 13 hours include 4.67 hours by an Attorney, 2 hours by a Compliance Manager, 1 hour by a Chief Compliance Officer, 1 hour by a General Counsel, 1 hour by a Director of Compliance, 2 hours by a Senior Systems Analyst, 1 hour by a Corporate Communications Manager, and 0.33 hours by a Webmaster. As compared to the estimated burden for proposed Rule 1000(b)(5)(i)(B), the Commission is estimating an additional 2 hours by a Compliance Manager, 1 hour by a General Counsel, 1 hour by a Chief Compliance Officer, 1 hour by a Director of Compliance, 2 hours by a Senior Systems Analyst, and 1 hour by a Corporate Communications Manager to reflect the view of commenters that the preparation for information dissemination would require the involvement of subject matter experts and mid-level and senior managers. See supra notes 1597-1598 and accompanying text. \1627\ See supra notes 1594 and 1620 accompanying text. \1628\ See supra notes 1605-1606 and accompanying text. \1629\ 105 updates each year x 13 hours per update = 1,365 hours. \1630\ 1,365 hours x 44 SCI entities = 60,060 hours. --------------------------------------------------------------------------- The information required to be disseminated under Rule 1002(c)(2) for systems intrusions is similar to the information required to be disseminated under Rule 1002(c)(1)(i) in that both provisions require the dissemination of a summary description of an SCI event. Therefore, the Commission is using the burden estimate for Rule 1002(c)(1)(i) as the basis for its estimate for Rule 1002(c)(2). However, the Commission believes that Rule 1002(c)(2) will impose more burden than Rule 1002(c)(1)(i) because it also requires that the SCI entity determine whether dissemination of information regarding a particular systems intrusion would compromise the security of its SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and if the SCI entity determines that it would, to document the reason for such determination.\1631\ Therefore, the Commission estimates that each SCI entity will spend an average of 10 hours to comply with Rule 1002(c)(2),\1632\ or 440 hours for all SCI entities.\1633\ --------------------------------------------------------------------------- \1631\ See Rule 1002(c)(2). \1632\ The 10 hours include 3.67 hours by an Attorney, 1.5 hours by a Compliance Manager, 0.75 hours by a Chief Compliance Officer, 0.75 hours by a General Counsel, 0.75 hours by a Director of Compliance, 1.5 hour by a Senior Systems Analyst, 0.75 hours by a Corporate Communications Manager, and 0.33 hours by a Webmaster. See supra note 1619. The burden estimate for Rule 1002(c)(2) is approximately one and a half times the Commission's burden estimate for Rule 1002(c)(1)(i). (7 hours x 1.5 = 10.5 hours.) \1633\ 10 hours x 44 SCI entities = 440 hours. --------------------------------------------------------------------------- The Commission estimates that while SCI entities would handle internally some or most the work associated with compliance with Rule 1002(c),\1634\ SCI entities would seek outside legal advice in the preparation of the information dissemination, at an average annual cost of $36,000 per SCI entity,\1635\ or $1,584,000 for all SCI entities.\1636\ --------------------------------------------------------------------------- \1634\ The Commission recognizes that some SCI entities, such as certain SCI SROs, may have the in-house expertise to complete the work associated with compliance with Rule 1002(c), while other SCI entities may not and would therefore need to outsource some of the work associated with compliance with Rule 1002(c). \1635\ The Commission is increasing its estimate of the outsourcing cost for compliance with Rule 1002(c) from its estimate in the proposal because its estimate of the number of information dissemination is higher than the estimated number in the proposal (i.e., from 15 to 36). In the SCI Proposal, the Commission estimated an outsourcing cost of $15,000 for 15 SCI events, which results in an average cost of $1,000 per SCI event. The Commission is continuing to estimate an average cost of $1,000 per SCI event subject to information dissemination, but is increasing the total outsourcing cost to $36,000 based on the increase in the number of estimated SCI events to 36. See also supra notes 1602-1603 and accompanying text (discussing the view of a commenter that SCI entities will likely engage outside counsel to review the facts and prepare the required documents to the extent an SCI event raises the possibility of litigation or reputational damage). But see supra note 1602 and accompanying text (discussing the view of a commenter that none of the activities arising under proposed Rule 1000(b)(5) would be conducive to outsourcing). \1636\ $36,000 x 44 SCI entities = $1,584,000. --------------------------------------------------------------------------- c. Commission Notification of Material Systems Changes In the SCI Proposal, the Commission estimated that each SCI entity would have an average of 60 planned material systems changes each year, resulting in 60 advance notifications per year.\1637\ The Commission estimated that each notification would require 2 hours to prepare and submit.\1638\ For SCI entities that currently participate in the ARP Inspection Program, the Commission estimated that these entities would start from a baseline of fifty percent.\1639\ The Commission also estimated that the initial and ongoing burden to submit semi-annual reports to the Commission pursuant to proposed Rule 1000(b)(8)(ii) would be 60 hours per report for each SCI entity.\1640\ --------------------------------------------------------------------------- \1637\ See Proposing Release, supra note 13, at 18151. This estimate included instances where the information previously provided to the Commission regarding any planned material systems change becomes inaccurate. See id. at 18151, n. 431. \1638\ See id. at 18151. The 2 burden hours included 0.33 hours by an Attorney and 1.67 hours by a Senior Systems Analyst. See id. This estimate was based on Commission staff's experience with the ARP Inspection Program. In determining this estimate, the Commission also considered its burden estimate for the same reporting requirement that was proposed for SB SEFs. See id. at 18151, n. 432. \1639\ See id. at 18151. \1640\ See id. at 18152. The 60 burden hours included 10 hours by an Attorney and 50 hours by a Senior Systems Analyst. See id. This estimate was based on Commission staff's experience with the ARP Inspection Program. See id. at 18152, n. 440. --------------------------------------------------------------------------- With respect to the estimated burden under proposed Rule 1000(b)(6), some commenters noted that the Commission underestimated the number of material systems changes.\1641\ For example, one [[Page 72389]] commenter stated that, based on the proposed definition of material systems changes, each SCI entity could be reporting 60 material systems changes each week.\1642\ One commenter noted that the burden estimate was effectively limited to ministerial tasks of producing material systems change notifications and did not take into account activities necessary to gather the information needed, to have appropriate confirmations from persons with knowledge of the material systems change, to provide for senior management review where appropriate, and to otherwise be in a position to draft the notification.\1643\ One commenter stated that the Commission's estimate of 2 hours for each material systems change notice is too low because describing systems changes ``involves the work of a tech-writer, who needs to collaborate with multiple groups on a project team, including the project manager, application development team and the testing and implementation teams.'' \1644\ Similarly, one commenter noted that material systems change notifications would require substantial review by IT management, relevant business supervisors, as well as compliance staff, which would increase the burden estimate at least three-fold.\1645\ One commenter noted that, based on its experience under the ARP Inspection Program, each notice under proposed Rule 1000(b)(6) would require at least 62 hours.\1646\ This commenter also opined that the Commission mistakenly assumed that only a senior systems analyst and an attorney would be involved in the drafting of the notice.\1647\ According to this commenter, a number of subject matter experts would need to be involved in drafting and reviewing these notices (i.e., Project Management, Developments, Quality Assurance, Performance Testing, Systems Engineering, Systems Architecture, Capacity Planning, Information Security, Business Continuity, Disaster Recovery, Legal, and Compliance).\1648\ --------------------------------------------------------------------------- \1641\ See BATS Letter at 14. See also NYSE Letter at 26 (stating that if ``material'' were interpreted broadly to cover any functional change to an SCI system, the number of material systems changes could measure in the thousands); and OTC Markets Letter at 21 (stating that it estimated it had a minimum of 430 reportable changes to its production systems over a ten-month time frame based on the proposed notification standards for material systems changes). \1642\ See BATS Letter at 14. \1643\ See MSRB Letter at 35. \1644\ See OCC Letter at 15. This commenter stated that a large amount of information needs to be assembled from different groups and consolidated into a single report, which would include, for example: (i) A high-level description of the functionality and configuration of the affected systems; (ii) a description of the systems development process; (iii) the relationship to other systems; (iv) changes to production schedules due to the planned system change; (v) any effects on capacity; (vi) a description of test results; (vii) a summary of test results; (viii) contingency protocols (i.e., fallback options and disaster recovery measures); (ix) vulnerability assessments and security measures; and (x) whether an SEC rule filing under Rule 19b-4 has been made in connection with the system change notification. See id. at 15-16. According to this commenter, unless the Commission intends for the scope of information provided with these notices to be limited to high level descriptions and generally less detailed, the preparation of material systems change notices generally requires considerably more time than estimated. See id. at 16. \1645\ See UBS Letter at 6. \1646\ See Omgeo Letter at 42. \1647\ See id. \1648\ See id. at 42-43. --------------------------------------------------------------------------- On the other hand, one commenter stated that the Commission's estimate of the burden of proposed rule 1000(b)(8)(ii) is fairly accurate.\1649\ --------------------------------------------------------------------------- \1649\ See MSRB Letter at 37. --------------------------------------------------------------------------- One commenter stated its belief that none of the activities arising under proposed Rules 1000(b)(6) and (b)(8) would be conducive to outsourcing.\1650\ --------------------------------------------------------------------------- \1650\ See id. at 36-37. --------------------------------------------------------------------------- As discussed in detail above in Section IV.B.4, the Commission is not adopting the requirement for SCI entities to provide 30-day advance notifications or semi-annual reports of material systems changes. Also as discussed in detail above in Section IV.B.4, the Commission is not adopting the proposed definition of material systems change. Adopted Rule 1003(a) requires each SCI entity to submit quarterly reports describing completed, ongoing, and planned material changes to its SCI systems and security of indirect SCI systems during the prior, current, and subsequent calendar quarters. Adopted Rule 1003(b) additionally requires each SCI entity to promptly submit a supplemental report notifying the Commission of a material error in or material omission from a report previously submitted under Rule 1003(a). With respect to the comment that, based on the proposed definition of material systems change, each SCI entity could be reporting 60 material systems changes each week (rather than each year), the Commission notes that it has not adopted the proposed definition of material systems change.\1651\ Rather, as discussed above in Section IV.B.4, Rule 1003(a)(1) requires each SCI entity to establish reasonable criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material. Because Rule 1003(a)(1) allows each SCI entity to identify material systems changes, it is responsive to commenters' concern that the proposed definition was too broad and would result in an excessive number of notifications, and to commenters' suggestion that the definition should be revised. In particular, an SCI entity will have reasonable discretion in establishing the written criteria in order to capture the systems changes that it believes are material. Relatedly, with respect to commenters who specifically discussed the 30-day advance Commission notification requirement for material systems changes,\1652\ the Commission notes that it is not adopting a 30-day advance notification requirement for each material systems change and is instead adopting a quarterly reporting requirement. Therefore, the Commission does not believe that it is necessary to estimate the number of material systems changes that each SCI entity will experience each year in order to estimate the burden associated with Rule 1003(a). --------------------------------------------------------------------------- \1651\ See supra notes 1641-1642 and accompanying text. \1652\ See supra notes 1643-1648 and accompanying text. --------------------------------------------------------------------------- As discussed above in Section IV.B.4, Rule 1003(a) requires quarterly reports on material systems changes and supplemental reports under certain circumstances. Specifically, the quarterly reports are required to include a description of the completed, ongoing, and planned material changes to SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion.\1653\ The Commission notes that the quarterly reports under Rule 1003(a) are required to include similar information as the information required under proposed Rule 1000(b)(8)(ii).\1654\ [[Page 72390]] However, because the Commission is not requiring 30-day advance notification of each material systems change, SCI entities may need to spend more time to gather the information required to be included in the quarterly reports and to prepare the quarterly reports than the burden estimated for proposed Rule 1000(b)(8)(ii).\1655\ Therefore, the Commission estimates that the initial and ongoing burden to comply with the quarterly reporting requirement would be 125 hours per report per SCI entity,\1656\ or 500 hours annually per SCI entity \1657\ and 22,000 hours annually for all SCI entities.\1658\ --------------------------------------------------------------------------- \1653\ Contrary to the views of a commenter, these quarterly reports are limited in scope and do not require a detailed description of each systems change that the SCI entity determines to be material. See supra note 1644 (discussing the concerns of a commenter that a large amount of information would need to be assembled and consolidated into a single report, and that unless the Commission intends for the scope of the information provided to be limited to high level descriptions and generally less detailed, the preparation of material systems change notices will require considerably more time than estimated). The Commission notes that it intends for the quarterly report to only require the information necessary to allow the Commission and its staff to gain a sufficient understanding of the relevant material systems changes, which would aid the Commission and its staff in understanding the operations and functionality of the systems of an SCI entity and changes to such systems. Specifically, Rule 1003(a)(1) requires the quarterly report to ``describe'' the material systems changes and gives each SCI entity reasonable flexibility in how to describe it. \1654\ Proposed Rule 1000(b)(8)(ii) required semi-annual reports that include a summary description of the progress of any material systems changes during the six-month period ending on June 30 or December 31, and the date, or expected date, of completion of implementation of such changes. \1655\ At the same time, the Commission believes that most, if not all, SCI entities already have some internal procedures for documenting all systems changes. \1656\ In the SCI Proposal, the Commission preliminarily estimated 60 hours per semi-annual report. See Proposing Release, supra note 13, at 18152. The Commission believes that, although Rule 1003(a)(1) requires quarterly reports rather than semi-annual reports, the reporting burden should not be reduced because the quarterly reports would cover material systems changes during the prior, current, and subsequent calendar quarters. On the other hand, the proposed semi-annual reports would have only covered material systems changes during the previous 6 months. In addition, because the Commission is not requiring 30-day advance notification of each material systems change, SCI entities may need more time to gather the information required to be included in the quarterly reports and to prepare the quarterly reports. Therefore, the Commission believes that it is appropriate to increase by fifty percent its estimate for the proposed semi-annual reporting requirement and to add additional personnel in response to comment. But see supra note 1649 and accompanying text (discussing a commenter's view that the Commission's estimate of the burden under proposed Rule 1000(b)(8)(ii) is fairly accurate). The 125 burdens hours include 7.5 hours by an Attorney, 7.5 hours by a Compliance Manager, 5 hours by a Chief Compliance Officer, 30 hours by a Senior Business Analyst, and 75 hours by a Senior Systems Analyst. In addition to adding fifty percent to the estimated burden for proposed Rule 1000(b)(8)(ii), the Commission is estimating an additional 7.5 hours by a Compliance Manager (and decreasing the proposed burden estimate for Attorney from 10 hours to 7.5 hours), 5 hours by a Chief Compliance Officer, and 30 hours by a Senior Business Analyst to address commenters' view that the estimates in the SCI Proposal did not take into account the activities to gather the information needed, to have appropriate confirmations from persons with knowledge of the material systems change, and to provide for senior management review where appropriate (even though some of these commenters commented on the burden estimate for proposed Rule 1000(b)(6) only). See supra notes 1643, 1645, 1647, and 1648 and accompanying text. The Commission notes that the inclusion of Senior Business Analyst and Senior Systems Analyst is intended to cover subject matter experts for material systems changes, as suggested by a commenter. See supra note 1648 and accompanying text. \1657\ 125 hours x 4 reports each year = 500 hours. The Commission recognizes that, to the extent an SCI entity develops a template for quarterly material systems change reports, the burden associated with creating future quarterly reports may be reduced. \1658\ 500 hours x 44 SCI entities = 22,000 hours. --------------------------------------------------------------------------- With respect to the requirement under Rule 1003(a)(2) for supplemental material systems change reports, for purposes of this PRA analysis, the Commission estimates that most quarterly reports will not contain material errors or material omissions. Therefore, the Commission estimates that each SCI entity will submit 2 supplemental reports each year under Rule 1003(a)(2), in order to account for the few instances where a quarterly report must be corrected. The Commission estimates that the initial and ongoing burden to comply with the supplemental reporting requirement would be 15 hours per report per SCI entity,\1659\ or 30 hours annually per SCI entity \1660\ and 1,320 hours annually for all SCI entities.\1661\ The Commission believes that SCI entities would handle internally the work associated with reports required under Rule 1003(a).\1662\ --------------------------------------------------------------------------- \1659\ The 15 burdens hours include 2 hours by an Attorney, 2 hours by a Compliance Manager, 1 hour by a Chief Compliance Officer, 3 hours by a Senior Business Analyst, and 7 hours by a Senior Systems Analyst. The Commission believes that the burden associated with supplemental material systems change reports will be substantially lower than the burden associated with quarterly material systems change reports, but the same type of personnel will be involved the supplemental report as the quarterly report. \1660\ 15 hours x 2 reports each year = 30 hours. \1661\ 30 hours x 44 SCI entities = 1,320 hours. \1662\ See supra note 1650 and accompanying text, --------------------------------------------------------------------------- d. SCI Review In the SCI Proposal, the Commission estimated that the initial and ongoing burden of conducting an SCI review and submitting the SCI review to senior management for review would be approximately 625 hours for each SCI entity.\1663\ The Commission also estimated that each SCI entity would spend 1 hour to submit the SCI review to the Commission pursuant to proposed Rule 1000(b)(8)(i).\1664\ --------------------------------------------------------------------------- \1663\ See Proposing Release, supra note 13, at 18151. The 625 burden hours included 80 hours by an Attorney, 170 hours by a Manager Internal Auditor, and 375 hours by a Senior Systems Analyst. See id. This estimate was the Commission's preliminary best estimate and was based on Commission staff's experience with the ARP Inspection Program. This estimate was also the same as the Commission's burden estimate for internal audits of SB SEFs. See id. at 18151, n. 437. \1664\ See id. at 18151. The 1 burden hour would be spent by an Attorney. See id. --------------------------------------------------------------------------- With respect to the burden associated with SCI reviews, one commenter stated that the Commission's estimate of the burden of proposed Rule 1000(b)(7) is fairly accurate.\1665\ According to this commenter, although the burden estimate of proposed Rule 1000(b)(7) did not require the inclusion of senior management's response, the Commission's estimate is sufficient to cover the burden on senior management to produce such response.\1666\ --------------------------------------------------------------------------- \1665\ See MSRB Letter at 36. \1666\ See id. at 37. --------------------------------------------------------------------------- Another commenter noted that the Commission's estimate of the burden associated with SCI review is too low and that the SCI review will require over 1,200 burden hours.\1667\ In connection with advocating for a risk-based approach for SCI reviews, one commenter noted that if it were to attempt to conduct all of the market-related technology application reviews that it currently conducts over four years during one year (excluding regulatory technology applications such as those related to member regulation), it would require approximately 6,400 to 8,320 hours.\1668\ According to this commenter, significantly more resources would be required to conduct SCI reviews if the definition of SCI systems includes non-market regulatory and surveillance systems, and development and testing systems.\1669\ One commenter noted that significant portions of the SCI review could be outsourced and that the Commission's estimate for the overall cost of outsourcing is reasonable, although some of the assumed hourly rates used in the SCI Proposal appear to be too low in the context of the current market environment.\1670\ --------------------------------------------------------------------------- \1667\ See ISE Letter at 12. \1668\ See FINRA Letter at 40. According to this commenter, it currently spends approximately 160 hours for each review of a technology application in connection with its regulatory audits, and currently it reviews between 10 and 13 market-related technology applications annually. See id. \1669\ See id. \1670\ See MSRB Letter at 36. --------------------------------------------------------------------------- One commenter noted that the Commission's estimate did not take into account the additional work that would be required by many different SCI entity associates, including managers and subject matter experts, in order to satisfy the requirements of proposed Rule 1000(b)(7).\1671\ This commenter stated that the Commission incorrectly assumed that only an attorney, manager internal audit, and systems analyst would be required to work on the SCI review.\1672\ According to this commenter, subject matter expertise that would be needed to perform such a review includes Product Managers, Project Managers, Developers, Quality Assurance staff, Systems Engineers, Systems Architects, Capacity Planners, Information Security experts, Business Continuity and Disaster Recovery staff, Compliance staff, and management.\1673\ This commenter estimated that the [[Page 72391]] annual burden under proposed Rule 1000(b)(7) would be 4,670 hours.\1674\ According to this commenter, if the Commission intended SCI entities to conduct a broader scope review beyond those now required by the ARP Inspection Program, then the annual burden would be 11,199 hours.\1675\ With respect to the burden estimate for proposed Rule 1000(b)(8)(i), one commenter stated that the estimate did not address the burden on senior management for reading, analyzing, and perhaps responding to the SCI review.\1676\ --------------------------------------------------------------------------- \1671\ See Omgeo Letter at 44. \1672\ See id. \1673\ See id. \1674\ See id. \1675\ See id. \1676\ See id. --------------------------------------------------------------------------- As discussed above in Section IV.B.5, the Commission is adopting SCI review-related requirements in Rule 1003(b), with some modifications from the proposal. Specifically, Rule 1003(b)(1) requires each SCI entity to conduct an SCI review of its compliance with Regulation SCI not less than once each calendar year, with an exception for penetration test reviews, which are required to be conducted not less than once every three years.\1677\ As adopted, Rule 1003(b)(1)(ii) provides an exception for assessments of SCI systems directly supporting market regulation or market surveillance, which are required to be reviewed at a frequency based on the risk assessment conducted as part of the SCI review, but in no case less than once every three years.\1678\ Rules 1003(b)(2) and (3) require each SCI entity to submit a report of the SCI review to senior management no more than 30 calendar days after completion of the review, and to submit the report to the Commission and to the board of directors of the SCI entity or the equivalent of such board, together with any response by senior management, within 60 calendar days after its submission to senior management. --------------------------------------------------------------------------- \1677\ As proposed, the rule would have required penetration test reviews of the SCI entity's network, firewalls and development, testing, and production systems. However, consistent with modifications to the definition of SCI systems, references to development and test systems have been deleted in adopted Rule 1003(b)(1)(i). \1678\ These exceptions, along with the exclusion of development and testing systems from the definition of SCI systems, would address, at least in part, some commenters' concern regarding the scope of the definition of SCI systems and consequently the burden of the SCI review requirement. See supra notes 1669 and 1675 and accompanying text. --------------------------------------------------------------------------- After considering the views of commenters, the Commission is not significantly increasing the burden estimate for compliance with Rules 1003(b)(1) and (2) from its estimates in the SCI Proposal. In particular, one commenter noted that the Commission's burden estimate for proposed Rule 1000(b)(7) was fairly accurate.\1679\ Further, while other commenters advocated higher burden estimates for the SCI review requirement,\1680\ the Commission notes that it has refined the definition of SCI systems (e.g., by eliminating development and testing systems, and focusing on market regulation and market surveillance systems) and has incorporated a risk-based approach to the frequency of testing for market regulation and market surveillance systems. The Commission estimates that the initial and ongoing burden of conducting an SCI review and submitting the SCI review to senior management of the SCI entity for review would be approximately 690 hours for each SCI entity,\1681\ and 30,360 hours annually for all SCI entities.\1682\ The Commission estimates that while SCI entities would handle internally some or most of the work associated with compliance with Rule 1003(b),\1683\ SCI entities would outsource some of the work associated with an SCI review, at an average annual cost of $50,000 per SCI entity,\1684\ or $2,200,000 for all SCI entities.\1685\ --------------------------------------------------------------------------- \1679\ See supra note 1665 and accompanying text. \1680\ See supra notes 1667-1668 and 1675 and accompanying text. These commenters estimated a range of 1,200 to 8,320 burden hours. In response to the commenter that stated that it currently spends approximately 160 hours for each review of a technology application and it reviews between 10 and 13 market-related technology applications annually, the Commission notes that the burden estimates in this section only include the incremental burden associated with the rule above what the Commission estimates that SCI entities are already performing. To the extent an SCI entity already reviews certain of its systems, the additional burden imposed by Rule 1003(b) will be lower than for other SCI entities. \1681\ The 690 hours include 80 hours by an Attorney, 35 hours by a Compliance Manager, 5 hours by a General Counsel, 20 hours by a Chief Compliance Officer, 5 hours by a Director of Compliance, 170 hours by a Manager Internal Audit, and 375 hours by a Senior Systems Analyst. As compared to the estimated burden for proposed Rule 1000(b)(7), the Commission is estimating an additional 35 hours by a Compliance Manager, 5 hours by a General Counsel, 20 hours by a Chief Compliance Officer, and 5 hours by a Director of Compliance, to reflect the view of commenters that managers would be involved in satisfying the requirements related to SCI review. See supra notes 1671-1675 and accompanying text. The Commission notes that the 20- hour burden estimate for the Chief Compliance Officer includes the time spent by other members of the senior management team (other than the General Counsel, who has a separate burden estimate). See supra Section IV.B.5 (discussing senior management involvement in compliance with Rule 1003(b)). The Commission notes that the inclusion of Manager Internal Audit and Senior Systems Analyst is intended to cover subject matter experts related to systems review (e.g., information security experts, systems engineers, quality assurance staff). See supra notes 1671-1675 and accompanying text. The Commission also believes that some SCI entities already conduct annual reviews of its systems, and therefore may incur less burden than other SCI entities in complying with Rule 1003(b). \1682\ 690 hours x 44 SCI entities = 30,360 hours. \1683\ As noted above, one commenter suggested that significant portions of the SCI review may be outsourced. This commenter also noted that the Commission's estimate of the overall cost of outsourcing is reasonable, although it believed some of the assumed hourly rates appear to be too low in the context of current market environment. See supra note 1670 and accompanying text. The Commission acknowledges that some SCI entities may outsource work related to SCI review to more expensive outside firms than others. On average, the Commission believes its hourly rate of $400 for outsourcing continues to be appropriate. \1684\ 125 hours x $400 = $50,000. The Commission believes that SCI entities may outsource some of the legal and audit work associated with an SCI review. In particular, the Commission estimates that, on average, an SCI entity will outsource 40 hours of legal work and 85 hours of audit work (or half of the hour burden estimates for Attorney and Manager Internal Audit). See supra note 1681. \1685\ $50,000 x 44 SCI entities = $2,200,000. --------------------------------------------------------------------------- With respect to the comment that the burden estimate for proposed Rule 1000(b)(8)(i) failed to account for the burden on senior management for reviewing and responding to the report of the SCI review,\1686\ the Commission notes that proposed Rule 1000(b)(8)(i) and adopted Rule 1003(b)(3) do not require senior management to respond to the report of the SCI review. Rather, Rule 1003(b)(3) only requires an SCI entity to submit the already prepared report of the SCI review, and response by senior management if there was any, to the Commission and to the board of directors of the SCI entity or the equivalent of such board. Moreover, the Commission is including in its burden estimate for Rules 1003(b)(1) and (2) the burden for senior management review of the report for the SCI review. Therefore, with respect to Rule 1003(b)(3), the Commission estimates that each SCI entity would require 1 hour per year to submit the report of the SCI review and any response by senior management to the Commission and to the board of directors of the SCI entity or the equivalent of such board,\1687\ for a [[Page 72392]] burden of 44 hours for all SCI entities.\1688\ --------------------------------------------------------------------------- \1686\ See supra notes 1666 and 1676 and accompanying text. One of these commenters, however, noted that the Commission's estimated burden for proposed Rule 1000(b)(7) is fairly accurate, even though it did not include senior management's response. See supra notes 1665-1666 and accompanying text. \1687\ The 1 hour would be spent by an Attorney. This estimate is unchanged from the burden estimate for proposed Rule 1000(b)(8)(i), which only required submission of the report and any response by senior management to the Commission. The Commission believes that the additional burden for submitting the same report and response to the SCI entity's board of directors or the equivalent of such board would be modest, and thus the estimate of one hour remains unchanged from the burden estimate for proposed Rule 1000(b)(8)(i), which required submission of the report and response by senior management only to the Commission. \1688\ 1 hour x 44 SCI entities = 44 hours. --------------------------------------------------------------------------- e. Access to EFFS As noted above, to access EFFS, an SCI entity will submit to the Commission an EAUF to register each individual at the SCI entity who will access the EFFS system on behalf of the SCI entity. The Commission is including in its burden estimates the burden for completing the EAUF for each individual at an SCI entity that will request access to EFFS. The Commission estimates that initially, on average, two individuals at each SCI entity will request access to EFFS through the EAUF, and each EAUF would require 0.15 hours to complete and submit. Therefore, each SCI entity would initially require 0.3 hours to complete the requisite EAUFs,\1689\ or approximately 13 hours for all SCI entities.\1690\ The Commission also estimates that annually, on average, one individual at each SCI entity will request access to EFFS through EAUF.\1691\ Therefore, the ongoing burden to complete the EAUF would be 0.15 hours annually for each SCI entity,\1692\ or approximately 7 hours annually for all SCI entities.\1693\ --------------------------------------------------------------------------- \1689\ 0.15 hours per EAUF x 2 individuals = 0.3 hours per SCI entity. These estimates are based on Commission staff's experience with EFFS and EAUFs pursuant to Rule 19b-4 under the Exchange Act. The 0.15 hours would be spent by an Attorney. The Commission acknowledges that an SCI SRO may initially submit fewer than two EAUFs because certain individuals at SCI SROs currently already have access to EFFS, whereas an SCI entity other than an SCI SRO may submit more than two EAUFs initially because it has not previously submitted filings through EFFS. Therefore, the Commission believes it is appropriate to estimate that, on average, each SCI entity will submit two EAUFs initially. \1690\ 0.30 hours x 44 SCI entities = 13.2 hours. \1691\ The Commission estimates that annually, on average, one individual at each SCI entity will request access to EFFS through EAUF to account for the possibility that an individual who previously had access to EFFS may no longer be designated as needing such access. \1692\ 0.15 hours per EAUF x 1 individual = 0.15 hours. \1693\ 0.15 hours x 44 entities = 6.6 hours. --------------------------------------------------------------------------- In addition, the Commission estimates that each SCI entity will designate two individuals to sign Form SCI each year. An individual signing a Form SCI must obtain a digital ID, at the cost of approximately $25 each year. Therefore, each SCI entity would require approximately $50 annually to obtain digital IDs for the individuals with access to EFFS for purposes of signing Form SCI,\1694\ or approximately $2,200 for all SCI entities.\1695\ --------------------------------------------------------------------------- \1694\ $25 per digital ID x 2 individuals = $50 per SCI entity. \1695\ $50 x 44 SCI entities = $2,200. --------------------------------------------------------------------------- 3. Requirements To Take Corrective Actions and Identify Critical SCI Systems, Major SCI Events, De Minimis SCI Events, and Material Systems Changes The rules under Regulation SCI that would result in SCI entities establishing additional processes for compliance are discussed more fully in Sections IV.A, IV.B.3.b, and IV.B.4 above. a. Corrective Actions In the SCI Proposal, the Commission noted that, although SCI entities already take corrective action in response to systems issues, proposed Rule 1000(b)(3) would likely result in SCI entities revising their policies regarding taking corrective actions.\1696\ The Commission estimated that the initial burden would be 42 hours per SCI entity,\1697\ and the ongoing burden would be 12 hours annually per SCI entity.\1698\ The Commission estimated that SCI entities would establish the process for compliance with proposed Rule 1000(b)(3) internally.\1699\ --------------------------------------------------------------------------- \1696\ See Proposing Release, supra note 13, at 18152. \1697\ See id. The 42 burden hours included 16 hours by a Compliance Manager, 16 hours by an Attorney, 5 hours by a Senior Systems Analyst, and 5 hours by an Operations Specialist. See id. This estimate was based on the Commission's burden estimate for proposed Rule 1000(b)(1). See id. at 18152, n. 442. \1698\ See id. at 18152. The 12 burden hours included 6 hours by a Compliance Manager and 6 hours by an Attorney. See id. This estimate was based on the Commission's burden estimate for proposed Rule 1000(b)(1). See id. at 18152, n. 443. \1699\ See id. at 18152, n. 442. --------------------------------------------------------------------------- One commenter stated its belief that basing the estimate for proposed Rule 1000(b)(3) on the percentage of the burden estimate under proposed Rule 1000(b)(1) is appropriate.\1700\ This commenter also noted that while the taking of corrective action might be wholly or partially outsourced with regard to systems development activities, the establishment of policies and procedures with respect to corrective action would not be conducive to outsourcing.\1701\ --------------------------------------------------------------------------- \1700\ See MSRB Letter at 31-32. \1701\ See id. at 32. --------------------------------------------------------------------------- As discussed in detail above in Section IV.B.3.b, the Commission continues to require each SCI entity to begin to take appropriate corrective action in Rule 1002(a), but the corrective action requirement is triggered when any responsible SCI personnel has a reasonable basis to conclude that an SCI event has occurred.\1702\ The Commission continues to believe that all SCI entities, regardless of whether they participate in the ARP Inspection Program, already take corrective action in response to systems issues and have some internal processes with respect to corrective action.\1703\ The Commission also continues to believe that Rule 1002(a) will likely result in SCI entities revising their policies, which will help to ensure that their information technology staff has the ability to access systems in order to take appropriate corrective actions.\1704\ The Commission therefore believes that Rule 1002(a) may impose a one-time implementation burden on SCI entities associated with developing such a process, and periodic burdens in reviewing that process. The Commission estimates that the initial burden to implement such a process would be 114 hours per SCI entity,\1705\ or 5,016 hours for all SCI entities.\1706\ The Commission also estimates that the ongoing burden to review such a process would be 39 hours annually per SCI entity,\1707\ or [[Page 72393]] 1,716 hours annually for all SCI entities.\1708\ --------------------------------------------------------------------------- \1702\ See Rule 1002(a). \1703\ See Proposing Release, supra note 13, at 18152. \1704\ See id. \1705\ This estimate is based on the Commission's burden estimate for Rule 1001(a), because Rule 1001(a) and Rule 1002(a) both would result in policies and procedures or processes. As noted above, one commenter stated that basing the burden estimate for proposed Rule 1000(b)(3) on the burden estimate under proposed Rule 1000(b)(1) is appropriate. See supra note 1700 and accompanying text. Because Rule 1001(a) (excluding Rule 1001(a)(2)(vi)) requires the establishment of six policies and procedures at a minimum and Rule 1002(a) would result in the establishment of one set of policies and procedures, the Commission estimates that the initial staff burden to draft the policies and procedures for Rule 1002(a) is one-sixth of the initial staff burden to draft the policies and procedures required by Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). 504 hours / 6 = 84 hours. The 84 burden hours include 32 hours by a Compliance Manager, 32 hours by an Attorney, 10 hours by a Senior Systems Analyst, and 10 hours by an Operations Specialist. This burden hour allocation is based on the allocation for Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). See supra note 1443. The Commission also estimates that a Chief Compliance Officer will spend 20 hours and a Director of Compliance will spend 10 hours reviewing the policies and procedures required by Rule 1002(a). 84 hours + Chief Compliance Officer at 20 hours + Director of Compliance at 10 hours = 114 hours. \1706\ 114 hours x 44 SCI entities = 5,016 hours. \1707\ This estimate is based on the Commission's burden estimate for Rule 1001(a), because Rule 1001(a) and 1002(a) both would result in policies and procedures or processes. See supra note 1700 and accompanying text (stating that basing the burden estimate for proposed Rule 1000(b)(3) on the burden estimate under proposed 1000(b)(1) is appropriate). Because Rule 1001(a) (excluding Rule 1001(a)(2)(vi)) requires the maintenance of six policies and procedures at a minimum and 1002(a) would result in the maintenance of one set of policies and procedures, the Commission estimates that the ongoing staff burden under 1002(a) is one-sixth of the ongoing staff burden under Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). 144 hours / 6 = 24 hours. The 24 burden hours include 9 hours by a Compliance Manager, 9 hours by an Attorney, 3 hours by a Senior Systems Analyst, and 3 hours by an Operations Specialist. This burden hour allocation is based on the allocation for Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). See supra note 1445. The Commission also estimates that a Chief Compliance Officer will spend 10 hours and a Director of Compliance will spend 5 hours reviewing the policies and procedures required by Rule 1002(a). 24 hours + Chief Compliance Officer at 10 hours + Director of Compliance at 5 hours = 39 hours. \1708\ 39 hours x 44 SCI entities = 1,716 hours. --------------------------------------------------------------------------- The Commission continues to believe that SCI entities will conduct internally most of the work related to their corrective action procedures. As noted by a commenter, the establishment of policies and procedures with respect to corrective action would not be conducive to outsourcing.\1709\ --------------------------------------------------------------------------- \1709\ See supra note 1701 and accompanying text. --------------------------------------------------------------------------- b. Identification of Critical SCI Systems, Major SCI Events, De Minimis SCI Events, and Material Systems Changes In the SCI Proposal, the Commission estimated that requirements under the proposal with respect to immediate notification SCI events and dissemination SCI events may impose burdens on SCI entities in developing and reviewing a process to ensure that they are able to quickly and correctly make a determination regarding the nature of an SCI event.\1710\ For SCI entities that do not participate in the ARP Inspection Program, the Commission estimated that the initial burden would be 42 hours per SCI entity \1711\ and the ongoing burden would be 12 hours annually per SCI entity.\1712\ For SCI entities that currently participate in the ARP Inspection Program, the Commission estimated that the initial burden would be 21 hours per SCI entity \1713\ and the ongoing burden would be 6 hours annually per SCI entity.\1714\ The Commission believed that SCI entities would internally establish the process for determining whether an SCI event is an immediate notification SCI event or dissemination SCI event.\1715\ --------------------------------------------------------------------------- \1710\ See Proposing Release, supra note 13, at 18152. \1711\ See id. at 18153. The 42 burden hours included 16 hours by a Compliance Manager, 16 hours by an Attorney, 5 hours by a Senior Systems Analyst, and 5 hours by an Operations Specialist. See id. This estimate was based on the Commission's burden estimate for proposed Rule 1000(b)(1). See id. at 18153, n. 448. \1712\ See id. at 18153. The 12 burden hours included 6 hours by a Compliance Manager and 6 hours by an Attorney. See id. This estimate was based on the Commission's burden estimate for proposed Rule 1000(b)(1). See id. at 18153, n. 452. \1713\ See id. at 18153. The 21 burden hours included 8 hours by a Compliance Manager, 8 hours by an Attorney, 2.5 hours by a Senior Systems Analyst, and 2.5 hours by an Operations Specialist. See id. \1714\ See id. The 6 burden hours included 3 hours by a Compliance Manager and 3 hours by an Attorney. See id. \1715\ See id. at 18153, n. 448, n. 450, n. 452, and n. 454. --------------------------------------------------------------------------- One commenter stated its belief that the Commission's burden estimate for policies and procedures to identify an SCI event as an immediate notification SCI event or dissemination SCI event was effectively limited to ministerial tasks of producing such policies and procedures in isolation from other organizational activities and needs, and took into account only minimal supervisory or decision-making activities, therefore significantly underestimated the total burden of compliance with this provision.\1716\ This commenter urged the Commission to adjust the estimate in a manner similar to this commenter's suggestion with regard to proposed Rules 1000(b)(1) and (2).\1717\ --------------------------------------------------------------------------- \1716\ See MSRB Letter at 32. \1717\ See id. --------------------------------------------------------------------------- As discussed above in Section IV.B.4, Rule 1003(a)(1) requires each SCI entity to establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material. As noted in the SCI Proposal, because the ARP Inspection Program already provides for the reporting ``significant systems changes'' to Commission staff, the Commission believes that, as compared to entities that do not participate in the ARP Inspection Program, entities that currently participate in the ARP Inspection Program would already have some internal processes for determining the significance of a systems issue or systems change. Therefore, the Commission continues to estimate a 50% baseline for the staff burden estimates for SCI entities that currently participate in the ARP Inspection Program.\1718\ However, the Commission does not believe that a 50% baseline would be appropriate for these SCI entities in terms of senior management review. The Commission believes that, although these entities already have some internal processes for determining the significance of a systems change, their senior management would require the same number of hours as other SCI entities to review and ensure that the process is reasonable, as required by Rule 1003(a)(1). The Commission continues to believe that SCI entities will internally establish and maintain the policies and procedures required by Rule 1003(a)(1). --------------------------------------------------------------------------- \1718\ The 50% baseline for ARP participants is consistent with the baseline for the Rule 1001(a) burden estimates. --------------------------------------------------------------------------- The Commission estimates that each SCI entity that does not participate in the ARP Inspection Program would require 114 hours initially to establish the criteria for identifying material systems changes,\1719\ or 1,596 hours for all such SCI entities.\1720\ The Commission also estimates that each SCI entity that does not participate in the ARP Inspection Program would require 39 hours annually to review and update the criteria for identifying material systems changes,\1721\ or 546 hours for all such SCI entities.\1722\ The Commission estimates that each SCI entity that currently participates in the [[Page 72394]] ARP Inspection Program would require 72 hours initially to establish the criteria for identifying material systems changes,\1723\ or 2,160 hours for all such SCI entities.\1724\ The Commission also estimates that each SCI entity that currently participates in the ARP Inspection Program would require 27 hours annually to review and update the criteria,\1725\ or 810 hours for all such SCI entities.\1726\ --------------------------------------------------------------------------- \1719\ This estimate is based on the Commission's burden estimate for Rule 1001(a), because Rule 1001(a) and Rule 1003(a)(1) both require policies and procedures or processes. See supra note 1700 and accompanying text (stating, in the context of proposed Rule 1000(b)(3), that basing the burden estimate for a set of policies and procedures or processes on the burden estimate under proposed 1000(b)(1) is appropriate). Because Rule 1001(a) (excluding Rule 1001(a)(2)(vi)) requires the establishment of six policies and procedures at a minimum and Rule 1003(a)(1) requires the establishment of one set of criteria, the Commission estimates that the initial staff burden to draft the criteria required by Rule 1003(a)(1) is one-sixth of the initial staff burden to draft the policies and procedures required by Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). 504 hours / 6 = 84 hours. The 84 burden hours include 32 hours by a Compliance Manager, 32 hours by an Attorney, 10 hours by a Senior Systems Analyst, and 10 hours by an Operations Specialist. This burden hour allocation is based on the allocation for Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). See supra note 1443. The Commission also estimates that a Chief Compliance Officer will spend 20 hours and a Director of Compliance will spend 10 hours reviewing the policies and procedures required by Rule 1003(a)(1). 84 hours + Chief Compliance Officer at 20 hours + Director of Compliance at 10 hours = 114 hours. \1720\ 114 hours x 14 SCI entities that do not participate in the ARP Inspection Program = 1,596 hours. \1721\ This estimate is based on the Commission's burden estimate for Rule 1001(a), because Rule 1001(a) and Rule 1003(a)(1) both require policies and procedures or processes. See supra note 1700 and accompanying text (stating, in the context of proposed Rule 1000(b)(3), that basing the burden estimate for a set of policies and procedures or processes on the burden estimate under proposed 1000(b)(1) is appropriate). Because Rule 1001(a) (excluding Rule 1001(a)(2)(vi)) requires the maintenance of six policies and procedures at a minimum and Rule 1003(a)(1) requires the maintenance of one set of criteria, the Commission estimates that the ongoing staff burden under 1003(a)(1) is one-sixth of the ongoing staff burden under Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). 144 hours / 6 = 24 hours. The 24 burden hours include 9 hours by a Compliance Manager, 9 hours by an Attorney, 3 hours by a Senior Systems Analyst, and 3 hours by an Operations Specialist. This burden hour allocation is based on the allocation for Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). See supra note 1445. The Commission also estimates that a Chief Compliance Officer will spend 10 hours and a Director of Compliance will spend 5 hours reviewing the policies and procedures required by Rule 1003(a)(1). 24 hours + Chief Compliance Officer at 10 hours + Director of Compliance at 5 hours = 39 hours. \1722\ 39 hours x 14 SCI entities that do not participate in the ARP Inspection Program = 546 hours. \1723\ 84 hours / 2 = 42 hours. The 42 burden hours include 16 hours by a Compliance Manager, 16 hours by an Attorney, 5 hours by a Senior Systems Analyst, and 5 hours by an Operations Specialist. The Commission also estimates that a Chief Compliance Officer will spend 20 hours and a Director of Compliance will spend 10 hours reviewing the policies and procedures required by Rule 1003(a)(1). 42 hours + Chief Compliance Officer at 20 hours + Director of Compliance at 10 hours = 72 hours. \1724\ 72 hours x 30 SCI entities that participate in the ARP Inspection Program = 2,160 hours. \1725\ 24 hours / 2 = 12 hours. The 12 burden hours include 4.5 hours by a Compliance Manager, 4.5 hours by an Attorney, 1.5 hours by a Senior Systems Analyst, and 1.5 hours by an Operations Specialist. The Commission also estimates that a Chief Compliance Officer will spend 10 hours and a Director of Compliance will spend 5 hours reviewing the policies and procedures required by Rule 1003(a)(1). 12 hours + Chief Compliance Officer at 10 hours + Director of Compliance at 5 hours = 27 hours. \1726\ 27 hours x 30 SCI entities that participate in the ARP Inspection Program = 810 hours. --------------------------------------------------------------------------- As adopted, Regulation SCI requires SCI entities to identify certain types of events, systems, and changes. Specifically, Rule 1000 defines ``critical SCI systems'' as any SCI systems of, or operated by or on behalf of, an SCI entity that: (1) Directly support functionality relating to (i) clearance and settlement systems of clearing agencies; (ii) openings, reopenings, and closings on the primary listing market; (iii) trading halts; (iv) initial public offerings; (v) the provision of consolidated market data; or (vi) exclusively-listed securities; or (2) provide functionality to the securities markets for which the availability of alternatives is significantly limited or nonexistent and without which there would be a material impact on fair and orderly markets. Rule 1000 defines ``major SCI event'' as an SCI event that has had, or the SCI entity reasonably estimates would have any impact on a critical SCI system or a significant impact on the SCI entity's operations or on market participants. Because Rule 1001(a)(2)(v) requires business continuity and disaster recovery plans that are reasonably designed to achieve two-hour resumption of critical SCI systems following a wide-scale disruption, each SCI entity needs to identify its critical SCI systems. In addition, each SCI entity needs to identify its critical SCI systems because the definition of major SCI event includes an SCI event that has had, or the SCI entity reasonably estimates would have, any impact on a critical SCI system. Further, when an SCI event occurs, an SCI entity needs to determine whether the event is a major SCI event, because Rule 1002(c)(3) requires an SCI entity to disseminate information regarding major SCI events to all of its member or participants. In addition, Rules 1002(b) and (c) provide certain exceptions from the Commission notification and information dissemination requirements for any SCI event that has had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity's operations or on market participants. Therefore, when SCI events occur, an SCI entity needs to determine whether they are de minimis SCI events. The Commission believes that the identification of critical SCI systems, major SCI events, and de minimis SCI events will impose an initial one-time implementation burden on SCI entities in developing processes to quickly and correctly identify the nature of a system or event.\1727\ The identification of these systems and events may also impose periodic burdens on SCI entities in reviewing and updating the processes. As noted in the SCI Proposal, because the ARP Inspection Program already provides for the reporting ``significant systems changes'' and ``significant systems outages'' to Commission staff, the Commission believes that, as compared to entities that do not participate in the ARP Inspection Program, entities that currently participate in the ARP Inspection Program would already have some internal processes for determining the significance of a systems issue or systems change. Therefore, the Commission estimates a 50% baseline for the staff burden for SCI entities that currently participate in the ARP Inspection Program.\1728\ However, the Commission does not believe that a 50% baseline would be appropriate for these SCI entities in terms of senior management review. The Commission believes that SCI entities will internally establish and maintain the policies and procedures regarding the identification of critical SCI systems, major SCI events, and de minimis SCI events. --------------------------------------------------------------------------- \1727\ The Commission's approach with respect to SCI events and SCI systems is responsive to some commenters' suggestion for a risk- based regime. See, e.g., supra notes 784-789 and accompanying text (discussing commenters' suggestions for revising the Commission reporting requirement). \1728\ The 50% baseline for ARP participants is consistent with the baseline for the Rule 1001(a) burden estimates. --------------------------------------------------------------------------- The Commission estimates that each SCI entity that does not participate in the ARP Inspection Program would require 198 hours initially to establish the criteria for identifying certain systems and events,\1729\ or 2,772 hours for all such SCI entities.\1730\ The Commission also estimates that each SCI entity that does not participate in the ARP Inspection Program would require 63 hours annually to review and update such criteria,\1731\ or 882 hours [[Page 72395]] for all such SCI entities.\1732\ The Commission estimates that each SCI entity that currently participates in the ARP Inspection Program would require 114 hours initially to establish the criteria for identifying certain systems and events,\1733\ or 3,420 hours for all such SCI entities.\1734\ The Commission also estimates that each SCI entity that currently participates in the ARP Inspection Program would require 39 hours annually to review and update such criteria,\1735\ or 1,170 hours for all such SCI entities.\1736\ The Commission believes that the revised burden estimates for establishing policies and procedures to identify certain systems and events are responsive to a commenter's concern that the estimate in the SCI Proposal only included ministerial tasks and minimal supervisory activities.\1737\ Specifically, the Commission increased from the proposal the estimated burden hours for the personnel involved in establishing such policies and procedures, and included senior level review by adding burden estimates for the Chief Compliance Officer and Director of Compliance. Moreover, because these revised burden estimates are based on the revised burden estimates for Rule 1001(a), these estimates are responsive to a commenter's suggestion that they be revised in a manner similar to its suggestions with respect to proposed Rules 1000(b)(1) and (2).\1738\ --------------------------------------------------------------------------- \1729\ This estimate is based on the Commission's burden estimate for Rule 1001(a), because Rule 1001(a) and the identification of certain systems and events both would result in policies and procedures or processes. See supra note 1700 and accompanying text (stating, in the context of proposed Rule 1000(b)(3), that basing the burden estimate for a set of policies and procedures or processes on the burden estimate under proposed 1000(b)(1) is appropriate). Because Rule 1001(a) (excluding Rule 1001(a)(2)(vi)) requires the establishment of six policies and procedures at a minimum and the identification of certain systems and events could result in the establishment of two policies and procedures (i.e., one for systems and one for events), the Commission estimates that the initial staff burden to draft the policies and procedures to identify certain systems and events is one-third of the initial staff burden to draft the policies and procedures required by Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). 504 hours / 3 = 168 hours. The 168 burden hours include 64 hours by a Compliance Manager, 64 hours by an Attorney, 20 hours by a Senior Systems Analyst, and 20 hours by an Operations Specialist. This burden hour allocation is based on the allocation for Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). See supra note 1443. The Commission also estimates that a Chief Compliance Officer will spend 20 hours and a Director of Compliance will spend 10 hours reviewing the policies and procedures to identify certain systems and events. 168 hours + Chief Compliance Officer at 20 hours + Director of Compliance at 10 hours = 198 hours. \1730\ 198 hours x 14 SCI entities that do not participate in the ARP Inspection Program = 2,772 hours. \1731\ This estimate is based on the Commission's burden estimate for Rule 1001(a), because Rule 1001(a) and the identification of certain systems and events both would result in policies and procedures or processes. See supra note 1700 and accompanying text (stating, in the context of proposed Rule 1000(b)(3), that basing the burden estimate for a set of policies and procedures or processes on the burden estimate under proposed 1000(b)(1) is appropriate). Because Rule 1001(a) (excluding Rule 1001(a)(2)(vi)) requires the maintenance of six policies and procedures at a minimum and the identification of certain systems and events could result in the maintenance of two policies and procedures, the Commission estimates that the ongoing staff burden to draft the policies and procedures to identify certain systems and events is one-third of the ongoing staff burden under Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). 144 hours / 3 = 48 hours. The 48 burden hours include 18 hours by a Compliance Manager, 18 hours by an Attorney, 6 hours by a Senior Systems Analyst, and 6 hours by an Operations Specialist. This burden hour allocation is based on the allocation for Rule 1001(a) (excluding Rule 1001(a)(2)(vi)). See supra note 1445. The Commission also estimates that a Chief Compliance Officer will spend 10 hours and a Director of Compliance will spend 5 hours reviewing the policies and procedures for identifying certain systems and events. 48 hours + Chief Compliance Officer at 10 hours + Director of Compliance at 5 hours = 63 hours. \1732\ 63 hours x 14 SCI entities that do not participate in the ARP Inspection Program = 882 hours. \1733\ 168 hours / 2 = 84 hours. The 84 burden hours include 32 hours by a Compliance Manager, 32 hours by an Attorney, 10 hours by a Senior Systems Analyst, and 10 hours by an Operations Specialist. The Commission also estimates that a Chief Compliance Officer will spend 20 hours and a Director of Compliance will spend 10 hours reviewing the policies and procedures for identifying certain systems and events. 84 hours + Chief Compliance Officer at 20 hours + Director of Compliance at 10 hours = 114 hours. \1734\ 114 hours x 30 SCI entities that participate in the ARP Inspection Program = 3,420 hours. \1735\ 48 hours / 2 = 24 hours. The 24 burden hours include 9 hours by a Compliance Manager, 9 hours by an Attorney, 3 hours by a Senior Systems Analyst, and 3 hours by an Operations Specialist. The Commission also estimates that a Chief Compliance Officer will spend 10 hours and a Director of Compliance will spend 5 hours reviewing the policies and procedures for identifying certain systems and events. 24 hours + Chief Compliance Officer at 10 hours + Director of Compliance at 5 hours = 39 hours. \1736\ 39 hours x 30 SCI entities that participate in the ARP Inspection Program = 1,170 hours. \1737\ See supra note 1716 and accompanying text. \1738\ See supra note 1717 and accompanying text. --------------------------------------------------------------------------- 4. Recordkeeping Requirements In the SCI Proposal, the Commission noted that it is not proposing a new recordkeeping requirement for SCI SROs because the documents relating to compliance with proposed Regulation SCI are subject to their existing recordkeeping and retention requirements under Rule 17a- 1 under the Act.\1739\ The Commission therefore noted its belief that the proposed recordkeeping requirements would not result in any burden that is not already accounted for in the Commission's burden estimates for Rule 17a-1.\1740\ With respect to SCI entities other than SCI SROs, the Commission estimated that the initial and ongoing burdens to make, keep, and preserve records relating to compliance with proposed Regulation SCI would be approximately 25 hours annually per SCI entity.\1741\ The Commission also estimated that each SCI entity other than an SCI SRO would incur a one-time burden to set up or modify an existing recordkeeping system to comply with the proposed recordkeeping requirements.\1742\ Specifically, the Commission estimated that for each SCI entity other than an SCI SRO, setting up or modifying a recordkeeping system would create an initial burden of 170 hours and $900 in information technology costs for purchasing recordkeeping software.\1743\ Further, the Commission noted its belief that proposed Rule 1000(c)(3), which would require an SCI entity, upon or immediately prior to ceasing to do business or ceasing to be registered under the Exchange Act, to take all necessary action to ensure that the records required to be made, kept, and preserved by Rules 1000(c)(1) and (2) remain accessible to the Commission and its representatives in the manner and for the remainder of the period required by Rule 1000(c), would not result in any additional paperwork burden that is not already accounted for in the Commission's burden estimates for proposed Rules 1000(c)(1) and (2).\1744\ --------------------------------------------------------------------------- \1739\ See Proposing Release, supra note 13, at 18153. \1740\ See id. \1741\ See id. at 18154. The 25 burden hours would be spent by a Compliance Clerk. See id. This estimate was based on Commission staff's experience with examinations of registered entities, the Commission's estimated burden for an SRO to comply with Rule 17a-1, and the Commission's estimated burden for a SB SEF to keep and preserve documents made or received in the conduct of its business. See id. at 18154, n. 458. \1742\ See id. at 18154. \1743\ See id. These estimates were based on the Commission's experience with examinations of registered entities and the Commission's estimated burden for an SB SEF to keep and preserve documents made or received in the conduct of its business. See id. at 18154, n. 460. \1744\ See id. at 18154. --------------------------------------------------------------------------- One commenter noted that while proposed Rule 1000(c) does not create new recordkeeping requirements for SCI SROs, the number of records to be retained by an SRO would increase due to proposed Regulation SCI.\1745\ This commenter stated that such additional recordkeeping is not costless and should be considered by the Commission.\1746\ --------------------------------------------------------------------------- \1745\ See MSRB Letter at 39. \1746\ See id. --------------------------------------------------------------------------- As discussed in detail above in Section IV.C.1.a, the Commission is adopting the recordkeeping requirements substantially as proposed. The Commission notes that the burden associated with creating such records, as required of all SCI entities, including SCI SROs, by Regulation SCI, are discussed and accounted for throughout this Section V. With respect to SCI SROs, the breadth of Rule 17a-1 under the Exchange Act \1747\ is such that it requires SCI SROs to make, keep, and preserve records relating to their compliance with Regulation SCI.\1748\ SCI entities that participate in the ARP Inspection Program (nearly all of whom are SCI SROs) do generally keep and preserve the types of records that are subject to the requirements of Rule 1005. However, because Regulation SCI imposes new requirements on SROs, as noted by a commenter, the number of records to be retained by an SRO may increase.\1749\ The Commission believes that existing recordkeeping systems and processes of SCI SROs will be used to retain the records required to be created pursuant to Regulation SCI. As a result, the Commission believes that the burden associated with retaining these additional records is an incrementally small increase in the burden currently incurred by SROs to retain records as required by Rule 17a-1 and that the burden associated with retaining records related to Regulation SCI is already accounted for in the [[Page 72396]] Commission's burden estimates for Rule 17a-1.\1750\ --------------------------------------------------------------------------- \1747\ ``Every national securities exchange, national securities association, registered clearing agency and the Municipal Securities Rulemaking Board shall keep and preserve at least one copy of all documents, including all correspondence, memoranda, papers, books, notices, accounts, and other such records as shall be made or received by it in the course of its business as such and in the conduct of its self-regulatory activity.'' Exchange Act Rule 17a- 1(a), 17 CFR 240.17a-1(a). \1748\ See also Rule 1005(a). \1749\ See supra notes 1745-1746 and accompanying text. \1750\ See Supporting Statement for the Paperwork Reduction Act Information Collection Submissions for Rule 17a-1, available at: https://www.reginfo.gov. --------------------------------------------------------------------------- The Commission continues to believe that for SCI entities other than SCI SROs, the initial and ongoing burden to make, keep, and preserve records relating to compliance with Regulation SCI, as required by Rule 1005(b), would be approximately 25 hours annually per SCI entity that is not an SCI SRO.\1751\ Therefore, the Commission estimates a total annual burden of 425 hours for all such SCI entities.\1752\ The Commission also continues to estimate that each SCI entity other than an SCI SRO would incur a one-time burden to set up or modify an existing recordkeeping system to comply with Rule 1005. Specifically, the Commission estimates that, for each SCI entity other than an SCI SRO, setting up or modifying a recordkeeping system would create an initial burden of 170 hours and $900 in information technology costs for purchasing software.\1753\ Therefore, the Commission estimates a total initial burden of 3,315 hours \1754\ and a total initial cost of $15,300 for all such SCI entities.\1755\ --------------------------------------------------------------------------- \1751\ See Proposing Release, supra note 13, at 18154, n. 458. \1752\ 25 hours x 17 non-SRO SCI entities = 425 hours. \1753\ See Proposing Release, supra note 13, at 18154, n. 460. The Commission believes that this burden estimate includes the burden imposed by Rule 1007. Specifically, Rule 1007 provides that, if the records required to be filed or kept by an SCI entity under Regulation SCI are prepared or maintained by a service bureau or other recordkeeping service on behalf of the SCI entity, the SCI entity would be required to ensure that the records are available for review by the Commission and its representatives by submitting a written undertaking, in a form acceptable to the Commission, by such service bureau or other recordkeeping service, which is signed by a duly authorized person at such service bureau or other recordkeeping service. \1754\ (170 hours + 25 hours) x 17 non-SRO SCI entities = 3,315 hours. \1755\ $900 x 17 non-SRO SCI entities = $15,300. --------------------------------------------------------------------------- Finally, the Commission continues to believe that Rule 1005(c), which requires an SCI entity, upon or immediate prior to ceasing to do business or ceasing to be registered under the Exchange Act, to take all necessary action to ensure that the records required to be made, kept, and preserved by Rule 1005 remain accessible to the Commission and its representatives in the manner and for the remainder of the period required by Rule 1005, would not result in any additional paperwork burden that is not already accounted for in the Commission's burden estimates for Rule 1005(b).\1756\ --------------------------------------------------------------------------- \1756\ The Commission believes that SCI entities will comply with Rule 1005(c) by, for example, a contractual arrangement with a recordkeeping service. --------------------------------------------------------------------------- 5. Total Paperwork Burden Under Regulation SCI Based on the foregoing, the Commission estimates that the total one-time initial burden for all SCI entities to comply with Regulation SCI would be 330,508 hours \1757\ and the total one-time initial cost would be approximately $9.3 million.\1758\ The Commission estimates that the total annual ongoing burden for all SCI entities to comply with Regulation SCI would be 287,722 hours \1759\ and the total annual ongoing cost would be approximately $5.9 million.\1760\ --------------------------------------------------------------------------- \1757\ 330,508 hours = 54,992 hours (policies and procedures, mandate participation in certain testing) + 257,237 (notification, dissemination, reporting) + 14,964 hours (corrective action, identification of certain systems and events, identification of material systems changes) + 3,315 hours (recordkeeping). \1758\ $9,325,500 = $3,544,000 (policies and procedures, mandate participation in certain testing) + $5,766,200 (notification, dissemination, reporting) + $15,300 (recordkeeping). \1759\ 287,722 hours = 24,942 hours (policies and procedures, mandate participation in certain testing) + 257,231 (notification, dissemination, reporting) + 5,124 hours (corrective action, identification of certain systems and events, identification of material systems changes) + 425 hours (recordkeeping). \1760\ $5,874,200 = $108,000 (mandate participation in certain testing) + $5,766,200 (notification, dissemination, reporting). One commenter noted that majority of the estimated paperwork burden in the SCI Proposal relate to notifications of SCI events, rather than the writing and maintenance of the policies and procedures. See NYSE Letter at 18. This commenter noted that creating and maintaining reasonable policies and procedure to seek to ensure that important market systems have adequate levels of capacity, integrity, resiliency, availability, and security should be the main focus of the regulation, not the reporting provisions. See NYSE Letter at 18. The Commission notes that the burden estimates in this section relate solely to the paperwork burden of compliance with Regulation SCI. The Commission discusses other costs associated with compliance with Regulation SCI in the Economic Analysis section below. --------------------------------------------------------------------------- E. Collection of Information Is Mandatory All collections of information pursuant to Regulation SCI is a mandatory collection of information. F. Confidentiality The Commission expects that the written policies and procedures, processes, criteria, standards, or other written documents developed or revised by SCI entities pursuant to Regulation SCI will be retained by SCI entities in accordance with, and for the periods specified in Exchange Act Rule 17a-1 and Rule 1005, as applicable. Should such documents be made available for examination or inspection by the Commission and its representatives, they would be kept confidential subject to the provisions of applicable law.\1761\ In addition, the information submitted to the Commission pursuant to Regulation SCI that is filed on Form SCI, as required by Rule 1006, will be treated as confidential, subject to applicable law, including amended Rule 24b- 2.\1762\ The information disseminated by SCI entities pursuant to Rule 1002(c) under Regulation SCI to their members or participants will not be confidential. --------------------------------------------------------------------------- \1761\ See, e.g., 15 U.S.C. 78x (governing the public availability of information obtained by the Commission); 5 U.S.C. 552 et seq. \1762\ See, e.g., 15 U.S.C. 78x (governing the public availability of information obtained by the Commission); 5 U.S.C. 552 et seq. See also supra Section IV.C.2 (discussing confidentiality treatment for Form SCI filings). --------------------------------------------------------------------------- G. Reduced Burden From Amendment of Rule 301(b)(6) (OMB Control Number 3235-0509) Adopted Regulation SCI amends Rule 301(b)(6) of Regulation ATS.\1763\ Amendment of Rule 301(b)(6) would eliminate certain collection of information requirements within the meaning of the PRA, which the Commission had submitted to OMB in accordance with 44 U.S.C. 3507 and 5 CFR 1320.11 and OMB had approved. The approved collection of information is titled ``Rule 301: Requirements for Alternative Trading Systems and Form ATS; ATS-R,'' and the OMB control number for this collection of information is 3235-0509.\1764\ --------------------------------------------------------------------------- \1763\ See 17 CFR 242.301(b)(6). See also Securities Exchange Act Release No. 40760 (December 8, 1998), 63 FR 70844 (December 22, 1998) (``ATS Release''). In the SCI Proposal, the Commission proposed that Regulation SCI would replace and supersede Rule 301(b)(6) in its entirety. As discussed above, the Commission is now amending Rule 301(b)(6) to remove paragraphs (i)(A) and (i)(B) so that Rule 301(b)(6) will no longer apply to ATSs that trade NMS stocks and non-NMS stocks. However, as described above, the Commission has determined to exclude ATSs that trade only municipal securities or corporate debt securities from the scope of Regulation SCI, and such ATSs will remain subject to the requirements of Rule 301(b)(6) if they meet the volume thresholds therein. The Commission estimates that no ATS that trade only municipal securities or corporate debt securities currently meet the thresholds of Rule 301(b)(6). \1764\ See Rule 301: Requirements for Alternative Trading Systems and Form ATS; ATS-R, OMB Control No: 3235-0509 (Rule 301 supporting statement), available at: https://www.reginfo.gov. This approval has an expiration date of April 30, 2017. --------------------------------------------------------------------------- Some of the information collection burdens imposed by Regulation ATS would be reduced by the amendment of Rule 301(b)(6). Specifically, the paperwork burdens that would be eliminated by the amendment of Rule [[Page 72397]] 301(b)(6) would be: (i) Burdens on ATSs that trade NMS stocks and non- NMS stocks associated with the requirement to make records relating to any steps taken to comply with systems capacity, integrity and security requirements under Rule 301(b)(6) (estimated to be 20 hours); \1765\ and (ii) burdens on ATSs that trade NMS stocks and non-NMS stocks associated with the requirement to provide notices to the Commission to report systems outages (estimated to be 2.5 hours).\1766\ The Commission received no comments regarding the reduced paperwork burdens from the proposal to repeal Rule 301(b)(6) of Regulation ATS. --------------------------------------------------------------------------- \1765\ The Commission estimated that two alternative trading systems that register as broker-dealers and comply with Regulation ATS would trigger this requirement, and that the average compliance burden for each response would be 10 hours of in-house professional work at $379 per hour. Thus, the total compliance burden per year was estimated to be 20 hours (2 respondents x 10 hours = 20 hours). See Rule 301: Requirements for Alternative Trading Systems OMB Control No: 3235-0509 (Rule 301 supporting statement), available at: https://www.reginfo.gov. As discussed above, the Commission is amending Rule 301(b)(6) so that it will no longer apply to ATSs that trade NMS stocks and non-NMS stocks. ATSs that trade only municipal securities or corporate debt securities will remain subject to the requirements of Rule 301(b)(6), but the Commission estimates that no such ATS currently meets the thresholds of Rule 301(b)(6). \1766\ The Commission estimated that two alternative trading systems that register as broker-dealers and comply with Regulation ATS would meet the volume thresholds that trigger systems outage notice obligations approximately 5 times a year, and that the average compliance burden for each response would be .25 hours of in-house professional work at $379 per hour. Thus, the total compliance burden per year was estimated to be 2.5 hours (2 respondents x 5 responses each x .25 hours = 2.5 hours). See id. As discussed above, the Commission is amending Rule 301(b)(6) so that it will no longer apply to ATSs that trade NMS stocks and non-NMS stocks. ATSs that trade only municipal securities or corporate debt securities will remain subject to the requirements of Rule 301(b)(6), but the Commission estimates that no such ATS currently meets the thresholds of Rule 301(b)(6). --------------------------------------------------------------------------- VI. Economic Analysis A. Overview The Commission is sensitive to the economic effects, including the costs and benefits, of its rules. When engaging in rulemaking pursuant to the Exchange Act that requires the Commission to consider or determine whether an action is necessary or appropriate in the public interest, Section 3(f) of the Exchange Act requires the Commission to consider, in addition to the protection of investors, whether the action will promote efficiency, competition, and capital formation.\1767\ In addition, Section 23(a)(2) of the Exchange Act requires the Commission in making rules pursuant to the Exchange Act to consider the impact any such rule would have on competition. The Exchange Act prohibits the Commission from adopting any rule that would impose a burden on competition not necessary or appropriate in furtherance of the purposes of the Exchange Act.\1768\ --------------------------------------------------------------------------- \1767\ 15 U.S.C. 78c(f). \1768\ 15 U.S.C. 78w(a)(2). --------------------------------------------------------------------------- In the SCI Proposal, the Commission solicited comment on the economic effects of the proposed rules, including any effects that the proposed rules may have on efficiency, competition, and capital formation. The Commission also solicited comment on its representation of current practices and its characterization of the relevant markets in which SCI entities participate. In addition, the Commission solicited comment on reasonable alternatives to the proposed rules and their economic effects. The Commission encouraged commenters to identify, discuss, analyze, and supply relevant data, information, or statistics regarding any economic effects. The Commission received many comment letters that addressed the Commission's economic analysis of the proposed rules.\1769\ As described further below, some commenters stated that the Commission underestimated the costs (including, for example, the proposed rules' potential to impact innovation and create barriers to entry) of compliance with Regulation SCI.\1770\ Other commenters believed that the costs are justified by the benefits of the rules.\1771\ --------------------------------------------------------------------------- \1769\ See, e.g., Tellefsen Letter; Angel Letter; MSRB Letter; OCC Letter; BIDS Letter; ISE Letter; Leuchtkafer Letter; Better Markets Letter; CAST Letter; FINRA Letter; CISQ Letter; Fidelity Letter; CME Letter; Omgeo Letter; Lauer Letter; SIFMA Letter; SunGard Letter; NYSE Letter; BATS Letter; FIA PTG Letter; ITG Letter; KCG Letter; UBS Letter; Joint SROs Letter; and TMC Letter. \1770\ See, e.g., BIDS Letter at 2-3; NYSE Letter at 2; UBS Letter at 5; and Omgeo Letter at 2. \1771\ See, e.g., Lauer Letter at 7 (commenting that cost burden should not be an appropriate reason to omit an SCI entity and that, if the burden to ensure secure, stable systems is too high for an entity, that entity should not be allowed to be in a position to impact the market); and Better Markets Letter at 9-12 (commenting that the Commission's preeminent duty when promulgating rules is to protect investors and the public interest, and these goals should not be subordinate to industry concerns over the cost of regulation). --------------------------------------------------------------------------- As discussed above in Section I, a confluence of factors has contributed to the Commission's determination that it is necessary and appropriate at this time to address the technological vulnerabilities, and improve Commission oversight, of the core technology of key U.S. securities markets entities, including national securities exchanges and associations, significant ATSs, clearing agencies, and plan processors. These considerations include: The evolution of the markets to become significantly more dependent on sophisticated, complex, and interconnected technology; the current successes and limitations of the ARP Inspection Program; the significant number of, and lessons learned from, recent systems issues at exchanges and other trading venues,\1772\ including increased concerns over ``single points of failure'' in the securities markets; and the views of a wide variety of commenters received in response to the SCI Proposal. --------------------------------------------------------------------------- \1772\ See supra note 15 and accompanying text. --------------------------------------------------------------------------- Regulation SCI codifies, updates, and expands the existing ARP Inspection Program in an effort to further the goals of the national market system. Regulation SCI is intended to help to ensure the capacity, integrity, resiliency, availability, and security of the automated systems of entities important to the functioning of the U.S. securities markets. Regulation SCI is also intended to strengthen the U.S. securities market infrastructure and improve the resilience of the U.S. securities markets when technological issues arise. Moreover, Regulation SCI is intended to reinforce the requirement that SCI entities operate their systems in compliance with the Exchange Act and the rules and regulations thereunder. As adopted, Regulation SCI will apply to SCI SROs (including national securities exchanges,\1773\ national securities associations,\1774\ registered clearing agencies, and the MSRB), SCI ATSs, plan processors, and certain exempt clearing agencies.\1775\ As such, Regulation SCI covers the trading of NMS stocks, OTC equities, and listed options. As discussed below, Regulation SCI also will impact multiple markets for services, including the markets for trading services, listing services, regulation and surveillance services, clearance and settlement services, and market data. --------------------------------------------------------------------------- \1773\ Regulation SCI will not apply to an exchange that lists or trades security futures products that is notice-registered with the Commission as a national securities exchange pursuant to Section 6(g) of the Exchange Act, including security futures exchanges. See supra note 78 and accompanying text. \1774\ Regulation SCI will not apply to limited purpose national securities associations registered with the Commission pursuant to Section 15A(k) of the Exchange Act. See supra note 78 and accompanying text. \1775\ See supra Section IV.A.1 (discussing the definition of SCI entities). --------------------------------------------------------------------------- B. Economic Baseline The Commission recognizes that any economic effects, including costs and benefits and effects on efficiency, competition, and capital formation, [[Page 72398]] should be compared to a baseline that accounts for current practices. The description of current practices below is based, among other things, on the Commission's understanding of the current practices under the ARP Inspection Program (including current practices influenced by staff guidance related to the ARP Inspection Program), the requirements under Regulation ATS, rules of SROs, information provided by commenters, and current practices and staff guidance related to systems compliance-related issues. As noted above, all active registered clearing agencies, all registered national securities exchanges, FINRA, two plan processors, one ATS, and one exempt clearing agency currently participate in the ARP Inspection Program. Under the ARP Policy Statements and through the ARP Inspection Program, these entities, among other things, are expected to establish current and future capacity estimates; conduct capacity stress tests; and conduct annual reviews that cover significant elements of the operations of the automation process, including the capacity planning and testing process, contingency planning, systems development methodology, and vulnerability assessments. When conducting an ARP inspection, Commission staff also evaluates whether an ARP entity's controls over its information technology resources in nine general areas, or information technology ``domains,'' is consistent with ARP and industry guidelines.\1776\ The ARP Policy Statements and staff letters also address, among other things, the reporting of certain systems changes, intrusions, and outages, and the need to comply with relevant laws and rules.\1777\ Many participants in the ARP Inspection Program have developed current practices that to some extent overlap with the requirements of Regulation SCI. These practices are discussed in more detail throughout this economic analysis. --------------------------------------------------------------------------- \1776\ See supra Section II.A (discussing the ARP Policy Statements and Commission staff letters). \1777\ See id. --------------------------------------------------------------------------- The ARP Policy Statements and the ARP Inspection Program address systems that directly support trading, clearance and settlement, order routing, and market data, which are a subset of the systems covered by Regulation SCI.\1778\ Additionally, Commission staff currently inspects all the categories of systems that are included in the adopted definition of ``SCI systems'' to varying degrees.\1779\ In general, the Commission believes that, to varying degrees, entities participating in the ARP Inspection Program establish current and future capacity estimates, conduct periodic capacity stress tests, and conduct an annual independent assessment of whether their automated systems can perform adequately at their estimated capacity levels and whether these systems have adequate protection against threats.\1780\ Additionally, entities participating in the ARP Inspection Program provide to the Commission and its staff reports relating to system changes and reviews, as well as information regarding systems outages. --------------------------------------------------------------------------- \1778\ See infra note 1900 and accompanying text. \1779\ Commission staff inspects systems that are not directly related to trading, clearance and settlement, order routing, or market data if staff detects red flags. See Proposing Release, supra note 13, at 18158. \1780\ See ARP I Release and ARP II Release, supra note 1. --------------------------------------------------------------------------- In addition, as discussed above, pursuant to Rule 301(b)(6) of Regulation ATS, certain aspects of the ARP Policy Statements apply to ATSs that meet the thresholds set forth in that rule.\1781\ Currently, the Commission believes that only one ATS meets such thresholds and, thus, is required by Commission rule to implement systems safeguard measures. There is also one ATS that voluntarily participates in the ARP Inspection Program. Rule 301(b)(6) of Regulation ATS includes requirements that are similar to the requirements underlying the policies and procedures required by Rule 1001(a)(2) of Regulation SCI. Specifically, Rule 301(b)(6) under Regulation ATS requires relevant ATSs to establish certain capacity estimates, conduct periodic capacity stress tests of critical systems, develop and implement reasonable procedures to review and keep current systems development and testing methodology, review the vulnerability of their systems and data center computer operations to specified threats, establish adequate contingency and disaster recovery plans, conduct an independent review of its systems controls annually for ensuring that Rules 301(b)(6)(ii)(A)-(E) are met and conduct a review by senior management of a report of the independent review, and promptly notify the Commission of certain systems outages and systems changes. Rule 301(b)(6) of Regulation ATS, however, applies only to systems that support order entry, order routing, order execution, transaction reporting, and trade comparison,\1782\ which is more targeted than the adopted definition of ``SCI system.'' --------------------------------------------------------------------------- \1781\ Specifically, Rule 301(b)(6) of Regulation ATS applies to ATSs that, during at least four of the preceding six months, had: (A) With respect to any NMS stock, 20 percent or more of the average daily volume reported by an effective transaction reporting plan; (B) with respect to equity securities that are not NMS stocks and for which transactions are reported to a self-regulatory organization, 20 percent or more of the average daily volume as calculated by the self-regulatory organization to which such transactions are reported; (C) with respect to municipal securities, 20 percent or more of the average daily volume traded in the United States; or (D) with respect to corporate debt securities, 20 percent or more of the average daily volume traded in the United States. See 17 CFR 242.301(b)(6)(i). \1782\ See 17 CFR 242.301(b)(6)(ii). --------------------------------------------------------------------------- The Commission recognizes that market participants that do not participate in the ARP Inspection Program and are not subject to Regulation ATS also take measures consistent with certain aspects of Regulation SCI to avoid systems disruptions, compliance issues, and intrusions. For example, the Commission believes that many market participants document systems events as prudent and standard business practice, even when the entity is not an ARP participant or does not report the incident as an ARP participant. Additionally, commenters provided information about their practices for maintaining suitable levels of systems capacity, integrity, resiliency, availability, and security. As discussed in Section IV.B.1, the Commission understands that some SCI entities are already following technology standards such as ISO 27000 and COBIT.\1783\ One commenter also stated that NFPA-1600 or BS 25999 was useful for contingency planning.\1784\ Commenters also provided less specific information on current practices that allow the Commission to gauge current practices. For example, one commenter stated that SCI entities commonly review a variety of different standards for frameworks or best practices, and then adopt a derivative of multiple standards, customizing them for the systems at issue.\1785\ In addition, another commenter stated that the financial services industry currently uses processes for software development that are more ``nimble'' than the frameworks listed in Table A, such as the NIST publication under the Systems Development Methodology domain.\1786\ --------------------------------------------------------------------------- \1783\ See text accompanying supra note 606. \1784\ See ISE Letter at 11. \1785\ See NYSE Letter at 20. \1786\ See BATS Letter at 6-7 (commenting that the NIST publication reflects a burdensome staged process to software development that favors the ``waterfall methodology'' over ``agile'' software development). --------------------------------------------------------------------------- FINRA members, including ATSs, are also subject to FINRA rules that are generally related to certain aspects of Regulation SCI.\1787\ For example, NASD [[Page 72399]] Rule 3010(b)(1) requires a member to establish, maintain, and enforce written procedures to supervise the types of business in which it engages and to supervise the activities of registered representatives, registered principals, and other associated persons that are reasonably designed to achieve compliance with applicable securities laws and regulations. However, this NASD rule does not specifically address compliance of the systems of FINRA members and does not cover more broadly policies and procedures relating to operational capability. Additionally, FINRA Rule 3130 requires a member's chief compliance officer to certify that the member has in place written policies and procedures reasonably designed to achieve compliance with applicable FINRA rules, MSRB rules, and federal securities laws and regulations. Again, this FINRA rule does not specifically address compliance of the systems of FINRA members and does not cover more broadly policies and procedures relating to operational capability. Further, FINRA Rule 4530 imposes a reporting regime for, among other things, compliance issues and other events where a member has concluded or should have reasonably concluded that a violation of securities or other enumerated law, rule, or regulation of any domestic or foreign regulatory body or SRO has occurred. However, the reporting requirements of FINRA Rule 4530 are different in several respects from the Commission notification requirements under Regulation SCI relating to systems compliance issues (e.g., scope, timing, content, the recipient of the reports) and would not cover reporting of systems disruptions or systems intrusions that did not also involve a violation of a securities law, rule, or regulation. In addition, FINRA Rule 4370 generally requires that a member maintain a written continuity plan identifying procedures relating to an emergency or significant business disruption. However, as compared to adopted Rules 1001(a)(2)(v) and 1004, this FINRA rule does not include a requirement that the business continuity and disaster recovery plans be reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption, nor does it require the functional and performance testing and coordination of industry or sector-testing of such plans. --------------------------------------------------------------------------- \1787\ See supra note 115. As noted above, although these rules have some broad relation to certain aspects of Regulation SCI, the Commission is not persuaded that the rules, even when taken together, are an appropriate substitute for the comprehensive approach in Regulation SCI with respect to technology systems and system issues. See id. --------------------------------------------------------------------------- Commenters addressed the Commission's consideration of current practices under the ARP Inspection Program as part of the baseline. According to a commenter, the ARP Inspection Program was implemented many years ago in a series of policy statements setting out guidance for voluntary compliance, and was supplemented with informal Commission staff guidance over the years, in many cases before the relevant systems existed.\1788\ This commenter also noted that Regulation SCI is a mandatory regulation with a more expansive nature, differentiating the proposed regulation from the voluntary, targeted scope of the ARP Inspection Program.\1789\ Some commenters believed that the Commission performed the economic analysis from a faulty premise by assuming that SCI entities that participate in the ARP Inspection Program have been in compliance with the voluntary standards and that the cost of compliance with Regulation SCI would merely be incremental as compared with the current baseline cost of voluntary compliance with the ARP regime.\1790\ One commenter noted that there is no publicly available information on voluntary compliance under the ARP Inspection Program, and the Commission should calculate the actual cost based on its knowledge of the extent to which SCI entities currently participating in the ARP Inspection Program are actually in compliance with ARP, rather than simply assuming full compliance.\1791\ --------------------------------------------------------------------------- \1788\ See NYSE Letter at 2, 6-7. This commenter noted that the ARP Inspection Program was never subject to Commission rulemaking, including notice and public comment, and a cost-benefit analysis. See id. at 6. This commenter further stated that if the Commission were to move forward with Regulation SCI, it should first engage in a detailed public analysis of the costs and benefits of the existing ARP Inspection Program. See id. at 2. \1789\ See id. at 6. \1790\ See ISE Letter at 11; and Joint SROs Letter at 18. \1791\ See ISE Letter at 11. --------------------------------------------------------------------------- In response to these comments, the Commission believes that current practices under the ARP Inspection Program continue to be relevant in an economic assessment of Regulation SCI and the current baseline. In particular, as described in more detail throughout the economic analysis, based on comments and staff experience, the Commission believes that ARP entities have developed practices that to some extent overlap with the requirements of Regulation SCI. Accordingly, the Commission believes that, for some entities, the economic effects associated with compliance with Regulation SCI will be less significant as these entities will need to make incremental adjustments to their current practices to comply with many of the requirements. The Commission recognizes that there is no publicly available information on voluntary compliance under the ARP Inspection Program. At the same time, the Commission and its staff have overseen the ARP Inspection Program for over two decades and notes that participants in the ARP Inspection Program generally follow the ARP Policy Statements. The Commission also notes that, in the ARP II Release, it stated that Commission staff and the SROs have discussed the independent review process, ``taking into account that the SROs already engage in testing and quality assurance reviews of new or modified systems, and that there are other significant controls in place to prevent, detect or correct problems in such areas as capacity planning, testing, systems development, vulnerability and contingency planning.'' \1792\ The Commission is not assuming in the economic analysis that each SCI entity is fully in compliance with the ARP Inspection Program. Rather, the Commission's and its staff's experience informs the Commission's view regarding the range of existing practices of SCI entities. The Commission recognizes that some participants in the ARP Inspection Program may also have adopted practices that are not precisely in line with the standards articulated in the ARP Policy Statements and other Commission policy statements. As discussed throughout this economic analysis, the Commission has considered what the economic effects, including the costs and benefits of complying with Regulation SCI, will be for those entities that may not have practices consistent with the standards articulated in the ARP Policy Statements. For example, some SRO backup facilities may be less geographically dispersed from the primary facilities than articulated in the 2003 BCP Policy Statement.\1793\ Further, some SROs may report systems issues or changes to the Commission in a manner different from what is articulated in the ARP Policy Statements and Commission staff letters. Instead of assuming full compliance with the ARP Inspection Program, throughout the economic analysis the Commission notes that some SCI entities that participate in the ARP Inspection Program have current [[Page 72400]] practices that already satisfy some of the requirements of Regulation SCI and considers the details of those current practices when assessing the economic effects of the rules. --------------------------------------------------------------------------- \1792\ See ARP II, supra note 1, at 22491. \1793\ See 2003 BCP Policy Statement, supra note 504, at 56658. --------------------------------------------------------------------------- Finally, in using the ARP Inspection Program as a component of the baseline, the Commission also recognizes that Regulation SCI is more expansive than the ARP Inspection Program and has taken this fact into consideration throughout the economic analysis. For example, among other things, Regulation SCI includes more expansive requirements compared to the ARP Inspection Program for the establishment of policies and procedures regarding systems capacity, integrity, resiliency, availability, security, and compliance; and annual business continuity and disaster recovery plans testing. In addition, the Commission is aware that more entities will be subject to Regulation SCI than are currently participating in the ARP Inspection Program, including a higher number of ATSs. The Commission has considered these differences in the economic analysis. The sections below describe in more detail the Commission's understanding of current practices related to areas covered by Regulation SCI, as informed by its experience with the ARP Inspection Program, the OCIE examination program, as well as by commenters. In particular, the sections below provide an overview of the frequency and the types of systems issues addressed by Regulation SCI (i.e., systems disruptions, systems intrusions, and systems compliance issues) and current practices related to these events, as well as current practices related to business continuity and disaster recovery, and material systems changes notifications. Additionally, the sections below include a summary of the current competitive landscape in various markets for services related to Regulation SCI and why the markets for these services do not provide an adequate competitive incentive to prevent the occurrence of these market events and reduce the duration and severity when they occur.\1794\ Details regarding the baseline for certain specific current practices relevant to specific provisions of Regulation SCI are discussed throughout the consideration of costs and benefits and the effect on efficiency, competition, and capital formation below. --------------------------------------------------------------------------- \1794\ Throughout this Economic Analysis, the general concept of a reduction of SCI events may refer to fewer events, shorter duration of events, and/or less severe events. --------------------------------------------------------------------------- 1. SCI Events a. Systems Disruptions and Intrusions Currently, market participants use an array of preventive and corrective measures to avoid systems disruptions and to restore systems when disruptions occur, including escalation procedures to notify management of disruptions. The range of preventive and corrective measures varies among market participants and SCI entities, and also differs among the systems employed by SCI entities. For instance, clearing systems and order matching engines generally are given higher priority by SCI entities than other SCI entity systems. Also, as noted by a commenter, exchanges, member firms, and ATSs conduct regular and ad hoc testing of mission critical systems for the introduction of new software releases, new features and functions, and systems upgrades, among other things.\1795\ This commenter also noted that the internal IT staff of exchanges, ATSs, trading platform providers, and clearing houses conduct regular systems testing, regression testing, stress testing, and failover testing to ensure the availability, capacity, resilience, and readiness of newly introduced systems, applications, products, and system functions.\1796\ However, industry practices are not codified as requirements for SCI entities and systems, except as may be the case in an entity's rulebook or subscriber agreement. --------------------------------------------------------------------------- \1795\ See Tellefsen Letter at 11. \1796\ See id. --------------------------------------------------------------------------- Market participants also employ a wide variety of measures to prevent and respond to systems intrusions, including escalation procedures to notify management of intrusions. Generally, market participants use measures such as firewalls to prevent systems intrusions, and use detection software to identify systems intrusions. Once an intrusion has been identified, the affected systems typically would be isolated and quarantined, and forensics would be performed. While there have been instances in which SCI entities revealed systems issues (including disruptions and intrusions) to their members or participants and to the public in the past,\1797\ there currently is no requirement applicable to SCI entities that includes the level of specificity in Regulation SCI for dissemination of information regarding systems disruptions and systems intrusions, as those terms are defined in Regulation SCI, to affected members or participants or to all members or participants of an SCI entity. --------------------------------------------------------------------------- \1797\ One instance of a publicly reported systems intrusion at an SCI entity occurred in February 2011, when NASDAQ OMX Group, Inc. revealed that hackers had penetrated certain of its computer networks, though Nasdaq reported that at no point did this intrusion compromise Nasdaq's trading systems. See Proposing Release, supra note 13, at 18089. One commenter also stated that when systems issues arise that impact subscriber access, functionality, or security, each potential SCI entity informs its subscribers of the problem and the expected solution, and generally follows with a post mortem. According to this commenter, some entities provide this notice pursuant to a contract or general agreement with subscribers, while others do so in order to maintain and grow their subscriber base. See OTC Markets Letter at 19. See also supra Section II.B (describing recent events involving systems-related issues, which have been made public). --------------------------------------------------------------------------- In 2013, entities that participated in the ARP Inspection Program, including at least one of each type of such participants (i.e., national securities exchange, national securities association, registered clearing agency, plan processor, ATS, and exempt clearing agency), reported a total of approximately 357 systems disruptions to the Commission.\1798\ These incidents had durations ranging from under one hour to well over several hours, with most incidents having a duration of less than three hours.\1799\ The Commission has also tracked the percentage of market outages at SROs and electronic communications networks, which were self-reported to the Commission or identified by Commission staff, that were corrected within targeted timeframes. Specifically, in fiscal year 2013, 80% of outages were resolved within 2 hours, 86% were resolved within 4 hours, and 98% were resolved within 24 hours.\1800\ --------------------------------------------------------------------------- \1798\ One commenter believes that ATSs have not contributed to the recent major systems issues that have impacted the market. See ITG letter at 4. However, as the Commission has noted, FINRA halted trading for over 3\1/2\ hours in all OTC equity securities due to a lack of availability of quotation information resulting from a connectivity issue experienced by OTC Markets Group Inc.'s OTC Link ATS. See supra note 33 and accompanying text. \1799\ The Commission acknowledges that the number of systems incidents reported to the Commission by entities that participated in the ARP Inspection Program represents the lower end of expected SCI events under Regulation SCI because the definition of ``SCI event'' is broader than the types of events covered by the current ARP Inspection Program. See supra Section V.D.2.a. \1800\ See U.S. Securities and Exchange Commission FY 2015 Annual Performance Plan, at 26 (March 7, 2014), available at: https://www.sec.gov/about/reports/secfy15congbudgjust.pdf. --------------------------------------------------------------------------- b. Systems Compliance Issues Currently, systems compliance issues are not covered by the ARP Inspection Program. However, the Commission notes that all SROs are required to comply with the Exchange Act, the rules [[Page 72401]] and regulations thereunder, and their own rules and governing documents, as applicable,\1801\ and securities information processors and ATSs are subject to similar requirements.\1802\ --------------------------------------------------------------------------- \1801\ See, e.g., 15 U.S.C. 78s(g) (requiring each SRO to comply with the Exchange Act, the rules and regulations thereunder, and its own rules). \1802\ See, e.g., 15 U.S.C. 78k-1(b)(6); 15 U.S.C. 78k-1(c)(1); and FINRA Rule 3130. Moreover, ATSs are registered broker-dealers and may be subject to Commission sanctions if they fail to comply with relevant federal securities laws and rules and regulations thereunder. --------------------------------------------------------------------------- Further, SROs currently take steps to ensure that their systems' operations are consistent with the federal securities laws and rules and their own rules, and some SROs notify Commission staff of certain systems compliance issues.\1803\ In particular, the Commission understands that SCI SROs generally have procedures to escalate a compliance issue upon discovery, to include legal and compliance personnel in the review of systems changes, and to periodically review rulebooks. However, although some SCI entities currently notify the Commission of certain systems compliance issues, the Commission does not receive comprehensive data regarding such issues. --------------------------------------------------------------------------- \1803\ See Proposing Release, supra note 13, at 18087, n. 36. As part of the Commission's oversight of SROs, OCIE reviews systems compliance issues reported to Commission staff. --------------------------------------------------------------------------- Similar to systems disruptions and systems intrusions, while there have been instances in which SCI entities revealed systems compliance- related issues to their members or participants and to the public in the past,\1804\ there currently is no requirement applicable to SCI entities that includes the level of specificity in Regulation SCI for dissemination of information regarding systems compliance issues, as that term is defined in Regulation SCI, to affected members or participants, or to all members or participants of an SCI entity. --------------------------------------------------------------------------- \1804\ See supra Section II.B (describing recent events involving systems-related issues, which have been made public). --------------------------------------------------------------------------- In the SCI Proposal, based on Commission staff's experience with SROs and the rule filing process, the Commission estimated that there are likely approximately seven systems compliance issues per SCI entity per year. No commenter provided additional information regarding the frequency of systems compliance issues. However, Commission staff received notifications indicating that certain SROs experienced an average of 17 systems compliance-related issues in 2013. The Commission believes that its staff received notification of a larger number of systems compliance issues in 2013 for a variety of reasons, including the proposal of Regulation SCI, recent Commission enforcement actions relating to systems compliance issues, as well as related press reports, all of which the Commission believes increased attention on systems compliance issues.\1805\ --------------------------------------------------------------------------- \1805\ See id. --------------------------------------------------------------------------- 2. Business Continuity and Disaster Recovery The Commission recognizes that SCI entities already have business continuity and disaster recovery plans. For example, nearly all national securities exchanges already have backup facilities that do not rely on the same infrastructure components as those used by their primary facility.\1806\ Additionally, most participants in the ARP Inspection Program have strived to adhere to the recovery timeframes in the Interagency White Paper and the 2003 BCP Policy Statement.\1807\ Some SCI entities also already require some of their members or participants to connect to their backup systems.\1808\ Further, some SCI entities already provide their members or participants with the opportunity to test the SCI entity's business continuity and disaster recovery plans, including its backup systems.\1809\ However, because participation in BC/DR testing, including backup systems, is not always required by SCI entities, the Commission understands that not all market participants participate in testing.\1810\ In addition, based on the discussions between Commission staff and market participants in the months following Superstorm Sandy, the Commission understands that many market participants had previously engaged in connectivity testing with backup facilities, and yet remained uncomfortable about switching to the use of backup facilities in advance of the storm. --------------------------------------------------------------------------- \1806\ See, e.g., CBOE Regulatory Circular RG14-001 (Back-Up Data Center Test on January 25, 2014). \1807\ See supra note 504 and accompanying text. \1808\ See, e.g., CBOE Regulatory Circular RG13-110 (Connectivity to the CBOE Back-Up Data Center). See also Proposing Release, supra note 13, at n. 641. \1809\ For example, SIFMA organizes industry-wide business continuity tests. See Industry Testing, https://www.sifma.org/services/bcp/industry-testing/. \1810\ See, e.g., Angel Letter at 9-10. --------------------------------------------------------------------------- Commenters also provided information regarding current practices surrounding business continuity and disaster recovery. One commenter noted that the major equity and options exchanges and numerous ATSs already regularly augment IT testing with other business continuity management exercises (e.g., they conduct annual business continuity and disaster recovery plan updates, building evacuation drills, and business disruption scenario planning workshops).\1811\ This commenter also noted that all of the U.S. exchanges and clearinghouses have participated in the planning and execution of the annual disaster recovery test initiative conducted and coordinated by the FIA and SIFMA.\1812\ This commenter noted that, in 2012, for example, the annual FIA industry test involved 18 exchanges and clearinghouses, 68 futures commission merchants, and 46 trading participant firms.\1813\ This commenter also noted that the exchanges reported that the firms engaged in testing represented approximately 80% of their clearing members and that these firms reflected approximately 85% of the exchanges' 2012 volumes.\1814\ --------------------------------------------------------------------------- \1811\ See Tellefsen Letter at 7. \1812\ See id. \1813\ See id. at 8. \1814\ See id. See also CME Letter at 12. --------------------------------------------------------------------------- 3. Material Systems Changes Notifications Many entities that participate in the ARP Inspection Program already voluntarily provide material systems change notifications to the Commission on an annual and ad hoc basis. In particular, the ARP II Release stated that SROs should notify Commission staff of significant additions, deletions, or other changes to their automated systems.\1815\ Moreover, in the 2001 Staff ARP Interpretive Letter, Commission staff provided guidance to ARP entities on how they should report planned systems changes to the Commission.\1816\ In addition, Rule 301(b)(6) under Regulation ATS requires that ATSs that meet the thresholds in that rule notify Commission staff of significant systems changes,\1817\ and Rule 301(b)(2) under Regulation ATS requires each ATS that is subject to Rule 301, regardless of activity level, to file an amendment on Form ATS at least 20 days prior to implementing a material change to the operation of the ATS.\1818\ --------------------------------------------------------------------------- \1815\ See ARP II Release, supra note 1, at 22491. \1816\ See supra note 21 and accompanying text. The 2001 Staff ARP Interpretive Letter provided guidance on what Commission staff considers significant systems changes to include. \1817\ 17 CFR 242.301(b)(6)(ii)(G). \1818\ 17 CFR 242.301(b)(2)(ii) (requiring an amendment to Form ATS not solely for material systems changes, but also for any material change to the operation of an ATS). --------------------------------------------------------------------------- [[Page 72402]] 4. Potential for Market Solutions The current competitive landscape in various markets for services related to Regulation SCI affect current incentives to prevent the occurrence of SCI events in these markets.\1819\ The Commission outlined and examined this competitive landscape and potential for market solutions to reduce SCI events and their shortcomings in the SCI Proposal.\1820\ In particular, the Commission evaluated current limitations to competition and potential market solutions in the markets for trading services, listing services, regulatory services, clearance and settlement services, and market data. --------------------------------------------------------------------------- \1819\ This section evaluates competition as it currently exists. The Commission analyzes the economic effects of Regulation SCI, including potential effects on competition, in Section VI.C. \1820\ See Proposing Release, supra note 13, at 18159-61. --------------------------------------------------------------------------- The discussion below responds to comments received regarding the Commission's discussion of the potential for market solutions in the markets for trading services and market data. The Commission did not receive specific comments regarding its analysis of the markets for listing services, regulatory services, and clearance and settlement services. Therefore, the Commission believes that its analysis of these markets in the SCI Proposal continues to apply. Specifically, the Commission believes that, while the market for listing services provides some discipline, it has limitations related to a disconnect between trading location and listing market (i.e., while a company can be listed on a certain exchange, trading does not necessarily occur on that exchange), to switching costs if an issuer wishes to change its listing exchange, and to market power deriving from the ``prestige'' of a listing exchange.\1821\ Further, the Commission believes that the market for regulatory and surveillance services is concentrated in a few competitors and that the market for clearance and settlement services is currently characterized by specialization and limited competition.\1822\ --------------------------------------------------------------------------- \1821\ See id. at 18160. \1822\ See id. at 18160-61. --------------------------------------------------------------------------- The Commission has considered the views of commenters and the Commission's analysis of markets not addressed by commenters, and continues to believe that market forces alone are insufficient to significantly reduce SCI events in the markets that it evaluated and that a regulatory solution is needed. In particular, the Commission continues to believe that SCI entities do not fully internalize the costs associated with systems issues, SCI events pose significant negative externalities on the market--i.e., systems issues have ramifications on the securities markets beyond the impact on the entity responsible for the systems issues--and, as discussed above, significant technology issues continue to occur in the absence of regulation. Some commenters broadly addressed the potential for market solutions evaluated in the SCI Proposal. According to one commenter, SCI entities (e.g., ATSs) are highly motivated to provide uninterrupted order matching services for economic reasons.\1823\ On the other hand, another commenter noted that, as indicated by the 2008 financial crisis and the technology incidents over the past few years, market participants do not have the right economic incentives to protect themselves.\1824\ Another commenter stated that, in the past, ``disruptive or deviant behavior in the markets was disciplined not just by regulators but also by trading crowds,'' but anonymity and fully automated price/time matching made it impossible for the trading crowd to attribute and sanction disruptive behavior.\1825\ This commenter also noted that market incentives can drive the industry in the opposite direction (i.e., short-term market incentives can drive the industry to minimize risk controls).\1826\ According to this commenter, the only practical source of discipline left is government regulation.\1827\ --------------------------------------------------------------------------- \1823\ See ITG Letter at 4 (stating also that sponsors of ATSs have a ``compelling business incentive to avoid systems issues''). See also Angel Letter at 5-6 (commenting that firms have sufficient motivation to take every precaution against catastrophic failures, although the interaction between firms may result in a catastrophic event). \1824\ See Lauer Letter at 3-4. \1825\ See Leuchtkafer Letter at 1-2. \1826\ See id. at 6. This commenter stated that it is far cheaper for firms to implement new trading strategies ``in a matter of minutes'' than it is for them to rigorously test a new strategy before deployment, and that it is more profitable for firms to skimp on risk controls because controls take time. See id. Further, this commenter noted that the exchanges know, or should know, who ``misbehaves,'' but they are tangled in mixed incentives of their own, dependent on firms for the next quarter's profits and, at the same time, expected to moderate the firms' behavior. See id. \1827\ See id. at 6-7. --------------------------------------------------------------------------- The Commission believes that all SCI entities have some incentives to maintain robust systems in order to maximize long-term revenue. However, as evidenced by the various systems issues that have occurred prior to and since publication of the SCI Proposal, economic motivations alone have not been sufficient to significantly reduce systems issues.\1828\ In addition, although SCI entities may suffer an economic and reputational burden if a systems issue becomes apparent to the trading community or the public, the Commission believes that SCI entities are not sufficiently incentivized to improve the robustness of these systems to prevent systems issues, as described in more detail below.\1829\ Further, SCI entities may fail to internalize the risk of catastrophic failure associated with systems issues. --------------------------------------------------------------------------- \1828\ See supra Section II.B (discussing recent events involving systems-related issues). \1829\ As noted above, the Commission acknowledges that the nature of technology and the level of sophistication and automation of current market systems prevent any measure, regulatory or otherwise, from completely eliminating all systems disruptions, intrusions, or other systems issues. See supra Section III. --------------------------------------------------------------------------- As noted above, systems issues have ramifications on the securities markets beyond the impact on the entity responsible for or experiencing the systems issues (an ``economic externality''). That is, a systems issue not only affects the entity responsible for the issue, but also directly affects other entities that use that entity. Often, when an SCI entity experiences a systems issue, all market participants that use that entity incur costs. For example, if market data systems fail, it affects anyone requiring such market data to make informed decisions. Also, when a matching engine fails, securities cannot be traded via that functionality. As discussed in greater detail below, the failure of a trading system not only forces the venue to forgo revenue, but also can diminish trading in financial instruments during the disruption. Additionally, the failure of a trading system can impose costs on market participants that have optimized their strategy so that trading costs are minimized. If the strategy of these market participants assumes that all trading venues are fully operational, then the failure of a trading system could impose additional transaction costs. The Commission believes that, in part because the costs of such externalities are not fully borne by SCI entities in the form of lost business, market forces alone are insufficient to significantly reduce SCI events. Market for Trading Services In the proposing release, the Commission identified many competitors in the market for trading services, including equities exchanges, options exchanges, ATSs, OTC market makers, and broker- dealers.\1830\ Competitors for listed-equity (NMS) [[Page 72403]] trading services include 11 national securities exchanges, none having an overall market share of 20 percent,\1831\ 44 ATSs, which account for 18% of dollar volume, and several hundred OTC market makers and broker- dealers, which account for 15.8% of dollar volume.\1832\ In the SCI Proposal, the Commission recognized that all providers of trading services compete and have incentives to avoid systems disruptions, systems compliance issues, and systems intrusions because, for example, brokers and other entities will be inclined to route orders away from trading venues that have frequent systems problems. However, the Commission noted several limitations on competition, including market participants misjudging the quality of trading services because of incomplete information regarding SCI events and the limited number of competitors (in some cases only one competitor) that may offer trading services in a particular product.\1833\ --------------------------------------------------------------------------- \1830\ See Proposing Release, supra note 13, at 18159. \1831\ See supra note 106 and accompanying text. \1832\ Calculated by Commission staff using market volume statistics reported by BATS and data from Form ATS-R for the second quarter of 2014. See supra notes 106 and 150. In 2012, 255 OTC market makers and broker-dealers accounted for 17% of volume. See DERA staff white papers, ``Alternative Trading Systems: Description of ATS Trading in National Market System Stocks'' by Laura Tuttle (https://www.sec.gov/marketstructure/research/alternative-trading-systems-march-2014.pdf) and ``OTC Trading: Description of Non-ATS OTC Trading in National Market System Stocks'' by Laura Tuttle (https://www.sec.gov/marketstructure/research/otc_trading_march_2014.pdf). \1833\ For example, a number of listed options and NMS stocks trade on only one venue. --------------------------------------------------------------------------- With respect to the market for trading services, one commenter stated that the current competitive market for trading services provides sufficient redundancies that make a disruption at any particular service provider minor.\1834\ Another commenter noted that exchanges compete vigorously with one another and against broker-dealer execution platforms and cannot afford to develop a reputation for technology problems.\1835\ This commenter also noted that the incidence of self-help declarations \1836\ has been reduced, which reflects technology enhancements by exchanges that are a direct result of the competitive environment in which exchanges operate.\1837\ Similarly, another commenter stated that, apart from any regulatory standards, no organization has a greater stake in assuring the effective operation of its systems than the owners and operators of the entities that participate in the market structure.\1838\ Moreover, one commenter stated that ATSs already have incentives to avoid any systems disruptions for competitive reasons and also perform numerous tests and employ best practices.\1839\ --------------------------------------------------------------------------- \1834\ See KCG Letter at 6-8. \1835\ See BATS Letter at 2. \1836\ Rule 611(b) under Regulation NMS provides a number of exceptions from the general requirement to prevent trade-throughs of protected quotations. In particular, Rule 611(b)(1) provides the ``self-help'' exception, which applies when the ``transaction that constituted the trade-through was effected when the trading center displaying the protected quotation that was traded through was experiencing a failure, material delay, or malfunction of its systems or equipment.'' See 17 CFR 242.611(b)(1). \1837\ See BATS Letter at 2-3. \1838\ See BIDS Letter at 2. \1839\ See ITG Letter at 4. --------------------------------------------------------------------------- Again, the Commission acknowledges that all providers of trading services compete and have some incentives to avoid systems issues. However, the Commission continues to believe that there are limits to the extent to which competition mitigates systems problems associated with trading services because providers of trading services compete on a variety of measures--for example, providing the best prices, deep quotes, and fast executions--not just the quality of their systems. As a result, an issue with trading systems might not significantly harm the SCI entity that experienced the issue. Additionally, competition in the market for trading services may also not sufficiently mitigate the occurrence and effects of SCI events because market participants may lack information about SCI events. The Commission believes that it is important for affected SCI entity members or participants and, in some cases, all members or participants of an SCI entity, to know about SCI events at a particular service provider.\1840\ Moreover, even in markets where significant competition exists--such as the market for trading NMS securities, which has many competitors including exchanges and ATSs--entities that experience significant outages may temporarily lose market share, but may quickly regain the lost market share.\1841\ The Commission believes that this further suggests that competition alone will not significantly reduce systems issues. --------------------------------------------------------------------------- \1840\ See supra Section VI.B.1 (discussing current practices of SCI entities regarding dissemination of information on systems- related issues). \1841\ For example, on November 12, 2012, the NYSE experienced a failure in a matching engine that forced it to stop trading 216 stocks. See NYSE Market Status Alert, https://markets.nyx.com/nyse/market-status/view/11558. The NYSE lost market share on the day of the outage but regained its market share the next day. See generally https://www.batstrading.com/market_summary/ (compiling data on market share). --------------------------------------------------------------------------- In addition, some entities that face little competition in one security may impose significant externalities on the market with little competitive recourse. For example, even though there may be multiple trading venues for the majority of securities, trading service providers may have limited means to transact in particular securities (e.g., certain index options exclusively traded on one options exchange) and thus, if systems issues persist at certain venues, brokers, investors, and other entities will not be able to trade the security until the venue that lists the security recovers. In this particular case, not only does the venue lose revenue from forgone volume, but market participants also incur costs because they are not able to trade the security. As a result, the Commission believes that competition alone in the market for trading services is not sufficient to reduce SCI events at entities providing these services. As mentioned by one commenter,\1842\ competitive forces among trading venues may also lead to ``underinvestment and cutting corners.'' For example, the incentive to migrate software from testing to the production environment to improve trading services (and thereby the entity's profitability) may promote an environment where software that has not been adequately tested is launched into production, thus increasing the potential for systems issues to develop. --------------------------------------------------------------------------- \1842\ See Lauer Letter at 4 (stating that ``[e]very firm in every industry is constantly balancing the cost of safety with scarcity of resources . . . [and t]he Commission's job in this regard is to compel these firms to act in their own long-term interests, and the interests of the public at-large, rather than any short-term interests that may be better served by underinvestment and cutting corners''). --------------------------------------------------------------------------- Market for Market Data One commenter stated that Regulation SCI, as applied to market data, is unnecessary and will have ``zero benefits'' because the revenue from the sale of market data is an important revenue source for an SRO.\1843\ Therefore, according to this commenter, SROs already have the right incentives to successfully collect, process, and disseminate market data.\1844\ --------------------------------------------------------------------------- \1843\ See Angel Letter at 18-19. \1844\ See id. --------------------------------------------------------------------------- As noted above, the Commission has, on numerous occasions, emphasized the importance of market data, including the consolidated data feed.\1845\ The Commission believes that consolidated market data is an important part of the investment and trading process as it helps market participants to make well-informed investment and trading decisions, and also helps investors to monitor the quality of execution of orders by their brokers. In addition, [[Page 72404]] exchanges rely on accurate consolidated market data for many of their real-time functions. Even though demand is great, a total of only two SIPs collect, process, and distribute consolidated market data in NMS securities, and only a single SIP collects, processes, and distributes consolidated market data for any given security. Further, other providers of market data in markets other than NMS securities (e.g., municipal securities) may also be the sole providers of their data. Therefore, the Commission believes that the market data consolidators are not subject to significant competitive market forces. Further, because the demand for market data from the SIPs is inelastic,\1846\ there is little incentive to improve reliability as few alternatives exist. Thus, the Commission believes that competition alone is not sufficient to reduce SCI events for market data consolidators. Because an SCI event in connection with market data can significantly disrupt markets, the Commission believes that regulation is needed and, as discussed below, will provide significant benefits.\1847\ --------------------------------------------------------------------------- \1845\ See supra note 249 and accompanying text. \1846\ Demand is inelastic when demand does not diminish as price increases. \1847\ For example, as discussed above, on August 22, 2013, Nasdaq halted trading in all Nasdaq-listed securities for more than three hours after the Nasdaq SIP, the single source of consolidated market data for Nasdaq-listed securities, became unable to process quotes from exchanges for dissemination to the public. See supra note 32 and accompanying text. --------------------------------------------------------------------------- C. Consideration of Costs and Benefits and the Effect on Efficiency, Competition, and Capital Formation 1. Broad Economic Considerations The Commission has considered the economic effects of Regulation SCI as a whole as well as the specific effect of each rule. This section provides an overview of the broad economic considerations relevant to Regulation SCI and the economic effects, including the costs, benefits, and effects on efficiency, competition, and capital formation that are attributable to Regulation SCI as a whole. Additional economic effects, including benefits and costs, related to specific requirements in Regulation SCI and reasonable alternatives are discussed in Section VI.C.2 below. The Commission has attempted, where possible, to quantify the benefits and costs anticipated to flow from Regulation SCI. The Commission notes, however, that many of the costs and benefits of Regulation SCI are difficult to quantify with any degree of certainty, especially as the current practices of market participants vary and are expected to evolve and adapt to changes in technology and market developments. For example, in some cases, quantification depends heavily on factors outside of the control of the Commission, particularly because Regulation SCI provides flexibility to an SCI entity to tailor its policies and procedures to the nature of its business, technology, and the relative criticality of each of its SCI systems. Additionally, in some cases, the Commission is unable to quantify the benefits and costs associated with Regulation SCI because the Commission lacks the information necessary to provide a reasonable estimate. For example, the Commission does not have sufficient information upon which to base an estimate of all costs associated with the various specific systems changes that may be required as the result of Regulation SCI. Accordingly, much of the discussion of economic effects is qualitative in nature but, again, where possible, the Commission has provided quantified information. a. Benefits The Commission believes that the adoption of, and compliance by SCI entities with Regulation SCI, will further the goals of the national market system as a result of each SCI entity establishing, maintaining, and enforcing written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity's operational capability and promote the maintenance of fair and orderly markets. In this respect, Regulation SCI will promote the capacity, integrity, resiliency, availability, and security of the automated systems of entities important to the functioning of the U.S. securities markets, as well as reinforce the requirement that such systems operate in compliance with the Exchange Act and rules and regulations thereunder, thus strengthening the infrastructure of the U.S. securities markets and improving their resilience when technological issues arise. Regulation SCI also establishes an updated and formalized regulatory framework, thereby helping to ensure more effective Commission oversight of such systems. Although the Commission acknowledges that Regulation SCI likely will not eliminate all systems issues, the Commission believes that Regulation SCI will change and strengthen the practices of SCI entities, and should result in a number of benefits, including those summarized below.\1848\ --------------------------------------------------------------------------- \1848\ As noted above, in the SCI Proposal, the Commission encouraged commenters to identify, discuss, analyze, and supply relevant data, information, or statistics regarding benefits. The Commission notes that it is unable to quantify the benefits associated with Regulation SCI as a whole because quantitative data regarding each of the benefits is not readily available to the Commission, and commenters did not provide sufficient quantitative data to allow the Commission to do so. --------------------------------------------------------------------------- The Commission believes that adopting Regulation SCI will result in fewer market disruptions due to systems issues, which could lead to fewer interruptions in the price discovery process \1849\ and liquidity flows and, thus, may result in fewer periods with pricing inefficiencies. Specifically, the Commission believes that Regulation SCI would improve systems up-time for SCI entities and also would promote more robust systems that directly support execution facilities, order matching, and the dissemination of market data. Systems issues that directly inhibit execution facilities, order matching, and dissemination of market data could cause slow executions and result in delaying the incorporation of information into prices, and thus could harm price efficiency and price discovery. System issues could also result in unfilled orders, depriving traders of an execution. The Commission believes that Regulation SCI would reduce the frequency, severity, and duration of such effects resulting from systems issues. Moreover, decreasing the number of trading interruptions could improve price discovery and liquidity because interruptions in trading interfere with the process in which relevant information gets incorporated into security prices and, thus, temporarily disrupt liquidity flows and lower the quality of the price discovery process. Further, because interruptions in liquidity flows and the price discovery process in one security can affect securities trading in other markets, reducing trading interruptions could have broad effects. For example, an interruption in the market for securities that underlie derivative securities (e.g., index options and futures) would harm the price discovery process for those products and potentially restrict liquidity flows between the stock market and the derivative markets. --------------------------------------------------------------------------- \1849\ The price discovery process involves trading--buyers and sellers arriving at a transaction price for a specific asset at a given time. Thus, generally, any trading interruptions would interfere with the price discovery process. --------------------------------------------------------------------------- The Commission also believes that Regulation SCI has the potential to reduce widespread SCI events. Given [[Page 72405]] the speed and interconnected nature of the U.S. securities markets, a seemingly minor systems problem at a single entity can quickly create losses and liability for market participants, and spread rapidly across the national market system, potentially creating widespread damage and harm to market participants, including investors. By reducing systems issues, Regulation SCI also has the potential to decrease the risk of these catastrophic events. In addition, other benefits may derive from the additional information provided to the Commission and to members or participants of an SCI entity resulting from Regulation SCI. In particular, the information provided to the Commission should enhance the Commission's review and oversight of U.S. securities market infrastructure and foster cooperation between the Commission and SCI entities in responding to SCI events. Also, as noted in Section IV.B.3.c, the Commission believes that the aggregated data that will result from the reporting of SCI events will enhance its ability to comprehensively analyze the nature and types of various SCI events and identify more effectively areas of persistent or recurring problems across the systems of all SCI entities. Moreover, as discussed in Section IV.A.3, the Commission notification requirements for SCI events will help to focus the Commission's and SCI entities' resources on the more significant SCI events, as the Commission has determined to distinguish the timing of its receipt of information regarding SCI events based on their impact, with SCI events estimated to have a greater impact being subject to ``immediate'' Commission notification, and SCI events having no or a de minimis impact being subject to recordkeeping obligations, and for de minimis systems disruptions and de minimis systems intrusions, a quarterly summary notification. Moreover, the increased dissemination of information about SCI events to SCI entity members or participants could reduce search costs for market participants when they are gathering information to make a decision with respect to the use of an entity's services. As discussed more thoroughly below, by lowering search costs, the information dissemination requirement could provide SCI entities additional competitive incentives to ensure and maintain robust policies and procedures to promote systems capacity, integrity, resiliency, availability, security and compliance. Some commenters addressed how the availability of Commission resources may affect the benefits and costs of Regulation SCI. One commenter argued that Regulation SCI would result in misallocation of Commission resources.\1850\ This commenter stated that it is likely that Regulation SCI would not reduce in a material manner the occurrence of systems issues at SCI entities, and Commission staff resources would be better devoted to working with the industry to develop best practices (not legal requirements) for all regulated entities in the areas of systems capacity, security, and integrity.\1851\ Similarly, one commenter noted that unless the Commission and Congress devote sufficient resources to hiring enough skilled technical staff, Regulation SCI will devolve into a paperwork exercise with little added benefit to the markets.\1852\ Another commenter stated that there is insufficient evidence regarding the resources and capacity of Commission staff to assess and analyze the data required to be provided under Regulation SCI.\1853\ This commenter urged the Commission to consider its resources as the Commission accommodates new initiatives.\1854\ --------------------------------------------------------------------------- \1850\ See ITG Letter at 6-7. This commenter noted that Commission staff resources used to oversee Regulation SCI compliance would dwarf those used for the ARP Inspection Program and that Commission staff would have to analyze and act upon notifications from SCI entities, including systems change notifications. See id. This commenter also noted that substantial examination resources from the Commission and FINRA would be assigned to Regulation SCI oversight. See id. Similarly, another commenter noted that proposed Regulation SCI would result in a dramatic increase in the number of Commission notifications and would require substantial resources for Commission staff to process them in a responsible fashion. See Omgeo Letter at 8, n. 14. \1851\ See ITG Letter at 7. \1852\ See Angel Letter at 2. \1853\ See SunGard Letter at 2. \1854\ See id. at 5. --------------------------------------------------------------------------- As described throughout this release, the Commission believes that Regulation SCI will have significant benefits and that a regulatory solution is necessary because market forces alone are insufficient to significantly reduce SCI events in the relevant markets. The Commission has significant experience with the ARP Inspection Program, and thus has developed expertise in this area that it will apply to implementing and monitoring compliance with Regulation SCI. In light of this experience, the Commission believes that it can devote sufficient resources to carry out its obligations associated with Regulation SCI so that the benefits of Regulation SCI can be realized. b. Costs Some of the costs associated with Regulation SCI are compliance costs. Compliance costs include, for example, documentation and mandatory reporting and dissemination of SCI events, and reports that include material systems changes. SCI entities will also incur costs in complying with the SCI review requirement, as well as in implementing the policies and procedures related to systems capacity, integrity, resiliency, availability, security, and compliance. Moreover, SCI entities will incur costs related to recordkeeping. Additional costs will also result from member/participant participation in the testing of SCI entity business continuity and disaster recovery plans. Also, market participants (including institutional and retail investors) in the securities markets may face increased transaction costs from SCI entities, to the extent that increased compliance costs are passed on to market participants. Many, but not all, of the quantifiable costs of Regulation SCI involve a collection of information, and these costs and burdens are discussed in the Paperwork Reduction Act section of this release.\1855\ When the PRA burdens are monetized, the estimated paperwork related compliance burdens for SCI entities as a result of Regulation SCI total approximately $117 million initially and approximately $100 million annually.\1856\ The Commission notes that the monetized PRA burdens have increased from those contained in the SCI Proposal. Although many of the adopted rules are more targeted and impose fewer requirements on SCI entities than the proposed rules, the monetized PRA burdens have changed in part due to modifications made to the PRA estimates as a result of recommendations from commenters, revisions to the rule text, and the revised estimate of the number of SCI events, which resulted from incorporating the Commission's review of the number of systems compliance-related issues and ARP incidents reported to Commission staff in 2013. --------------------------------------------------------------------------- \1855\ See supra Section V. The Commission provides below quantified estimates of other costs imposed by Regulation SCI beyond the PRA burdens, to the extent the Commission can quantify such costs. \1856\ The monetized PRA cost reflects the paperwork cost estimated for all of Regulation SCI, as discussed in Section V. --------------------------------------------------------------------------- In addition, the Commission has quantified non-paperwork related costs for SCI entities that total between approximately $14 million \1857\ and $106 million \1858\ in initial costs and between [[Page 72406]] $9 million \1859\ and $70 million \1860\ in annual ongoing costs. In addition to the costs to SCI entities, the Commission also estimates the total connectivity costs to members or participants of SCI entities associated with the testing of business continuity and disaster recovery plans to be $18 million annually.\1861\ Thus, the Commission estimates total quantified costs for SCI entities and members or participants of SCI entities to be between approximately $149 million \1862\ and $241 million \1863\ in initial costs and between $127 million \1864\ and $188 million \1865\ in annual ongoing costs. --------------------------------------------------------------------------- \1857\ See infra note 1943 (estimating cost for complying with the policies and procedures required by Rules 1001(a) and (b)). \1858\ See infra note 1944 (estimating cost for complying with the policies and procedures required by Rules 1001(a) and (b)). \1859\ See infra note 1945 (estimating cost for complying with the policies and procedures required by Rule 1001(a) and (b)). \1860\ See infra note 1946 (estimating cost for complying with the policies and procedures required by Rule 1001(a) and (b)). \1861\ See infra note 2065. \1862\ $149 million = $117 million (PRA cost) + $14 million (other costs for SCI entities) + $18 million (connectivity costs for members or participants of SCI entities). \1863\ $241 million = $117 million (PRA cost) + $106 million (other costs for SCI entities) + $18 million (connectivity costs for members or participants of SCI entities). \1864\ $127 million = $100 million (PRA cost) + $9 million (other costs for SCI entities) + $18 million (connectivity costs for members or participants of SCI entities). \1865\ $188 million = $100 million (PRA cost) + $70 million (other costs for SCI entities) + $18 million (connectivity costs for members or participants of SCI entities). --------------------------------------------------------------------------- Several commenters provided broad comments regarding the costs of proposed Regulation SCI.\1866\ According to one commenter, Regulation SCI as proposed is ``too universal in its application, too ambitious in its scope and too costly in its implementation to achieve the hoped for reduction in risk to the markets without simultaneously diminishing other important SEC accomplishments, such as increased competition, improved innovation, increased consumer choice, lower barriers to entry into the industry and reduced transaction costs to the customer.'' \1867\ Another commenter noted that proposed Regulation SCI would impose an unreasonably burdensome technology and controls standard on automated systems of SCI entities, which could lead to allocative inefficiencies in the marketplace and therefore have a stifling effect on innovation in the U.S. equity markets.\1868\ Another commenter stated that the ultimate result of proposed Regulation SCI will be to limit or suppress the execution choice of buy-side investors, meaning investors will have less ability to effectively manage their trading strategies and diminished opportunities to seek better execution, lower transaction costs, and achieve price improvement and investment performance.\1869\ --------------------------------------------------------------------------- \1866\ One commenter provided ``conservative and preliminary'' estimates for the cost of compliance with Regulation SCI. See FINRA Letter at 42-43. This commenter estimated that its one-time cost to comply with Regulation SCI would be between approximately $1.1 million and $1.3 million, and its ongoing annual costs would be between approximately $4.5 million and $5.5 million, if Regulation SCI is adopted as proposed (e.g., if SCI systems is defined to apply to non-market regulatory and surveillance systems, and development and testing environments). See id. at 42. As discussed above, the definition of SCI systems does not include non-market regulation and non-market surveillance systems, or development and testing systems. Therefore, the Commission believes these estimates are too high. This commenter estimated that, under a narrower Regulation SCI (e.g., if non-market systems and development and testing environments are excluded from the definition of SCI systems), its one-time compliance costs would be between approximately $675,000 and $825,000 and its annual costs would be between approximately $2.2 million and $2.6 million. See id. This commenter also stated that, monetizing its hour estimates for annual SCI reviews, its compliance costs would increase by between approximately $600,000 and $900,000, and higher if more systems than currently in scope under ARP would be subject to annual SCI reviews. See id. at 42. The Commission notes that, other than the costs for SCI reviews, these estimates do not distinguish paperwork costs from non-paperwork costs. If the commenter's estimates are intended to include all costs for compliance with Regulation SCI, these estimates are close to or within the Commission's estimated total quantified cost ranges for SCI entities. See supra notes 1862-1865 and accompanying text. \1867\ See BIDS Letter at 2-3. \1868\ See ITG Letter at 2. \1869\ See UBS Letter at 7-8. --------------------------------------------------------------------------- As discussed throughout this release, the Commission believes that Regulation SCI will change and strengthen the practices of SCI entities, and should result in a number of benefits. Further, the Commission believes that these benefits should result without diminishing the Commission's accomplishments in other areas, stifling innovation, or suppressing the execution choice of investors. In particular, although costs associated with Regulation SCI could adversely impact competition and increase barriers to entry, the Commission believes that the adverse effect on competition and heightened barriers for SCI entities that provide venues for trading, including ATSs and exchanges, would be mitigated and therefore the Commission does not expect that investor choice on trading venues would be significantly limited.\1870\ The Commission also believes that any such effects would be warranted in light of the expected benefits of Regulation SCI. Additionally, as discussed below, the dissemination of information regarding certain major SCI events to all members or participants of an SCI entity can promote competitive incentives to prevent systems issues. The Commission also believes that the reduction in systems issues resulting from Regulation SCI could result in fewer interruptions in the price discovery process and liquidity flows and thus result in fewer periods with pricing inefficiencies. Furthermore, Regulation SCI could improve system uptime for SCI entities, and therefore reduce latency as market participants will not be forced to reroute orders or change execution strategies associated with situations in which an SCI entity is not operational. --------------------------------------------------------------------------- \1870\ See infra Section VI.C.1.c (addressing potential effects on efficiency, competition, and capital formation, including effects on other SCI entities). --------------------------------------------------------------------------- Moreover, the Commission notes that it has revised the proposed rules after considering the comments received. The Commission believes that many of the revisions to the proposed rules would reduce burdens on SCI entities and significantly address commenters' concerns regarding potential negative effects on allocative inefficiency and innovation. For example, because the Commission is adopting a quarterly reporting requirement for material systems changes instead of the proposed 30-day advance notification requirement, adopted Regulation SCI would impose lower burdens on SCI entities compared to the proposal and allow SCI entities more flexibility when they implement material systems changes.\1871\ --------------------------------------------------------------------------- \1871\ See supra Section IV.B.4.b.i. --------------------------------------------------------------------------- c. Effects on Efficiency, Competition, and Capital Formation Along with the effects on efficiency, competition, and capital formation discussed below with regard to specific provisions of Regulation SCI, the Commission believes that Regulation SCI as a whole could affect efficiency, competition, and capital formation in several ways. By increasing the robustness of SCI systems and indirect SCI systems of SCI entities, Regulation SCI may improve efficiency--in particular, price efficiency--and the improvement in pricing efficiency could promote capital formation. In particular, as discussed in VI.C.1, disruptions to SCI systems and the resulting trading interruptions can degrade pricing efficiency, price discovery, and liquidity. Regulation SCI may reduce the frequency, severity, and duration of market disruptions (e.g., trading interruptions) that may otherwise prevent market participants from impounding information into security prices through market activity (e.g., order submission) and, thus, [[Page 72407]] improve price efficiency in the markets. Such disruptions also impose liquidity costs and harm the price discovery process. The quality of the price discovery process has important implications for efficiency and capital formation, as prices that accurately convey information about fundamental value improve the efficiency with which capital is allocated across projects and firms. The Commission also believes that Regulation SCI could affect competition in several ways. The Commission believes that the existing competition among the markets has not sufficiently mitigated the occurrence of SCI events.\1872\ Regulation SCI requires SCI entities to disseminate information regarding certain SCI events to affected members or participants or to all members or participants of an SCI entity. As discussed more thoroughly in Section VI.C.2.b.iv below, the Commission believes that requiring the dissemination of information regarding certain SCI events could further incentivize SCI entities to maintain more robust SCI systems and indirect SCI systems and would enhance competition among SCI entities with respect to the maintenance of robust SCI systems and indirect SCI systems. --------------------------------------------------------------------------- \1872\ See supra Section VI.B.4. --------------------------------------------------------------------------- Additionally, the Commission believes that Regulation SCI may have an impact on competition among SCI entities, in part because the compliance costs of Regulation SCI will be different among SCI entities. Specifically, some SCI entities already satisfy some of the requirements of Regulation SCI because those provisions codify certain aspects of the ARP Policy Statements. The Commission believes that these current ARP participants will incur direct compliance costs that are incremental relative to the current cost of participating in the ARP Inspection Program and current practices outside of the scope of ARP. But Regulation SCI also applies to some entities that currently do not participate in the ARP Inspection Program such as the MSRB and most SCI ATSs. These SCI entities may incur higher initial compliance costs, compared to current ARP participants, in modifying their current practices to comply with Regulation SCI.\1873\ To the extent that SCI entities with different initial compliance costs compete, Regulation SCI could alter the competitive relationship and give SCI entities that are currently in compliance with certain provisions of Regulation SCI a competitive advantage.\1874\ --------------------------------------------------------------------------- \1873\ The Commission notes that the SCI entities incurring the lower initial compliance costs previously incurred such costs to participate in the ARP Inspection Program. \1874\ However, given the voluntary nature of the current ARP Inspection Program, the extent of current compliance with the requirements of adopted Regulation SCI by entities subject to the ARP Inspection Program varies. --------------------------------------------------------------------------- In addition to competition among SCI entities, the compliance costs imposed by Regulation SCI could have an effect on competition between SCI entities and non-SCI entities in the markets for trading services. Specifically, in part because non-SCI entities do not have to incur the compliance costs associated with Regulation SCI, these entities may have a competitive advantage in the markets for trading services over SCI entities that they compete with. The adverse competitive effects, however, are likely to be minor when considering only ATSs because an SCI ATS is likely to be larger and have more of an established customer base than other ATSs. The Commission recognizes that broker-dealers also compete with SCI entities in the market for trading services and that some broker-dealers are larger than some ATSs and exchanges. However, broker-dealers cannot offer the same services as ATSs or exchanges without becoming ATSs or exchanges. The costs imposed by Regulation SCI could also affect barriers to entry for new ATSs and exchanges and, thus, could adversely affect competition.\1875\ Specifically, the Commission acknowledges that Regulation SCI will increase the costs for those that meet the definition of SCI entity. This will increase the expected costs of market entrants who expect to eventually be SCI entities. If an increase in these costs reduces the number of potential new entrants, the potential competition from new entrants will be lower. --------------------------------------------------------------------------- \1875\ While Regulation SCI could also increase start-up costs for SIPs and registered clearing agencies, SIPs provide exclusive services and registered clearing agencies are currently characterized by specialization and limited competition. Clearing and settlement services exhibit high barriers to entry and economies of scale. See Clearing Agency Standards Release, supra note 76, at 66263 and 66265. --------------------------------------------------------------------------- As noted above, however, the Commission believes that the heightened barriers to entry for ATSs would be mitigated to some degree because the compliance period would provide a new ATS entrant the opportunity to initiate and develop its business before the ATS would need to comply with Regulation SCI.\1876\ In particular, the Commission believes that few new ATSs would likely initially meet the threshold to be covered under Regulation SCI and a new ATS could trade for at least three months (i.e., less than four of the preceding six months) and conduct such trading at any level without being subject to Regulation SCI. The Commission also notes that ATSs meeting the volume thresholds in the definition of ``SCI ATS'' for the first time will also be provided six months from the time that the ATS first meets the applicable thresholds to comply with the requirements of Regulation SCI.\1877\ This compliance period should also provide such ATSs with time to plan on how they would meet the requirements of Regulation SCI, and could also potentially allow SCI ATSs to become more equipped to bear the cost of Regulation SCI once compliance is required, and thus not significantly discourage new ATSs from entering the market and growing. For newly registered exchanges, the Commission believes the costs associated with Regulation SCI would not represent a significant increased barrier to entry, as the costs would represent a small portion of total costs associated with creating and registering an exchange. --------------------------------------------------------------------------- \1876\ See supra note 152. \1877\ See supra Section IV.F (discussing effective date and compliance dates for Regulation SCI). --------------------------------------------------------------------------- The compliance costs associated with participating in business continuity and disaster recovery plan testing may affect competition among members or participants of SCI entities and also could raise barriers to entry for new members or participants. In particular, Regulation SCI imposes compliance costs on certain members or participants of SCI entities that are designated to participate in business continuity and disaster recovery plans testing. Because some members or participants may incur compliance costs associated with Rule 1004 and others may not, it could negatively impact the ability for some to compete and could raise barriers to entry. As discussed more thoroughly in Section VI.C.2.b.vii below, the Commission expects the compliance costs associated with the business continuity and disaster recovery plans testing requirements in Rule 1004 to be limited for larger members or participants who already maintain connections to backup facilities, including for testing purposes, than for smaller members or participants. Furthermore, the Commission believes that new members or participants are less likely to be designated immediately to participate in business continuity and disaster recovery plan testing than existing significant members or participants because new members may not initially satisfy the SCI entity's designation standards as they establish their businesses. Thus, the Commission [[Page 72408]] believes the adverse effect on competition may be mitigated to some extent as the most likely members or participants to be designated for testing are those comprising the largest market share as ranked by volume by the SCI entity, and that these firms will have more limited compliance costs.\1878\ --------------------------------------------------------------------------- \1878\ The Commission also notes that SCI entities have an incentive to limit the imposition of the cost and burden associated with testing to the minimum necessary to comply with Rule 1004, and that, given the option, most SCI entities would, in the exercise of reasonable discretion, prefer to designate fewer members or participants to participate in testing, than to designate more. See supra Section IV.B.6.b. --------------------------------------------------------------------------- 2. Analysis of Final Rules a. Definitions--Rule 1000 In general, the definitions in Rule 1000 either clarify a provision or circumscribe the scope of a provision in Regulation SCI. Therefore, many of the costs and benefits associated with the impacts of the definitions are incorporated in the discussion of the substantive requirements of Regulation SCI. This section contains a discussion of the economic effects of the scope of Regulation SCI resulting from the definitions adopted by the Commission. i. SCI Entities The Commission estimates that the definition of SCI entity in Rule 1000 currently covers 44 entities. This includes 30 current participants in the ARP Inspection Program (i.e., 18 registered national securities exchanges, seven registered clearing agencies, FINRA, two plan processors, one ATS trading NMS stocks, and one exempt clearing agency). The definition of SCI entity also includes one ATS that currently exceeds the relevant threshold in Rule 301(b)(6)(i) of Regulation ATS and is subject to the systems safeguard requirements of Regulation ATS. In addition to these entities, the definition of SCI entity includes the MSRB and an estimated 12 additional SCI ATSs. Generally, by including certain entities that do not currently participate in the ARP Inspection Program or meet the current threshold for the systems safeguard requirements of Regulation ATS in the definition of SCI entity, the Commission believes that Regulation SCI will not only enhance systems resiliency at such entities, but also reduce the potential for incidents at these entities to have broader, disruptive effects across the securities markets more generally on other SCI entities, and attendant costs to investors. Although the Commission believes that the requirements of Regulation SCI will reduce the impact of SCI events, the Commission is unable to quantify the economic effects of the reduction because the degree to which adherence to the requirements of Regulation SCI will reduce the impact of SCI events is unknown. As discussed throughout the economic analysis, the Commission also expects that SCI entities will incur costs for complying with the requirements of Regulation SCI and that these costs could affect the competitiveness of entities incurring such costs. For example, the section summarizing the effects of Regulation SCI on efficiency, competition, and capital formation, Section VI.C.1.c, discusses several ways that Regulation SCI might affect the competitiveness of SCI entities, including the competitiveness of SCI entities versus non-SCI entities, the relative initial competitiveness of SCI entities needing to make more changes to comply with Regulation SCI, and barriers to entry for SCI entities. As discussed in detail in Section IV.A.1, many commenters addressed the scope of the definition of SCI entity. Many of these comments related to the inclusion of certain ATSs in the definition.\1879\ Commenters presented mixed views on the inclusion of ATSs, with some commenters believing that all ATSs should be covered by Regulation SCI,\1880\ and other commenters arguing that no ATSs should be covered by Regulation SCI.\1881\ The commenters who supported including all ATSs in the scope of the definition of SCI entity argued that any ATS can impact the market and one of these commenters also stated that any participant on any ATS can have disproportionate impact on the market.\1882\ One of the main points of commenters that suggested no ATSs should be covered was that ATSs are redundant of exchanges and other ATSs and that, in case an ATS fails, other ATSs or exchanges can service investors and absorb trading volume.\1883\ Additionally, some commenters suggested applying higher thresholds in the definition of SCI ATS such that fewer ATSs would be covered under Regulation SCI.\1884\ Many of these commenters who advocated for applying higher thresholds in the definition of SCI ATS stated that the inclusion of smaller ATSs in the definition of SCI ATS does not justify what they believed to be the significant compliance costs imposed by Regulation SCI.\1885\ --------------------------------------------------------------------------- \1879\ See supra Section IV.A.1.b. \1880\ See, e.g., NYSE Letter at 8-10; and Lauer Letter at 4. \1881\ See, e.g., BIDS Letter at 3; ITG Letter at 2-4; and OTC Markets Letter at 9. \1882\ See, e.g., NYSE Letter at 8-10; and Lauer Letter at 4. \1883\ See, e.g., BIDS Letter at 7-8; and ITG Letter at 3. \1884\ See, e.g., Direct Edge Letter at 2; ITG Letter at 10. \1885\ See, e.g., ITG Letter at 9-10. --------------------------------------------------------------------------- The Commission believes that certain ATSs should be required to comply with rules regarding systems capacity, integrity, resiliency, availability, security, and compliance. ATSs now collectively represent a significant source of liquidity for NMS stocks.\1886\ Given this level of activity on ATSs, coupled with the increasingly inter- connected and complex nature of the markets and heavy reliance on automated systems, the Commission recognizes that a systems issue even at one ATS could result in a market-wide impact. Further, some ATSs execute a larger portion of consolidated volume than smaller exchanges. In this respect, an outage at one or more of these ATSs, which serve as markets to bring buyers and sellers together in the national market system, could disrupt the entire market and could pose even greater risks to the market as a whole than certain smaller exchanges. Accordingly, the Commission believes that the exclusion of all ATSs from the definition of SCI entity would significantly reduce the benefits of Regulation SCI discussed in Section VI.C.1. On the other hand, the Commission believes that including all ATSs in the definition of SCI entity would heighten barriers to entry and restrict competition in the markets for trading services and, thus, could stifle innovations. As discussed in Section IV.A.1.b, the Commission believes that the adopted thresholds for SCI ATSs result in the inclusion of ATSs that can play a significant role in the securities markets and, given their heavy reliance on automated systems, have the potential to impact investors, the overall market, and the trading of individual securities should an SCI event occur. With respect to comments calling for higher or lower volume thresholds, the Commission believes that higher thresholds would increase the risk of significant market disruptions due to SCI events relative to the adopted thresholds and lower thresholds would serve to increase barriers to entry. In setting the levels in the thresholds for SCI ATS, the Commission has considered the trade-offs between barriers to entry and the risk of significant market disruptions. --------------------------------------------------------------------------- \1886\ See supra note 148 and accompanying text. See also text accompanying supra note 1832. --------------------------------------------------------------------------- In adopting the thresholds in the definition of SCI ATS, the Commission also considered alternative thresholds, [[Page 72409]] including the threshold used in Regulation ATS. The adopted thresholds in the definition of SCI ATS differ from the thresholds that subject an ATS to the systems safeguard requirements under Rule 301(b)(6) of Regulation ATS in several ways.\1887\ First, for ATSs that trade NMS stocks or non-NMS stocks, the adopted thresholds are based on dollar trading volume instead of share trading volume. The Commission believes that the application of dollar trading volume thresholds better reflects the potential economic impact of a systems issue at a significant ATS as it more accurately measures the value of trading activity compared to a threshold based on share trading volume.\1888\ Second, the adopted volume thresholds for NMS stocks and non-NMS stocks are lower than the volume thresholds in Rule 301(b)(6) of Regulation ATS. As discussed in IV.A.1.b, securities trading has evolved significantly since the adoption of Regulation ATS; today, trading activity in stocks is more dispersed among a larger number of trading venues. Because trading activity in stocks is now dispersed among a larger number of trading venues and markets today are so inter- connected and complex, the Commission believes that the application of lower volume thresholds would more effectively capture multiple sources of potential systems issues that could significantly disrupt the market for a single security or for the market as a whole. Third, with respect to ATSs that trade NMS stocks, the Commission is adopting the two-fold dollar volume thresholds in the first prong--a single NMS stock threshold and an all NMS stocks threshold. The Commission believes that such thresholds would appropriately account for the significance of an ATS in both overall trading of NMS stocks and for a single NMS stock. --------------------------------------------------------------------------- \1887\ See also supra Section IV.A.1.b. \1888\ See text accompanying supra note 161; see also Proposing Release, supra note 13, at 18094 (stating that the use of dollar thresholds may better reflect the economic impact of trading activity). --------------------------------------------------------------------------- With regard to commenters that stated no ATSs should be covered because ATSs are redundant of exchanges and other ATS, the Commission acknowledges that, to some extent, certain services provided by any trading venue, including exchanges and ATSs, are redundant in the sense that these facilities execute and process trades. However, the Commission notes that each ATS provides different services in terms of, among other things, order types, matching rules, and the speed of execution to meet investors' specific needs. If an ATS outage interferes with the supply of certain services that investors demand, it would impose costs on investors. For example, market participants may program their routing algorithms assuming that all market centers are operational. If one of those venues is not available, rerouting order flow may increase costs to the market participant seeking execution as time required for executing orders may increase, order fill rates may decrease, and slippage \1889\ may also increase, which would further increase transaction costs.\1890\ --------------------------------------------------------------------------- \1889\ Slippage refers to the difference between the expected price of a trade and the actual trade price due to the passage of time. \1890\ See supra Section VI.B.4 for a discussion of why market incentives do not seem to reduce these costs. --------------------------------------------------------------------------- The Commission also received comments regarding the inclusion of fixed-income ATSs. One commenter suggested the use of par value traded rather than volume.\1891\ Further, in noting that fixed-income ATSs should not be subject to Regulation SCI, this commenter noted that retail fixed-income ATSs operate on a vastly different scale than institutional equity markets.\1892\ According to this commenter, the costs of compliance for a retail fixed-income ATS would be several orders of magnitude higher than for an exchange in the equity market, and would overwhelm revenues for retail fixed-income ATSs.\1893\ --------------------------------------------------------------------------- \1891\ See TMC Letter at 1-3. \1892\ See id. at 2. \1893\ See id. --------------------------------------------------------------------------- The Commission, after considering the views of commenters, has determined to exclude ATSs that trade only municipal securities or corporate debt securities from the definition of SCI ATS at this time.\1894\ Accordingly, such fixed-income ATSs will not be subject to the requirements of Regulation SCI. Rather, fixed-income ATSs will continue to be subject to the existing requirements in Rule 301(b)(6) of Regulation ATS regarding systems capacity, integrity and security if they meet the twenty percent threshold for municipal securities or corporate debt securities provided by that rule.\1895\ Because no such ATS is subject to Regulation SCI at this time, it is possible that the municipal security and corporate debt markets may be affected by SCI events that otherwise may have been prevented with more robust systems that would result from Regulation SCI. However, the Commission believes that this loss in potential benefit relative to the proposed approach would be minimal as fixed-income securities trading is generally significantly less automated than trading in equities.\1896\ Further, as commenters pointed out, the cost of the requirements of Regulation SCI could be significant for fixed-income ATSs relative to their size, scope of operations, and more limited potential for systems risk. Therefore, lowering the current threshold applicable to fixed-income ATSs in Regulation ATS and subjecting such ATSs to the requirements of Regulation SCI could have potentially discouraged the growth of automation that could benefit investors in these markets. However, as the Commission monitors the evolution of automation in this market, the Commission may reconsider the benefits and costs of extending the requirements of Regulation SCI to fixed-income ATSs in the future. --------------------------------------------------------------------------- \1894\ See supra Section IV.A.1.b. \1895\ See 17 CFR 242.301(b)(6). \1896\ The Commission notes that the corporate debt and municipal securities markets are primarily voice markets with little automation. See also supra note 185 (discussing the view of commenters that the inclusion of fixed-income ATSs and/or the adoption of the proposed thresholds would impose unduly high costs on these entities given their size, scope of operations, lack of automation, low speed, and resulting low potential to pose risk to systems). --------------------------------------------------------------------------- The adopted definition of SCI SRO includes all national securities exchanges regardless of their volume share. The Commission received one comment letter stating that the rule should also include volume thresholds for exchanges.\1897\ The Commission is not persuaded that applying a volume threshold is appropriate for SCI SROs that are exchanges, but instead believes that Regulation SCI should cover all exchanges. In particular, the Commission recognizes that all exchanges play an important role in the securities markets. As discussed above in Section IV.A.1.a, all stock exchanges are subject to a variety of specific public obligations under the Exchange Act, including the requirements of Regulation NMS which, among other things, designates the best bid or offer of such exchanges to be protected quotations. Accordingly, every exchange may have a protected quotation that can obligate market participants to send orders to that exchange if such exchange is displaying the best bid or offer. Among other reasons, given that market participants may be required to send orders to any one of the exchanges at any given time if such exchange is displaying the best bid or offer, the Commission believes that it is important that the safeguards of Regulation SCI apply equally to all exchanges irrespective of trading volume. As [[Page 72410]] market participants may be required to send orders to the exchange displaying the best prices, systems issues at such exchange could force market participants to re-route their orders and, thus, could increase execution time and slippage, imposing additional transaction costs to investors. --------------------------------------------------------------------------- \1897\ See supra note 81 and accompanying text. --------------------------------------------------------------------------- With respect to options exchanges, the Commission additionally believes that it would be inappropriate to exclude them from the definition of SCI SRO because technology risks are equally applicable to such exchanges, as evidenced by recent technology incidents affecting the options markets.\1898\ While there are many options that trade on multiple venues, systems issues resulting in trading disruptions at an options exchange could lower the quality of pricing efficiency and disrupt the price discovery process for singly-listed options (e.g., certain index options only trade on one options exchange). As such, systems issues at options exchanges can pose significant risks to the markets, and the Commission believes that the inclusion of options exchanges within the scope of Regulation SCI is necessary to achieve the goals of Regulation SCI. --------------------------------------------------------------------------- \1898\ See supra note 84. --------------------------------------------------------------------------- The definition of SCI entity also includes the MSRB. The Commission believes that the inclusion of the MSRB as an SCI entity will provide several significant benefits. In particular, the MSRB collects and consolidates municipal securities data and makes it available to market participants. The Commission believes that any event that could affect the market data collected and consolidated by the MSRB could significantly disrupt the municipal bond market. Also, the municipal securities data collected by the MSRB is provided to FINRA and made available to the Commission and the bank regulators, and serves as a key resource for monitoring the municipal bond market. Therefore, the inclusion of the MSRB will help ensure the robustness of the MSRB's systems and reduce the likelihood of systems issues that could harm investors in the municipal bond market. As discussed above in Section IV.A.1, several commenters advocated the adoption of a ``risk-based'' approach in the definition of SCI entity based on the criticality of the functions performed.\1899\ In effect, these commenters suggested that the Commission apply provisions of Regulation SCI based on the entity's risk to the operations of the U.S. securities markets based on the entity's functional role in the market (e.g., a primary listing market, the sole venue of the security, a monopoly or utility type role with no redundancy). The Commission has considered these factors in developing the definition of SCI entity and believes that the adopted definition, in part, captures the intent of the commenters' suggestions in that it includes entities in the definition that play a significant role in the securities markets. In particular, as discussed in Section IV.A.1.a in detail, the Commission included all exchanges in the definition of SCI SRO because exchanges play a significant role in the functioning of securities markets. With respect to the comments that suggested including only those entities that are essential to continuous market-wide operation, the Commission believes that the specific criteria suggested by commenters, in effect, could lead to the exclusion of significant ATSs. As discussed above, the Commission continues to believe that significant ATSs that trade NMS and non-NMS stocks should be included in Regulation SCI. ATSs collectively represent a significant source of liquidity for stocks. Furthermore, as today's markets are increasingly inter-connected and complex with heavy reliance on automated systems, the Commission recognizes that a systems issue at an ATS could result in a market-wide impact. Consequently, the Commission believes that re-defining SCI entities according to commenters' ``risk-based'' approach could exclude certain entities that the Commission believes have the potential to pose significant risks to the securities markets should an SCI event occur, and thus limit the potential benefits from Regulation SCI, which are discussed throughout this economic analysis. --------------------------------------------------------------------------- \1899\ See supra notes 53-57 and accompanying text. --------------------------------------------------------------------------- ii. SCI Systems Regulation SCI expands on current practice, and applies to a broader range of systems than the current ARP Inspection Program. In particular, the ARP Policy Statements are focused on specific types of automated systems.\1900\ The ARP Policy Statements and the ARP Inspection Program address systems that directly support trading, clearance and settlement, order routing, and market data. The definition of ``SCI systems'' would include these systems, as well as those that directly support market regulation and market surveillance, systems that serve an essential function for investor protection and market integrity. --------------------------------------------------------------------------- \1900\ See supra Section II.A and Proposing Release, supra note 13, at Section I.A (discussing in more detail the ARP Policy Statements and the ARP Inspection Program). According to the ARP I Release, the term ``automated systems'' or ``automated trading systems'' means computer systems for listed and OTC equities, as well as options, that electronically route orders to applicable market makers and systems that electronically route and execute orders, including the data networks that feed the systems. These terms also encompass systems that disseminate transaction and quotation information and conduct trade comparisons prior to settlement, including the associated communication networks. See ARP I Release, supra note 1, at 48706, n. 21. --------------------------------------------------------------------------- The inclusion of market regulation and market surveillance systems under Regulation SCI could reduce systems compliance issues that result from disruptions in systems that support market regulation and market surveillance. The Commission believes that including market regulation and market surveillance systems under the definition of SCI systems should help ensure the robustness of the systems used by SCI entities to monitor compliance with relevant laws, rules, and their own rules, and detect any violations of such laws or rules by members or participants. The reduction in market regulation and market surveillance systems issues could help ensure investor protection and preserve market integrity. The Commission also believes that the inclusion of market data systems in the definition of SCI systems will benefit the market. Currently, SIAC, Nasdaq, and the MSRB \1901\ process, collect, and disseminate market data on equities, options, and municipal securities to investors. While SIAC and Nasdaq are part of the ARP Inspection Program, the MSRB is not. The Commission believes that consolidated market data is an important part of the investing and trading process as it helps market participants to make well-informed investment and trading decisions, and also helps investors to monitor the quality of execution of orders by their brokers. Thus, any SCI events that affect market data processed, collected, and disseminated by the MSRB could reduce [[Page 72411]] pricing efficiency and, consequently, could significantly disrupt the municipal bond market. Further, with respect to NMS securities, the Commission understands that many trading algorithms make trading decisions based primarily on market data and rely on that data being current and accurate. --------------------------------------------------------------------------- \1901\ As discussed above, in 2008, the Commission amended Rule 15c2-12 to designate the MSRB as the single centralized disclosure repository for continuing municipal securities disclosure. In 2009, the MSRB established EMMA, which serves as the official repository of municipal securities disclosure and provides the public with free access to relevant municipal securities data, and is the central database for information about municipal securities offerings, issuers, and obligors. Additionally, the MSRB's RTRS, with limited exceptions, requires municipal bond dealers to submit transaction data to the MSRB within 15 minutes of trade execution, and such near real-time post-trade transaction data can be accessed through the MSRB's EMMA Web site. See supra note 77. The MSRB is an SCI entity by virtue of being an SRO, rather than a plan processor. --------------------------------------------------------------------------- In addition, as noted in Section IV.A.2.b, market data as used in the definition of ``SCI systems'' does not refer exclusively to consolidated market data, but also includes proprietary market data generated by SCI entities as well. The Commission notes that proprietary market data is widely used and relied upon by a broad array of market participants, including institutional investors, to make trading decisions. Therefore, if a proprietary market data feed became unavailable or otherwise unreliable, it could interfere with market participants making trading decisions and impose additional transaction costs on market participants. The Commission has limited information on the extent to which the ARP Policy Statements guide ARP participants' practices with respect to their proprietary market data systems because this information is not reported to the Commission. To the extent that the ARP Policy Statements guide ARP participants with respect to certain of their proprietary market data systems, the potential benefits from including proprietary market data systems in Regulation SCI could be incremental given current practice. The Commission also notes that entities have competitive incentives to limit the number of systems issues with their proprietary market data systems, as those SCI entities with minimum latency and the most robust proprietary market data systems may attract more trading volume. While proprietary market data systems have experienced systems issues, because these issues are not reported to the Commission, the Commission has limited information on the frequency and severity of such systems issues and, in addition, does not have information about how proprietary market data systems issues affect the demand to subscribe to a particular proprietary market data feed. Although the Commission is unable to estimate the benefits and costs of subjecting proprietary market data systems to Regulation SCI, the Commission believes that if a proprietary market data feed became unavailable or otherwise unreliable, it could have a significant impact on the trading of the securities to which it pertains, and could interfere with the maintenance of fair and orderly markets.\1902\ --------------------------------------------------------------------------- \1902\ See supra Section IV.A.2.b. --------------------------------------------------------------------------- To the extent that proprietary market data systems and consolidated market data systems share common infrastructure, the compliance costs associated with proprietary market data systems could be incremental to those costs associated with consolidated market data systems. In addition, to the extent the ARP Policy Statements guide ARP participants with respect to their proprietary market data systems, the initial compliance costs associated with proprietary market data systems will be lower for these participants with respect to the relevant proprietary market data systems. As adopted, a subset of SCI systems are defined as critical SCI systems. Critical SCI systems are defined as SCI systems of, or operated by or on behalf of, an SCI entity that directly support functionality relating to clearance and settlement systems of clearing agencies; openings, reopenings, and closings on the primary listing exchange; trading halts; initial public offerings; the provision of consolidated market data; and exclusively listed securities.\1903\ In addition, critical SCI systems include systems that provide functionality to the securities markets for which the availability of alternatives is significantly limited or nonexistent, and without which there would be a material impact on fair and orderly markets.\1904\ Critical SCI systems include systems that represent potential ``single points of failure'' in the securities markets--if they were to experience systems issues, the Commission believes they would be the most likely to have a widespread and significant impact on the U.S. securities markets. Critical SCI systems are subject to certain heightened resilience and information dissemination requirements under Regulation SCI. In addition, because an SCI entity may tailor its policies and procedures based on the relative criticality of a given system to the SCI entity and to the securities markets generally, an SCI entity may subject its critical SCI systems to higher standards than other SCI systems. --------------------------------------------------------------------------- \1903\ See Rule 1000. \1904\ See id. --------------------------------------------------------------------------- By adopting a defined term ``critical SCI systems'' (which is not defined for purposes of the ARP Inspection Program or Regulation ATS), along with the heightened requirements associated with critical SCI systems, the Commission expects fewer disruptions in critical SCI systems, and therefore fewer SCI events involving potential ``single points of failure'' that could cause wide-scale disruptions across the securities markets. As explained in Section VI.C.1, this could reduce the likelihood and duration of systems issues, thereby helping to avoid pricing inefficiencies and reduce interruptions in liquidity flow, which may occur during times when systems disruptions can make systems unavailable or unreliable. The Commission also notes that, by distinguishing critical SCI systems from other SCI systems, and because an SCI entity may tailor its policies and procedures based on the relative criticality of a given system to the SCI entity and to the securities markets generally, an SCI entity may subject its critical SCI systems to higher standards than other SCI systems. In addition, critical SCI systems are subject to a goal of two-hour recovery following a wide-scale disruption, and a requirement for information dissemination to all members or participants of an SCI entity in the case of an SCI event impacting critical SCI systems (unless the SCI event qualifies as a de minimis SCI event). As result, the designation of critical SCI systems may result in additional costs as compared to the proposal. However, by distinguishing critical systems, Regulation SCI is consistent with a risk-based approach that targets areas that would generate the most benefits. Regulation SCI defines ``indirect SCI systems'' \1905\ to mean any systems of, or operated by or on behalf of, an SCI entity that, if breached, would be reasonably likely to pose a security threat to SCI systems.\1906\ As discussed above in Section IV.A.2.d, the adopted definition excludes systems that are effectively physically or logically separated from SCI systems because the Commission believes that the benefit of including systems that can effectively be ``walled off'' may be limited, as ``walled off'' systems are less likely to serve as potential vulnerable entry points to SCI systems in the event of a security [[Page 72412]] breach.\1907\ Regulation SCI will expressly impose new requirements on systems that fall within the definition of ``indirect SCI systems'' (which is not defined for purposes of the ARP Inspection Program or Regulation ATS). These new requirements for indirect SCI systems should help ensure the robustness and resiliency of SCI systems by reducing the occurrence of security-related issues at SCI systems. Moreover, the application of Regulation SCI to indirect SCI systems could encourage SCI entities to isolate certain non-SCI systems from SCI systems (thereby removing these non-SCI systems from the scope of indirect SCI systems), which would decrease the risk that non-SCI systems provide vulnerable points of entry into SCI systems and cause security-related issues at SCI systems. The reduction in security-related SCI systems issues could lead to fewer interruptions in the price discovery process and liquidity flows and thus result in fewer periods with pricing inefficiencies as discussed in Section VI.C.1. --------------------------------------------------------------------------- \1905\ As discussed in Section IV.A.2.d, ``SCI security systems'' have been renamed ``indirect SCI systems'' and its definition has been revised in response to commenters who expressed concern about the breadth of the proposed definition. Because the definition of indirect SCI systems has been refined from the proposal, the compliance costs associated with indirect SCI systems (discussed below) would be lower relative to the compliance costs associated with the proposed rules. \1906\ As proposed, ``SCI security systems'' means any systems that share network resources with SCI systems that, if breached, would be reasonably likely to pose a security threat to SCI systems. \1907\ Some SCI entities currently employ a wide variety of means to separate their systems, including logical and physical separation. --------------------------------------------------------------------------- Regulation SCI specifies the obligations SCI entities would have with respect to SCI systems and indirect SCI systems. As mentioned above, the definition of SCI systems includes more systems than the ARP Inspection Program traditionally covered, and ``indirect SCI systems'' is not defined for purposes of the ARP Inspection Program or Regulation ATS. Because Regulation SCI applies to SCI systems and indirect SCI systems, SCI entities will incur compliance costs, discussed in detail further below in Section VI.C.2, which include, among other things, costs associated with policies and procedures related to such systems. Furthermore, as mentioned above, the definition of SCI systems includes systems that directly support trading, clearance and settlement, order routing, and market data, which are covered by the ARP Inspection Program. Accordingly, the Commission believes that initial compliance costs associated with SCI systems will be higher for SCI entities that are not currently participating in the ARP Inspection Program (e.g., some SCI ATSs) as compared to ARP Inspection Program participants that have established practices consistent with the ARP Policy Statements. Although the Commission believes that some SCI ATSs will generally incur higher initial compliance costs associated with the requirements of Rule 1001 compared to other SCI entities that are current participants in the ARP Inspection Program, the difference in initial compliance costs could be limited because, as currently constituted, relative to the systems of SCI SROs, the systems of SCI ATSs generally would not fall within the category of critical SCI systems, and thus such SCI ATSs would not be subject to the more stringent requirements that would be applicable to the critical SCI systems of other SCI entities. Further, as discussed in Section VI.C.1, the Commission believes that Regulation SCI could have an impact on competition among SCI entities in part because the initial compliance costs associated with SCI systems and indirect SCI systems will vary across SCI entities. In the SCI Proposal, the Commission defined SCI systems more broadly than it has in the adopted rule. Specifically, the proposed definition of SCI systems would have included all regulation and surveillance systems, as well as development and testing systems. As discussed above in Section IV.A.2.b, after considering, among other things, the views of commenters that the definition of SCI systems was overbroad and, thus, could cover nearly all systems of an SCI entity, the Commission refined the definition of SCI systems.\1908\ Specifically, the scope of adopted Regulation SCI does not cover member regulation or member surveillance systems such as those, for example, relating to member registration, capital requirements, or dispute resolution, because issues relating to such systems are unlikely to have the same level of impact on the maintenance of fair and orderly markets or an SCI entity's operational capability as those systems identified in the definition of SCI systems. Consequently, the Commission does not believe that the exclusion of member regulation and member surveillance systems will significantly reduce the benefits of Regulations SCI discussed in Section VI.C.1. Furthermore, the Commission believes that the exclusion of member regulation and member surveillance systems from the adopted definition of SCI systems will substantially reduce the costs of compliance with Regulation SCI relative to the proposal because it reduces the potential number of SCI events that would be subject to the Commission notification requirements compared to the proposal. --------------------------------------------------------------------------- \1908\ See supra Section IV.A.2.b (discussing the definition of SCI systems). --------------------------------------------------------------------------- As discussed above in Section IV.A.2.b, many commenters also opposed the inclusion of development and testing systems in the definition of SCI system, stating that issues in development and testing systems would have little or no impact on the operations of SCI entities.\1909\ The Commission agrees that issues with development and testing systems generally have less of an impact on the SCI entity's operations than production systems that directly support trading, clearance and settlements, order routing, market data, market regulation, and market surveillance. In response to comment letters, the adopted definition of SCI systems is limited to systems that directly support trading, clearance and settlement, order routing, market data, market regulation, and market surveillance, and does not include development and testing systems. Consequently, the requirements of Regulation SCI that are triggered by the definition of SCI systems do not apply to development and testing systems. However, the Commission recognizes that there would be benefits from maintaining robust development and testing systems because these systems are important in ensuring the reliability and resiliency of systems of SCI entities. As discussed in Section IV.A.2.b, in order to have policies and procedures reasonably designed to ensure capacity, integrity, resiliency, availability, and security for SCI systems (and indirect SCI systems, as applicable) in accordance with adopted Rule 1001(a), an SCI entity will be required to have policies and procedures that include a program to review and keep current systems development and testing methodology for such systems.\1910\ --------------------------------------------------------------------------- \1909\ See supra note 234 and accompanying text. \1910\ Further, as discussed above, the definition of SCI review and the corresponding requirement for an annual SCI review require an assessment of internal control design and effectiveness, which includes development processes. In addition, if development and testing systems are not appropriately walled off from production systems, such systems could be captured under the definition of indirect SCI systems and be subject to the requirements of Regulation SCI. --------------------------------------------------------------------------- A few commenters advocated that SCI entities should be permitted to conduct their own risk-based assessment in determining the scope of SCI systems.\1911\ As discussed in Section IV.A.2.b, rather than limiting the definition of SCI systems to systems that pose a greater risk to the markets in the event of a systems issue or that are of paramount importance to the functioning of the U.S. securities market, the Commission is subjecting those systems that meet the definition of ``critical SCI systems'' to certain heightened requirements under [[Page 72413]] Regulation SCI. The Commission continues to believe that any systems issues involving systems that directly support one of the six functions (trading, clearance and settlement, order routing, market data, market regulation, or market surveillance) listed in the definition of SCI systems could also cause significant market disruptions and, thus, including such systems and imposing heightened requirements on a subset of such systems--critical SCI systems--should help realize the benefits of Regulation SCI discussed in Section VI.C.1.a. --------------------------------------------------------------------------- \1911\ See DTCC Letter at 3-5; Omgeo Letter at 5-6; and OCC Letter at 3-4. --------------------------------------------------------------------------- As discussed above in Section IV.A.2.b, the definition of SCI systems includes any system that is operated by a third-party on behalf of an SCI entity and directly supports one of the six key functions (trading, clearance and settlement, order routing, market data, market regulation, or market surveillance) listed in the definition of SCI systems. The Commission understands that many SCI entities and many SROs, in particular, rely heavily on outsourcing to help test, operate, and run various systems in their daily operations and that they outsource networks, data center operations, and many of the products and systems that support their trading and/or clearing systems. The Commission also notes that its staff already discusses with ARP entities their use of certain third-party systems as necessary under the ARP Inspection Program. Because of this reliance on outsourcing to third party systems, the Commission believes that including any system that directly supports one of the six functions listed in the definition of SCI system, regardless of whether it is operated by the SCI entity directly or by a third party, is important in reducing systems issues and, thus, promoting pricing efficiency and price discovery process. Several commenters stated that the definition of SCI systems should not include systems operated on behalf of an SCI entity by a third- party.\1912\ These commenters expressed concerns about potential difficulties with meeting the requirements of Regulation SCI with regard to third-party systems.\1913\ Another commenter questioned whether the Commission considered the costs and benefits of including third-party systems within the definition.\1914\ This commenter also noted that the inclusion of third-party systems may force SCI entities to insource functions that are more efficiently performed by vendors, and the cost of insourcing will be passed along to members and market participants and may degrade competition.\1915\ --------------------------------------------------------------------------- \1912\ See, e.g., Omgeo Letter at 5-6; and BATS Letter at 4. \1913\ See, e.g., Omgeo Letter at 5-6; and BATS Letter at 4. \1914\ See BATS Letter at 4-5. \1915\ See id. at 5. --------------------------------------------------------------------------- As discussed above, the Commission believes that, among other reasons, allowing systems operated on behalf of an SCI entity by a third-party to be excluded from the requirements of Regulation SCI would reduce the effectiveness of the regulation in promoting the national market system by ensuring the capacity, integrity, resiliency, availability, and security of those systems important to the functioning of the U.S. securities markets.\1916\ The Commission acknowledges that ensuring compliance of systems operated by a third- party with Regulation SCI may be more costly than ensuring compliance of internal systems with Regulation SCI because of search costs associated with employing adequate third-party systems or services and the additional communication needed with the third-party service provider. The Commission acknowledges that higher compliance costs associated with managing third-party systems could be passed on to market participants. --------------------------------------------------------------------------- \1916\ See supra Section IV.A.2.b (discussing the definition of ``SCI systems''). --------------------------------------------------------------------------- Moreover, the Commission recognizes that the inclusion of systems operated by a third-party on behalf of an SCI entity in the scope of SCI systems may in certain cases make it more difficult for an SCI entity to utilize third parties because the SCI entity is required to ensure that SCI systems and indirect SCI systems operated on its behalf by a third party are operated in compliance with Regulation SCI. In particular, the SCI entity might not be able to ensure that systems operated by certain third parties are in compliance with Regulation SCI and therefore might not be able to utilize such third-party service providers. Limitations on the choice of third-party systems could lower the quality of employable third-party systems because the employable third-party systems may not be best suited for the SCI entity or be the best available of its type. At this time, however, it is difficult to estimate the extent to which inclusion of systems operated by third parties on behalf of an SCI entity in the definition of SCI systems will alter outsourcing arrangements in a manner that would result in reducing an SCI entity's ability to maintain its operational capability and promote the maintenance of fair and orderly markets. While the Commission understands that SROs outsource some systems, the Commission lacks sufficient information regarding the specific contractual relationships between SCI entities and third-party service providers. Furthermore, if--due to limited options on employable third- parties--an SCI entity decides to insource systems that could be more cost-effectively provided by third parties with relevant expertise, the quality of such systems may be adversely affected, while the cost to the SCI entity may be increased. As such, Regulation SCI could impose higher costs on SCI entities that are currently more dependent on third-party systems for their operations than SCI entities that primarily employ their own systems and therefore could potentially have adverse effects on competition among SCI entities. In addition, the requirements of Regulation SCI could force some third-party vendors out of the market for SCI systems or indirect SCI systems. In this respect, Regulation SCI could negatively impact such vendors and reduce the ability for some third-party vendors to compete in the market for SCI systems and indirect SCI systems, with attendant costs to SCI entities. However, Regulation SCI, over time, could result in quality improvements for systems or services provided by such third-party vendors as vendors that primarily provide services to SCI entities may compete in part on the quality of their systems in light of the requirements of Regulation SCI. iii. SCI Events Rule 1000 defines SCI events to include systems disruptions, systems compliance issues, and systems intrusions. Further, for purposes of the information dissemination requirement under Rule 1002(c), the Commission defines the new term, major SCI event, to mean an SCI event that has had, or the SCI entity reasonably estimates would have, any impact on a critical SCI system, or a significant impact on the SCI entity's operations or on market participants. As discussed further below, Regulation SCI requires SCI entities to take appropriate corrective actions in response to SCI events (Rule 1002(a)), notify the Commission of SCI events (Rule 1002(b)), and disseminate information regarding certain major SCI events to all members or participants of an SCI entity and certain other SCI events to affected members or participants (Rule 1002(c)). Prior to the adoption of Regulation SCI, ``systems disruption'' was not defined by Commission rule. Rather, in the 2001 Staff ARP Interpretive Letter, Commission staff provided guidance on [[Page 72414]] examples of significant systems outages that should be reported to Commission staff.\1917\ The Commission understands that ARP participants currently exercise a level of discretion in determining what systems issues constitute significant systems outages. --------------------------------------------------------------------------- \1917\ See 2001 Staff ARP Interpretive Letter, supra note 21. --------------------------------------------------------------------------- As adopted, ``systems disruption'' is defined to mean an event in an SCI entity's SCI systems that disrupts, or significantly degrades, the normal operation of an SCI system. The Commission believes the revised definition sets forth a standard that SCI entities can apply in a wide variety of circumstances to determine in their discretion whether a systems issue should be appropriately categorized as a systems disruption. The adopted definition of systems disruption potentially covers types of events that were not articulated as part of Commission staff guidance regarding significant systems outages, and at the same time potentially excludes types of systems events that were articulated as part of such guidance. The Commission, however, believes that the adopted definition of systems disruptions would more appropriately capture material or significant systems issues than the 2001 Staff ARP Interpretive Letter. Accordingly, the inclusion of systems disruptions in the definition of SCI event, along with the requirements of taking timely corrective actions, Commission notification, information dissemination, and recordkeeping on these systems issues, should help effectively reduce the severity and duration of events that harm pricing efficiency, price discovery, and liquidity and help Commission oversight of the securities markets. The Commission also acknowledges that SCI entities will incur some costs to determine whether a systems disruption has occurred. The Commission notes that these costs should be lower compared to the proposed definition, in part, because the adopted definition of systems disruption sets forth a standard that permits SCI entities to more effectively identify such systems issues. As discussed in Section IV.A.3.a, after considering the views of commenters that the proposed definition of systems disruption was too prescriptive, insufficiently flexible, and should be limited to material systems disruptions, the Commission has taken a different approach. Instead of the proposed seven-prong prescriptive definition representing the effects caused by a disruption of an SCI entity's systems, the adopted definition focuses on whether a system is halted or degraded in a manner that is outside of its normal operation. The proposed definition had the potential to incorporate certain types of minor events that should more appropriately fall outside the purview of the regulation. Similarly, the prescriptive approach of the proposed definition also had the potential to exclude certain types of events that were significant enough to warrant inclusion, but may otherwise have gone unreported because they were not one of the seven enumerated types of systems malfunctions. Currently, ``systems intrusion'' is not defined by Commission rule or Commission staff guidance. The Commission believes that regulated entities exercise a level of discretion in determining what systems intrusions to report to Commission staff. By adopting a definition of systems intrusion, the Commission is specifying the criteria for SCI entities to use to identify systems intrusions that would be subject to Regulation SCI. The definition of systems intrusion covers successful unauthorized entry to SCI systems and indirect SCI systems. Unauthorized access, destruction, and manipulation of SCI systems and indirect SCI systems could adversely affect the markets and market participants because intruders could force systems to operate in unintended ways that could create significant disruptions in securities markets. Therefore, the inclusion of systems intrusions in the definition of SCI events can help reduce the risk of such adverse effects. The Commission believes that the inclusion of systems intrusion in the definition of SCI event should help ensure consistent compliance with the requirements of taking timely corrective actions, Commission notification, information dissemination, and recordkeeping and, thus, should help realize the benefits of those requirements discussed in sections below. The Commission also acknowledges that SCI entities will incur some costs to determine whether a systems intrusion has occurred. Currently, ``systems compliance issue'' is also not defined by Commission rule or Commission staff guidance and the Commission believes that regulated entities exercise a level of discretion in determining what systems compliance-related issues to report to Commission staff. While the ARP Policy Statements do not address systems compliance issues, some SCI entities notify the Commission of certain systems compliance-related issues.\1918\ As noted above, however, the Commission does not receive comprehensive data regarding such issues. By adopting a definition of systems compliance issue, the Commission is specifying the criteria for SCI entities to use to identify systems compliance issues that would be subject to Regulation SCI. --------------------------------------------------------------------------- \1918\ See supra note 1803 and accompanying text. As part of the Commission's oversight of SROs, OCIE reviews systems compliance issues reported to Commission staff. --------------------------------------------------------------------------- By defining SCI events to include systems compliance issues, the Commission believes Regulation SCI should further assist the Commission in its oversight of SCI entities and in the protection of investors. Specifically, the Commission believes that inclusion of systems compliance issues in the definition of SCI event and the resulting applicability of the Commission reporting, information dissemination, and recordkeeping requirements are important to help ensure that SCI systems are operated by SCI entities in compliance with the Exchange Act, rules thereunder, and their own rules and governing documents.\1919\ In addition, the Commission believes that, as part of its oversight of the securities markets, it should learn of a non-de minimis systems compliance issue immediately upon an SCI entity having a reasonable basis to conclude that such a systems compliance issue has occurred so that the Commission may consider whether there has been any resulting harm to investors or market participants. The Commission also acknowledges that SCI entities could incur some costs to determine whether a systems compliance issue has occurred. --------------------------------------------------------------------------- \1919\ See supra Section IV.A.3.b. --------------------------------------------------------------------------- The Commission notes that it has refined the definition of systems compliance issue as compared to the proposal by replacing the phrase ``federal securities laws'' with ``the Act.'' \1920\ Accordingly, the number of systems compliance issues subject to Regulation SCI could be no greater and possibly lower than if the Commission adopted the definition of systems compliance issue as proposed and there could be a corresponding reduction in benefits, compared to the proposal, as a result of adopting a targeted definition.\1921\ --------------------------------------------------------------------------- \1920\ See id. \1921\ For example, the adopted definition of systems compliance issue makes explicit that the requirements of Regulation SCI do not apply to any obligations that an SCI entity has under the Securities Act of 1933. --------------------------------------------------------------------------- Regulation SCI also defines ``major SCI event.'' The addition of the definition of major SCI event allows the requirement for dissemination of [[Page 72415]] information to all members or participants of an SCI entity to be consistent with a tiered, risk-based approach. As discussed in Section VI.C.2.b.iv below and in Section VI.C.1 above, dissemination of information regarding SCI events to all members or participants of an SCI entity can result in benefits and affect competitive incentives to prevent systems issues. The Commission acknowledges, however, that the benefits of information dissemination to all members or participants of an SCI entity would not be realized if SCI entities were required to disseminate too many events, creating confusion about which events are meaningful, or if SCI entities were required to disseminate too few events. The definition of major SCI events provides a targeted approach to determining which events are appropriately disseminated to all members or participants of an SCI entity. The Commission also acknowledges that, as discussed in Section VI.C.2.b.iv below, SCI entities would incur compliance costs associated with developing a process for determining major SCI events and de minimis SCI events. SCI entities will incur compliance costs with regard to the requirements of Regulation SCI. As noted above, the definition of SCI event includes systems disruptions and systems intrusions, terms that are not defined under the ARP Inspection Program, but which are contemplated by the ARP Inspection Program's attention to systems failures, disruptions, and other systems problems, including systems vulnerability.\1922\ To this extent, the initial compliance costs associated with SCI events may be higher for SCI entities that are not currently participating in the ARP Inspection Program than for those currently participating in the ARP Inspection Program. Similarly, the initial compliance costs associated with SCI events will be higher for SCI entities that do not currently self-report systems compliance- related issues to the Commission than those that do. As discussed in Section VI.C.1, the Commission believes that Regulation SCI will have an impact on competition among SCI entities because the initial compliance costs stemming from the definition of SCI events will be different among SCI entities. However, all SCI entities, regardless of current participation in the ARP Inspection Program or self-reporting of systems compliance-related issues, could incur costs associated with the inclusion of major SCI events as a definition. --------------------------------------------------------------------------- \1922\ See supra Section II.A (discussing the ARP Inspection Program). --------------------------------------------------------------------------- As an alternative to the adopted definitions of SCI event, several commenters suggested that the definition of SCI event include a materiality threshold such that certain Regulation SCI requirements would apply only to events that exceed the threshold, as determined by the SCI entity.\1923\ The Commission is not persuaded that incorporating a materiality threshold into the definition of SCI event would appropriately capture SCI events. Some systems issues, which may initially seem insignificant to an SCI entity, may later prove to be the source of significant systems issues at the SCI entity. Furthermore, there could be incidences in which systems issues cause minor disruptions for one particular SCI entity but result in significant disruptions for another SCI entity or market participant. Under the use of the suggested materiality threshold, such systems issues could be overlooked and timely corrective action may not be taken. --------------------------------------------------------------------------- \1923\ See supra note 334 and accompanying text. --------------------------------------------------------------------------- b. Requirements for SCI Entities--Rules 1001-1004 i. Policies and Procedures--Rules 1001(a), (b), and (c) Rules 1001(a), (b), and (c) set forth requirements relating to the written policies and procedures that SCI entities are required to establish, maintain, and enforce. Rule 1001(a) requires an SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity's operational capability and promote the maintenance of fair and orderly markets. Rule 1001(b) requires an SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in a manner that complies with the Exchange Act and the rules regulations thereunder and the entity's rules and governing documents, as applicable. Rule 1001(c) requires an SCI entity to establish, maintain, and enforce reasonably designed written policies and procedures that include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible SCI personnel of potential SCI events. This section discusses the economic effects of requiring these policies and procedures, both individually and as a whole. The Commission believes the policies and procedures requirements as a whole should reduce the risk and incidences of SCI events because they are requirements under Commission rules rather than voluntary guidelines, and require SCI entities to establish, maintain, and enforce written policies and procedures related to capacity, integrity, resiliency, availability, security, compliance, responsible SCI personnel, and escalation. Also, policies and procedures requirements as a whole should reduce the risk and incidences of SCI events by imposing requirements on entities that are not currently participating in the ARP Inspection Program, and by covering areas not currently within the scope of the ARP Inspection Program, such as policies and procedures regarding systems compliance.\1924\ The policies and procedures requirements in Regulation SCI should help ensure faster recoveries from systems disruptions, systems compliance issues, and systems intrusions. As discussed in Section VI.C.1, reducing the risk, incidence, and duration of SCI events could reduce interruptions in the price discovery process and liquidity flows and thus result in reduced periods with pricing inefficiencies. --------------------------------------------------------------------------- \1924\ With respect to NASD and FINRA rules identified by commenters, although they have some broad relation to certain aspects of the policies and procedures provisions under Regulation SCI, the Commission is not persuaded that these rules, even when taken together, are an appropriate substitute for the comprehensive approach in Regulation SCI with respect to technology systems and system issues. See NASD Rule 3010(b)(1) and FINRA Rule 3130. See also supra note 115. --------------------------------------------------------------------------- The Commission also recognizes that the policies and procedures requirements of Regulation SCI will impose certain costs. In general, the Commission believes that some SCI entities that participate in the ARP Inspection Program already comply with some of the requirements of Rule 1001 and thus would incur lower initial costs to comply with the requirements of Rule 1001 than SCI entities that do not participate in the ARP Inspection Program. Additionally, some SCI entities that currently participate in the ARP Inspection Program are large and have complex systems and, therefore, will incur more costs to comply with Rule 1001 than others. Furthermore, SCI entities that do not currently participate in the ARP Inspection Program will also face costs to comply with Rule 1001 if they do not already have policies and procedures similar to those required by [[Page 72416]] Rule 1001. These costs are discussed further below. Quantifiable Costs In the SCI Proposal, based on discussion with industry participants, the Commission estimated that, to comply with all requirements underlying the policies and procedures required by proposed Rules 1000(b)(1) and (2) other than paperwork burdens, on average, each SCI entity would incur an initial cost of between approximately $400,000 and $3 million.\1925\ Based on this estimated range in costs, the Commission estimated that in the aggregate SCI entities would incur a total initial cost of between approximately $17.6 million \1926\ and $132 million \1927\ to comply with proposed Rules 1000(b)(1) and (2). In addition, the Commission estimated that, to comply with the policies and procedures required by proposed Rules 1000(b)(1) and (2), on average, each SCI entity would incur an ongoing annual cost of between approximately $267,000 \1928\ and $2 million.\1929\ Based on this estimated range, the Commission estimated that in the aggregate SCI entities would incur a total annual ongoing cost of between approximately $11.7 million \1930\ and $88 million.\1931\ --------------------------------------------------------------------------- \1925\ See Proposing Release, supra note 13, at 18171. As explained in the SCI proposal, the Commission preliminarily estimated a range of cost for complying with the policies and procedures required by proposed Rules 1000(b)(1) and (2) because some SCI entities are already in compliance with some of these requirements and thus would likely need to incur less costs to comply with the rules. For example, the Commission believed that many SCI SROs (e.g., certain national securities exchanges and registered clearing agencies) already have or have begun implementation of business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse to ensure next business day resumption of trading and two-hour resumption of clearance and settlement services following a wide-scale disruption. See id. at 18171, n. 633. \1926\ See id. at 18171, n. 634. \1927\ See id. at 18171, n. 635. \1928\ See id. at 18172, n. 637. \1929\ See id. at 18172, n. 638. \1930\ See id. \1931\ See id. at 18172, n. 640. --------------------------------------------------------------------------- One commenter noted that the Commission did not provide sufficient discussion of the basis for the cost estimates for complying with the policies and procedures required by proposed Rules 1000(b)(1) and (2).\1932\ However, this commenter was cautiously confident that its initial cost for full implementation of proposed Rules 1000(b)(1) and (2) would not exceed $3 million plus four times the estimated burden under the Paperwork Reduction Act analysis, although the commenter believed that such cost would not be less than half of such $3 million plus at least three times the Paperwork Reduction Act estimate.\1933\ This commenter further noted that the approach taken by the Commission in the proposal with regard to federal securities law liabilities and the safe harbors likely will result in increased insurance costs for SCI entities and higher salaries for employees.\1934\ --------------------------------------------------------------------------- \1932\ See MSRB Letter at 30. \1933\ See id. at 31. According to this commenter, if as a result of the restrictive listing of industry standards in Table A, it determines that it should adhere to one of the listed standards rather than the standards to which it currently adheres, its cost of compliance with proposed Rule 1000(b)(1) would be considerably increased and its total cost for compliance with proposed Rules 1000(b)(1) and (2) would likely be at or near $3 million plus four times the estimated burden under the Paperwork Reduction Act analysis. See id. As noted above in Section IV.B.1.b.iii, the Commission believes that staff guidance should be characterized as listing examples of publications describing processes, guidelines, frameworks, and/or standards for an SCI entity to consider looking to in developing reasonable policies and procedures, rather than strictly as listing examples of ``standards.'' As such, nothing that the staff may include in its guidance precludes an SCI entity from adhering to standards such as ISO 27000, COBIT, or others referenced by commenters to the extent they result in policies and procedures that comply with the requirements of Rule 1001(a). \1934\ See id. The commenter did not provide an estimate of the anticipated increased insurance costs for SCI entities and higher salaries for employees. The Commission acknowledges that SCI entities may incur increased insurance and personnel costs because of the potential additional liability associated with Regulation SCI, although the Commission is unable to estimate these costs given it lacks specific information regarding current personnel and insurance costs and the amount of any potential increases associated with changes in liability. The Commission also notes that many entities that fall within the definition of SCI entity could already be subject to liability for systems issues and thus may already largely be incurring these insurance and personnel costs. --------------------------------------------------------------------------- Another commenter noted that, without further clarification, the broad scope of the policies and procedures requirement under Regulation SCI could be burdensome, in terms of the cost of developing and implementing new (or enhancing existing) policies and procedures, and in terms of complying and documenting compliance under such policies and procedures.\1935\ According to this commenter, these requirements could significantly increase technology project costs (e.g., for testing, monitoring, and compliance staff) and would significantly prolong the systems development lifecycle and time to market.\1936\ With respect to the Commission's cost estimate for proposed Rules 1000(b)(1) and (2), another commenter noted that the Commission's estimates do not adequately account for the opportunity costs of delays in systems innovation.\1937\ This commenter stated that the Commission did not address the significant costs of complying with the requirements concerning the capacity, integrity, resiliency, availability, and security of systems.\1938\ --------------------------------------------------------------------------- \1935\ See FINRA Letter at 32. The estimated burden associated with the development and maintenance of policies and procedures is discussed in the Paperwork Reduction Act section above. See supra Section V.D.1.a. \1936\ See FINRA Letter at 32. \1937\ See ITG Letter at 7. This commenter also noted that the estimates do not adequately account for the monitoring and notification costs that would be engendered by the proposal. See id. \1938\ See id. --------------------------------------------------------------------------- After considering the views of these commenters and in light of the changes to the proposed rules, the Commission now estimates that, to comply with all requirements underlying the policies and procedures required by Rules 1001(a) and (b),\1939\ other than paperwork burdens, on average, each SCI entity will incur an initial cost of between approximately $320,000 and $2.4 million and an ongoing annual cost of between approximately $213,600 and $1.6 million.\1940\ The Commission notes that it has reduced the cost for complying with the policies and procedures required by Rules 1001(a) and (b) in a variety of ways, including by, for example: Refining the definition of SCI systems; more explicitly allowing SCI entities to tailor policies and procedures consistent with a risk-based approach; having separate staff guidance on current SCI industry standards rather than Commission guidance through proposed Table A, with staff guidance characterized as listing examples of publications describing processes, guidelines, frameworks, and/or standards for an SCI entity to consider looking to in developing reasonable policies and procedures, rather than strictly as listing examples of [[Page 72417]] ``standards;'' and focusing compliance on the Exchange Act rather than federal securities laws generally. --------------------------------------------------------------------------- \1939\ These include, for example, establishing current and future capacity planning estimates, capacity stress testing, reviewing and keeping current systems development and testing methodology, regular reviews and testing to detect vulnerabilities, testing of all SCI systems and changes to SCI systems prior to implementation, implementing a system of internal controls, implementing a plan for assessments of the functionality of SCI systems, implementing a plan of coordination and communication between regulatory and other personnel of the SCI entity, including by responsible SCI personnel, designed to detect and prevent systems compliance issues, and hiring additional staff. \1940\ The Commission estimates an average range of cost for complying with the policies and procedures required by Rules 1001(a) and (b) because some SCI entities are already in compliance with some of these requirements. The Commission recognizes that, for SCI entities that do not currently comply with the policies and procedures required by Rules 1001(a) and (b), their cost of compliance may, depending on their nature, size, technology, business model, and other aspects of their business, be at the upper end of the estimated average cost range. --------------------------------------------------------------------------- At the same time, the Commission acknowledges that other aspects of the compliance costs could potentially be higher for the adopted rules than the proposed rules. For example, the requirement for a goal of two-hour resumption for all critical SCI systems (rather than only clearance and settlement systems) could increase compliance costs for SCI entities with critical SCI systems as compared to the proposal. However, as discussed above, the Commission has specified that the stated recovery timeframes in Regulation SCI are goals, rather than inflexible requirements.\1941\ In addition, for some SCI entities that would have chosen to not use the proposed SCI entity safe harbor, the Commission's adoption of non-exhaustive, general minimum elements for systems compliance policies and procedures in Rule 1001(b)(2) could increase compliance costs as compared to the proposal. Based on the foregoing, the Commission believes that it is reasonable to revise the estimate to reflect the more targeted scope and increased flexibility of the adopted regulation, as compared to the proposal, in combination with potential increased costs associated with compliance with Rules 1001(a)(2)(v) and 1001(b)(2), and new costs associated with compliance with Rule 1001(a)(2)(vii).\1942\ Therefore, the Commission believes that on balance overall, the costs will be reduced, and in its best judgment, each SCI entity is likely to incur an initial cost of between approximately $320,000 and $2.4 million and an ongoing annual cost of between approximately $213,600 and $1.6 million for complying with the policies and procedures required by Rules 1001(a) and (b). However, the Commission acknowledges that its cost estimates reflect a high degree of uncertainty. As noted above, the compliance costs of Rule 1001 may depend on the complexity of SCI entities' systems (e.g., the compliance costs will be higher for SCI entities with more complex systems). The initial compliance costs associated with Rule 1001 may also vary across SCI entities depending on the degree of current practices' compliance with the requirements of Rule 1001. Because it is difficult to gauge the precise degree of current compliance for each SCI entity in estimating potential costs with respect to Rule 1001 at this time, the Commission is estimating a range of compliance costs above. --------------------------------------------------------------------------- \1941\ See supra note 504 and accompanying text. \1942\ Rule 1001s(a)(2)(v), 1001(a)(2)(vii), and 1001(b)(2) are discussed further below. --------------------------------------------------------------------------- The Commission estimates that, in the aggregate, SCI entities will incur a total initial cost of between approximately $14 million \1943\ and $106 million \1944\ to comply with the policies and procedures required by Rules 1001(a) and (b). In addition, the Commission estimates that, in the aggregate, SCI entities will incur total annual ongoing cost of between approximately $9 million \1945\ and $70 million.\1946\ These cost estimates are intended to cover the cost of complying with all substantive requirements under Rules 1001(a) and (b) other than paperwork related burdens. --------------------------------------------------------------------------- \1943\ $320,000 x 44 SCI entities = $14.1 million. \1944\ $2.4 million x 44 SCI entities = $105.6 million. \1945\ $213,600 x 44 SCI entities = $9.4 million. \1946\ $1.6 million x 44 SCI entities = $70.4 million. --------------------------------------------------------------------------- The Commission acknowledges that, for SCI entities, the requirements of Rules 1001(a) and (b) could increase technology project costs, prolong the systems development lifecycle and time to market, and result in opportunity costs because of potential delays in systems innovation.\1947\ On the other hand, as discussed throughout this release, the Commission believes that entities that are important to the functioning of the U.S. securities markets should be required to have policies and procedures reasonably designed to ensure systems capacity, integrity, resiliency, availability, security, and compliance. Further, as discussed above in Sections IV.B.1 and IV.B.2, the Commission has focused the scope of Rules 1001(a) and (b) as compared to the SCI Proposal. Moreover, in tandem with the adoption of a definition of critical SCI systems, the Commission is making more clear that Rule 1001(a) permits SCI entities to tailor policies and procedures consistent with a risk-based approach. With respect to Rule 1001(b), the Commission is adopting non-exhaustive, general minimum elements that an SCI entity must include in its systems compliance policies and procedures.\1948\ --------------------------------------------------------------------------- \1947\ See supra note 1936 and accompanying text (discussing a commenter's view regarding the potential economic effects of the policies and procedures requirements). \1948\ See supra note 1935 and accompanying text (discussing a commenter's views that, without clarification, the policies and procedures requirement under Regulation SCI could be burdensome). --------------------------------------------------------------------------- Benefits and Qualitative Costs Capacity, Integrity, Resiliency, Availability, and Security Rule 1001(a)(1) requires that each SCI entity establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity's operational capability and promote the maintenance of fair and orderly markets. Rule 1001(a)(2)(i)-(iv) provides that an SCI entity's policies and procedures under Rule 1001(a) must include, at a minimum: (i) The establishment of reasonable current and future technological infrastructure capacity planning estimates; (ii) periodic capacity stress tests of systems to determine their ability to process transactions in an accurate, timely, and efficient manner; (iii) a program to review and keep current systems development and testing methodology of such systems; and (iv) regular reviews and testing, as applicable, of systems, including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters.\1949\ --------------------------------------------------------------------------- \1949\ See Rule 1001(a)(2) and supra Section IV.B.1. --------------------------------------------------------------------------- Rules 1001(a)(1) and (2)(i)-(iv) codify and expand certain provisions of the ARP Policy Statements. They also expand on the requirements under Rule 301(b)(6) of Regulation ATS for ATSs that trade NMS stocks and non-NMS stocks. In particular, under the ARP Policy Statements and through the ARP Inspection Program, ARP participants, among other things, are expected to establish current and future capacity estimates; conduct capacity stress tests; and conduct annual reviews that cover significant elements of the operations of the automation process, including the capacity planning and testing process, contingency planning, systems development methodology, and vulnerability assessments. Further, Rule 301(b)(6) requires certain ATSs, with respect to those systems that support order entry, order routing, order execution, transaction reporting, and trade comparison, to establish certain capacity estimates, conduct periodic capacity stress tests of critical systems, develop and implement reasonable procedures to review and keep current systems development and testing methodology, review the vulnerability of their systems and data center computer operations to specified threats, establish adequate contingency and disaster recovery plans, conduct an independent review of their systems controls annually for ensuring that Rule 301(b)(6)(ii)(A)-(E) are met and conduct a review by senior management of a report of the independent review, and [[Page 72418]] promptly notify the Commission of certain systems outages and systems changes.\1950\ --------------------------------------------------------------------------- \1950\ See 17 CFR 242.301(b)(6)(ii). --------------------------------------------------------------------------- As mentioned above, Rules 1001(a)(1) and (2)(i)-(iv) codify certain aspects of the ARP Policy Statements. For SCI entities that are current participants in the ARP Inspection Program, codifying these aspects into requirements to establish policies and procedures should help ensure more robust systems that help realize the benefits of Regulation SCI discussed in Section VI.C.1.\1951\ --------------------------------------------------------------------------- \1951\ Likewise, the relocation and modification of certain requirements in Rule 301(b)(6) of Regulation ATS applicable to significant-volume ATSs that trade NMS stocks and non-NMS stocks will help ensure that SCI ATSs create and maintain policies and procedures to support robust systems. See supra note 2 and accompanying text (noting that Regulation SCI, in addition to codifying the ARP Policy Statements, also supersedes and replaces aspects of those policy statements codified in Rule 301(b)(6) under the Exchange Act for significant-volume ATSs that trade NMS stocks and non-NMS stocks). --------------------------------------------------------------------------- In addition to the effects of the codification of aspects of the ARP Inspection Program, the Commission believes that the rules would further reduce the risk and incidences of systems issues affecting the markets by imposing requirements on entities that are not currently participating in the ARP Inspection Program, and by covering systems and events not currently within the scope of the ARP Inspection Program. For example, Rules 1001(a)(2)(i)-(iv) will help maintain robust systems at SCI entities that currently do not have the policies and procedures in place required by the rule. In particular, the Commission believes that, taken together, Rules 1001(a)(2)(i)-(iv) will benefit the securities markets by leading to the establishment, maintenance, and enforcement of policies and procedures that will reduce the risks and incidences of systems disruptions and systems intrusions. As noted above in Section VI.C.1, a reduction in the risk and incidences of systems issues could reduce interruptions in the price discovery process and liquidity flows. Because current ARP participants will change their current practices to comply with Rules 1001(a)(2)(i)-(iv), the Commission recognizes that these entities will incur compliance costs that are incremental relative to the current compliance costs of the ARP Inspection Program.\1952\ Furthermore, SCI entities that are not currently participating in the ARP Inspection Program may incur higher initial compliance costs to meet the requirements of Rules 1001(a)(2)(i)-(iv), compared to SCI entities that are current participants of the ARP Inspection Program. The paperwork burdens are discussed in Section V, and other costs are included as part of the quantified costs estimated above related to all requirements associated with Rules 1001(a) and (b) other than paperwork burdens.\1953\ --------------------------------------------------------------------------- \1952\ See supra Section VI.B (discussing current practices of SCI entities). \1953\ See supra note 1940 and accompanying text. --------------------------------------------------------------------------- A few commenters discussed in detail how setting forth policies and procedures with regard to systems development could yield benefits, such as efficient pricing of securities, to markets. One commenter noted that preventing defects from entering in software construction is the most cost effective approach to quality assurance.\1954\ This commenter stated that it is ten times cheaper to find a defect in development than it is during systems testing, and it is one hundred times cheaper to fix a defect in development than in production (and this is not accounting for the impact on business).\1955\ In addition, this commenter noted that software of higher quality is cheaper to maintain and easier to enhance, and that testing schedules for low quality, large software projects are two to three times longer and more than twice as costly as testing for high quality projects.\1956\ According to information submitted by this commenter of large, mission critical systems across several industries, improving overall structural quality by 10 percent reduces ``ticket volume'' by over 30 percent.\1957\ This commenter believed that this would be an inadvertent benefit of controlling integrity at the structural level that may even compensate for the cost of other aspects of Regulation SCI.\1958\ Another commenter noted that the cost of a serious operational problem can rise to eight digits, and in extreme cases nine digits.\1959\ This commenter noted that these costs are often shared with market participants beyond the owners of the disrupted systems.\1960\ This commenter believed that the proposed Rule 1000(b)(1) requirements are reasonable and their cost can be balanced against the losses associated with the operational risks they address.\1961\ --------------------------------------------------------------------------- \1954\ See CAST Letter at 10. \1955\ See id. \1956\ See id. (quoting Capers Jones and Olivier Bonsignour, The Economics of Software Quality (2012)). \1957\ See id. at 10-11. \1958\ See id. at 11. \1959\ See CISQ Letter at 2. \1960\ See id. at 2. \1961\ See id. at 2. See also CISQ2 Letter at 6 (stating, ``[t]he cost of recent outages in SCI systems easily justifies the additional effort in quality assurance. However, empirical evidence from software industry improvement programs demonstrates that the additional time added into quality assurance is more than compensated for by a reduction in rework to produce [return on investments] of 5:1 or greater''). --------------------------------------------------------------------------- The Commission generally agrees with commenters that setting forth policies and procedures with regard to systems development could yield benefits to market participants and SCI entities, including a potential reduction in losses due to SCI events. Rule 1001(a)(2)(iii) requires SCI entities to establish a program to review and keep current systems development and testing methodology for SCI systems and, for purposes of security standards, indirect SCI systems. The Commission believes that development and testing systems are important in ensuring the reliability and resiliency of SCI systems. More reliable and resilient systems should help reduce the occurrences of SCI events and improve systems uptime for SCI entities, and thus possibly result in a reduction in losses due to SCI events. Furthermore, the Commission recognizes that the use of inadequately tested software in production could result in substantial losses to market participants if it does not function as intended. For instance, if software malfunctions, it may not route orders as intended and also could result in mispricing of securities. Additionally, if a system's capacity thresholds are improperly estimated, it may become congested, resulting in higher indirect transaction costs due to lower execution quality (e.g., decrease in order fill rates). The Commission believes that costs associated with Rule 1001(a)(2)(iii) are appropriate in light of the reduction in losses due to SCI events and other benefits discussed throughout this Economic Analysis. Business Continuity and Disaster Recovery Plans Rule 1001(a)(2)(v) requires SCI entities' policies and procedures to set forth business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption.\1962\ Therefore, as [[Page 72419]] adopted, Rule 1001(a)(2)(v) puts an emphasis on trading and critical SCI systems with respect to resumption following a wide-scale disruption. As discussed above, the definition of critical SCI systems is intended to capture those systems that are critical to the operation of the securities markets, including systems that are potential single points of failure in the securities markets. The Commission understands that some SCI entities already have, to an extent, policies and procedures that are required by Rule 1001(a)(2)(v), while others would need to make more significant changes to their current practices.\1963\ --------------------------------------------------------------------------- \1962\ FINRA Rule 4370 generally requires that a FINRA member maintain a written continuity plan identifying procedures relating to an emergency or significant business disruption, which is akin to adopted Rule 1001(a)(2)(v) requiring policies and procedures for business continuity and disaster recovery plans. However, the FINRA rule does not include the requirement that the business continuity and disaster recovery plans be reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption, nor does it require the functional and performance testing and coordination of industry or sector-testing of such plans. See supra note 115. \1963\ See infra note 1973 and accompanying text (discussing the estimated range of cost per SCI entity to comply with the policies and procedures required by Rules 1001(a) and (b)). --------------------------------------------------------------------------- Rule 1001(a), among other things, is expected to help ensure prompt resumption of all critical SCI systems, which in turn is expected to help minimize interruptions in trading and liquidity after a wide-scale disruption. In addition, in the case of a wide-scale disruption, multiple SCI entities may be affected by the same incident at the same time. Given that U.S. securities market infrastructure is concentrated in relatively few areas, such as New York City, New Jersey, and Chicago, maintaining backup and recovery capabilities that are geographically diverse could facilitate resumption in trading and critical SCI systems following wide-scale market disruptions. As discussed in detail in Section VI.C.1, the Commission expects the reduction in the occurrence of trading interruptions and the duration of trading interruptions would promote pricing efficiency, price discovery, and liquidity flows in markets. One commenter noted that the Commission's cost-benefit analysis in the SCI Proposal did not take into consideration the already existing industry excess capacity as backup.\1964\ With respect to this commenter, the Commission understands, based on staff expertise, that systems are sized to adequately handle message traffic with excess capacity under normal conditions and in those situations that moderately exceed the norm. The Commission also understands, however, that exchanges periodically receive escalated levels of message traffic due to unanticipated events and must make real-time adjustments to manage the capacity of their systems, such as queuing and/or throttling. Therefore, the Commission is not persuaded that excess capacity is a reasonable alternative to backup systems because systems may reach their capacity periodically. Also, as noted above, in the case of a wide-scale disruption, multiple SCI entities may be affected by the same incident at the same time. Given that U.S. securities market infrastructure is concentrated in relatively few areas, maintaining backup and recovery capabilities that are geographically diverse could facilitate resumption in trading and critical SCI systems following wide-scale market disruptions. --------------------------------------------------------------------------- \1964\ See Angel Letter at 14. --------------------------------------------------------------------------- The Commission also received comments regarding the costs of maintaining geographically diverse backup facilities under proposed Rule 1000(b)(1). One commenter stated that the Commission did not appropriately consider the costs and benefits of maintaining geographically diverse data centers to meet the next-day readiness requirement.\1965\ This commenter believed that the cost of establishing and maintaining geographically diverse data centers alone will dwarf the estimated overall compliance cost of $400,000 to $3 million.\1966\ This commenter estimated that the incremental all-in, five-year cost to it to relocate its backup site would be $17 million.\1967\ This commenter noted that the geographically diverse backup center requirement could also result in costs on members and users of the SCI entity.\1968\ Another commenter noted that it maintains robust redundant and backup systems that exceed regulatory requirements and provide adequate capacity, security, and resiliency for its trading operations; however, the manpower and financial capital required to maintain and staff a geographically diverse backup site would easily push its annual and recurring compliance cost beyond the higher estimates provided by the Commission.\1969\ --------------------------------------------------------------------------- \1965\ See ISE Letter at 12. See also FIF Letter at 3. \1966\ See ISE Letter at 12. \1967\ See id. \1968\ See id. The cost to members or participants of SCI entities in connection with business continuity and disaster recovery plan testing is discussed in Section VI.C.2.b.vii below. \1969\ See ITG Letter at 7-8. --------------------------------------------------------------------------- The Commission notes that the potential cost for maintaining geographically diverse backup and recovery capabilities is likely less than those estimated by commenters given the scope of the adopted rule. Specifically, because Rule 1001(a)(2)(v) does not require an SCI entity to require its members or participants to use an SCI entity's backup facility in the same way they use the primary facility (i.e., does not require members or participants to co-locate their systems at backup sites to replicate the speed and efficiency of the primary site), the requirement for geographically diverse backup systems does not mean that the backup systems are required to be identical (e.g., same speed and efficiency) to the primary facility. Nevertheless, the Commission believes it is critical that SCI entities and their designated members or participants be able to operate with the SCI entities' backup systems in the event of a wide-scale disruption. In addition, the Commission notes that Rule 1001(a) does not specify any particular minimum distance or geographic location that would be necessary to achieve geographic diversity, although the Commission believes that backup sites should not rely on the same infrastructure components, such as for transportation, telecommunications, water supply, and electric power. Further, Regulation SCI does not require an SCI entity to have a geographically diverse backup facility so distant from the primary facility that the SCI entity may not rely primarily on the same labor pool to staff both facilities if it believed it to be appropriate. With respect to commenters who expressed concern regarding the potential cost for maintaining geographically diverse backup and recovery capabilities, the Commission cannot estimate with confidence the precise costs for the creation of a new, geographically diverse backup facility, given the wide range of message traffic that various exchanges, ATSs, and other entities receive and the reasonable flexibility in the design of the backup facility. Given that Rule 1001(a)(2)(v) does not require an SCI entity to require its members or participants to use an SCI entity's backup facility in the same way they use the primary facility, however, the Commission believes that the upper bound of building a new backup facility is equal to the cost of building a new primary facility. Given the Commission's response to commenters' concerns regarding the requirement to maintain geographically diverse backup and recovery capabilities, and the degree of flexibility within Regulation SCI to determine the precise nature and location of its backup site,\1970\ the Commission believes that the commenter's estimate of $17 million over five years (or $3.4 million per [[Page 72420]] year),\1971\ is high. Based on the Commission's best judgment, including taking into account Commission staff experience with SCI entities that have invested in geographically diverse backup facilities in recent years, the Commission believes that the average cost is more likely to be approximately $1.5 million annually for an SCI entity (that does not already have geographically diverse backup facilities). Nevertheless, even were the costs to be at the upper amount suggested by the commenter, the Commission believes the costs are appropriate given that individual SCI entity resilience is fundamental to achieving the goal of improving U.S. securities market infrastructure resilience.\1972\ --------------------------------------------------------------------------- \1970\ See supra notes 541-544 and accompanying text. \1971\ See supra note 1967 and accompanying text. \1972\ See supra notes 499-544 and accompanying text. --------------------------------------------------------------------------- The Commission recognizes that SCI entities may encounter significantly different costs in complying with the geographic diversity requirement underlying Rule 1001(a)(2)(v). As noted in Section VI.B.2, nearly all national securities exchanges already have backup facilities that do not rely on the same infrastructure components as those used by their primary facility. For those national securities exchanges that do not have such backup facilities, the cost to build such backup facilities will result in higher initial compliance costs than for national securities exchanges that do. For other SCI entities (e.g., some SCI ATSs), the compliance costs to meet the geographic diversity requirement would depend on the nature, size, technology, business model, and other aspects of their business.\1973\ Because SCI entities may encounter significantly different costs in complying with the geographic diversity requirement, the Commission believes that the initial compliance costs could have impact on competition among SCI entities. --------------------------------------------------------------------------- \1973\ The Commission notes that its average estimated range of initial cost of approximately $320,000 to $2.4 million per SCI entity to comply with Rules 1001(a) and (b), other than paperwork burdens, includes the cost to build and maintain a geographically diverse backup facility. The Commission estimates that the costs for SCI entities that do not currently have a geographically diverse backup facility would be at the higher end of this range. --------------------------------------------------------------------------- The requirement to have policies and procedure to meet a goal of next day resumption in trading and two-hour resumption in critical SCI systems will impose compliance costs for SCI entities. The Interagency White Paper sets forth sound practices for core clearing and settlement organizations and firms that play significant roles in critical financial markets,\1974\ and the 2003 BCP Policy Statement discusses the resumption of certain trading markets following a wide-scale disruption.\1975\ As noted in Section VI.B.1, the Commission believes that SCI entities currently use an array of measures to restore systems when disruptions occur. However, the two-hour resumption goal for all critical SCI systems differs from the goals set forth in the Interagency White Paper insofar as the goal for Regulation SCI applies to critical SCI systems generally.\1976\ To this extent, Rule 1001(a)(2)(v) would impose additional costs for SCI entities that currently have practices that are consistent with the Interagency White Paper for clearance and settlement systems but not all critical SCI systems. The next business day resumption goal for certain trading markets set forth in the 2003 BCP Policy Statement is consistent with the resumption goal for trading in Rule 1001(a)(2)(v). For some SCI entities that do not have policies and procedures with respect to critical SCI systems consistent with the Interagency White Paper and the 2003 BCP Policy Statement, the Commission believes that the initial compliance costs associated with establishing policies and procedures with respect to next day resumption in trading and two-hour resumption in all critical SCI systems would be larger than those that do. The costs associated with designing and modifying policies and procedures with respect to systems resumption requirements are included in the costs related to paperwork burdens in Section V. Furthermore, as discussed in Section VI.C.1, the Commission believes that the systems resumption requirements of Rule 1001(a)(2)(v) will have an impact on competition among SCI entities in part because the associated initial compliance costs will be different among SCI entities. --------------------------------------------------------------------------- \1974\ According to the Interagency White Paper, core clearing and settlement organizations should develop the capacity to recover and resume clearing and settlement activities within the business day on which the disruption occurs with the overall goal of achieving recovery and resumption within two hours after an event. See Interagency White Paper, supra note 504, at 17812. \1975\ The 2003 BCP Policy Statement states that each SRO market and ECN should have a business continuity plan that anticipates the resumption of trading, in the securities traded by that market, no later than the next business day following a wide-scale disruption. See 2003 BCP Policy Statement, supra note 504, at 56658. \1976\ See supra Section IV.A.2.c (discussing the definition of critical SCI systems) and supra Section IV.B.1 (discussing the Commission's rationale for applying the two hour recovery goal to critical SCI systems generally instead of clearance and settlement services specifically). --------------------------------------------------------------------------- Market Data Rule 1001(a)(2)(vi) provides that an SCI entity's policies and procedures must include standards that result in systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data.\1977\ Unlike the other provisions of Rule 1001(a)(2) discussed above, Rule 1001(a)(2)(vi) is not addressed in Regulation ATS or the ARP Policy Statements. --------------------------------------------------------------------------- \1977\ See Rule 1001(a)(2) and supra Section IV.B.1. --------------------------------------------------------------------------- The Commission believes that Rule 1001(a)(2)(vi) should help ensure that timely and accurate market data is available to all market participants. Given that market participants rely on consolidated market data in a variety of ways, including making markets, formulating trading algorithms, and placing orders, the Commission believes that this is an important benefit of Regulation SCI, although the Commission recognizes that SCI entities currently already take measures to facilitate the successful collection, processing, and dissemination of market data. As discussed in Section VI.C.1, the Commission believes that the further improvements in timeliness and accuracy of market data would help further ensure pricing efficiencies and uninterrupted liquidity flows in markets. As Rule 1001(a)(2)(vi) will be a new requirement for SCI entities, it will impose incremental compliance costs on SCI entities in setting aside additional resources to satisfy the requirements of the rule. These costs are included as part of the quantified costs estimated above related to all requirements underlying Rules 1001(a) and (b) other than paperwork burdens.\1978\ --------------------------------------------------------------------------- \1978\ See supra note 1940 and accompanying text. --------------------------------------------------------------------------- Monitoring Rule 1001(a)(2)(vii) provides that an SCI entity's policies and procedures must include monitoring of systems to identify potential SCI events. Rule 1001(a)(2)(vii) imposes a new requirement that is not addressed in Regulation ATS or the ARP Policy Statements. The Commission believes that SCI entities, particularly those that participate in the ARP Inspection Program, already monitor their systems in order to identify potential systems issues. Nevertheless, by defining ``SCI event'' and requiring policies and procedures for monitoring systems to identify potential SCI events, the Commission believes that Rule [[Page 72421]] 1001(a)(2)(vii) should further help ensure that SCI entities identify potential SCI events, which could allow them to prevent some SCI events from occurring or to take timely appropriate corrective action after the occurrence of SCI events. As discussed above, the Commission believes the reduction in the occurrence of SCI events or the reduction in the duration of SCI events that disrupt markets would reduce pricing inefficiencies and promote price discovery and liquidity. Although the Commission believes that SCI entities already monitor their systems in order to identify potential systems issues, the Commission believes that SCI entities will have to allocate additional resources to comply with the requirements of Rule 1001(a)(2)(vii), including potentially hiring additional staff, and thus will incur costs. These costs are included as part of the quantified costs estimated above related to all requirements underlying Rules 1001(a) and (b) other than paperwork burdens. Current SCI Industry Standards Rule 1001(a)(4) deems an SCI entity's policies and procedures under Rule 1001(a) to be reasonably designed if they are consistent with current SCI industry standards.\1979\ However, Rule 1001(a)(4) specifically states that compliance with current SCI industry standards is not the exclusive means to comply with the requirements of Rule 1001(a). Therefore, as adopted, Rule 1001(a)(4) provides flexibility to allow each SCI entity to determine how to best meet the requirements in Rule 1001(a), taking into account, for example, its nature, size, technology, business model, and other aspects of its business. Thus, Rule 1001(a)(4) allows SCI entities to choose the technology standards that best fit with their business, promoting efficiency. Furthermore, as discussed in Section IV.B.1, staff guidance lists examples of publications describing processes, guidelines, frameworks, or standards for an SCI entity to consider looking to in developing reasonable policies and procedures under Rule 1001(a). The reference to the publications which the staff may include, and which the Commission believes should be general and flexible enough to be compatible with many widely-recognized technology standards, will help SCI entities to implement and comply with Regulation SCI.\1980\ --------------------------------------------------------------------------- \1979\ Current SCI industry standards are required to be comprised of information technology practices that are widely available to information technology professionals in the financial sector and issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization. See Rule 1001(a)(4). \1980\ See supra Section IV.B.1.b (discussing the role of staff guidance on current SCI industry standards). --------------------------------------------------------------------------- Some commenters expressed concern that SCI entities would closely adhere to the publications listed in Table A rather than take advantage of the flexibility built into the proposed rule out of concern that, if they did not, they would expose themselves to potential regulatory action for failure to comply with Regulation SCI.\1981\ As discussed above in Section IV.B.1, Rule 1001(a) allows for flexibility in choosing standards or guidelines when an SCI entity is designing policies and procedures required by that rule. Moreover, the staff guidance lists examples of publications describing processes, guidelines, frameworks, or standards for an SCI entity to consider looking to in developing reasonable policies and procedures under Rule 1001(a). As noted in Section IV.B.1, the Commission understands that many SCI entities are already following other technology standards, such as ISO 27000 and COBIT. The staff guidance would not preclude SCI entities from adhering to standards such as ISO 27000, COBIT, or others, to the extent they result in policies and procedures that comply with the requirements of Rule 1001(a).\1982\ Because there is no requirement for SCI entities to follow the publications listed as staff guidance, there is no separate compliance cost associated with the staff guidance in addition to the cost of complying with Rule 1001(a). As discussed throughout this section, the Commission recognizes that, in general, there will be costs associated with designing policies and procedures required by Rule 1001(a). Such costs to SCI entities that already set forth their policies and procedures based on industry standards, or that follow the publications listed in the staff guidance or comparable publications as a guide, would be minimal. On the other hand, other SCI entities that decide to modify their policies and procedures and those that do not have such policies and procedures in place may incur greater costs in designing policies and procedures required by Rule 1001(a). The costs associated with modifying and designing policies and procedures are included in the costs related to paperwork burdens in Section V. --------------------------------------------------------------------------- \1981\ See, e.g., MSRB Letter at 11; Angel Letter at 8; BATS Letter at 6; and NYSE Letter at 20-21. \1982\ Likewise, the staff guidance would not preclude an SCI entity from adopting a derivative of multiple standards, and/or customizing one or more standards for the particular system at issue. In assessing whether an SCI entity's use of such an approach in designing its policies and policies and procedures would be ``deemed'' to be reasonably designed, the Commission's inquiry would be into whether its policies and procedures were consistent with standards meeting the criteria in adopted Rule 1001(a)(4). --------------------------------------------------------------------------- Systems Compliance Rule 1001(b)(1) requires each SCI entity to establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in a manner that complies with the Exchange Act and the rules and regulations thereunder, and the entity's rules and governing documents, as applicable. Rule 1001(b)(2)(i)-(iv) provides that an SCI entity's policies and procedures under Rule 1001(b)(1) must include, at a minimum: (i) Testing of all SCI systems and any changes to SCI systems prior to implementation; (ii) a system of internal controls over changes to SCI systems; (iii) a plan for assessments of the functionality of SCI systems designed to detect systems compliance issues, including by responsible SCI personnel and by personnel familiar with applicable provisions of the Act and the rules and regulations thereunder and the SCI entity's rules and governing documents; and (iv) a plan of coordination and communication between regulatory and other personnel of the SCI entity, including by responsible SCI personnel, regarding SCI systems design, changes, testing, and controls designed to detect and prevent systems compliance issues. The Commission recognizes that SCI entities currently take varying measures to ensure that their systems operate in a manner that complies with relevant laws and rules. These practices at SCI entities may include escalating a compliance issue upon discovery, including legal and compliance personnel in the review of systems changes, and periodically reviewing rulebooks. The Commission believes that Rule 1001(b) should help to ensure that SCI entities operate their SCI systems in compliance with the Exchange Act and relevant rules and should help to reduce the occurrence of systems compliance issues. For example, the tests under Rule 1001(b)(2)(i) should help SCI entities to identify potential compliance issues before new systems or systems changes are implemented; the internal controls under Rule 1001(b)(2)(ii) should help to ensure that SCI entities remain vigilant against compliance issues when changing their systems and resolve potential compliance issues before the changes are implemented; and the systems assessment plans under Rule 1001(b)(2)(iii) and the coordination [[Page 72422]] and communication plans under Rule 1001(b)(2)(iv) should help technology, regulatory, and other relevant personnel (including responsible SCI personnel) of SCI entities to work together to prevent compliance issues, and to promptly identify and address compliance issues if they occur. To the extent that compliance with Rule 1001(b) reduces the occurrence of systems compliance issues, Rule 1001(b) should help ensure investor protection. Because SCI entities will need to allocate their resources towards establishing, maintaining, and enforcing policies and procedures with regard to systems compliance, Rule 1001(b) will impose compliance costs on SCI entities. These costs are included as part of the quantified costs estimated above related to all requirements underlying Rules 1001(a) and (b) other than paperwork burdens.\1983\ --------------------------------------------------------------------------- \1983\ See supra note 1940 and accompanying text. However, the costs associated with establishing and maintaining policies and procedures are included in the costs related to paperwork burdens in Section V. --------------------------------------------------------------------------- One commenter suggested that the Commission follow the Federal Aviation Administration's and NASA's approach, where, according to this commenter, individuals are encouraged to report safety issues and penalties are waived where there is self-reporting.\1984\ As discussed above in Section IV.B.2.b, the Commission is not persuaded that it would be appropriate to provide a safe harbor for all problems that are self-reported by SCI entities and individuals because the Commission is not persuaded that the suggested self-report safe harbor will effectively further the intent of Regulation SCI.\1985\ The extent to which regulators' reporting rules offer safe harbor protection is determined by particular circumstances and regulatory objectives. For purposes of Regulation SCI, a blanket safe harbor provision of the type proposed by the commenter would reduce incentives for SCI entities to take the proactive actions required to ensure the compliance of their SCI systems and, thus, could undermine the benefits of Regulation SCI discussed in Section IV.C.1. --------------------------------------------------------------------------- \1984\ See Angel Letter at 3-4. This commenter also stated that, in the SCI Proposal, the Commission did not analyze how other government regulatory agencies in the U.S. and elsewhere address technology risks (e.g., in the aviation, nuclear power, electricity, telecommunications, medical, and banking sectors). See Angel Letter at 3 and 15. The Commission notes that, in considering the adoption of Regulation SCI, it has considered some of the current practices in other industries, such as those discussed by panelists at the Technology Roundtable (e.g., aviation, nuclear power). See supra note 15 and Transcript of the Technology Roundtable, at 42-45. \1985\ The Commission notes that, in addition to dealing with a different problem in different industries, the ``waiving of penalties'' cited by the commenter has limitations (e.g., the ASRS system cited by the comment suspends safe harbor protection for repeat violators and does not offer safe harbor for certain types of violations). Safe harbor protection for self-reporters may be appropriate in some circumstances. However, the Commission believes that in the specific context of Regulation SCI, such safe harbor protections would not further the intent of the regulation. --------------------------------------------------------------------------- Responsible SCI Personnel Rule 1001(c) requires an SCI entity to establish, maintain, and enforce reasonably designed written policies and procedures that include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible SCI personnel of potential SCI events. Rule 1001(c) imposes a requirement that is not addressed in Regulation ATS or the ARP Policy Statements. The Commission believes that requiring policies and procedures to identify and designate responsible SCI personnel and to establish escalation procedures to quickly inform responsible SCI personnel of potential SCI events should help to effectively alert responsible SCI personnel of potential SCI events, in order for such personnel to determine whether an SCI event has occurred so that any appropriate actions can be taken in accordance with the requirements of Regulation SCI without unnecessary delay. As such, Rule 1001(c) should help reduce the duration of SCI events as SCI entities should become aware of potential SCI events and take appropriate corrective actions more quickly. The reduction in the duration of SCI events would benefit markets as it would promote pricing efficiency and price discovery as discussed in Section VI.C.1. The Commission believes that the costs associated with Rule 1001(c) are attributed to paperwork burdens, which are discussed in Section V.D.1.a above.\1986\ The Commission does not believe that Rule 1001(c) will impose significant other costs on SCI entities because these entities already identify and designate responsible SCI personnel and have escalation procedures.\1987\ --------------------------------------------------------------------------- \1986\ When monetized, the paperwork burden would result in approximately $1.7 million initially and $611,000 annually for all SCI entities in the aggregate. \1987\ As noted above, several commenters emphasized the importance of escalation procedures at SCI entities, pursuant to which technology staff or junior employees could assess a systems problem and escalate the issue up the chain of command to management as well as legal and/or compliance personnel. See supra note 740 and accompanying text. --------------------------------------------------------------------------- Periodic Review Rules 1001(a)(3), (b)(3), and (c)(2) require each SCI entity to periodically review the effectiveness of the policies and procedures required under Rules 1001(a), (b), and (c), respectively, and to take prompt action to remedy deficiencies in such policies and procedures. Regulation ATS and the ARP Policy Statements do not explicitly address the periodic review of policies and procedures and remediation of deficient policies and procedures. The Commission believes that requiring periodic review of the policies and procedures and remedial actions to address any deficiencies in the policies and procedures will help to ensure that SCI entities maintain robust policies and procedures and update them when necessary so that the benefits of Rules 1001(a), (b), and (c) should continue to be realized. As such, the Commission believes that Rules 1001(a)(3), (b)(3), and (c)(2) will help realize the benefits of Regulation SCI, and would facilitate price discovery and liquidity flow, as discussed in Section VI.C.1. These requirements, however, will impose costs on SCI entities because they will have to use resources to review the policies and procedures required by Rules 1001(a), (b), and (c) beyond the resources currently expended for this purpose or will have to take more prompt remedial action to remedy any identified deficiencies. The Commission expects that these costs generally will arise following an SCI entity's periodic review of the effectiveness of its policies and procedures and as a result of SCI events. The Commission believes that the costs associated with the review and update requirements are attributed to paperwork burdens, which are discussed in Section V.D.1.a above.\1988\ However, the Commission recognizes that, if an SCI entity takes prompt or unplanned remedial action following the discovery of deficiencies in its policies and procedures, this may result in indirect costs (i.e., opportunity costs) to SCI entities because they may need to delay or shift their resources away from profitable projects and reallocate their resources towards taking prompt or unplanned remedial actions required by the rules. However, it is difficult to assess such indirect costs imposed on SCI entities because the Commission lacks information necessary to provide a reasonable estimate. For example, the Commission does not have [[Page 72423]] comprehensive and detailed information on the value of the potential forgone projects of SCI entities. --------------------------------------------------------------------------- \1988\ As noted in Section V.D.1.a above, the paperwork burden related to the review of the policies and procedures is included in the estimated annual ongoing burden of Rules 1001(a), (b), and (c). --------------------------------------------------------------------------- ii. Corrective Action--Rule 1002(a) Rule 1002(a) requires an SCI entity to begin to take appropriate corrective action upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred. Rule 1002(a) also requires corrective action to include, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable. Thus, it would not be appropriate for an SCI entity to unnecessarily delay the start of corrective action once its responsible SCI personnel have a reasonable basis to conclude that an SCI event has occurred, and the SCI entity would be required to focus on mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable. The Commission believes that SCI entities already have a variety of procedures in place to take corrective actions when system issues occur. However, Rule 1002(a) will likely require modifications to those existing practices in part because the rule specifies the timing and enumerates certain goals for corrective action.\1989\ --------------------------------------------------------------------------- \1989\ For example, although the Commission believes that market participants already take corrective actions when system issues occur, currently, when taking corrective action, market participants may not always focus on mitigating potential harm to investors and market integrity or devoting adequate resources to remedy the issues as soon as reasonably practicable, as SCI entities are required to do under Rule 1002(a). --------------------------------------------------------------------------- The Commission believes that the corrective action requirement will reduce the length of systems disruptions, systems compliance issues, and systems intrusions, and thus, as noted in Section VI.C.1, reduce the negative effects of those interruptions on the SCI entity and market participants. Additionally, to the extent that corrective action could involve wide-scale systems upgrades, some SCI entities may potentially seek to accelerate capital expenditures, for example, by updating their systems with newer technology earlier than they might have otherwise to comply with Regulation SCI. As such, Rule 1002(a) could further help ensure that SCI entities invest sufficient resources as soon as reasonably practicable to address systems issues. The Commission recognizes that Rule 1002(a) may require SCI entities to undertake corrective action sooner and/or to increase investments in newer and more updated systems earlier than they might have otherwise. The Commission thus believes that Rule 1002(a) could impose modestly higher costs for SCI entities in responding to SCI events relative to their current practice.\1990\ But, given the wide variety of current practices, the Commission is unable to estimate the incremental costs associated with the required changes. Furthermore, if Regulation SCI reduces the frequency and severity of SCI events in the future, the cost of corrective action could similarly decline over time. However, the Commission cannot estimate these costs because the degree to which Regulation SCI will reduce the frequency and severity of SCI events is unknown. The Commission also believes that, if an SCI entity takes corrective action sooner than they might have without the requirements of Regulation SCI, this may impose indirect costs (i.e., opportunity costs) to SCI entities because they may have to delay or reallocate their resources away from profitable projects and direct their resources toward taking corrective action required by the rule. However, the Commission acknowledges that it is difficult to assess such indirect costs imposed on SCI entities. For instance, the Commission does not have comprehensive and detailed information on the value of the potential foregone projects of SCI entities. Consequently, the Commission is, at this time, unable to estimate the costs of Rule 1002(a) of Regulation SCI because the Commission lacks information necessary to provide a reasonable cost estimate. --------------------------------------------------------------------------- \1990\ See also MSRB Letter at 32 (commenting that under most circumstances, any increased cost due to proposed Rule 1000(b)(3) would be modest since corrective action normally would already be taken). --------------------------------------------------------------------------- Several commenters stated that the requirements of proposed Rule 1000(b)(3) put too great an emphasis on immediate corrective action at the expense of thoroughly analyzing the SCI event and its cause, considering potential remedies, and/or acting in accordance with internal policies and procedures before committing to a plan to take corrective action.\1991\ Partly in response to this concern, the Commission has modified the rule as adopted from the proposal. The Commission agrees that an SCI entity should be given appropriate time to perform an initial analysis and preliminary investigation into a potential systems issue before the corrective obligations are triggered. If a corrective action were to be applied without such analysis or investigation, then the impact of an SCI event could persist, exacerbating or prolonging its negative effects on markets and market participants. The Commission notes that Rule 1002(a) does not use the term ``immediate.'' Rather, Rule 1002(a) requires that corrective action be taken ``as soon as reasonably practicable'' once the triggering standard has been met. The Commission believes that, because the facts and circumstances of each specific SCI event will be different, this standard would help ensure that an SCI entity takes necessary corrective action soon after an SCI event, but not without sufficient time to first consider what is the appropriate action to remedy the SCI event in a particular situation and how such corrective action should be implemented.\1992\ --------------------------------------------------------------------------- \1991\ See SIFMA Letter at 3; OCC Letter at 14; Joint SROs Letter at 11; LiquidPoint Letter at 4; DTCC Letter at 10; and Direct Edge Letter at 7. \1992\ See also supra Section IV.B.3.a (discussing in more detail the triggering standard for corrective action, Commission notification, and information dissemination) and Section IV.B.3.b (discussing the corrective action requirement). --------------------------------------------------------------------------- iii. Commission Notification--Rule 1002(b) As discussed above in Section IV.B.3.c, Rule 1002(b) requires SCI entities to provide notifications to the Commission regarding SCI events. Specifically, upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, an SCI entity is required to notify the Commission of the SCI event immediately. Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, an SCI entity is required to submit a more detailed written notification, on a good faith, best efforts basis, pertaining to the SCI event. Until such time as the SCI event is resolved and the SCI entity's investigation of the SCI event is closed, the SCI entity is required to provide updates regularly, or at such frequency as requested by a representative of the Commission. The SCI entity is also required to submit a detailed final written notification after the SCI event is resolved and the SCI entity's investigation of the event is closed (and an additional interim written notification, if the SCI event is not resolved or the investigation is not closed within a specified period of time). Finally, SCI entities are required to notify the Commission of information regarding de minimis systems disruptions and de minimis systems intrusions on a quarterly basis. The Commission believes that most, if not all, major systems incidents are [[Page 72424]] reported by ARP entities to the Commission and that many ``de minimis'' systems issues are documented internally by SCI entities as part of their incident management systems. For those entities that do not participate in the ARP Inspection Program, the Commission also believes that some internal documentation of systems incidents exists. In addition, the Commission notes that some SCI entities currently notify the Commission of certain systems compliance issues. Rule 1002(b) will apply to more entities (e.g., some SCI ATSs), more systems (e.g., market regulation and market surveillance systems, additional market data systems), and more types of systems issues (e.g., systems compliance issues) than the ARP Policy Statements, and also require more detailed reporting to the Commission.\1993\ The Commission believes that Rule 1002(b) will enhance the effectiveness of Commission oversight of the operation of SCI entities. For example, one commenter suggested that SCI events notification results in greater transparency for the Commission, with multiple benefits, including ensuring that the Commission has a view into problems at particular SCI entities for regulatory purposes as well as perspective on the effect of a single problem to the market at-large.\1994\ Further, the Commission believes that providing written notifications to the Commission could help prevent systems failures from being dismissed as momentary issues, because notification would help focus the SCI entity's attention on the issue and encourage allocation of SCI entity resources to resolve the issue as soon as reasonably practicable. --------------------------------------------------------------------------- \1993\ See supra Section IV.B.3.c (discussing in detail the requirements of Rule 1002(b)). \1994\ See Lauer Letter at 8. --------------------------------------------------------------------------- As noted in Section IV.B.3.c, the Commission received comment letters that discuss the resource and efficiency demands of the Commission notification requirement.\1995\ Some commenters expressed concern that SCI entities may feel compelled to characterize and report a greater number of systems anomalies as disruptions to comply with Regulation SCI,\1996\ and that the proposal would result in SCI entities having ``shadow staff'' on hand solely for reporting SCI events so as to not divert staff away from working to resolve SCI events.\1997\ While the Commission is adopting the definitions of systems disruptions, systems compliance issues, and systems intrusions, and providing discussions of these definitions in this release, the Commission acknowledges that some SCI entities could be overly cautious in seeking to be in compliance with Regulation SCI and therefore over- report systems issues to the Commission. Furthermore, the Commission notes that some SCI entities currently notify the Commission of systems related issues under the ARP Inspection Program or as part of their current business practice, but the Commission believes that SCI entities will have to allocate additional resources to meet the Commission notification requirement. Although the estimated cost to comply with the adopted notification provisions is greater than the estimate in the SCI Proposal, the Commission is not persuaded that the adopted rule, with its more targeted scope, will require SCI entities to have a ``shadow staff'' on hand solely for reporting SCI events. As discussed in Section IV.B.3.c, the Commission believes that concerns with respect to resource demands regarding the Commission notification requirements have been substantially mitigated by the numerous changes from the proposal, such as the adoption of a quarterly reporting framework for de minimis systems disruptions and de minimis systems intrusions; the adoption of an exception from the Commission notification requirements for de minimis systems compliance issues; the revised definitions of SCI systems, indirect SCI systems, systems disruption, and systems compliance issue; and the reduction in the obligations SCI entities have with respect to reporting requirements. In addition, the Commission is not persuaded that the burden of the Commission notification requirement will significantly reduce SCI entities' ability to adequately respond to SCI events. It is the Commission's experience that the staff engaging in corrective action to resolve an SCI event is generally distinct from the staff that has been charged with notifying the Commission of systems issues. --------------------------------------------------------------------------- \1995\ See, e.g., UBS Letter at 3; Omgeo Letter at 16; MSRB Letter at 19; OCC Letter at 14; SunGard Letter at 5; Joint SROs Letter at 7; and NYSE Letter at 22. \1996\ See Joint SROs Letter at 9-10. \1997\ See FINRA Letter at 19. --------------------------------------------------------------------------- The compliance costs associated with Rule 1002(b) are attributed to the paperwork burden of Commission notifications of SCI events, including recordkeeping and submission of quarterly reports with respect to de minimis SCI events, as applicable.\1998\ As discussed in the PRA, with respect to SCI events that are not de minimis, the Commission has estimated the total annual hourly burden to comply with Rules 1002(b)(1)-(4) to be 125,180 hours for all SCI entities (monetized to be approximately $40 million), or 2,845 hours per SCI entity.\1999\ This estimate is greater than that estimated in the SCI Proposal (which estimate was 58,080 hours for all SCI entities, or 1,320 hour per SCI entity to comply with proposed Rules 1000(b)(4)(i)- (iii)). As more fully explained in the PRA, the Commission has increased its estimate to comply with the Commission notification provisions in Rules 1002(b)(1)-(4), notwithstanding the more targeted scope of the adopted rule, as compared to the proposed rule. These increased estimates are in response to comment that the estimates in the SCI Proposal were too low, particularly with respect to the time necessary for an SCI entity to prepare, review, and submit the required notifications.\2000\ In addition, for Rule 1002(b)(5), which requires recordkeeping of all de minimis SCI events and quarterly reporting of de minimis systems disruptions and de minimis systems intrusions, the Commission has estimated a total of 7,040 hours for all SCI entities (monetized to be approximately $2 million), or 160 hours per SCI entity, for Commission notification. The number of SCI events (de minimis and otherwise), and the burdens to comply with notification requirements will likely vary among individual SCI entities, based on the nature of their business, technology, and the relative criticality of each of their SCI systems. --------------------------------------------------------------------------- \1998\ When monetized, the paperwork burden would result in approximately $42 million, in addition to approximately $2 million in outsourcing cost, annually for all SCI entities in the aggregate. \1999\ See supra Section V.D.2.a (discussing the Commission's estimate of the hours required to comply with Rule 1002(b)). \2000\ See id. --------------------------------------------------------------------------- In addition, the Commission believes that most, if not all, SCI entities already have some internal procedures for determining the severity of a systems issue. Nevertheless, to the extent that an SCI entity must determine whether an SCI event is a de minimis SCI event, Rule 1002(b) may impose one-time implementation costs on SCI entities associated with developing a process for ensuring that they are able to quickly and correctly make such determinations, as well as ongoing costs in reviewing the adopted process. The initial and ongoing burden associated with identifying certain systems and SCI events is discussed in Section V.D.3.b.\2001\ --------------------------------------------------------------------------- \2001\ When monetized, the paperwork burden would result in approximately $1.1 million initially and $413,000 annually for all ARP entities in the aggregate, and approximately $885,000 initially and $292,000 annually for all non-ARP entities in the aggregate. These estimates include the identification of critical SCI systems, major SCI events, and de minimis SCI events. --------------------------------------------------------------------------- [[Page 72425]] Proposed Rule 1000(b)(4) did not distinguish de minimis SCI events from other SCI events in terms of the timing or type of Commission notifications. The Commission believes that the adopted quarterly Commission reporting requirement for de minimis systems disruptions and de minimis systems intrusions, and the exception from the Commission reporting requirement for de minimis systems compliance issues, will reduce costs related to Commission reporting (as compared to the costs of complying with the proposed Commission notification requirements) for SCI entities, and could facilitate more efficient allocation of SCI entities' resources toward more significant systems issues because de minimis SCI events would be subject to a recordkeeping requirement and de minimis systems disruptions and de minimis systems intrusions would be subject to a quarterly reporting requirement, rather than a requirement to report such events to the Commission more immediately. As de minimis SCI events are defined to have no or a de minimis impact on the SCI entity's operations or on market participants, the Commission believes that the recordkeeping requirement and quarterly reporting requirement, as applicable, will allow both the SCI entity and its personnel, as well as the Commission and its staff, to focus more of their attention and resources on other, more significant SCI events. Moreover, the quarterly Commission notification requirement for de minimis systems disruptions and de minimis systems intrusions will help SCI entities and the Commission to gather information on the nature, types, and frequency of de minimis SCI events and, thus, help identify potential weaknesses in systems across SCI entities and Commission's ability to monitor market events. The Commission believes that the quarterly reporting requirement for de minimis systems disruptions and de minimis systems intrusions balances the interest of SCI entities in having a limited reporting burden for de minimis systems disruptions and de minimis systems intrusions with the Commission's interest in oversight of the information technology programs of SCI entities. Furthermore, proposed Rule 1000(b)(4)(iii) would have required an SCI entity to submit written updates pertaining to an SCI event until the SCI event is resolved. The Commission has revised the update requirement from the proposal in adopted Rule 1002(b)(3) so that the submission of updates may be provided either orally or in written form.\2002\ This revision should reduce costs as compared to proposed Rule 1000(b)(4) by providing flexibility to SCI entities and because oral notifications will likely result in a lower burden than written notifications. --------------------------------------------------------------------------- \2002\ See supra Section IV.B.3.c. --------------------------------------------------------------------------- The Commission has also modified the 24-hour written notification requirement in adopted Rule 1002(b) to make clear that the written notification provided within 24 hours be submitted on a good faith, best effort basis. Compared to the proposed rule, the Commission believes the adopted rules will help provide certainty to SCI entities that they will not be accountable for unintentional inaccuracies or omissions contained in these submissions. The ``best efforts'' standard will also help to ensure that SCI entities will make a diligent and timely attempt to provide all the information required by the written notification requirement, thus permitting the Commission to effectively monitor SCI events. As discussed in Section IV.B.3.c, with respect to submitting final written notifications, proposed Rule 1000(b)(4)(ii) would have required the submission of the information required to be included in the final written notification within a shorter time frame. By requiring that the final written notification be submitted after resolution of an SCI event, the Commission believes that the adopted rule will encourage SCI entities to allocate their resources efficiently in resolving the SCI event. One commenter expressed concern that, without a safe harbor and a guarantee of immunity, the disclosures to the Commission required under Regulation SCI would provide a roadmap for litigation against non-SRO entities.\2003\ As discussed in Section IV.B.2.b, the occurrence of a systems compliance issue does not necessarily mean that the SCI entity will be subject to an enforcement action. Rather, the Commission will exercise its discretion to initiate an enforcement action if the Commission determines that action is warranted, based on the particular facts and circumstances of an individual situation. Moreover, the Commission recognizes that compliance with Regulation SCI will increase the amount of information about SCI events available to the Commission and SCI entities' members and participants, and that the greater availability of this information has some potential to increase litigation risks for SCI entities, including the risk of private civil litigation. Commenters did not provide estimates of potential litigation costs and Commission staff were unable to find readily- available public information from which to estimate specific costs of possible litigation associated with the increased information available about SCI events, but based on staff experience, depending on the complexity, scope, and length of the litigation, the costs to defend an individual case could be quite significant. The Commission notes, however, that it is not clear that the incremental increase in costs due to Regulation SCI will be significant in the aggregate. Regulation SCI does not alter the elements of any available private cause of action, and the elements of such actions are likely to limit the potential for recovery. Moreover, to the extent members and participants suffer damages when SCI events occur, SCI entities are already subject to litigation risk. --------------------------------------------------------------------------- \2003\ See OTC Markets Letter at 15-16 (stating that ``entities that do not have SRO immunity, such as ATSs, may be subject to liability based on information reported under Reg. SCI's Rule 1000(b)(4)(iv) . . . [w]ithout a safe harbor and a guarantee of immunity, this kind of disclosure provides a roadmap for litigation against non-SRO SCI entities''). See also FIF Letter at 5. --------------------------------------------------------------------------- As an alternative to the adopted rule, some commenters suggested that non-material systems intrusions not be reported to the Commission at all, and only be recorded by the SCI entity to reduce the instances in which notice of systems intrusions would be required.\2004\ The Commission continues to believe that reporting intrusions in SCI systems and indirect SCI systems will help the Commission and its staff to detect patterns or understand trends over time and the nature of systems intrusions that may be occurring at multiple SCI entities and, thus, help ensure effective Commission oversight. As discussed in Section IV.B.3.c in detail, to reduce the burden associated with the Commission notification requirement, the Commission established separate reporting requirements (e.g., quarterly reporting) for de minimis systems disruptions and de minimis systems intrusions and provided an exception from the Commission reporting requirement for de minimis systems compliance issues. --------------------------------------------------------------------------- \2004\ See Omgeo Letter at 12; and DTCC Letter at 8. --------------------------------------------------------------------------- iv. Information Dissemination--Rule 1002(c) Rule 1002(c) requires an SCI entity to disseminate information regarding [[Page 72426]] certain major SCI events to all of its members or participants and certain other SCI events to affected members or participants. Specifically, promptly after any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, an SCI entity is required to disseminate certain information regarding the SCI event. When certain additional information becomes known, the SCI entity is required to promptly disseminate such information. Until the SCI event is resolved, the SCI entity is required to provide regular updates on the required information.\2005\ As adopted, the information dissemination requirement does not apply to SCI events to the extent they relate to market regulation or market surveillance systems and de minimis SCI events. Rule 1002(c) imposes new requirements that are not currently part of the ARP Inspection Program. However, some entities currently provide their members or participants and, in some cases, market participants or the public more generally, with notices of systems issues. --------------------------------------------------------------------------- \2005\ Rule 1002(c)(2) provides an exception to the information dissemination requirement for systems intrusions when an SCI entity determines that dissemination of information would likely compromise the security of the SCI entity's systems, or an investigation of the systems intrusion, and documents the reasons for such determination. --------------------------------------------------------------------------- As discussed in Section IV.B.3.d, a major SCI event is defined to mean an SCI event that has any impact on a critical SCI system or a significant impact on the SCI entity's operations or on market participants. The Commission believes that, in the context of a major SCI event, where the impact of the SCI event is most likely to be felt by many market participants, the goal of aiding market participants in evaluating the impact of the event would be efficiently served by dissemination of information to all members or participants of the SCI entity.\2006\ --------------------------------------------------------------------------- \2006\ At the same time, the Commission recognizes that some SCI events that meet the definition of ``major SCI event'' could also qualify as de minimis SCI events. Like other de minimis SCI events, they are excepted from the information dissemination requirement. In particular, because major SCI events are a subset of SCI events, the exception under Rule 1002(c)(4)(ii) applies to major SCI events that meet the requirements of that rule. --------------------------------------------------------------------------- The Commission believes that Rule 1002(c) will help market participants--specifically the members or participants of SCI entities estimated to be affected by an SCI event and any additional members or participants subsequently estimated to be affected by an SCI event and, in some cases, all members or participants of an SCI entity--to better evaluate the operations of SCI entities by requiring certain information to be disclosed. Furthermore, increased awareness of SCI events through information disseminated to members or participants should provide SCI entities additional incentives to maintain robust systems and minimize the occurrence of SCI events. More robust SCI systems and the reduction in the occurrence of SCI events could reduce interruptions in price discovery process and liquidity flows as discussed above in Section VI.C.1. One commenter provided information about the benefits of the proposed information dissemination requirements. Specifically, according to this commenter, one of the major benefits of Regulation SCI could be better sharing of information about technology problems.\2007\ According to this commenter, sharing information about hardware failures, systems intrusions, and software glitches will alert others in the industry about such problems and help reduce system-wide costs of diagnosing problems, as well as result in improved responses to technology problems.\2008\ This commenter also believed that the information will serve as warnings to other SCI entities to stay vigilant to prevent similar problems.\2009\ The Commission believes that benefits identified by the commenter could be benefits of Rule 1002(c). --------------------------------------------------------------------------- \2007\ See Angel Letter at 5. \2008\ See id. \2009\ See id. However, this commenter also disagreed with the Commission that SCI entities may be reluctant to admit publicly to their glitches. See id. at 14. According to this commenter, market participants interact repeatedly with each other on a real-time basis and are acutely aware of glitches when they occur. See id. --------------------------------------------------------------------------- As discussed above, while some entities currently provide their members or participants and, in some cases, market participants or the public more generally, with notices of certain systems issues (e.g., system outages), Rule 1002(c) imposes new requirements that are not currently part of the ARP Inspection Program. As such, the requirements of Rule 1002(c) will impose costs--which are attributed to paperwork burdens--on SCI entities with respect to preparing, drafting, reviewing, and making the information available to members or participants. These costs are discussed in more detail in Section V.D.2.b.\2010\ --------------------------------------------------------------------------- \2010\ When monetized, the paperwork burden would result in approximately $26 million, in addition to approximately $1.6 million in outsourcing cost, annually for all SCI entities in the aggregate. --------------------------------------------------------------------------- In the SCI Proposal, the Commission recognized that SCI entities incur costs to determine whether an event needs to be disseminated. While the SCI events subject to the adopted information dissemination requirements are different from those that would have been subject to the proposed requirements, the Commission continues to recognize that the determination imposes costs. Specifically, identifying major SCI events may impose one-time implementation costs on SCI entities associated with developing a process for ensuring that they are able to quickly and correctly make such determinations, as well as periodic costs in reviewing the adopted process. These costs are discussed in more detail in Section V.D.3.b.\2011\ --------------------------------------------------------------------------- \2011\ See also supra note 2001. --------------------------------------------------------------------------- One commenter expressed concern that SCI entities may over-report issues out of an abundance of caution if SCI entities are not given clear guidelines as to what and to whom they are required to provide information.\2012\ This commenter believed that a flood of notifications, taken out of context, may create investor impression based on the quantity, not the quality, of the notifications disseminated, that certain counterparties pose serious risks to the market, when that is not the case.\2013\ For the reasons discussed in Section IV.B.3.d, the Commission believes that information about SCI events (other than major SCI events and de minimis SCI events) should be disseminated to affected members or participants, and information about major SCI events (other than those that qualify as de minimis SCI events) should be disseminated to all members or participants of an SCI entity. At the same time, as compared to proposed Rule 1000(b)(5), the Commission is limiting the requirement for information dissemination to all members or participants of an SCI entity to major SCI events; limiting other information dissemination to members or participants affected by the SCI event; and excluding de minimis SCI events and SCI events related to market regulation or market surveillance systems from the information dissemination requirement. These changes would limit the compliance cost for Rule 1002(c), and are responsive to the commenter's concern that SCI entities may over-disclose systems issues. --------------------------------------------------------------------------- \2012\ See Fidelity Letter at 5. \2013\ See id. --------------------------------------------------------------------------- As an alternative to the adopted rule, one commenter suggested broadening the proposed rule to require an SCI entity to disseminate information on SCI events to the public, and not just to its [[Page 72427]] members or participants.\2014\ This commenter believed that public dissemination of the facts of an SCI event would help enhance investor confidence by preventing speculation and misinformation, and would provide important learning opportunities for the industry and other SCI entities.\2015\ The Commission acknowledges that there can be additional benefits from disseminating major SCI events to the public as noted by the commenter. Under the adopted rule, an SCI entity is required to disseminate information on major SCI events (other than those that qualify as de minimis SCI events) to all of its members and participants. The Commission believes that these market participants are the most likely to act on this information and, thus, induce additional competitive incentives for SCI entities to avoid systems issues. As such, the Commission believes that it can achieve the purposes of the rule without requiring public dissemination, and also believes any additional gain in benefits from public dissemination would be minimal. --------------------------------------------------------------------------- \2014\ See MFA Letter at 7. \2015\ See id. --------------------------------------------------------------------------- v. Material Systems Changes--Rule 1003(a) Rule 1003(a)(1) requires an SCI entity to provide quarterly reports to the Commission, describing completed, ongoing, and planned material systems changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters. Rule 1003(a)(1) also requires an SCI entity to establish reasonable written criteria for identifying a change to its SCI systems and the security of its indirect SCI systems as material. Rule 1003(a)(2) requires an SCI entity to promptly submit a supplemental report to notify the Commission of a material error in or material omission from a previously submitted report. Entities that participate in the ARP Inspection Program currently provide some material systems change notifications to the Commission and the Commission believes that all SCI entities have some internal processes for documenting systems changes as a matter of prudent business practice. For example, consistent with the ARP Policy Statements, certain entities provide annual reports on significant systems changes and notify the Commission on an as-needed basis regarding certain significant systems changes. In addition, ATSs are required notify the Commission of certain systems changes pursuant to Rule 301(b)(2)(ii) and Rule 301(b)(6)(ii)(G) of Regulation ATS, as applicable. Rule 1003(a) changes some of the current practices and sets forth more detailed requirements for these notifications. For example, Rule 1003(a) covers material changes on a broader set of systems than the ARP Inspection Program or Regulation ATS. Rule 1003(a) also requires an SCI entity to submit quarterly reports on Form SCI regarding material systems changes, but does not require separate notification for each material systems change. Further, Rule 1003(a) requires an SCI entity to promptly notify the Commission (by submitting Form SCI) of a material error in or material omission from a previously submitted report. To the extent that Rule 1003(a) requires SCI entities to notify the Commission of material systems changes for more types of systems and to the extent that it requires notification at a higher frequency than current practice (quarterly reports vs. annual reports), the Commission believes that Rule 1003(a) should enhance the Commission's oversight of the operation of SCI entities. The compliance costs of Rule 1003(a) primarily entail costs associated with preparing and submitting Form SCI in accordance with the instructions thereto. The initial and ongoing cost estimates associated with preparing and submitting Form SCI with regard to material systems changes under Rules 1003(a)(1) and (2) are discussed in detail in Section V.D.2.c.\2016\ The Commission does not expect Rule 1003(a) will impose significant costs on SCI entities other than those discussed in Section V.D.2.c. --------------------------------------------------------------------------- \2016\ When monetized, the paperwork burden would result in approximately $6.8 million annually for all SCI entities in the aggregate. --------------------------------------------------------------------------- According to one commenter, ``[t]he larger market participants [that will be subject to Regulation SCI] are generally experienced and circumspect with regards to significant infrastructure changes, such as data center migrations and major platform upgrades.'' \2017\ This commenter expected that, for these larger entities, integrating Regulation SCI compliance into their existing programs can occur without crippling disruption or exorbitant cost, and expected that insight from the implementation of Regulation SCI would contribute to overall stability and resiliency of the markets over time.\2018\ However, this commenter expressed concern that compliance with the Commission notification requirement will result in incremental costs that may in some cases delay or discourage innovation.\2019\ Another commenter similarly expressed concern about the compliance burden and the resulting impact on competition and innovation associated with the 30-day advance Commission notification requirement for material systems changes.\2020\ In addition, one commenter noted that the Commission underestimated the cost of lost business opportunities and the inability to swiftly deploy corrective solutions that would result from the 30-day advance systems change notification requirements.\2021\ This commenter noted that most ATS operators with advanced systems purposefully implement frequent agile modifications instead of major episodic changes in order to continuously improve their systems and minimize the impact of the changes.\2022\ This commenter expressed concern that a built-in 30-day delay in implementing changes would encourage the deployment of larger, riskier changes more infrequently, thereby creating longer periods of time during which a systems issue and/or erroneous configuration would continue without correction.\2023\ This commenter also stated that the 30-day advance notification process has the potential to delay the deployment of corrective solutions that are necessary to ensure the provision of uninterrupted and efficient order matching services at the best available prices.\2024\ --------------------------------------------------------------------------- \2017\ See SunGard Letter at 3. \2018\ See id. \2019\ See id.. \2020\ See BATS Letter at 15. See also, e.g., supra notes 999- 1000 (discussing the views of commenters that the proposed 30-day advance notification requirement would stifle innovation and interfere with an SCI entity's natural planning and development process). \2021\ See ITG Letter at 8. \2022\ See id. \2023\ See id. \2024\ See id. --------------------------------------------------------------------------- As noted above, as adopted, Regulation SCI does not include the proposed 30-day advance Commission notification requirement for material systems changes. Rather, Rule 1003(a)(1) requires quarterly reports of material systems changes. Elimination of the proposed 30-day advance Commission notification requirement addresses the concern of some commenters that the rule would impede agile development methodology and favor the waterfall development methodology, or delay the implementation of systems changes or innovations, particularly for smaller SCI entities. The quarterly reports will also provide the Commission and its staff with a more efficient framework to review material systems changes, [[Page 72428]] because including all relevant material systems changes in a single report will allow the Commission to more easily and clearly understand an SCI entity's framework for systems changes, including how certain material systems changes are related.\2025\ --------------------------------------------------------------------------- \2025\ As discussed above, Commission staff will not use material systems change reports to require any approval of planned systems changes in advance of their implementation pursuant to any provision of Regulation SCI, or to delay implementation of material systems changes pursuant to any provision of Regulation SCI. See supra Section IV.B.4.b. --------------------------------------------------------------------------- vi. SCI Review--Rule 1003(b) Rule 1003(b) requires an SCI entity to conduct an SCI review of its compliance with Regulation SCI not less than once each year,\2026\ and submit a report of the SCI review to senior management of the SCI entity for review no more than 30 calendar days after completion of such SCI review. Rule 1003(b) also requires an SCI entity to submit a report of the SCI review to the Commission and to the board of directors of the SCI entity or the equivalent of such board, together with any response by senior management, within 60 calendar days after its submission to senior management of the SCI entity. --------------------------------------------------------------------------- \2026\ However, penetration test reviews of the network, firewalls, and production systems are required to be conducted not less than once every three years. See Rule 1003(b)(i). Assessments of SCI systems directly supporting market regulation or market surveillance are required to be conducted at a frequency based upon the risk assessment conducted as part of the SCI review, but also not less than once every three years. See Rule 1003(b)(1)(ii). --------------------------------------------------------------------------- Systems reviews have been part of the ARP Inspection Program, and through this program, the Commission understands that many SCI entities currently undertake annual systems reviews and that senior management and/or the board of directors or a committee thereof reviews reports of such reviews. However, the Commission believes that the scope of the systems reviews, and the level of senior management and/or board involvement in such reviews, varies among ARP entities. The Commission expects that the SCI review requirement would produce greater consistency in the approach that SCI entities take in systems reviews, which would help improve the efficiency of the Commission's oversight (e.g., inspection) of SCI entities' systems. In addition, the Commission believes that the SCI review requirement would result in SCI entities having an improved awareness of the relative strengths and weaknesses of their systems independent of the assessment of Commission staff, which should, in turn, improve systems and reduce the number of SCI events. As discussed in Section VI.C.1, the reduction in occurrence of SCI events could reduce interruptions in the price discovery process and liquidity flows. The initial and ongoing paperwork burden associated with conducting an SCI review, submitting a report of the SCI review to senior management of the SCI entity for review, and submitting a report of the SCI review and any response by senior management to the Commission and to the board of directors of the SCI entity or the equivalent of such board is discussed in Section V.D.2.d.\2027\ SCI entities will also incur costs in addition to the paperwork burden to comply with the SCI review requirement. Although the Commission understands that most SCI entities currently undertake annual systems reviews, Rule 1003(b) sets forth specific requirements related to the SCI review. In particular, an SCI review is required to include a risk assessment with respect to SCI systems and indirect SCI systems of an SCI entity, an assessment of internal control design and effectiveness of SCI systems and indirect SCI systems, and penetration testing reviews. Moreover, Rule 1003(b) specifies that the SCI review is to determine the SCI entity's compliance with Regulation SCI. Rule 1003(b) also requires a report of the SCI review and any senior management response to be submitted to the board of directors of the SCI entity or the equivalent of such board and thus SCI entities may incur an additional cost as a result of additional time the board allocates to evaluate the review. The Commission cannot estimate costs other than paperwork burdens because the Commission does not have the information necessary to provide a reasonable estimate. In particular, the Commission lacks information on how SCI entities will structure their reviews. --------------------------------------------------------------------------- \2027\ When monetized, the paperwork burden would result in approximately $9.7 million, in addition to approximately $2.2 million in outsourcing cost, annually for all SCI entities in the aggregate. --------------------------------------------------------------------------- As discussed above in Section IV.B.5, the Commission is not adopting a requirement that SCI reviews be conducted by an independent third party because the Commission believes that the goals of Regulation SCI can be achieved through reviews by either internal objective personnel or external objective personnel. The Commission acknowledges that, in some cases, there could be potential benefits from requiring third party reviews. However, as noted in Section IV.B.5, third parties can also have conflicts of interest that prevent a particular entity or personnel from meeting the objectivity standard required for an SCI review. In addition, during the Technology Roundtable in which participants discussed third party review, some panelists suggested that the use of an external third party is unnecessary because, for example, the training for a third party as well as the costs involved with third party evaluations would be large with little additional benefit.\2028\ The Commission agrees that SCI entities would likely need to provide significant guidance to third- party reviewers on the specific features of the entity's systems. The Commission recognizes that a third-party review requirement could impose additional costs on SCI entities, and believes that it is appropriate at this time to allow SCI entities to decide whether to incur such costs instead of mandating third-party review. --------------------------------------------------------------------------- \2028\ See Transcript of the Technology Roundtable, at 86-91. --------------------------------------------------------------------------- vii. Business Continuity and Disaster Recovery Plan Testing--Rule 1004 Rule 1004(b) requires the testing of an SCI entity's business continuity and disaster recovery plans at least once every 12 months. Rules 1004(a) and (b) require participation in such testing by those members or participants that an SCI entity reasonably determines are, taken as a whole, the minimum number necessary for the maintenance of fair and orderly markets in the event of the activation of its business continuity and disaster recovery plans. Rule 1004(c) requires an SCI entity to coordinate such testing on an industry- or sector-wide basis with other SCI entities. The requirements under Rule 1004 are not a part of the ARP Inspection Program. As discussed above in Section VI.B.2, the securities industry generally has a voluntary system for testing business continuity and disaster recovery plans and market participants, including exchanges, members of exchanges, clearing agencies, clearing members, and ATSs, already coordinate certain business continuity and disaster recovery plan testing to some extent. For example, some SCI entities already require some of their members or participants to connect to their backup systems. Further, although participation is not always mandatory, some SCI entities already provide their members or participants with the opportunity to test the SCI entity's business continuity and disaster recovery plans. However, because not all SCI entities require member or participant participation in business continuity and disaster recovery plans testing, the Commission [[Page 72429]] understands that not all market participants participate in such testing. Moreover, the Commission understands that, to the extent such participation occurs, it may in many cases be limited in nature (e.g., testing for connectivity to backup systems).\2029\ --------------------------------------------------------------------------- \2029\ See Proposing Release, supra note 13, at 18164. --------------------------------------------------------------------------- The Commission believes that, for SCI entities, voluntary testing is insufficient, and that business continuity and disaster recovery planning for market centers and certain members or participants must be an integral component of business continuity and disaster recovery preparedness. The Commission further believes that the requirements under Rule 1004 should help ensure that the securities markets will have improved backup infrastructure and fewer market-wide shutdowns. As discussed in detail in Section VI.C.1, fewer market-wide shutdowns should help facilitate continuous liquidity flows in markets, reduce pricing errors, and thus improve the quality of the price discovery process. With respect to these benefits, one commenter suggested measuring benefits of reducing outages and technical issues by looking at, for example, loss of trading commissions due to outages.\2030\ This commenter estimated that the potential loss of equity commissions by broker-dealers over the two-day market closure from Superstorm Sandy may have been approximately $374 million.\2031\ The Commission believes that measuring potential benefits in terms of transaction costs (commission revenue) does not fully account for other benefits, such as uninterrupted liquidity flows and price discovery.\2032\ Furthermore, the Commission believes that the estimated commission loss noted by the commenter likely overstates the actual losses in commissions because some of the ``lost'' trading may have only been delayed until the markets re-opened after Superstorm Sandy. Accordingly, the Commission is not persuaded that the estimate provided by the commenter represents the quantified benefit associated with this component of Regulation SCI. The Commission is unable to estimate the benefit of this component of Regulation SCI because the Commission does not have quantified information on the extent that a reduction in SCI events will help facilitate liquidity flows in markets, reduce pricing errors, and thus improve the quality of the price discovery process. Furthermore, the Commission is unable to quantify the impact of ``delayed'' trading because it lacks the information necessary to provide a reasonable estimate. In particular, data on the trading activity lost as opposed to ``delayed'' due to the two-day market closure would be extremely difficult to piece together in a meaningful way. --------------------------------------------------------------------------- \2030\ See Angel Letter at 15-16. The Commission also notes that this commenter and others expressed the view that enhanced BC/DR testing would have substantial benefits. See, e.g., id. at 9-10 (stating that the ``ability of SROs to require their members to participate in testing is an important step forward in making sure that testing is as realistic as possible . . . [and] is one of the most valuable parts of Regulation SCI and will do the most to ensure improved market network reliability''); and UBS Letter at 5 (stating that the ``critical task of BCP testing should not be undertaken in isolated silos by individual firms. Individual BCP testing that does not involve realistic scenarios with connected participants may mask gaps and/or be insufficient from a systems integrity standpoint'' and that the benefits of a ``new and more comprehensive BCP testing paradigm'' would be ``broad and considerable''). \2031\ This commenter based this estimate on FINRA member equity commissions in 2010 obtained from SIFMA. See Angel Letter at 16. In addition, this commenter referred to the losses and legal and administrative costs associated with the Facebook IPO, as well as the losses associated with the May 6, 2010 incident. See id. at 15- 16. This commenter also more generally stated that the benefits of reducing outages and major technical issues are pretty straightforward--catastrophic failures in exchange systems are extremely costly, both in terms of direct losses to participants and in reduced investor confidence in the markets. See id. at 15. According to this commenter, even a modest reduction in the overall risk of a meltdown is quite cost effective to the economy as a whole. See id. \2032\ As noted by this commenter, the $374 million loss does not include lost trading profits to investors, or loss of utility from being able to hedge risk, monetize holdings, or otherwise trade. See id. at 16. --------------------------------------------------------------------------- Costs to SCI Entities The mandatory testing of SCI entity business continuity and disaster recovery plans, including backup systems, as required under Rule 1004, will result in additional costs to SCI entities. The Commission notes that some SCI entities already offer availability for their members or participants to test business continuity and disaster recovery plans. Furthermore, as mentioned above, market participants, including SCI entities, already coordinate certain business continuity plan testing to an extent. However, Rule 1004 mandates participation in testing for some entities that do not currently participate, requires more rigorous testing than currently required, and requires greater coordination than SCI entities and market participants currently engage in. In particular, Rule 1004 requires SCI entities to designate their members or participants to participate in business continuity and disaster recovery plan testing and to coordinate such testing with other SCI entities on an industry- or sector-wide basis. The requirement of member or participant designation in business continuity and disaster recovery plan testing under Rule 1004 imposes additional costs as an SCI would have to allocate resources towards initially establishing and later updating standards for the designation of its members and participants for testing. Furthermore, the requirement to coordinate industry- or sector-wide testing will impose additional administrative costs because an SCI entity would be required to notify its members or participants and also organize, schedule, and manage the coordinated testing.\2033\ --------------------------------------------------------------------------- \2033\ Administrative costs associated with coordinating testing are included as part of the PRA burden of Rule 1004. See supra Section V.D.1.b. As discussed in Section V.D.1.b, the Commission continues to believe that plan processors will outsource the work related to compliance with Rule 1004. --------------------------------------------------------------------------- Some commenters stated that the scope of the proposed testing requirement would impose costs on SCI entities that the Commission did not account for, including the cost to reconfigure their systems to engage in functional and performance testing, the cost of establishing effective coordinated test scripts for the testing, and time necessary to conduct the required testing.\2034\ Another commenter stated that testing will be costly to ATSs and their subscribers, and that the aggregate cost for all would be higher than the $66 million estimated in the SCI Proposal.\2035\ This commenter noted that the cost includes the time, resources, and professional staff that would be devoted to the testing process, and the resulting lost business opportunities associated with the ability to focus on revenue generating projects.\2036\ In addition, this commenter stated that, while connectivity between an ATS and its subscribers may already be established, additional configurations and build out of systems may be required to create a testing environment that simulates live market conditions.\2037\ --------------------------------------------------------------------------- \2034\ See supra Section IV.B.6.b (discussing comments on proposed Rule 1000(b)(9)). \2035\ See ITG Letter at 15-16. \2036\ See id. \2037\ See id. --------------------------------------------------------------------------- Another commenter stated that there are dozens of man-days of pre- test planning, preparation, pre-testing testing, testing, and post- mortem reviews for SCI entities associated with the industry test initiatives.\2038\ According to this commenter, there are anywhere from tens to hundreds of business and technology staff engaged [[Page 72430]] in this initiative.\2039\ This commenter estimated the following staff levels required to support testing: Exchanges--175-200+ man-days; member firms--80-85 man-days; and ATSs--12-25 man-days.\2040\ Based on the commenter's upper estimates measured in man-days, the Commission estimated monetary values by allocating hours among the traders, technologists, programmers/system administrators, exchange personnel, and analysts necessary for implementation of disaster recovery testing. This estimation yields implied annual average total cost estimates of $500,000 and $60,000 for exchanges and ATSs, respectively.\2041\ For the reasons discussed below, the Commission believes that this commenter's cost estimate does not accurately reflect the costs to SCI entities. --------------------------------------------------------------------------- \2038\ See Tellefsen Letter at 11. \2039\ See id. \2040\ See id. \2041\ The allocations are based on Commission staff experience that exchanges would divide their personnel as 85% technologists, 5% exchange rule enforcement personnel, and 10% business analysts, and ATSs are assumed to divide their personnel as 90% technologists and 10% business analysts based on staff experience. The hourly rates are from SIFMA's Management & Professional Earnings in the Securities Industry 2012, modified by Commission staff to account for an 1800-hour work-year and multiplied by 5.35 to account for bonuses, firm size, employee benefits and overhead. The calculation for ATSs was as follows: 25 days x (10% time required by analysts x $245/hour + 90% time required by technologists x $282/hour) = $55,660 per ATS. For each exchange: 200 days x (85% time required by technologists x $282/hour + 10% time required by analysts x $245/ hour + 5% time required by supervisors x $446/hour) = $458,400 per exchange. The Commission has rounded up because the breakdown between analysts, supervisors, and technologists may vary between ATSs and Exchanges. In the absence of a specific estimate provided by the commenter for plan processors or clearing agencies, the estimate for exchanges is assumed to apply to these types of SCI entities. Estimates for members and participants are discussed separately below. --------------------------------------------------------------------------- The Commission recognizes that the factors described by commenters will contribute to costs for SCI entities associated with business continuity and disaster recovery plans testing. For example, as discussed in Section IV.B.6.b, the Commission acknowledges that systems reconfiguration for functional and performance testing and establishing an effective coordinated test script could be a complex process and result in costs. At the same time, the Commission believes that systems reconfiguration and the establishment of an effective coordinated test script is an important first step in establishing robust and effective business continuity and disaster continuity plans testing. The Commission also notes that costs of Rule 1004 are likely to be lower than those estimated by commenters because of changes made to the proposed rule. For example, although Rule 1004 would require testing of BC/DR plans that is more rigorous than some types of testing urged by some commenters, the adopted rule includes a more targeted member and participant designation provision than the proposed rule. As discussed above in Section IV.B.6.b, compared to proposed Rule 1000(b)(9), the Commission believes that the adoption of a more targeted designation requirement is likely to result in a smaller number of SCI entity members or participants being designated to participate in business continuity and disaster recovery plans testing and thus should result in lower costs for SCI entities to coordinate testing.\2042\ --------------------------------------------------------------------------- \2042\ See supra Section IV.B.6.b (discussing the designation requirement in adopted Rule 1004). --------------------------------------------------------------------------- The Commission is unable to provide a quantified estimate of the specific costs for SCI entities associated with the mandatory testing of SCI entity business continuity and disaster recovery plans, including backup systems. Although several commenters provided general estimates as to the costs of compliance with Rule 1004, these commenters did not provide their assumptions or a description of the quantified costs associated with each potential source of costs. Given the lack of information provided by commenters and that these costs could vary significantly based on the specific systems of each SCI entity, the Commission is unable to determine whether the costs provided by commenters are representative. Additionally, the Commission notes that commenters appeared to focus on costs as if assuming there is no testing today. Because SCI entities currently engage in some coordinated BC/DR testing, the Commission believes that the average incremental cost to SCI entities, in addition to the burden estimated in the PRA, would be lower than these commenters' cost estimates. The Commission also believes that costs would be significantly lower in the year following the initial year of testing. Because the Commission does not have detailed information regarding the current level of BC/DR testing and coordination of such testing by each SCI entity, and the cost associated with such testing and coordination, however, the Commission cannot at this time provide a quantified estimate of the cost for SCI entities to comply with Rule 1004. Costs to SCI Entity Members and Participants The Commission believes that Rule 1004 will also impose costs on SCI entity designated members and participants. In the SCI Proposal, based on discussions with market participants, the Commission estimated that the cost of business continuity and disaster recovery plan testing would range from immaterial administrative costs (for SCI entity members and participants that currently maintain connections to SCI entity backup systems) to a range of $24,000 to $60,000 per year per member or participant in connection with each SCI entity.\2043\ As noted in the SCI Proposal and also above, the Commission understood that most of the larger members or participants of SCI entities already maintain connectivity with the backup systems of SCI entities and, thus, the additional connectivity costs imposed by proposed Rule 1000(b)(9) to these larger members or participants may be minimal.\2044\ However, among smaller members or participants of SCI entities, the number of members or participants who maintain such connectivity is lower.\2045\ Therefore, costs at the higher end of the estimated range would accrue for members or participants who would need to invest in additional infrastructure and to maintain connectivity with an SCI entity's backup systems in order to participate in testing. --------------------------------------------------------------------------- \2043\ See Proposing Release, supra note 13, at 18172. \2044\ See id. at 18172 and n. 642. \2045\ See id. at 18172. --------------------------------------------------------------------------- Furthermore, in the SCI Proposal, the Commission acknowledged that it is difficult to provide an estimate for the total aggregate cost to SCI entity members or participants under proposed Rule 1000(b)(9).\2046\ Because each SCI entity had discretion in determining its standards for designating members or participants for the testing required by proposed Rule 1000(b)(9)(i), the Commission did not have enough information to estimate the number of members or participants at each SCI entity that would be designated as required to participate in testing and to determine whether such designated members or participants are those that already maintain connections to SCI entity backup systems. With limited information, the Commission provided a total aggregate annual cost estimate in the SCI Proposal of approximately $66 million for designated members and participants to participate in business continuity and disaster recovery plans testing.\2047\ --------------------------------------------------------------------------- \2046\ See id. \2047\ See id. at 18172 and n.643. --------------------------------------------------------------------------- Several commenters stated that the Commission underestimated the cost of [[Page 72431]] business continuity and disaster recovery plan testing under proposed Rule 1000(b)(9). One commenter noted that the Commission failed to take into account those SCI entities that engage in systems-specific testing upon implementation or initial connection by a market participant, but do not engage in business continuity and disaster recovery testing with the participation of market participants.\2048\ One commenter noted that the average cost for a broker-dealer to maintain fully redundant systems at all relevant exchange backup facilities would be approximately $3 million annually, according to one of its informal surveys.\2049\ Further, this cost would not include the initial capital costs related to the infrastructure or the labor/employment necessary for the maintenance and monitoring of backup connection and facilities.\2050\ --------------------------------------------------------------------------- \2048\ See MSRB Letter at 38. \2049\ See FIA PTG Letter at 3. See also BIDS Letter at 8 (commenting that testing and backup connections are expensive, and the expense of the connections could outweigh the value or the utilization of the value that certain venues provide). \2050\ See FIA PTG Letter at 3. This commenter noted that the costs vary widely among members and exchanges but are not insubstantial. See id. --------------------------------------------------------------------------- Other commenters stated that the Commission underestimated other aspects of the cost of business continuity and disaster recovery plan testing under proposed Rule 1000(b)(9). One commenter believed that the requirement for members to connect to an SCI entity's backup site could pose significant economic burden and provide little benefit to the market.\2051\ This commenter believed that the cost of such connections would be well over the $10,000 per connection that the Commission estimated.\2052\ According to this commenter, establishing and maintaining a connection with comparable trading capability and latency could cost a broker-dealer that co-locates at an SCI entity's data center between $15,000 and $20,000 monthly simply for the necessary communication lines.\2053\ In addition, this commenter noted that such members would need additional hardware (estimated to be up to $500,000) to establish an appropriate presence at the backup site to ensure that they could trade in an efficient manner with low latency.\2054\ This commenter believed that compliance with the Rule 1000(b)(9) requirements could cause broker-dealers to reduce the number of SCI entities through which they trade.\2055\ This commenter suggested that the standard for designating members should be those members ``critical to the operation of the SCI entity.'' \2056\ --------------------------------------------------------------------------- \2051\ See ISE Letter at 9. \2052\ See id. \2053\ See id. \2054\ See id. \2055\ See id. \2056\ See id. According to this commenter, under the suggested standard, its focus would be on its seven Primary Market Makers who provide continuous liquidity, and these members would provide a baseline of liquidity for trading. See id. However, this commenter believed that, in order to satisfy the standard to provide ``fair and orderly trading,'' it may need to require some or all of its 145 Electronic Access Members who access liquidity. See id. --------------------------------------------------------------------------- Another commenter estimated that the costs to a market making firm to support fully redundant exchange and ATS backup facilities would be approximately $7 million to $10 million in initial capital, with annual costs of between $5 million and $9 million.\2057\ According to this commenter, this cost is not justified by the benefits because backup facilities would not be used in the event of an outage at the primary site,\2058\ and would lead firms to reconsider their ability to make markets on as many trading platforms and potentially reduce price competition.\2059\ --------------------------------------------------------------------------- \2057\ See KCG Letter at 4, 12. This commenter stated that the cost of supporting a backup facility of an SCI entity would be reduced, if the backup facility of an SCI entity were at the primary site of another SCI entity where the market maker traded. See id. at 12. \2058\ See id. at 4. \2059\ See id. at 12. --------------------------------------------------------------------------- The same commenter who provided an estimate of burdens for SCI entities expressed the view that there are also dozens of man-days of pre-test planning, preparation, pre-testing testing, testing, and post- mortem reviews for members and participants that would be associated with industry test initiatives.\2060\ Based on the commenter's upper estimates for member firms, measured in man-days, the Commission assigned monetary values using appropriate hours allocation among the traders, technologists, programmers/system administrators, exchange personnel, and analysts necessary for implementation of disaster recovery testing. This procedure yields an annual average total cost estimate of about $200,000 for each member firm.\2061\ For the reasons discussed below, the Commission believes that this commenter's cost estimate does not accurately reflect the costs to members or participants. --------------------------------------------------------------------------- \2060\ See also supra note 2038 and accompanying text (discussing this commenter's cost estimate for SCI entities). \2061\ The allocations are based on the staff experience that member firms divide their personnel as 45% traders, 45% technologists, and 10% business analysts. The hourly rates are from SIFMA's Management & Professional Earnings in the Securities Industry 2012, modified by Commission staff to account for an 1800- hour work-year and multiplied by 5.35 to account for bonuses, firm size, employee benefits and overhead. The calculation for member firms was as follows: 85 days x (10% time required by analysts x $245/hour + 45% time required by technologists x $282/hour + 45% time required by traders x $312/hour) = $198,424 per member firm. --------------------------------------------------------------------------- The Commission acknowledges that members or participants will incur costs as a result of Rule 1004. However, the Commission believes that the members or participants likely to be designated to participate in such testing are those that conduct a high level of activity with the SCI entity, or that play an important role for the SCI entity (such as market makers), and who are more likely to have already established connections to the SCI entity's backup site. The Commission believes that many of these members or participants already have established connectivity with the SCI entity's backup site and already monitor and maintain such connectivity, and thus the additional connectivity costs imposed by Rule 1004 would be modest to these members or participants. For members or participants that currently do not have connectivity, the Commission recognizes the requirements of Rule 1004 will impose costs on members or participants in establishing, maintaining, and monitoring backup connection and facilities. The Commission believes that a few commenters who stated that the Commission underestimated these costs may have based their cost estimates for proposed Rule 1000(b)(9) on the assumption that member connections to SCI entities' backup systems need to be the same as those at the primary site.\2062\ However, as discussed above in Section IV.B.6, Rule 1004 does not require SCI entity members or participants to maintain the same level of connectivity with the backup sites of an SCI entity as they do with the primary sites. In the event of a wide- scale disruption in the securities markets, the Commission acknowledges that an SCI entity and its members or participants may not be able to provide the same level of liquidity as on a normal trading day. In addition, the Commission recognizes that the concept of ``fair and orderly markets'' does not require that trading on a day when business continuity and disaster recovery plans are in effect reflect the same level of liquidity, depth, volatility, and other characteristics of trading on a normal trading day. --------------------------------------------------------------------------- \2062\ See supra notes 2049, 2050, 2052-2054, and 2057 and accompanying text (discussing commenters' estimates of the cost to maintain fully redundant systems at relevant SCI entity backup facilities). --------------------------------------------------------------------------- The Commission, however, is unable to provide a quantified estimate of the [[Page 72432]] specific costs for SCI entity members or participants associated with the mandatory testing required by Rule 1004. Although several commenters provided general estimates as to the costs of compliance with Rule 1004, these commenters did not provide their assumptions or a description of the quantified costs associated with each potential source of costs. Given the lack of information provided by commenters and that these costs could vary significantly based on the specific systems of each SCI entity and member or participant, the Commission is unable to determine whether the costs provided by commenters are representative. Additionally, the Commission notes that some commenters appeared to focus on costs as if assuming there is no testing today. Because some members and participants of SCI entities currently participate in SCI entities' BC/DR testing, these members and participants would not incur the full costs estimated by the commenters. Thus the Commission believes that the average incremental cost to members or participants would be lower than these commenter's estimates because the estimates do not account for current practices. The Commission also believes that costs will be highly variable among member firms, and will be significantly lower in the year following the initial year of testing. Because the Commission does not have detailed information regarding the current level of engagement by members or participants in BC/DR testing and the associated costs, or the details of the BC/DR testing that SCI entities will implement pursuant to Rule 1004, the Commission cannot at this time provide a precise quantified estimate of the cost for SCI entities' designated members or participants to comply with Rule 1004.\2063\ The Commission also notes that it is critical that SCI entities and their designated members or participants be able to operate with the SCI entities' backup systems in the event of a wide-scale disruption, and believes that the costs that would be incurred by essential market participants are appropriate in light of the benefits discussed above.\2064\ --------------------------------------------------------------------------- \2063\ Although the Commission cannot at this time precisely estimate the total cost of compliance with Rule 1004, the Commission believes that $10,000 on average per SCI entity is a reasonable estimate solely for the incremental cost of connectivity associated with the requirements of Rule 1004. As noted above, the Commission continues to believe that it is reasonable to estimate that the members or participants of SCI entities that are most likely to be designated as required to participate in testing are those that conduct a high level of activity with the SCI entity, or that play an important role for the SCI entity (such as market makers), and that such members or participants are likely to already maintain connectivity with an SCI entity's backup systems. Therefore, the Commission is not persuaded that its estimate of the average connectivity cost for each member or participant of an SCI entity should be modified from $10,000. \2064\ Further, in response to comment that the added benefit of requiring fully redundant backup systems is almost impossible to measure while the cost of implementation is significant, the Commission acknowledges that testing of a BC/DR plan does not guarantee flawless execution of that plan, but still believes testing is warranted because a tested plan is likely to be more reliable and effective than an inadequately tested plan. --------------------------------------------------------------------------- Although the Commission generally believes that the aggregate cost to SCI entity members or participants under Rule 1004 will be lower than the cost estimated for proposed Rule 1000(b)(9), the Commission continues to believe it is difficult to provide an estimate for the aggregate cost to SCI entity members or participants because under Rule 1004, each SCI entity has reasonable discretion in designating its members or participants for the required testing, and, as noted above, the Commission does not possess necessary information to estimate the number of designated members or participants and to determine whether such designated members or participants are those that already have established and maintained connectivity to the SCI entity's backup systems. Accordingly, the Commission cannot at this time provide a quantified estimate of the total aggregate cost to SCI entity members or participants under Rule 1004.\2065\ --------------------------------------------------------------------------- \2065\ The Commission believes that it can reasonably estimate connectivity costs but not all costs associated with BC/DR testing. With respect to connectivity, the Commission now estimates that Rule 1004 will impose a total aggregate annual cost of approximately $18 million for designated members and participants. This estimate assumes that each of the 44 SCI entities will designate between 10 and 20 percent of its members or participants to participate in the necessary testing. This 10-20 percent estimate is based on staff experience and takes into consideration comment that typically 20 percent of an SCI entity's members might provide 80 percent of the order flow or liquidity (see Tellefsen Letter at 9), and balances it against another commenter's view that if the standard for designation was to identify those firms ``critical to the operation of the SCI entity'' (which is more targeted than the adopted standard), this commenter would designate approximately five percent of its members to participate in testing (see ISE Letter at 9). The Commission understands that many SCI entities have between 200 and 400 members or participants, although some have more and some have fewer. Therefore, the Commission estimates that on average, each SCI entity will designate approximately 40 members or participants in such testing. Based on these assumptions, the Commission estimates the total aggregate cost for connectivity to all designated members or participants of all SCI entities to be approximately $17.6 million (44 SCI entities x 40 members or participants x $10,000 = $17.6 million). --------------------------------------------------------------------------- Moreover, as noted above in Section IV.B.6.b, the Commission believes that adoption of a designation requirement that requires SCI entities to exercise reasonable discretion to identify those members or participants that, taken as a whole, are the ``minimum necessary'' for the maintenance of fair and orderly markets in the event of the activation of such plans is likely to result in a smaller number of SCI entity members or participants being designated for participation in testing as compared to the SCI Proposal, thus reducing total costs to all members or participants combined. Because the Commission believes that SCI entities have an incentive to limit the imposition of the cost and burden associated with testing to the minimum necessary to comply with the rule, it also believes that, given the option, most SCI entities would, in the exercise of reasonable discretion, prefer to designate fewer members or participants to participate in testing, than to designate more. On balance, the Commission believes that the adopted rule will incentivize SCI entities to designate those members and participants that are in fact the minimum necessary for the maintenance of fair and orderly markets in the event of the activation of their BC/ DR plans, and that this should reduce the number of designations to which any particular member or participant would be subject, compared to the SCI Proposal. It remains possible, as some commenters noted, that firms that are members of multiple SCI entities will be the subject of multiple designations, and that multiple designations could require certain firms to maintain connections to backup sites and participate in testing of the BC/DR plans of multiple SCI entities. As discussed in Section IV.B.6.b, the Commission believes this possibility, though real, may be mitigated by the fact that designations are likely to be made to firms that are already connected to one or more SCI entity backup facilities, because they are more likely to be significant members or participants of the applicable SCI entities; and that, because some SCI entity backup facilities are located in close proximity to each other, multiple connections to such backup facilities may be less costly than if SCI entity backup facilities were not so located. The Commission recognizes that there would be greater costs to a firm being designated by multiple SCI entities to participate in the testing of their business continuity and disaster recovery plans, but believes that these greater costs are warranted for such firms, as they represent significant participants in each of the SCI entities for which they are designated, and their participation in the testing of each such [[Page 72433]] SCI entity's business continuity and disaster recovery plans is necessary to evaluate whether such plans are reliable and effective. The Commission recognizes that a firm that is designated to participate in testing with multiple SCI entities may assess the costs and burdens of participating in every test to be too great, and make business decisions to withdraw its membership or participation from one or more such SCI entities so as to avoid the costs and burdens of such testing. The Commission believes such a scenario is unlikely because such firm is likely to be a larger firm with a significant level of participation in such SCI entity and is likely to already have connections to backup facilities of the SCI entity. The Commission believes that the cost associated with Rule 1004 is unlikely to induce the designated members or participants to reduce the number of SCI entities through which they trade and adversely affect price competitiveness in markets.\2066\ As noted above, the Commission also recognizes that costs to some SCI entity members or participants associated with Rule 1004 could be significant, and also highly variable depending on the business continuity and disaster recovery plans being tested. Based on industry sources, the Commission understands that most of the larger members or participants of SCI entities already maintain connectivity with the backup systems of SCI entities. However, the Commission understands that there is a lower incidence of smaller members or participants maintaining connectivity with the backup sites of SCI entities.\2067\ As such, the Commission believes that the compliance costs associated with Rule 1004 would be higher for those members or participants that are designated for testing by SCI entities who would need to invest in additional infrastructure to maintain connectivity with an SCI entity's backup systems to participate in testing, which the Commission believes is more likely to be the case for smaller members or participants designated for testing. --------------------------------------------------------------------------- \2066\ See supra notes 2055 and 2059 and accompanying text. \2067\ See Proposing Release, supra note 13, at 18172, n. 642. --------------------------------------------------------------------------- The Commission acknowledges that the compliance costs associated with Rule 1004 could raise barriers to entry and affect competition among members or participants of SCI entities. Specifically, to the extent that members or participants could be subject to designation in business continuity and disaster recovery plan testing and could incur additional compliance costs, the member or participant designation requirement of Rule 1004 could raise barriers to entry. Also, as discussed above, the compliance costs of the rule will likely be higher for smaller members or participants of SCI entities compared to larger members or participants of SCI entities. However, the Commission believes the adverse effect on competition may be mitigated to some extent as the most likely members or participants to be designated for testing are larger members or participants who already maintain connectivity with an SCI entity's backup systems. Further, the adverse effect on competition could be partially mitigated to the extent that larger firms, which are members of multiple SCI entities, could incur additional compliance costs as these larger member firms could be subject to multiple designations for business continuity and disaster recovery plan testing. One commenter noted that mere network connectivity to an exchange or ATS would be insufficient for a market maker to provide meaningful liquidity on an SCI entity.\2068\ This commenter noted that, if the Commission does not intend for SCI entities to be able to trade in the same way from a backup facility as it trades from the primary site, then market makers could maintain a more limited remote connectivity to the backup site and incur less cost, although this commenter believed that such an approach would not facilitate the posting of competitive quotes.\2069\ This commenter believed that this alternative approach would result in unusually wide markets, and would not result in any benefits.\2070\ --------------------------------------------------------------------------- \2068\ See KCG Letter at 12. \2069\ See id. at 13. \2070\ See id. at 13. --------------------------------------------------------------------------- As discussed in Section IV.B.6, Rule 1001(a) does not require that backup facilities of SCI entities fully duplicate the features of primary facilities. Further as discussed in Section IV.B.6, SCI entity members or participants are not required by Regulation SCI to maintain the same level of connectivity with the backup sites of an SCI entity as they do with the primary sites. In the event of a wide-scale disruption in the securities markets, the Commission acknowledges that SCI entities and their members or participants may not be able to provide the same level of liquidity as on a normal trading day. However, the Commission expects that, on a day when business continuity and disaster recovery plans are in effect due to a wide-scale disruption in the securities markets, the requirements of Rule 1004 will help ensure adequate levels of liquidity and pricing efficiency to facilitate trading and maintain fair and orderly markets without imposing excessive costs on SCI entities and market participants by requiring them to maintain the same connectivity with the backup systems as with the primary sites. Alternatives Several commenters suggested alternatives to the proposed BC/DR testing requirements.\2071\ Two commenters suggested that few ATSs are critical enough to warrant inclusion in the BC/DR testing requirement.\2072\ One commenter suggested that only SCI entities that provide market functions on which other market participants depend be subject to the requirements for separate backup and recovery capabilities.\2073\ Furthermore, one commenter urged that BC/DR testing coordination only be required among providers of singular services in the market (i.e., exchange that lists securities, exclusive processors under NMS plans, and clearing and settlement agencies).\2074\ --------------------------------------------------------------------------- \2071\ See SIFMA Letter at 17; BIDS Letter at 8; and ITG Letter at 15. \2072\ See BIDS Letter at 8; and ITG Letter at 15. \2073\ See KCG Letter at 8. \2074\ See Direct Edge Letter at 9. --------------------------------------------------------------------------- The Commission is not persuaded that SCI ATSs should be excluded from the requirements of BC/DR testing plans. In today's market, as discussed in Section IV.A.1.b, ATSs collectively represent a significant source of liquidity for stock trading. Although the concept of ``fair and orderly markets'' when BC/DR plans are in effect does not require the same level of liquidity, depth, volatility, and other characteristics of trading on a normal trading day, the Commission believes that excluding significant ATSs from BC/DR testing could harm liquidity, depth, and volatility when BC/DR plans are in effect and, thus, could significantly reduce the benefits of Rule 1004. Furthermore, with respect to the commenter that urged the Commission only to include providers of singular services in BC/DR testing coordination, as mentioned in Section IV.A.1.b, because trading in the U.S. securities markets today is dispersed among exchanges, ATSs, and other trading venues, and often involves trading strategies that require access to multiple trading venues, including ATSs, simultaneously, including all SCI entities, the Commission believes that requiring SCI entities to coordinate testing would result in testing under [[Page 72434]] more realistic market conditions and help ensure that securities markets have improved backup infrastructure, fewer market shutdowns, and fair and orderly markets in the event of the activation of BC/DR plans. Furthermore, one commenter stated that coordinated BC/DR testing is a good aspirational goal, but expressed concern that too much is outside of the control of an individual SCI entity, and therefore the rule should, at most, require SCI entities to attempt to coordinate such testing.\2075\ With respect to the comment suggesting that BC/DR testing coordination should be an aspirational goal rather than a requirement, the Commission believes that voluntary BC/DR testing is insufficient and will not further the goal of Regulation SCI as evidenced by Superstorm Sandy discussed in Section IV.B.6. As discussed above, the Commission acknowledges that there could be potential difficulties, including communicating with other SCI entities, in coordinating BC/DR testing on an industry- or sector-wide basis. --------------------------------------------------------------------------- \2075\ See CME Letter at 13. --------------------------------------------------------------------------- c. Recordkeeping and Electronic Filing--Rules 1005-1007 Entities that participate in the ARP Inspection Program currently keep records related to the ARP Inspection Program. However, the recordkeeping requirements of Rules 1005-1007 would apply to more entities, systems, and types of systems issues than the ARP Inspection Program. In addition, SCI entities are already subject to certain Commission recordkeeping requirements.\2076\ However, records relating to Regulation SCI may not be specifically addressed in the recordkeeping requirements of certain rules.\2077\ The Commission believes that the recordkeeping requirements specifically related to Regulation SCI would enhance the ability of the Commission to evaluate SCI entities' compliance with Regulation SCI. --------------------------------------------------------------------------- \2076\ See, e.g., 17 CFR 240.17a-1, applicable to SCI SROs; 17 CFR 240.17a-3 and 17a-4, applicable to broker-dealers; and 17 CFR 242.301-303, applicable to ATSs. It has been the experience of the Commission that SCI entities presently subject to the ARP Inspection Program (nearly all of whom are SCI SROs that are also subject to the recordkeeping requirements of Rule 17a-1(a)) do generally keep and preserve the types of records that would be subject to the requirements of Rule 1005. Nevertheless, the Commission continues to believe that Regulation SCI's codification of these preservation practices will support an accurate, timely, and efficient inspection and examination process and help ensure that all types of SCI entities keep and preserve such records. \2077\ See Proposing Release, supra note 13, at 18128. --------------------------------------------------------------------------- With respect to SCI SROs in particular, the Commission notes that they are subject to the recordkeeping requirements of Rule 17a-1 under the Exchange Act, and the breadth of Rule 17a-1 is such that it would require SCI SROs to make, keep, and preserve records relating to their compliance with Regulation SCI. Therefore, Rule 1005(a) requires each SCI SRO to make, keep, and preserve all documents relating to its compliance with Regulation SCI as prescribed in Rule 17a-1 under the Exchange Act.\2078\ --------------------------------------------------------------------------- \2078\ See supra Section IV.C.1.a (discussing recordkeeping requirements for SROs under Rule 17a-1). --------------------------------------------------------------------------- Rule 1005(b) requires each SCI entity that is not an SCI SRO to make, keep, and preserve at least one copy of all documents relating to its compliance with Regulation SCI. Each such SCI entity is required to keep all such documents for a period of not less than five years, the first two years in a place that is readily accessible to the Commission or its representatives for inspection and examination. Each such SCI entity is also required to promptly furnish copies of such documents to Commission representatives upon request. Rule 1005(c) requires each such SCI entity, upon or immediately prior to ceasing to do business or ceasing to be registered under the Exchange Act, to take all necessary action to ensure that the records required to be made, kept, and preserved by Rule 1005 shall be accessible to the Commission and its representatives in the manner required by Rule 1005 and for the remainder of the period required by Rule 1005. According to Rule 1007, if the records required to be filed or kept by an SCI entity under Regulation SCI are prepared or maintained by a service bureau or other recordkeeping service on behalf of the SCI entity, the SCI entity is required to ensure that such records are available for review by the Commission and its representatives by submitting a written undertaking, in a form acceptable to the Commission, by such service bureau or other recordkeeping service to that effect. For SCI entities other than SCI SROs, Rule 1005 specifically addresses recordkeeping requirements with respect to records relating to Regulation SCI compliance. The Commission believes that Rules 1005 and 1007 would allow Commission staff to perform efficient inspections and examinations of SCI entities for their compliance with Regulation SCI, and would increase the likelihood that Commission staff can identify conduct inconsistent with Regulation SCI at earlier stages in the inspection and examination process. Furthermore, as discussed in Section IV.C.1.a, although many SCI events may be resolved in a short time frame, there may be other SCI events that may not be discovered for an extended period of time after their occurrences, or may take significant periods of time to fully resolve. In such cases, having an SCI entity's records available for a longer period of time or even after it has ceased to do business or be registered under the Exchange Act would be beneficial. Preserved information should provide the Commission with an additional source to help determine the causes and consequences of one or more SCI events and better understand how such events may have impacted trade execution, price discovery, liquidity, and investor participation. Consequently, the Commission believes that the requirements of Rules 1005 and 1007 would help ensure compliance with Regulation SCI and help realize the potential benefits (e.g., better pricing efficiency, price discovery, and liquidity flows) of the regulation. As noted above, the breadth of Rule 17a-1 under the Exchange Act is such that it would require SCI SROs to make, keep, and preserve records relating to their compliance with Regulation SCI. Therefore, for SCI SROs, the incremental compliance costs associated with Rules 1005 and 1007 will be modest.\2079\ On the other hand, for SCI entities that are not SCI SROs, the recordkeeping requirements of Rules 1005 and 1007 will impose additional costs, including one-time cost to set up or modify an existing recordkeeping system to comply with Rules 1005 and 1007. The initial and ongoing compliance costs associated with the recordkeeping requirements are attributed to paperwork burdens, which are discussed in Section V.D.4 above.\2080\ --------------------------------------------------------------------------- \2079\ As noted above, it has been the experience of the Commission that SCI entities presently subject to the ARP Inspection Program generally keep and preserve the types of records that would be subject to the requirements of Rule 1005. Nearly all of these ARP participants are SCI SROs that are also subject to the recordkeeping requirements of Rule 17a-1. \2080\ When monetized, the paperwork burden associated with all recordkeeping requirements would result in approximately $857,000 initially for all non-SRO SCI entities in the aggregate, and $27,000 annually for all non-SRO SCI entities in the aggregate. --------------------------------------------------------------------------- Rule 1006 requires SCI entities to electronically file all written information to the Commission on Form SCI (except for notifications submitted pursuant to Rules 1002(b)(1) and (b)(3)). [[Page 72435]] Rule 1006 should provide a uniform manner in which the Commission would receive--and SCI entities would provide--written notifications, reviews, descriptions, analyses, or reports required by Regulation SCI.\2081\ Rule 1006 should add efficiency for SCI entities in drafting and submitting the required reports, and for the Commission in reviewing, analyzing, and responding to the information provided.\2082\ All costs associated with Form SCI are attributed to paperwork burdens discussed in Section V. --------------------------------------------------------------------------- \2081\ See Proposing Release, supra note 13, at 18129-30. \2082\ See id. at 18130. --------------------------------------------------------------------------- Every SCI entity will be required to have the ability to electronically submit Form SCI through the EFFS system, and every person designated to sign Form SCI will be required to have an electronic signature and a digital ID. Each SCI entity will also be required to submit documents attached as exhibits through the EFFS system in a text-searchable format, subject to a limited exception.\2083\ The Commission believes that requiring documents to be submitted in a text-searchable format, subject to a limited exception, is necessary to allow Commission staff to efficiently review and analyze information provided by SCI entities. Additionally, the Commission believes that this requirement will not impose an additional burden on SCI entities, as SCI entities likely already prepare documents in an electronic format that is text searchable or can readily be converted into a format that is text searchable. The Commission also believes that many SCI entities currently have the ability to access the EFFS system and electronically submit Form SCI such that the requirement to submit Form SCI electronically will not impose significant new implementation or ongoing costs.\2084\ The Commission also believes that some of the persons who will be designated to sign Form SCI already have digital IDs and the ability to provide an electronic signature. To the extent that some persons do not have digital IDs, the additional cost to obtain and maintain digital IDs is accounted for in the paperwork burden.\2085\ --------------------------------------------------------------------------- \2083\ As noted in Section IV.C.2, the General Instructions to Form SCI, Item A. specify that documents filed through the EFFS system must be in a text-searchable format without the use of optical character recognition, with a limited exception to allow for a portion of a Form SCI submission (e.g., an image or diagram) that cannot be made available in a text-searchable format to be submitted in a non-text-searchable format. \2084\ The initial and ongoing costs associated with various electronic submissions of Form SCI are discussed in the Paperwork Reduction Act section above. See supra Section V. \2085\ See supra Section V.D.2.e. --------------------------------------------------------------------------- As an alternative to the adopted electronic submission requirement, the Commission considered requiring data to be submitted in a tagged data format such as XBRL. Requiring reports to be filed in a tagged data format such as XBRL would likely permit faster and more efficient analysis of information disclosed in reports but would also likely impose additional compliance costs associated with tagging information in the narrative responses. Rather than requiring the use of XBRL formatting for Form SCI, the Commission notes that certain fields in Sections I-III of Form SCI will require information provided by SCI entities to be in a format that will allow the Commission to gather information in a structured manner (e.g., the submission type and SCI event type in Section I). By collecting information on Form SCI in a way that allows the Commission to gather key information in a structured manner, the Commission believes it will be able to more efficiently review and process filings made on Form SCI. Moreover, gathering certain information in Sections I-III of Form SCI in a structured format should not result in an additional cost to SCI entities. VII. Regulatory Flexibility Act Certification The Regulatory Flexibility Act (``RFA'') \2086\ requires Federal agencies, in promulgating rules, to consider the impact of those rules on small entities. The Commission certified in the SCI Proposal, pursuant to Section 605(b) of the Regulatory Flexibility Act of 1980 (``RFA''),\2087\ that proposed Regulation SCI would not, if adopted, have a significant impact on a substantial number of small entities. The Commission received no comments on this certification. --------------------------------------------------------------------------- \2086\ 5 U.S.C. 601 et seq. \2087\ 5 U.S.C. 605(b). --------------------------------------------------------------------------- A. SCI Entities Paragraph (a) of Rule 0-10 provides that for purposes of the RFA, a small entity when used with reference to a ``person'' other than an investment company means a person that, on the last day of its most recent fiscal year, had total assets of $5 million or less.\2088\ With regard to broker-dealers, small entity means a broker or dealer that had total capital of less than $500,000 on the date in the prior fiscal year as of which its audited financial statements were prepared pursuant to Rule 17a-5(d) under the Exchange Act, or, if not required to file such statements, had total capital of less than $500,000 on the last business day of the preceding fiscal year (or in the time that it has been in business, if shorter), and that is not affiliated with any person (other than a natural person) that is not a small business or small organization.\2089\ With regard to clearing agencies, small entity means a clearing agency that compared, cleared, and settled less than $500 million in securities transactions during the preceding fiscal year (or in the time that it has been in business, if shorter), had less than $200 million of funds and securities in its custody or control at all times during the preceding fiscal year (or in the time that it has been in business, if shorter), and is not affiliated with any person (other than a natural person) that is not a small business or small organization.\2090\ With regard to exchanges, small entity means an exchange that has been exempt from the reporting requirements of Rule 601 under Regulation NMS, and is not affiliated with any person (other than a natural person) that is not a small business or small organization.\2091\ With regard to securities information processors, small entity means a securities information processor that had gross revenue of less than $10 million during the preceding fiscal year (or in the time it has been in business, if shorter), provided service to fewer than 100 interrogation devices or moving tickers at all times during the preceding fiscal year (or in the time it has been in business, if shorter), and is not affiliated with any person (that is not a natural person) that is not a small business or small organization.\2092\ Under the standards adopted by the Small Business Administration (``SBA''), entities engaged in financial investments and related activities are considered small entities if they have $35.5 million or less in average annual receipts.\2093\ --------------------------------------------------------------------------- \2088\ See 17 CFR 240.0-10(a). \2089\ See 17 CFR 240.0-10(c). \2090\ See 17 CFR 240.0-10(d). \2091\ See 17 CFR 240.0-10(e). \2092\ See 17 CFR 240.0-10(g). \2093\ See SBA's Table of Small Business Size Standards, Subsector 523 and 13 CFR 121.201. Such entities include firms engaged in investment banking and securities dealing, securities brokerage, commodity contracts dealing, commodity contracts brokerage, securities and commodity exchanges, miscellaneous intermediation, portfolio management, investment advice, trust, fiduciary and custody activities, and miscellaneous financial investment activities. --------------------------------------------------------------------------- Based on the Commission's existing information about the entities that will be subject to Regulation SCI, the Commission believes that SCI entities that are self-regulatory organizations [[Page 72436]] (national securities exchanges, national securities associations, registered clearing agencies, and the MSRB) or exempt clearing agencies subject to ARP would not fall within the Commission's definition of small entity as described above. With regard to plan processors, which are defined under Rule 600(b)(55) of Regulation NMS to mean a self- regulatory organization or securities information processor acting as an exclusive processor in connection with the development, implementation and/or operation of any facility contemplated by an effective NMS plan,\2094\ the Commission's definition of small entity as it relates to self-regulatory organizations and securities information processors would apply. The Commission does not believe that any plan processor would be a small entity as defined above. With regard to SCI ATSs, because they are registered as broker-dealers, the Commission's definition of small entity as it relates to broker-dealers would apply. The Commission does not believe that any of the SCI ATSs would be a small entity as defined above. --------------------------------------------------------------------------- \2094\ See 17 CFR 242.600(b)(55). --------------------------------------------------------------------------- B. Certification For the foregoing reasons, the Commission again certifies that Regulation SCI will not have a significant economic impact on a substantial number of small entities. VIII. Statutory Authority and Text of Amendments Pursuant to the Exchange Act, 15 U.S.C. 78a et seq., and particularly, Sections 2, 3, 5, 6, 11A, 15, 15A, 17, 17A, 23(a), and 24 thereof, 15 U.S.C. 78b, 78c, 78e, 78f, 78k-1, 78o, 78o-3, 78q, 78q-1, 78x, and 78w(a), the Commission adopts Regulation SCI under the Exchange Act and Form SCI under the Exchange Act, and amends Regulation ATS and Rule 24b-2 under the Exchange Act. List of Subjects in 17 CFR Parts 240, 242, and 249 Brokers; Confidential business information; Reporting and recordkeeping requirements; and Securities. In accordance with the foregoing, Title 17, Chapter II of the Code of Federal Regulations is amended as follows: PART 240--GENERAL RULES AND REGULATIONS, SECURITIES EXCHANGE ACT OF 1934 0 1. The authority citation for part 240 continues to read in part as follows: Authority: 15 U.S.C. 77c, 77d, 77g, 77j, 77s, 77z-2, 77z-3, 77eee, 77ggg, 77nnn, 77sss, 77ttt, 78c, 78c-3, 78c-5, 78d, 78e, 78f, 78g, 78i, 78j, 78j-1, 78k, 78k-1, 78l, 78m, 78n, 78n-1, 78o, 78o-4, 78o-10, 78p, 78q, 78q-1, 78s, 78u-5, 78w, 78x, 78ll, 78mm, 80a-20, 80a-23, 80a-29, 80a-37, 80b-3, 80b-4, 80b-11, 7201 et seq., and 8302; 7 U.S.C. 2(c)(2)(E); 12 U.S.C. 5221(e)(3); 18 U.S.C. 1350, unless otherwise noted. * * * * * 0 2. Amend Sec. 240.24b-2 by: 0 a. After the words PRELIMINARY NOTE: Adding the words ``Except as otherwise provided in this rule,'' and revising the word ``Confidential'' to read ``confidential''. 0 b. Adding at the beginning of paragraph (b) introductory text the words ``Except as otherwise provided in paragraph (g) of this section,'' and revising the word ``The'' to read ``the''. 0 c. Adding paragraph (g). The addition reads as follows: Sec. 240.24b-2. Nondisclosure of information filed with the Commission and with any exchange. * * * * * (g) An SCI entity (as defined in Sec. 242.1000 of this chapter) shall not omit the confidential portion from the material filed in electronic format on Form SCI pursuant to Regulation SCI, Sec. 242.1000 et. seq., and, in lieu of the procedures described in paragraph (b) of this section, may request confidential treatment of all information provided on Form SCI by completing Section IV of Form SCI. PART 242--REGULATIONS M, SHO, ATS, AC, NMS AND SCI AND CUSTOMER MARGIN REQUIREMENTS FOR SECURITY FUTURES 0 3. The authority citation for part 242 continues to read as follows: Authority: 15 U.S.C. 77g, 77q(a), 77s(a), 78b, 78c, 78g(c)(2), 78i(a), 78j, 78k-1(c), 78l, 78m, 78n, 78o(b), 78o(c), 78o(g), 78q(a), 78q(b), 78q(h), 78w(a), 78dd-1, 78mm, 80a23, 80a-29, and 80a-37. * * * * * 0 4. The heading of part 242 is revised to read as set forth above. Sec. 242.301 [Amended] 0 5. Amend Sec. 242.301 by removing paragraphs (b)(6)(i)(A) and (B) and redesignating paragraphs (b)(6)(i)(C) and (D) as paragraphs (b)(6)(i)(A) and (B), respectively. 0 6. Add Sec. Sec. 242.1000 through 242.1007 to read as follows: Sec. Regulation SCI--Systems Compliance and Integrity 242.1000 Definitions. 242.1001 Obligations related to policies and procedures of SCI entities. 242.1002 Obligations related to SCI events. 242.1003 Obligations related to systems changes; SCI review. 242.1004 SCI entity business continuity and disaster recovery plans testing requirements for members or participants. 242.1005 Recordkeeping requirements related to compliance with Regulation SCI. 242.1006 Electronic filing and submission. 242.1007 Requirements for service bureaus. Sec. 242.1000 Definitions. For purposes of Regulation SCI (Sec. Sec. 242.1000 through 242.1007), the following definitions shall apply: Critical SCI systems means any SCI systems of, or operated by or on behalf of, an SCI entity that: (1) Directly support functionality relating to: (i) Clearance and settlement systems of clearing agencies; (ii) Openings, reopenings, and closings on the primary listing market; (iii) Trading halts; (iv) Initial public offerings; (v) The provision of consolidated market data; or (vi) Exclusively-listed securities; or (2) Provide functionality to the securities markets for which the availability of alternatives is significantly limited or nonexistent and without which there would be a material impact on fair and orderly markets. Electronic signature has the meaning set forth in Sec. 240.19b- 4(j) of this chapter. Exempt clearing agency subject to ARP means an entity that has received from the Commission an exemption from registration as a clearing agency under Section 17A of the Act, and whose exemption contains conditions that relate to the Commission's Automation Review Policies (ARP), or any Commission regulation that supersedes or replaces such policies. Indirect SCI systems means any systems of, or operated by or on behalf of, an SCI entity that, if breached, would be reasonably likely to pose a security threat to SCI systems. Major SCI event means an SCI event that has had, or the SCI entity reasonably estimates would have: (1) Any impact on a critical SCI system; or [[Page 72437]] (2) A significant impact on the SCI entity's operations or on market participants. Plan processor has the meaning set forth in Sec. 242.600(b)(55). Responsible SCI personnel means, for a particular SCI system or indirect SCI system impacted by an SCI event, such senior manager(s) of the SCI entity having responsibility for such system, and their designee(s). SCI alternative trading system or SCI ATS means an alternative trading system, as defined in Sec. 242.300(a), which during at least four of the preceding six calendar months: (1) Had with respect to NMS stocks: (i) Five percent (5%) or more in any single NMS stock, and one- quarter percent (0.25%) or more in all NMS stocks, of the average daily dollar volume reported by applicable transaction reporting plans; or (ii) One percent (1%) or more in all NMS stocks of the average daily dollar volume reported by applicable transaction reporting plans; or (2) Had with respect to equity securities that are not NMS stocks and for which transactions are reported to a self-regulatory organization, five percent (5%) or more of the average daily dollar volume as calculated by the self-regulatory organization to which such transactions are reported; (3) Provided, however, that such SCI ATS shall not be required to comply with the requirements of Regulation SCI until six months after satisfying any of paragraphs (a) or (b) of this section, as applicable, for the first time. SCI entity means an SCI self-regulatory organization, SCI alternative trading system, plan processor, or exempt clearing agency subject to ARP. SCI event means an event at an SCI entity that constitutes: (1) A systems disruption; (2) A systems compliance issue; or (3) A systems intrusion. SCI review means a review, following established procedures and standards, that is performed by objective personnel having appropriate experience to conduct reviews of SCI systems and indirect SCI systems, and which review contains: (1) A risk assessment with respect to such systems of an SCI entity; and (2) An assessment of internal control design and effectiveness of its SCI systems and indirect SCI systems to include logical and physical security controls, development processes, and information technology governance, consistent with industry standards. SCI self-regulatory organization or SCI SRO means any national securities exchange, registered securities association, or registered clearing agency, or the Municipal Securities Rulemaking Board; provided however, that for purposes of this section, the term SCI self- regulatory organization shall not include an exchange that is notice registered with the Commission pursuant to 15 U.S.C. 78f(g) or a limited purpose national securities association registered with the Commission pursuant to 15 U.S.C. 78o-3(k). SCI systems means all computer, network, electronic, technical, automated, or similar systems of, or operated by or on behalf of, an SCI entity that, with respect to securities, directly support trading, clearance and settlement, order routing, market data, market regulation, or market surveillance. Senior management means, for purposes of Rule 1003(b), an SCI entity's Chief Executive Officer, Chief Technology Officer, Chief Information Officer, General Counsel, and Chief Compliance Officer, or the equivalent of such employees or officers of an SCI entity. Systems compliance issue means an event at an SCI entity that has caused any SCI system of such entity to operate in a manner that does not comply with the Act and the rules and regulations thereunder or the entity's rules or governing documents, as applicable. Systems disruption means an event in an SCI entity's SCI systems that disrupts, or significantly degrades, the normal operation of an SCI system. Systems intrusion means any unauthorized entry into the SCI systems or indirect SCI systems of an SCI entity. Sec. 242.1001 Obligations related to policies and procedures of SCI entities. (a) Capacity, integrity, resiliency, availability, and security. (1) Each SCI entity shall establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems and, for purposes of security standards, indirect SCI systems, have levels of capacity, integrity, resiliency, availability, and security, adequate to maintain the SCI entity's operational capability and promote the maintenance of fair and orderly markets. (2) Policies and procedures required by paragraph (a)(1) of this section shall include, at a minimum: (i) The establishment of reasonable current and future technological infrastructure capacity planning estimates; (ii) Periodic capacity stress tests of such systems to determine their ability to process transactions in an accurate, timely, and efficient manner; (iii) A program to review and keep current systems development and testing methodology for such systems; (iv) Regular reviews and testing, as applicable, of such systems, including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters; (v) Business continuity and disaster recovery plans that include maintaining backup and recovery capabilities sufficiently resilient and geographically diverse and that are reasonably designed to achieve next business day resumption of trading and two-hour resumption of critical SCI systems following a wide-scale disruption; (vi) Standards that result in such systems being designed, developed, tested, maintained, operated, and surveilled in a manner that facilitates the successful collection, processing, and dissemination of market data; and (vii) Monitoring of such systems to identify potential SCI events. (3) Each SCI entity shall periodically review the effectiveness of the policies and procedures required by this paragraph (a), and take prompt action to remedy deficiencies in such policies and procedures. (4) For purposes of this paragraph (a), such policies and procedures shall be deemed to be reasonably designed if they are consistent with current SCI industry standards, which shall be comprised of information technology practices that are widely available to information technology professionals in the financial sector and issued by an authoritative body that is a U.S. governmental entity or agency, association of U.S. governmental entities or agencies, or widely recognized organization. Compliance with such current SCI industry standards, however, shall not be the exclusive means to comply with the requirements of this paragraph (a). (b) Systems compliance. (1) Each SCI entity shall establish, maintain, and enforce written policies and procedures reasonably designed to ensure that its SCI systems operate in a manner that complies with the Act and the rules and regulations thereunder and the entity's rules and governing documents, as applicable. (2) Policies and procedures required by paragraph (b)(1) of this section shall include, at a minimum: (i) Testing of all SCI systems and any changes to SCI systems prior to implementation; (ii) A system of internal controls over changes to SCI systems; (iii) A plan for assessments of the functionality of SCI systems designed to [[Page 72438]] detect systems compliance issues, including by responsible SCI personnel and by personnel familiar with applicable provisions of the Act and the rules and regulations thereunder and the SCI entity's rules and governing documents; and (iv) A plan of coordination and communication between regulatory and other personnel of the SCI entity, including by responsible SCI personnel, regarding SCI systems design, changes, testing, and controls designed to detect and prevent systems compliance issues. (3) Each SCI entity shall periodically review the effectiveness of the policies and procedures required by this paragraph (b), and take prompt action to remedy deficiencies in such policies and procedures. (4) Safe harbor from liability for individuals. Personnel of an SCI entity shall be deemed not to have aided, abetted, counseled, commanded, caused, induced, or procured the violation by an SCI entity of this paragraph (b) if the person: (i) Has reasonably discharged the duties and obligations incumbent upon such person by the SCI entity's policies and procedures; and (ii) Was without reasonable cause to believe that the policies and procedures relating to an SCI system for which such person was responsible, or had supervisory responsibility, were not established, maintained, or enforced in accordance with this paragraph (b) in any material respect. (c) Responsible SCI personnel. (1) Each SCI entity shall establish, maintain, and enforce reasonably designed written policies and procedures that include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible SCI personnel of potential SCI events. (2) Each SCI entity shall periodically review the effectiveness of the policies and procedures required by paragraph (c)(1) of this section, and take prompt action to remedy deficiencies in such policies and procedures. Sec. 242.1002 Obligations related to SCI events. (a) Corrective action. Upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, each SCI entity shall begin to take appropriate corrective action which shall include, at a minimum, mitigating potential harm to investors and market integrity resulting from the SCI event and devoting adequate resources to remedy the SCI event as soon as reasonably practicable. (b) Commission notification and recordkeeping of SCI events. Each SCI entity shall: (1) Upon any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred, notify the Commission of such SCI event immediately; (2) Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: (i) A description of the SCI event, including the system(s) affected; and (ii) To the extent available as of the time of the notification: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event; (3) Until such time as the SCI event is resolved and the SCI entity's investigation of the SCI event is closed, provide updates pertaining to such SCI event to the Commission on a regular basis, or at such frequency as reasonably requested by a representative of the Commission, to correct any materially incorrect information previously provided, or when new material information is discovered, including but not limited to, any of the information listed in paragraph (b)(2)(ii) of this section; (4)(i)(A) If an SCI event is resolved and the SCI entity's investigation of the SCI event is closed within 30 calendar days of the occurrence of the SCI event, then within five business days after the resolution of the SCI event and closure of the investigation regarding the SCI event, submit a final written notification pertaining to such SCI event to the Commission containing the information required in paragraph (b)(4)(ii) of this section. (B)(1) If an SCI event is not resolved or the SCI entity's investigation of the SCI event is not closed within 30 calendar days of the occurrence of the SCI event, then submit an interim written notification pertaining to such SCI event to the Commission within 30 calendar days after the occurrence of the SCI event containing the information required in paragraph (b)(4)(ii) of this section, to the extent known at the time. (2) Within five business days after the resolution of such SCI event and closure of the investigation regarding such SCI event, submit a final written notification pertaining to such SCI event to the Commission containing the information required in paragraph (b)(4)(ii) of this section. (ii) Written notifications required by paragraph (b)(4)(i) of this section shall include: (A) A detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; (B) A copy of any information disseminated pursuant to paragraph (c) of this section by the SCI entity to date regarding the SCI event to any of its members or participants; and (C) An analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. (5) The requirements of paragraphs (b)(1) through (4) of this section shall not apply to any SCI event that has had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity's operations or on market participants. For such events, each SCI entity shall: (i) Make, keep, and preserve records relating to all such SCI events; and (ii) Submit to the Commission a report, within 30 calendar days after the end of each calendar quarter, containing a summary description of such systems disruptions and systems intrusions, including the SCI systems and, for systems intrusions, indirect SCI systems, affected by such systems disruptions and systems intrusions during the applicable calendar quarter. (c) Dissemination of SCI events. (1) Each SCI entity shall: (i) Promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event that is a systems disruption or systems compliance issue has occurred, disseminate the following information about such SCI event: (A) The system(s) affected by the SCI event; and [[Page 72439]] (B) A summary description of the SCI event; and (ii) When known, promptly further disseminate the following information about such SCI event: (A) A detailed description of the SCI event; (B) The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; and (C) A description of the progress of its corrective action for the SCI event and when the SCI event has been or is expected to be resolved; and (iii) Until resolved, provide regular updates of any information required to be disseminated under paragraphs (c)(1)(i) and (ii) of this section. (2) Each SCI entity shall, promptly after any responsible SCI personnel has a reasonable basis to conclude that a SCI event that is a systems intrusion has occurred, disseminate a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity's SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents the reasons for such determination. (3) The information required to be disseminated under paragraphs (c)(1) and (2) of this section promptly after any responsible SCI personnel has a reasonable basis to conclude that an SCI event has occurred, shall be promptly disseminated by the SCI entity to those members or participants of the SCI entity that any responsible SCI personnel has reasonably estimated may have been affected by the SCI event, and promptly disseminated to any additional members or participants that any responsible SCI personnel subsequently reasonably estimates may have been affected by the SCI event; provided, however, that for major SCI events, the information required to be disseminated under paragraphs (c)(1) and (2) of this section shall be promptly disseminated by the SCI entity to all of its members or participants. (4) The requirements of paragraphs (c)(1) through (3) of this section shall not apply to: (i) SCI events to the extent they relate to market regulation or market surveillance systems; or (ii) Any SCI event that has had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity's operations or on market participants. Sec. 242.1003 Obligations related to systems changes; SCI review. (a) Systems changes. Each SCI entity shall: (1) Within 30 calendar days after the end of each calendar quarter, submit to the Commission a report describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion. An SCI entity shall establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material and report such changes in accordance with such criteria. (2) Promptly submit a supplemental report notifying the Commission of a material error in or material omission from a report previously submitted under this paragraph (a). (b) SCI review. Each SCI entity shall: (1) Conduct an SCI review of the SCI entity's compliance with Regulation SCI not less than once each calendar year; provided, however, that: (i) Penetration test reviews of the network, firewalls, and production systems shall be conducted at a frequency of not less than once every three years; and (ii) Assessments of SCI systems directly supporting market regulation or market surveillance shall be conducted at a frequency based upon the risk assessment conducted as part of the SCI review, but in no case less than once every three years; and (2) Submit a report of the SCI review required by paragraph (b)(1) of this section to senior management of the SCI entity for review no more than 30 calendar days after completion of such SCI review; and (3) Submit to the Commission, and to the board of directors of the SCI entity or the equivalent of such board, a report of the SCI review required by paragraph (b)(1) of this section, together with any response by senior management, within 60 calendar days after its submission to senior management of the SCI entity. Sec. 242.1004 SCI entity business continuity and disaster recovery plans testing requirements for members or participants. With respect to an SCI entity's business continuity and disaster recovery plans, including its backup systems, each SCI entity shall: (a) Establish standards for the designation of those members or participants that the SCI entity reasonably determines are, taken as a whole, the minimum necessary for the maintenance of fair and orderly markets in the event of the activation of such plans; (b) Designate members or participants pursuant to the standards established in paragraph (a) of this section and require participation by such designated members or participants in scheduled functional and performance testing of the operation of such plans, in the manner and frequency specified by the SCI entity, provided that such frequency shall not be less than once every 12 months; and (c) Coordinate the testing of such plans on an industry- or sector- wide basis with other SCI entities. Sec. 242.1005 Recordkeeping requirements related to compliance with Regulation SCI. (a) An SCI SRO shall make, keep, and preserve all documents relating to its compliance with Regulation SCI as prescribed in Sec. 240.17a-1 of this chapter. (b) An SCI entity that is not an SCI SRO shall: (1) Make, keep, and preserve at least one copy of all documents, including correspondence, memoranda, papers, books, notices, accounts, and other such records, relating to its compliance with Regulation SCI, including, but not limited to, records relating to any changes to its SCI systems and indirect SCI systems; (2) Keep all such documents for a period of not less than five years, the first two years in a place that is readily accessible to the Commission or its representatives for inspection and examination; and (3) Upon request of any representative of the Commission, promptly furnish to the possession of such representative copies of any documents required to be kept and preserved by it pursuant to paragraphs (b)(1) and (2) of this section. (c) Upon or immediately prior to ceasing to do business or ceasing to be registered under the Securities Exchange Act of 1934, an SCI entity shall take all necessary action to ensure that the records required to be made, kept, and preserved by this section shall be accessible to the Commission and its representatives in the manner required by this section and for the remainder of the period required by this section. Sec. 242.1006 Electronic filing and submission. (a) Except with respect to notifications to the Commission made pursuant to Sec. 242.1002(b)(1) or updates to the Commission made pursuant to paragraph Sec. 242.1002(b)(3), any notification, review, description, analysis, or report to the Commission [[Page 72440]] required to be submitted under Regulation SCI shall be filed electronically on Form SCI (Sec. 249.1900 of this chapter), include all information as prescribed in Form SCI and the instructions thereto, and contain an electronic signature; and (b) The signatory to an electronically filed Form SCI shall manually sign a signature page or document, in the manner prescribed by Form SCI, authenticating, acknowledging, or otherwise adopting his or her signature that appears in typed form within the electronic filing. Such document shall be executed before or at the time Form SCI is electronically filed and shall be retained by the SCI entity in accordance with Sec. 242.1005. Sec. 242.1007 Requirements for service bureaus. If records required to be filed or kept by an SCI entity under Regulation SCI are prepared or maintained by a service bureau or other recordkeeping service on behalf of the SCI entity, the SCI entity shall ensure that the records are available for review by the Commission and its representatives by submitting a written undertaking, in a form acceptable to the Commission, by such service bureau or other recordkeeping service, signed by a duly authorized person at such service bureau or other recordkeeping service. Such a written undertaking shall include an agreement by the service bureau to permit the Commission and its representatives to examine such records at any time or from time to time during business hours, and to promptly furnish to the Commission and its representatives true, correct, and current electronic files in a form acceptable to the Commission or its representatives or hard copies of any or all or any part of such records, upon request, periodically, or continuously and, in any case, within the same time periods as would apply to the SCI entity for such records. The preparation or maintenance of records by a service bureau or other recordkeeping service shall not relieve an SCI entity from its obligation to prepare, maintain, and provide the Commission and its representatives access to such records. PART 249--FORMS, SECURITIES EXCHANGE ACT OF 1934 0 7. The general authority citation for part 249 continues to read in part as follows: Authority: 15 U.S.C. 78a et seq. and 7201; and 18 U.S.C. 1350 unless otherwise noted. * * * * * 0 8. Add subpart T, consisting of Sec. 249.1900 to read as follows: Subpart T--Form SCI, for filing notices and reports as required by Regulation SCI. Sec. 249.1900. Form SCI, for filing notices and reports as required by Regulation SCI. Form SCI shall be used to file notices and reports as required by Regulation SCI (Sec. Sec. 242.1000 through 242.1007). Note: The text of Form SCI does not, and the amendments will not, appear in the Code of Federal Regulations. BILLING CODE P [[Page 72441]] [GRAPHIC] [TIFF OMITTED] TR05DE14.000 [[Page 72442]] [GRAPHIC] [TIFF OMITTED] TR05DE14.001 [[Page 72443]] [GRAPHIC] [TIFF OMITTED] TR05DE14.002 ------------------------------------------------------------------------ ------------------------------------------------------------------------ Exhibit 1: Rule 1002(b)(2) Within 24 hours of any Notification of SCI Event. responsible SCI personnel having Add/Remove/View...................... a reasonable basis to conclude that the SCI event has occurred, the SCI entity shall submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: (a) a description of the SCI event, including the system(s) affected; and (b) to the extent available as of the time of the notification: The SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event. Exhibit 2: Rule 1002(b)(4) Final or When submitting a final report Interim Report of SCI Event. pursuant to either Rule Add/Remove/View...................... 1002(b)(4)(i)(A) or Rule 1002(b)(4)(i)(B)(2), the SCI entity shall include: (a) a detailed description of: The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; (b) a copy of any information disseminated pursuant to Rule 1002(c) by the SCI entity to date regarding the SCI event to any of its members or participants; and (c) an analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. When submitting an interim report pursuant to Rule 1002(b)(4)(i)(B)(1), the SCI entity shall include such information to the extent known at the time. Exhibit 3: Rule 1002(b)(5)(ii) The SCI entity shall submit a Quarterly Report of De Minimis SCI report, within 30 calendar days Events. after the end of each calendar Add/Remove/View...................... quarter, containing a summary description of systems disruptions and systems intrusions that have had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity's operations or on market participants, including the SCI systems and, for systems intrusions, indirect SCI systems, affected by such SCI events during the applicable calendar quarter. [[Page 72444]] Exhibit 4: Rule 1003 (a) Quarterly When submitting a report pursuant Report of Systems Changes. to Rule 1003(a)(1), the SCI Add/Remove/View...................... entity shall provide a report, within 30 calendar days after the end of each calendar quarter, describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion. An SCI entity shall establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material and report such changes in accordance with such criteria. When submitting a report pursuant to Rule 1003(a)(2), the SCI entity shall provide a supplemental report of a material error in or material omission from a report previously submitted under Rule 1003(a)(1). Exhibit 5: Rule 1003(b)(3) Report of The SCI entity shall provide a SCI review. report of the SCI review, Add/Remove/View...................... together with any response by senior management, within 60 calendar days after its submission to senior management of the SCI entity. Exhibit 6: Optional Attachments...... This exhibit may be used in order Add/Remove/View...................... to attach other documents that the SCI entity may wish to submit as part of a Rule 1002(b)(1) initial notification submission or Rule 1002(b)(3) update submission. ------------------------------------------------------------------------ General Instructions for Form SCI A. Use of the Form Except with respect to notifications to the Commission made pursuant to Rule 1002(b)(1) or updates to the Commission made pursuant to Rule 1002(b)(3), any notification, review, description, analysis, or report required to be submitted pursuant to Regulation SCI under the Securities Exchange Act of 1934 (``Act'') shall be filed in an electronic format through an electronic form filing system (``EFFS''), a secure Web site operated by the Securities and Exchange Commission (``Commission''). Documents attached as exhibits filed through the EFFS system must be in a text-searchable format without the use of optical character recognition. If, however, a portion of a Form SCI submission (e.g., an image or diagram) cannot be made available in a text- searchable format, such portion may be submitted in a non-text searchable format. B. Need for Careful Preparation of the Completed Form, Including Exhibits This form, including the exhibits, is intended to elicit information necessary for Commission staff to work with SCI self- regulatory organizations, SCI alternative trading systems, plan processors, and exempt clearing agencies subject to ARP (collectively, ``SCI entities'') to ensure the capacity, integrity, resiliency, availability, security, and compliance of their automated systems. An SCI entity must provide all the information required by the form, including the exhibits, and must present the information in a clear and comprehensible manner. A filing that is incomplete or similarly deficient may be returned to the SCI entity. Any filing so returned shall for all purposes be deemed not to have been filed with the Commission. See also Rule 0-3 under the Act (17 CFR 240.0-3). C. When To Use the Form Form SCI is comprised of six types of required submissions to the Commission pursuant to Rules 1002 and 1003. In addition, Form SCI permits SCI entities to submit to the Commission two additional types of submissions pursuant to Rules 1002(b)(1) and 1002(b)(3); however, SCI entities are not required to use Form SCI for these two types of submissions to the Commission. In filling out Form SCI, an SCI entity shall select the type of filing and provide all information required by Regulation SCI specific to that type of filing. The first two types of required submissions relate to Commission notification of certain SCI events: (1) ``Rule 1002(b)(2) Notification of SCI Event'' submissions for notifications regarding systems disruptions, systems compliance issues, or systems intrusions (collectively, ``SCI events''), other than any systems disruption or systems intrusion that has had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity's operations or on market participants; and (2) ``Rule 1002(b)(4) Final or Interim Report of SCI Event'' submissions, of which there are two kinds (a final report under Rule 1002(b)(4)(i)(A) or Rule 1002(b)(4)(i)(B)(2); or an interim status report under Rule 1002(b)(4)(i)(B)(1)). The other four types of required submissions are periodic reports, and include: (1) ``Rule 1002(b)(5)(ii)'' submissions for quarterly reports of systems disruptions and systems intrusions which have had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity's operations or on market participants (``de minimis SCI events''); (2) ``Rule 1003(a)(1)'' submissions for quarterly reports of material systems changes; (3) ``Rule 1003(a)(2)'' submissions for supplemental reports of material systems changes; and (4) ``Rule 1003(b)(3)'' submissions for reports of SCI reviews. Required Submissions for SCI Events For 1002(b)(2) submissions, an SCI entity must notify the Commission using Form SCI by selecting the appropriate box in Section I and filling out all information required by the form, including Exhibit 1. 1002(b)(2) submissions must be submitted within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that an SCI event has occurred. For 1002(b)(4) submissions, if an SCI event is resolved and the SCI entity's investigation of the SCI event is closed within 30 calendar days of the occurrence of the SCI event, an SCI entity must file a final report under Rule 1002(b)(4)(i)(A) within five business days after the resolution of the SCI event and closure of the investigation regarding the SCI event. However, if an SCI event is not resolved or the SCI entity's investigation of the SCI event is not closed within 30 calendar days of the occurrence of the SCI event, an SCI entity must file an interim status report under Rule 1002(b)(4)(i)(B)(1) within 30 calendar days after the occurrence of the SCI event. For SCI events in which an interim status report is required to be filed, an SCI entity must file a final report under Rule 1002(b)(4)(i)(B)(2) within five business days after the resolution of the SCI event and closure of the investigation regarding the SCI event. For 1002(b)(4) submissions, an SCI entity must notify the Commission using Form SCI by selecting the appropriate box in Section I and filling out all information required by the form, including Exhibit 2. Required Submissions for Periodic Reporting For 1002(b)(5)(ii) submissions, an SCI entity must submit quarterly reports of systems disruptions and systems intrusions which have had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity's operations or on market participants. The SCI entity must select [[Page 72445]] the appropriate box in Section II and fill out all information required by the form, including Exhibit 3. For 1003(a)(1) submissions, an SCI entity must submit its quarterly report of material systems changes to the Commission using Form SCI. The SCI entity must select the appropriate box in Section II and fill out all information required by the form, including Exhibit 4. Filings made pursuant to Rule 1002(b)(5)(ii) and Rule 1003(a)(1) must be submitted to the Commission within 30 calendar days after the end of each calendar quarter (i.e., March 31st, June 30th, September 30th and December 31st) of each year. For 1003(a)(2) submissions, an SCI entity must submit a supplemental report notifying the Commission of a material error in or material omission from a report previously submitted under Rule 1003(a). The SCI entity must select the appropriate box in Section II and fill out all information required by the form, including Exhibit 4. For 1003(b)(3) submissions, an SCI entity must submit its report of its SCI review, together with any response by senior management, to the Commission using Form SCI. A 1003(b)(3) submission is required within 60 calendar days after the report of the SCI review has been submitted to senior management of the SCI entity. The SCI entity must select the appropriate box in Section II and fill out all information required by the form, including Exhibit 5. Optional Submissions An SCI entity may, but is not required to, use Form SCI to submit a notification pursuant to Rule 1002(b)(1). If the SCI entity uses Form SCI to submit a notification pursuant to Rule 1002(b)(1), it must select the appropriate box in Section I and provide a short description of the SCI event. Documents may also be attached as Exhibit 6 if the SCI entity chooses to do so. An SCI entity may, but is not required to, use Form SCI to submit an update pursuant to Rule 1002(b)(3). Rule 1002(b)(3) requires an SCI entity to, until such time as the SCI event is resolved and the SCI entity's investigation of the SCI event is closed, provide updates pertaining to such SCI event to the Commission on a regular basis, or at such frequency as reasonably requested by a representative of the Commission, to correct any materially incorrect information previously provided, or when new material information is discovered, including but not limited to, any of the information listed in Rule 1002(b)(2)(ii). If the SCI entity uses Form SCI to submit an update pursuant to Rule 1002(b)(3), it must select the appropriate box in Section I and provide a short description of the SCI event. Documents may also be attached as Exhibit 6 if the SCI entity chooses to do so. D. Documents Comprising the Completed Form The completed form filed with the Commission shall consist of Form SCI, responses to all applicable items, and any exhibits required in connection with the filing. Each filing shall be marked on Form SCI with the initials of the SCI entity, the four-digit year, and the number of the filing for the year (e.g., SCI Name-YYYY-XXX). E. Contact Information; Signature; and Filing of the Completed Form Each time an SCI entity submits a filing to the Commission on Form SCI, the SCI entity must provide the contact information required by Section III of Form SCI. Space for additional contact information, if appropriate, is also provided. All notifications and reports required to be submitted through Form SCI shall be filed through the EFFS. In order to file Form SCI through the EFFS, SCI entities must request access to the Commission's External Application Server by completing a request for an external account user ID and password. Initial requests will be received by contacting (202) 551-5777. An email will be sent to the requestor that will provide a link to a secure Web site where basic profile information will be requested. A duly authorized individual of the SCI entity shall electronically sign the completed Form SCI as indicated in Section IV of the form. In addition, a duly authorized individual of the SCI entity shall manually sign one copy of the completed Form SCI, and the manually signed signature page shall be preserved pursuant to the requirements of Rule 1005. F. Withdrawals of Commission Notifications and Periodic Reports If an SCI entity determines to withdraw a Form SCI, it must complete Page 1 of the Form SCI and indicate by selecting the appropriate check box to withdraw the submission. G. Paperwork Reduction Act Disclosure This collection of information will be reviewed by the Office of Management and Budget in accordance with the clearance requirements of 44 U.S.C. 3507. An agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid control number. The Commission estimates that the average burden to respond to Form SCI will be between one and 125 hours, depending upon the purpose for which the form is being filed. Any member of the public may direct to the Commission any comments concerning the accuracy of this burden estimate and any suggestions for reducing this burden. Except with respect to notifications to the Commission made pursuant to Rule 1002(b)(1) or updates to the Commission made pursuant to Rule 1002(b)(3), it is mandatory that an SCI entity file all notifications, reviews, descriptions, analyses, and reports required by Regulation SCI using Form SCI. The Commission will keep the information collected pursuant to Form SCI confidential to the extent permitted by law. Subject to the provisions of the Freedom of Information Act, 5 U.S.C. 522 (``FOIA''), and the Commission's rules thereunder (17 CFR 200.80(b)(4)(iii)), the Commission does not generally publish or make available information contained in any reports, summaries, analyses, letters, or memoranda arising out of, in anticipation of, or in connection with an examination or inspection of the books and records of any person or any other investigation. H. Exhibits List of exhibits to be filed, as applicable: Exhibit 1: Rule 1002(b)(2)--Notification of SCI Event. Within 24 hours of any responsible SCI personnel having a reasonable basis to conclude that the SCI event has occurred, the SCI entity shall submit a written notification pertaining to such SCI event to the Commission, which shall be made on a good faith, best efforts basis and include: (a) A description of the SCI event, including the system(s) affected; and (b) to the extent available as of the time of the notification: the SCI entity's current assessment of the types and number of market participants potentially affected by the SCI event; the potential impact of the SCI event on the market; a description of the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved or timeframe within which the SCI event is expected to be resolved; and any other pertinent information known by the SCI entity about the SCI event. Exhibit 2: Rule 1002(b)(4)--Final or Interim Report of SCI Event. When submitting a final report pursuant to either Rule 1002(b)(4)(i)(A) or Rule 1002(b)(4)(i)(B)(2), the SCI entity shall include: (a) A detailed description of: [[Page 72446]] The SCI entity's assessment of the types and number of market participants affected by the SCI event; the SCI entity's assessment of the impact of the SCI event on the market; the steps the SCI entity has taken, is taking, or plans to take, with respect to the SCI event; the time the SCI event was resolved; the SCI entity's rule(s) and/or governing document(s), as applicable, that relate to the SCI event; and any other pertinent information known by the SCI entity about the SCI event; (b) a copy of any information disseminated pursuant to Rule 1002(c) by the SCI entity to date regarding the SCI event to any of its members or participants; and (c) an analysis of parties that may have experienced a loss, whether monetary or otherwise, due to the SCI event, the number of such parties, and an estimate of the aggregate amount of such loss. When submitting an interim report pursuant to Rule 1002(b)(4)(i)(B)(1), the SCI entity shall include such information to the extent known at the time. Exhibit 3: Rule 1002(b)(5)(ii)--Quarterly Report of De Minimis SCI Events. The SCI entity shall submit a report, within 30 calendar days after the end of each calendar quarter, containing a summary description of systems disruptions and systems intrusions that have had, or the SCI entity reasonably estimates would have, no or a de minimis impact on the SCI entity's operations or on market participants, including the SCI systems and, for systems intrusions, indirect SCI systems, affected by such SCI events during the applicable calendar quarter. Exhibit 4: Rule 1003(a)--Quarterly Report of Systems Changes. When submitting a report pursuant to Rule 1003(a)(1), the SCI entity shall provide a report, within 30 calendar days after the end of each calendar quarter, describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates or expected dates of commencement and completion. An SCI entity shall establish reasonable written criteria for identifying a change to its SCI systems and the security of indirect SCI systems as material and report such changes in accordance with such criteria. When submitting a report pursuant to Rule 1003(a)(2), the SCI entity shall provide a supplemental report of a material error in or material omission from a report previously submitted under Rule 1003(a); provided, however, that a supplemental report is not required if information regarding a material systems change is or will be provided as part of a notification made pursuant to Rule 1002(b). Exhibit 5: Rule 1003(b)(3)--Report of SCI Review. The SCI entity shall provide a report of the SCI review, together with any response by senior management, within 60 calendar days after its submission to senior management of the SCI entity. Exhibit 6: Optional Attachments. This exhibit may be used in order to attach other documents that the SCI entity may wish to submit as part of a Rule 1002(b)(1) initial notification submission or Rule 1002(b)(3) update submission. I. Explanation of Terms Critical SCI systems means any SCI systems of, or operated by or on behalf of, an SCI entity that: (1) directly support functionality relating to: (i) clearance and settlement systems of clearing agencies; (ii) openings, reopenings, and closings on the primary listing market; (iii) trading halts; (iv) initial public offerings; (v) the provision of consolidated market data; or (vi) exclusively-listed securities; or (2) provide functionality to the securities markets for which the availability of alternatives is significantly limited or nonexistent and without which there would be a material impact on fair and orderly markets. Indirect SCI systems means any systems of, or operated by or on behalf of, an SCI entity that, if breached, would be reasonably likely to pose a security threat to SCI systems. Major SCI event means an SCI event that has had, or the SCI entity reasonably estimates would have: (1) Any impact on a critical SCI system; or (2) a significant impact on the SCI entity's operations or on market participants. Responsible SCI personnel means, for a particular SCI system or indirect SCI system impacted by an SCI event, such senior manager(s) of the SCI entity having responsibility for such system, and their designee(s). SCI entity means an SCI self-regulatory organization, SCI alternative trading system, plan processor, or exempt clearing agency subject to ARP. SCI event means an event at an SCI entity that constitutes: (1) A systems disruption; (2) a systems compliance issue; or (3) a systems intrusion. SCI review means a review, following established procedures and standards, that is performed by objective personnel having appropriate experience to conduct reviews of SCI systems and indirect SCI systems, and which review contains: (1) A risk assessment with respect to such systems of an SCI entity; and (2) an assessment of internal control design and effectiveness of its SCI systems and indirect SCI systems to include logical and physical security controls, development processes, and information technology governance, consistent with industry standards. SCI systems means all computer, network, electronic, technical, automated, or similar systems of, or operated by or on behalf of, an SCI entity that, with respect to securities, directly support trading, clearance and settlement, order routing, market data, market regulation, or market surveillance. Systems Compliance Issue means an event at an SCI entity that has caused any SCI system of such entity to operate in a manner that does not comply with the Act and the rules and regulations thereunder or the entity's rules or governing documents, as applicable. Systems Disruption means an event in an SCI entity's SCI systems that disrupts, or significantly degrades, the normal operation of an SCI system. Systems Intrusion means any unauthorized entry into the SCI systems or indirect SCI systems of an SCI entity. By the Commission. Dated: November 19, 2014. Brent J. Fields, Secretary. Exhibit A Key to Comment Letters Cited in Regulation SCI Adopting Release (File No. S7-01-13) Letter from Charles V. Rossi, President, The Securities Transfer Association, Inc. to Elizabeth Murphy, Secretary, Commission, dated April 3, 2013 (``STA Letter'') Letter from John J. Rapa, President/Chief Executive Officer, Tellefsen and Company, L.L.C., Northborough, Massachusetts to Elizabeth Murphy, Commission, dated April 19, 2013 (``Tellefsen Letter'') Letter from Cynthia Fuller, Executive Director, on behalf of Accredited Standards Committee X9, Inc. Financial Industry Standards to the Commission, dated May 23, 2013 (``X9 Letter'') Letter from Scott Cooper, Vice President, Government Relations and Public Policy, American National Standards Institute to the Commission, dated May 23, 2013 (``ANSI Letter'') Letter from James J. Angel, Ph.D., CFA, Visiting Associate Professor, The Wharton School, University of Pennsylvania to the Commission, dated June 3, 2013 (``Angel Letter'') Letter from Raymond M. Tierney III, President and Chief Executive Officer, Bloomberg Tradebook LLC to Elizabeth Murphy, Secretary, Commission, dated June 19, 2013 (``Tradebook Letter'') Letter from Jay M. Goldstone, Chairman, Municipal Securities Rulemaking Board, Alexandria, Virginia to Elizabeth Murphy, Secretary, Commission, dated June 28, 2013 (``MSRB Letter'') [[Page 72447]] Letter from Thomas V. D'Ambrosio, Chairman, Committee on Futures and Derivatives, New York City Bar Association to Elizabeth Murphy, Secretary, Commission, dated July 1, 2013 (``NYC Bar Letter'') Letter from Richard M. Whiting, Executive Director and General Counsel, The Financial Services Roundtable to Elizabeth Murphy, Secretary, Commission, dated July 5, 2013 (``FSR Letter'') Letter from Rob Flatley, Chief Executive Officer and President, CoreOne Technologies to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (``CoreOne Letter'') Letter from Manisha Kimmel, Executive Director, Financial Information Forum to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (``FIF Letter'') Letter from Larry E. Thompson, Managing Director and General Counsel, The Depository Trust Clearing Corporation to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (``DTCC Letter'') Letter from Raymond Tamayo, Chief Information Officer, Options Clearing Corporation to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (``OCC Letter'') Letter from Timothy J. Mahoney, CEO, BIDS Trading, L.P., New York, New York to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (``BIDS Letter'') Letter from Michael Simon, Secretary, International Securities Exchange, LLC to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (``ISE Letter'') Letter from Courtney D. McGuinn, Operations Director, FIX Protocol Ltd., New York, New York to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (``FIX Letter'') Letter from R.T. Leuchtkafer to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (``Leuchtkafer Letter '') Letter from Dennis M. Kelleher, President & CEO; Stephen W. Hall, Securities Specialist; Katelynn O. Bradley, Attorney; and David Frenk, Director of Research; Better Markets, Inc. to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (``Better Markets Letter'') Letter from Lev Lesokhin, Executive Vice President, Strategy and Markets, CAST, Inc., New York, New York to the Commission, dated July 8, 2013 (``CAST Letter'') Letter from Robert J. McCarthy, Director of Regulatory Policy, Wells Fargo Advisors to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (``Wells Fargo Letter'') Letter from Marcia E. Asquith, Senior Vice President and Corporate Secretary, FINRA to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (``FINRA Letter'') Letter from Dr. Bill Curtis, Director, Consortium for IT Software Quality to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (``CISQ Letter'') Letter from Howard Meyerson, General Counsel, Liquidnet, Inc., New York, New York to the Commission, dated July 8, 2013 (``Liquidnet Letter'') Letter from David T. Bellaire, Esq., Executive Vice President and General Counsel, Financial Services Institute, Washington, District of Columbia to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (``FSI Letter'') Letter from Scott C. Goebel, General Counsel, Fidelity Management and Research Co., Boston, Massachusetts to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (``Fidelity Letter'') Letter from Joseph Adamczyk, Executive Director, Associate General Counsel, CME Group Inc. to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (``CME Letter'') Letter from Norman M. Reed, Omgeo LLC, New York, New York to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (``Omgeo Letter'') Letter from David Lauer, Market Structure and Technology Architecture Consultant, Step Ahead Technologies, LLC to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (``Lauer Letter'') Letter from Theodore R. Lazo, Managing Director and Associate General Counsel, SIFMA to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (``SIFMA Letter'') Letter from Jeffrey Wallis, Managing Partner, SunGard Consulting Services, New York, New York to Elizabeth Murphy, Secretary, Commission, dated July 8, 2013 (``SunGard Letter'') Letter from Janet McGinness, EVP & Corporate Secretary, NYSE Euronext to Elizabeth Murphy, Secretary, Commission, dated July 9, 2013 (``NYSE Letter'') Letter from Eric J. Swanson, Secretary, BATS Global Markets to Elizabeth Murphy, Secretary, Commission, dated July 10, 2013 (``BATS Letter'') Letter from Mary Ann Burns, Futures Industry Association Principal Traders Group, Washington, District of Columbia to Elizabeth Murphy, Secretary, Commission, dated July 11, 2013 (``FIA PTG Letter'') Letter from James P. Selway, III, P. Mats Goebels and Sudhanshu Arya, ITG Inc. to Elizabeth Murphy, Secretary, Commission, dated July 11, 2013 (``ITG Letter'') Letter from Karrie McMillan, General Counsel, Investment Company Institute to Elizabeth Murphy, Secretary, Commission, dated July 12, 2013 (``ICI Letter'') Letter from Stuart J. Kaswell, Executive Vice President & Managing Director, Managed Funds Association, and Jir[iacute] Kr[oacute]l, Deputy CEO, Head of Government and Regulatory Affairs, Alternative Investment Management Association to Elizabeth Murphy, Secretary, Commission, dated July 17, 2013 (``MFA Letter'') Letter from Anthony J. Saliba, Chief Executive Officer, LiquidPoint, LLC to Elizabeth Murphy, Secretary, Commission, dated July 22, 2013 (``LiquidPoint Letter'') Letter from Elizabeth K. King, Global Head of Regulatory Affairs, KCG Holdings, Inc., Jersey City, New Jersey to Elizabeth Murphy, Secretary, Commission, dated July 25, 2013 (``KCG Letter'') Letter from Roger Anerella, Managing Director, Global Head of Securities Execution Services, UBS Investment Bank to Elizabeth Murphy, Secretary, Commission, dated July 26, 2013 (``UBS Letter'') Letter from Eric Swanson, SVP, General Counsel and Secretary, BATS Global Markets, Inc., et al. to Elizabeth Murphy, Secretary, Commission, dated July 30, 2013 (``Joint SROs Letter'') Letter from Thomas S. Vales, Chief Executive Officer, TMC Bonds LLC to Elizabeth Murphy, Secretary, Commission, dated August 6, 2013 (``TMC Bonds Letter'') Letter from James J. Angel, Ph.D., CFA, Visiting Associate Professor, The Wharton School, University of Pennsylvania to the Commission, dated September 3, 2013 (``Angel2 Letter'') Letter from Benjamin R. Londergan, Chief Executive Officer, Group One Trading L.P. to Elizabeth Murphy, Secretary, Commission, dated September 3, 2013 (``Group One Letter'') Letter from Ari Gabinet, Executive Vice President and General Counsel, OFI Global Asset Management to Elizabeth Murphy, Secretary, Commission, dated September 9, 2013 (``Oppenheimer Letter'') Letter from Daniel Zinn, General Counsel, OTC Markets Group Inc. to Elizabeth Murphy, Secretary, Commission, dated September 12, 2013 (``OTC Markets Letter'') Letter from Dr. Bill Curtis, Director, Consortium for IT Software Quality to Elizabeth Murphy, Secretary, Commission, dated September 17, 2013 (``CISQ2 Letter'') Letter from William O'Brien, Chief Executive Officer, Direct Edge Holdings to Elizabeth M. Murphy, Secretary, Commission, dated September 25, 2013 (``Direct Edge Letter'') Letter from Richie Prager, Managing Director, Head of Trading & Liquidity Strategies, Hubert De Jesus, Managing Director, Co-Head of Market Structure & Electronic Trading, Supurna Vedbrat, Managing Director, Co-Head of Market Structure & Electronic Trading, and Joanne Medero, Managing Director, Government Relations & Public Policy, BlackRock, Inc. to Mary Jo White, Chair, Commission, dated September 12, 2014 (``BlackRock Letter''). [FR Doc. 2014-27767 Filed 12-4-14; 8:45 am] BILLING CODE P
This site is protected by reCAPTCHA and the Google
Privacy Policy and
Terms of Service apply.
